Y334275 commented on issue #18137:
URL: https://github.com/apache/nuttx/issues/18137#issuecomment-3794790122
I performed further debugging and here’s a summary of my findings:
First, I enabled CONFIG_DEBUG_ASSERTIONS. As a result, I obtained the
following logs:
```
ESP-ROM:esp32s3-20210327
Build:Mar 27 2021
rst:0x3 (RTC_SW_SYS_RST),boot:0x8 (SPI_FAST_FLASH_BOOT)
Saved PC:0x40374724
pro cpu reset by JTAG
SPIWP:0xee
mode:DIO, clock div:2
load:0x3fc95300,len:0x24f8
load:0x40374000,len:0x9360
load:0x50000000,len:0x20
SHA-256 comparison failed:
Calculated: f149d09508d8465342bd470d6768f90b563bc19c0e4d0af984556a9480492679
Expected: 0000000040470000000000000000000000000000000000000000000000000000
Attempting to boot anyway...
entry 0x40374a2c
*** Booting NuttX ***
I (76) boot: chip revision: v0.2
I (76) boot: efuse block revision: v1.3
I (76) boot.esp32s3: Boot SPI Speed : 40MHz
I (77) boot.esp32s3: SPI Mode : DIO
I (80) boot.esp32s3: SPI Flash Size : 4MB
I (84) boot: Enabling RNG early entropy source...
dram: lma 0x00000020 vma 0x3fc95300 len 0x24f8 (9464)
iram: lma 0x00002520 vma 0x40374000 len 0x9360 (37728)
rtc: lma 0x0000b888 vma 0x50000000 len 0x20 (32)
padd: lma 0x0000b8b8 vma 0x00000000 len 0x4740 (18240)
imap: lma 0x00010000 vma 0x42010000 len 0x150860 (1378400)
padd: lma 0x00160868 vma 0x00000000 len 0xf790 (63376)
dmap: lma 0x00170000 vma 0x3c180000 len 0x61fac (401324)
total segments stored 7
Aprint_psram_reg: vendor id : 0x0d (AP)
print_psram_reg: dev id : 0x02 (generation 3)
print_psram_reg: density : 0x03 (64 Mbit)
print_psram_reg: good-die : 0x01 (Pass)
print_psram_reg: Latency : 0x01 (Fixed)
print_psram_reg: VCC : 0x01 (3V)
print_psram_reg: SRF : 0x01 (Fast Refresh)
print_psram_reg: BurstType : 0x01 (Hybrid Wrap)
print_psram_reg: BurstLen : 0x01 (32 Byte)
print_psram_reg: Readlatency : 0x02 (10 cycles@Fixed)
print_psram_reg: DriveStrength: 0x00 (1/1)
esp_spiram_init: Found 8MB SPI RAM device
esp_spiram_init: Speed: 40MHz
esp_spiram_init: Initialized, cache is in normal (1-core) mode.
esp_spiram_init_cache: PSRAM available size = 8388608
esp_spiram_init_cache: Virtual address size = 0x1e10000, start: 0x3c1f0000,
end: 0x3c9f0000
esp_spiram_test: SPI SRAM memory test OK!
BI (847) app_init: Application information:
I (847) app_init: Compile time: Jan 24 2026 20:10:12
I (847) app_init: ELF file SHA256: 000000000...
