Flash address 0x27fd does not exist. Probably stack return address destroyed.
That's an odd assertion, Bob. How does flash address 0x27FD not exist?
Sorry, mis-calculated. Still assuming clobbered stack.
I checked that, but turns out it doesn't track. First, 27E3 is a valid return address (shown by the listing snippet) and is where the last RET in the trace returns to. (I didn't paste enough for you to see this, but I also verified that the code being returned from was legitimately executed from the call.) So as far as I can tell, it reached 27E3 exactly when it should have, and with its marbles intact. It's also in the stack exactly where you'd expect it, given the stack pointer values seen in the trace.
Second, the stack doesn't show anything that would explain a return to 0068. I didn't post that before, it didn't actually seem relevant since the stack wasn't in operation, but I've pasted it below to satisfy any curiosity.
But none of this involved the stack, or at least, it shouldn't have. JZ doesn't use the stack for anything. The fact is that a local jump to 27FD actually landed at 0068... the return had already been executed, so even a borked stack wouldn't explain the wayward jump. Also note that the stack pointer jumped from 4 to 7 and the flags all cleared. All during a simple JZ which, according to documentation, does not affect the flags at all, and can't jump more than 2048 bytes from the current PC+1.
This was recorded via Run, not Step, so any interrupts during that execution would have been recorded in the debug trace.
I did save a copy of the stack, so here it is.
0300 1B 03 26 DB 27 E3 07 00 ..&Û'ã..
0308 20 6F 85 C4 85 14 90 81 o.Ä....
0310 91 01 73 81 69 81 81 81 ..s.i...
0318 83 81 19 25 00 00 00 00 ...%....
The rest of page 3 is all zeros.
...On a separate note, I find it both odd and annoying that this forum allows you to apply all kinds of nice formatting options to your post, and then throws it away when you click Submit. The code in my OP should have been all nicely lined up with a fixed-width font. I don't know what you're seeing, but I'm not seeing that. For me, the entire post shows in a sans-serif proportional font.
... Oh, fer cryin' out loud. I also find it egregious that this forum allowed me to complete the above post without warning me that I wasn't logged in. When I clicked Submit it brought me to a login page and threw away all I'd written. Fortunately I was able to hit Back and copy my post into the clipboard before completing the action. I hereby invoke the Principle of Least Astonishment, violations of which Cypress has a lot to answer for. *sigh* I'll just add this to the list. (At least the post was still in a buffer and I was able to retrieve it. Google Plus, for one, will throw away everything I wrote when a glitch happens.)
Oh now, see, there. The reply kept the fixed-width font (stack trace) and shows it to me. Why not on OP? Jeez, Cypress, you're not even consistent. I'll see if I can edit the post and... uh... fix it in post. Hah hah.
Nope. Formatting shows in the edit screen but isn't applied. *sigh* I'll add it to the list.