Martin Lück created an issue: https://gitlab.rtems.org/rtems/rtos/rtems/-/issues/5535
## Summary

Configuration: RTEMS 6.0.0, PowerPC e500v2 CPU with qoriq BSP. However, the issue also seems to be present in the current main.

There seems to be an issue in the function BSP_printStackTrace(). In a loop, the function follows the saved stack pointers (frame links) until it hits `f->frameLink == 0`: https://gitlab.rtems.org/rtems/rtos/rtems/-/blob/main/bsps/powerpc/shared/exceptions/ppc_exc_print.c#L87

However, when the stack checker is enabled with `#define CONFIGURE_STACK_CHECKER_ENABLED`, the chain does not end in 0; instead, the last frameLink is 0xa5a5a5a5. This is the stack checker fill pattern, which is set up here: https://gitlab.rtems.org/rtems/rtos/rtems/-/blob/main/cpukit/libmisc/stackchk/check.c#L80 Since 0xa5a5a5a5 is not zero, the walk does not stop at the outermost frame and goes on to use the fill pattern as the address of a further frame.

In GDB, the issue manifests as the error message "Cannot access memory at address 0xa5a5a5a9". That address is 0xa5a5a5a5 + 4; in the dump below, the word after each frame link holds the return address, so this is presumably the return-address slot of the bogus frame:

```
(gdb) x/100a _ISR_Stack_area_end-256
0x813f40 <_ISR_Stack_area_begin+7936>: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
0x813f50 <_ISR_Stack_area_begin+7952>: 0xa5a5a5a5 0xa5a5a5a5 0x813f80 <_ISR_Stack_area_begin+8000> 0xa5a5a5a5
0x813f60 <_ISR_Stack_area_begin+7968>: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
0x813f70 <_ISR_Stack_area_begin+7984>: 0x12010001 0x0 0x813fe0 <_ISR_Stack_area_begin+8096> 0x816830 <_Timer_Objects+16>
0x813f80 <_ISR_Stack_area_begin+8000>: 0x813fa8 <_ISR_Stack_area_begin+8040> 0x30cf24 <_Watchdog_Do_tickle+132> 0xffffdf73 0x0
0x813f90 <_ISR_Stack_area_begin+8016>: 0x0 0x0 0x811554 <bsp_interrupt_dispatch_table> 0x2021200
0x813fa0 <_ISR_Stack_area_begin+8032>: 0x810668 <_Per_CPU_Information+200> 0x8105a0 <_Per_CPU_Information> 0x813fe0 <_ISR_Stack_area_begin+8096> 0x30d020 <_Watchdog_Tick+120>
0x813fb0 <_ISR_Stack_area_begin+8048>: 0x0 0x0 0x0 0x0
0x813fc0 <_ISR_Stack_area_begin+8064>: 0x2029200 0x811554 <bsp_interrupt_dispatch_table> 0x0 0x2021200
0x813fd0 <_ISR_Stack_area_begin+8080>: 0x0 0x2021200 0xffe40000 0x8105a0 <_Per_CPU_Information>
0x813fe0 <_ISR_Stack_area_begin+8096>: 0x814000 <_ISR_Stack_area_begin+8128> 0x307140
<_Timecounter_Tick+96> 0x2029200 0xa5a5a5a5 0x813ff0 <_ISR_Stack_area_begin+8112>: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0x811b24 <qoriq_clock_entry> 0x814000 <_ISR_Stack_area_begin+8128>: 0x814020 <_ISR_Stack_area_begin+8160> 0x303458 <bsp_interrupt_dispatch+136> 0xa5a5a5a5 0x816040 <_RTEMS_tasks_Objects> 0x814010 <_ISR_Stack_area_begin+8144>: 0x8105a0 <_Per_CPU_Information> 0x8003ac <_User_extensions_Switches_list+4> 0x8003ac <_User_extensions_Switches_list+4> 0x816430 <_Thread_Objects> 0x814020 <_ISR_Stack_area_begin+8160>: 0xa5a5a5a5 0x3039e8 <ppc_exc_interrupt+184> 0xa5a5a5a5 0xa5a5a5a5 