async/await on embedded Rust

In a previous post we explored what needs to be done on the rustc side to bring async/await to no_std Rust.

In this post we'll explore what could be done once async/await is available in no_std land and why we think async/await is a big deal for embedded development.

From blocking to non-blocking

A blocking blinky program looks like this:

use cortex_m_rt::entry;
use embedded_hal::blocking::DelayMs as _; // `delay_ms` trait
use hal::{Led, Timer};

#[entry]
fn main() -> ! {
    let mut led = Led::new();
    let mut timer = Timer::new();

    loop {
        led.on();
        timer.delay_ms(1_000);
        led.off();
        timer.delay_ms(1_000);
    }
}

The program will turn an LED on for one second and then turn it off for the next second. The program will then repeat these two steps over and over.

The interesting part here is timer.delay_ms. The trait documentation indicates that the function must "pause execution for n milliseconds" but neither the documentation or the signature specify how the pause should be implemented. An implementation could implement the pause in one of two ways:

  • By busy waiting, that is by continuously polling the state of the Timer to see if the desired time has elapsed (this approach is bad for power conscious applications),

  • Or by sleeping, that is by setting an interrupt to fire at some point in the future and then putting the device in low power mode (e.g. by stopping the CPU) until the interrupt fires.

Which behavior gets implemented is up to the author of the Timer abstraction.

The Timer abstraction has a device-specific implementation so there will be several different implementations of it, at least one per device family (nrf52::Timer, stm32::Timer, etc.). This means that you could run into one behavior or the other depending on which chip you pick for your application.

An async/await blinky program may look like this:

use async_cortex_m::task; // <- async runtime
use cortex_m_rt::entry;
use hal::{Led, Timer};

#[entry]
fn main() -> ! {
    let mut led = Led::new();
    let mut timer = Timer::new();

    // `block_on` runs the future (`async` block) to completion
    task::block_on(async {
        loop {
            led.on();
            timer.wait(Duration::from_secs(1)).await;
            // ^ suspends the task for one second
            led.off();
            timer.wait(Duration::from_secs(1)).await;
        }
    })
}

The two don't look much different in terms of code and, to an external observer, the program will appear to do the same but their actual semantics are quite different. async/await code uses futures under the hood. A future represents an asynchronous computation and comes with a contract that specifies its runtime characteristics. In particular, the "futures should not be poll-ed in a tight loop" (paraphrased) part indicates that timer.wait should not result in continuously polling the state of the Timer (i.e. busy waiting).

How often the future is polled and whether the device is put in sleep mode when no future can made progress is up to the runtime, or executor, used to run the future. A runtime that continuously polls (all or some) futures can result in a more responsive application whereas a runtime that puts the device in deep sleep mode when no future can make progress will sacrifice responsiveness in favor of improved power savings.

The main take away here is that the application author now gets to pick the desired runtime characteristic by picking, or building, the right async runtime. On the other hand, the authors of HAL abstractions like Timer now have to write abstractions that are flexible enough to work with different async runtimes – they can no longer implement busy-waiting APIs as these go against the contract of the Future API.

Multitasking

Async/await is a building block for multitasking. Most async executors will expose a concept of tasks, a future that will be run to completion, and allow running them concurrently (for example, see std_async::task::spawn).

no_std lacks multitasking primitives. std::thread is implemented on top of OS threads only available in hosted environment like Linux. Embedded no_std applications are usually bare-metal applications with no OS underneath. Given these conditions, async/await tasks could become the missing "standard" multitasking primitive in bare-metal no_std land – after all the task module is already in core.

To give you a feel for async/await based multitasking here's an application that uses the task::spawn API to spawn an additional task onto the executor.

use async_cortex_m::task;
use cortex_m_rt::entry;
use hal::{Led, Timer, serial};

#[entry]
fn main() -> ! {
    let mut led = Led::new();
    let mut timer = Timer::new();

    // heartbeat task
    task::spawn(async move {
        loop {
            Led.on();
            timer.wait(Duration::from_millis(500)).await;
            Led.off();
            timer.wait(Duration::from_millis(500)).await;
        }
    });

    // opens the serial port; returns transmit and receive handles
    let (mut tx, mut rx): (Tx, Rx) = serial::open();
    
    // echo task: sends back all incoming bytes
    task::block_on(async {
        loop {
            let mut buf = [0];
            rx.read(&mut buf).await;
            // ^ suspends the task until enough data has been received
            tx.write(&buf).await;
        }
    })
}

// where Tx and Rx have the following async API
impl Tx {
    /// Sends *all* `bytes` over the serial interface
    pub async fn write(&mut self, bytes: &[u8]) { /* .. */ }
}

impl Rx {
    /// *Completely* fills the given `buffer` with bytes received
    /// over the serial interface
    pub async fn read(&mut self, buffer: &mut [u8]) { /* .. */ }
}

Here, the previous blinky program has been converted into a "heartbeat" task that visually indicates that the program is making progress and has not locked up (due to an unhandled exception or some software bug). An "echo" task is run concurrently; this second task reads data from the serial interface and sends it back without altering it.

