CMSIS Part 12: Memory Management in Embedded Systems

Heap Fragmentation

Heap fragmentation occurs when free memory exists as many small non-contiguous chunks rather than one large contiguous block. A heap containing 8 KB of free memory split into 512 individual 16-byte fragments cannot satisfy a 1 KB allocation even though 8 KB is available. In long-running embedded systems, fragmentation grows monotonically unless the allocation pattern is perfectly predictable — which it rarely is.

Recognising Fragmentation in Practice

The classic symptom is an allocation failure that appears only after hours of operation — the system runs fine in the lab, then fails in the field. FreeRTOS's xPortGetFreeHeapSize() returns total free bytes but cannot tell you whether a 2 KB contiguous block is available. Use xPortGetMinimumEverFreeHeapSize() during development to find the low-water mark, and monitor allocation failures by overriding vApplicationMallocFailedHook().

FreeRTOS Heap4 vs Pure Static Allocation

/**
 * FreeRTOS static allocation: eliminate heap entirely for RTOS objects.
 * Set configSUPPORT_STATIC_ALLOCATION 1 in FreeRTOSConfig.h.
 *
 * Benefits:
 *   - RTOS objects use zero heap space
 *   - Sizes verified at compile time (linker reports overflow)
 *   - No malloc failure path for RTOS internals
 */
#include "FreeRTOS.h"
#include "task.h"
#include "queue.h"
#include "semphr.h"

/* --- Static task creation --- */
#define TASK_STACK_WORDS   256U   /* Stack size in 32-bit words = 1 KB */

static StaticTask_t  g_sensor_task_tcb;
static StackType_t   g_sensor_task_stack[TASK_STACK_WORDS];
static TaskHandle_t  g_sensor_task_handle;

/* --- Static queue creation --- */
#define QUEUE_DEPTH   16U
#define ITEM_SIZE     sizeof(uint32_t)

static StaticQueue_t  g_data_queue_struct;
static uint8_t        g_data_queue_storage[QUEUE_DEPTH * ITEM_SIZE];
static QueueHandle_t  g_data_queue;

/* --- Static mutex creation --- */
static StaticSemaphore_t g_spi_mutex_struct;
static SemaphoreHandle_t g_spi_mutex;

void app_create_rtos_objects(void) {
    /* Create task with static memory — returns NULL only on bad params */
    g_sensor_task_handle = xTaskCreateStatic(
        sensor_task_fn,           /* task function           */
        "SensorTask",             /* debug name              */
        TASK_STACK_WORDS,         /* stack depth in words    */
        NULL,                     /* task parameter          */
        3U,                       /* priority                */
        g_sensor_task_stack,      /* stack buffer            */
        &g_sensor_task_tcb        /* TCB storage             */
    );
    configASSERT(g_sensor_task_handle != NULL);

    g_data_queue = xQueueCreateStatic(QUEUE_DEPTH, ITEM_SIZE,
                                      g_data_queue_storage,
                                      &g_data_queue_struct);
    configASSERT(g_data_queue != NULL);

    g_spi_mutex = xSemaphoreCreateMutexStatic(&g_spi_mutex_struct);
    configASSERT(g_spi_mutex != NULL);
}

/* Required when configSUPPORT_STATIC_ALLOCATION=1 */
void vApplicationGetIdleTaskMemory(StaticTask_t **ppxIdleTaskTCBBuffer,
                                   StackType_t  **ppxIdleTaskStackBuffer,
                                   uint32_t      *pulIdleTaskStackSize) {
    static StaticTask_t idle_tcb;
    static StackType_t  idle_stack[configMINIMAL_STACK_SIZE];
    *ppxIdleTaskTCBBuffer   = &idle_tcb;
    *ppxIdleTaskStackBuffer = idle_stack;
    *pulIdleTaskStackSize   = configMINIMAL_STACK_SIZE;
}

RTOS Memory Pools

CMSIS-RTOS2 provides a standardised memory pool API that wraps the underlying RTOS pool implementation (FreeRTOS, Keil RTX5, Zephyr). The API offers deterministic O(1) allocation and deallocation with bounded latency — safe to call from tasks and, on some RTOS implementations, from ISRs.

