Ben Pratt

KW40Z HardFault in hciLeCallback

Discussion created by Ben Pratt on Mar 6, 2017
Latest reply on Apr 4, 2017 by Ben Pratt

I am using the KW40Z in the GAP Central role to scan and connect to other BLE devices. Occasionally, a HardFault will be triggered while processing scan requests. I've managed to trace the issue back to a potential null-pointer dereference in "hciLeCallback" from "gap_hci_cb.o" in "ble_host_central_lib.a" within Connectivity Software 1.0.1.

The disassembly for this function is shown below. There is a conditional breakpoint on address 0x1875C right after the call to "MEM_BufferAlloc". Notice that there is no check to verify that "MEM_BufferAlloc" did not return NULL, unlike the previous call to "MEM_BufferAlloc" earlier in the function (starting at address 0x18736, the "MOVS" followed by the "BEQ.N").

Ultimately, the HardFault occurs within the call to "FLib_MemCpy" at address 0x1877C where we end up trying to write to address 0. A snapshot of this condition is shown below (destination in R0, source in R1). There are a few reads and writes that occur between the call to "MEM_BufferAlloc" and "FLib_MemCpy" that I haven't fully decoded, but they don't seem to help us avoid writing to address 0.

I suspect I can increase the heap size to avoid running into this situation, but it doesn't fix the underlying cause. Is there a planned update to the Connectivity Software that happens to address this issue?
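As an added example (not code from the post or from NXP's Connectivity Software), the pattern the disassembly describes in C: an allocation followed by a copy with no NULL check, beside a version that checks the allocation and returns an out-of-memory status instead. `mem_buffer_alloc`, `heap_reset`, `adv_report_t` and the tiny 64-byte heap are hypothetical stand-ins for `MEM_BufferAlloc` and the host stack's data, chosen so that heap exhaustion is easy to reproduce.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical allocator standing in for MEM_BufferAlloc: a bump allocator
 * over a deliberately tiny pool so it returns NULL after a couple of reports. */
#define HEAP_SIZE 64
static uint8_t g_heap[HEAP_SIZE];
static size_t g_heap_used;

static void *mem_buffer_alloc(size_t n) {
    if (g_heap_used + n > HEAP_SIZE) return NULL;   /* heap exhausted */
    void *p = &g_heap[g_heap_used];
    g_heap_used += n;
    return p;
}
static void heap_reset(void) { g_heap_used = 0; }

/* Minimal advertising-report payload as a callback might receive it (assumed shape). */
typedef struct { const uint8_t *data; uint8_t len; } adv_report_t;

enum { COPY_OK = 0, COPY_ERR_NO_MEMORY = 1, COPY_ERR_BAD_LEN = 2 };

/* The pattern seen in the disassembly: the allocation result is used as the
 * memcpy destination without a NULL check. When the heap is exhausted this
 * writes to address 0 and faults. Shown for comparison only; never called here. */
uint8_t *copy_report_unchecked(const adv_report_t *rep) {
    uint8_t *buf = mem_buffer_alloc(rep->len);
    memcpy(buf, rep->data, rep->len);              /* buf may be NULL */
    return buf;
}

/* Hardened form: bound the length, check the allocation, propagate a status
 * so the caller can drop the report instead of crashing the stack. */
int copy_report_checked(const adv_report_t *rep, uint8_t **out) {
    *out = NULL;
    if (rep->len > 31) return COPY_ERR_BAD_LEN;    /* legacy advertising data limit */
    uint8_t *buf = mem_buffer_alloc(rep->len);
    if (buf == NULL) return COPY_ERR_NO_MEMORY;     /* the check the binary lacks */
    memcpy(buf, rep->data, rep->len);
    *out = buf;
    return COPY_OK;
}

/* Copy constructed 31-byte reports until the allocator fails; returns how many
 * succeeded. With a 64-byte heap that is 2, and the third attempt is refused. */
int fill_until_failure(void) {
    static const uint8_t sample[31] = { 0x02, 0x01, 0x06 };  /* constructed: Flags AD structure */
    adv_report_t rep = { sample, sizeof sample };
    uint8_t *buf;
    int count = 0;
    heap_reset();
    while (copy_report_checked(&rep, &buf) == COPY_OK) count++;
    return count;
}
```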