The effect also affects periodic timers, but with a very low frequency.

Extended test & results:
https://github.com/espressif/esp-idf/issues/8234#issuecomment-1013650548

The test run had 3 periodic callback dupes while counting 5912 single shot callback dupes.

Timer usages in the OVMS aside events are a) the housekeeping per second timer, from which the monotictime and all standard tickers are derived, and b) the update ticker for websocket connections.

Vehicles using timers are: Nissan Leaf, Tesla Roadster, Renault Twizy & VW e-Up. I suggest the respective maintainers check their timer uses for issues that might result from a duplicate callback.

The event timer already detects duplicate invocations and produces the log warning (see below) on this.

Regarding the main ticker timer: a duplicate call would cause the monotonictime counter to get ouf of sync with the actual system time, but I don't think we would rely on that anywhere. More serious could be that the per second ticker can run twice on the same second in this case. But I also don't think we rely on a mininum execution interval as well -- after all, these are software timers and generally not guaranteed to run in exactly the interval they are defined to run. We use the monotonictime for some expiry checks, but none of these should be so low a single skipped second would matter.

So I don't think the housekeeping ticker running occasionally twice would cause an issue. I do remember though I had an issue with the monotonictime behaving strangely once, but I don't recall the exact issue.

The websocket timer is used to schedule data updates, metrics etc., for the websocket clients. It does not rely on a minimum interval as well, and the occasional queue overflow events we see there are more probably caused by a slow network / client.

The vehicle uses of timers may be more critical, as they seem to involve protocol timing, I recommend to check these ASAP.

A simple strategy to detect duplicate calls on periodic timers can be to keep & compare the FreeRTOS tick count (xTaskGetTickCount()) of the last execution in some static variable, if it's the same, skip the run.

For single shot timers, the strategy I've used in the events framework seems to work: use the timer ID to check the call validity, i.e. define some timer ID property to mark an invalid call and set that property in the callback.

Regards,
Michael

Am 14.01.22 um 09:43 schrieb Michael Balzer:

The effect is also present with SPIRAM disabled (and 64K for cpuload_task to fit in internal RAM), and it's even more frequent when running in single core mode.

I haven't reviewed all our timers yet, I'll try to test periodic timers first for the effect so we know if these need to be reviewed also.

Regards,
Michael

Am 14.01.22 um 06:50 schrieb Mark Webb-Johnson:

Good to hear this has been confirmed in a test case.

Do we need to review all our use of timers? Or have you already checked?

I wonder if it is reproducible single core and without SPI RAM? Whether this is another ESP32 hardware bug affecting something else...

Regards, Mark.

On 14 Jan 2022, at 12:03 AM, Michael Balzer <dexter@expeedo.de> wrote:

Signed PGP part

Everyone,

I've managed to reproduce the effect on a standard ESP32 development board with a simple test project only involving timers, some CPU/memory load & wifi networking.

I've tested both the standard esp-idf release 3.3 and the latest esp-idf release 4.4 (using gcc 8.4) for this, and the effect is still present.

→ Bug report: https://github.com/espressif/esp-idf/issues/8234

Attached are my test projects if you'd like to reproduce this or improve the test.

I haven't tested periodic timer callbacks yet for the effect. These are normally designed to run periodically, but if the timing is important (e.g. on some CAN transmission?), this could cause erroneous behaviour as well.

Regards,
Michael

Am 30.12.21 um 19:25 schrieb Michael Balzer:

Followup to…

Am 26.09.21 um 19:28 schrieb Michael Balzer:

If so, my conclusions so far would be:

a) we've got a real heap corruption issue that sometimes gets triggered by the test. I've had it twice around the same place, i.e. within the scheduled event processing. I'll check my code.

Am 26.09.21 um 18:46 schrieb Craig Leres:

Second crash on the production module, CORRUPT HEAP after ~350 minutes.

OVMS# CORRUPT HEAP: Bad head at 0x3f8adc78. Expected 0xabba1234 got 0x3f8adcc0
abort() was called at PC 0x400844c3 on core 0

I've found the heap corruption source and a new bug class:

The corruption was caused by a duplicate free() (here via delete), which was basically impossible: it was the free() call for the event message for a delayed event delivery. There is exactly one producer (OvmsEvents::ScheduleEvent) and exactly one consumer (OvmsEvents::SignalScheduledEvent), which is called exactly once -- when the single shot timer expires.

