esp-zigbee-sdk: Zigbee stack assertion failed common/zb_bufpool_mult.c:1183 (TZ-729)

Answers checklist.

  • I have read the documentation ESP Zigbee SDK Programming Guide and tried the debugging tips, the issue is not addressed there.
  • I have updated ESP Zigbee libs (esp-zboss-lib and esp-zigbee-lib) to the latest version, with corresponding IDF version, and checked that the issue is present there.
  • I have searched the issue tracker for a similar issue and not found a similar issue.

IDF version.

v5.3-dev-2320-ge4f167df25

esp-zigbee-lib version.

1.2.1

esp-zboss-lib version.

1.2.1

Espressif SoC revision.

ESP32-C6

What is the expected behavior?

Does not crash

What is the actual behavior?

Zigbee stack assertion failed common/zb_bufpool_mult.c:1183

Steps to reproduce.

Unknown

More Information.

  • Source: https://github.com/nomis/candle-dribbler/tree/0.7.2
  • Binary: candle-dribbler.elf.gz
  • Core dump: core-dump-2024-04-02.txt
  • Log: log-2024-04-02.txt (all except the last two switch changes have been omitted)

Zigbee stack assertion failed common/zb_bufpool_mult.c:1183

abort() was called at PC 0x4202dde3 on core 0
Core  0 register dump:
MEPC    : 0x40800774  RA      : 0x40808c2c  SP      : 0x4082d690  GP      : 0x40811690
TP      : 0x4082d890  T0      : 0x37363534  T1      : 0x7271706f  T2      : 0x33323130
S0/FP   : 0x4082d6bc  S1      : 0x4082d6bc  A0      : 0x4082d6c8  A1      : 0x4082d6aa
A2      : 0x00000000  A3      : 0x4082d6f5  A4      : 0x00000001  A5      : 0x4081f000
A6      : 0x00000000  A7      : 0x76757473  S2      : 0x00000098  S3      : 0x0000000d
S4      : 0x00000008  S5      : 0x0000000d  S6      : 0x00000000  S7      : 0x00000000
S8      : 0x00000000  S9      : 0x00000000  S10     : 0x00000000  S11     : 0x00000000
T3      : 0x6e6d6c6b  T4      : 0x6a696867  T5      : 0x66656463  T6      : 0x62613938
MSTATUS : 0x00001881  MTVEC   : 0x40800001  MCAUSE  : 0x00000007  MTVAL   : 0x00000000
MHARTID : 0x00000000

===============================================================
==================== ESP32 CORE DUMP START ====================

Crashed task handle: 0x4082d898, name: 'zigbee_main', GDB name: 'process 1082316952'
Crashed task is not in the interrupt context
Panic reason: abort() was called at PC 0x4202dde3 on core 0

================== CURRENT THREAD REGISTERS ===================
ra             0x40808c2c	0x40808c2c <__ubsan_include>
sp             0x4082d690	0x4082d690
gp             0x40811690	0x40811690 <_impure_data+136>
tp             0x4082d890	0x4082d890
t0             0x37363534	926299444
t1             0x7271706f	1920036975
t2             0x33323130	858927408
fp             0x4082d6bc	0x4082d6bc
s1             0x4082d6bc	1082316476
a0             0x4082d6c8	1082316488
a1             0x4082d6aa	1082316458
a2             0x0	0
a3             0x4082d6f5	1082316533
a4             0x1	1
a5             0x4081f000	1082257408
a6             0x0	0
a7             0x76757473	1987409011
s2             0x98	152
s3             0xd	13
s4             0x8	8
s5             0xd	13
s6             0x0	0
s7             0x0	0
s8             0x0	0
s9             0x0	0
s10            0x0	0
s11            0x0	0
t3             0x6e6d6c6b	1852664939
t4             0x6a696867	1785292903
t5             0x66656463	1717920867
t6             0x62613938	1650538808
pc             0x40800774	0x40800774 <panic_abort+18>

==================== CURRENT THREAD STACK =====================
#0  panic_abort (details=details@entry=0x4082d6c8 "abort() was called at PC 0x4202dde3 on core 0") at /home/simon/src/esp-idf/components/esp_system/panic.c:469
#1  0x40808c2c in esp_system_abort (details=details@entry=0x4082d6c8 "abort() was called at PC 0x4202dde3 on core 0") at /home/simon/src/esp-idf/components/esp_system/port/esp_system_chip.c:92
#2  0x4080fcba in abort () at /home/simon/src/esp-idf/components/newlib/abort.c:38
#3  0x4202dde6 in ?? ()

======================== THREADS INFO =========================
  Id   Target Id          Frame 
* 1    process 1082316952 panic_abort (details=details@entry=0x4082d6c8 "abort() was called at PC 0x4202dde3 on core 0") at /home/simon/src/esp-idf/components/esp_system/panic.c:469
  2    process 1082276268 0x40806032 in esp_cpu_wait_for_intr () at /home/simon/src/esp-idf/components/esp_hw_support/cpu.c:150
  3    process 1082326024 0x40809fdc in vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:622
  4    process 1082278672 0x40809fdc in vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:622
  5    process 1082341940 vPortClearInterruptMaskFromISR (prev_int_level=1) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:496
  6    process 1082335352 0x40809fdc in vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:622
  7    process 1082330792 0x40809fe0 in vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:622
  8    process 1082262892 vPortClearInterruptMaskFromISR (prev_int_level=1) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:496


       TCB             NAME PRIO C/B  STACK USED/FREE
---------- ---------------- -------- ----------------
0x4082d898      zigbee_main      5/5         592/7596
0x408239ac             IDLE      0/0         208/1320
0x4082fc08      zigbee_task      5/5         528/7660
0x40824310          Tmr Svc      1/1         272/1764
0x40833a34          ui_uart      1/1         464/5664
0x40832078          ui_main      2/2         336/3756
0x40830ea8      device_main    19/19         336/3756
0x4082056c        esp_timer    22/22         240/3840

==================== THREAD 1 (TCB: 0x4082d898, name: 'zigbee_main') =====================
#0  panic_abort (details=details@entry=0x4082d6c8 "abort() was called at PC 0x4202dde3 on core 0") at /home/simon/src/esp-idf/components/esp_system/panic.c:469
#1  0x40808c2c in esp_system_abort (details=details@entry=0x4082d6c8 "abort() was called at PC 0x4202dde3 on core 0") at /home/simon/src/esp-idf/components/esp_system/port/esp_system_chip.c:92
#2  0x4080fcba in abort () at /home/simon/src/esp-idf/components/newlib/abort.c:38
#3  0x4202dde6 in ?? ()

==================== THREAD 2 (TCB: 0x408239ac, name: 'IDLE') =====================
#0  0x40806032 in esp_cpu_wait_for_intr () at /home/simon/src/esp-idf/components/esp_hw_support/cpu.c:150
#1  0x42069286 in esp_vApplicationIdleHook () at /home/simon/src/esp-idf/components/esp_system/freertos_hooks.c:58
#2  0x4080adb0 in prvIdleTask (pvParameters=<error reading variable: value has been optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/tasks.c:4310
#3  0x40809e1c in vPortTaskWrapper (pxCode=<optimized out>, pvParameters=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:229

==================== THREAD 3 (TCB: 0x4082fc08, name: 'zigbee_task') =====================
#0  0x40809fdc in vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:622
#1  vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:604
#2  0x40809af4 in xQueueSemaphoreTake (xQueue=0x4082fad0, xTicksToWait=<optimized out>, xTicksToWait@entry=6001) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:1901
#3  0x42005140 in pthread_cond_timedwait (mut=0x40825bb8, to=<optimized out>, cv=<optimized out>) at /home/simon/src/esp-idf/components/pthread/pthread_cond_var.c:163
#4  0x42010f28 in __gthread_cond_timedwait (__abs_timeout=0x4082fb60, __mutex=<optimized out>, __cond=0x40825bbc) at /home/simon/.espressif/tools/riscv32-esp-elf/esp-13.2.0_20230928/riscv32-esp-elf/riscv32-esp-elf/include/c++/13.2.0/riscv32-esp-elf/rv32imac_zicsr_zifencei/ilp32/no-rtti/bits/gthr-default.h:872
#5  std::__condvar::wait_until (__abs_time=..., __m=..., this=0x40825bbc) at /home/simon/.espressif/tools/riscv32-esp-elf/esp-13.2.0_20230928/riscv32-esp-elf/riscv32-esp-elf/include/c++/13.2.0/bits/std_mutex.h:178
#6  std::condition_variable::__wait_until_impl<std::chrono::duration<long long, std::ratio<1ll, 1000000000ll> > > (__lock=..., __atime=<synthetic pointer>..., this=0x40825bbc) at /home/simon/.espressif/tools/riscv32-esp-elf/esp-13.2.0_20230928/riscv32-esp-elf/riscv32-esp-elf/include/c++/13.2.0/condition_variable:224
#7  std::condition_variable::wait_until<std::chrono::_V2::steady_clock, std::chrono::duration<long long, std::ratio<1ll, 1000000000ll> > > (__atime=..., __lock=..., this=0x40825bbc) at /home/simon/.espressif/tools/riscv32-esp-elf/esp-13.2.0_20230928/riscv32-esp-elf/riscv32-esp-elf/include/c++/13.2.0/condition_variable:137
#8  nutt::ZigbeeDevice::run_tasks (this=0x40825bb8) at /home/simon/build/candle-dribbler-0.7.2/src/zigbee.cpp:157
#9  0x42076d4a in std::execute_native_thread_routine (__p=<optimized out>) at /builds/idf/crosstool-NG/.build/riscv32-esp-elf/src/gcc/libstdc++-v3/src/c++11/thread.cc:104
#10 0x42004e22 in pthread_task_func (arg=0x4082dbc0, arg@entry=<error reading variable: value has been optimized out>) at /home/simon/src/esp-idf/components/pthread/pthread.c:222
#11 0x40809e1c in vPortTaskWrapper (pxCode=<optimized out>, pvParameters=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:229

==================== THREAD 4 (TCB: 0x40824310, name: 'Tmr Svc') =====================
#0  0x40809fdc in vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:622
#1  vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:604
#2  0x4080a95a in prvProcessTimerOrBlockTask (xListWasEmpty=<optimized out>, xNextExpireTime=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/timers.c:739
#3  prvTimerTask (pvParameters=<error reading variable: value has been optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/timers.c:685
#4  0x40809e1c in vPortTaskWrapper (pxCode=<optimized out>, pvParameters=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:229

==================== THREAD 5 (TCB: 0x40833a34, name: 'ui_uart') =====================
#0  vPortClearInterruptMaskFromISR (prev_int_level=1) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:496
#1  vPortExitCritical () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:597
#2  0x408081de in prvReceiveGeneric (pxRingbuffer=0x40825688, pvItem1=pvItem1@entry=0x4083392c, pvItem2=pvItem2@entry=0x0, xItemSize1=xItemSize1@entry=0x4083394c, xItemSize2=xItemSize2@entry=0x0, xMaxSize=xMaxSize@entry=1, xTicksToWait=<optimized out>, xTicksToWait@entry=4294967295) at /home/simon/src/esp-idf/components/esp_ringbuf/ringbuf.c:876
#3  0x40808622 in xRingbufferReceiveUpTo (xRingbuffer=<optimized out>, pxItemSize=pxItemSize@entry=0x4083394c, xTicksToWait=xTicksToWait@entry=4294967295, xMaxSize=xMaxSize@entry=1) at /home/simon/src/esp-idf/components/esp_ringbuf/ringbuf.c:1178
#4  0x42008fdc in uart_read_bytes (uart_num=UART_NUM_0, buf=0x4083398c, length=1, ticks_to_wait=4294967295) at /home/simon/src/esp-idf/components/esp_driver_uart/src/uart.c:1404
#5  0x4200eb3e in __GNU_EH_FRAME_HDR ()
#6  0x42076d4a in std::execute_native_thread_routine (__p=<optimized out>) at /builds/idf/crosstool-NG/.build/riscv32-esp-elf/src/gcc/libstdc++-v3/src/c++11/thread.cc:104
#7  0x42004e22 in pthread_task_func (arg=0x408321ec, arg@entry=<error reading variable: value has been optimized out>) at /home/simon/src/esp-idf/components/pthread/pthread.c:222
#8  0x40809e1c in vPortTaskWrapper (pxCode=<optimized out>, pvParameters=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:229

==================== THREAD 6 (TCB: 0x40832078, name: 'ui_main') =====================
#0  0x40809fdc in vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:622
#1  vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:604
#2  0x40809af4 in xQueueSemaphoreTake (xQueue=0x40824e20, xTicksToWait=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:1901
#3  0x4201a088 in nutt::WakeupThread::run_loop (this=0x40824d9c) at /home/simon/build/candle-dribbler-0.7.2/src/thread.cpp:64
#4  0x42076d4a in std::execute_native_thread_routine (__p=<optimized out>) at /builds/idf/crosstool-NG/.build/riscv32-esp-elf/src/gcc/libstdc++-v3/src/c++11/thread.cc:104
#5  0x42004e22 in pthread_task_func (arg=0x40831030, arg@entry=<error reading variable: value has been optimized out>) at /home/simon/src/esp-idf/components/pthread/pthread.c:222
#6  0x40809e1c in vPortTaskWrapper (pxCode=<optimized out>, pvParameters=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:229

==================== THREAD 7 (TCB: 0x40830ea8, name: 'device_main') =====================
#0  0x40809fe0 in vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:622
#1  vPortYield () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:604
#2  0x40809af4 in xQueueSemaphoreTake (xQueue=0x40825b34, xTicksToWait=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:1901
#3  0x4201a088 in nutt::WakeupThread::run_loop (this=0x408259b0) at /home/simon/build/candle-dribbler-0.7.2/src/thread.cpp:64
#4  0x42076d4a in std::execute_native_thread_routine (__p=<optimized out>) at /builds/idf/crosstool-NG/.build/riscv32-esp-elf/src/gcc/libstdc++-v3/src/c++11/thread.cc:104
#5  0x42004e22 in pthread_task_func (arg=0x4082fe60, arg@entry=<error reading variable: value has been optimized out>) at /home/simon/src/esp-idf/components/pthread/pthread.c:222
#6  0x40809e1c in vPortTaskWrapper (pxCode=<optimized out>, pvParameters=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:229

==================== THREAD 8 (TCB: 0x4082056c, name: 'esp_timer') =====================
#0  vPortClearInterruptMaskFromISR (prev_int_level=1) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:496
#1  vPortExitCritical () at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:597
#2  0x4080c49e in ulTaskGenericNotifyTake (uxIndexToWait=uxIndexToWait@entry=0, xClearCountOnExit=xClearCountOnExit@entry=1, xTicksToWait=xTicksToWait@entry=4294967295) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/tasks.c:5722
#3  0x4206bf62 in timer_task (arg=<error reading variable: value has been optimized out>) at /home/simon/src/esp-idf/components/esp_timer/src/esp_timer.c:477
#4  0x40809e1c in vPortTaskWrapper (pxCode=<optimized out>, pvParameters=<optimized out>) at /home/simon/src/esp-idf/components/freertos/FreeRTOS-Kernel/portable/riscv/port.c:229


======================= ALL MEMORY REGIONS ========================
Name   Address   Size   Attrs
.rtc.text 0x50000000 0x0 RW  
.rtc.force_fast 0x50000000 0x0 RW  
.rtc.force_slow 0x50000010 0x0 RW  
.iram0.text 0x40800000 0x10e88 R XA
.iram0.text_end 0x40810e88 0x0 RW  
.iram0.bss 0x40810e90 0x0 RW  
.dram0.data 0x40810e90 0x1d84 RW A
.flash.text 0x42000020 0x80908 R XA
.flash.appdesc 0x42090020 0x100 R  A
.flash.rodata 0x42090120 0x1afe0 RW A
.flash.tls 0x420ab100 0x0 RW  
.eh_frame 0x420ab100 0x10d8 R  A
.flash.rodata_noload 0x420ac1d8 0x0 RW  
.coredump.tasks.data 0x4082d898 0x15c RW 
.coredump.tasks.data 0x4082d5f0 0x2a0 RW 
.coredump.tasks.data 0x408239ac 0x15c RW 
.coredump.tasks.data 0x408238d0 0xd0 RW 
.coredump.tasks.data 0x4082fc08 0x15c RW 
.coredump.tasks.data 0x4082f9f0 0x210 RW 
.coredump.tasks.data 0x40824310 0x15c RW 
.coredump.tasks.data 0x408241f0 0x110 RW 
.coredump.tasks.data 0x40833a34 0x15c RW 
.coredump.tasks.data 0x40833850 0x1d0 RW 
.coredump.tasks.data 0x40832078 0x15c RW 
.coredump.tasks.data 0x40831f20 0x150 RW 
.coredump.tasks.data 0x40830ea8 0x15c RW 
.coredump.tasks.data 0x40830d50 0x150 RW 
.coredump.tasks.data 0x4082056c 0x15c RW 
.coredump.tasks.data 0x40821e10 0xf0 RW 

===================== ESP32 CORE DUMP END =====================
===============================================================
4202cf24: zb_bufpool_mult.c.obj:? <zb_get_buf_tail_ptr>
4202dde6: zb_init_common.c.obj:? <zb_assert>
42031eaa: zb_scheduler.c.obj:? <sched_is_cb_q_empty>
42032b16: zb_scheduler.c.obj:? <zb_sched_mac_transport_iteration>

About this issue

  • State: open
  • Created 3 months ago
  • Comments: 30 (7 by maintainers)

Most upvoted comments

This is in zb_zcl_get_next_reporting_info() which has just called zb_zcl_get_attr_desc_manuf_a() with manuf_code of 0 (a4) and received NULL back (a0) so it crashes when it dereferences it:

Hello, I have a similar problem. When, between boots, I change the number of registered clusters/attributes, the zb lib crashes. A simple flash erase fixes the problem.

An example of how the bug appears:

  • Boot, register 15 attributes and join a zb network
  • Reboot --> all works fine
  • On my project, the user can change to the “advanced mode” and after a reboot register more clusters and attributes (around 30 attributes)
  • After reboot, the firmware will crash after the zb stack starts, like this:

Can you fix this bug?

Thanks

....
I (6446) ZIGBEE: Device started up in non factory-reset mode
I (6447) ZIGBEE: Device rebooted
Guru Meditation Error: Core  0 panic'ed (Load access fault). Exception was unhandled.

Core  0 register dump:
MEPC    : 0x4205a8f8  RA      : 0x4205a8f4  SP      : 0x40841bf0  GP      : 0x4081e504
0x4205a8f8: zb_zcl_get_next_reporting_info at ??:?
0x4205a8f4: zb_zcl_get_next_reporting_info at ??:?

TP      : 0x407f886c  T0      : 0x40030dca  T1      : 0x0000000f  T2      : 0x62808861
0x40030dca: memset in ROM

S0/FP   : 0x40848f94  S1      : 0x00000004  A0      : 0x00000000  A1      : 0x00000020
A2      : 0x0000ffff  A3      : 0x0000000c  A4      : 0x4084888d  A5      : 0x00000005
A6      : 0x0000000c  A7      : 0x0000000c  S2      : 0x00000000  S3      : 0x40848eb4
S4      : 0x00000000  S5      : 0x00000006  S6      : 0x00000000  S7      : 0x00000052
S8      : 0x00000038  S9      : 0x0000ff42  S10     : 0x00000000  S11     : 0x00000007
T3      : 0x000000fd  T4      : 0x000000fe  T5      : 0xffffffff  T6      : 0x000000ff
MSTATUS : 0x00001881  MTVEC   : 0x40800001  MCAUSE  : 0x00000005  MTVAL   : 0x00000003
0x40800001: _vector_table at ??:?

MHARTID : 0x00000000

Stack memory:
40841bf0: 0x4205a224 0x00000017 0x0000004a 0x40848eec 0x40848eb4 0x40848a80 0x40842ec9 0x42054c5e
0x4205a224: zb_zcl_reporting_timer_handler at ??:?
0x42054c5e: zb_zcl_send_report_attr_command at ??:?

40841c10: 0x0000000f 0x40841c30 0x00000003 0x4206a394 0x0000000f 0x00000000 0x7fffffff 0x00000002
0x4206a394: zb_osif_scheduler_event at ??:?

40841c30: 0x0000000f 0x00000000 0x00000042 0x00000000 0x00000000 0x4205a3e8 0x00000006 0x00000000
0x4205a3e8: zb_zcl_report_attr at ??:?

40841c50: 0x00000002 0x00000052 0x40848eb4 0x4205a4d8 0x0000000f 0x4205a3e8 0x7fffffff 0x000000ff
0x4205a4d8: zb_zcl_report_attr at ??:?
0x4205a3e8: zb_zcl_report_attr at ??:?

40841c70: 0x0000000f 0x00000000 0x40828ba0 0x42044f14 0x0000007f 0x0000000f 0x40841dd8 0x00000000
0x42044f14: zb_sched_loop_iteration at ??:?

40841c90: 0x40848808 0x00000000 0x40846f48 0x40831000 0x00000000 0x0000ff42 0x00000b04 0x00000004
40841cb0: 0x0000007f 0x0000000f 0x40841dd8 0x40847aa0 0x40848808 0x408480fc 0x42158000 0x420364fe
0x420364fe: esp_zb_main_loop_iteration at ??:?

40841cd0: 0x42157ce8 0x00000394 0x00000007 0x42010b8a 0x00000025 0x40841dd8 0xa5a5a5a5 0xa5a5a5a5
0x42010b8a: zigbee_task at D:/08-LocalRepos/TICMeter/firmware/main/zigbee.c:635

40841cf0: 0xa5a5a5a5 0xa5a5a5a5 0x40847888 0x42150030 0x40847c08 0x40847d70 0x40847d04 0x40847a34
40841d10: 0x0000007f 0x0000ff42 0x0000002d 0x00000025 0xa5a5a5a5 0xa5a5a5a5 0xfb010101 0xa5a50008
40841d30: 0x00010000 0x000003e8 0x00000004 0x030205a0 0xa5a50040 0x00000000 0x00000000 0xa5a500fb
40841d50: 0x00000002 0x00000000 0x00000006 0x00000fa0 0x00030202 0x00c8ffff 0x00000000 0x00000000
40841d70: 0x00030202 0x00000000 0x00000000 0x00000000 0x2e335617 0x2d322e32 0x34672d31 0x30623832
40841d90: 0x642d3762 0x79747269 0xa5a5a500 0xa5a5a5a5 0xa5a5a5a5 0x32303213 0x34302d34 0x2038322d
40841db0: 0x333a3131 0x35303a37 0xa5a5a500 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
40841dd0: 0xa5a5a5a5 0xa5a5a5a5 0x30000030 0x00003030 0x32333935 0xa5a5a500 0xa5a5a5a5 0xa5a5a5a5
40841df0: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
40841e10: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
40841e30: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0x53010401 0x00303200 0x33393500 0xa5000032 0xa5a5a5a5
40841e50: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0x4201041c 0x00000000 0x00000000 0x4081e504
0x4201041c: zigbee_task at D:/08-LocalRepos/TICMeter/firmware/main/zigbee.c:319

40841e70: 0x407f886c 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
40841e90: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
40841eb0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
40841ed0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
40841ef0: 0x00000000 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
40841f10: 0x00000150 0x40841af0 0x0000336d 0x408221cc 0x408221cc 0x40841f14 0x408221c4 0x00000014
40841f30: 0x40848834 0x40848834 0x40841f14 0x00000000 0x00000005 0x4083ff10 0x6267695a 0x6d5f6565
40841f50: 0x006e6961 0x00000000 0x40841f00 0x00000005 0x00000001 0x00000000 0x00000000 0x00000009
40841f70: 0x408327cc 0x40832834 0x4083289c 0x00000000 0x00000000 0x00000001 0x00000000 0x00000000
40841f90: 0x00000000 0x42006116 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
0x42006116: esp_cleanup_r at C:/Espressif/frameworks/esp-idf-v5.2.1/components/newlib/newlib_init.c:60

40841fb0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
40841fd0: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000



ELF file SHA256: ff35324e1e01a5c8

Rebooting in  2 seconds...

The ieee802154_receive_at() function also needs to call ieee802154_enter_critical() earlier. Otherwise it’s calling stop_current_operation() (via rx_init()) and set_next_rx_buffer() with interrupts enabled.

This function isn’t used by the Zigbee libraries.

By the way, enabling the debug mode is helpful for this issue. Could you also add the esp_zb_set_trace_level_mask(ESP_ZB_TRACE_LEVEL_CRITICAL, 0); function before esp_zb_init(&zb_nwk_cfg); to reproduce the issue and provide us with the result?

@nomis ,

We’ve debugged some detailed issues based on the information you provided and made some fixes, but I cannot guarantee they are the root cause of this issue. The fixes will be released in the next version. Before that, could you replace this function with the code below and test again?

static void ieee802154_receive_done(uint8_t *data, esp_ieee802154_frame_info_t *frame_info)
{
    // If the RX done packet is written in the stub buffer, drop it silently.
    if (s_rx_index == CONFIG_IEEE802154_RX_BUFFER_SIZE) {
        esp_rom_printf("receive buffer full, drop the current frame.\n");
    } else {
        // Otherwise, post it to the upper layer.
        frame_info->process = true;
        if (data[0] > 127) {
            esp_rom_printf("oversized frame: %d\n", data[0]);
        }
        esp_ieee802154_receive_done(data, frame_info);
    }
}
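
An added example, not part of the thread and not ESP-IDF code: a stand-alone sketch of the receive-done check above that drops a suspect frame before any consumer trusts its length byte, instead of logging it and passing it on. It assumes, as the posted check on data[0] suggests, that the first byte of a receive slot is the frame length; the names rx_done_filter, rx_deliver, demo_deliver, RX_SLOTS and the 5-byte minimum are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_SLOTS     4    /* hypothetical pool size (stands in for CONFIG_IEEE802154_RX_BUFFER_SIZE) */
#define PHY_MAX_LEN  127  /* largest IEEE 802.15.4 PHY payload; same bound as the posted check */
#define PHY_MIN_LEN  5    /* assumed floor: FCF(2) + sequence(1) + FCS(2), a bare ACK */
#define SLOT_BYTES   (1 + PHY_MAX_LEN)  /* length byte followed by the payload */

typedef enum { RX_ACCEPT, RX_DROP_STUB, RX_DROP_OVERSIZE, RX_DROP_RUNT } rx_verdict_t;

/* One counter per verdict, so drops are visible without printing from the RX path. */
typedef struct { unsigned count[4]; } rx_stats_t;

/* Classify a completed receive. slot == RX_SLOTS means the pool was full and
 * the frame landed in the spare "stub" buffer, which is never handed upward. */
rx_verdict_t rx_done_filter(size_t slot, const uint8_t *data)
{
    if (slot >= RX_SLOTS)
        return RX_DROP_STUB;
    if (data[0] > PHY_MAX_LEN)   /* length byte claims more than a slot holds */
        return RX_DROP_OVERSIZE;
    if (data[0] < PHY_MIN_LEN)   /* too short to carry a valid header and FCS */
        return RX_DROP_RUNT;
    return RX_ACCEPT;
}

/* Hand a frame to the upper layer only after it passes the filter.
 * Returns the number of payload bytes copied, or 0 when the frame is dropped. */
size_t rx_deliver(size_t slot, const uint8_t *data,
                  uint8_t *out, size_t out_cap, rx_stats_t *st)
{
    rx_verdict_t v = rx_done_filter(slot, data);
    size_t n = data[0];

    if (v == RX_ACCEPT && n > out_cap)
        v = RX_DROP_OVERSIZE;    /* consumer buffer smaller than the frame */
    st->count[v]++;
    if (v != RX_ACCEPT)
        return 0;
    memcpy(out, data + 1, n);    /* bounded by both the slot and out_cap */
    return n;
}

/* Constructed input: a slot whose length byte is len_byte, payload 0xAB. */
size_t demo_deliver(size_t slot, uint8_t len_byte, rx_stats_t *st)
{
    uint8_t slot_buf[SLOT_BYTES];
    uint8_t out[PHY_MAX_LEN];

    memset(slot_buf, 0xAB, sizeof slot_buf);
    slot_buf[0] = len_byte;
    return rx_deliver(slot, slot_buf, out, sizeof out, st);
}

int main(void)
{
    rx_stats_t st = {{0}};

    printf("len 12, slot 0    -> %zu bytes\n", demo_deliver(0, 12, &st));
    printf("len 200, slot 1   -> %zu bytes\n", demo_deliver(1, 200, &st));
    printf("len 2, slot 2     -> %zu bytes\n", demo_deliver(2, 2, &st));
    printf("len 12, stub slot -> %zu bytes\n", demo_deliver(RX_SLOTS, 12, &st));
    printf("accepted=%u stub=%u oversize=%u runt=%u\n",
           st.count[RX_ACCEPT], st.count[RX_DROP_STUB],
           st.count[RX_DROP_OVERSIZE], st.count[RX_DROP_RUNT]);
    return 0;
}
```

Counting drops per cause, rather than printing from the receive path, keeps the evidence of malformed or excess traffic available for later inspection.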