XC878 WDT broken?

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
Not applicable
After all my tests I can only come to the conclusion that the WDT of the XC878 is broken and not fit for use unless your application meets some requirements:

- You use no NMIs
- You use the CCLK/128 prescaler

Two things strike me as problems by design:
1) The WDT uses the same clock as the entire µC, even when the source is external
The issue I have with that are PLL loss of clock occurrences. I have an ISR that does recovery, but it only succeeds most of the time, not always. If it doesn't the WDT will be slower by the same margin everything else has become by switching to the internal clock.

Now imagine all your software assumes the wrong clock speed. You're cut off and useless, no longer able to communicate with the outside world. You cannot speak CAN, serial protocols and your PWM signals have the wrong base frequency. The only sensible cause is a reset. And the WDT doesn't, because it's running at the same way too slow speed.

2) The WDTCON.WDTRS (refresh start) bit is protected
At first sight this is a good idea, it protects the WDTRS bit from stray writes by faulty access to NMICON, PMICON2 or PASSWD. However there is a drawback. It means you need to mask interrupts, because the PASSWD register forgets that it was unlocked after 32 cycles.

And even worse, NMIs cannot be masked. So occasionally (e.g. when using the flash timer) some WDTRS writes simply won't count, I think everyone who knows what a WDT is good for knows that this must not happen. It only can be worked around with by refreshing at a much higher frequency than required and hoping for the best.



Apart from that some things appear to be plain hardware bugs. I measured the WDTRS intervals, so I am without doubt.

1) The WDT must be started late
The WDT resets the device without an overflow if started too soon. The µC must be running for some unspecified time before the WDT may be started. The issue is much worse when the CCLK/2 prescaler is used. If the WDT is started too early (e.g. because the boot process is simply not long enough), the only way to survive I have found is to flood it with WDTRS for a while.

2) NMIs break it
Even if I set up the WDT with its maximum interval, the µC is reset once I initiate a flash write. My flash writes use the NMIFLASH interrupt source and for the duration of the write that means an NMI every 5µs. Setting WDTRS is a challenge under these circumstances, however a flash write doesn't take 350ms. It actually takes less than 4 ms.
0 Likes
2 Replies
Juergen
Employee
Employee
Hi Kamikaze,

Thanks for this thourough investigation, this is really valuable input. May I ask what the application is?

Best Regards
Jurgen
0 Likes
Not applicable
Steering wheel
- LEDs/Displays with ICM7228
- 2 Clutch Pedals (analogue, we plan to switch to digital pulse generators)
- A couple of buttons

Gearbox
- PWM controlled servo
- Some motors

Automatic Fuse Box
- TLD5095EL based SEPIC circuit for the brake light
- BTS50050 based power channels

There are some more, but those are the most interesting. Feel free to ask specific questions.

They all are configurable to a degree, the configurations are stored in the D-Flash. We don't use the boot loader flash functions and instead have implemented the eeprom emulation as a state machine in the NMI. This way we don't block the µC entirely.
0 Likes