0x814030 <_ISR_Stack_area_begin+8176>: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0x814040: 0x0 0x0 0x0 0x0 0x814050: 0x0 0x0 0x0 0x0 0x814060: 0x0 0x0 0x0 0x0 0x814070: 0x0 0x0 0x0 0x0 0x814080: 0x0 0x0 0x0 0x0 0x814090: 0x0 0x0 0x0 0x0 0x8140a0: 0x0 0x0 0x0 0x0 0x8140b0: 0x0 0x0 0x0 0x0 0x8140c0: 0x0 0x0 0x0 0x0 (gdb) i s #0 0x003009f8 in timer_isr () #1 0x0030cf24 in _Watchdog_Do_tickle (header=header@entry=0x810678 <_Per_CPU_Information+216>, first=0x816830 <_Timer_Objects+16>, now=<optimized out>, lock=lock@entry=0x810668 <_Per_CPU_Information+200>, lock_context=lock_context@entry=0x813fc0 <_ISR_Stack_area_begin+8064>) at ../../../../src/rtems/cpukit/score/src/watchdogtick.c:66 #2 0x0030d020 in _Watchdog_Tick (cpu=cpu@entry=0x8105a0 <_Per_CPU_Information>) at ../../../../src/rtems/cpukit/score/src/watchdogtick.c:105 #3 0x00307140 in _Timecounter_Tick () at ../../../../src/rtems/cpukit/score/src/kern_tc.c:2355 #4 0x00303458 in bsp_interrupt_dispatch_entries (entry=0x811b24 <qoriq_clock_entry>) at ../../../../src/rtems/bsps/include/bsp/irq-generic.h:571 #5 bsp_interrupt_handler_dispatch_unchecked (vector=<optimized out>) at ../../../../src/rtems/bsps/include/bsp/irq-generic.h:627 #6 bsp_interrupt_dispatch (exception_number=<optimized out>) at ../../../../src/rtems/bsps/powerpc/qoriq/irq/irq.c:663 #7 0x003039e8 in ppc_exc_interrupt () Backtrace stopped: Cannot access memory at 
address 0xa5a5a5a9 ``` At runtime, this results in an access violation. Compare the same stacktrace without stack checking enabled: ``` (gdb) x/100a _ISR_Stack_area_end-256 0x813e20 <_ISR_Stack_area_begin+7936>: 0x2021200 0x20200484 0x813df8 <_ISR_Stack_area_begin+7896> 0x30c474 0x813e30 <_ISR_Stack_area_begin+7952>: 0x0 0x2021200 0x813e60 <_ISR_Stack_area_begin+8000> 0x813f20 0x813e40 <_ISR_Stack_area_begin+7968>: 0x0 0x30017c <bsp_section_start_begin+380> 0x0 0x20000000 0x813e50 <_ISR_Stack_area_begin+7984>: 0x12010001 0x0 0x813ec0 <_ISR_Stack_area_begin+8096> 0x816710 <_Timer_Objects+16> 0x813e60 <_ISR_Stack_area_begin+8000>: 0x813e88 <_ISR_Stack_area_begin+8040> 0x30cf34 <_Watchdog_Do_tickle+132> 0xffffdf73 0x0 0x813e70 <_ISR_Stack_area_begin+8016>: 0x0 0x0 0x811534 <bsp_interrupt_dispatch_table> 0x2021200 0x813e80 <_ISR_Stack_area_begin+8032>: 0x810648 <_Per_CPU_Information+200> 0x810580 <_Per_CPU_Information> 0x813ec0 <_ISR_Stack_area_begin+8096> 0x30d030 <_Watchdog_Tick+120> 0x813e90 <_ISR_Stack_area_begin+8048>: 0x0 0x0 0x0 0x0 0x813ea0 <_ISR_Stack_area_begin+8064>: 0x2029200 0x811534 <bsp_interrupt_dispatch_table> 0x0 0x2021200 0x813eb0 <_ISR_Stack_area_begin+8080>: 0x0 0x2021200 0xffe40000 0x810580 <_Per_CPU_Information> 0x813ec0 <_ISR_Stack_area_begin+8096>: 0x813ee0 <_ISR_Stack_area_begin+8128> 0x307150 <_Timecounter_Tick+96> 0x2029200 0x0 0x813ed0 <_ISR_Stack_area_begin+8112>: 0x0 0x0 0x4427e4 <_Copyright_Notice> 0x811b04 <qoriq_clock_entry> 0x813ee0 <_ISR_Stack_area_begin+8128>: 0x813f00 <_ISR_Stack_area_begin+8160> 0x303468 <bsp_interrupt_dispatch+136> 0x813ef8 <_ISR_Stack_area_begin+8152> 0x0 0x813ef0 <_ISR_Stack_area_begin+8144>: 0x0 0x800000 <_Thread_Information> 0x8003ac <_User_extensions_Switches_list+4> 0x816310 <_Thread_Objects> 0x813f00 <_ISR_Stack_area_begin+8160>: 0x0 0x3039f8 <ppc_exc_interrupt+184> 0x0 0x0 0x813f10 <_ISR_Stack_area_begin+8176>: 0x0 0x0 0x0 0x0 0x813f20: 0x0 0x0 0x0 0x0 0x813f30: 0x0 0x0 0x0 0x0 0x813f40: 0x0 0x0 0x0 0x0 
