Electronic – Stack error when jumping from bootloader to application

armbootloadercregistertexas instruments

I have been trying to jump from my bootloader to an application for a while now but I can not figure out what is going wrong. I am hoping someone here might be able to help me.
I am using Texas Instrument's CC2652 and Texas Instrument's Code Composer Studio to develop and flash the bootloader. The code below is the code I use to jump to the application.

void startApp(uint32_t prgEntry) {
    static uint32_t temp;
    temp = prgEntry;
    // Reset the stack pointer,
    temp +=4;
    asm(" LDR SP, [R0, #0x0] ");
    ((void (*)(void))(*((uint32_t*)temp)))();
}

When I run this code I will end up in the FaultISR. Here I can use the debugger to look at the registers. In the CFSR (Configurable Fault Status Register) I can see that the STKERR and the IBUSERR bits are set.

prgEntry Is 0x2E000 in this case. I defined this address as the start of the application in the linker command files of both the bootloader and the application as well. I copied the command files further below.

The application I am trying to jump to is first uploaded to the device in intel hex format and looks like this https://pastebin.com/DAerFkXr. Texas Instruments has a Flash Programmer application for Windows with which I can read a range of addresses from the internal flash of the device. I went through the intel hex file by hand and compared it to what I saw in the Flash Programmer application and I believe everything is put in the correct location. I posted a screenshot of the output of the Flash Programmer below the command files.

When I flash the application to the device using Code Composer Studio without my bootloader I can see that the application runs normally so I know it is not a problem with the application.

Application command file:

--stack_size=1024   /* C stack is also used for ISR stack */

--heap_size=256

/* Retain interrupt vector table variable                                    */
--retain=g_pfnVectors
/* Override default entry point.                                             */
--entry_point resetISR
/* Allow main() to take args                                                 */
--args 0x8
/* Suppress warnings and errors:                                             */
/* - 10063: Warning about entry point not being _c_int00                     */
/* - 16011, 16012: 8-byte alignment errors. Observed when linking in object  */
/*   files compiled using Keil (ARM compiler)                                */
--diag_suppress=10063,16011,16012

#define BOOT_BASE               0x0
#define BOOT_SIZE               0x8000
#define FLASH_BASE              0x2E000
#define FLASH_SIZE              0x2A000
#define RAM_BASE                0x20000000
#define RAM_SIZE                0x14000
#define GPRAM_BASE              0x11000000
#define GPRAM_SIZE              0x2000


/* System memory map */

MEMORY
{
    /* Application stored in and executes from internal flash */
    FLASH (RX) : origin = FLASH_BASE, length = FLASH_SIZE
    /* Application uses internal RAM for data */
    SRAM (RWX) : origin = RAM_BASE, length = RAM_SIZE
    /* Application can use GPRAM region as RAM if cache is disabled in the CCFG
    (DEFAULT_CCFG_SIZE_AND_DIS_FLAGS.SET_CCFG_SIZE_AND_DIS_FLAGS_DIS_GPRAM = 0) */
    GPRAM (RWX): origin = GPRAM_BASE, length = GPRAM_SIZE
}

/* Section allocation in memory */

SECTIONS
{
    .intvecs        :   > FLASH_BASE
    .text           :   > FLASH
    .TI.ramfunc     : {} load=FLASH, run=SRAM, table(BINIT)
    .const          :   > FLASH
    .constdata      :   > FLASH
    .rodata         :   > FLASH
    .binit          :   > FLASH
    .cinit          :   > FLASH
    .pinit          :   > FLASH
    .init_array     :   > FLASH
    .emb_text       :   > FLASH
    .ccfg           :   > FLASH (HIGH)

    .vtable         :   > SRAM
    .vtable_ram     :   > SRAM
     vtable_ram     :   > SRAM
    .data           :   > SRAM
    .bss            :   > SRAM
    .sysmem         :   > SRAM
    .stack          :   > SRAM (HIGH)
    .nonretenvar    :   > SRAM

    .gpram          :   > GPRAM
}

Bootloader command file:

--stack_size=1024   /* C stack is also used for ISR stack */

--heap_size=256

/* Retain interrupt vector table variable                                    */
--retain=g_pfnVectors
/* Override default entry point.                                             */
--entry_point resetISR
/* Allow main() to take args                                                 */
--args 0x8
/* Suppress warnings and errors:                                             */
/* - 10063: Warning about entry point not being _c_int00                     */
/* - 16011, 16012: 8-byte alignment errors. Observed when linking in object  */
/*   files compiled using Keil (ARM compiler)                                */
--diag_suppress=10063,16011,16012

#define BOOT_BASE               0x0
#define BOOT_SIZE               0x8000
#define FLASH_BASE              0x2E000
#define FLASH_SIZE              0x2A000
#define RAM_BASE                0x20000000
#define RAM_SIZE                0x14000
#define GPRAM_BASE              0x11000000
#define GPRAM_SIZE              0x2000


/* System memory map */

MEMORY
{
    /* The bootloader will be stored and executed from this location in internal flash */
    BOOT (RX)  : origin = BOOT_BASE, length = BOOT_SIZE
    /* Application stored in and executes from internal flash */
    FLASH (RX) : origin = FLASH_BASE, length = FLASH_SIZE
    /* Application uses internal RAM for data */
    SRAM (RWX) : origin = RAM_BASE, length = RAM_SIZE
    /* Application can use GPRAM region as RAM if cache is disabled in the CCFG
    (DEFAULT_CCFG_SIZE_AND_DIS_FLAGS.SET_CCFG_SIZE_AND_DIS_FLAGS_DIS_GPRAM = 0) */
    GPRAM (RWX): origin = GPRAM_BASE, length = GPRAM_SIZE
}


/* Section allocation in memory */

SECTIONS
{
    .intvecs        :   > BOOT_BASE
    .text           :   > BOOT
    .TI.ramfunc     : {} load=BOOT, run=SRAM, table(BINIT)
    .const          :   > BOOT
    .constdata      :   > BOOT
    .rodata         :   > BOOT
    .binit          :   > BOOT
    .cinit          :   > BOOT
    .pinit          :   > BOOT
    .init_array     :   > BOOT
    .emb_text       :   > BOOT
    .ccfg           :   > BOOT (HIGH)

    .vtable         :   > SRAM
    .vtable_ram     :   > SRAM
     vtable_ram     :   > SRAM
    .data           :   > SRAM
    .bss            :   > SRAM
    .sysmem         :   > SRAM
    .stack          :   > SRAM (HIGH)
    .nonretenvar    :   > SRAM

    .gpram          :   > GPRAM
}

Screenshot from Flash Programmer:

Description of STKERR:
Stacking from exception has caused one or more bus faults. The SP is still adjusted and the values in the context area on the stack might be incorrect. BFAR is not written.

Description of IBUSERR:
Instruction bus error flag. This flag is set by a prefetch error. The fault stops on the instruction, so if the error occurs under a branch shadow, no fault occurs. BFAR is not written.

Edit:
This is the disassembly of the startApp function:

void startApp(uint32_t prgEntry) {
startApp():
    push       {r3, r14}
    str        r0, [r13]
temp = prgEntry;
    ldr        r1, [pc, #0x18]
    ldr        r0, [r13]
    str        r0, [r1]
temp +=4;
    ldr        r1, [pc, #0x14]
    ldr        r0, [r1]
    adds       r0, r0, #4
    str        r0, [r1]
asm(" LDR SP, [R0, #0x0] ");
    ldr.w      r13, [r0]
((void (*)(void))(*((uint32_t*)temp)))();
    ldr        r0, [pc, #8]
    ldr        r0, [r0]
    ldr        r0, [r0]
    blx        r0
}

Best Answer

I think you should single-step through this code to see what is in R0 just before the LDR SP, [R0]. Remember that the value in R0 is interpreted as an address, and the instruction fetches whatever is at that address and shoves it into the stack pointer.

It appears to me that your code is taking the value 0x0002E004 and using it as an address. Whatever value is stored at 0x0002E004 is then stored in the stack pointer. Is that what you intended?

Depending on endianess, it looks like the SP gets 0x1F1F1F00 or 0x001F1F1F.

Related Solutions

Electronic – AVR simple bootloader – how to call application code

You are misunderstanding the function of the assembler command.

