
Atmelstudio UC3C AVR32 - framework objects in wrong place in memory?

Question:

During the setup of a CAN transmission, a pointer is being corrupted (it goes from a valid 0x00000bd0 to a 0x84520000 that is out of the bounds of my RAM). The pointer is also unrelated to the CAN activity. The reason for the corruption is that a union64 is written over the address of the pointer. This union64 belongs to the CANIF object (from ASF); in the source code the corruption happens here:

    void CAN_SendMsg_KMS(uint64_t msg)
    {
        CANIF_mob_get_ptr_data(ACTIVECHANNEL,0)->data = (Union64)msg;
        AVR32_CANIF.channel[ACTIVECHANNEL].mober = 1<<0;
    }

<strong>My question is, why is the memory for "data" allocated at the same address as my pointer?</strong> Or is this a wrong conclusion?

In the following screenshots, the first is immediately before the function is executed, the last is immediately after execution. The content of "msg" is 0x8452000000000000. The content of the pointer A that is corrupted should be 0x00000bd0, as it is before the corruption happens. The 32-bit integer after the pointer A is pointer B; pointer B is pointing at pointer A, so its uncorrupted content is 0x00000004 (as seen in the screenshot).

<a href="https://i.stack.imgur.com/VAng1.png" rel="nofollow"><img alt="Memory before corruption" src="https://i.stack.imgur.com/VAng1.png" /></a>

<a href="https://i.stack.imgur.com/pWHbO.png" rel="nofollow"><img alt="Memory after corruption" src="https://i.stack.imgur.com/pWHbO.png" /></a>

I don't know if this is useful information: according to the datasheet, the CANIF registers are at memory address 0xFFFD1C00.

Update: This is the assembly-level code that corrupts the pointer:

    //CANIF_mob_get_ptr_data(ACTIVECHANNEL,0)->data = (Union64)msg;
    80006AC8  mov   R8, -189440
    80006ACC  ld.w  R9, R8[8]
    80006ACE  st.d  R9[8], R5

Answer1:

In the line:

CANIF_mob_get_ptr_data(ACTIVECHANNEL,0)->data = (Union64)msg;

CANIF_mob_get_ptr_data is a macro yielding a structure pointer, defined according to the <a href="http://asf.atmel.com/docs/latest/uc3c/html/group__group__avr32__drivers__canif.html#ga59b2eae1889660cd1fce80b4362d5038" rel="nofollow">documentation</a> as:

#define CANIF_mob_get_ptr_data( ch, mob ) ((can_msg_t *)(CANIF_SIZE_OF_CANIF_MSG*mob+CANIF_get_ram_add(ch)))

In turn, CANIF_get_ram_add is a macro returning the address contained in the CAN interface register CANRAMB:

#define CANIF_get_ram_add(ch) ( AVR32_CANIF.channel[ch].canramb )

So if AVR32_CANIF_CANRAMB is not previously initialised, or incorrectly initialised, the pointer returned by CANIF_mob_get_ptr_data will not be valid, and the subsequent assignment will fail.

Even if the resolved address is invalid, the typical effect of such an access in the absence of any kind of hardware memory protection is to "wrap" the address so that it resolves to a non-deterministic real address - so corrupts unrelated memory.
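A host-side sketch of the failure mode this answer describes, added here as an example; it is not code from the original answer or from ASF. `mob_msg_t`, `canramb_model`, `NB_MOB`, `can_init_model` and `can_send_checked` are hypothetical names; on the UC3C the base address comes from the CANRAMB hardware register, which a plain variable models here. The store is refused unless the address derived from the base register lands inside the message RAM the application reserved.

```c
#include <stdint.h>
#include <stddef.h>

#define NB_MOB 16u                      /* assumed number of MOBs per channel */

typedef struct {                        /* simplified stand-in for ASF can_msg_t */
    uint32_t id;
    uint32_t id_mask;
    uint64_t data;                      /* at offset 8, matching "st.d R9[8], R5" */
} mob_msg_t;

static mob_msg_t mob_ram[NB_MOB];       /* message RAM reserved by the application */
static uintptr_t canramb_model;         /* models channel[ch].canramb; 0 = never set */

/* Same arithmetic as CANIF_mob_get_ptr_data: base register + mob * element size. */
static mob_msg_t *mob_ptr(unsigned mob)
{
    return (mob_msg_t *)(canramb_model + sizeof(mob_msg_t) * mob);
}

/* What the CAN init code must do before the first send. */
void can_init_model(void)
{
    canramb_model = (uintptr_t)mob_ram;
}

/* Returns 0 on success, -1 if the resolved address is outside mob_ram. */
int can_send_checked(unsigned mob, uint64_t msg)
{
    uintptr_t lo = (uintptr_t)mob_ram;
    uintptr_t hi = lo + sizeof(mob_ram);
    uintptr_t p  = (uintptr_t)mob_ptr(mob);

    if (mob >= NB_MOB || p < lo || p > hi - sizeof(mob_msg_t))
        return -1;                      /* refuse the store instead of hitting unrelated RAM */

    ((mob_msg_t *)p)->data = msg;
    return 0;
}

/* Read back a MOB payload, for checking the result. */
uint64_t mob_data(unsigned mob)
{
    return mob_ram[mob].data;
}
```

On target hardware the same range check can sit in a debug assertion around the send path, so an uninitialised base register is caught at the first transmission rather than as corruption of an unrelated variable.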
