Reading and writing the same virtual address multiple times will cause the system to crash (IDFGH-2532)

[GitOfLance]

Environment

• Module or chip used: ESP32-WROOM-32
• IDF version : v4.0-dev-1443-g39f090a4f 2nd stage bootloader
• Build System: Make
• Compiler version : xtensa-esp32-elf-
• Operating System: Ubuntu 18.04
• Power Supply: USB

Problem Description

In the file copy function, I defined a structure variable (not a pointer). Read out a structure-sized data in a loop, and then write this structure data into a backup file until all data is backed up.

When I call this function multiple times in succession, the system crashes. I changed this variable to a pointer and allocated space through the malloc () function before each operation. The problem of system crash still exists. But I found that the value of this structure pointer variable is the same every time it crashes. That is, each time the crash, the same address is operated. Is this address a virtual address mapped by the MMU? Why does reading and writing the same address multiple times cause the system to crash?

Debug record

use structure variable

• Struct：

  
  typedef struct {
  int unumber;                
  char userid[USER_ID_LEN];         
  int type;      
  unsigned long long int time;     
  char ways;         
  }UserPermission __attribute__ ((packed));

- Code：not pointer

/**

• FunctionName : record_file_backup
• Description : 用于操作文件前拷贝文件做备份 源文件是有数据的，目标文件内容全部清除 每次更改文件前要先备份，一方面保证数据的完整性， 一方面尝试读写文件，防止文件操作失败
• Input : srcfile -- 源文件 destfile -- 目标文件
• Output : 文件
• Return : -1,出错；0，成功

• Others : 仅限于内部使用，不供外部使用 / static int record_file_backup(char srcfile, char destfile) { FILE fpsrc = NULL; FILE *fpdest = NULL; int ret = -1; UserPermission user; //暂定为用户类型，不用缓冲池 struct stat st;

  //申请锁 xSemaphoreTake(Mutex_openrecord, portMAX_DELAY);

  do { //获取原文件大小 if (stat(srcfile, &st) < 0) //文件不存在 { ESP_LOGE(TAG, "failed to stat, file not exist"); ret = 0; break; } ESP_LOGI(TAG, "source file size is %ld", st.st_size); //vTaskDelay(5000 / portTICK_PERIOD_MS); //未联网刷卡多次崩溃，确认问题点

  printf("user addr. is %p\n", &user);
  printf("sizeof is %d\n", sizeof(UserPermission));
  
  //打开文件
  fpsrc = fopen(srcfile, "r");
  fpdest = fopen(destfile, "w");
  if (NULL == fpsrc || NULL == fpdest)
  {
      ESP_LOGE(TAG, "fopen file faile");
      break;
  }
  
  //遍历拷贝
  while (ftell(fpsrc) < st.st_size)
  {
      memset(&user, 0, sizeof(user));
      //读取文件
      if (fread(&user, sizeof(UserPermission), 1, fpsrc) != 1)
      {
          ESP_LOGE(TAG, "read file failed");
          break;
      }
  
      //写入目标文件
      if (fwrite(&user, sizeof(UserPermission), 1, fpdest) != 1)
      {
          ESP_LOGE(TAG, "write file failed");
          break;
      }
  
  }
  
  //拷贝结果判定 -- 不要放在while(0)外面，因为fpsrc可能是NULL
  if ((st.st_size > 0) && (ftell(fpsrc) != st.st_size)) //st.st_size 可能小于等于0 
  {
      ESP_LOGI(TAG, "file copy failed");
      break;
  }
  
  ret = 0;

  }while (0);

  //释放资源 if (fpsrc) { fclose(fpsrc); fpsrc = NULL; } if (fpdest) { fclose(fpdest); fpdest = NULL; }

  //释放锁 xSemaphoreGive(Mutex_openrecord);

  return ret;
  }

• Error log： This is a common bug report： I used this information to confirm the location of the system crash:

• Code： use poniter

/**

• FunctionName : record_file_backup
• Description : 用于操作文件前拷贝文件做备份 源文件是有数据的，目标文件内容全部清除 每次更改文件前要先备份，一方面保证数据的完整性， 一方面尝试读写文件，防止文件操作失败
• Input : srcfile -- 源文件 destfile -- 目标文件
• Output : 文件
• Return : -1,出错；0，成功

• Others : 仅限于内部使用，不供外部使用 / static int record_file_backup(char srcfile, char destfile) { FILE fpsrc = NULL; FILE fpdest = NULL; int ret = -1; UserPermission user = NULL; //暂定为用户类型，不用缓冲池 struct stat st;

  //申请锁 xSemaphoreTake(Mutex_openrecord, portMAX_DELAY);

  do { //获取原文件大小 if (stat(srcfile, &st) < 0) //文件不存在 { ESP_LOGE(TAG, "failed to stat, file not exist"); ret = 0; break; } ESP_LOGI(TAG, "source file size is %ld", st.st_size);

  user = (UserPermission *)malloc(sizeof(UserPermission));
  if (NULL == user)
  {
      ESP_LOGE(TAG, "failed to malloc for UserPermission");
      break;
  }
  memset(user, 0, sizeof(UserPermission));
  
  printf("user addr. is %p\n", user);
  printf("sizeof is %d\n", sizeof(UserPermission));
  
  //打开文件
  fpsrc = fopen(srcfile, "r");
  fpdest = fopen(destfile, "w");
  if (NULL == fpsrc || NULL == fpdest)
  {
      ESP_LOGE(TAG, "fopen file failed");
      break;
  }
  
  //遍历拷贝
  while (ftell(fpsrc) < st.st_size)
  {
      //读取文件
      if (fread((void *)user, sizeof(UserPermission), 1, fpsrc) != 1)
      {
          ESP_LOGE(TAG, "read file failed");
          break;
      }
  
      //写入目标文件
      if (fwrite((void *)user, sizeof(UserPermission), 1, fpdest) != 1)
      {
          ESP_LOGE(TAG, "write file failed");
          break;
      }
      memset(user, 0, sizeof(UserPermission));
  }
  
  //拷贝结果判定 -- 不要放在while(0)外面，因为fpsrc可能是NULL
  if ((st.st_size > 0) && (ftell(fpsrc) != st.st_size))      //st.st_size 可能小于等于0 
  {
      ESP_LOGI(TAG, "file copy failed");
      break;
  }
  
  ret = 0;

  }while (0);

  //释放资源 if (fpsrc) { fclose(fpsrc); fpsrc = NULL; } if (fpdest) { fclose(fpdest); fpdest = NULL; }

  if (user) { free(user); user = NULL; }

  //释放锁 xSemaphoreGive(Mutex_openrecord);

  return ret;
  }

• Error Log:

  
  I (105329) >Door: ready to write door record
  I (105329) >Door: source file size is 3312
  user addr. is 0x3ffd0a38
  sizeof is 48
  Guru Meditation Error: Core 0 panic'ed (Cache disabled but cached memory region accessed)
  Core 0 register dump:
  PC : 0x400873d9 PS : 0x00060034 A0 : 0x80087779 A1 : 0x3ffb0610  
  0x400873d9: wdev_push_promis_misc_buf at ??:?

A2 : 0x3ffb2364 A3 : 0x3ffb2380 A4 : 0x00004013 A5 : 0xf7ffffff
A6 : 0x6200007a A7 : 0x00004013 A8 : 0x000000ad A9 : 0x3ffb05b0
A10 : 0x3ffe0d44 A11 : 0x00000000 A12 : 0x00000000 A13 : 0x3f8429b8
A14 : 0x00000003 A15 : 0x00060023 SAR : 0x00000020 EXCCAUSE: 0x00000007
EXCVADDR: 0x00000000 LBEG : 0x4008eda0 LEND : 0x4008edce LCOUNT : 0xffffffff
0x4008eda0: memcpy at /home/jeroen/esp8266/esp32/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/machine/xtensa/../../../../.././newlib/libc/machine/xtensa/memcpy.S:168