If you program a "GOTO" in C, the jmp assembler command comes out. It is just what it says on the tin: Jump. It tells the compiler nothing about code location.

Nowhere in your code do you specify what code goes where, as such the compiler just decides for you that you want the code to go where it thinks is best. Which most likely is the start of non-vector non-boot space.

I think you'd be well off going to: http://www.avrfreaks.net/

And searching for "[TUT] Bootloader" and see if there's a tutorial that pops up that fits your general way of thinking. It'll take you at least a good half day, but you will learn most you need to know about it.

Edit:

I forgot to point out that your code also doesn't stop at a predictable point. These days often the compiler helps out in the assumption you mean to stop at the end of main(), but it's "good manners" to include a while(1){}; at the end, where you want the code to halt. That way you are in absolute control of what happens and you are absolutely sure your code doesn't just run on into empty flash.

Electronic – bootloader application on arm controller

The way we do it in one of our products is like this (code is based on IAR compiler, so pragmas might differ for you):

We defined a structure which contains important information of the application part (which is called mainpart in our projects):

#pragma pack(push,1)
    struct softwareRevision_t {
        uint8_t VersionSystem;
        uint8_t VersionFunction;
        uint8_t VersionError;
        uint8_t VersionCustomer;
        uint8_t BuildNumber;
    };
#pragma pack(pop)

#pragma pack(push,1)
    struct mainInfoStruct_t {
        softwareRevision_t softwareRevision;
        uint32_t startFunctionAddress;
        uint8_t reserve[27];
        uint32_t bootControl;
    };
#pragma pack(pop)

This contains among other things the uint32_t startFunctionAddress. Now for this structure to be useful, you have to do several things:

Initialize it with meaningful values in the application
Make it const so it can be placed in flash
Tell the linker to place the structure always on the exact same location every time you compile your project
share the location and structure between application and boot part

In the application part:

To share the location, we created a header-file which is included in both parts with a simple define:

#define MAIN_INFO_MEMORY_POSITION (0x0807FFD4)

In a .cpp file of our application we create an instance of the structure which is placed accordingly:

#pragma location = MAIN_INFO_MEMORY_POSITION
extern __root const mainInfoStruct_t mainInfoStruct =
{
    {
            1U,     // mainInfo.softwareRevision.VersionSystem
            0U,     // mainInfo.softwareRevision.VersionFunction
            0U,     // mainInfo.softwareRevision.VersionError
            0U,     // mainInfo.softwareRevision.VersionCustomer
            0U      // mainInfo.softwareRevision.BuildNumber
    },

    reinterpret_cast<uint32_t>((&_start)),  // mainInfo.startFunctionAddress
    {0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U,0U},     // reserve

    0xF0F0FFFFU     // mainInfo.bootControl
};

Several things happen here: #pragma location = MAIN_INFO_MEMORY_POSITION tells the linker where to place the next structure.

The __root tells our linker that this symbol must be kept, even if it is not referenced by the application code (which it isn't). It has to be const otherwise it would not get placed in flash (if it doesn't end up in flash try adding a static).

So with this we have done everything in the application.

In the boot part:

The boot part needs access to the application part info structure. We wrapped a class around this whole thing, but basically a pointer will be enough:

volatile mainInfoStruct_t* pMainInfo = reinterpret_cast<mainInfoStruct_t*>(MAIN_INFO_MEMORY_POSITION);

We use volatile here to make sure, that the compiler will not optimize the access to the flash away. With this you can now jump into the application code with an ugly cast:

(reinterpret_cast<void (*)(void)>(pMainInfo->startFunctionAddress))();

Notes:

In our application we do a CRC check over the whole application part which includes the mainInfoStruct, so we don't jump into nirvana is something went wrong with the update.

The first thing we do in our application is to set the stackpointer to the value it is expected to start with (you can get that from the linker configuration file or your interrupt vector table). Otherwise you might end up with a stack overflow and corrupting your other data.

This is not a minimal example, but might give some hint on what might be useful in a shared structure as well.

We use C++, sorry for the reinterpret_casts.

Best Answer

Related Solutions

Electronic – AVR simple bootloader – how to call application code

Electronic – bootloader application on arm controller

Related Topic