I (849) app_init: ESP-IDF:
I (852) sleep_gpio: Configure to isolate all GPIO pins in sleep state
I (858) sleep_gpio: Enable automatic switching of GPIO sleep configuration
nx_start: Entry
up_allocate_heap: Heap: start=3c1f0000 end=3c9f0000 size=8388608
mm_initialize: Heap: name=Umem, start=0x3c1f0000 size=8388608
mm_addregion: [Umem] Region 1: base=0x3c1f0174 size=8388232
up_allocate_kheap: Heap: start=3fc977f8 end=3fceee34 size=357948
mm_initialize: Heap: name=Kmem, start=0x3fc977f8 size=357948
mm_addregion: [Kmem] Region 1: base=0x3fc9796c size=357568
mm_malloc: Allocated 0x3fc97980, size 72
mm_malloc: Allocated 0x3fc979c8, size 424
mm_malloc: Allocated 0x3fc97b70, size 48
uart_register: Registering /dev/console
mm_malloc: Allocated 0x3fc97ba0, size 48
mm_malloc: Allocated 0x3fc97bd0, size 56
uart_register: Registering /dev/ttyS0
mm_malloc: Allocated 0x3fc97c08, size 56
uart_register: Registering /dev/ttyS1
mm_malloc: Allocated 0x3fc97c40, size 56
uart_register: Registering /dev/ttyS2
mm_malloc: Allocated 0x3fc97c78, size 56
mm_malloc: Allocated 0x3fc97cb0, size 48
mm_malloc: Allocated 0x3fc97ce0, size 56
mm_malloc: Allocated 0x3fc97d18, size 48
mm_malloc: Allocated 0x3fc97d48, size 32
mm_malloc: Allocated 0x3fc97d68, size 16
mm_malloc: Allocated 0x3fc97d78, size 32
work_start_highpri: Starting high-priority kernel worker thread(s)
mm_malloc: Allocated 0x3fc97d98, size 208
mm_malloc: Allocated 0x3fc97e68, size 3080
nxtask_activate: hpwork pid=1,TCB=0x3fc97d98
work_start_lowpri: Starting low-priority kernel worker thread(s)
mm_malloc: Allocated 0x3fc98a70, size 208
mm_malloc: Allocated 0x3fc98b40, size 2056
nxtask_activate: lpwork pid=2,TCB=0x3fc98a70
mm_malloc: Allocated 0x3fc99348, size 48
nx_start_application: Starting init thread
task_spawn: name=nsh_main entry=0x42014ce8 file_actions=0 attr=0x3fc95290
argv=0x3fc952a4
mm_malloc: Allocated 0x3fc99378, size 208
mm_malloc: Allocated 0x3fc99448, size 256
mm_malloc: Allocated 0x3c1f0188, size 424
mm_malloc: Allocated 0x3c1f0330, size 32
mm_malloc: Allocated 0x3c1f0350, size 16
mm_malloc: Allocated 0x3c1f0360, size 6152
nxtask_activate: nsh_main pid=3,TCB=0x3fc99378
mm_malloc: Allocated 0x3fc99548, size 32
mm_malloc: Allocated 0x3fc99568, size 32
mm_malloc: Allocated 0x3fc99588, size 32
mm_malloc: Allocated 0x3fc995a8, size 32
mm_malloc: Allocated 0x3fc995c8, size 32
mm_malloc: Allocated 0x3fc995e8, size 32
mm_malloc: Allocated 0x3fc99608, size 32
mm_malloc: Allocated 0x3fc99628, size 32
mm_malloc: Allocated 0x3fc99648, size 32
mm_malloc: Allocated 0x3fc99668, size 32
mm_malloc: Allocated 0x3fc99688, size 32
mm_malloc: Allocated 0x3fc996a8, size 32
mm_malloc: Allocated 0x3fc996c8, size 32
mm_malloc: Allocated 0x3fc996e8, size 32
mm_malloc: Allocated 0x3fc99708, size 32
mm_malloc: Allocated 0x3fc99728, size 32
mm_malloc: Allocated 0x3fc99748, size 32
mm_malloc: Allocated 0x3fc99768, size 32
mm_malloc: Allocated 0x3fc99788, size 32
