Hi All,
I am developing on a CM0+ with functional safety support. The safety manual requires to test some features before activating safety functions; many of these are straightforward while others are "convoluted".
One of the requirements is access to an unimplemented space ad expect the abort to occur. This of course leads to an (expected) Hard Fault exception. My routine in the hard fault handler is able to detect if it is a testor not, and in case of test just set a flag and then exits from the hard fault handler.
As expected, the unstacking of the registers leads to the instruction that triggered the fault, entering in a faulty instruction- hardfault handler- faulty instruction loop.
Now, my idea is to modify the stacked program counter in order to return to the next instruction and going on with the regular program flow.
Many questions here:
Any Hint would be gladly appreciated;
Thanks and best regards,
You should modify the ReturnAddress in stack at adderss SP+18. This address is pushed into the stack automatically when the fault happens and is taken.
In real usage, if a hardfault happens in CM0, the system almost can't do anything to recover it or debug it, so a reset for the system looks more sensible.
Hi Haiyan,
Thanks for your reply! The assumption on SP + 0x18 states true if there are not other push operations on the stack when entering the hard fault handler. In the disassembled code I can see that there is another push {R3, LR} (in O1) or {R3, R4, R7, LR} (in O0), hence the stack pointer increments and if I read SP + 18 I get a wrong word (R2 or R12 depending on the number of element pushed on the stack).My hardfault handler is not a naked function, hence the compiler takes care about register pushes and pops for me.
How can I determine where is the PC located respect to the CURRENT SP?
K.R.
You are correct. SP+ 18 assume that there is no further push/pop after the automatic stack operation during the exception enters. In this case, you may need to check your assemble code and check how many words have been pushed/popped after the automatic stack operation and then calculate the address for such return address. Please note M0 uses full descending stack.
Is there any information that could allow me to retrieve the number of words pushed in hard fault handler in the ARM registers?My concern is that the assembly will change with different optimization levels so I can't rely on a "fixed" implementation, I would say.
So one way around the stack pushing is to have the hard fault handler in assembly which calls another function to do the processing. Then the hard fault handler does not push any more registers to stack. Then in the function called from hard fault you can get the data from stack and do analysis, see code below.
Please note that in production code often the best thing to do in hard fault is to reset the processor. That is a hard fault could because of a random bit flip in SRAM (single event upset) which means if you try to continue running you will just dig the hole deeper in most cases. Hence you want to reset processor and get back to work.
void prvGetRegistersFromStack( uint32_t *pulFaultStackAddress ){/* These are volatile to try and prevent the compiler/linker optimising themaway as the variables never actually get used. If the debugger won't show thevalues of the variables, make them global my moving their declaration outsideof this function. */volatile __attribute__((unused)) uint32_t r0;volatile __attribute__((unused)) uint32_t r1;volatile __attribute__((unused)) uint32_t r2;volatile __attribute__((unused)) uint32_t r3;volatile __attribute__((unused)) uint32_t r12;volatile __attribute__((unused)) uint32_t lr; /* Link register. */volatile __attribute__((unused)) uint32_t pc; /* Program counter. */volatile __attribute__((unused)) uint32_t psr;/* Program status register. */ volatile __attribute__((unused)) uint32_t _CFSR ; volatile __attribute__((unused)) uint32_t _HFSR ; volatile __attribute__((unused)) uint32_t _DFSR ; volatile __attribute__((unused)) uint32_t _AFSR ; volatile __attribute__((unused)) uint32_t _BFAR ; volatile __attribute__((unused)) uint32_t _MMAR ;
r0 = pulFaultStackAddress[ 0 ]; r1 = pulFaultStackAddress[ 1 ]; r2 = pulFaultStackAddress[ 2 ]; r3 = pulFaultStackAddress[ 3 ];
r12 = pulFaultStackAddress[ 4 ]; lr = pulFaultStackAddress[ 5 ]; pc = pulFaultStackAddress[ 6 ]; psr = pulFaultStackAddress[ 7 ];
// Configurable Fault Status Register // Consists of MMSR, BFSR and UFSR _CFSR = (*((volatile unsigned long *)(0xE000ED28))) ;
// Hard Fault Status Register _HFSR = (*((volatile unsigned long *)(0xE000ED2C))) ;
// Debug Fault Status Register _DFSR = (*((volatile unsigned long *)(0xE000ED30))) ;
// Auxiliary Fault Status Register _AFSR = (*((volatile unsigned long *)(0xE000ED3C))) ;
// Read the Fault Address Registers. These may not contain valid values. // Check BFARVALID/MMARVALID to see if they are valid values // MemManage Fault Address Register _MMAR = (*((volatile unsigned long *)(0xE000ED34))) ; // Bus Fault Address Register _BFAR = (*((volatile unsigned long *)(0xE000ED38))) ;
/* When the following line is hit, the variables contain the register values. */#if defined DEBUG __BKPT(3);#endif for( ;; ); //This is where you would call the NVIC reset in production after logging error if needed}
/* The prototype shows it is a naked function - in effect this is just anassembly function. */void HardFault_DUMMY( void ) __attribute__( ( naked ) );
/* The fault handler implementation calls a function calledprvGetRegistersFromStack(). */void HardFault_DUMMY(void){ __asm volatile ( " tst lr, #4 \n" " ite eq \n" " mrseq r0, msp \n" " mrsne r0, psp \n" " ldr r1, [r0, #24] \n" " ldr r2, handler2_address_const \n" " bx r2 \n" " handler2_address_const: .word prvGetRegistersFromStack \n" );}
During hardfault (actually all exceptions) entry, the return address is pushed into SP+18. This is done by hardware and I don't think a proper code will change it
Hello Trampas,
thanks for your reply. Your approach seems suitable to my use case, using naked functions. Nevertheless, based onthe suggestions of the community, I decided for a slightly different approach: since the hard fault is generated on purpose (I KNOW when and why it happens) I provide the stack pointer value just before launching the fault instruction. Then in the hard fault handler I retrieve this information, subtract the value from the current stack pointer and I am then able to understand the offset value toa dd to the current stack pointer to retrieve the PC: SP + offset +0x18.
What happens when/if the processor gets a real Hard Fault, ie not one generated by test code?