CMSIS Part 11: Interrupts, Concurrency & Real-Time Constraints

Critical Sections

A critical section is a code region that must execute atomically with respect to interrupts — no ISR may interleave. On Cortex-M there are two primary mechanisms: PRIMASK, which disables all maskable exceptions globally, and BASEPRI, which masks all exceptions at or below a numeric priority threshold while leaving higher-priority ISRs active. Choosing between them is a real-time engineering decision, not a convenience one.

PRIMASK Save & Restore Pattern

The naive approach — __disable_irq() / __enable_irq() — works only if critical sections never nest. In production firmware, always use save/restore to handle re-entrant callers safely. CMSIS provides __get_PRIMASK() and __set_PRIMASK() for this pattern.

/**
 * PRIMASK-based critical section: save/restore pattern.
 * Safe for nested calls — preserves the caller's IRQ state.
 */
#include "cmsis_compiler.h"  /* __get_PRIMASK, __set_PRIMASK, __DMB */

/* Enter critical section — returns previous PRIMASK value */
static inline uint32_t critical_section_enter(void) {
    uint32_t primask = __get_PRIMASK();
    __disable_irq();   /* sets PRIMASK = 1, blocks all IRQs */
    __DSB();           /* ensure write-buffer is drained     */
    __ISB();           /* flush pipeline so masking takes effect */
    return primask;
}

/* Exit critical section — restores caller's IRQ state */
static inline void critical_section_exit(uint32_t primask) {
    __set_PRIMASK(primask);
    __ISB();
}

/* ----- Usage example: protect a shared counter --------- */
static volatile uint32_t g_shared_counter = 0U;

void increment_shared_counter(void) {
    uint32_t saved = critical_section_enter();
    g_shared_counter++;   /* read-modify-write is now atomic */
    critical_section_exit(saved);
}

/* Even safe when called from an ISR that itself disabled IRQs */
void TIM3_IRQHandler(void) {
    uint32_t saved = critical_section_enter();
    g_shared_counter += 10U;
    critical_section_exit(saved);   /* restores PRIMASK=1, not 0 */
    TIM3->SR &= ~TIM_SR_UIF;
}

BASEPRI Threshold Masking

BASEPRI is only available on Cortex-M3/M4/M7/M33 (ARMv7-M and ARMv8-M Main). It masks all exceptions whose numeric priority is greater than or equal to the BASEPRI value (lower number = higher priority). Setting BASEPRI = 0x50 (priority 5 on an 8-bit field) leaves priorities 0–4 unmasked — those ISRs can still preempt your critical section. This is the basis of FreeRTOS's taskENTER_CRITICAL().

/**
 * BASEPRI-based partial masking: block ISRs at priority >= threshold
 * while leaving high-priority ISRs (e.g. safety watchdog) runnable.
 *
 * configMAX_SYSCALL_INTERRUPT_PRIORITY in FreeRTOS maps directly
 * to this register.
 */
#include "core_cm4.h"

/* Priority threshold — mask ISRs with numeric priority >= this value.
 * NOTE: On 4-bit priority implementations (most STM32), shift left 4. */
#define CRITICAL_BASEPRI_VALUE   (5U << (8U - __NVIC_PRIO_BITS))

static inline uint32_t basepri_enter(void) {
    uint32_t old = __get_BASEPRI();
    __set_BASEPRI_MAX(CRITICAL_BASEPRI_VALUE);
    __DSB();
    __ISB();
    return old;
}

static inline void basepri_exit(uint32_t old_basepri) {
    __set_BASEPRI(old_basepri);
    __ISB();
}

/* ---- Critical section technique comparison table ---- */

Atomic Operations

For single 32-bit variables, full critical sections are overkill. ARMv7-M and ARMv8-M provide Load-Exclusive / Store-Exclusive (LDREX/STREX) instructions that implement hardware-level compare-and-swap without disabling interrupts at all. If an interrupt fires between LDREX and STREX, STREX detects the hazard and returns 1 (failure) — the caller retries. This gives you interrupt-transparent atomics with zero latency impact on ISRs.