In theory. In reality, the timer callback occasionally gets executed twice. To exclude every possible race condition, I enclosed both producer & consumer into a semaphore lock. I then changed the code in order to clear the timer payload as soon as it's read, and added a test for a NULL payload -- and voila, the timer callback now gets occasionally called with a NULL payload, which is also impossible as the allocation result is checked in the producer.

I've had no luck reproducing this in a reduced test project, even with multiple auto reload timers and distribution over both cores, but I still see no other explanation than a bug in the FreeRTOS timer service (or the Espressif FreeRTOS multi core adaption). Ah, and yes, this occurs on the ESP32/r3 as well.

You should be able to reproduce the effect using the same event test loop as for the Duktape TypeError issue: https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3/issues/474#issuecomment-1002687055

My workaround prevents crashes and outputs a log entry when the NULL payload is detected.

Example log excerpt:

script eval 'testcnt=0; PubSub.subscribe("usr.testev", function(ev) { var ms=Number(ev.substr(11))||10; if (++testcnt % (3*1000/ms) == 0) print(ev + ": " + testcnt); OvmsEvents.Raise("usr.testev."+ms, ms); })'
script eval 'testcnt=0; OvmsEvents.Raise("usr.testev.10")'
I (13493019) events: ScheduleEvent: creating new timer
W (13495919) events: SignalScheduledEvent: duplicate callback invocation detected
I (13497029) ovms-duk-util: [eval:1:] usr.testev.10: 300
I (13501109) housekeeping: 2021-12-30 18:12:35 CET (RAM: 8b=64448-67004 32b=6472)
--
I (13521779) ovms-duk-util: [eval:1:] usr.testev.10: 2100
I (13525809) ovms-duk-util: [eval:1:] usr.testev.10: 2400
W (13527579) events: SignalScheduledEvent: duplicate callback invocation detected
W (13527629) events: SignalScheduledEvent: duplicate callback invocation detected
I (13529839) ovms-duk-util: [eval:1:] usr.testev.10: 2700
I (13533329) ovms-server-v2: Incoming Msg: MP-0 AFA
--
I (13579149) ovms-duk-util: [eval:1:] usr.testev.10: 6300
I (13583319) ovms-duk-util: [eval:1:] usr.testev.10: 6600
W (13584679) events: SignalScheduledEvent: duplicate callback invocation detected
I (13587439) ovms-duk-util: [eval:1:] usr.testev.10: 6900
I (13591589) ovms-duk-util: [eval:1:] usr.testev.10: 7200
--
I (13714299) ovms-duk-util: [eval:1:] usr.testev.10: 16200
I (13718339) ovms-duk-util: [eval:1:] usr.testev.10: 16500
W (13718719) events: SignalScheduledEvent: duplicate callback invocation detected
I (13722459) ovms-duk-util: [eval:1:] usr.testev.10: 16800
I (13726509) ovms-duk-util: [eval:1:] usr.testev.10: 17100
--
I (13743149) ovms-duk-util: [eval:1:] usr.testev.10: 18300
I (13747129) ovms-duk-util: [eval:1:] usr.testev.10: 18600
W (13748979) events: SignalScheduledEvent: duplicate callback invocation detected
I (13751299) ovms-duk-util: [eval:1:] usr.testev.10: 18900
I (13755349) ovms-duk-util: [eval:1:] usr.testev.10: 19200
--
I (13784029) ovms-duk-util: [eval:1:] usr.testev.10: 21300
I (13788059) ovms-duk-util: [eval:1:] usr.testev.10: 21600
W (13791409) events: SignalScheduledEvent: duplicate callback invocation detected
I (13792179) ovms-duk-util: [eval:1:] usr.testev.10: 21900
I (13796239) ovms-duk-util: [eval:1:] usr.testev.10: 22200
…


The bug frequency differs from boot to boot, but as you can see can be very high. I've had runs with ~ 1 occurrence every 300.000 callbacks, and runs like the above with ~ 1 every 3.000 callbacks.

If this is a common effect with timer callbacks, that may cause some of the remaining issues. It's possible this only happens with single shot timers, haven't checked our periodic timers yet.

Any additional input on this is welcome.

Regards,
Michael

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26

<test-timer-dupecall.zip>

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26