

# **APPLICATION NOTE**

# STACK OVERFLOW DETECTION USING THE ST9 TIMER/WATCHDOG

Pierre Guillemin

## INTRODUCTION

In real time applications, the implemention of software protection is not always easy, but allows reaching a high security level for the software against malfunction. This is particularly true for in-board applications in disturbed environments, such as automotive, power meter or industrial applications.

To help avoid non-controlled functionality and damage to real time system due to possible perturbations on the ST9 microcontoller core and I/O ports, a special peripheral able to act as a watchdog is available on all ST9 family members: the Timer Watchdog.

A periodic restarting of the Timer Watchdog by program, associated with the automatic detection of possible stack overflow, add to the protection of real time application software.

This application note shows how to detect stack overflow by using the Timer Watchdog in watchdog mode.

#### STACK OVERFLOW DETECTION PRINCIPLE

# **Summary of Timer Watchdog Features**

The ST9 core include a 16-bit down counter with an 8-bit prescaler offering the possibility of a watchdog mode. This timer, driven by a clock equal to INTCLK divided by 4, is able to provide time periods within the range of 333ns to 5.59s (using a 12 MHz internal clock).

In watchdog mode, the Timer Watchdog generates a fixed time base according to the Timer Watchdog registers and prescaler, and to INTCLK. This time base can be modified on the fly by changing the prescaler value. The new value will be taken into account only after an End Of Count event. In watchdog mode, the End Of Count occurrence generates a system reset.

In order to prevent the reset, the byte sequence AAh, 55h should be written into the Timer Watchdog register Low. Once the writing of 55h has been performed, the timer reloads the prescaler register and the counting restarts from this value (the prescaler register value may be modified between two End Of Count events).

**Note 1.** For a better understanding of this application note; please refer to the ST9 Technical Manual chapter on the 16-bit programmable Timer/Watchdog.

**Note 2.** INTCLK: Internal Clock. This clock issued from the oscillator circuitry, divided or not by 2, is the ST9 Internal Clock driving the peripherals. The maximum frequency allowed for INTCLK is 12MHz.

AN421 / 1292 1/6

#### Stack Overflow Detection

In many software applications, for example when running on ST9 ROMLESS versions or without external memory space, the size of the stack is limited.

On ST9 devices, the system stack may be located in the Register File or in data memory space. The ST9 stack pointer moves from the top to the bottom of the stack area.

A solution to detect stack overflow is to reserve the first two bytes after the bottom of the stack and to store in these locations the Timer Watchdog restart value, ie AAh, 55h.

In the case of stack overflow, the data will be overwritten and thus destroyed and a system reset will be generated on the next Timer Watchdog End Of Count.



Figure 1. Example of Stack overflow detection in Register File

### SOFTWARE DESCRIPTION

#### Stack Initialization

The following example initializes the system stack in groups D and C of the Register File.

In the stack management of the ST9, the stack pointer is automatically pre-decremented before the data is stored on the stack. So the expression:

```
SSTACK = (BKE * 16) - 1
```

defines the first location of the system stack in group D and C within the Register File, while the instruction:

```
ld SSPLR, #SSTACK + 1
```

initializes the system stack pointer in the system register. The instruction:

```
ldw RR#END_SSTACK,#0AA55h
```

initializes the first two bytes following the bottom of the system stack with the value used to restart the Timer Watchdog.

# Figure 2. System stack initialisation

```
STACK Declaration and end of stack initialisation
               in RAM space or Register File
; Initialisation in Register FIle
         := (BKE * 16) - 1 ; Sys.stack add.group
SSTACK
LG-SSTACK
          := 32
                           ; Sys.stack length
END_SSTACK := (BKE * 16) - LG_SSTACK ; Last sys.stack byte
ld
     SSPLR, #SSTACK + 1
                       ; Load sys.stack pointer
ldw
     RR#END_STACK - 2,#0AA55h; Init end of stack.
; Initialisation in RAM space
SSTACK
         := 2000h
                          ; top of sys.stack
END-STACK := 1000h
                          ; Init end of stack
           = rr0
essp
sdm
ldw
     SSPR, #SSTACK
                             ; Select data space
     essp,#END_SSTACK
                         ; Init End of sys.stack
ld
ldw
     -2(essp),#0AA55h
```

# **Timer Watchdog Programmation**

As an example, the Timer Watchdog is initialized in order to provide a time base of 10ms (with a ST9 driven by a clock frequency of 24MHz internally divided by two). To enable the Watchdog mode, the requirement is to initialize Timer prescaler and counter, to initialize the Timer Watchdog Control Register with its reset value, and then to enable the watchdog mode by clearing the WDGEN bit in the Wait Control Register in page 0. Resetting this bit causes the counter to start in Watchdog mode regardless of the start/stop, Single/Continuous and input mode bits.

