How unwind ARM Cortex M3 stack

Question

The ARM Coretex STM32's HardFault_Handler can only get several registers values, r0, r1,r2, r3, lr, pc, xPSR, when crash happened. But there is no FP and SP in the stack. Thus I could not unwind the stack. Is there any solution for this? Thanks a lot.

[update]
Following a web instruction to let ARMGCC(Keil uvision IDE) generate FP by adding a compiling option "--use_frame_pointer", but I could not find the FP in the stack. I am a real newbie here. Below is my demo code:

int test2(int i, int j)
{
    return i/j;
}

int main()
{
    SCB->CCR |= 0x10;
    int a = 10;
    int b = 0;
    int c;
    c = test2(a,b);
}

enum { r0 = 0, r1, r2, r3, r11, r12, lr, pc, psr};
void Hard_Fault_Handler(uint32_t *faultStackAddress)
{
    uint32_t r0_val = faultStackAddress[r0]; 
    uint32_t r1_val = faultStackAddress[r1];
    uint32_t r2_val = faultStackAddress[r2]; 
    uint32_t r3_val = faultStackAddress[r3];
    uint32_t r12_val = faultStackAddress[r12]; 
    uint32_t r11_val = faultStackAddress[r11]; 
    uint32_t lr_val =  faultStackAddress[lr];
    uint32_t pc_val =  faultStackAddress[pc];
    uint32_t psr_val = faultStackAddress[psr];
}

I have two questions here:
1. I am not sure where the index of FP(r11) in the stack, or whether it is pushed into stack or not. I assume it is before r12, because I compared the assemble source before and after adding the option "--use_frame_pointer". I also compared the values read from Hard_Fault_Handler, seems like r11 is not in the stack. Because r11 address I read points to a place where the code is not my code. [update] I have confirmed that FP is pushed into the stack. The second question still needs to be answered.

See below snippet code:

Without the option "--use_frame_pointer"

test2 PROC
        MOVS     r0,#3
        BX       lr
        ENDP

main PROC
        PUSH     {lr}
        MOVS     r0,#0
        BL       test2
        MOVS     r0,#0
        POP      {pc}
        ENDP

with the option "--use_frame_pointer"

test2 PROC
        PUSH     {r11,lr}
        ADD      r11,sp,#4
        MOVS     r0,#3
        MOV      sp,r11
        SUB      sp,sp,#4
        POP      {r11,pc}
        ENDP

main PROC
        PUSH     {r11,lr}
        ADD      r11,sp,#4
        MOVS     r0,#0
        BL       test2
        MOVS     r0,#0
        MOV      sp,r11
        SUB      sp,sp,#4
        POP      {r11,pc}
        ENDP

2. Seems like FP is not in the input parameter faultStackAddress of Hard_Fault_Handler(), where can I get the caller's FP to unwind the stack?
[update again] Now I understood the last FP(r11) is not stored in the stack. All I need to do is to read the value of r11 register, then I can unwind the whole stack.
So now my final question is how to read it using inline assembler of C. I tried below code, but failed to read the correct value from r11 following the reference of http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0472f/Cihfhjhg.html

volatile int top_fp;
__asm
{
    mov top_fp, r11
}

r11's value is 0x20009DCC top_fp's value is 0x00000004

[update 3] Below is my whole code.

int test5(int i, int j, int k)
{
    char a[128] = {0} ;
    a[0] = 'a';
    return i/j;
}
int test2(int i, int j)
{
    char a[18] = {0} ;
    a[0] = 'a';
    return test5(i, j, 0);    
}


int main()
{
    SCB->CCR |= 0x10;
    int a = 10;
    int b = 0;
    int c;
    c = test2(a,b); //create a divide by zero crash
}

/* The fault handler implementation calls a function called Hard_Fault_Handler(). */

#if defined(__CC_ARM)
__asm void HardFault_Handler(void)
{
   TST lr, #4
   ITE EQ
   MRSEQ r0, MSP
   MRSNE r0, PSP
   B __cpp(Hard_Fault_Handler)
}
#else
void HardFault_Handler(void)
{
   __asm("TST lr, #4");
   __asm("ITE EQ");
   __asm("MRSEQ r0, MSP");
   __asm("MRSNE r0, PSP");
   __asm("B Hard_Fault_Handler");
}
#endif

void Hard_Fault_Handler(uint32_t *faultStackAddress)
{
   volatile int top_fp;
   __asm
   {
       mov top_fp, r11
   }
   //TODO: use top_fp to unwind the whole stack.

 }

[update 4] Finally, I made it out. My solution:
Note: To access r11, we have to use embedded assembler, see here, which costs me much time to figure it out.