LDREX/STREX Compare-and-Swap on Cortex-M

/**
 * Atomic compare-and-swap using LDREX/STREX (ARMv7-M, ARMv8-M Main).
 * Returns 1 if the swap succeeded, 0 if it was interrupted and retried.
 *
 * CMSIS intrinsics: __LDREXW / __STREXW
 */
#include "cmsis_compiler.h"

/**
 * @brief Atomic CAS: if *ptr == expected, write desired and return 1.
 */
static inline int atomic_cas32(volatile uint32_t *ptr,
                                uint32_t expected,
                                uint32_t desired) {
    uint32_t current;
    do {
        current = __LDREXW(ptr);          /* Load-exclusive          */
        if (current != expected) {
            __CLREX();                    /* Clear exclusive monitor  */
            return 0;                     /* Mismatch — no swap       */
        }
    } while (__STREXW(desired, ptr));     /* Retry if interrupted     */

    __DMB();  /* Data memory barrier: ensure visibility before return */
    return 1;
}

/**
 * @brief Atomic fetch-and-add: atomically adds delta to *ptr,
 *        returns the original value.
 */
static inline uint32_t atomic_fetch_add(volatile uint32_t *ptr,
                                         uint32_t delta) {
    uint32_t old, tmp;
    do {
        old = __LDREXW(ptr);
        tmp = old + delta;
    } while (__STREXW(tmp, ptr));

    __DMB();
    return old;
}

/* ---- Usage: lock-free reference counter ---- */
static volatile uint32_t g_ref_count = 0U;

void object_acquire(void) {
    atomic_fetch_add(&g_ref_count, 1U);
}

void object_release(void) {
    uint32_t prev = atomic_fetch_add(&g_ref_count, (uint32_t)-1);
    if (prev == 1U) {
        /* Last reference released — trigger cleanup */
    }
}

Lock-Free Data Structures

The most common pattern in embedded concurrent programming is the Single-Producer Single-Consumer (SPSC) ring buffer: one writer (often main loop or a DMA callback) and one reader (often a communication task or ISR). With only one producer and one consumer, no atomic operations or critical sections are needed — only memory barriers to prevent out-of-order memory access from breaking the invariant.

SPSC Ring Buffer with Memory Barriers

/**
 * Lock-free SPSC ring buffer for embedded use.
 * Producer (writer) and consumer (reader) each own one index pointer.
 * Only __DMB() barriers are needed — no disabling of interrupts.
 *
 * Safe when producer runs in main context and consumer in ISR (or vice versa).
 * For MPMC (multiple producers/consumers), use atomic CAS instead.
 */
#include "cmsis_compiler.h"
#include 
#include 

#define RING_BUF_SIZE   256U   /* Must be power of 2 */
#define RING_BUF_MASK   (RING_BUF_SIZE - 1U)

typedef struct {
    uint8_t          buf[RING_BUF_SIZE];
    volatile uint32_t head;   /* Written by producer only */
    volatile uint32_t tail;   /* Written by consumer only */
} RingBuf_t;

/**
 * @brief Write one byte to the ring buffer (producer side).
 * @return true on success, false if buffer is full.
 */
bool ring_buf_write(RingBuf_t *rb, uint8_t byte) {
    uint32_t head = rb->head;
    uint32_t next = (head + 1U) & RING_BUF_MASK;

    /* Check full: next == tail means buffer is full */
    if (next == rb->tail) {
        return false;
    }

    rb->buf[head] = byte;

    /* DMB: ensure the data write is visible before updating head */
    __DMB();

    rb->head = next;
    return true;
}

/**
 * @brief Read one byte from the ring buffer (consumer side).
 * @return true on success, false if buffer is empty.
 */
bool ring_buf_read(RingBuf_t *rb, uint8_t *out) {
    uint32_t tail = rb->tail;