Threads

Another multitasking option commonly used in embedded systems, specially in C firmware (see FreeRTOS, Zephyr, etc.), are threads, as in OS-like threads where each thread gets its own, separate call stack. As most microcontrollers are single-core systems using threads does not improve parallelism or throughput but threads are a concurrency model that most programmers are familiar with so they are a commonly offered multitasking option.

Using threads increases the risk of stack overflows, however. Microcontrollers don't have much RAM available. As more threads are spawned each thread gets a smaller chunk of the available RAM to place its call stack. If a thread does too many nested function calls or uses too many local variables it can overflow its assigned stack space and overwrite the call stack of another thread resulting in memory corruption.

Threading runtimes will usually use some runtime mechanism, like the Memory Protection Unit (MPU) in ARM Cortex-M devices, to catch and prevent these stack overflows. Not all microcontroller architectures, e.g. ARM Cortex-M0 and MSP430, have an MPU or a equivalent mechanism so threads are inherently memory unsafe to use on those architectures.

There are techniques, like flipping the layout of the program memory, that can be used to protect against stack overflows in devices with no MPU but these techniques don't work if there's more than one call stack.

We are bringing threads into the discussion because an async runtime could be implemented without using, or even implementing, threads by running all tasks cooperatively and on the same call stack. Having a single call stack reduces the chances of stack overflows and at the same time lets us use the stack overflow protection mechanism described in the previous paragraph.

Sharing data

Readers familiar with the std::thread API know that (explicitly) sharing data between threads will require some form of synchronization like sync::Mutex or sync::RwLock, which usually will come wrapped in an Arc. The reason these wrappers are needed is to make the data thread-safe to access.

Interestingly, if one is dealing with an async runtime that runs all tasks cooperatively ("on the same thread") then these synchronization wrappers are not needed and types with interior mutability (types that allow mutation through a shared reference (&T)) like Cell and RefCell are sufficient to safely share data between tasks.

For example, to extend the previous program to have the serial interface control the state of the blinking LED we can share a boolean (Cell<bool>) between the two tasks.

#![deny(unsafe_code)]

use core::cell::Cell;

use cortex_m_rt::entry;
use hal::{Led, Timer, serial};

#[entry]
fn main() -> ! {
    // the state of the LED: off (`false`) or blinking (`true`)
    static mut STATE: Cell<bool> = Cell::new(true);

    let state: &'static Cell<bool> = STATE;
    let mut led = Led::new();
    let mut timer = Timer::new();

    // the future argument must satisfy the bound `: 'static` but
    // no `: Send` bound is required. `Cell<T>` is *not* `Sync` so
    // `&Cell<T>` is *not* `Send`
    task::spawn(async move {
        // `state: &'static Cell<_>` gets moved into the async block

        loop {
            if state.get() {
                led.on();
            }
            timer.wait(Duration::from_millis(500)).await;
            led.off();
            timer.wait(Duration::from_millis(500)).await;
        }
    });

    let (tx, rx) = serial::open();
    task::block_on(async move {
        // `state: &'static Cell<_>` gets moved into the async block

        loop {
            let mut buf = [0];
            rx.read(&mut buf).await;
            
            // toggles the state of the LED
            if buf[0] == b't' {
               state.set(!state.get());
            }

            tx.write(&buf).await;
        }
    })
}

Perhaps the most surprising part of the above snippet, if you are not familiar with the cortex_m_rt crate, is that the static mut variable is safe to access and that its type changes from T to &'static mut T. This is a feature of the cortex_m_rt::entry macro / attribute; it does this transformation in its expansion. The reason this is safe is that the main function can not be (safely) called from software (calling main() will not compile); instead it will be called exactly once by the hardware (reset handler).

There are other ways to obtain a static reference (&'static T) that one could have used here, like Box::leak. It would also have been OK to send an Rc<Cell<bool>> to each task. These two options require a #[global_allocator] and the unstable #[alloc_error_handler] feature.