lib_cxx_initialize: _sinit: 0x3c1e1ee0 _einit: 0x3c1e1f9c
lib_cxx_initialize: initp: 0x3c1e1ee0 initializer: 0x4037a588
lib_cxx_initialize: Calling 0x4037a588
lib_cxx_initialize: initp: 0x3c1e1ee4 initializer: 0x4203bb28
lib_cxx_initialize: Calling 0x4203bb28
lib_cxx_initialize: initp: 0x3c1e1ee8 initializer: 0x4203f2ac
lib_cxx_initialize: Calling 0x4203f2ac
lib_cxx_initialize: initp: 0x3c1e1eec initializer: 0x4203f430
lib_cxx_initialize: Calling 0x4203f430
lib_cxx_initialize: initp: 0x3c1e1ef0 initializer: 0x4203fd60
lib_cxx_initialize: Calling 0x4203fd60
lib_cxx_initialize: initp: 0x3c1e1ef4 initializer: 0x42041b9c
lib_cxx_initialize: Calling 0x42041b9c
lib_cxx_initialize: initp: 0x3c1e1ef8 initializer: 0x42043f70
lib_cxx_initialize: Calling 0x42043f70
lib_cxx_initialize: initp: 0x3c1e1efc initializer: 0x42050828
lib_cxx_initialize: Calling 0x42050828
lib_cxx_initialize: initp: 0x3c1e1f00 initializer: 0x42051a30
lib_cxx_initialize: Calling 0x42051a30
lib_cxx_initialize: initp: 0x3c1e1f04 initializer: 0x420524f4
lib_cxx_initialize: Calling 0x420524f4
lib_cxx_initialize: initp: 0x3c1e1f08 initializer: 0x420531c4
lib_cxx_initialize: Calling 0x420531c4
lib_cxx_initialize: initp: 0x3c1e1f0c initializer: 0x42054420
lib_cxx_initialize: Calling 0x42054420
lib_cxx_initialize: initp: 0x3c1e1f10 initializer: 0x42054fb4
lib_cxx_initialize: Calling 0x42054fb4
lib_cxx_initialize: initp: 0x3c1e1f14 initializer: 0x42056e70
lib_cxx_initialize: Calling 0x42056e70
lib_cxx_initialize: initp: 0x3c1e1f18 initializer: 0x420575f0
lib_cxx_initialize: Calling 0x420575f0
lib_cxx_initialize: initp: 0x3c1e1f1c initializer: 0x4205cf88
lib_cxx_initialize: Calling 0x4205cf88
lib_cxx_initialize: initp: 0x3c1e1f20 initializer: 0x42069668
lib_cxx_initialize: Calling 0x42069668
lib_cxx_initialize: initp: 0x3c1e1f24 initializer: 0x4206a264
lib_cxx_initialize: Calling 0x4206a264
lib_cxx_initialize: initp: 0x3c1e1f28 initializer: 0x42096948
lib_cxx_initialize: Calling 0x42096948
lib_cxx_initialize: initp: 0x3c1e1f2c initializer: 0x42096fb0
lib_cxx_initialize: Calling 0x42096fb0
lib_cxx_initialize: initp: 0x3c1e1f30 initializer: 0x42098284
lib_cxx_initialize: Calling 0x42098284
lib_cxx_initialize: initp: 0x3c1e1f34 initializer: 0x42099d2c
lib_cxx_initialize: Calling 0x42099d2c
lib_cxx_initialize: initp: 0x3c1e1f38 initializer: 0x4209d4b8
lib_cxx_initialize: Calling 0x4209d4b8
lib_cxx_initialize: initp: 0x3c1e1f3c initializer: 0x4209f3b8
lib_cxx_initialize: Calling 0x4209f3b8
lib_cxx_initialize: initp: 0x3c1e1f40 initializer: 0x420a074c
lib_cxx_initialize: Calling 0x420a074c
lib_cxx_initialize: initp: 0x3c1e1f44 initializer: 0x420a1188
lib_cxx_initialize: Calling 0x420a1188
lib_cxx_initialize: initp: 0x3c1e1f48 initializer: 0x420a371c
lib_cxx_initialize: Calling 0x420a371c
lib_cxx_initialize: initp: 0x3c1e1f4c initializer: 0x420a6af4
lib_cxx_initialize: Calling 0x420a6af4
lib_cxx_initialize: initp: 0x3c1e1f50 initializer: 0x420b03f8
lib_cxx_initialize: Calling 0x420b03f8