0x813f50: 0x0 0x0 0x0 0x0 0x813f60: 0x0 0x0 0x0 0x0 0x813f70: 0x0 0x0 0x0 0x0 0x813f80: 0x0 0x0 0x0 0x0 0x813f90: 0x0 0x0 0x0 0x0 0x813fa0: 0x0 0x0 0x0 0x0 (gdb) i s #0 0x00300a10 in timer_isr () #1 0x0030cf34 in _Watchdog_Do_tickle (header=header@entry=0x810658 <_Per_CPU_Information+216>, first=0x816710 <_Timer_Objects+16>, now=<optimized out>, lock=lock@entry=0x810648 <_Per_CPU_Information+200>, lock_context=lock_context@entry=0x813ea0 <_ISR_Stack_area_begin+8064>) at ../../../../src/rtems/cpukit/score/src/watchdogtick.c:66 #2 0x0030d030 in _Watchdog_Tick (cpu=cpu@entry=0x810580 <_Per_CPU_Information>) at ../../../../src/rtems/cpukit/score/src/watchdogtick.c:105 #3 0x00307150 in _Timecounter_Tick () at ../../../../src/rtems/cpukit/score/src/kern_tc.c:2355 #4 0x00303468 in bsp_interrupt_dispatch_entries (entry=0x811b04 <qoriq_clock_entry>) at ../../../../src/rtems/bsps/include/bsp/irq-generic.h:571 #5 bsp_interrupt_handler_dispatch_unchecked (vector=<optimized out>) at ../../../../src/rtems/bsps/include/bsp/irq-generic.h:627 #6 bsp_interrupt_dispatch (exception_number=<optimized out>) at ../../../../src/rtems/bsps/powerpc/qoriq/irq/irq.c:663 #7 0x003039f8 in ppc_exc_interrupt () ``` ## Steps to reproduce The following program can reproduce the issue: ```c // If removing this, the issue disappears #define CONFIGURE_STACK_CHECKER_ENABLED #define CONFIGURE_INIT #define CONFIGURE_APPLICATION_NEEDS_CLOCK_DRIVER #define CONFIGURE_APPLICATION_NEEDS_CONSOLE_DRIVER #define CONFIGURE_MAXIMUM_TIMERS 3 #define CONFIGURE_MAXIMUM_TASKS 1 #define CONFIGURE_RTEMS_INIT_TASKS_TABLE #define CONFIGURE_INIT_TASK_PRIORITY 1 #define CONFIGURE_INIT_TASK_INITIAL_MODES (RTEMS_DEFAULT_MODES) #define CONFIGURE_INIT_TASK_STACK_SIZE (RTEMS_MINIMUM_STACK_SIZE * 4) #include <rtems.h> #include <rtems/bspIo.h> #include <rtems/confdefs.h> static void timer_isr(rtems_id id, void* arg) { (void)id; (void)arg; printk("Timer ISR fired\n"); void (*function_ptr)() = 0; // Provoke an exception from inside 
an ISR function_ptr(); } rtems_task Init(rtems_task_argument arg) { rtems_id timerid; rtems_status_code status; printk("RTEMS version: %s\n", RTEMS_VERSION); status = rtems_timer_create(rtems_build_name('T', 'M', 'R', 'x'), &timerid); printk("rtems_timer_create() = %s\n", rtems_status_text(status)); status = rtems_timer_fire_after(timerid, RTEMS_MILLISECONDS_TO_TICKS(1000), timer_isr, NULL); printk("rtems_timer_fire_after() = %s\n", rtems_status_text(status)); while(1) { rtems_task_wake_after(RTEMS_MILLISECONDS_TO_TICKS(1000)); } } ``` -- View it on GitLab: https://gitlab.rtems.org/rtems/rtos/rtems/-/issues/5535 You're receiving this email because of your account on gitlab.rtems.org.