Channels

Sometimes inter-task communication is better expressed using channels rather than explicit shared state. An asynchronous runtime will usually re-export some asynchronous SPSC (Single-Producer Single-Consumer) or MPMC (Multiple-Producer Multiple-Consumer) channel as part of its API.

Modifying the previous program to have the serial task and the LED task talk through a channel would look like this:

use async_cortex_m::{
    Channel, // MPMC channel
    task,
};
use cortex_m_rt::entry;
use hal::{Led, serial};

#[entry]
fn main() -> ! {
    static mut CHANNEL: Channel<u8> = Channel::new();

    let channel: &'static Channel<u8> = CHANNEL;
    let mut led = Led::new();

    task::spawn(async move {
        loop {
            let byte = channel.recv().await;
            // ^ suspends the task while the channel is empty

            if byte == b'0' {
                led.off();
            } else if byte == b'1' {
                led.on();
            } else {
                // unknown command
            }
        }
    });

    let (tx, rx) = serial::open();
    task::block_on(async move {
        loop {
            let mut buf = [0];
            rx.read(&mut buf).await;

            // the input controls the state of the LED
            channel.send(buf[0]).await; 
            // ^ will suspend the task if the channel is full

            tx.write(&buf).await;
        }
    })
}

Mutex

Even though Cell and RefCell can be used to share data between tasks there's still room for an async Mutex abstraction. The following contrived example will help us visualize the need for it:

use async_cortex_m::{task, Mutex, MutexGuard};
use cortex_m_rt::entry;

#[entry]
fn main() -> ! {
    static mut MUTEX: Mutex<i32> = Mutex::new(0);

    let mutex: &'static Mutex<i32> = MUTEX;
    task::spawn(async move {
        println!("A: before lock");

        let lock: MutexGuard = mutex.lock().await;

        println!("A: mutex contains the value {}", *lock);

        loop {
            println!("A: yield");
            task::r#yield().await;
        }
    });

    let mut lock: MutexGuard = mutex.try_lock().unwrap();
    task::block_on(async {
        println!("B: yield");

        // suspend the task / yield control
        task::r#yield().await;

        println!("B: after yield");

        *lock += 1;

        drop(lock); // release the lock

        println!("B: released the lock");

        loop {
            println!("B: yield");
            task::r#yield().await;
        }
    })
}

This program prints:

B: yield
A: before lock
B: after yield
B: released the lock
B: yield
A: mutex contains the value 1
A: yield
(..)

The key points here are that (a) one task can hold the lock (MutexGuard) across a suspension point, in the example the suspension point is an explicit task::yield call but all .await calls contain potential suspension points; and (b) Mutex::lock contention suspends the caller task until the task currently holding the lock releases it.

If you replace the async::Mutex with a plain RefCell (and the async lock().awaits with non-async borrow_mut()s) you'll get a panic at the contention point:

B: yield
A: before lock
panicked at 'already borrowed: BorrowMutError'

Holding a BorrowMut (what RefCell::borrow_mut returns) across a suspension point is likely to be wrong and may result in a panic at runtime. On the other hand, if you are using an async::Mutex but the MutexGuard never lives across a suspension point then chances are you could be using a (cheaper) RefCell instead of the async::Mutex.

async::Mutex is particularly useful when the inner type has an async API. Let's see how async::Mutex could be used to communicate with two I2C devices connected to the same I2C bus.

I2C

Inter-Integrated Circuit (I2C or I squared C) is a bi-directional communication protocol widely used in embedded systems. The protocol allows a host to communicate with many devices that are connected the same bus (all of them share two electrical lines plus ground).

The key points of the protocol are:

  • The host drives the communication regardless of the direction of the data (host to device, or the way around)

  • Each device has an address that the host must use to select the device it will communicate with

  • Devices cannot communicate with each other or start communication with the host

  • A special set of electrical signals, START and STOP, are used to delimit data transfers.

  • The address of the device must be sent after the START condition.