0x4008edce: memcpy at /home/jeroen/esp8266/esp32/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/machine/xtensa/../../../../.././newlib/libc/machine/xtensa/memcpy.S:201

Core 0 was running in ISR context: EPC1 : 0x4009328e EPC2 : 0x00000000 EPC3 : 0x00000000 EPC4 : 0x400873d9 0x4009328e: spi_flash_ll_set_command8 at /home/lance/Workspace/esp/esp-idf/components/soc/esp32/include/hal/spi_flash_ll.h:316 (inlined by) spi_flash_hal_configure_host_read_mode at /home/lance/Workspace/esp/esp-idf/components/soc/src/hal/spi_flash_hal_iram.c:64

0x400873d9: wdev_push_promis_misc_buf at ??:?

ELF file SHA256: ad0bd0baad0bd0baad0bd0baad0bd0baad0bd0baad0bd0baad0bd0baad0bd0ba

Backtrace: 0x400873d6:0x3ffb0610 0x40087776:0x3ffb0630 0x40084b75:0x3ffb0660 0x4009328b:0x3ffdbfb0 0x40093475:0x3ffdbfe0 0x400925bd:0x3ffdc010 0x400920f2:0x3ffdc040 0x400922a1:0x3ffdc080 0x40085eda:0x3ffdc0a0 0x400f5948:0x3ffdc0f0 0x400f7ff7:0x3ffdc110 0x400f97d2:0x3ffdc140 0x400f8415:0x3ffdc170 0x400f8f56:0x3ffdc190 0x400fa4fd:0x3ffdc1d0 0x400f6dd5:0x3ffdc230 0x400f763d:0x3ffdc250 0x400f6a4d:0x3ffdc280 0x40101d52:0x3ffdc2a0 0x4008e0db:0x3ffdc2c0 0x4008eba5:0x3ffdc2e0 0x4008ec21:0x3ffdc300 0x4008f9f7:0x3ffdc320 0x4016f915:0x3ffdc350 0x4016f961:0x3ffdc390 0x40107baa:0x3ffdc3b0 0x40107d69:0x3ffdc410 0x40107f73:0x3ffdc440 0x40095045:0x3ffdc4d0 0x400873d6: wdev_push_promis_misc_buf at ??:?

0x40087776: wDev_ProcessFiq at ??:?

0x40084b75: _xt_lowint1 at /home/lance/Workspace/esp/esp-idf/components/freertos/xtensa_vectors.S:1153

0x4009328b: spi_flash_ll_set_command8 at /home/lance/Workspace/esp/esp-idf/components/soc/esp32/include/hal/spi_flash_ll.h:316 (inlined by) spi_flash_hal_configure_host_read_mode at /home/lance/Workspace/esp/esp-idf/components/soc/src/hal/spi_flash_hal_iram.c:64

0x40093475: spi_flash_hal_common_command at /home/lance/Workspace/esp/esp-idf/components/soc/src/hal/spi_flash_hal_iram.c:73

0x400925bd: memspi_host_read_status_hs at /home/lance/Workspace/esp/esp-idf/components/spi_flash/memspi_host_driver.c:76

0x400920f2: spi_flash_chip_generic_wait_idle at /home/lance/Workspace/esp/esp-idf/components/spi_flash/spi_flash_chip_generic.c:255

0x400922a1: spi_flash_chip_generic_erase_sector at /home/lance/Workspace/esp/esp-idf/components/spi_flash/spi_flash_chip_generic.c:118

0x40085eda: esp_flash_erase_region at /home/lance/Workspace/esp/esp-idf/components/spi_flash/esp_flash_api.c:609

0x400f5948: esp_partition_erase_range at /home/lance/Workspace/esp/esp-idf/components/spi_flash/partition.c:464

0x400f7ff7: spiffs_api_erase at /home/lance/Workspace/esp/esp-idf/components/spiffs/spiffs_api.c:58

