Description
@tannewt and I debugged a very weird problem in CircuitPython, and we think it's a micropython bug.
Here's what happened:
The GC layout is:
E (3011) gc: GC layout:
E (3011) gc: alloc table at 0x3fd80428, length 32001 bytes, 128004 blocks
E (3011) gc: finaliser table at 0x3fd88129, length 16001 bytes, 128008 blocks
E (3021) gc: pool at 0x3fd8bfc0, length 2048064 bytes, 128004 blocks
Block 128003 is an AT_HEAD and eventually is passed to gc_mark_subtree.. This causes gc_mark_subtree to call ATB_GET_KIND(128004). When block 1 is created with a finaliser, the first byte of the finaliser table becomes 0x2, but ATB_GET_KIND(128004) reads these bits as AT_TAIL, and then gc_mark_subtree references past the end of the heap, which happened to be past the end of psram on the esp32-s2
This is all kinda low probability, but happily we had a reproducible test case
We think that a possible solution is to ensure there's always one additional ATB entry, but wanted to kick it up to you to find out the right solution (or whether we're all wet in our diagnosis)