Trying to understand the mysteries of Core Dump

Posted: Wed May 29, 2024 9:09 am
by sempek34
Before I start the topic, let me give a brief summary of the setup:

I am using esp-idf version 5.2.1 and an ESP32-based board. My project contains a WiFi connection as wifi_sta and creates a socket connection to a remote IP and port in order to exchange data.

Basically I have this core dump, and I am having difficulty figuring out what is causing the crash that results in the core dump.
In the core dump, the backtrace leads me to a line in my code which is an if statement, where the statement compares a defined constant with a constant integer. Other than that I see no useful information in the core dump. Here is my core dump and the line of code which it refers to:

  D (2633) esp_core_dump_elf: ELF ident 7f E L F
  D (2633) esp_core_dump_elf: Ph_num 42 offset 34
  D (2637) esp_core_dump_elf: PHDR type 4 off 574 vaddr 0 paddr 0 filesz 2f80 memsz 2f80 flags 6 align 0
  D (2646) esp_core_dump_elf: PHDR type 1 off 34f4 vaddr 3ffdd840 paddr 3ffdd840 filesz 154 memsz 154 flags 6 align 0
  D (2658) esp_core_dump_elf: PHDR type 1 off 3648 vaddr 3ffdcf30 paddr 3ffdcf30 filesz 8f0 memsz 8f0 flags 6 align 0
  D (2667) esp_core_dump_elf: PHDR type 1 off 3f38 vaddr 3ffde324 paddr 3ffde324 filesz 154 memsz 154 flags 6 align 0
  D (2677) esp_core_dump_elf: PHDR type 1 off 408c vaddr 3fff3030 paddr 3fff3030 filesz 6e0 memsz 6e0 flags 6 align 0
  D (2687) esp_core_dump_elf: PHDR type 1 off 476c vaddr 3ffddd24 paddr 3ffddd24 filesz 154 memsz 154 flags 6 align 0
  D (2697) esp_core_dump_elf: PHDR type 1 off 48c0 vaddr 3ffe8f30 paddr 3ffe8f30 filesz 7a0 memsz 7a0 flags 6 align 0
  D (2707) esp_core_dump_elf: PHDR type 1 off 5060 vaddr 3ffc0cb0 paddr 3ffc0cb0 filesz 154 memsz 154 flags 6 align 0
  D (2717) esp_core_dump_elf: PHDR type 1 off 51b4 vaddr 3ffc0af0 paddr 3ffc0af0 filesz 1a0 memsz 1a0 flags 6 align 0
  D (2727) esp_core_dump_elf: PHDR type 1 off 5354 vaddr 3ffc053c paddr 3ffc053c filesz 154 memsz 154 flags 6 align 0
  D (2738) esp_core_dump_elf: PHDR type 1 off 54a8 vaddr 3ffc0380 paddr 3ffc0380 filesz 1a0 memsz 1a0 flags 6 align 0
  D (2748) esp_core_dump_elf: PHDR type 1 off 5648 vaddr 3ffc9bd0 paddr 3ffc9bd0 filesz 154 memsz 154 flags 6 align 0
  D (2758) esp_core_dump_elf: PHDR type 1 off 579c vaddr 3ffc5180 paddr 3ffc5180 filesz 230 memsz 230 flags 6 align 0
  D (2768) esp_core_dump_elf: PHDR type 1 off 59cc vaddr 3ffdda24 paddr 3ffdda24 filesz 154 memsz 154 flags 6 align 0
  D (2778) esp_core_dump_elf: PHDR type 1 off 5b20 vaddr 3ffe27d0 paddr 3ffe27d0 filesz 610 memsz 610 flags 6 align 0
  D (2788) esp_core_dump_elf: PHDR type 1 off 6130 vaddr 3ffcb350 paddr 3ffcb350 filesz 154 memsz 154 flags 6 align 0
  D (2799) esp_core_dump_elf: PHDR type 1 off 6284 vaddr 3ffc43e0 paddr 3ffc43e0 filesz 1c0 memsz 1c0 flags 6 align 0
  D (2809) esp_core_dump_elf: PHDR type 1 off 6444 vaddr 3ffde624 paddr 3ffde624 filesz 154 memsz 154 flags 6 align 0
  D (2819) esp_core_dump_elf: PHDR type 1 off 6598 vaddr 3fff80a0 paddr 3fff80a0 filesz 690 memsz 690 flags 6 align 0
  D (2829) esp_core_dump_elf: PHDR type 1 off 6c28 vaddr 3ffde1a4 paddr 3ffde1a4 filesz 154 memsz 154 flags 6 align 0
  D (2839) esp_core_dump_elf: PHDR type 1 off 6d7c vaddr 3fff0870 paddr 3fff0870 filesz 690 memsz 690 flags 6 align 0
  D (2849) esp_core_dump_elf: PHDR type 1 off 740c vaddr 3ffddba4 paddr 3ffddba4 filesz 154 memsz 154 flags 6 align 0
  D (2859) esp_core_dump_elf: PHDR type 1 off 7560 vaddr 3ffe6830 paddr 3ffe6830 filesz 690 memsz 690 flags 6 align 0
  D (2870) esp_core_dump_elf: PHDR type 1 off 7bf0 vaddr 3ffde4a4 paddr 3ffde4a4 filesz 154 memsz 154 flags 6 align 0
  D (2880) esp_core_dump_elf: PHDR type 1 off 7d44 vaddr 3fff5890 paddr 3fff5890 filesz 690 memsz 690 flags 6 align 0
  D (2890) esp_core_dump_elf: PHDR type 1 off 83d4 vaddr 3ffde024 paddr 3ffde024 filesz 154 memsz 154 flags 6 align 0
  D (2900) esp_core_dump_elf: PHDR type 1 off 8528 vaddr 3ffee060 paddr 3ffee060 filesz 690 memsz 690 flags 6 align 0
  D (2910) esp_core_dump_elf: PHDR type 1 off 8bb8 vaddr 3ffddea4 paddr 3ffddea4 filesz 154 memsz 154 flags 6 align 0
  D (2920) esp_core_dump_elf: PHDR type 1 off 8d0c vaddr 3ffeb850 paddr 3ffeb850 filesz 690 memsz 690 flags 6 align 0
  D (2931) esp_core_dump_elf: PHDR type 1 off 939c vaddr 3ffd9a90 paddr 3ffd9a90 filesz 154 memsz 154 flags 6 align 0
  D (2941) esp_core_dump_elf: PHDR type 1 off 94f0 vaddr 3ffd9740 paddr 3ffd9740 filesz 330 memsz 330 flags 6 align 0
  D (2951) esp_core_dump_elf: PHDR type 1 off 9820 vaddr 3ffca048 paddr 3ffca048 filesz 154 memsz 154 flags 6 align 0
  D (2961) esp_core_dump_elf: PHDR type 1 off 9974 vaddr 3ffc65a0 paddr 3ffc65a0 filesz 220 memsz 220 flags 6 align 0
  D (2971) esp_core_dump_elf: PHDR type 1 off 9b94 vaddr 3ffafc5c paddr 3ffafc5c filesz 154 memsz 154 flags 6 align 0
  D (2981) esp_core_dump_elf: PHDR type 1 off 9ce8 vaddr 3ffbdd60 paddr 3ffbdd60 filesz 1b0 memsz 1b0 flags 6 align 0
  D (2992) esp_core_dump_elf: PHDR type 1 off 9e98 vaddr 3ffafaf8 paddr 3ffafaf8 filesz 154 memsz 154 flags 6 align 0
  D (3002) esp_core_dump_elf: PHDR type 1 off 9fec vaddr 3ffaf920 paddr 3ffaf920 filesz 1c0 memsz 1c0 flags 6 align 0
  D (3012) esp_core_dump_elf: PHDR type 1 off a1ac vaddr 3ffaf584 paddr 3ffaf584 filesz 154 memsz 154 flags 6 align 0
  D (3022) esp_core_dump_elf: PHDR type 1 off a300 vaddr 3ffaf3b0 paddr 3ffaf3b0 filesz 1c0 memsz 1c0 flags 6 align 0
  D (3032) esp_core_dump_elf: PHDR type 1 off a4c0 vaddr 3ffccd50 paddr 3ffccd50 filesz 154 memsz 154 flags 6 align 0
  D (3042) esp_core_dump_elf: PHDR type 1 off a614 vaddr 3ffc8680 paddr 3ffc8680 filesz 200 memsz 200 flags 6 align 0
  D (3052) esp_core_dump_elf: PHDR type 4 off a814 vaddr 0 paddr 0 filesz 11c memsz 11c flags 6 align 0
  D (3061) esp_core_dump_elf: 72 bytes target note (204A) found in the note section
  D (3069) esp_core_dump_elf: 152 bytes target note (2A5) found in the note section
  D (3076) esp_core_dump_port: Crash TCB 0x3ffde324
  D (3080) esp_core_dump_port: excvaddr 0x10
  D (3084) esp_core_dump_port: exccause 0x1c
  D (3088) esp_core_dump_elf: Core dump version 0x102
  D (3092) esp_core_dump_elf: App ELF SHA2 50869a97d
  D (3097) esp_core_dump_elf: Crashing task Event New Event
  D (3102) esp_core_dump_port: Crashing PC 0x400e0f3f
  0x400e0f3f: ReadArea at D:/Github/KRIO-2S_V5/main/s7.c:323

  D (3107) esp_core_dump_port: A[0] 0x800e1a61
  D (3111) esp_core_dump_port: A[1] 0x3fff30f0
  D (3115) esp_core_dump_port: A[2] 0x0
  D (3118) esp_core_dump_port: A[3] 0x84
  D (3122) esp_core_dump_port: A[4] 0x2
  D (3125) esp_core_dump_port: A[5] 0x1032
  D (3129) esp_core_dump_port: A[6] 0x4
  D (3132) esp_core_dump_port: A[7] 0x4
  D (3135) esp_core_dump_port: A[8] 0x68
  D (3139) esp_core_dump_port: A[9] 0x2
  D (3142) esp_core_dump_port: A[10] 0x1
  D (3146) esp_core_dump_port: A[11] 0xffffffff
  D (3150) esp_core_dump_port: A[12] 0x60e20
  D (3154) esp_core_dump_port: A[13] 0x0
  D (3157) esp_core_dump_port: A[14] 0x0
  D (3161) esp_core_dump_port: A[15] 0x3ffdeeb8
  D (3165) esp_core_dump_port: Crash Backtrace
  D (3169) esp_core_dump_port:  0x400e0f3f
  0x400e0f3f: ReadArea at D:/Github/KRIO-2S_V5/main/s7.c:323

  D (3172) esp_core_dump_port:  0x400e1a5e
  0x400e1a5e: GetDInt_S7 at D:/Github/KRIO-2S_V5/main/s7.c:970

  D (3176) esp_core_dump_port:  0x400eb33b
  0x400eb33b: event_task_get_tag_s7_data at D:/Github/KRIO-2S_V5/main/event_task.c:164

  D (3180) esp_core_dump_port:  0x400ecc27
  0x400ecc27: event_task at D:/Github/KRIO-2S_V5/main/event_task.c:1171

  D (3183) esp_core_dump_port:  0x4008b7a1
  0x4008b7a1: vPortTaskWrapper at D:/Espressif_5_2_1/frameworks/esp-idf-v5.2.1/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:134

  E (3181) CORE_DUMP: [backtrace]: Backtrace: 0x400E0F3F 0x400E1A5E 0x400EB33B 0x400ECC27 0x4008B7A1
  0x400e0f3f: ReadArea at D:/Github/KRIO-2S_V5/main/s7.c:323
  0x400e1a5e: GetDInt_S7 at D:/Github/KRIO-2S_V5/main/s7.c:970
  0x400eb33b: event_task_get_tag_s7_data at D:/Github/KRIO-2S_V5/main/event_task.c:164
  0x400ecc27: event_task at D:/Github/KRIO-2S_V5/main/event_task.c:1171
  0x4008b7a1: vPortTaskWrapper at D:/Espressif_5_2_1/frameworks/esp-idf-v5.2.1/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:134

The line referred to as "0x400e0f3f: ReadArea at D:/Github/KRIO-2S_V5/main/s7.c:323" is as follows:

  if (WordLen == S7WLBit)

WordLen is a function parameter of type int and S7WLBit is #defined with the value 0x01. The function is called at "0x400e1a5e: GetDInt_S7 at D:/Github/KRIO-2S_V5/main/s7.c:970" with WordLen as a #defined value of 0x02. So basically my core dump leads me to the following code:

  if ( 0x02 == 0x01)

And boom! I have a crash :)

I am trying to get better information about this crash by looking at the core dump, but I cannot tell more.

Any help on this topic?
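As an added example (not code from the post or from ESP-IDF), a small C triage helper that pulls excvaddr, exccause and the crashing PC out of esp_core_dump_port lines like the ones above and applies the usual reading of an Xtensa exccause 0x1c (LoadProhibited) at a tiny faulting address. The three sample lines are copied from the dump above; whether offset 0x10 corresponds to a particular member of the poster's struct is not shown on the page, so the helper only reports the offset.

```c
#include <stdio.h>
#include <string.h>
/* Xtensa exception cause codes that appear as "exccause" in ESP32 core dumps. */
#define EXCCAUSE_LOAD_PROHIBITED  0x1c   /* load from an unmapped/protected address */
#define EXCCAUSE_STORE_PROHIBITED 0x1d   /* store to an unmapped/protected address */

typedef struct {
    unsigned excvaddr, exccause, pc;
    int have_vaddr, have_cause, have_pc;
} crash_info_t;
/* Pull the three fields that matter most out of one esp_core_dump_port log line. */
static void parse_line(const char *line, crash_info_t *ci) {
    const char *p;
    if ((p = strstr(line, "excvaddr 0x")) != NULL)
        ci->have_vaddr = (sscanf(p + 9, "%x", &ci->excvaddr) == 1);
    else if ((p = strstr(line, "exccause 0x")) != NULL)
        ci->have_cause = (sscanf(p + 9, "%x", &ci->exccause) == 1);
    else if ((p = strstr(line, "Crashing PC 0x")) != NULL)
        ci->have_pc = (sscanf(p + 12, "%x", &ci->pc) == 1);
}

static void triage_lines(const char *const lines[], size_t n, crash_info_t *ci) {
    memset(ci, 0, sizeof *ci);
    for (size_t i = 0; i < n; i++) parse_line(lines[i], ci);
}

/* Reading rule: a Load/StoreProhibited at a tiny address is almost always NULL plus the
 * offset of the member being accessed, so excvaddr names the member, not the if-test. */
static const char *classify(const crash_info_t *ci) {
    if (!ci->have_cause) return "no exccause in dump";
    if (ci->exccause != EXCCAUSE_LOAD_PROHIBITED &&
        ci->exccause != EXCCAUSE_STORE_PROHIBITED) return "not a memory-protection fault";
    if (ci->have_vaddr && ci->excvaddr < 0x1000) return "NULL pointer dereference";
    return "wild or freed pointer";
}

/* Constructed sample: the three relevant lines copied from the dump above. */
static const char *const sample_dump[] = {
    "D (3080) esp_core_dump_port: excvaddr 0x10",
    "D (3084) esp_core_dump_port: exccause 0x1c",
    "D (3102) esp_core_dump_port: Crashing PC 0x400e0f3f",
};
static const size_t sample_dump_len = sizeof sample_dump / sizeof sample_dump[0];

int main(void) {
    crash_info_t ci;
    triage_lines(sample_dump, sample_dump_len, &ci);
    printf("PC 0x%08x cause 0x%02x vaddr 0x%08x -> %s\n", ci.pc, ci.exccause, ci.excvaddr, classify(&ci));
    return 0;
}
```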

Re: Trying to understand the mysteries of Core Dump

Posted: Thu May 30, 2024 9:24 am
by ESP_Sprite
Hard to say without the sources; in general it could be that your C code gets optimized in such a way that bits of the preceding or following lines are merged with that statement.

Re: Trying to understand the mysteries of Core Dump

Posted: Thu May 30, 2024 1:09 pm
by sempek34
Thanks for the reply!

For further clarification, here are the following and previous lines of the line referenced in the core dump.

      if ((Area == S7AreaCT) || (Area == S7AreaTM))
          WordSize = 2;

      if (WordLen == S7WLBit)
          Amount = 1;

      MaxElements = (info->PDUlen - 25) / WordSize;

I hope that brings some color to the picture.

Re: Trying to understand the mysteries of Core Dump

Posted: Fri May 31, 2024 2:08 am
by ESP_Sprite
Any chance that `info` is a null pointer or something? You can probably try loading the coredump into gdb, that might allow you to print its value.

Re: Trying to understand the mysteries of Core Dump

Posted: Fri May 31, 2024 12:09 pm
by sempek34
"info" is a pointer which, in the program, is used by multiple tasks and is thread safe as it is used with a mutex. When the count of tasks which are using "info" is zero, then another routine frees that pointer, which also waits for the mutex indefinitely before freeing.

In this sense I've double checked the possibilities for sharing a common resource among tasks and its free routine, and everything seems correct.

About the second recommendation to load the core dump into gdb, can you expand on this subject? I am not sure what is referred to as gdb at this point.

Re: Trying to understand the mysteries of Core Dump

Posted: Sat Jun 01, 2024 1:52 am
by ESP_Sprite
Note that 'info' doesn't need to be explicitly set to NULL in order for it to be NULL. E.g. something like a buffer overflow or a use-after-free could also have overwritten the memory where that pointer is stored.

Not sure what IDE you're using, but from the command line you could try this. You should be able to do a 'p info' to get the value of that pointer.

Re: Trying to understand the mysteries of Core Dump

Posted: Fri Jun 07, 2024 7:40 am
by sempek34
After some deep code review I found out the problem was the pointer info being nulled during a socket close operation.

I have an endpoint struct which holds the socket and the info pointer, and my socket routine basically closes the socket and frees info when it detects a socket operation error. Hence I found this out by testing multiple threads sharing the same socket, as they had a synchronization issue while raising the socket error, resulting in closing a socket in use by another thread.

Thanks for the replies :)
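One way to close the race described in the last post, as an added example that is not the poster's code: the endpoint carries a reference count, the socket-error path only marks the endpoint as closing and drops the owner's reference, and info is freed by whichever task releases last, so a task still inside ReadArea keeps a valid pointer. endpoint_t, s7_info_t, the single PDUlen member and the g_info_frees counter are assumptions; the real firmware would use its mutex or FreeRTOS primitives where this uses C11 atomics.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>
/* Hypothetical stand-in for the protocol state the post calls "info". */
typedef struct { int PDUlen; } s7_info_t;

typedef struct {
    int sock;              /* -1 once the socket routine has closed it */
    s7_info_t *info;
    atomic_int refs;       /* owner's reference + one per task currently using info */
    atomic_bool closing;   /* set before anything else so no new task can acquire */
} endpoint_t;
static int g_info_frees;   /* test hook: counts real frees of info */
void endpoint_release(endpoint_t *ep);

endpoint_t *endpoint_create(int sock, int pdulen) {
    endpoint_t *ep = calloc(1, sizeof *ep);
    ep->info = calloc(1, sizeof *ep->info);
    ep->info->PDUlen = pdulen;
    ep->sock = sock;
    atomic_init(&ep->refs, 1);   /* the owner's reference, dropped by endpoint_close() */
    atomic_init(&ep->closing, false);
    return ep;
}

/* Task side: take a reference first, then check closing, so a close that races
 * with us either sees our reference or we see its flag; never a freed info. */
s7_info_t *endpoint_acquire(endpoint_t *ep) {
    atomic_fetch_add(&ep->refs, 1);
    if (atomic_load(&ep->closing)) { endpoint_release(ep); return NULL; }
    return ep->info;
}

/* Whoever drops the last reference frees; the socket routine never frees directly. */
void endpoint_release(endpoint_t *ep) {
    if (atomic_fetch_sub(&ep->refs, 1) == 1) {
        free(ep->info);
        g_info_frees++;
        free(ep);
    }
}

/* Socket-error path: refuse new users, close the fd, drop only the owner's reference.
 * A task already holding info keeps a valid pointer until its own endpoint_release(). */
void endpoint_close(endpoint_t *ep) {
    atomic_store(&ep->closing, true);
    if (ep->sock >= 0) { close(ep->sock); ep->sock = -1; }
    endpoint_release(ep);
}
```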