Hi,
We are developing a safety-critical product based on a Cortex-M4 CPU. In the Definitive Guide for ARM Cortex-M3/4 I read that it is recommended to use both stacks (MSP and PSP) even if the program does not use an RTOS. By using both stacks, the program is supposed to be more robust. I also see in the book how this should be implemented in the startup file, but I don't understand in which cases these separate stacks would be more beneficial than just one stack (MSP).
I would be very grateful if someone could explain this a little bit.
Best regards.
Hi matic,
If programs are running on the PSP, the stack pointer will switch to the MSP when an interrupt or exception occurs. This means that the interrupt stack (i.e. MSP) will be protected from the user stack (i.e. PSP) even if the user stack overflows. Don't you think it will be a benefit? Also, important registers such as r0 to r3, r14 (lr), r15 (pc) and xPSR are pushed on the PSP stack. This would be useful for context switching. In the case of no RTOS, it will also work like a register bank.
Best regards,
Yasuhiko Koumoto.
Let's say there is an error where an MPU violation triggers a HardFault (writing to some RO address). In the HardFault handler I would like to read the PC to locate this fault. With a single stack (MSP only) this works great. Will this also work with separate stacks?
Second, let's say that I have separate stacks (PSP for the program, MSP for interrupts and exceptions). For some reason a PSP overflow occurs during the program and at the bottom of the stack it hits a region protected by the MPU. This also triggers a HardFault. Am I able to recognize there what went wrong? Even if the MPU violation occurred before all 8 registers were pushed to the stack?
Thank you
You can recognize on which stack the exception occurred by checking bit 2 of the EXC_RETURN code, which is stored in r14 (aka lr). Regarding the implementation of the hard fault handler, please refer to Re: Re: error: Hard Fault Handler.
Regarding the second issue, there would be no reason to identify the hard fault cause. You should infer it from the information in PC, BFAR, CFAR, HFSR, DFSR and AFSR.
Best regards,
Yasuhiko Koumoto.
Thanks for your reply.
Do you also suggest having both stacks (MSP and PSP) guarded by the MPU at their bottom? If I understand correctly, this would be advisable to detect stack overflow on any of the stacks, right?
Do you also suggest having both stacks (MSP and PSP) guarded by the MPU at their bottom?
Yes, I do. I also recommend making the stack regions never executable.
If I understand correctly, this would be advisable to detect stack overflow on any of the stacks, right?
No, it is not only for stack overflow but also for guarding against malicious program execution on each stack.
So I have to implement 4 MPU regions just for the stacks: two at the bottom of each stack to detect overflow (with no access allowed) and two regions covering each stack (with the XN attribute). Is this correct?
Yes, it is correct.
Best regards,
Yasuhiko Koumoto.
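As an added example (not from this thread or the book), here is how a HardFault handler can combine the two points above: check bit 2 of EXC_RETURN to choose MSP or PSP, and before trusting the stacked PC, check whether the frame itself landed below the stack bottom in the MPU guard region, which is the "before all 8 registers were pushed" case raised earlier. The stack bottom addresses, the region struct and the function names are my assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
/* Frame the core pushes on exception entry (ARMv7-M, no FPU state). */
typedef struct { uint32_t r0, r1, r2, r3, r12, lr, pc, xpsr; } exc_frame_t;

/* EXC_RETURN bit 2: 0 = frame pushed to MSP, 1 = frame pushed to PSP. */
#define EXC_RETURN_SPSEL (1u << 2)

/* Lowest valid stack address; the MPU no-access guard region sits just below it. */
typedef struct { uintptr_t stack_lo; } stack_region_t;

typedef struct {
    bool     frame_on_psp;
    bool     frame_trusted; /* false when the frame lies in the guard region */
    uint32_t fault_pc;      /* stacked PC, meaningful only if frame_trusted */
} fault_info_t;

/* Pure logic (host-testable): pick the stack the frame went to, check whether
 * the push itself overran into the guard region, and only then read the PC. */
fault_info_t analyse_fault(uint32_t exc_return, uintptr_t msp, uintptr_t psp,
                           const stack_region_t *msp_reg,
                           const stack_region_t *psp_reg)
{
    fault_info_t info = { .frame_on_psp = (exc_return & EXC_RETURN_SPSEL) != 0 };
    uintptr_t sp = info.frame_on_psp ? psp : msp;
    uintptr_t lo = (info.frame_on_psp ? psp_reg : msp_reg)->stack_lo;

    /* Frame start below the stack bottom: the 8-register push (or an earlier
     * overflow) hit the guard, so the stacked PC was never stored; use the
     * fault status/address registers instead. */
    info.frame_trusted = sp >= lo;
    if (info.frame_trusted)
        info.fault_pc = ((const exc_frame_t *)sp)->pc;
    return info;
}

#if defined(__arm__) && defined(__GNUC__)
/* Target-side glue (hypothetical): hand EXC_RETURN, MSP and PSP to C. */
void hardfault_c(uint32_t exc_return, uintptr_t msp, uintptr_t psp)
{
    /* Placeholder stack bottoms; take them from your linker script. */
    static const stack_region_t msp_reg = { 0x20000400u }, psp_reg = { 0x20001000u };
    volatile fault_info_t info = analyse_fault(exc_return, msp, psp, &msp_reg, &psp_reg);
    for (;;) { } /* halt; inspect info in the debugger or log it */
}
__attribute__((naked)) void HardFault_Handler(void)
{
    __asm volatile("mov r0, lr\n mrs r1, msp\n mrs r2, psp\n b hardfault_c\n");
}
#endif
```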