Add safety comments & fix memory.x

pdobbins23 · pdobbins23 · commit 2f144adca798 · 2025-02-23T10:41:37.000-08:00
diff --git a/hal/src/peripherals/flash_controller.rs b/hal/src/peripherals/flash_controller.rs
@@ -299,8 +299,19 @@ impl<'gcr, 'icc> FlashController<'gcr, 'icc> {
         Ok(())
     }
 
-    /// Writes less than 128 bits (16 bytes) of data to flash. Data needs to fit
-    /// within one flash word (16 bytes).
+    /// Writes less than 128 bits (16 bytes) of data to flash.
+    /// Data needs to fit within one flash word (16 bytes).
+    ///
+    /// SAFETY:
+    /// 
+    /// Writes must not corrupt potentially executable instructions of the program.
+    /// Callers must ensure that the following condition is met:
+    /// * If `address` points to a portion of the program's instructions, `data` must
+    ///   contain valid instructions that does not introduce undefined behavior.
+    ///
+    /// It is very difficult to define what would cause undefined behavior when
+    /// modifying program instructions. This would almost certainly result
+    /// in unwanted and likely undefined behavior. Do so at your own risk.
     unsafe fn write_lt_128_unaligned(
         &self,
         address: u32,
@@ -332,6 +343,18 @@ impl<'gcr, 'icc> FlashController<'gcr, 'icc> {
     }
 
     /// Writes 128 bits (16 bytes) of data to flash.
+    /// Address must be 128-bit aligned.
+    ///
+    /// SAFETY:
+    /// 
+    /// Writes must not corrupt potentially executable instructions of the program.
+    /// Callers must ensure that the following condition is met:
+    /// * If `address` points to a portion of the program's instructions, `data` must
+    ///   contain valid instructions that does not introduce undefined behavior.
+    ///
+    /// It is very difficult to define what would cause undefined behavior when
+    /// modifying program instructions. This would almost certainly result
+    /// in unwanted and likely undefined behavior. Do so at your own risk.
     unsafe fn write128(
         &self,
         address: u32,
diff --git a/tests/memory.x b/tests/memory.x
@@ -1,28 +1,9 @@
 MEMORY
 {
-    FLASH      (rx)  :  ORIGIN = 0x1000E000,                             LENGTH = 222K 
-    SECFLASH   (rx)  :  ORIGIN = ORIGIN(FLASH) + LENGTH(FLASH),          LENGTH = 2K 
+    FLASH      (rx)  :  ORIGIN = 0x10000000,                             LENGTH = 512K
     STACK      (rw)  :  ORIGIN = 0x20000000,                             LENGTH = 110K
     RAM        (rw)  :  ORIGIN = ORIGIN(STACK) + LENGTH(STACK),          LENGTH = 128K - LENGTH(STACK)
 }
 
-/*
-Add a block of memory for the stack before the RAM block, so that a stack overflow leaks into
-reserved space and flash memory, instead of .data and .bss.
-*/
-ASSERT((LENGTH(SECFLASH) == 2K), "Error: SECFLASH is not 2K. To change the size, update this assert, the size in the MEMORY section, and the assert in the flash layout crate.") 
-
 _stack_start = ORIGIN(STACK) + LENGTH(STACK);
 _stack_end = ORIGIN(STACK);
-
-/* Bootloader hard jumps to 0x1000e200 */
-_stext = ORIGIN(FLASH) + 0x200;
-
-SECTIONS {
-    /* Add a section for the secure flash space. */
-    .secflash ORIGIN(SECFLASH) :
-    {
-        KEEP(*(.secflash .secflash.*));
-        . = ALIGN(4);
-    } > SECFLASH
-}