lib_cxx_initialize: initp: 0x3c1e1f54 initializer: 0x420b41cc
lib_cxx_initialize: Calling 0x420b41cc
lib_cxx_initialize: initp: 0x3c1e1f58 initializer: 0x420b5808
lib_cxx_initialize: Calling 0x420b5808
lib_cxx_initialize: initp: 0x3c1e1f5c initializer: 0x420d166c
lib_cxx_initialize: Calling 0x420d166c
lib_cxx_initialize: initp: 0x3c1e1f60 initializer: 0x420d41d8
lib_cxx_initialize: Calling 0x420d41d8
lib_cxx_initialize: initp: 0x3c1e1f64 initializer: 0x420d6f44
lib_cxx_initialize: Calling 0x420d6f44
lib_cxx_initialize: initp: 0x3c1e1f68 initializer: 0x420d91b4
lib_cxx_initialize: Calling 0x420d91b4
lib_cxx_initialize: initp: 0x3c1e1f6c initializer: 0x420da224
lib_cxx_initialize: Calling 0x420da224
lib_cxx_initialize: initp: 0x3c1e1f70 initializer: 0x420dd610
lib_cxx_initialize: Calling 0x420dd610
lib_cxx_initialize: initp: 0x3c1e1f74 initializer: 0x420dedf4
lib_cxx_initialize: Calling 0x420dedf4
lib_cxx_initialize: initp: 0x3c1e1f78 initializer: 0x420e06cc
lib_cxx_initialize: Calling 0x420e06cc
lib_cxx_initialize: initp: 0x3c1e1f7c initializer: 0x420ed598
lib_cxx_initialize: Calling 0x420ed598
lib_cxx_initialize: initp: 0x3c1e1f80 initializer: 0x420ee4c0
lib_cxx_initialize: Calling 0x420ee4c0
lib_cxx_initialize: initp: 0x3c1e1f84 initializer: 0x421090c8
lib_cxx_initialize: Calling 0x421090c8
lib_cxx_initialize: initp: 0x3c1e1f88 initializer: 0x4210c100
lib_cxx_initialize: Calling 0x4210c100
lib_cxx_initialize: initp: 0x3c1e1f8c initializer: 0x4214728c
lib_cxx_initialize: Calling 0x4214728c
mm_malloc: Allocated 0x3c1f1b68, size 264
mm_malloc: Allocated 0x3c1f1c70, size 264
lib_cxx_initialize: initp: 0x3c1e1f90 initializer: 0x42149038
lib_cxx_initialize: Calling 0x42149038
lib_cxx_initialize: initp: 0x3c1e1f94 initializer: 0x42149300
lib_cxx_initialize: Calling 0x42149300
lib_cxx_initialize: initp: 0x3c1e1f98 initializer: 0x4214eaec
lib_cxx_initialize: Calling 0x4214eaec
mm_malloc: Allocated 0x3fc997a8, size 56
mm_malloc: Allocated 0x3fc997e0, size 32
nx_start: CPU0: Beginning Idle Loop
mm_malloc: Allocated 0x3fc99800, size 184
mm_malloc: Allocated 0x3fc998b8, size 48
mm_malloc: Allocated 0x3fc998e8, size 48
mm_free: Freeing 0x3c1f0350
mm_free: Freeing 0x3c1f0330
mm_malloc: Allocated 0x3fc99918, size 208
mm_malloc: Allocated 0x3fc999e8, size 256
mm_malloc: Allocated 0x3c1f1d78, size 424
mm_malloc: Allocated 0x3c1f1f20, size 1384
nxtask_activate: wq:manager pid=4,TCB=0x3fc99918
mm_malloc: Allocated 0x3fc99ae8, size 32
mm_malloc: Allocated 0x3fc99b08, size 32
mm_malloc: Allocated 0x3fc99b28, size 32
mm_malloc: Allocated 0x3fc99b48, size 32
mm_malloc: Allocated 0x3fc99b68, size 32
mm_malloc: Allocated 0x3fc99b88, size 32
mm_malloc: Allocated 0x3fc99ba8, size 32
mm_malloc: Allocated 0x3fc99bc8, size 32
mm_malloc: Allocated 0x3fc99be8, size 32
mm_malloc: Allocated 0x3fc99c08, size 32
mm_malloc: Allocated 0x3fc99c28, size 32
mm_malloc: Allocated 0x3fc99c48, size 32
mm_malloc: Allocated 0x3fc99c68, size 32