CMSIS-RTOS2 Memory Pool API

/**
 * CMSIS-RTOS2 memory pool: deterministic fixed-block allocation.
 * osMemoryPoolNew / osMemoryPoolAlloc / osMemoryPoolFree
 *
 * The pool is backed by statically-allocated storage when using
 * static attributes — no heap involved.
 */
#include "cmsis_os2.h"

/* Define block type: 32-byte message descriptor */
typedef struct {
    uint32_t  timestamp_ms;
    uint16_t  sensor_id;
    uint16_t  flags;
    float     value;
    uint8_t   payload[16];
} SensorMsg_t;

#define MSG_POOL_CAPACITY   20U

/* Static backing storage for the pool (optional — avoids heap) */
static osMemoryPoolAttr_t pool_attr = {
    .name      = "SensorMsgPool",
    .attr_bits = 0U,
    .cb_mem    = NULL,   /* let RTOS allocate control block */
    .cb_size   = 0U,
    .mp_mem    = NULL,   /* let RTOS allocate block storage */
    .mp_size   = 0U
};

static osMemoryPoolId_t g_msg_pool;

void pool_demo_init(void) {
    g_msg_pool = osMemoryPoolNew(MSG_POOL_CAPACITY,
                                  sizeof(SensorMsg_t),
                                  &pool_attr);
    if (g_msg_pool == NULL) {
        /* Fatal: pool creation failed — check heap config */
        while(1) {}
    }
}

void sensor_task(void *arg) {
    osMessageQueueId_t queue = (osMessageQueueId_t)arg;

    for (;;) {
        /* Allocate a message block — O(1), bounded latency */
        SensorMsg_t *msg = (SensorMsg_t *)osMemoryPoolAlloc(g_msg_pool,
                                                             osWaitForever);
        if (msg == NULL) { continue; }  /* should not happen with osWaitForever */

        /* Fill message */
        msg->timestamp_ms = osKernelGetTickCount();
        msg->sensor_id    = 1U;
        msg->value        = read_adc_voltage();

        /* Post to queue */
        osStatus_t status = osMessageQueuePut(queue, &msg, 0U, 0U);
        if (status != osOK) {
            /* Queue full: return block to pool immediately */
            osMemoryPoolFree(g_msg_pool, msg);
        }
    }
}

void comms_task(void *arg) {
    osMessageQueueId_t queue = (osMessageQueueId_t)arg;
    SensorMsg_t *msg;

    for (;;) {
        osStatus_t status = osMessageQueueGet(queue, &msg, NULL, osWaitForever);
        if (status == osOK) {
            transmit_over_uart((uint8_t *)msg, sizeof(SensorMsg_t));
            /* Return block to pool after use — O(1) */
            osMemoryPoolFree(g_msg_pool, msg);
        }
    }
}

Stack Overflow Detection

Stack overflows are the most common cause of silent corruption in embedded RTOS firmware. A task that overflows its stack writes into the adjacent RTOS TCB or the next task's stack — corrupting kernel state silently. By the time the bug manifests, the call stack is meaningless. Early detection is essential.

Stack Watermark Checking with 0xDEADBEEF Pattern

/**
 * Stack watermark detection: fill stack with sentinel pattern at startup,
 * scan from the base upward to find the high-water mark at runtime.
 *
 * FreeRTOS provides this automatically when configCHECK_FOR_STACK_OVERFLOW >= 1
 * and uxTaskGetStackHighWaterMark() is called periodically.
 *
 * For bare-metal or custom RTOS, implement manually as shown below.
 */
#include 
#include 

#define STACK_SENTINEL   0xDEADBEEFUL
#define TASK_STACK_SIZE  1024U    /* bytes */

/* Statically allocated task stack */
static uint32_t g_task_stack[TASK_STACK_SIZE / 4U];

/**
 * @brief Fill task stack with sentinel pattern.
 *        Call before starting the scheduler.
 */
void stack_watermark_init(uint32_t *stack_base, size_t word_count) {
    for (size_t i = 0U; i < word_count; i++) {
        stack_base[i] = STACK_SENTINEL;
    }
}

/**
 * @brief Scan stack from base to find high-water mark.
 * @return Number of words still containing the sentinel (unused stack words).
 *         Zero means the stack has completely overflowed.
 */
size_t stack_watermark_check(const uint32_t *stack_base, size_t word_count) {
    size_t unused = 0U;
    for (size_t i = 0U; i < word_count; i++) {
        if (stack_base[i] == STACK_SENTINEL) {
            unused++;
        } else {
            break;  /* First modified word = bottom of used stack */
        }
    }
    return unused;
}

void monitor_task(void *arg) {
    for (;;) {
        size_t unused = stack_watermark_check(g_task_stack,
                                              sizeof(g_task_stack) / 4U);
        size_t used   = (sizeof(g_task_stack) / 4U) - unused;

        /* Log or assert: less than 64 words (256 bytes) remaining is danger */
        if (unused < 64U) {
            /* Log: "STACK LOW: task used %u/%u words", used, total */
            configASSERT(0);  /* Halt in debug builds */
        }

        osDelay(1000U);  /* Check every second */
    }
}

MPU-Based Memory Protection

The Memory Protection Unit (MPU) on Cortex-M3/M4/M7/M33 allows you to configure up to 8 or 16 memory regions with individual access permissions. The most powerful use case for embedded firmware is the stack guard page: configure a small no-access region immediately below each task stack. When a stack overflow occurs, the CPU attempts to write into the guard region, immediately triggers a MemFault exception with precise fault address information — caught at the point of overflow, not silently afterwards.