We can summarize the I2C protocol from the point of view of the host using the following async API:

// I2C bus (host side) 
pub struct I2c { /* .. */ }

impl I2c {
    /// Sends `bytes` to the device with the specified address
    ///
    /// Events: START - ADDR - (H -> D) - STOP 
    ///
    /// `(H -> D)` denotes data being sent from the Host to the Device
    pub fn async write(
        &mut self,
        addr: u8,
        bytes: &[u8],
    ) -> Result<(), I2cError> { /* .. */ }

    /// Fills the given buffer with data from the device with the
    /// specified address 
    /// 
    /// Events: START - ADDR - (D -> H) - STOP 
    ///
    /// `(D -> H)` denotes data being sent from the Device to the Host
    pub fn async read(
        &mut self,
        addr: u8,
        buf: &mut [u8],
    ) -> Result<(), I2cError> { /* .. */ }

    /// `write` followed by `read` in a single transaction (without an
    /// intermediate STOP)
    /// 
    /// Events:
    /// START - ADDR - (H -> D) - reSTART - ADDR - (D -> H) - STOP
    ///
    /// `reSTART` denotes a "repeated START"
    pub fn async write_then_read(
        &mut self,
        addr: u8,
        tx_buf: &[u8],
        rx_buf: &mut [u8],
    ) -> Result<(), I2cError> { /* .. */ }
}

Common I2C devices include sensors like accelerometers, temperature sensors, gas (air quality) sensors, etc; and external peripherals like Real Time Clocks, IO port expanders, etc. Let's use the SCD30 gas sensor and the DS3231 real time clock to show how to write asynchronous driver APIs.

To read data from an I2C device one will usually use the write_then_read API to first send (write transaction) the address of the register (on the I2C device) that one wants to read and then receive (read transaction) the contents of that register. Some I2C devices take a command instead of an address in the write phase. There's not much difference between the two; they are just a sequence of bytes sent on the bus.

The DS3231 represents its data and state as registers. An API to retrieve the current date and time would look like this:

use chrono::NaiveDateTime;

/// DS3231 I2C driver
pub struct Ds3231 {
    i2c: I2c,
}

// I2C address of this device
const ADDRESS: u8 = 0x61;

impl Ds3231 {
    pub fn new(i2c: I2c) -> Self {
        Self { i2c }
    }

    /// Returns the current date and time
    pub async fn get_datetime(
        &mut self,
    ) -> Result<NaiveDateTime, Error> {
        let mut buf = [0; 7];

        // reads 7 registers starting at register address 0x00
        self.i2c.write_then_read(ADDRESS, &[0x00], &mut buf).await?;
        
        Ok(bytes2datetime(&buf)?)
    }
}

fn bytes2datetime(
   bytes: &[u8],
) -> Result<NaiveDateTime, InvalidDateError> {
    // ..
}

The SCD30 uses commands instead of registers. An API to retrieve the last measurement of the sensor would look like this:

/// SCD30 I2C driver
pub struct Scd30 {
    i2c: I2c,
}

// I2C address of this device
const ADDRESS: u8 = 0b110_1000;

// A command encoded as 2 bytes
const READ_CMD: [u8; 2] = [0x03, 0x00];

impl Scd30 {
    pub fn new(i2c: I2c) -> Self {
        Self { i2c }
    }

    /// Returns the last sensor measurement
    pub async fn get_measurement(
        &mut self,
    ) -> Result<Measurement, Error> {
        let mut buf = [0; 18];

        // the data sheet indicates there must be a STOP condition
        // between the write and the read; this is why
        // `write_then_read` is not used here
        self.i2c.write(ADDRESS, &READ_CMD).await?;
        self.i2c.read(ADDRESS, &mut buf).await?;
        
        Ok(bytes2measurement(&buf)?)
    }
}

fn bytes2measurement(
   bytes: &[u8],
) -> Result<Measurement, CrcError> {
    // ..
}

pub struct Measurement {
    /// CO2 concentrain in parts per million (0 - 40,000 ppm)
    pub co2: f32,

    /// Relative humidity (0 - 100%)
    pub humidity: f32,
    
    /// Temperature in Celsius (-40 - 70 C)
    pub temperature: f32,
}

These async APIs work fine on their own but won't let you use the same I2c instance to talk to both devices because each abstraction takes I2c by value.

Sharing the I2C bus

To make the Ds3231 and Scd30 drivers work with a shared I2c we can change the implementation to use a shared async::Mutex<I2c>.

