jefe: fix comparison inversion in timeout handling

cbiffle · cbiffle · commit 43e13b955df9 · 2025-09-19T15:38:40.000-07:00
We recently taught Jefe to impose a restart delay before standing back
up a crashing task. However, the implementation contained a logic error
that could manifest in certain corner cases: it would actually restart
the task _the first time it considered it,_ but only if the deadline
hadn't actually elapsed yet.

Once the deadline elapsed, Jefe would enter an infinite loop of setting
its own timer into the past and responding to the notification, never
yielding the CPU.

It turns out this is relatively easy to trigger by putting a task into a
fast crashloop -- I hit this when forcing the I2C driver to crash while
chasing an unrelated bug.

This commit flips the timestamp comparison logic to implement the
restart timeout for reals, causing Jefe to tolerate fast crashloops
without taking the system down.
diff --git a/task/jefe/src/main.rs b/task/jefe/src/main.rs
@@ -358,19 +358,26 @@ impl idol_runtime::NotificationHandler for ServerImpl<'_> {
         external::check(self.task_states, now);
 
         if bits.has_timer_fired(notifications::TIMER_MASK) {
-            // If our timer went off, we need to reestablish it
+            // If our timer went off, we need to reestablish it. Compute a
+            // baseline deadline, which will be adjusted _down_ below when
+            // processing tasks, if necessary.
             if now >= self.deadline {
                 self.deadline = now.wrapping_add(u64::from(TIMER_INTERVAL));
             }
+
             // Check for tasks in timeout, updating our timer deadline
             if core::mem::take(&mut self.any_tasks_in_timeout) {
                 for (index, status) in self.task_states.iter_mut().enumerate() {
                     if let TaskState::Timeout { restart_at } = &status.state {
-                        if *restart_at >= now {
+                        if *restart_at <= now {
+                            // This deadline has elapsed, go ahead and stand it
+                            // back up.
                             kipc::reinit_task(index, true);
                             status.state =
                                 TaskState::Running { started_at: now };
                         } else {
+                            // This deadline remains in the future, min it into
+                            // our next wake time.
                             self.any_tasks_in_timeout = true;
                             self.deadline = self.deadline.min(*restart_at);
                         }