mm_malloc: Allocated 0x3fc99c88, size 32
mm_malloc: Allocated 0x3fc99ca8, size 32
mm_malloc: Allocated 0x3fc99cc8, size 32
mm_malloc: Allocated 0x3fc99ce8, size 32
mm_malloc: Allocated 0x3fc99d08, size 32
mm_malloc: Allocated 0x3fc99d28, size 32
mm_malloc: Allocated 0x3fc99d48, size 32
mm_malloc: Allocated 0x3fc99d68, size 32
mm_malloc: Allocated 0x3fc99d88, size 32
mm_malloc: Allocated 0x3fc99da8, size 32
mm_malloc: Allocated 0x3c1f2488, size 72
mm_malloc: Allocated 0x3c1f24d0, size 56
mm_malloc: Allocated 0x3c1f2508, size 64
pthread_mutex_timedlock: mutex=0x3fc96558
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3fc96558
pthread_mutex_unlock: Returning 0
mm_malloc: Allocated 0x3c1f0330, size 32
pthread_mutex_timedlock: mutex=0x3fc96558
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3fc96558
pthread_mutex_unlock: Returning 0
mm_malloc: Allocated 0x3c1f2548, size 32
pthread_mutex_timedlock: mutex=0x3fc96558
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3fc96558
pthread_mutex_unlock: Returning 0
mm_malloc: Allocated 0x3c1f2568, size 64
pthread_mutex_timedlock: mutex=0x3fc96558
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3fc96558
pthread_mutex_unlock: Returning 0
mm_malloc: Allocated 0x3c1f25a8, size 104
pthread_mutex_timedlock: mutex=0x3c1f248c
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3c1f248c
pthread_mutex_unlock: Returning 0
mm_malloc: Allocated 0x3fc99dc8, size 216
mm_malloc: Allocated 0x3c1f2610, size 3504
nxtask_activate: wq:manager pid=5,TCB=0x3fc99dc8
pthread_mutex_timedlock: mutex=0x3c1f248c
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3c1f248c
pthread_mutex_unlock: Returning 0
pthread_mutex_timedlock: mutex=0x3c1f248c
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3c1f248c
pthread_mutex_unlock: Returning 0
pthread_mutex_timedlock: mutex=0x3c1f3310
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3c1f3310
pthread_mutex_unlock: Returning 0
mm_malloc: Allocated 0x3c1f0350, size 16
mm_malloc: Allocated 0x3c1f33c0, size 432
mm_malloc: Allocated 0x3fc99ea0, size 32
mm_free: Freeing 0x3fc99ea0
mm_malloc: Allocated 0x3c1f3570, size 72
mm_malloc: Allocated 0x3fc99ea0, size 24
mm_malloc: Allocated 0x3fc99eb8, size 48
mm_malloc: Allocated 0x3fc99ee8, size 56
mm_malloc: Allocated 0x3fc99f20, size 32
mm_free: Freeing 0x3fc99f20
mm_malloc: Allocated 0x3c1f35b8, size 552
mm_malloc: Allocated 0x3fc99f20, size 24
mm_malloc: Allocated 0x3c1f37e0, size 32
pthread_mutex_timedlock: mutex=0x3fc96558
pthread_mutex_timedlock: Returning 0
pthread_mutex_unlock: mutex=0x3fc96558
pthread_mutex_unlock: Returning 0
mm_malloc: Allocated 0x3fc99f38, size 128
mm_malloc: Allocated 0x3fc99fb8, size 48
mm_malloc: Allocated 0x3fc99fe8, size 56
mm_malloc: Allocated 0x3fc9a020, size 56
mm_malloc: Allocated 0x3fc9a058, size 208
mm_malloc: Allocated 0x3fc9a128, size 2056
nxtask_activate: rt_timer pid=6,TCB=0x3fc9a058
mm_malloc: Allocated 0x3c1f3800, size 32
mm_malloc: Allocated 0x3c1f3820, size 16
