Re: Heap corruption diagnostics causing heap corruption?.

Posted: Sat Feb 10, 2018 5:14 am
by ESP_Angus
The commit is now in master here:
https://github.com/espressif/esp-idf/co ... d703c13e59

Will be backported to release/v3.0 shortly.
caseymdk wrote: Phew...that seems like a major buffer overrun bug! Was that a serious one or am I misreading/misunderstanding?
I'm not really aware of a non serious type of memory corruption bug...

The thing here is, usually in realloc if you're shrinking the buffer it shrinks in place. Therefore if you find yourself allocating a new buffer and copying to it then you know it's because old_size is the smaller size. This was probably always true when this code was originally written.

Since then, two situations have been added (mentioned in the commit message) in which this may not be true:

1. Comprehensive heap checking mode (we don't shrink buffers in place in this mode, to keep the poisoning code manageable).

2. The feature that you can use heap_caps_realloc() to take a buffer that was in one kind of memory and move it into a different kind of memory, possibly resizing at the same time.

In these cases, a memcpy could happen to the new buffer where size < old_size.

We should have caught this in feature development or testing, but we didn't. Thanks to everyone who persisted in testing and ruling out other sources of corruption.
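The following is an added illustration of the defect Angus describes, not code from ESP-IDF or from anyone in this thread. It models only the "move to a new block" path of a realloc: the old block is copied into a freshly allocated block, and a guard region placed after the new block stands in for whatever the allocator keeps there (the next block's header, poison bytes). The names (simulate_move, copy_len_buggy, copy_len_fixed), the guard size and the guard byte are all constructed for this example. The buggy variant always copies old_size bytes, which is fine while the block grows but overruns the destination when it shrinks; the fixed variant copies min(old_size, new_size).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  16     /* constructed: bytes after the new block we watch */
#define GUARD_BYTE 0xAB   /* constructed pattern, not an ESP-IDF poison value */

/* Copy length as in the faulty code: assumes the block can only have grown. */
size_t copy_len_buggy(size_t old_size, size_t new_size) {
    (void)new_size;
    return old_size;
}

/* Copy length as in the fix: never more than the destination can hold. */
size_t copy_len_fixed(size_t old_size, size_t new_size) {
    return old_size < new_size ? old_size : new_size;
}

/* Model of a realloc that moves a block of old_size bytes into a new block of
 * new_size bytes. A guard region follows the new block; whether it survives
 * tells us whether the copy stayed inside the destination.
 * Returns 1 if the guard is intact, 0 if it was overwritten, -1 on malloc failure. */
int simulate_move(size_t old_size, size_t new_size,
                  size_t (*copy_len)(size_t, size_t)) {
    uint8_t *old_block = malloc(old_size);
    uint8_t *new_block = malloc(new_size + GUARD_LEN);
    if (!old_block || !new_block) {
        free(old_block);
        free(new_block);
        return -1;
    }
    memset(old_block, 0x5A, old_size);                 /* "user data" */
    memset(new_block + new_size, GUARD_BYTE, GUARD_LEN); /* guard after block */

    size_t n = copy_len(old_size, new_size);
    /* Keep the model itself inside its allocation: a real heap has no such
     * clamp, the overrun simply continues into the next block. */
    if (n > new_size + GUARD_LEN)
        n = new_size + GUARD_LEN;
    memcpy(new_block, old_block, n);

    int intact = 1;
    for (size_t i = 0; i < GUARD_LEN; i++) {
        if (new_block[new_size + i] != GUARD_BYTE) {
            intact = 0;
            break;
        }
    }
    free(old_block);
    free(new_block);
    return intact;
}

int main(void) {
    printf("grow   64->128, buggy copy: guard %s\n",
           simulate_move(64, 128, copy_len_buggy) ? "intact" : "CORRUPTED");
    printf("shrink 128->64, buggy copy: guard %s\n",
           simulate_move(128, 64, copy_len_buggy) ? "intact" : "CORRUPTED");
    printf("shrink 128->64, fixed copy: guard %s\n",
           simulate_move(128, 64, copy_len_fixed) ? "intact" : "CORRUPTED");
    return 0;
}
```

The shrink-and-move case is exactly the one the two new features introduced: under normal operation a shrinking realloc never reaches the copy, so the unconditional old_size copy was never exercised and the overrun only appeared once comprehensive heap checking or a cross-capability heap_caps_realloc() forced a move for a smaller block.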

Re: Heap corruption diagnostics causing heap corruption?.

Posted: Sat Feb 10, 2018 6:10 am
by caseymdk
ESP_Angus wrote: I'm not really aware of a non serious type of memory corruption bug...
Good point. Cheers Angus.

Re: Heap corruption diagnostics causing heap corruption?.

Posted: Fri May 17, 2019 8:40 am
by Ritu21
Hi,

I am re-opening this issue as I am going through the same. I really don't know who is the culprit, but in my code I am using cJSON over both TCP and HTTP platforms. After around 400-500 RFID card swipes (this data is sent to HTTP and TCP servers), HTTP starts giving (0x4290) & (0x7f00) errors, after which the device doesn't recover and ends up rebooting. TCP creates a LoadProhibited error as below:

Guru Meditation Error: Core 0 panic'ed (LoadProhibited). Exception was unhandled.
Core 0 register dump:
PC : 0x400013f9 PS : 0x00060630 A0 : 0x800ea2a2 A1 : 0x3ffec3f0
A2 : 0x3ffecad4 A3 : 0x00000000 A4 : 0x000000ff A5 : 0x0000ff00
A6 : 0x00ff0000 A7 : 0xff000000 A8 : 0x00000000 A9 : 0x3ffec390
A10 : 0x3ffecad4 A11 : 0x00000001 A12 : 0x3ffb1df0 A13 : 0x00000010
A14 : 0x00000000 A15 : 0xff000000 SAR : 0x00000016 EXCCAUSE: 0x0000001c
EXCVADDR: 0x00000000 LBEG : 0x400013f9 LEND : 0x4000140d LCOUNT : 0xffffffff

ELF file SHA256: f7c74c8f8c46f47fa0097c00699cca580346f9edde34a68fc9a3ad7daf80e1ff

Backtrace: 0x400013f9:0x3ffec3f0 0x400ea29f:0x3ffec400 0x400d3e09:0x3ffec680 0x4008def5:0x3ffecfb0

Also, enabled comprehensive mode for heap debugging and called the functions below:
heap_caps_check_integrity_all(true);
size_t freeheap1 = xPortGetFreeHeapSize();
printf("xPortGetFreeHeapSize = %u bytes\n", (unsigned)freeheap1);
Free heap size kept decreasing after every HTTP and TCP call.

I am deleting and freeing cJSON objects and char * after every call.

Wi-Fi also starts having issues, trying to reconnect.

Could you please suggest how to resolve this issue?

Waiting for your response.

Thanks
Ritu.

Re: Heap corruption diagnostics causing heap corruption?.

Posted: Tue Feb 23, 2021 2:51 pm
by barmer
I got an error and it is similar to the one described here. How can you solve the problem?

CORRUPT HEAP: Bad head at 0x3ffd631c. Expected 0xabba1234 got 0x00000000
assertion "head != NULL" failed: file "/home/runner/work/esp32-arduino-lib-builder/esp32-arduino-lib-builder/esp-idf/components/heap/multi_heap_poisoning.c", line 214, function: multi_heap_free
abort() was called at PC 0x40116f73 on core 1

Backtrace: 0x4008c8c0:0x3ffd5e70 0x4008caf1:0x3ffd5e90 0x40116f73:0x3ffd5eb0 0x4008c535:0x3ffd5ee0 0x40084f9e:0x3ffd5f00 0x400853a5:0x3ffd5f20 0x4000bec7:0x3ffd5f40
0x4014f019:0x3ffd5f60 0x400d62ad:0x3ffd5f80 0x400d820b:0x3ffd5fa0 0x400d8a89:0x3ffd5fc0 0x400daedd:0x3ffd5fe0 0x400d6423:0x3ffd6000 0x400d642f:0x3ffd6020 0x4016b302:0x3ffd6040 0x4016b436:0x3ffd6070 0x4016b44c:0x3ffd6090 0x4016b70e:0x3ffd60b0 0x40089009:0x3ffd60e0

Re: Heap corruption diagnostics causing heap corruption?.

Posted: Wed Feb 24, 2021 2:17 am
by ESP_Sprite
That is not relevant to this discussion. Suggest you start your own topic. In general, it's most likely that you're writing past the boundaries of some array or structure.