Safety Stack Checking

To ensure correct operation of the controller, the stack is continuously monitored. For this, the Safety Controller checks the stack in each run. These checks include:

  1. Checking of used stack space and limit to end of stack

  2. Checking a protection area between heap and stack for memory corruption

Any detected error will set the ERR_FLAG_STACK error flag.

Stack Pointer Checking

The stack pointer is checked using stack_check_get_free(). The returned value for the remaining stack space is checked against

SAFETY_MIN_STACK_FREE 0x100

Minimum number of bytes that have to be free on the stack. If this is not the case, an error is detected.

int32_t stack_check_get_free()

Get free stack space.

Return

free stack space in bytes. If negative, a stack overflow has occurred.

Stack and Heap Corruption Checking

A section of memory is located between the stack and the heap. It is defined inside the linker script. Its size is configured by the linker script parameter __stack_corruption_area_size, which is set to 128 by default. This section is filled at the initialization of the safety controller by a call to

int stack_check_init_corruption_detect_area(void)

Init the stack corruption detection area.

This function initializes the memory area between heap and stack with random values generated by the STM's random number generator. A 32-bit CRC generated by the CRC unit of the STM is appended for verification of the area.

Return

0 if successful, otherwise an error has occurred while generating a random number. This should never happen.

Note

This function turns on the CRC unit but does not disable it afterwards. Therefore, the CRC unit does not have to be explicitly initialized before calling stack_check_corruption_detect_area.

On each run of the safety controller’s handling function (safety_controller_handle()) the following function is called:

int stack_check_corruption_detect_area(void)

Check the CRC of the stack corruption detection area.

This function checks the stack corruption detection area, which must be initialized by stack_check_init_corruption_detect_area beforehand.

The CRC unit must be enabled for this function to work properly. After calling stack_check_init_corruption_detect_area, this is the case.

Return

0 if no error is detected; any other value indicates an error.

Note

Make sure the CRC unit is enabled.

This function checks the memory area for write modifications and therefore detects whether the stack or heap has grown outside its boundaries. This canary approach does not, however, guarantee full protection against heap or stack overflows: a write that lands beyond the guard area, or one that happens between two checks and is undone, is not detected.
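The following is an added software model of the init/check pair described above, not the project's implementation: the hardware RNG and CRC unit are replaced by rand() and a bitwise CRC-32 (IEEE polynomial, an assumption), the 128-byte area is a plain static buffer instead of a linker-script section, and corrupt_area_at() is a hypothetical helper that plays the role of an overflowing stack or heap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the linker-script guard section (default 128 bytes),
 * followed by 4 bytes holding the appended 32-bit CRC. */
#define CORRUPTION_AREA_SIZE 128u
static uint8_t corruption_area[CORRUPTION_AREA_SIZE + 4u];

/* Bitwise CRC-32 standing in for the STM CRC unit; polynomial is an assumption. */
static uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Hypothetical hook standing in for the hardware RNG; 0 on success. */
static int rng_get(uint32_t *out)
{
    *out = (uint32_t)rand() ^ ((uint32_t)rand() << 16);
    return 0;
}

/* Fill the guard area with random words and append the CRC over it. */
int stack_check_init_corruption_detect_area(void)
{
    for (size_t i = 0; i < CORRUPTION_AREA_SIZE; i += 4u) {
        uint32_t r;
        if (rng_get(&r) != 0)
            return -1;                      /* RNG failure: report error */
        memcpy(&corruption_area[i], &r, 4u);
    }
    uint32_t crc = crc32(corruption_area, CORRUPTION_AREA_SIZE);
    memcpy(&corruption_area[CORRUPTION_AREA_SIZE], &crc, 4u);
    return 0;
}

/* Recompute the CRC and compare with the stored one; 0 means intact. */
int stack_check_corruption_detect_area(void)
{
    uint32_t stored;
    memcpy(&stored, &corruption_area[CORRUPTION_AREA_SIZE], 4u);
    return (crc32(corruption_area, CORRUPTION_AREA_SIZE) == stored) ? 0 : 1;
}

/* Test helper: emulate an overflow flipping one byte of the guard area. */
void corrupt_area_at(size_t offset) { corruption_area[offset] ^= 0xFFu; }
```

A flipped byte inside the random payload or inside the stored CRC itself is detected on the next check; re-running the init routine re-arms the area.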