mm_malloc: Allocated 0x3c1f3830, size 16
mm_malloc: Allocated 0x3c1f3840, size 16
mm_malloc: Allocated 0x3c1f3850, size 16
mm_malloc: Allocated 0x3c1f3860, size 1352
mm_malloc: Allocated 0x3fc9a930, size 32
mm_malloc: Allocated 0x3fc9a950, size 32
mm_malloc: Allocated 0x3fc9a970, size 24
mm_malloc: Allocated 0x3fc9a988, size 520
mm_free: Freeing 0x3fc9a988
mm_free: Freeing 0x3fc9a970
mm_free: Freeing 0x3fc9a950
mm_free: Freeing 0x3fc9a930
dump_assert_info: Current Version: NuttX 11.0.0 1c8b2be659-dirty Jan 24
2026 20:09:44 xtensa
dump_assert_info: Assertion failed mm_heapmember(heap, mem): at file:
mm_heap/mm_free.c:243 task: nsh_main process: nsh_main 0x42014ce8
up_dump_register: PC: 42039357 PS: 00060122
up_dump_register: A0: 80378d5e A1: 3c1f18f0 A2: 00000000 A3:
3fc919a0
up_dump_register: A4: 0000000a A5: 3c1f1978 A6: 00000000 A7:
3fc95bec
up_dump_register: A8: 00000001 A9: 3fc99378 A10: 00000000 A11:
0000007e
up_dump_register: A12: 3c1f1a00 A13: 3c1f19e0 A14: 00000008 A15:
3fc99348
up_dump_register: SAR: 00000005 CAUSE: 42026724 VADDR: 8203ae48
up_dump_register: LBEG: 400570e8 LEND: 400570f3 LCNT: 00000000
dump_stackinfo: User Stack:
dump_stackinfo: base: 0x3c1f0390
dump_stackinfo: size: 00006096
dump_stackinfo: sp: 0x3c1f18f0
stack_dump: 0x3c1f18d0: 3c189998 3c1f18f0 400570f3 00000000 8201f9b1
3c1f1910 3c1f0390 3fc99378
stack_dump: 0x3c1f18f0: 3c1f0390 000017d0 3c1f18d0 3c189998 8201ed39
3c1f1a00 3c18621f 000000f3
stack_dump: 0x3c1f1910: 3fc99428 3fc99428 42014ce8 3c1862d9 7474754e
3c1f0058 00000008 00000000
stack_dump: 0x3c1f1930: 3c1f1a00 3c1f00e0 00000008 3fc99348 82022e50
3c1f1990 00000006 3c1862d9
stack_dump: 0x3c1f1950: 0000001c 2e313100 00302e30 42039ec8 4215b5bc
3c1f1970 6331000a 62326238
stack_dump: 0x3c1f1970: 39353665 7269642d 4a207974 32206e61 30322034
32203632 39303a30 0034343a
stack_dump: 0x3c1f1990: 3c1f1a00 3c1f19e0 00000008 65747848 0061736e
3c1f19e0 00000008 00000000
stack_dump: 0x3c1f19b0: 3c1f1a00 3fc99378 3fc919a0 3c1862e9 3c18621f
000000f3 3c1f0000 3fc9a930
stack_dump: 0x3c1f19d0: 00000006 00060120 000000f3 00000000 3fc95300
000017d0 3c1f1b60 3c1f18f0
stack_dump: 0x3c1f19f0: 8201e624 3c1f1a20 3c1f0000 3fc9a930 3c1862e9
3fc9a930 00000000 3c1f1870
stack_dump: 0x3c1f1a10: 82015ecd 3c1f1a40 3fc9a930 3c1f3d50 00000003
3fc95a9c 3fc99378 3c1f1870
stack_dump: 0x3c1f1a30: 82014f22 3c1f1a60 3fc9a930 00000050 00000000
00000000 00000001 3c1f1a40
stack_dump: 0x3c1f1a50: 82014f44 3c1f1a80 3c1f3860 3c1f3c60 00000003
ffffffff 42015598 3c1f1930
stack_dump: 0x3c1f1a70: 82014d99 3c1f1ab0 3c1f3860 00000000 3fc9a930
3c1f1ab0 00000000 00000000
stack_dump: 0x3c1f1a90: 3c1f3d50 00000000 ffffffff 00000000 82014d0f
3c1f1ad0 3c1f3860 3c1f1af0
stack_dump: 0x3c1f1ab0: 3c1f1ae0 3c1f1ac0 00000008 00000000 82021001
3c1f1af0 00000001 3c1f0370
stack_dump: 0x3c1f1ad0: 3c1875cd 4214eaec 4214eaec 42010fc4 8201206c
3c1f1b20 42014ce8 00000001
stack_dump: 0x3c1f1af0: 00000064 3c1f1b20 42014ce8 00000001 3c1875cd