0x400f97d2: spiffs_erase_block at /home/lance/Workspace/esp/esp-idf/components/spiffs/spiffs/src/spiffs_nucleus.c:1164

0x400f8415: spiffs_gc_erase_block at /home/lance/Workspace/esp/esp-idf/components/spiffs/spiffs/src/spiffs_gc.c:15

0x400f8f56: spiffs_gc_check at /home/lance/Workspace/esp/esp-idf/components/spiffs/spiffs/src/spiffs_gc.c:168

0x400fa4fd: spiffs_object_append at /home/lance/Workspace/esp/esp-idf/components/spiffs/spiffs/src/spiffs_nucleus.c:1219

0x400f6dd5: spiffs_hydro_write at /home/lance/Workspace/esp/esp-idf/components/spiffs/spiffs/src/spiffs_hydrogen.c:1121

0x400f763d: SPIFFS_write at /home/lance/Workspace/esp/esp-idf/components/spiffs/spiffs/src/spiffs_hydrogen.c:1121

0x400f6a4d: vfs_spiffs_write at /home/lance/Workspace/esp/esp-idf/components/spiffs/esp_spiffs.c:261

0x40101d52: esp_vfs_write at /home/lance/Workspace/esp/esp-idf/components/vfs/vfs.c:795 (discriminator 4)

0x4008e0db: __swrite at /home/jeroen/esp8266/esp32/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/stdio/../../../.././newlib/libc/stdio/stdio.c:97

0x4008eba5: __sflush_r at /home/jeroen/esp8266/esp32/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/stdio/../../../.././newlib/libc/stdio/fflush.c:225

0x4008ec21: _fflush_r at /home/jeroen/esp8266/esp32/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/stdio/../../../.././newlib/libc/stdio/fflush.c:281

0x4008f9f7: __sfvwrite_r at /home/jeroen/esp8266/esp32/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/stdio/../../../.././newlib/libc/stdio/fvwrite.c:190 (discriminator 1)

0x4016f915: _fwrite_r at /home/jeroen/esp8266/esp32/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/stdio/../../../.././newlib/libc/stdio/fwrite.c:170

0x4016f961: fwrite at /home/jeroen/esp8266/esp32/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/stdio/../../../.././newlib/libc/stdio/fwrite.c:211

0x40107baa: record_file_backup at /home/lance/Workspace/esp/glock/components/device/door.c:542

0x40107d69: door_record_wirte at /home/lance/Workspace/esp/glock/components/device/door.c:542

0x40107f73: door_wait_open at /home/lance/Workspace/esp/glock/components/device/door.c:542

0x40095045: vPortTaskWrapper at /home/lance/Workspace/esp/esp-idf/components/freertos/port.c:435

This is the last message. The value of the pointer user is **`0x3ffd0a38`**.
![image](https://user-images.githubusercontent.com/48943389/72145036-95f27680-33d4-11ea-8008-c65bc0f229d1.png)

This is the penultimate message:
![image](https://user-images.githubusercontent.com/48943389/72145098-b4f10880-33d4-11ea-9559-a75454831529.png)

This is the third last message:
![image](https://user-images.githubusercontent.com/48943389/72145106-ba4e5300-33d4-11ea-8c8f-94b56e637b70.png)

- Extra error logs：
![image](https://user-images.githubusercontent.com/48943389/72145217-026d7580-33d5-11ea-87e9-1ff9f05cfd2c.png)

![image](https://user-images.githubusercontent.com/48943389/72145224-06999300-33d5-11ea-93c2-5f63a64e3289.png)

[negativekelvin]

Looks like wifi interrupt wdev_push_promis_misc_buf problem are you using WiFi promiscuous mode cb?

[GitOfLance]

I used smart configuration（EspTouch） to configure wif. How can I solve this problem?

[GitOfLance]

Hi, @negativekelvin I remember, I will start smartconfig on the ESP32, but I don't use EspTouch to configure the network. Then test the above code and this problem will occur. If I start the smartconfig function and use EspTouch to connect the ESP32 to the network, there is no problem in testing the above code.