Proofing I2C slave against too short reads: outputs old value from TXDR as soon as master clocks again - how to prevent?

I have this scenario:

My stm32f0 implements a I2C slave, and I have a raspberrypi with i2ctools as a master.

I define a bunch of 16bit wide registers to access in the stm32.

Now I wanted to test what happens if the master only reads 1 byte instead of 2 bytes, to make the stm32 firmware robust against wrong accesses.

What I see is this:

• on a logic analyzer, all looks correct: I see a NACK from master on the 1st (and only) R data byte, and then a STOP
• in the stm32, however, the interrupt order is, on the first attempt of reading only 1 byte:
  • [...] TXIS, TXIS, NACK, STOP.
• i.e. I get a second TXIS before the NACK, as apparently the TXDR is empty more quickly than the NACK from master is registered
• wich means my code has no way (?) of telling that this happened and it will write the second byte into TXDR
  • which is not clocked by the master, as it wants only 1 byte
• the second time I read, again only 1 byte, with the master, the NACK interrupt comes first, I guess because this time TXDR is not empty anymore...
• Now if I read a proper 16bit word again with master: it is apparent that the bytes are shifted in history, so to speak, by one.
• i.e. from the 1st time that the TXDR was filled with a 2nd byte but the slave won't clock it out afterwards, started a chain of "you get the previous byte, not the current one"

How can this be fixed?

Is there a way to force the TX to be "empty" without it being clocked/read?

That would help at least for the 2nd time only 1 byte is read and this becomes detectable because the NACK IRQ comes first.

Or can this somehow prevented to happen in the first place?

The "condensed" code snippet below contains the 2 handler functions of my i2c state machine that are involved in the above scenario. They are called by the i2c interrupt handler. The first state, "...SendData..." is active after the ReStart condition (2nd time the ADDR interrupt occurred, this time with ISR.DIR==1 i.e. read), and it's now about to write data to the master - so txBufPos is set to 0 and the TX interrupt is enabled right before changing to that state. (it's disabled again in that state given a condition, see below)

static void handle_state_SendDataBytesToMaster(I2cSlave* m)
{
    if (LL_I2C_IsActiveFlag_NACK(m->periph)) // NOTE - this didn't really work, as the 2nd TXIS arrives earlier than the NACK
    {   // EARLY STOP : Abort. If a master reads only one byte instead of two and then stops, we must not expect to send any next bytes.
        LL_I2C_DisableIT_TX( m->periph );
        m->state = I2cSlaveState_WaitForMasterReadFinalization;
    }
    else if (LL_I2C_IsActiveFlag_TXIS(m->periph))
    {	const typeof(m->txBufPos) newTxPos = m->txBufPos + 1;
        if (newTxPos >= sizeof(m->currRegisterVal)) // Expected number of bytes done with this one?
        {	LL_I2C_DisableIT_TX( m->periph );
            m->state = I2cSlaveState_WaitForMasterReadFinalization;
        }
        m->periph->TXDR = 0xff & (m->currRegisterVal >> (8 * m->txBufPos)); // put next byte into the TX register
        m->txBufPos = newTxPos;
    }
}
 
 
static void handle_state_WaitForMasterReadFinalization(I2cSlave* m)
{
    if (LL_I2C_IsActiveFlag_NACK(m->periph))
    {	LL_I2C_ClearFlag_NACK( m->periph );
    }
    else if (LL_I2C_IsActiveFlag_STOP(m->periph))
    {	LL_I2C_ClearFlag_STOP( m->periph );
        m->state = I2cSlaveState_Idle;
    }
}