[SDMMC Mount] fix infinite loop when SD card is not responsive (IDFGH-9132)

[chipweinberger]

Related Issue: #10531

When the sd card is not responsive, we need to have reasonable timeouts to prevent infinite loops.

[atanisoft]

perhaps use ESP_RETURN_ON_FALSE (from esp_check.h) for this sort of check?

[igrr]

Additionally, I wouldn't rely on esp_log_timestamp, it is not guaranteed to be monotonic. I would suggest esp_timer_get_time, instead.

[chipweinberger]

I looked at ESP_RETURN_ON_FALSE, but I noticed it logs, which we don't need here.

[atanisoft]

@chipweinberger Fair point on logging, I'm on the fence if the timeout should be logged or not. It would be really nice if ESP_RETURN_ON_FALSE had a way to pass in a log level or a flag to say "don't log this"

[atanisoft]

perhaps use ESP_RETURN_ON_ERROR for this and similar usages.

[igrr]

Additionally, I wouldn't rely on esp_log_timestamp, it is not guaranteed to be monotonic. I would suggest esp_timer_get_time, instead.

[igrr]

Probably not necessary to log here, since it's not something that can happen in practice. (Clock update commands don't depend on the state of the Card Interface Unit, and as such shouldn't be blocked by the bus state.)

(Same comment for other sdmmc_host_clock_update_command error checks.)

[chipweinberger]

You must be mistaken? In my issue #10531, we get stuck in

I (5109) sdmmc_periph: sdmmc_host_clock_update_command() - SDMMC.clkena.cclk_enable &= ~BIT(slot);

And this other commenter hit sdmmc_host_clock_update_command() as well : #2986 (comment)

We should probably just leave it in.

[igrr]

Sorry, have overlooked that. In that case the fix might be a bit different than ignoring the fact that the clock update didn't happen. We might be missing to reset some part of the peripheral. I'll check it and come back with more details.

[chipweinberger]

Yes would be great to fix the underlying issue, in addition to having reasonable timeouts.

[chipweinberger]

lmk how things go, Ivan. Thanks.

[chipweinberger]

@igrr , updated the PR with the given feedback.

[chipweinberger]

@igrr , I audited all SDMMC code for potential infinite loops & added reasonable timeouts.

Please re-review.

[igrr]

The timeout constants are defined with _MS suffix (e.g. SDMMC_INIT_WAIT_DATA_READY_TIMEOUT_MS) but you are comparing them against the return value of esp_timer_get_time(), which is in microseconds.

[igrr]

The return type of esp_timer_get_time is int64_t, suggest using that for the variable type.

(applies to a bunch of other assignments, as well)

[igrr]

The name of this is confusing (to me, at least), since it's not really the transaction timeout being implemented here. Transaction timeout is defined by cmdinfo->timeout_ms. This is more like a state machine timeout? What kind of situation does it protect against?

Also, you can't return at this point, since the request mutex is still held — see out bail-out path below.

[chipweinberger]

Correct me if I'm wrong, but it is not just a state machine. It seems like it does active communication with the SD card, which is why I added a timeout.

For example:

static esp_err_t process_events(sdmmc_event_t evt, sdmmc_command_t* cmd,
        sdmmc_req_state_t* pstate, sdmmc_event_t* unhandled_events)

{
    while (next_state != state) {
            state = next_state; // note: this might still be the same state as before!
            switch (state) {

         case SDMMC_SENDING_DATA:
                  .....
                 // it looks like this code will loop until some 
                 // stop condition is set in the peripheral
                break;
}

[igrr]

The waiting-for-the-peripheral should happen outside of process_events, in the handle_event -> sdmmc_host_wait_for_event, which does know how to timeout.

process_events is only updating the sdmmc_req_state_t* pstate based on events recorded in sdmmc_event_t* unhandled_events. The loop in process_events has a condition while (next_state != state) {, which basically means that we are only looping while the state is changing. If we stay in the same state, then the function exits and we get back to sdmmc_host_wait_for_event until the next event arrives.

[chipweinberger]

If we stay in the same state, then the function exits and we get back to sdmmc_host_wait_for_event

So, could a broken SD card prevent us from exiting? i.e. by returning new events infinitely?

lmk if I should remove this check. From my understanding it seems like it could be hit with a broken SD card.

[igrr]

Not really, it's more like if the SDMMC peripheral suddenly stops following its documented state machine. I mean, it's okay to not trust the hardware, but if we sprinkle all the drivers for checks that the chip peripheral is not following its spec, it will be a mess to read and the code size will be impacted. So I do think this one is unnecessary.

(I agree with the other ones which are card behavior dependent, though.)

[chipweinberger]

Okay. removed!

[igrr]

esp_timer could be in PRIV_REQUIRES

[igrr]

Suggested change

	if (esp_timer_get_time() - t0 > SDMMC_WRITE_SECTORS_DMA_TIMEOUT_MS) {
	if (esp_timer_get_time() - t0 > SDMMC_READY_FOR_DATA_TIMEOUT_MS) {

(the data has already been written at this point, we are waiting for the card to become idle)

[igrr]

likewise, suggest SDMMC_READY_FOR_DATA_TIMEOUT_MS

[igrr]

suggest

Suggested change

	ESP_LOGE(TAG, "read: status cmd failed");
	ESP_LOGE(TAG, "%s: sdmmc_send_cmd_send_status returned 0x%x", __func__, err);

(similar to other error messages in this file)

[igrr]

Can be combined with the loop condition,

while (esp_timer_get_time() - t0 < SDMMC_HOST_CLOCK_UPDATE_CMD_TIMEOUT_MS) {

[chipweinberger]

True, but I think it's more readable to keep all the checks identical. Unnecessary complexity imo. Plus, readability wise it makes the return value less immediately clear, IMO.

[igrr]

Fair enough, I just thought someone might ask me to change this during code review. Let's leave it as is, for now.

[igrr]

I think it's not necessary to define these in a public header file, since these are an implementation detail.
There is no use for these macros in the application code.

(Once something is defined in a public header file, we need to take care to keep it backwards compatible.)

[chipweinberger]

Thanks for the review, Ivan!

[igrr]

sha=d7324be0348dd9f4990f4762b193427b4f8e05f2

[chipweinberger]

@igrr any updates? this seemed like a good simple change

[chipweinberger]

bump. Any blockers?

[adokitkat]

Hi @chipweinberger. The MR is currently in review stage needing just a few last accepts. Sorry for the wait. Hopefully it will be merged soon.

[AxelLin]

sha=d7324be0348dd9f4990f4762b193427b4f8e05f2

Just curious what does this comment mean?
People usually think this means the PR is merged internally and will be available publicly soon.
But the fact is it may take yet another months to get the fix in github. (And such long time is not a single case).
Several PRs are in "Sync-merge" state for months.

[igrr]

This type of a comment is a trigger for creating an internal merge request. This change is in review now, it was left unattended for a while but was recently picked up again.

[adokitkat]

The pull request was merged to master branch. Thank you for your contribution :) I will close this on GH as canceled but your commits are merged and will be shown in commit history after the GH master branch syncs with our internal master.