3fc91954 3c1e1f9c 3fc8f10c
stack_dump: 0x3c1f1b10: 00000000 3c1f1b40 00000000 42014ce8 3c1f0370
3fc99250 00000001 3c181267
stack_dump: 0x3c1f1b30: 00000000 3c1f1b60 00000000 00000000 00000000
00000000 00000000 00000000
stack_dump: 0x3c1f1b50: 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000
mm_free: Freeing 0x3c1f0188
mm_free: Freeing 0x3fc99548
mm_free: Freeing 0x3fc99568
mm_free: Freeing 0x3fc99588
mm_free: Freeing 0x3fc995a8
mm_free: Freeing 0x3fc995c8
mm_free: Freeing 0x3fc995e8
mm_free: Freeing 0x3fc99608
mm_free: Freeing 0x3fc99628
mm_free: Freeing 0x3fc99648
mm_free: Freeing 0x3fc99668
mm_free: Freeing 0x3fc99688
mm_free: Freeing 0x3fc996a8
mm_free: Freeing 0x3fc996c8
mm_free: Freeing 0x3fc996e8
mm_free: Freeing 0x3fc99708
mm_free: Freeing 0x3fc99728
mm_free: Freeing 0x3fc99748
mm_free: Freeing 0x3fc99768
mm_free: Freeing 0x3fc99788
mm_free: Freeing 0x3fc99448
nxtask_exit: nsh_main pid=3,TCB=0x3fc99378
mm_free: Freeing 0x3c1f0360
mm_free: Freeing 0x3fc99378
```
Next, based on these logs, I used GDB to debug the code. Here are the
backtraces from the assertion failure:
```
#0 0x4215b21e in esp32s3_lowputc_is_tx_fifo_full (priv=<optimized out>) at
chip/esp32s3_lowputc.c:729
#1 0x4201c083 in xtensa_lowputc (ch=95 '_') at chip/esp32s3_lowputc.c:994
#2 0x4201c6a6 in up_putc (ch=95) at chip/esp32s3_serial.c:1235
#3 0x420391c4 in up_nputs (str=0x3c18b123 <__FUNCTION__$0+8> "register",
len=<optimized out>) at common/xtensa_nputs.c:46
#4 0x42026751 in syslog_default_write (channel=<optimized out>,
buffer=<optimized out>, buflen=16) at syslog/syslog_channel.c:319
#5 0x4203ada4 in syslog_write_foreach (buffer=0x3c18b11b <__FUNCTION__$0>
"up_dump_register", buflen=16, force=<optimized out>) at
syslog/syslog_write.c:163
#6 0x4203ae48 in syslog_write (buffer=0x3c18b11b <__FUNCTION__$0>
"up_dump_register", buflen=16) at syslog/syslog_write.c:260
#7 0x42039ef9 in syslograwstream_puts (len=16, buff=0x3c18b11b
<__FUNCTION__$0>, self=0x3c1f1810) at stream/lib_syslograwstream.c:219
#8 syslograwstream_puts (self=0x3c1f1810, buff=0x3c18b11b <__FUNCTION__$0>,
len=16) at stream/lib_syslograwstream.c:188
#9 0x4202257e in vsprintf_internal (stream=0x3c1f1810, arglist=0x0,
numargs=0, fmt=<optimized out>, ap=..., numargs=0, arglist=0x0) at
stream/lib_libvsprintf.c:945
#10 0x42022944 in lib_vsprintf_internal (stream=0x3c1f1810, fmt=0x3c18b0ef
"%s: LBEG: %08lx LEND: %08lx LCNT: %08lx\n", ap=...) at
stream/lib_libvsprintf.c:1443
#11 0x420264a8 in nx_vsyslog (priority=1, fmt=0x3c18b0ef "%s: LBEG: %08lx
LEND: %08lx LCNT: %08lx\n", ap=0x3c1f1850) at syslog/vsyslog.c:258
#12 0x42022e28 in vsyslog (priority=1, fmt=0x3c18b0ef "%s: LBEG: %08lx
LEND: %08lx LCNT: %08lx\n", ap=...) at syslog/lib_syslog.c:70
#13 0x42022e50 in syslog (priority=1, fmt=0x3c18b0ef "%s: LBEG: %08lx
LEND: %08lx LCNT: %08lx\n") at syslog/lib_syslog.c:102
#14 0x420392e8 in up_dump_register (dumpregs=<optimized out>) at
common/xtensa_registerdump.c:68