The updated Ds3231 driver would look like this:

pub struct Ds3231<'a> {
    i2c: &'a Mutex<I2c>, // <-
}

impl<'a> Ds3231<'a> {
    pub fn new(i2c: &'a Mutex<I2c>) -> Self {
        Self { i2c }
    }

    pub async fn get_datetime(
        &mut self,
    ) -> Result<NaiveDateTime, Error> {
        let mut buf = [0; 7];

        {   // this block has exclusive access to the I2C bus
            let i2c = self.i2c.lock().await;
            i2c.write_then_read(ADDRESS, &[0x00], &mut buf).await?;
            drop(i2c); 
        }   // ^ releases the I2C bus
        
        Ok(bytes2datetime(&buf)?)
    }
}

The updated Scd30 driver would look like this:

pub struct Scd30<'a> {
    i2c: &'a Mutex<I2c>, // <-
}

impl Scd30 {
    pub fn new(i2c: &'a Mutex<I2c>) -> Self {
        Self { i2c }
    }

    pub async fn get_measurement(
        &mut self,
    ) -> Result<Measurement, Error> {
        let mut buf = [0; 18];

        {
            let i2c = self.i2c.lock().await;
            i2c.write(ADDRESS, &READ_CMD).await?;

            // no other I2C transaction will occur between these
            // two function calls because we have exclusive access
            // to the I2C bus

            i2c.read(ADDRESS, &mut buf).await?;
            drop(i2c); // release the I2C bus
        }
        
        Ok(bytes2measurement(&buf)?)
    }
}

(Small digression: under a multi-threaded executor it's important to hold the MutexGuard for the span of write.await and read.await; not doing so could lead to another task stealing the I2C to communicate with a different device; this may be problematic as not all I2C devices may correctly handle this scenario. This, however, is a discussion to be had when trying to make this driver generic so we won't delve into it right now)

Using the two drivers, from different tasks, with the same I2C bus would look like this:

use async_cortex_m::{Mutex, task};
use cortex_m_rt::entry;

#[entry]
fn main() -> ! {
    static mut M: Option<Mutex<I2c>> = None;
    
    let i2c = I2c::new();
    let m: &'static Mutex<I2c> = M.get_or_insert(Mutex::new(i2c));

    let scd30 = Scd30::new(m);
    task::spawn(async move {
        loop {
             // .. other async things ..
             let m = scd30
                 .get_measurement()
                 .await
                 .unwrap_or_else(handle_error);
             // .. other async things ..
        }
    });
    
    let ds3231 = Ds3231::new(m);
    task::block_on(async {
        loop {
             // .. other async things ..
             let datetime = ds3231
                 .get_datetime()
                 .await
                 .unwrap_or_else(handle_error);
             // .. other async things ..
        }
    })
}

(Small digression: under a single-threaded executor and certain circumstances the above program can run into resource starvation where one task consecutively locks the I2C bus denying the other task access to it. An interesting topic that we won't expand on in this blog post.)

Nothing of this is "In Theory"

At Ferrous Systems we have been building a proof of concept executor for the Cortex-M architecture (though it has very few architecture specific bits so it should be fairly portable to other architectures). All the snippets presented in this blog post are fragments of fully working examples that you can find in this repository. The most complete example uses the async::Mutex<I2c> pattern to build an interactive serial console (see below) that lets you access a I2C real time clock and a I2C gas sensor connected to the same I2C bus.

> help
Commands:
help              displays this text
date              display the current date and time
sensors           displays the gas sensor data
set date %Y-%m-%d changes the date
set time %H:%M:%S changes the time
> sensors
CO2: 652ppm
T: 26C
RH: 23%
> set time 18:49:30
> date
2020-02-28 18:49:32

The executor and examples use zero unstable features, like #[alloc_error_handler], but depend on this pull request of ours that makes async/await work on no_std. As that PR does not add an unstable feature but rather changes the implementation details of an existing stable feature the change will immediately ride the train towards stable once it lands.

There still lots of work to do in the area of asynchronous embedded Rust. This post only roughly covers some of the API that application and driver authors will deal with but there's still plenty of work to do before asynchronous HALs can prosper. Namely, an asynchronous version of the existing embedded-hal traits need to be developed; and community consensus, and documentation, about how to port existing blocking HALs to async/await also needs to be built.

We see plenty of potential in async/await for embedded. It can become the go to multitasking solution for applications that don't have hard real-time requirements. In particular, the concept of tunable async runtimes seems well suited for these applications where one may need to be highly energy efficient (e.g. battery powered) and the next may need to be highly responsive.

Ferrous Systems GmbH is a Rust consultancy based in Berlin. Interested in leveraging async / await for your next embedded Rust project or using Rust in your next embedded project? We do development and consulting! Want to learn how to effectively use Rust's async/await feature or get started with (embedded) Rust development? We also do trainings! Contact us