Skip to content

ISSUE-4332: Fix boot-path stack overflow risk and reduce update stack footprint#4350

Open
herbenderbler wants to merge 3 commits intoflipperdevices:devfrom
herbenderbler:ISSUE-4332/stack-overflow
Open

ISSUE-4332: Fix boot-path stack overflow risk and reduce update stack footprint#4350
herbenderbler wants to merge 3 commits intoflipperdevices:devfrom
herbenderbler:ISSUE-4332/stack-overflow

Conversation

@herbenderbler
Copy link

@herbenderbler herbenderbler commented Mar 12, 2026

Summary

This PR resolves a potential stack overflow in the boot update path (issue #4332) with a two-part fix:

  1. Increase main thread stack in linker scripts from 1024 bytes to 2048 bytes.
  2. Refactor update-path functions to move large FatFS structures from stack to heap, substantially reducing stack pressure in critical boot code.

It also restores production build settings by disabling temporary stack-usage instrumentation after analysis.

Problem

The boot update path could consume too much stack in constrained scenarios, especially around manifest handling and stage loading. The original configuration used a 1024-byte stack, which provided insufficient safety margins for deep call paths and interrupt context.

What Changed

1) Stack size increase (safety fix)

  • Increased _stack_size from 0x400 to 0x800 in:
    • stm32wb55xx_flash.ld
    • stm32wb55xx_ram_fw.ld

2) Stack-footprint refactor in boot update code

  • Refactored update functions to heap-allocate large FatFS objects (FIL, FILINFO, and path buffer where applicable), with allocation-failure handling and cleanup:
    • update.c
  • Added clarifying in-code comments documenting stack rationale and safety intent for issue Potential thread stack overflow in main #4332.

3) Build config cleanup

  • Kept -fstack-usage only for analysis phase, then disabled for normal production builds:
    • cc.scons

Commit Breakdown

  • de0fa1dbfix(boot): increase main thread stack to prevent overflow (#4332)
  • 5908589arefactor(boot): heap-allocate large FatFS structures in update path (#4332)
  • 421c1751build: disable -fstack-usage in production builds

Validation Performed

  • Static stack-usage investigation was run during development using -fstack-usage.
  • Final branch build verified successfully with fbt.
  • Firmware links and packages successfully (firmware.elf, firmware.bin, firmware.dfu).

Risk / Impact

  • SRAM impact from stack increase is small relative to STM32WB55 capacity and materially improves reliability.
  • Refactor introduces heap usage in boot path, but with explicit allocation checks and deterministic cleanup.
  • Overall effect is a safer boot update path with significantly improved stack headroom.

Related Issue

Checklist (For Reviewer)

  • PR has description of feature/bug or link to Confluence/Jira task
  • Description contains actions to verify feature/bugfix
  • I've built this code, uploaded it to the device and verified feature/bugfix

@herbenderbler
fix(boot): increase main thread stack to prevent overflow (flipperdev…
de0fa1d 
…ices#4332)

- Increase stack size from 1024 → 2048 bytes (0x400 → 0x800)
- Provides 1096 bytes headroom for boot update operations
- Resolves potential overflow in flipper_update_process_manifest
- Enable -fstack-usage for static stack analysis
@herbenderbler
refactor(boot): heap-allocate large FatFS structures in update path (f…
5908589 
…lipperdevices#4332)

Further optimization of boot update stack usage by moving large FatFS
structures (FIL, FILINFO, path buffers) from stack to heap allocation.

Refactored functions:
1. flipper_update_get_manifest_path
   Before: ~1160 bytes (FIL + FILINFO + 256B buffer)
   After:  ~50 bytes (pointers only)

2. flipper_update_load_stage
   Before: ~928 bytes (FIL + FILINFO)
   After:  ~100 bytes (pointers + variables)

3. flipper_update_process_manifest
   Before: ~920 bytes (FIL + FILINFO)
   After:  ~80 bytes (pointers + variables)

Total stack reduction: ~2778 bytes on critical boot path

Benefits:
- Estimated total boot path stack: ~230 bytes (was ~952 bytes)
- Leaves ~1818 bytes headroom in 2048-byte stack
- Follows embedded systems best practices
- Proper error handling for malloc() failures at each call site
- No performance impact - allocations occur once per boot

Implementation details:
- All FatFS structures now heap-allocated with proper cleanup
- Added NULL checks for malloc() failures
- Maintained cleanup paths in error conditions
- Added clarifying comments explaining stack requirements

Files changed:
- targets/f7/src/update.c: Three functions refactored

Testing: Build validation successful, firmware size unchanged
Relates to: flipperdevices#4332 (stack overflow fix)
@herbenderbler
build: disable -fstack-usage in production builds
421c175 
Disable -fstack-usage compiler flag that was enabled for stack analysis
during the fix for issue flipperdevices#4332. Stack analysis is complete and should only
be enabled during future stack usage investigations.
@herbenderbler herbenderbler marked this pull request as ready for review March 12, 2026 03:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DrZlo13 DrZlo13 Awaiting requested review from DrZlo13 DrZlo13 is a code owner

@hedger hedger Awaiting requested review from hedger hedger is a code owner

@gsurkov gsurkov Awaiting requested review from gsurkov gsurkov is a code owner

@nminaylov nminaylov Awaiting requested review from nminaylov nminaylov is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Potential thread stack overflow in main

1 participant

@herbenderbler