Hello,
iXBlue is using TMS320C6713 DSP processor on one of it’s processing board.
We’re working with CCS 3.1.0 and are currently facing a processor crash issue.
We’ve analysed generated assembler code and seen something strange:
System reads task stask using uninitialized offset (register).
Environment:
- Code composer Studio 3.1.0
- DSP Bios Kernel 5.2.0.46 04-29-2006
- Processor: TMS320C6713
Problem description:
- System Crash
Source code:
Here after is the part of code that causes the system crash:
- Function prototype and local variables
- Specific code part that crashes.
- The main part of the code is not reported here (has no effect on problem detected).
|
/* Output and update for referenced model: 'ManageExternalSensors' */ void ManageExternalSensorsTID0(real_T *rty_g_dCovAltLoop, real_T *rty_g_dCovVUpLoop, real_T rty_vListSsrBias[8], real_T rty_vAltiCoef[3], real_T *rty_SigHext, uint16_T *rty_iIdSelectedSsr, real_T rty_vListStatusLoopAltSsr[8], real_T *rty_dHext, rtB_ManageExternalSensors *localB, rtDW_ManageExternalSensors *localDW) { /* local block i/o variables */ uint16_T rtb_n_vSensorFlags_m[89]; boolean_T n_bFlagFk; real_T l_dQ; real_T l_dQ_0; real_T l_dQ_1; real_T l_dQ_2; real_T l_dTemp; real_T l_dTemp_0; boolean_T b; uint16_T c_ii; static SENSOR_OPMODE d[8] = { SENSOR_OPMODE_OFF, SENSOR_OPMODE_OFF, SENSOR_OPMODE_OFF, SENSOR_OPMODE_OFF, SENSOR_OPMODE_OFF, SENSOR_OPMODE_OFF, SENSOR_OPMODE_OFF, SENSOR_OPMODE_OFF };
boolean_T l_bStarterActif; real_T l_QRot[4]; STATUS_STACK l_bStackStatusQnb; STATUS_STACK l_bStackStatusZ; uint16_T c_n_iStackId; real_T l_qQd[4]; SENSOR_OPMODE rtb_n_vSystOpModeZupt_f[6]; real_T rtb_n_vIncVDVL[3]; real_T rtb_n_dIncVINSCov; real_T rtb_n_dIncVDVLCov; real_T rtb_n_dAltDR; real_T rtb_n_vDelayAltitudeLoop[8]; real_T rtb_n_vMeasureAltLoop[8]; real_T rtb_n_vAltitudeINSLoop[8]; real_T rtb_n_vDelayAltitude[8]; uint16_T rtb_n_vSensorFlags_e[89]; real_T rtb_n_vSigAltitude[8]; real_T rtb_n_vMeasureAltitude[8]; SENSOR_OPMODE rtb_n_vSystOpModeAltitude[8]; boolean_T rtb_n_vAltitudeRejected[8]; boolean_T rtb_n_vFlagAltitudeLoopKF[8]; real_T rtb_n_mSigZUPT[18]; real_T rtb_n_mQnb[32]; int32_T i; real_T tmp[4]; real_T tmp_0[3]; real_T rtb_n_mQnb_0[4]; real_T l_dDeltaLat[3]; int32_T i_0; real_T tmp_1[16]; real_T tmp_2[20]; uint16_T l_IdList_data[3]; uint16_T c_data[3]; int32_T l_IdList_sizes_idx; real_T l_vPsi_idx; real_T l_vPsi_idx_0; real_T l_vPsi_idx_1; uint32_T qY; uint32_T tmp_4; int index=0;
//… UNREPORTED CODE (~3000lines) …//
for (i = 0; i < 2; i++) { l_bStarterActif = FALSE;
if (l_bStarterActif) L3118 { l_dQ_0 = l_dQ;
rtb_n_vMeasureAltLoop[i] = (rtb_n_dAltDR + l_dTemp) -rtb_n_vSigAltitude[i]; L3122
} else { l_dQ_0 = rtb_n_vDelayAltitudeLoop[i] + T_TK; }
rtb_n_vFlagAltitudeLoopKF[i] = l_bStarterActif; rtb_n_vDelayAltitudeLoop[i] = l_dQ_0; } return; |
Compilation results:
- Project is compiled with following options (No optimization used).
