15.4 Functional Description

ECC SECDED - ECC Functionality

The ECC decoding is enabled or disabled with the CTRLA.ENABLE bit. After reset, the ROM code copies the BOOTCFG1.BOOT_FLAG.RAM_INIT_ENB fuse into the CTRLA.ENABLE bit.

The ECC feature can then be disabled and re-enabled using the same bit (for testing the ECC feature, for example, as detailed in the “ECC testing” chapter).

This disabling/enabling only applies to ECC decoding upon reads. The ECC encoding upon writes is always enabled and cannot be disabled.

Each 32-bit data word in SRAM is completed by 7 additional ECC bits, which are not accessible by the user.

Upon any 8, 16, or 32-bit write in the memory, the 7 ECC bits are computed and stored along with the data (8-bit and 16-bit writes are actually performed as an atomic sequence: read 32 bits, modify, write 32 bits).

Upon any 8, 16, or 32-bit read in the memory, if the ECC feature is disabled, then single or double errors are neither detected nor corrected. If the ECC feature is enabled, the ECC syndrome is computed on the related 32 data bits + 7 ECC bits.

Single-bit error read correction is performed on the fly with no penalty.

The MCRAMC writes back any corrected data into the RAM.

Simply reading the sensitive RAM content on a regular basis, for example from a DMA Host, prevents bit error accumulation. This is known as ECC memory scrubbing.

Double-bit error read detection triggers a bus error response from the MCRAMC, typically leading to a synchronous abort exception at the bus Host. This enables stopping of the bus Host access sequence precisely at the faulty address.

Upon a bus error response, the faulty address is registered in the Error Capture Address Register.

If the corrupted RAM word lying at the 32-bit aligned address was originally provided from a non-volatile memory, i.e., CPU instruction, it can be safely copied again into the RAM before returning from the abort exception handler. If the abort exception is immediately re-entered, there are ‘stuck-at’ bits in the corrupted memory word, which requires applying self-patching code techniques prior to returning from the abort exception handler.

As another example, if the corrupted RAM word was part of a DMA buffer from a communication peripheral, the communication might be retried if the DMA master has support for transfer error response.

SRAM Initialization

After a reset, the SRAM content (data and ECC) is random and the ECC feature may be enabled depending on the BOOTCFG1.BOOT_FLAG.RAM_INIT_ENB fuse value.

In case the ECC feature is enabled:

Any 32-bit write will initialize the data and the related ECC bits. However, 8-bit or 16-bit writes (which imply an internal read32/modify/write32) will probably trigger a single or double error on the internal 32-bit read (depending on the randomness of the 39 bits in memory). Consequently, the SRAM content must be initialized before it can be used.

The simplest option is to program a basic FOR loop filling the whole memory or to program a DMA transfer. The written data can take any value. However, care must be taken to only perform 32-bit writes in SRAM to access variables or DMA descriptors, and to not overwrite these data during the memory fill. The ECC bits will then be computed for each write and the memory will then be available for normal use.

ECC Testing

For ECC testing purposes, single-bit or double-bit faults can be injected during writes at a specific address. The address needs to be programmed in the MCRAMC Fault Injection Address Register (MCRAMC.FLTADDR), the bits to be flipped need to be programmed in the MCRAMC Fault Injection Pointer Register (MCRAMC.FLTPTR) and the fault injection needs to be enabled in the MCRAMC Fault Injection Control Register (MCRAMC.FLTCTRL).

Then the MCRAMC FLTCTRL Register has to be read prior to the first write access to the RAM.

After fault injections, if ECC decoding is disabled in the MCRAMC Control Enable A Register, reading at a faulty address directly shows the faulty data bits, if any. Then ECC decoding can be enabled again and fault injection disabled, to read and check single error correction or double error detection. Then ECC decoding can be disabled again to read and check if a single error has been automatically corrected in the RAM array.

When ECC decoding is enabled in the MCRAMC Control Enable A Register, single-bit and double-bit ECC errors can be flagged in the MCRAMC INTSTA Interrupt Status register and can trigger an interrupt if enabled in the MCRAMC.INTENx Interrupt Enable register.

Note: This interrupt is an asynchronous CPU exception. It generally comes too late for system safe state recovery in case of a double-bit error.

The characteristics of a single-bit error are captured into the MCRAMC Error Capture registers and held stable until either the MCRAMC INTSTA.SER status bit is cleared by the software or a double-bit error occurs.

The characteristics of a double-bit error are captured into the MCRAMC Error Capture registers and held stable until the MCRAMC INTSTA.DER status bit is cleared by the software.

The following constraints must be observed during the ECC testing process:

  • After one or more writes to the MCRAMC user interface to change its configuration, a single read needs to be done from the MCRAMC FLTCTRL Register, prior to performing any access to the RAM.
  • When both ECC decoding and fault injection are enabled, no single-bit fault RAM word must be read at the RAM fault injection address, because memory correction write-back would inject a fault again.
  • When both ECC decoding and fault injection are enabled, a double-bit fault RAM word at the RAM fault injection address must be overwritten only with a 32-bit wide access.
  • When fault injection is enabled, the data bits to be flipped, as programmed in the MCRAMC Fault Injection Pointer Register, must always be part of the bytes modified by the write access to the RAM fault injection address. A simple way to ensure this is to restrict the write accesses to the RAM fault injection address to be 32-bit wide only.

Note: A double error condition will generate a hard fault which will supersede the double error interrupt. If identification and soft recovery is desired, this condition must be detected in the hard fault handler, allowing the function to exit and the ISR for the double error to be executed.
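
The SECDED behaviour described under ECC Functionality (7 check bits per 32-bit word, single-bit correction with write-back, double-bit detection) and the read-back sequence described under ECC Testing can be reproduced in a small software model. This is an added example, not vendor code: it uses a textbook extended Hamming (39,32) code because the MCRAMC's actual check-bit equations are not given here, and all function names are hypothetical. In the model, `ecc_raw` stands for a read with decoding disabled, `ecc_read` for a read with decoding enabled, and XOR-ing a bit into the stored word stands for fault injection.

```c
#include <stdint.h>

/* Model only (assumed layout): bit 0 = overall parity, bits 1,2,4,8,16,32 =
 * Hamming check bits, remaining bits up to 38 = the 32 data bits. */
enum ecc_status { ECC_OK, ECC_SER, ECC_DER };

static unsigned syndrome(uint64_t cw, unsigned *parity)
{
    unsigned s = 0, p = (unsigned)cw & 1;
    for (unsigned pos = 1; pos <= 38; pos++)
        if ((cw >> pos) & 1) { s ^= pos; p ^= 1; }
    *parity = p;                 /* parity over all 39 stored bits */
    return s;                    /* XOR of the positions of all set bits */
}

uint64_t ecc_encode(uint32_t data)            /* what a 32-bit write stores */
{
    uint64_t cw = 0;
    unsigned k = 0, p;
    for (unsigned pos = 1; pos <= 38; pos++)  /* data in non-power-of-2 slots */
        if (pos & (pos - 1)) cw |= (uint64_t)((data >> k++) & 1) << pos;
    unsigned s = syndrome(cw, &p);
    for (unsigned b = 0; b < 6; b++)          /* set check bits: syndrome -> 0 */
        if ((s >> b) & 1) cw |= 1ULL << (1u << b);
    syndrome(cw, &p);
    return cw | p;                            /* 7th bit: even overall parity */
}

uint32_t ecc_raw(uint64_t cw)                 /* read with decoding disabled */
{
    uint32_t d = 0;
    unsigned k = 0;
    for (unsigned pos = 1; pos <= 38; pos++)
        if (pos & (pos - 1)) d |= (uint32_t)((cw >> pos) & 1) << k++;
    return d;
}

/* Read with decoding enabled. A single-bit error is corrected in *word as
 * well (write-back); a double-bit error leaves *word and *out untouched. */
enum ecc_status ecc_read(uint64_t *word, uint32_t *out)
{
    unsigned p, s = syndrome(*word, &p);
    if ((!p && s) || s > 38) return ECC_DER;  /* even flip count or 3+ flips */
    if (p) *word ^= 1ULL << s;                /* s == 0: parity bit itself */
    *out = ecc_raw(*word);
    return p ? ECC_SER : ECC_OK;
}
```

An odd overall parity with a valid syndrome identifies the single flipped bit, while an even parity with a non-zero syndrome can only be reported, which is why the double-bit case ends in a bus error rather than a correction.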

Throughput Optimization

The throughput of the MCRAMC can be optimized when the system bus clock frequency is in the lower range by removing any wait-state in the access to the RAM.

At higher frequencies, a wait-state must be inserted at the start of a burst.

When MCRAMC_CTRLA.WS = 1, a wait-state is inserted.

Refer to the Electrical Characteristics chapter for the configuration of WS.

Privileged Access

When MCRAMC_CTRLA.PRIV = 1, access to the user interface is granted only if the read or write access is performed with the privileged attribute set.