ESP32 tcp_close_shutdown() crash

#1

It is difficult to reproduce because it happens infrequently, but I finally captured a problem I have been seeing on ESP32 (WROVER). It appears tcp_close_shutdown() might be doing a double free on heap memory causing heap corruption.

0x400897dc in invoke_abort ()
    at /opt/Espressif/esp-idf/components/esp32/panic.c:156
156             *((int *) 0) = 0;
#0  0x400897dc in invoke_abort ()
    at /opt/Espressif/esp-idf/components/esp32/panic.c:156
#1  0x40089a20 in abort ()
    at /opt/Espressif/esp-idf/components/esp32/panic.c:171
#2  0x40096564 in multi_heap_assert (address=1073554264, line=477,
    format=0x3ffb321c "CORRUPT HEAP: multi_heap.c:%d detected at 0x%08x\n",
    condition=false)
    at /opt/Espressif/esp-idf/components/heap/multi_heap_platform.h:54
#3  multi_heap_free_impl (heap=0x3ffb9c58, p=0x3ffd235c)
    at /opt/Espressif/esp-idf/components/heap/multi_heap.c:477
#4  0x400835bd in heap_caps_free (ptr=0x3ffd235c)
    at /opt/Espressif/esp-idf/components/heap/heap_caps.c:272
#5  0x40083c6c in _free_r (r=0x3ffc6a10, ptr=0x3ffd235c)
    at /opt/Espressif/esp-idf/components/newlib/syscalls.c:42
#6  0x4000beca in ?? ()
#7  0x401720d4 in mem_free (rmem=0x3ffd235c)
    at /app/components/lwip/lwip/src/core/mem.c:151
#8  0x40172176 in do_memp_free_pool (desc=0x3f4288c8 <memp_TCP_PCB>,
    mem=0x3ffd235c) at /app/components/lwip/lwip/src/core/memp.c:432
#9  0x401721d2 in memp_free (type=<optimized out>, mem=0x3ffd235c)
    at /app/components/lwip/lwip/src/core/memp.c:489
#10 0x4017335d in tcp_close_shutdown (pcb=0x3ffd235c,
    rst_on_unacked_data=<optimized out>)
    at /app/components/lwip/lwip/src/core/tcp.c:311
#11 0x401733c5 in tcp_close (pcb=0x3ffd235c)
    at /app/components/lwip/lwip/src/core/tcp.c:409
#12 0x401bb924 in tcp_close_tcpip (arg=0x3ffd235c)
    at common/platforms/lwip/mg_lwip_net_if.c:357
#13 0x401bb907 in xxx_tcpip (arg=0x3ffb8c40 <mgos_task_stack+15908>)
    at common/platforms/lwip/mg_lwip_net_if.c:70
#14 0x40171e10 in tcpip_thread (arg=<optimized out>)
    at /app/components/lwip/lwip/src/api/tcpip.c:120
#15 0x40093854 in vPortTaskWrapper (pxCode=0x40171dc8 <tcpip_thread>,
    pvParameters=0x0) at /opt/Espressif/esp-idf/components/freertos/port.c:143

Here is what my build is using:

mgos_freertos.c:177     Mongoose OS 2.17.0 (20200730-220834/2.17.0-gc31a745)
mgos_freertos.c:181     CPU: 240 MHz, FreeRTOS 8.2.0, heap: 4501320 total, 4401236 free
mgos_freertos.c:183     Newlib 2.2.0
esp32_main.c:116        ESP-IDF v3.3-r2
esp32_main.c:119        Boot partition: app_0; flash: 8M
mg_lwip_ev_mgr.c:77     Mongoose 6.16, LwIP 2.0.3
mg_ssl_if_mbedtls.c:57  mbed TLS 2.16.3-cesanta9

I’m not sure how to proceed. Are there any more things I can do to help the Cesanta team diagnose and isolate this issue?

#2

Might be related to https://github.com/cesanta/mongoose-os/issues/545 and Cannot do HTTPS requests in google chrome ?

#3

Quite possible. Looks similar, if not identical.