    /* Empty check */
    if (tail == rb->head) {
        return false;
    }

    /* DMB: ensure head is read before accessing buf[tail] */
    __DMB();

    *out = rb->buf[tail];
    rb->tail = (tail + 1U) & RING_BUF_MASK;
    return true;
}

/* ---- UART receive ISR -> main loop example ---- */
static RingBuf_t g_uart_rx;

/* Called from UART ISR */
void USART1_IRQHandler(void) {
    if (USART1->SR & USART_SR_RXNE) {
        uint8_t byte = (uint8_t)(USART1->DR & 0xFFU);
        ring_buf_write(&g_uart_rx, byte);   /* no IRQ disable needed */
    }
}

/* Called from main loop */
void process_uart_bytes(void) {
    uint8_t byte;
    while (ring_buf_read(&g_uart_rx, &byte)) {
        /* Process byte */
    }
}

Real-Time Constraint Budgeting

Every professional embedded system has a real-time budget — a table mapping each IRQ to its deadline, worst-case execution time (WCET), and allowable latency. Budget violations cause missed deadlines, corrupted data, communication dropouts, and safety events. The process of constructing and verifying this budget is not optional in production firmware.

The budgeting workflow proceeds in four steps. First, list all interrupt sources, their expected firing rate (Hz), and their hard deadlines. Second, measure worst-case ISR execution time using DWT CYCCNT with all cache misses and bus contention present. Third, calculate CPU utilisation: U = sum(WCET_i * rate_i). Fourth, apply Rate Monotonic Analysis (RMA) — if total utilisation is below the RMA bound (69% for n tasks, or the exact bound), the system is provably schedulable.

/**
 * Real-time budget enforcement: assert that ISR WCET stays within budget.
 * Uses DWT CYCCNT for cycle-accurate measurement.
 * In production, replace assert() with a fault handler or error log.
 */
#include "core_cm4.h"
#include 

/* Budget in clock cycles (168 MHz, 5 µs deadline = 840 cycles) */
#define ADC_ISR_BUDGET_CYCLES   840U

static volatile uint32_t g_adc_wcet = 0U;

void ADC_IRQHandler(void) {
    uint32_t t_enter = DWT->CYCCNT;

    /* --- ISR work: read ADC, run filter, write to shared buffer --- */
    /* ... (your actual ISR code here) ... */

    uint32_t elapsed = DWT->CYCCNT - t_enter;

    /* Track WCET */
    if (elapsed > g_adc_wcet) {
        g_adc_wcet = elapsed;
    }

    /* Hard budget enforcement — violation is a firmware bug */
    assert(elapsed <= ADC_ISR_BUDGET_CYCLES);

    ADC1->SR &= ~ADC_SR_EOC;
}

Exercises

IRQ Latency Planner

Use this tool to document your project's interrupt architecture — MCU, IRQ list with latency budgets, critical section strategy, lock-free structures, and shared resource inventory. Download as Word, Excel, PDF, or PPTX for design-review documentation.

Conclusion & Next Steps

In this article we have covered the full concurrency toolkit for professional ARM Cortex-M firmware:

• DWT CYCCNT measurement gives you cycle-accurate latency data — measure under realistic load with all IRQs active, not just in isolation.
• PRIMASK save/restore is the universal critical section for all Cortex-M cores; always save and restore rather than blindly re-enabling.
• BASEPRI threshold masking is the professional choice on M3/M4/M7/M33 — it keeps safety-critical high-priority ISRs running while protecting lower-priority shared resources.
• LDREX/STREX atomics give you interrupt-transparent compare-and-swap for single 32-bit variables on ARMv7-M and ARMv8-M Main — the building block of all lock-free algorithms.
• SPSC ring buffers with DMB barriers are the correct pattern for ISR-to-task communication — no mutex, no critical section, minimal overhead.
• Build a real-time budget table for every project. Measure WCET, assign priorities by Rate Monotonic rules, and enforce budgets with assertions during development.