Figure 3. Timer/Watchdog Initialisation

```
********************
                   WATCHDOG INITIALISATION
      INIT_WGT[PPR] {
proc
           #0
      spp
      ld
                             ; TWD prescaler register
           WDTPR,#0
      ld
           WDTLR, #-30h
                             ; TWD Timer counter low
      ld
           WDTHR, #075h
                             ; TWD Timer counter high
                             ; call TWD initialisation
      call INIT_WGT
           #0
                             ; select page 0 register
      spp
      ld
           WCR, #00111111b;
                             ; Enable the Watchdog
      ei
                             ; Enable Interrupt
```

**Note 3.** A bit (DIV2 located in the MODE Register MODER, R235 in the system group) controls the divide by two circuit which operates on the OSCIN clock driving the ST9. The maximum Internal Clock (INTCLK) allowable for the ST9 is 12MHz. This internal clock drives all the ST9 peripherals, while this same clock, optionally slowed down by the ST9 Core clock programmable prescaler and by wait cycle insertion, drives the ST9 Core.

After a reset cycle, the clock frequency applied to the ST9 is divided by two and no Core clock prescaling is done.

# **Timer Watchdog Restart**

This example shows how to restart the Timer Watchdog when the stack is located in Register File or in RAM space. In the register file, the two instructions:

```
ld WDTLR,#END_SSTACK-2
ld WDTLR,#END_SSTACK-1
```

load the restart value of Timer Watchdog.

When the system stack is located in RAM space, a register essp (end of system stack pointer) must be used to load the sequence AAh, 55h in the Timer Watchdog counter register low.

# Figure 4. Restarting the Timer/Watchdog

```
In Register File
       #0
                            ; TWD register page
spp
ld
       WDTLR,R#END_SSTACK-2
                                ; Load AAh
       WDTLR,R#END_SSTACK-1
ld
                                 ; Load 55h
             In RAM space
       #0
spp
                            ; TWD register page
sdm
                            ; Select RAM space
ld
       essp, #END_SSTACK
                                 ; End stack pointer
ld
       WDTLR,-2(essp)
                                 ; Load AAh
ld
       WDTLR,-1(essp)
                                 ; Load 55h
```

#### **SUMMARY**

Protection of software against externally generated perturbations can be made by additional test routines. This protection can easily be increased by using the ST9 Timer Watchdogbringing software reliability and security. With the Timer Watchdog the ST9 programmer may control the software execution. Additionally, when restarting the Timer Watchdog from values (AAh, 55h) located at the bottom of the system stack two new securities are added:

- test of the integrity of the Register File or the RAM space
- provision of a system reset in the case of stack overflow.



# STACK OVERFLOW PROTECTION

THE SOFTWARE INCLUDED IN THIS NOTE IS FOR GUIDANCE ONLY. SGS-THOMSON SHALL NOT BE HELD LIABLE FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL DAMAGES WITH RESPECT TO ANY CLAIMS ARISING FROM USE OF THE SOFTWARE.

Information furnished is believed to be accurate and reliable. However, SGS-THOMSON Microelectronics assumes no responsability for the consequences of use of such information nor for any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SGS-THOMSON Microelectronics. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied.

SGS-THOMSON Microelectronics products are not authorized for use as critical components in life support devices or systems without the express written approval of SGS-THOMSON Microelectronics.

© 1994 SGS-THOMSON Microelectronics - All rights reserved.

Purchase of I<sup>2</sup>C Components by SGS-THOMSON Microelectronics conveys a license under the Philips I<sup>2</sup>C Patent. Rights to use these components in an I<sup>2</sup>C system is granted provided that the system conforms to the I<sup>2</sup>C Standard Specification as defined by Philips.

SGS-THOMSON Microelectronics Group of Companies

Australia - Brazil - France - Germany - Hong Kong - Italy - Japan - Korea - Malaysia - Malta - Morocco - The Netherlands Singapore - Spain - Sweden - Switzerland - Taiwan - Thailand - United Kingdom - U.S.A.

