I am working with an ESP32-Wrover-DevKit using Eclipse CDT 12.2019, the ESP-IDF framework and FreeRTOS.
I am using a single queue to collect data from multiple tasks (sensor readings). A single queue receiver will output the data through a TCP socket. Since the queue item is rather large, I decided to put only a pointer to queue items, which should be fine according to the FreeRTOS documentation, as long as memory is handled correctly.
This is the data structure I am using for the queue items, note the flexible array at the end of the struct:
typedef struct mb32_packet_t {
uint16_t preamble;
uint8_t system_id;
uint8_t message_id;
uint8_t reserved;
uint16_t checksum;
uint32_t pay_len;
uint8_t payload[];
} __attribute__((packed)) mb32_packet_t;
The queue declaration and definition:
#define MAX_QUEUE_SEND_ITEMS (25)
QueueHandle_t sys_link_send_queue;
sys_link_send_queue = xQueueCreate(MAX_QUEUE_SEND_ITEMS, sizeof(mb32_packet_t*));
Here's a snippet of one of the sensor reading tasks that put items to the queue:
mb32_packet_t *packet;
uint32_t pay_len = 8; // payload: 8 bytes
uint32_t pac_len = sizeof(*packet)+pay_len; // header: 11 bytes
packet = malloc(pac_len);
// ... code to assign header fields
// ... code to assign payload bytes
if(xQueueSend(sys_link_send_queue, &packet, portMAX_DELAY) != pdPASS) {
// release allocated memory in case the queue rejected the item
free(packet);
}
Here's the snippet of the single receiver:
void sys_link_task(void *pvParameters) {
while(1) {
mb32_packet_t* packet;
if(xQueueReceive(sys_link_send_queue, &packet, portMAX_DELAY) == pdPASS) {
// put packet bytes on the TCP stream (blocking mode)
tcp_server_send((uint8_t*)packet, packet->pay_len+11);
// finally release the packet memory
free(packet);
} else {
ESP_LOGE(TAG, "Failed to get message from queue.");
}
}
}
And finally this is the implementation of the tcp_server_send() function:
void tcp_server_send(uint8_t* buffer, size_t size) {
// send() can return less bytes than supplied length. Walk-around for robust implementation.
if(client_sock > 0) {
int to_write = size;
while(to_write > 0) {
int written = send(client_sock, buffer+(size-to_write), to_write, 0);
if(written < 0) {
printf("Failed to send data [w=%d]: %d", written, errno);
break;
}
to_write -= written;
}
}
}
Now with only one sensor task, everything is running fine. As soon as I put a second sensor task in action, I get heap corruption errors sooner or later. Sometimes it runs fine for some seconds, sometimes I immediately get these errors.
The error looks like this:
CORRUPT HEAP: multi_heap.c:288 detected at 0x3ffc75e8
abort() was called at PC 0x4008da2e on core 1
ELF file SHA256: c4fc5b20ae785f9a890274f05fd4fcfcada76b29ea16a9f736ceabbea34086ad
Backtrace: 0x400913e9:0x3ffc95c0 0x40091785:0x3ffc95e0 0x4008da2e:0x3ffc9600 0x4008dda5:0x3ffc9620 0x4008413d:0x3ffc9640 0x4008416d:0x3ffc9660 0x40093a71:0x3ffc9680 0x40094557:0x3ffc96a0 0x400f4946:0x3ffc96c0 0x400f4987:0x3ffc96e0 0x400f4b0d:0x3ffc9700 0x400f4e8e:0x3ffc9720 0x400f4ee5:0x3ffc9770 0x400e2e43:0x3ffc97a0 0x400e2f52:0x3ffc97d0 0x400d3f89:0x3ffc97f0 0x4000bd83:0x3ffc9810 0x4000182a:0x3ffc9830 0x400d5e9c:0x3ffc9850 0x400d608c:0x3ffc9880 0x40093cd1:0x3ffc98b0
CPU halted.
I then ran the xtensa-esp32-elf-gdb and looked-up the symbol at the program counter (PC):
PC 0x4008da2e -> split_if_necessary + 206 in section .iram0.text
Any idea how to solve this issue?
My thoughts:
Do I release the packet memory too early? Although the TCP socket is in blocking state as I understand (default setting). However, if the TCP socket would not be in blocking state, it would probably also not work when using a single sensor task. Therefore I guess I am doing something wrong regarding the queue itself or the memory allocation/deallocation.
I also tried to use
pvPortMalloc()instead ofmalloc()andvPortFree()instead offree(). But no difference, same problems.