MPU Stack Guard Page Configuration

/**
 * MPU stack guard: configure a no-access region one cache line (32 bytes)
 * below the task stack. Stack overflow triggers MemFault immediately.
 *
 * Cortex-M4/M7: uses ARMv7-M MPU (8 regions, base+size format).
 * Cortex-M33:   uses ARMv8-M MPU (16 regions, base+limit format).
 *
 * This example targets ARMv7-M (STM32F4).
 */
#include "core_cm4.h"

/* Task stack: 4 KB aligned (MPU regions must be power-of-2 aligned) */
__attribute__((aligned(4096)))
static uint8_t g_task_stack_buf[4096];

/**
 * @brief Configure MPU region 7 as a no-access guard below the stack.
 *
 * ARMv7-M region encoding:
 *   RASR AP[26:24] = 0b000 → no access (any access triggers MemFault)
 *   RASR SIZE[5:1] = 0b00100 → 32 bytes region
 *   RASR ENABLE[0] = 1
 */
void mpu_configure_stack_guard(void) {
    /* Disable MPU before configuration */
    MPU->CTRL = 0U;

    /* Region 7: 32-byte no-access guard at stack base */
    MPU->RNR  = 7U;
    MPU->RBAR = (uint32_t)g_task_stack_buf | MPU_RBAR_VALID_Msk | 7U;
    MPU->RASR = (0x00UL << MPU_RASR_AP_Pos)   |  /* No access       */
                (0x04UL << MPU_RASR_SIZE_Pos)  |  /* 32 bytes        */
                MPU_RASR_ENABLE_Msk;

    /* Enable MPU with default memory map for privileged accesses,
       and fault on NMI and hard fault handlers accessing guard region */
    MPU->CTRL = MPU_CTRL_ENABLE_Msk
              | MPU_CTRL_PRIVDEFENA_Msk;

    __DSB();
    __ISB();
}

/**
 * @brief MemFault handler: examine SCB->MMFAR for fault address.
 *        A MMFAR pointing to the guard region confirms stack overflow.
 */
void MemManage_Handler(void) {
    uint32_t fault_addr = 0U;
    if (SCB->CFSR & SCB_CFSR_MMARVALID_Msk) {
        fault_addr = SCB->MMFAR;
    }

    /* Determine if fault address is in stack guard region */
    if (fault_addr >= (uint32_t)g_task_stack_buf &&
        fault_addr <  (uint32_t)g_task_stack_buf + 32U) {
        /* Confirmed stack overflow — log and halt */
        /* In production: trigger watchdog reset, preserve fault info in RTC backup */
    }

    while (1) { __NOP(); }
}

Common Embedded Memory Bugs

Exercises

Memory Strategy Planner

Use this tool to document your project's memory management strategy — MCU, allocation approach, memory pool inventory, stack guard configuration, and MPU regions. Download as Word, Excel, PDF, or PPTX for architecture review documentation.

Conclusion & Next Steps

In this article we have built a complete embedded memory management toolkit:

• Static allocation is the foundation — zero runtime overhead, verifiable at link time, MISRA-compliant. Use it wherever objects have fixed lifetime and known size.
• Fixed-size memory pools give you O(1) deterministic allocation for variable-lifetime objects — the correct replacement for malloc() in real-time firmware.
• CMSIS-RTOS2 osMemoryPool provides a standardised pool API that works across FreeRTOS, RTX5, and Zephyr — write once, run on any CMSIS-RTOS2 implementation.
• FreeRTOS static allocation (xTaskCreateStatic, xQueueCreateStatic) eliminates the heap entirely for RTOS objects — strongly recommended for production firmware.
• Stack watermark scanning with a sentinel pattern gives you high-water mark data during testing; MPU stack guard pages give you hard real-time overflow detection in production.
• The common memory bug table — stack overflow, fragmentation, double-free, dangling pointer, null dereference — gives you a diagnostic checklist for when memory-related faults appear.