[U-Boot-Users] Re: Redundant environment
Wolfgang Denk
wd at denx.de
Sat May 6 01:28:47 CEST 2006
Dear Tolunay,
in message <445B8086.9000404 at orkun.us> you wrote:
>
> This patch would solve the issue that exists today that when the
> "active" environment is lost/corrupted for some reason the "redundant"
> environment would contain an exact copy of the primary to have the board
> come up without requiring the need to redo the changes that was lost on
Actually I think that you will not acchieve this with your patch.
This is why I'm concerned. You see, if you feel better having this
patch I would not complain, but I am afraid that a lot of people
might just activate it because they think it would do them any good
when it doesn't (and actually it just hurts).
There is only one occasion when we have any significant likelyhood of
losing the environment data: this is when a call to "saveenv" fails
becaue either a) we have a power loss, b) we have an otherwise
induced reset of the CPU, or c) the flash sector that shall be
erased/written is failing.
So where exactly does your modification improve anything? Let's go
through this step by step.
Case 1: power loss/reset happens during the first "saveenv", i. e.
when writing the first copy of the new environment data.
In this case this first copy contains no valid data; the
second copy of the environment contains valid, but old data.
This is exactly the same as we have with the current imple-
mentation. I don't see any improvement.
Case 2: power loss/reset happens during the second "saveenv", i. e.
when writing the second copy of the new environment data.
In this case this first copy contains valid new data, while
the second copy of the environment does not contain valid
data.
In the current implementation, the first (and only) saveenv
would have completed, too, and the reset would hit after
leaving this part of code, so we had valid new data in the
first copy, and valid (but old) data in the second one.
Again, this is not an improvement. Actually I think the
current implementations is even more useful.
Case 3: A flash sector in the first copy of the environment becomes
defective while we erase or write it. In this case we will
see appropriate error conditions, and the "saveenv" command
will abort.
This is the same as case 1: no valid data in copy 1, valid,
but old data in copy 2; no difference between the existing
and your new implementation.
Case 4: A flash sector in the second copy of the environment becomes
defective while we erase or write it. In this case we will
see appropriate error conditions, and the "saveenv" command
will abort.
This is the same as case 2: valid new data in copy 1, no
valid data in copy 2 with your implementation, but probably
valid old data with the existing code.
I guess I must have missed some cases because there was none yet
where the new implementaion would improve the reliability. Please
fill in these missing cases.
But, and I think this is an undisputet fact, the current implemen-
tation needs only hald the number of erase/write cycles, so it causes
much less flash wear than your code. [Actually your code will see the
same level of flash wear as you have now without the redundant
environment enabled; it's that enabling the current implementation of
redundance *improves* flash lifetime by halfing the number of
erase/write cycles to the environment.]
> Among the things that can cause one environment to go corrupt would be
> charge decays in memory cells in aging flash, supply variations/noise
I think that the likelyhood of such a thing to happen during read
accesses only is infinitesimal.
> during erase/write and random memory corruption when power is
I agree that erase/write cycles are the critical phase where
corruption may happen, and which we want to try to protect with our
implementation. See above.
> interrupted while another section of flash memory is being written/erased.
I don't see how this could happen to flash. [Well, I've seen flash
corruption before; this was on Intel flash where you could write the
flash control commands to arbitrary addresses, so just copying a
binary image to a flash device could cause random write / erase
actions. But then, such devices should have hardware flash protection
(which you should enable, or you deserve what you get), or if you are
concerned about reliability you would avoid such devices like hell.]
> Sure these could cause other problems as well like if this issue happens
> for U-Boot code the system might become un-bootable. But at least we
> have full recovery for the case when it happens within U-Boot environment.
I'm not sure I can follow that logic. If you have some undetected and
unexpected memory corruption in your flash, and if you care about
reliability, then you must try to recognize such situations and halt
the system. Trying to continue in such an undefined state is too
hazardous.
So, can you please fill in the szenario where your modification would
really help to make the system more reliable?
Best regards,
Wolfgang Denk
--
Software Engineering: Embedded and Realtime Systems, Embedded Linux
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Our business is run on trust. We trust you will pay in advance.
More information about the U-Boot
mailing list