Below is an extract from .asm file
|
DW$L$_ManageExternalSensorsTID0$754$B: .dwpsn "ManageExternalSensors.c",3114,0
[!B0] B .S1 L347 ; |3118| || [ B0] LDW .D2T2 *+SP(1448),B8 ; |3122| || [ B0] MVK .S2 32,B6 ; |3122|
[ B0] STW .D2T2 B4,*+SP(232) ; |3120| || [ B0] MVK .S2 53,B9 ; |3122|
[ B0] STW .D2T2 B5,*+SP(236) ; |3120| LDDW .D2T2 *+SP[B6],B7:B6 ; |3122| LDDW .D2T2 *+SP[B9],B5:B4 ; |3122| [!B0] LDW .D2T2 *+SP(1448),B6 ; |3127| ; BRANCHCC OCCURS {L347} ; |3118| DW$L$_ManageExternalSensorsTID0$754$E: ;** ------------------------------------------------------* DW$L$_ManageExternalSensorsTID0$755$B:
ADDAD .D2 SP,B8,B2 ; |3122| || MVK .S2 109,B1 ; |3122| || MV .L2 B8,B0 ; |3122|
NOP 2
LDDW .D2T2 *+B2[B1],B7:B6 ; |3122| || ADDDP .L2 B7:B6,B5:B4,B5:B4 ; |3122|
NOP 6 SUBDP .L2 B5:B4,B7:B6,B7:B6 ; |3122| ADDAD .D2 SP,B0,B4 ; |3122| ADDK .S2 496,B4 ; |3122| B .S1 L348 ; |3124| NOP 3 STW .D2T2 B7,*+B4(4) ; |3122| STW .D2T2 B6,*B4 ; |3122| ; BRANCH OCCURS {L348} ; |3124| |
Below is corresponding Code:
Analyse is the following:
- Test on B0 corresponds to “l_bStarterActif” test L 3122.
- B.S1 occurs since “l_bStarterActif” is FALSE
- It takes 6 cycles to branch so DSP continue to execute 6 following instructions.
Affecting 0x0020 to B6 is conditioned to B0 value.
- But using B6 as an offset isn’t conditioned to B0.
- When B6 value is high (~larger than memory space), system crashes.
We did an other test changing –ms to -ms3 option.
- Generated code is not the same
- Result is the same
Below is .asm code.
|
DW$L$_ManageExternalSensorsTID0$689$B: .dwpsn "ManageExternalSensors.c",3114,0 ZERO .L2 B4 ; |3115| STB .D2T2 B4,*+SP(276) ; |3115| LDBU .D2T2 *+SP(276),B0 ; |3118| NOP 1 LDDW .D2T2 *+SP(224),B5:B4 ; |3120| NOP 2 [ B0] MVK .S2 53,B7 ; |3122| [ B0] MVK .S2 32,B6 ; |3122| [ B0] STW .D2T2 B5,*+SP(236) ; |3120| [ B0] LDW .D2T2 *+SP(1448),B2 ; |3122| [ B0] STW .D2T2 B4,*+SP(232) ; |3120| LDDW .D2T2 *+SP[B6],B5:B4 ; |3122| [!B0] LDW .D2T2 *+SP(1448),B6 ; |3127| [!B0] B .S1 L343 ; |3118| LDDW .D2T2 *+SP[B7],B9:B8 ; |3122| [!B0] MVK .S2 54,B7 ; |3127| [!B0] LDW .D2T2 *+DP(_T_TK),B4 ; |3127| [!B0] ADDAD .D2 SP,B6,B6 ; |3127| [!B0] LDDW .D2T2 *+B6[B7],B7:B6 ; |3127| ; BRANCHCC OCCURS {L343} ; |3118| |
Below is assembler code.
In this case:
- System still crashes
- Branch is placed after stack read that causes system crash.
We did a third test using Full Symbolic Option
In this case, no optimation is done and all is ok!
Questions:
- Is this a bug known by TI? How to fix it?
- Why does the system crash when reading unavailable memory address or address out of the stack?
