-
Notifications
You must be signed in to change notification settings - Fork 194
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FirmwareInfo has wrong sizes for fields #411
Comments
Can you give an example of a value in |
A time longer than that will likely never happen. But in theory (i.e. when the fields are manually overwritten) it would be possible. The version field does however provide a problem (e.g. from git describe: 1.23.45-67-g1234567-dirty would be 25 characters long). |
Excuse my ignorance, but from where is |
By default, ESP-IDF uses There are three options of how to avoid this issue:
Those "solutions" aren't really solutions tough. If esp-idf supports 32 characters for a version string, esp-idf-svc needs to be able to deal with that somehow. |
But we also can't just extend the existing fields of Open to ideas how we van extend the |
Firstly, I'd really like to see the unwrap() calls disappear there, right now I can't use esp-idf-svc to check what is on my OTa partitions as I cannot be sure it won't crash my device. I feel a call to something like EspOta::get_running_slot() should just never panic but return errors where relevant.
I'd think that just increasing the lengths of the strings is likely to be limited as heapless::String<24> and heapless::String<32> will largely support all the same operations. And where it doesn't there probably is a compile error which is trivial to fix. Additionally, given that a default build causes crashes and/or incorrect version numbers I doubt it's used much anyway. Personally, given the choice between having backwards compatibility or risk a device bootlooping because one of the partitions contains a app with the default version produced by IDF I'd take the breaking change. |
For a possible blast-radius i checked esp-hal, and there usage of embedded-svc. They are currently only using it in esp-wifi and don't use the ota stuff if i see correctly. So at least we would not break there anything. But yeah as a minimal solution we should at least add something to the |
Did you guys read this? |
Yes, I did, but I might be missing something. This is how I think thing would work out if FirmwareInfo struct would have some fields be extended, please correct me if I'm wrong: I'd expect the new code to be compile time incompatible with existing rust code in a few usage scenarios, I'd expect the compiler to catch these cases forcing the code changes needed to happen. As such it could be a breaking change at compile time for some users (but I doubt it). But, as far as I can see, it should not negatively affect the actual upgrading of devices as it does not affect the format of the actual binary in any way (that is dictated by IDF). The current code will deal with application images and partitions as long as the version field does not exceed 24 bytes. Changed code will handle those just fine as well, but also deal with images containing a longer version field. Extending the field in FirmwareInfo will not change the way version numbers are generated in any way, so if OTA updates are currently working they should still work both for upgrades and downgrades after that change. So unless you refer to something else when you say it might break 'older upgrades', I really don't see anything bad happening if those fields are extended. |
I agree. The one and only problem with simply extending the fields is that it makes it too easy for folks which already have production deployments of firmware with shorter fields to eventually forget that even though they now have fields which can take longer data - they must use shorter data in those forever. Or at least until they can guarantee that the last device they have ever sold/deployed in the field is running with a newer firmware that supports reading the longer fields. This is not something that you can necessarily catch during testing, because - after a few release iterations you might forget that you might still be having devices with old firmware that can only read shorter fields. Then you'll release firmware with long data in the fields, and suddenly any laggers out there in the field which are like 10 versions behind your latest firmware will not be upgradable to it. That's all. I think we can live with that though, as long as we do something along the lines of what @Vollbrecht suggests - at compile time - issue a warning if a firmware is generated which puts longer data in the fields than the current limits. This warning might be annoying for newcomers which are just about to release their first production firmware, but might help folks who are already in production. Also: I might be extra paranoid here, but this is OTA, and we must be careful. I've been yelled at twice already for other OTA changes, which are not even changing the firmware format (just changing the API). The other thing I would like that we are exploring is getting rid (if at all possible) from the heapless fields in the If it is not clear, having |
I appreciate the paranoia, OTA is one of those 'better safe then sorry' things ;) I've done some testing with the most basic implementation of an OTA update, something like this:
That does not create any FirmwareInfo objects but just calls into IDF directly. A quick test confirms this code does successfully update to a version containing a 29 bytes version string. It's only when the Another thing to be aware of: The docs for the ESP app image format have this note:
So the actual length would be 31 characters, not 32. I like the idea of getting rid of
This would have the added benefit that creating the FirmwareInfo can never fail as it just takes the bytes. Any error handling is moved into the accessor functions and there is the option to inspect the raw data if needed. And once you get into the idea of accessor functions, maybe FirmwareInfo can just be a trait implemented on |
Well this is a bit like re-inventing I was rather thinking (but that might be impossible) to lifetime the
Yes, this seems much cleaner! Also cleaner than my I think we need to experiment with this a bit (that is - making The big benefit is that if we need to keep Would you like to drive this? |
I wouldn't mind giving it a go, but it will be end of august at the earliest as I'll be on vacation. I somebody else wants to pick it up before that I'm fine with that too. |
Currently,
FirmwareInfo
is defined as follows:However, the fields
version
andreleased
are too small. Theesp_app_desc_t
struct definesversion
to be 32 characters long.time
anddate
are both 16 bytes long, which would require 33 bytes in total forreleased
(becausereleased
is currently formatted as"{date} {time}"
).This is currently an issue, because if the version contained in the binary is longer than 24 bytes, this line will cause a panic.
Changing the length probably requires changing it in embedded-svc as well. The alternative (but worse) solution would be to trim both version and release date info.
The text was updated successfully, but these errors were encountered: