Heap corruption diagnostics causing heap corruption?.

ESP_Angus
Posts: 2186
Joined: Sun May 08, 2016 4:11 am

Re: Heap corruption diagnostics causing heap corruption?.

Postby ESP_Angus » Sat Feb 10, 2018 5:14 am

The commit is now in master here:
https://github.com/espressif/esp-idf/co ... d703c13e59

Will be backported to release/v3.0 shortly.
caseymdk wrote: Phew... that seems like a major buffer overrun bug! Was that a serious one or am I misreading/misunderstanding?
I'm not really aware of a non-serious type of memory corruption bug...

The thing here is, usually in realloc if you're shrinking the buffer it shrinks in place. Therefore if you find yourself allocating a new buffer and copying to it then you know it's because old_size is the smaller size. This was probably always true when this code was originally written.

Since then, two situations (mentioned in the commit message) have been added in which this may not be true:

Comprehensive heap checking mode (we don't shrink buffers in place in this mode, to keep the poisoning code manageable).

The feature that you can use heap_caps_realloc() to take a buffer that was in one kind of memory and move it into a different kind of memory, possibly resizing at the same time.

In these cases, a memcpy could happen to the new buffer where size < old_size.

We should have caught this in feature development or testing, but we didn't. Thanks to everyone who persisted in testing and ruling out other sources of corruption.
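To make the shrink-and-move case concrete, here is an added example (not code from esp-idf or from this thread) with a toy arena allocator. Each block is followed by a guard word; the "buggy" realloc copies old_size bytes as the original code did, the "fixed" one copies min(old_size, size). Shrinking a 64-byte block to 16 bytes through the buggy path overwrites the new block's guard, which is exactly the kind of corruption a poisoning heap checker would later flag. All names (toy_alloc, toy_realloc_buggy, toy_realloc_fixed, shrink_preserves_guard) are assumptions for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not esp-idf code: a bump allocator over a fixed arena.
 * Every block is followed by a 4-byte guard word so an overrun into the
 * bytes after the block can be detected. Nothing is ever freed. */
#define GUARD 0xA5A5A5A5u
#define ARENA_SIZE 4096

static unsigned char arena[ARENA_SIZE];
static size_t arena_used = 0;

/* Allocate 'size' bytes and write a guard word right after them. */
static void *toy_alloc(size_t size) {
    size_t need = size + sizeof(unsigned int);
    if (arena_used + need > ARENA_SIZE) return NULL;
    void *p = arena + arena_used;
    arena_used += need;
    unsigned int g = GUARD;
    memcpy((unsigned char *)p + size, &g, sizeof g);
    return p;
}

/* Return 1 if the guard after a block of 'size' bytes is still intact. */
static int guard_intact(const void *p, size_t size) {
    unsigned int g;
    memcpy(&g, (const unsigned char *)p + size, sizeof g);
    return g == GUARD;
}

/* Models the original code: a new block is only allocated when growing, so
 * copying old_size bytes was safe. Once shrinking can also move the block
 * (comprehensive heap checking, or moving between memory types), this
 * memcpy overruns the new block whenever size < old_size. */
static void *toy_realloc_buggy(void *old, size_t old_size, size_t size) {
    void *n = toy_alloc(size);
    if (!n) return NULL;
    memcpy(n, old, old_size);
    return n;
}

/* The fix: never copy more than the smaller of the two sizes. */
static void *toy_realloc_fixed(void *old, size_t old_size, size_t size) {
    void *n = toy_alloc(size);
    if (!n) return NULL;
    memcpy(n, old, size < old_size ? size : old_size);
    return n;
}

typedef void *(*realloc_fn)(void *, size_t, size_t);

/* Shrink a 64-byte block to 16 bytes with the given realloc and report
 * whether the guard after the new block survived (1) or was overwritten (0). */
int shrink_preserves_guard(realloc_fn fn) {
    arena_used = 0;                 /* fresh arena for each run */
    void *old = toy_alloc(64);
    memset(old, 0x11, 64);          /* recognisable payload */
    void *n = fn(old, 64, 16);
    return n != NULL && guard_intact(n, 16);
}

int main(void) {
    printf("buggy realloc: guard intact = %d\n", shrink_preserves_guard(toy_realloc_buggy));
    printf("fixed realloc: guard intact = %d\n", shrink_preserves_guard(toy_realloc_fixed));
    return 0;
}
```

With the buggy path the 64-byte copy runs 48 bytes past the end of the 16-byte block and lands on the guard; the fixed path leaves it untouched. A real heap's poisoning check catches the same overrun, but only later, at the next integrity check, which is why the original symptom looked like the diagnostics themselves were causing corruption.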

caseymdk
Posts: 15
Joined: Wed Feb 07, 2018 2:35 am

Re: Heap corruption diagnostics causing heap corruption?.

Postby caseymdk » Sat Feb 10, 2018 6:10 am

ESP_Angus wrote: I'm not really aware of a non serious type of memory corruption bug...
Good point. Cheers Angus.

Ritu21
Posts: 123
Joined: Sat Aug 04, 2018 9:58 am

Re: Heap corruption diagnostics causing heap corruption?.

Postby Ritu21 » Fri May 17, 2019 8:40 am

Hi,

I am re-opening this issue as I am going through the same. I really don't know who is the culprit, but in my code I am using cJSON over both TCP and HTTP platforms. After around 400-500 RFID card swipes (this data is sent to HTTP and TCP servers), HTTP starts giving (0x4290) & (0x7f00) errors, after which the device doesn't recover and ends up rebooting. TCP produces a LoadProhibited error as below:

Guru Meditation Error: Core 0 panic'ed (LoadProhibited). Exception was unhandled.
Core 0 register dump:
PC : 0x400013f9 PS : 0x00060630 A0 : 0x800ea2a2 A1 : 0x3ffec3f0
A2 : 0x3ffecad4 A3 : 0x00000000 A4 : 0x000000ff A5 : 0x0000ff00
A6 : 0x00ff0000 A7 : 0xff000000 A8 : 0x00000000 A9 : 0x3ffec390
A10 : 0x3ffecad4 A11 : 0x00000001 A12 : 0x3ffb1df0 A13 : 0x00000010
A14 : 0x00000000 A15 : 0xff000000 SAR : 0x00000016 EXCCAUSE: 0x0000001c
EXCVADDR: 0x00000000 LBEG : 0x400013f9 LEND : 0x4000140d LCOUNT : 0xffffffff

ELF file SHA256: f7c74c8f8c46f47fa0097c00699cca580346f9edde34a68fc9a3ad7daf80e1ff

Backtrace: 0x400013f9:0x3ffec3f0 0x400ea29f:0x3ffec400 0x400d3e09:0x3ffec680 0x4008def5:0x3ffecfb0

Also, enabled comprehensive mode for heap debugging and called the functions below:
heap_caps_check_integrity_all(true);   // print any corrupted block found
freeheap1 = xPortGetFreeHeapSize();    // returns size_t
printf("xPortGetFreeHeapSize = %u bytes\n", (unsigned) freeheap1);
Free heap size kept decreasing after every HTTP and TCP call.

I am deleting and freeing cJSON objects and char * after every call.

Wi-Fi also starts having issues, repeatedly trying to reconnect.

Could you please suggest how to resolve this issue?

Waiting for your response.

Thanks
Ritu.
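A free-heap reading that is lower after one request proves little on its own, since in-flight socket buffers and fragmentation also move the number. What points to a leak is the reading making new lows request after request without ever recovering. The following added example (not from this thread or from ESP-IDF; analyze_heap, heap_trend and the sample series are constructed for illustration) applies that rule to a window of per-request readings such as the ones printed in the loop above:

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not ESP-IDF code: decide whether a series of free-heap
 * readings (one per request) shows a steady leak or only noise.
 *
 * Rule: a leak is reported when the net drop from the first to the last
 * reading exceeds 'threshold' bytes AND at least half of the readings set
 * a new low-water mark, i.e. free heap keeps making new minimums instead
 * of bouncing back to its earlier level. */
typedef struct {
    long net_drop;       /* first - last, bytes lost over the window */
    size_t new_lows;     /* readings that were a new minimum so far */
    int leaking;         /* 1 if the rule above fires */
} heap_trend;

heap_trend analyze_heap(const size_t *samples, size_t n, long threshold) {
    heap_trend t = {0, 0, 0};
    if (n < 2) return t;
    size_t low = samples[0];
    for (size_t i = 1; i < n; i++) {
        if (samples[i] < low) {
            low = samples[i];
            t.new_lows++;
        }
    }
    t.net_drop = (long)samples[0] - (long)samples[n - 1];
    t.leaking = (t.net_drop > threshold) && (t.new_lows * 2 >= n - 1);
    return t;
}

/* Constructed readings: roughly 120 bytes lost on every request,
 * the pattern of an object or buffer that is never freed. */
static const size_t leaking_series[] = {
    180000, 179880, 179760, 179650, 179520, 179400, 179290, 179160
};

/* Constructed readings: dips that recover, as with buffers still in
 * flight when the reading was taken, or fragmentation. */
static const size_t stable_series[] = {
    180000, 179500, 180000, 179200, 179900, 180000, 179600, 180000
};

/* Convenience wrapper with a 256-byte tolerance for the net drop. */
int leak_detected(const size_t *s, size_t n) {
    return analyze_heap(s, n, 256).leaking;
}

int main(void) {
    heap_trend a = analyze_heap(leaking_series, 8, 256);
    heap_trend b = analyze_heap(stable_series, 8, 256);
    printf("leaking series: net drop %ld, new lows %zu, leaking=%d\n",
           a.net_drop, a.new_lows, a.leaking);
    printf("stable series:  net drop %ld, new lows %zu, leaking=%d\n",
           b.net_drop, b.new_lows, b.leaking);
    return 0;
}
```

On a real device the readings would come from the free-heap call in the loop above, taken at the same point of each request cycle; the window should be long enough (tens of requests) that a single in-flight buffer cannot dominate the trend.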
