STM32F756 jumps unknown address "BX LR"

MuratUnal · ‎2024-10-17

Hello everyone,

I and my collegue have more than 20 years experience on embedded desing with MCUs. We have a problem which we haven't seen this kind of problem before. I guess someone can help us in here.

MCU: STM32F756
IDE: Project created from cubeMX and toughgfx, coded from IAR

The main problem is our code jumps unknown address. We have custom bootloader, it runs first and jumps application. After it jumps user application, we initialize every peripherals again. We start freeRTOS kernel and toughgfx task. Actually the code runs well but, sometimes it couldn't run after user application starts.

When we dig on it, we saw the code try to jump unknown address which is not on address space. (We get Hard fault or Bus fault or Mem Fault exeption)
Anyway, we decided to remove bootloader and try to user code alone. At that moment the code started to do same thing at same location.
The code starts from Reset_Handler, initializes stack pointer, goes to SystemInit, iar_program_start and jumps main.
You can see the main code below. The code jumps unknown address from inside HAL_Init().

This is the main code starts as simple as possible. Here is the debug pictures:

It jumps to HAL_Init() function and then HAL_TickInit() function.

Then it goes to HAL_NVIC_EanbleIRQ function after system tick timer initialized.

And it goes to NVIC_Enable function.

Finally it reaches NVIC->ISER[(((uint32_t)IRQn) >> 5UL)] = (uint32_t)(1UL << (((uint32_t)IRQn) & 0x1FUL));

At that moment we continue to single step on disassembly window.

We saw everything is ok on CPU Registers

But when we go single step at "BX LR", it jumps unknown address.

Actually there was return address on LR register (0x08032a4d) and we were hopping to jump this address in LR, but it jumps unknown address. At this moment IAR fault exception viewer says "A bus fault occurred on an instruction prefetch (CFSR.IBUSERR, BFAR)...".

MCU voltages are stable, VCAP voltages are stables. PDR_ON pin = 1, BYPASS_REG pin=0. Boot0 pin=0.

We checked it with ST Link and also JLink, same things happened.

Thanks for all for any suggestion.

Epamuk · ‎2024-11-02

Hi I had same problem and I solved it. I highley recommend you review the following document.

https://www.st.com/resource/en/errata_sheet/es0290-stm32f74xxx-and-stm32f75xxx-device-limitations-stmicroelectronics.pdf

Cortex M7 have some limitations. Some of theese have solutions , some doesnt, so You have to find another way to solve problem.

Especially you have to look

CORE -> Cortex-M7 data corruption when using Data cache configured in write-through

FMC

QUADSPI

sections.

Best luck

View solution in original post

Sarra.S · ‎2024-10-17

Hello @MuratUnal,

A first thought is timing issues related to I-Cache and D-Cache, if the caches are not properly invalidated or synchronized, the CPU fetch incorrect instructions

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

Tesla DeLorean · ‎2024-10-17

So likely going to the IRQ Handler, and that's trashing the stack.

Most likely the one you're enabling.

Check stack depth, auto/local variables, context switching if you're doing any of that.

Any subroutine/function that calls something else, pushes LR first, typically in the prologue, and popping PC in the epilogue.

The 0xFFFFFFF9 is a call-gate, lets the fault/handler know which stack to pull return context from.

I prefer to dump as many registers as I can, the stack, and the instruction stream

https://github.com/cturvey/RandomNinjaChef/blob/main/KeilHardFault.c

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..

Epamuk · ‎2024-11-02