#15 0x40378e3a in dump_running_task (regs=<optimized out>, rtcb=0x3fc99378)
at misc/assert.c:659
#16 dump_assert_info (regs=<optimized out>, msg=<optimized out>,
linenum=243, filename=<optimized out>, rtcb=0x3fc99378) at misc/assert.c:717
#17 _assert (filename=<optimized out>, linenum=243, msg=<optimized out>,
regs=<optimized out>) at misc/assert.c:902
#18 0x4201f9b1 in __assert (filename=0x3c18621f "mm_heap/mm_free.c",
linenum=243, msg=0x3c1862e9 "mm_heapmember(heap, mem)") at
assert/lib_assert.c:38
#19 0x4201ed39 in mm_free (heap=0x3c1f0000, mem=0x3fc9a930) at
mm_heap/mm_free.c:243
#20 0x4201e624 in free (mem=0x3fc9a930) at umm_heap/umm_free.c:51
#21 0x42015ecd in nsh_freefullpath (fullpath=0x3fc9a930
"/etc/init.d/rc.sysinit") at nsh_envcmds.c:233
--Type <RET> for more, q to quit, c to continue without paging--
#22 0x42014f22 in nsh_script (vtbl=0x3c1f3860, cmd=<optimized out>,
path=<optimized out>, log=false) at nsh_script.c:201
#23 0x42014f44 in nsh_script_redirect (log=false, path=0x3c181fd1
"/etc/init.d/rc.sysinit", cmd=0x3c181fe0 "sysinit", vtbl=0x3c1f3860) at
nsh_script.c:71
#24 nsh_sysinitscript (vtbl=0x3c1f3860) at nsh_script.c:221
#25 0x42014d99 in nsh_initialize () at nsh_init.c:157
#26 0x42014d0f in nsh_main (argc=1, argv=0x3c1f0370) at nsh_main.c:71
#27 0x42021001 in nxtask_startup (entrypt=0x42014ce8 <nsh_main>, argc=1,
argv=0x3c1f0370) at sched/task_startup.c:72
#28 0x4201206c in nxtask_start () at task/task_start.c:104
```
After reviewing the code shown in the backtraces, I identified the root
cause of the issue:
1. The fullpath variable in the nsh_script function is allocated on the
kernel heap.
2. However, nsh_freefullpath calls a function to free this space from the
user heap (mismatched heap allocation/deallocation).
The fullpath variable is returned by nsh_getfullpath, so I inspected that
function. It uses strdup to duplicate the path—this is the critical flaw:
strdup allocates memory on the kernel heap, but nsh_freefullpath incorrectly
frees it from the user heap. Over time, this mismatch corrupts the kernel heap,
leading to the out-of-memory error.
Fortunately, I have some familiarity with Xtensa. I checked the Newlib
implementation and found the following code in
`arch/xtensa/src/esp32s3/es32s3_libc_stubs.c`:
```c
void *_malloc_r(struct _reent *r, size_t size)
{
return lib_malloc(size);
}
void *_realloc_r(struct _reent *r, void *ptr, size_t size)
{
return lib_realloc(ptr, size);
}
void *_calloc_r(struct _reent *r, size_t nmemb, size_t size)
{
return lib_calloc(nmemb, size);
}
void _free_r(struct _reent *r, void *ptr)
{
lib_free(ptr);
}
```
It appears that these implementations of
_malloc_r/_realloc_r/_free_r/_calloc_r should call lib_umalloc/lib_ufree (user
heap) instead of lib_malloc/lib_free (kernel heap) in this context.
These changes are tested in my environment, and they worked. I don’t know if
they will cause other problems.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