//we have to use embedded assembler.     
__asm int getRegisterR11()
{
    mov r0,r11
    BX LR
}

//call it from Hard_Fault_Handler function.
/*
Function call stack frame:
   FP1(r11) ->    | lr |(High Address)
                  | FP2|(prev FP)
                  | ...| 
Current FP(r11) ->| lr |
                  | FP1|(prev FP)
                  | ...|(Low Address)

    With FP, we can access lr(link register) which is the address to return when the current functions returns(where you were).
    Then (current FP - 1) points to prev FP.
    Thus we can unwind the stack.
*/
void unwindBacktrace(uint32_t topFp, uint16_t* backtrace)
{
    uint32_t nextFp = topFp;
    int j = 0;

    //#define BACK_TRACE_DEPTH 5
    //loop backtrace using FP(r11), save lr into an uint16_t array.
    for(int i = 0; i < BACK_TRACE_DEPTH; i++)
    {
        uint32_t lr = *((uint32_t*)nextFp);
        if ((lr >= 0x08000000) && (lr <= 0x08FFFFFF))
        {
            backtrace[j*2] = LOW_16_BITS(lr);
            backtrace[j*2 + 1] = HIGH_16_BITS(lr);
            j += 1;
        }
        nextFp = *((uint32_t*)nextFp - 1);
        if (nextFp == 0)
        {
            break;
        }
    }
}

#if defined(__CC_ARM)
__asm void HardFault_Handler(void)
{
   TST lr, #4
   ITE EQ
   MRSEQ r0, MSP
   MRSNE r0, PSP
   B __cpp(Hard_Fault_Handler)
}
#else
void HardFault_Handler(void)
{
   __asm("TST lr, #4");
   __asm("ITE EQ");
   __asm("MRSEQ r0, MSP");
   __asm("MRSNE r0, PSP");
   __asm("B Hard_Fault_Handler");
}
#endif

void Hard_Fault_Handler(uint32_t *faultStackAddress)
{
       //get back trace
    int topFp = getRegisterR11();

    unwindBacktrace(topFp, persistentData.faultStack.back_trace);
}

mkmk88 · Accepted Answer · 2018-03-06T10:35:41.013

Very primitive method to unwind the stack in such case is to read all stack memory above SP seen at the time of HardFault_Handler and process it using arm-none-eabi-addr2line. All link register entries saved on stack will be transformed into source line (remember that actual code path goes the line before LR points to). Note, if functions in between were called using branch instruction (b) instead of branch and link (bl) you'll not see them using this method.

(I don't have enough reputation points to write comments, so I'm editing my answer):

UPDATE for question 2:

Why do you expect that Hard_Fault_Handler has any arguments? Hard_Fault_Handler is usally a function to which address is stored in vector (exception) table. When the processor exception happens then Hard_Fault_Handler will be executed. There is no arguments passing involved doing this. But still, all registers at the time the fault happens are preserved. Specifically, if you compiled without omit-frame-pointer you can just read value of R11 (or R7 in Thumb-2 mode). However, to be sure that in your code Hard_Fault_Handler is actually a real hard fault handler, look into startup.s code and see if Hard_Fault_Handler is at the third entry in vector table. If there is an other function, it means Hard_Fault_Handler is just called from that function explicitly. See this article for details. You can also read my blog :) There is a chapter about stack which is based on Android example, but a lot of things are the same in general.

Also note, most probably in faultStackAddress should be stored a stack pointer, not a frame pointer.

UPDATE 2

Ok, lets clarify some things. Firstly, please paste the code from which you call Hard_Fault_Handler. Secondly, I guess you call it from within real HardFault exception handler. In that case you cannot expect that R11 will be at faultStackAddress[r11]. You've already mentioned it at the first sentence in your question. There will be only r0-r3, r12, lr, pc and psr.

You've also written:

But there is no FP and SP in the stack. Thus I could not unwind the stack. Is there any solution for this?

The SP is not "in the stack" because you have it already in one of the stack registers (msp or psp). See again THIS ARTICLE. Also, FP is not crucial to unwind stack because you can do it without it (by "navigating" through saved Link Registers). Other thing is that if you dump memory below your SP you can expect FP to be just next to saved LR if you really need it.

Answering your last question: I don't now how you're verifying this code and how you're calling it (you need to paste full code). You can look into assembly of that function and see what's happening under the hood. Other thing you can do is to follow this post as a template.

Thank you @mkmk88 for your comments. I have updated my question, could you take a look at it again? Thanks. — bettermanlu, Dec 03 '15 at 08:43
Thank you again. Now I made some progress on this question. And I have updated my question again. Could you take a look at it again? Thanks a ton. — bettermanlu, Dec 04 '15 at 11:15

How unwind ARM Cortex M3 stack

1 Answers1