november 2011 doc id 2476 rev 2 1/11 AN421 application note stack overflow detection using the st9 timer/watchdog 1 introduction in real time applications, implementation of softw are protection is not always easy, but it is needed to reach a high level of security against software malfunction. this is particularly true for on-board applications in noisy environments, such as automotive, power meter or industrial applications. to help avoid un-contro lled operations an d damage to real time systems due to any possible disturbance of the st9 microcontroller core and i/o ports, a special peripheral acting as a watchdog is available on all st9 family members: the timer/watchdog. the periodic restarting of the timer/watchdog by the application software, associated with the automatic detection of any stack overflow, provide enhanced protection to real time application software. this application note shows how to detect stack overflow by using the timer/watchdog in watchdog mode. www.st.com
contents AN421 2/11 doc id 2476 rev 2 contents 1 introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 stack overflow detectio n principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1 summary of timer/watchdog features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 stack overflow detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3 software description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1 stack initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.2 timer/watchdog programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.3 timer/watchdog restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4 summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5 revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
AN421 list of figures doc id 2476 rev 2 3/11 list of figures figure 1. example of stack overflow detection in register file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 figure 2. system stack initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 figure 3. timer/watchdog initialization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 figure 4. restarting the timer/watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
stack overflow detection principle AN421 4/11 doc id 2476 rev 2 2 stack overflow detection principle 2.1 summary of timer/watchdog features the st9 core includes a 16-bit down counter with an 8-bit prescaler capable of operating in watchdog mode. this timer, driven by a clock at a frequency of intclk divided by 4, is able to provide time periods within the range of 333 ns to 5.59 s (using a 12 mhz internal clock). in watchdog mode, the timer/watchdog generates a fixed time base depending on the timer/watchdog registers and prescaler, and to intclk. this time base can be modified on the fly by changing the prescaler value. the ne w value will be taken into account only after an end of count event. in watchdog mode, the end of count occurrence generates a system reset. in order to prevent the reset, the byte sequence aah, 55h should be written into the timer watchdog register low. once the write of 55h has been performed, the timer reloads the prescaler register and the counting restarts from this value (the prescaler register value may be modified between two end of count events). note: 1 for a better understanding of this application note; please refer to the st9 technical manual chapter on the 16-bit programmable timer/watchdog. 2 intclk: internal clock. this cloc k issued from th e oscillator circuitry, divided or not by 2, is the st9 internal clock driving the peripherals. the maximum frequency allowed for intclk is 12mhz. 2.2 stack overflow detection in many software applications, for exampl e when running on st9 romless versions or without external memory space, the size of the stack is limited. on st9 devices, the system stack may be located in the register file or in data memory space. the st9 stack pointer moves from the top to the bottom of the stack area. a solution to detect stack overflow is to reserve the first two bytes after the bottom of the stack and to store in these locations the timer watchdog restart value, aah, 55h. in the case of stack overflow , the data will be over written and thus destroyed and a system reset will be generated on the ne xt timer watchdog end of count.
AN421 stack overflow detection principle doc id 2476 rev 2 5/11 figure 1. example of stack overflow detection in register file system registers group e group d stack area aah 55h r0 r14 r15 system application register area group 0 register file system stack pointer on current stack location end_sstack: last byte of system stack �-�3�����������6��
software description AN421 6/11 doc id 2476 rev 2 3 software description 3.1 stack initialization the following example initializes the system stack in groups d and c of the register file. in the stack management of the st9, the stack pointer is automatically pre-decremented before the data is stored on the stack. so the expression: sstack = (bke * 16) - 1 defines the first location of the system stack in group d and c within the register file, while the instruction: ld ssplr,#sstack + 1 initializes the system stac k pointer in the system register. the instruction: ldw rr#end_sstack,#0aa55h initializes the first two bytes following the bottom of the system stack with the value used to restart the timer/watc hdog. initialization figure 2. system stack initialization ;*************************************************************** ; stack declaration and end of stack initialisation ; in ram space or register file ;*************************************************************** ; initialisation in register file sstack := (bke * 16) - 1 ; sys.stack add.group lg-sstack := 32 ; sys.stack length end_sstack := (bke * 16) - lg_sstack ; last sys.stack byte ld ssplr,#sstack + 1 ; load sys.stack pointer ldw rr#end_stack - 2,#0aa55h ; init end of stack. ; initialisation in ram space sstack := 2000h ; top of sys.stack end-stack := 1000h ; init end of stack essp = rr0 sdm ldw sspr,#sstack ; select data space ld essp,#end_sstack ; init end of sys.stack ldw -2(essp),#0aa55h
