espressif / arduino-esp32

Arduino core for the ESP32
GNU Lesser General Public License v2.1

Crash in WiFiScanClass::_scanDone() with negative scan result #8952

Open TD-er opened 9 months ago

TD-er commented 9 months ago

Board

Any

Device Description

Not related to device, but crash happens on ESP32-C2 and -C3

Hardware Configuration

Not HW related

Version

latest master (checkout manually)

IDE Name

PlatformIO

Operating System

Windows 11

Flash frequency

40MHz

PSRAM enabled

no

Upload speed

115200

Description

I get crashes related to the new-operator when processing results from a WiFi scan. It seems to be caused by the code in this function: https://github.com/espressif/arduino-esp32/blob/b811ea40875bbfbf8bd62b4038879ac7be2c2e2b/libraries/WiFi/src/WiFiScan.cpp#L109-L121

As can be seen, there is no check for negative scan results as the type of _scanCount is a uint16_t. However the result of a scan can be negative, so maybe there is some conversion somewhere to this unsigned value and thus resulting in an attempt to allocate 65k elements of wifi_ap_record_t, which does fail at least on a C2.

Sketch

-

Debug Message

abort() was called at PC 0x420e944d on core 0
=> 0x420e944d: __wrap__Unwind_RaiseException at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/cxx/cxx_exception_stubs.cpp:156
Core  0 register dump:
MEPC    : 0x40381ce8  RA      : 0x40385308  SP      : 0x3fcbb380  GP      : 0x3fca8e60
=> 0x40381ce8: panic_abort at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/esp_system/panic.c:471
=> 0x40385308: __ubsan_include at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/esp_system/ubsan.c:313
TP      : 0x3fc92268  T0      : 0x37363534  T1      : 0x7271706f  T2      : 0x33323130
S0/FP   : 0x3fcbb3ac  S1      : 0x3fcbb390  A0      : 0x3fcbb3ac  A1      : 0x3fcbb38e
A2      : 0x00000000  A3      : 0x3fcbb3d9  A4      : 0x00000001  A5      : 0x3fcb3000
A6      : 0x00000000  A7      : 0x76757473  S2      : 0x3fcab6d0  S3      : 0x3fcab810
S4      : 0x3fcb3000  S5      : 0x00000029  S6      : 0x00000000  S7      : 0x00000000
S8      : 0x00000000  S9      : 0x00000000  S10     : 0x00000000  S11     : 0x00000000
T3      : 0x6e6d6c6b  T4      : 0x6a696867  T5      : 0x66656463  T6      : 0x62613938
MSTATUS : 0x00001801  MTVEC   : 0x40380001  MCAUSE  : 0x00000007  MTVAL   : 0x00000000
=> 0x40380001: _vector_table at ??:?
MHARTID : 0x00000000

Stack memory:
3fcbb380: 0x3fcab6d0 0x3fcc132c 0x3fcb3b10 0x40380030 0x65303234 0x64343439 0x3fcb3000 0x3fcab0b0
=> 0x40380030: _vector_table at ??:?
3fcbb3a0: 0x3fcbb390 0x3fcab0cc 0x3fcbb38c 0x726f6261 0x20292874 0x20736177 0x6c6c6163 0x61206465
3fcbb3c0: 0x43502074 0x34783020 0x39653032 0x20643434 0x63206e6f 0x2065726f 0x00000030 0x420e0000
=> 0x43502074: ?? ??:0
=> 0x420e0000: cnx_do_handoff at wl_cnx.o:?
3fcbb3e0: 0x3fcab6d0 0x3fcc1284 0x3fcc138c 0x420e9450 0x3fcab6d0 0x3fcc1284 0x420e8e68 0x3c12774c
=> 0x420e9450: __wrap___gxx_personality_v0 at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/cxx/cxx_exception_stubs.cpp:33
      (inlined by) __wrap___gxx_personality_v0 at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/cxx/cxx_exception_stubs.cpp:185
=> 0x420e8e68: std::bad_alloc::~bad_alloc() at /builds/idf/crosstool-NG/.build/HOST-x86_64-w64-mingw32/riscv32-esp-elf/src/gcc/libstdc++-v3/libsupc++/bad_alloc.cc:28
3fcbb400: 0x3fcab6d0 0x3fcc1284 0x00000498 0x420e856e 0x3fcab6d0 0x3fcc046c 0x3fcb3000 0x420073ee
=> 0x420e856e: operator new(unsigned int) at /builds/idf/crosstool-NG/.build/HOST-x86_64-w64-mingw32/riscv32-esp-elf/src/gcc/libstdc++-v3/libsupc++/new_op.cc:55
=> 0x420073ee: WiFiScanClass::_scanDone() at C:/Users/gijsn/.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiScan.cpp:113
      (inlined by) WiFiGenericClass::_eventCallback(arduino_event_t*) at C:/Users/gijsn/.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.cpp:1044
      (inlined by) _arduino_event_task at C:/Users/gijsn/.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.cpp:307
3fcbb420: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0x3fcc1284 0x3c101d88 0x00000000
3fcbb440: 0x00000000 0x00000000 0x00000000 0xa5a5a500 0xa5a5a500 0x3c101d88 0x00000000 0x00000000
3fcbb460: 0x00000000 0x00000000 0xa5a5a500 0xa5a5a500 0x00000002 0x00000000 0x00000000 0x00000000
3fcbb480: 0x00000000 0xa5a5a500 0xa5a5a500 0x00000010 0x00000000 0x4203a166 0x00000000 0x420388da
=> 0x4203a166: WiFiEvent(arduino_event_id_t, arduino_event_info_t) at src/src/ESPEasyCore/ESPEasyWiFiEvent.cpp:61
=> 0x420388da: std::_Function_handler<void (arduino_event_id_t, arduino_event_info_t), void (*)(arduino_event_id_t, arduino_event_info_t)>::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation) at c:\users\gijsn\.platformio\packages\toolchain-riscv32-esp\riscv32-esp-elf\include\c++\12.2.0\bits/std_function.h:267
3fcbb4a0: 0x420388aa 0x00000000 0x00000029 0x3fca8e60 0x3fc91258 0x4038553e 0x40385a14 0xffffffff
=> 0x420388aa: std::_Function_handler<void (arduino_event_id_t, arduino_event_info_t), void (*)(arduino_event_id_t, arduino_event_info_t)>::_M_invoke(std::_Any_data const&, arduino_event_id_t&&, arduino_event_info_t&&) at c:\users\gijsn\.platformio\packages\toolchain-riscv32-esp\riscv32-esp-elf\include\c++\12.2.0\bits/std_function.h:288
=> 0x4038553e: vPortEnterCritical at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:323
=> 0x40385a14: xTaskIncrementTick at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/tasks.c:3345
      (inlined by) xTaskIncrementTick at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/tasks.c:3294
3fcbb4c0: 0x3fcb6e04 0x00000000 0x00000001 0x00000001 0x00000014 0x00000004 0x00000001 0x600c0000
3fcbb4e0: 0x00000010 0x00000000 0x3fcba510 0xffffffff 0xffffffff 0x00000000 0x00000000 0x00000000
3fcbb500: 0xffffffff 0x00000000 0x3fcb7068 0x420f7d28 0x420f7e72 0x3fcb7068 0x00000000 0xffffffff
=> 0x420f7d28: xQueueSemaphoreTake at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:1675
=> 0x420f7e72: xQueueTakeMutexRecursive at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:788
3fcbb520: 0x3fcba510 0x00000000 0x3fcb6e04 0x420f7cd6 0x00000000 0x00000000 0xffffffff 0xffffffff
=> 0x420f7cd6: xQueueReceive at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:1495
3fcbb540: 0x00000000 0x00000000 0x3fcb7068 0x420f7e72 0x00000000 0x00000000 0xffffffff 0xffffffff
=> 0x420f7e72: xQueueTakeMutexRecursive at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:788
3fcbb560: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbb580: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
3fcbb5a0: 0xa5a5a5a5 0xa5a5a5a5 0xbaad5678 0x00000160 0xabba1234 0x00000154 0x3fcbb350 0x0015fd1b
3fcbb5c0: 0x3fcae284 0x3fcae284 0x3fcbb5b8 0x3fcae27c 0x00000006 0x3fcb6d24 0x3fcb6d24 0x3fcbb5b8
3fcbb5e0: 0x00000000 0x00000013 0x3fcba5a8 0x75647261 0x5f6f6e69 0x6e657665 0x00007374 0x00000000
3fcbb600: 0x3fcbb5a0 0x00000013 0x00000000 0x3fcc2130 0x4208e272 0x00000000 0x3fcb371c 0x3fcb3784
=> 0x4208e272: pthread_cleanup_thread_specific_data_callback at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/pthread/pthread_local_storage.c:126
3fcbb620: 0x3fcb37ec 0x00000000 0x00000000 0x00000001 0x00000000 0x00000000 0x00000000 0x420f0e7a
=> 0x420f0e7a: _cleanup_r at /builds/idf/crosstool-NG/.build/HOST-x86_64-w64-mingw32/riscv32-esp-elf/src/newlib/newlib/libc/stdio/findfp.c:229
3fcbb640: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbb660: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbb680: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbb6a0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbb6c0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbb6e0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcbb700: 0x00000000 0x00000000 0x1a000000 0xbaad5678 0x0000001c 0xabba1234 0x00000010 0x3c126548
3fcbb720: 0x3fcbb73c 0x00000000 0x3fcbb76c 0xbaad5678 0x00000014 0xabba1234 0x00000008 0x3fcbb754
3fcbb740: 0x3fcc0850 0xbaad5678 0x00000014 0xabba1234 0x00000008 0x4200154c 0x00000000 0xbaad5678
=> 0x4200154c: _arduino_event_cb(void*, char const*, int, void*) at C:/Users/gijsn/.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.cpp:334
3fcbb760: 0x0000001c 0xabba1234 0x00000010 0x3c126558 0x3fcbb78c 0x00000000 0x3fcceb50 0xbaad5678

Other Steps to Reproduce

No response

I have checked existing issues, online documentation and the Troubleshooting Guide

TD-er commented 9 months ago

I'm looking into this code a bit more and there are lots of really strange things here.

For example:

void * WiFiScanClass::_getScanInfoByIndex(int i)
{
    if(!WiFiScanClass::_scanResult || (size_t) i >= WiFiScanClass::_scanCount) {
        return 0;
    }
    return reinterpret_cast<wifi_ap_record_t*>(WiFiScanClass::_scanResult) + i;
}

A very tricky way to not check for i < 0.

One of the return statements in WiFiScanClass::scanNetworks(...):

        if(WiFiGenericClass::waitStatusBits(WIFI_SCAN_DONE_BIT, 10000)){
            return (int16_t) WiFiScanClass::_scanCount;
        }

So this clearly shows it should be considered a signed int, as does int16_t WiFiScanClass::scanComplete().

I can't find what has been changed recently, so no idea why it is now completely unusable where it was running fine on previous ESP-IDF5.1 builds I made. The code I mentioned here doesn't seem to have changed in years.

Edit: Forgot to mention, but it might also be a memory leak, as there is no check to see if the array _scanResult wasn't already allocated.

TD-er commented 9 months ago

Not sure if it can be used on array allocations, but isn't the simplest fix to just do new (std::nothrow) here?
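An added example, not part of the issue thread or of the arduino-esp32 source: a host-side C++ sketch of the failure mode described in the comments above (a negative scan status stored in a uint16_t count) next to a guarded allocation that uses `new (std::nothrow)` on an array. `ApRecord`, `ScanResults`, `AllocStatus`, the status constants and the `maxRecords` cap are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>

// Stand-in for wifi_ap_record_t; fields and size are constructed for this example.
struct ApRecord {
    uint8_t bssid[6];
    char    ssid[33];
    int8_t  rssi;
    uint8_t channel;
};

// Negative scan status codes as discussed in the thread (-1 running, -2 failed).
constexpr int16_t kScanRunning = -1;
constexpr int16_t kScanFailed  = -2;

// Value a uint16_t counter holds after a signed status is assigned to it.
uint16_t storedCount(int16_t status) { return static_cast<uint16_t>(status); }

// Bytes that `new ApRecord[count]` asks the heap for.
size_t requestedBytes(uint16_t count) { return static_cast<size_t>(count) * sizeof(ApRecord); }

enum class AllocStatus { Ok, Empty, BadCount, OutOfMemory };

// Hypothetical owner of the result array (not the WiFiScanClass implementation).
class ScanResults {
public:
    ScanResults() = default;
    ScanResults(const ScanResults&) = delete;
    ScanResults& operator=(const ScanResults&) = delete;
    ~ScanResults() { clear(); }

    // `found` stays signed so a status code is rejected instead of wrapping.
    AllocStatus allocate(int32_t found, uint16_t maxRecords) {
        clear();  // free the previous array first so repeated scans do not leak
        if (found < 0) return AllocStatus::BadCount;
        // Clamp to the caller's cap; the array size is the maximum number of entries.
        const uint16_t n = found > maxRecords ? maxRecords : static_cast<uint16_t>(found);
        if (n == 0) return AllocStatus::Empty;
        // nothrow form works for arrays too: nullptr on failure, no std::bad_alloc.
        records_ = new (std::nothrow) ApRecord[n];
        if (records_ == nullptr) return AllocStatus::OutOfMemory;
        count_ = n;
        return AllocStatus::Ok;
    }

    // Explicit i < 0 check instead of relying on the (size_t) cast.
    const ApRecord* at(int i) const {
        if (records_ == nullptr || i < 0 || static_cast<size_t>(i) >= count_) return nullptr;
        return records_ + i;
    }

    uint16_t count() const { return count_; }

    void clear() {
        delete[] records_;
        records_ = nullptr;
        count_ = 0;
    }

private:
    ApRecord* records_ = nullptr;
    uint16_t  count_   = 0;
};

int main() {
    const int16_t statuses[] = {kScanRunning, kScanFailed};
    for (int16_t s : statuses) {
        std::printf("status %d stored as %u -> %zu bytes requested\n",
                    static_cast<int>(s), static_cast<unsigned>(storedCount(s)),
                    requestedBytes(storedCount(s)));
    }
    ScanResults results;
    const bool rejected = results.allocate(kScanFailed, 64) == AllocStatus::BadCount;
    std::printf("guarded allocate(-2): %s\n", rejected ? "rejected" : "allocated");
    return 0;
}
```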

P-R-O-C-H-Y commented 9 months ago

@SuGlider Can you please take a look as you are now investigating WiFi changes? Thanks

SuGlider commented 9 months ago

@TD-er - Please provide a sketch that I can use to reproduce this issue.

SuGlider commented 9 months ago

It is not clear to me how and why you need to use _scanDone() in your sketch.

This function will be called from the WiFi Event Callback only when it gets ARDUINO_EVENT_WIFI_SCAN_DONE. Therefore, the number _scanResult is positive or zero. Never negative.

TD-er commented 9 months ago

It is being called when the scan is done. I can't not call it.

It's called from:

esp_err_t WiFiGenericClass::_eventCallback(arduino_event_t *event)

with event ID ARDUINO_EVENT_WIFI_SCAN_DONE

SuGlider commented 9 months ago

Sorry, you replied fast... :-) -- I was editing my reply - including exactly what you wrote. Anyway I can't reproduce the issue.

SuGlider commented 9 months ago

I need some sketch that I can use to reproduce this issue and find out what could be its cause.

TD-er commented 9 months ago

> This function will be called from the WiFi Event Callback only when it gets ARDUINO_EVENT_WIFI_SCAN_DONE. Therefore, the number _scanResult is positive or zero. Never negative.

But what if the scan is called again while busy or failed? Then it is assigned a negative value, stored in an unsigned int, thus the argument for the new call can request a really large array. On the ESP32-C2 this is very likely to fail due to its more limited amount of memory.

I have to think about some short sketch to reproduce, as you probably don't think "the entire ESPEasy project" is "a short sketch" ;)

SuGlider commented 9 months ago

In my opinion, _scanDone() should never be called by the user side (sketch). It is meant to be called only when the WiFi Event Handler needs to fill up the list of scanned SSIDs.

If the sketch calls it, the code must make sure that the previous array was deleted, freeing the memory, and that a previous scan process has succeeded.

TD-er commented 9 months ago

I don't call it, it is called from the Arduino callback function. Only thing I did was register events so I can act on those events too. But _scanDone() is not something I call.

SuGlider commented 9 months ago

Can you point me out the code in the ESPEasy project where WiFi Scan takes place?

SuGlider commented 9 months ago

Reading the ESPEasy Project code, I see that the issue seems to be related to Async WiFi Scan...

TD-er commented 9 months ago

> Can you point me out the code in the ESPEasy project where WiFi Scan takes place?

It happened while working on the PR for IDF5.1. So this is on this branch: https://github.com/TD-er/ESPEasy/blob/2dbb2f770b208ee623a04ced081f8d366e91f2ba/src/src/ESPEasyCore/ESPEasyWifi.cpp#L982

TD-er commented 9 months ago

> Reading the ESPEasy Project code, I see that the issue seems to be related to Async WiFi Scan...

Ehh wow, you read through all that WiFi code in under 6 minutes? Impressive!

Edit: Now you'll understand why I am so keen on having a major rewrite/restructure on the Arduino WiFi/Eth/Network code base. So I can get rid of this extremely complex legacy of 5+ years of working around very odd WiFi/Network issues and start over making a lean and clean network interfacing class for ESPEasy.

TD-er commented 9 months ago

I just thought of this recent change I made after reporting this issue:

https://github.com/TD-er/ESPEasy/blob/2dbb2f770b208ee623a04ced081f8d366e91f2ba/src/src/ESPEasyCore/ESPEasyWifi.cpp#L1069-L1082

This disconnect code is now wrapped in #if ESP_IDF_VERSION_MAJOR<5 ... #endif but was present when I ran into these issues. Perhaps this also caused a new call to scan before the previous scan was done? Or maybe the disconnect also changed something causing the scan to fail -> scancount being -1 or -2 => malloc fail.

SuGlider commented 9 months ago

Ok, I've read some other pieces of code here and there, but it is not clear why the issue happens. It seems to depend on the sequence of how the WiFi Scan functions are called. All I can say is that I see no issue in the Arduino Core WiFi Scan code. It follows the IDF model.

I may try to help it by describing how WiFi Async Scan should work:

1- scanNetworks(false, ....) will return immediately with code -1 (WIFI_SCAN_RUNNING).
2- Whenever the IDF WiFi scan is done, the event loop will fill up the array with the list of SSIDs using _scanDone()
3- The code can check if the Scanning is done by getting the status from scanComplete()
4- The possible results from scanNetworks(false, ....) or scanComplete() are:

5- From one WiFi Scan to another it is necessary to release the array memory by calling WiFi.scanDelete();, otherwise the sketch will leak memory and fail after a while.

TD-er commented 9 months ago

But as I mentioned before, the _scanCount is unsigned, so if you consider negative values, the new wifi_ap_record_t[WiFiScanClass::_scanCount]; call attempts to allocate something very large. See: https://github.com/espressif/arduino-esp32/blob/b811ea40875bbfbf8bd62b4038879ac7be2c2e2b/libraries/WiFi/src/WiFiScan.cpp#L109-L121

N.B. This also doesn't check for the current value of the pointer, so it might be possible this also introduces a memory leak.

SuGlider commented 9 months ago

I can't see a reason for making _scanCount a negative value (or a very high unsigned value).

There are only two places when scanCount is changed to a value different than zero, both in _scanDone()

in the line: esp_wifi_scan_get_ap_num(&(WiFiScanClass::_scanCount)); which will change scanCount to the number of APs found in last scan, since it is called only after completing a WiFi Scan.

IDF documentation says: Attention: This API can only be called when the scan is completed, otherwise it may get wrong value.

Also in _scanDone() in the line: if(!WiFiScanClass::_scanResult || esp_wifi_scan_get_ap_records(&(WiFiScanClass::_scanCount), (wifi_ap_record_t*)_scanResult) != ESP_OK) { Here it is used as Input and Output. As Input, it defines the Maximum number of entries in the array. As Output, it will return the actual number of Networks scanned by IDF.

SuGlider commented 9 months ago

In other words, void WiFiScanClass::_scanDone() shall only be called after the WiFi Event ARDUINO_EVENT_WIFI_SCAN_DONE. Otherwise the result is unpredictable.

Any sketch that wants to scan WiFi shall follow the right sequence as in the Arduino WiFi example (although it doesn't use the Asynch mode).

SuGlider commented 9 months ago

A valid code should be like this:

  if (WiFi.scanComplete() > 0) _scanDone();

TD-er commented 9 months ago

Yep, but like I said, I don't call this _scanDone() function myself. But having this right before the actual call to this function is of course already an extra guard.

SuGlider commented 9 months ago

I need a sketch that can reproduce the issue. At this point I can't dig in. Something I noticed by analyzing the logs is that from => 0x420073ee: WiFiScanClass::_scanDone() at C:/Users/gijsn/.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiScan.cpp:113

The Line 113 is not in the _scanDone() code. Maybe PlatformIO has some different core code for it? Maybe if you try to build it and test it using Arduino IDE using Core 3.0.0-alpha3 (latest with IDF 5.1), the error will be gone.

TD-er commented 9 months ago

I will try to make a small sketch for it.

TD-er commented 9 months ago

> The Line 113 is not in the _scanDone() code. Maybe PlatformIO has some different core code for it?

Ehhm are we looking at the same code? This is the master branch of arduino-esp32:

https://github.com/espressif/arduino-esp32/blob/51cb927712e512664a0a0f7b1219fdc18e11b857/libraries/WiFi/src/WiFiScan.cpp#L109-L121

SuGlider commented 9 months ago

I see... My bad. I don't remember where I looked this line 113.

I'll wait for the sketch that demonstrates the issue. Thanks!

SuGlider commented 9 months ago

I have created an example that uses Async WiFi Scanning. I've done a change to the scanComplete() function.

Do you want to try this change to check if it may fix ESPEasy Project? https://github.com/espressif/arduino-esp32/pull/8981/files#diff-bace60178f098d80f1b271ad8ffff33f935644dfad66894478bf3a5969dc7b57 in WiFiScan.cpp file

SuGlider commented 9 months ago

The issue fixed in scanComplete() is related to timeout in Async Mode. It returned an error code, but it should wait a bit more instead.

Added Note:

I think that this change may solve some issue related to ESPEasyCore/ESPEasyWiFi_ProcessEvent.cpp::processScanDone()

TD-er commented 9 months ago

Had a few personal issues the past few days, but will now try to see if I can still reproduce and hopefully no longer reproduce when applying your suggestions.

TD-er commented 9 months ago

> I have created an example that uses Async WiFi Scanning. I've done a change to the scanComplete() function.
>
> Do you want to try this change to check if it may fix ESPEasy Project? https://github.com/espressif/arduino-esp32/pull/8981/files#diff-bace60178f098d80f1b271ad8ffff33f935644dfad66894478bf3a5969dc7b57 in WiFiScan.cpp file

Tried it and it is still crashing.


09.060 : (96084) Info   : firstLoopConnectionsEstablished
36.764 : (92720) Info   : WiFi : Start network scan all channels
43.511 : (84460) Info   : WiFi : Scan finished, found: 15
43.520 : (83596) Info   : WiFi : Best AP candidate: Lurch4 3C:37:12:AB:0B:F8 Ch:1 (-31dBm)WPA2/PSK (bgn)
43.525 : (83780) Info   : WiFi : Disconnect after scan
43.527 : (83780) Info   : WiFi : WifiDisconnect()
Guru Meditation Error: Core  0 panic'ed (Load access fault). Exception was unhandled.

Core  0 register dump:
MEPC    : 0x4004b292  RA      : 0x420f5338  SP      : 0x3fcb6950  GP      : 0x3fca8ed0  
=> 0x4004b292: ?? ??:0
=> 0x420f5338: ieee80211_output_do at ??:?
TP      : 0x3fc8d838  T0      : 0x403855ac  T1      : 0x4038585a  T2      : 0x144f7821  
=> 0x403855ac: vPortEnterCritical at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:323
=> 0x4038585a: xQueueGiveFromISR at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:1370
S0/FP   : 0x3fce0000  S1      : 0x3fce0000  A0      : 0x00000000  A1      : 0x3fcc3b4a
A2      : 0x3fcb697c  A3      : 0x3fcb6c04  A4      : 0x3fcb3000  A5      : 0x00000000
A6      : 0x00000004  A7      : 0x00000001  S2      : 0x3fce0000  S3      : 0x3fcb0de4
S4      : 0x0000002a  S5      : 0x3fcc3b4a  S6      : 0x00000000  S7      : 0x00000000
S8      : 0x3fcbbe74  S9      : 0x00000001  S10     : 0x00000000  S11     : 0x00000000
T3      : 0x0000000a  T4      : 0x00000000  T5      : 0x00000000  T6      : 0x00000006
MSTATUS : 0x00001881  MTVEC   : 0x40380001  MCAUSE  : 0x00000005  MTVAL   : 0x00000018
=> 0x40380001: _vector_table at ??:?
MHARTID : 0x00000000

Stack memory:
3fcb6950: 0x3fcb3130 0x0000003c 0x3fcc3b38 0xffffffff 0x00000000 0x3fce0000 0x3fce0000 0x420f531c
=> 0x420f531c: ieee80211_output_do at ??:?
3fcb6970: 0x00000000 0x00000001 0x3fcbbe74 0x00000000 0x3fcbbda0 0x3fcb6b38 0x3c1259bc 0x3c1259b4
3fcb6990: 0x3fcbbda0 0x3fcb6b38 0x3c1259bc 0x3fcbbe74 0x3fcbbd9c 0x3fcc3b38 0x3fcbbcf4 0x420ade78
=> 0x420ade78: low_level_output at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/esp_netif/lwip/netif/wlanif.c:90
3fcb69b0: 0x0000001c 0x3fcbbd9c 0x0000000e 0x4209b78c 0x3fcbbd9c 0x3fcc3b38 0x00000006 0x420a9e9e
=> 0x4209b78c: mem_malloc at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/mem.c:209
=> 0x420a9e9e: ethernet_output at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/netif/ethernet.c:319
3fcb69d0: 0x3fcbbda0 0x3fcb6b38 0x3c1259bc 0x3fcbbe74 0x3fcbbd9c 0x3fcc3b38 0x3fcc3b58 0x420a3a98
=> 0x420a3a98: etharp_raw at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/ipv4/etharp.c:1177
3fcb69f0: 0x00000000 0x00000000 0x00000011 0x00000000 0x3fcb3000 0x00000002 0x3fcaf8fc 0x3fcb6b38
3fcb6a10: 0x3fcaf92c 0x3fcbbd9c 0x3fcc6100 0x420a3df8 0x420ac57a 0x420ac5f6 0x3fcb6aa0 0x3fca8ed0
=> 0x420a3df8: etharp_query at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/ipv4/etharp.c:995
=> 0x420ac57a: lwip_standard_chksum at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/inet_chksum.c:150
=> 0x420ac5f6: inet_cksum_pseudo_base at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/inet_chksum.c:269
3fcb6a30: 0x3fcb3000 0x3fcbbda0 0x3fcbbd9c 0x3fcb6b38 0x3fcc6100 0x3fcb6b38 0x3fcbbd9c 0x420a3fe2
=> 0x420a3fe2: etharp_output at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/ipv4/etharp.c:890
3fcb6a50: 0x00000000 0x00000001 0x0001cd58 0x00000000 0x3fcc6100 0x00010c0f 0x3fcc6140 0x420a4f8e
=> 0x420a4f8e: ip4_output_if_opt_src at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/ipv4/ip4.c:1057
3fcb6a70: 0x0000ffff 0x0000013c 0x00000000 0x00000043 0x00000000 0x00000000 0x00000000 0x00000043
3fcb6a90: 0x3fcbbd9c 0x3fcbbda0 0x3fcc6100 0x3fcb6b38 0x3fcc6100 0x3fcc3bdc 0x3fcc6154 0x420a4fec
=> 0x420a4fec: ip4_output_if_src at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/ipv4/ip4.c:876
3fcb6ab0: 0x00000000 0x3fcc3bdc 0x3fcc6154 0x420ac6de 0x3fcc6100 0x3fcc3bdc 0x3fcc6154 0x420a1d24
=> 0x420ac6de: ip_chksum_pseudo at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/inet_chksum.c:392
=> 0x420a1d24: udp_sendto_if_src at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/udp.c:904 (discriminator 4)
3fcb6ad0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000004 0x3fcc615c 0x00000043 0x3fcc6100
3fcb6af0: 0x3fcb6b38 0x3fcbbd9c 0x3fcc3bdc 0x420a1d9a 0x3fcc1fd4 0x3fcbbd9c 0x3fcb3000 0x420a22ce
=> 0x420a1d9a: udp_sendto_if at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/udp.c:703
=> 0x420a22ce: dhcp_create_msg at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/ipv4/dhcp.c:2013
3fcb6b10: 0x00000004 0x3fcc615c 0x00000005 0x3fcc624c 0x3fcc6100 0x3fcbbd9c 0x3fcc1fd4 0x420a3486
=> 0x420a3486: dhcp_release_and_stop at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/core/ipv4/dhcp.c:1458
3fcb6b30: 0x00000004 0x00120003 0x010aa8c0 0x00000000 0x00000000 0x00000000 0x00000000 0x0000a900
3fcb6b50: 0x00000004 0x00000003 0x3fcc4eb4 0x00000002 0x3fcb3000 0x3fcbbd9c 0x3fcbbcf4 0x420ad0aa
=> 0x420ad0aa: esp_netif_down_api at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/esp_netif/lwip/esp_netif_lwip.c:1655
3fcb6b70: 0x00000004 0x00000003 0x3fcc4eb4 0x00000002 0x3fcb3000 0xffffffff 0x3fcba55c 0x420ac96e
=> 0x420ac96e: esp_netif_api_cb at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/esp_netif/lwip/esp_netif_lwip.c:229
3fcb6b90: 0x3fcb3000 0xffffffff 0x3fcba520 0x4209a55c 0x00000000 0x00000000 0x00000000 0x3fcba520
=> 0x4209a55c: tcpip_thread_handle_msg at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/api/tcpip.c:203
      (inlined by) tcpip_thread at /home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/lwip/lwip/src/api/tcpip.c:148
3fcb6bb0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcb6bd0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
3fcb6bf0: 0xa5a5a5a5 0xbaad5678 0x00000160 0xabba1234 0x00000154 0x3fcb6a20 0x0000aa5e 0x3fcae4f8
3fcb6c10: 0x3fcae4f8 0x3fcb6c04 0x3fcae4f0 0x00000007 0x3fcb47f8 0x3fcb47f8 0x3fcb6c04 0x00000000
3fcb6c30: 0x00000012 0x3fcb61f4 0x00546974 0x00000000 0x00000000 0x00000000 0x00000000 0x3fcb6bf0
3fcb6c50: 0x00000012 0x00000001 0x00000000 0x00000000 0x00000000 0x3fcb399c 0x3fcb3a04 0x3fcb3a6c
3fcb6c70: 0x00000000 0x00000000 0x00000001 0x00000000 0x00000000 0x00000000 0x420f14c6 0x00000000
=> 0x420f14c6: _cleanup_r at /builds/idf/crosstool-NG/.build/HOST-x86_64-w64-mingw32/riscv32-esp-elf/src/newlib/newlib/libc/stdio/findfp.c:229
3fcb6c90: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcb6cb0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcb6cd0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcb6cf0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcb6d10: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
3fcb6d30: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

SuGlider commented 8 months ago

@TD-er - This seems to be a new issue. The messages may not come from WiFi layer anymore (as in the original post). It could be something related to an empty IP address or something else.

I'd say that it would need a new investigation and debugging. But it's hard to tell that it is related to a bug in the Arduino Core layer.

It would be better if you could isolate the issue and create a small sketch that can reproduce it.