AN421 software description doc id 2476 rev 2 7/11 3.2 timer/watchdog programming as an example, the timer watchdog is initialized in order to provide a time base of 10 ms (with a st9 driven by a clock frequency of 24 mhz internally divided by two). to enable the watchdog mode, the requirement is to initialize timer prescaler and counter, to initialize the timer/watchdog control register with its reset value, and then to enable the watchdog mode by clearing the wdgen bit in the wait control register in page 0. resetting this bit causes the counter to start in watchdog mode regardless of the start/stop, single/continuous and input mode bits. figure 3. timer/watchdog initialization note: 1 a bit (div2 located in the mode register moder, r235 in the system group) controls the divide by two circuit which operates on th e oscin clock driving the st9. the maximum internal clock (intclk) allowabl e for the st9 is 12 mhz. this internal clock drives all the st9 peripherals, while this same clock, optionally slowed down by the st9 core clock programmable prescaler and by wait cycle inse rtion, drives the st9 core. after a reset cycle, the clock frequency applied to the st9 is divided by two and no core clock prescaling is done. 3.3 timer/watchdog restart this example shows how to restart the timer watchdog when the stack is located in register file or in ram space. in th e register file, the two instructions: ld wdtlr,#end_sstack-2 ld wdtlr,#end_sstack-1 load the restart value of timer watchdog. ;*************************************************************** ** ; watchdog initialisation ;*************************************************************** ** proc init_wgt[ppr] { spp #0 ld wdtpr,#0 ; twd prescaler register ld wdtlr,#-30h ; ; twd timer counter low ld wdthr,#075h ; ; twd timer counter high } call init_wgt ; call twd initialisation spp #0 ; ; select page 0 register ld wcr,#00111111b ; ; enable the watchdog ei ; ; enable interrupt
software description AN421 8/11 doc id 2476 rev 2 when the system stack is located in ram s pace, a register essp (end of system stack pointer) must be used to load the sequence aah, 55h in the timer watchdog counter register low. figure 4. restarting the timer/watchdog ; in register file spp #0 ; twd register page ld wdtlr,r#end_sstack-2 ; load aah ld wdtlr,r#end_sstack-1 ; load 55h ; in ram space spp #0 ; twd register page sdm ; select ram space ld essp,#end_sstack ; end stack pointer ld wdtlr,-2(essp) ; load aah ld wdtlr,-1(essp) ; load 55h
AN421 summary doc id 2476 rev 2 9/11 4 summary protection of software against externally generated perturbations can be made by additional test routines. this protection can easily be increased by using the st9 timer/watchdog bringing software reliability and security. with the timer/watchdog the st9 pr ogram can control that the software executing properly. additionally, when restarting the timer watchdog from values (aah, 55h) located at the bottom of the system stack two additional security functions are added: test of the integrity of the register file or the ram space provision of a system reset in the case of stack overflow.
revision history AN421 10/11 doc id 2476 rev 2 5 revision history table 1. document revision history date revision changes 15-dec-1992 1 initial release. 02-nov-2011 2 updated format and company logo.
AN421 doc id 2476 rev 2 11/11 please read carefully: information in this document is provided solely in connection with st products. stmicroelectronics nv and its subsidiaries (?st ?) reserve the right to make changes, corrections, modifications or improvements, to this document, and the products and services described he rein at any time, without notice. all st products are sold pursuant to st?s terms and conditions of sale. purchasers are solely responsible for the choice, selection and use of the st products and services described herein, and st as sumes no liability whatsoever relating to the choice, selection or use of the st products and services described herein. no license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted under this document. i f any part of this document refers to any third party products or services it shall not be deemed a license grant by st for the use of such third party products or services, or any intellectual property contained therein or considered as a warranty covering the use in any manner whatsoev er of such third party products or services or any intellectual property contained therein. unless otherwise set forth in st?s terms and conditions of sale st disclaims any express or implied warranty with respect to the use and/or sale of st products including without limitation implied warranties of merchantability, fitness for a parti cular purpose (and their equivalents under the laws of any jurisdiction), or infringement of any patent, copyright or other intellectual property right. unless expressly approved in writing by two authorized st representatives, st products are not recommended, authorized or warranted for use in milita ry, air craft, space, life saving, or life sustaining applications, nor in products or systems where failure or malfunction may result in personal injury, death, or severe property or environmental damage. st products which are not specified as "automotive grade" may only be used in automotive applications at user?s own risk. resale of st products with provisions different from the statements and/or technical features set forth in this document shall immediately void any warranty granted by st for the st product or service described herein and shall not create or extend in any manner whatsoev er, any liability of st. st and the st logo are trademarks or registered trademarks of st in various countries. information in this document supersedes and replaces all information previously supplied. the st logo is a registered trademark of stmicroelectronics. all other names are the property of their respective owners. ? 2011 stmicroelectronics - all rights reserved stmicroelectronics group of companies australia - belgium - brazil - canada - china - czech republic - finland - france - germany - hong kong - india - israel - ital y - japan - malaysia - malta - morocco - philippines - singapore - spain - sweden - switzerland - united kingdom - united states of america www.st.com
|
