agent: post-erase verify must use register-mode read past 1 MB (#91)

widgetii · claude · web-flow · commit 6913b014c4c2 · 2026-05-11T23:44:10.000+03:00
## Summary `flash_verify_erased` (the post-erase smoke test) read sample bytes directly from `FLASH_MEM` (the memory-mapped window). On hi3516ev300 — and apparently every SoC where `flash_read_full` already takes the register-mode-read path with the comment *"boot mode memory window wraps at 1 MB on some SoCs"* — that direct read **wraps at 1 MB**. For any sector at flash offset ≥ `0x100000` the verify read returned bytes from `(offset % 0x100000)` instead of the actual just-erased sector, the bytes weren't `0xFF`, and the smoke test reported `ACK_FLASH_ERROR (0x02)` — even though the erase had completed cleanly. Visible on W25Q128 (16 MB NOR): 12 sectors of a kernel write completed, then sector 13 at flash offset `0x110000` failed. Same chip programmed fine via U-Boot's `sf write`, and the agent's higher-level CRC32 verify (which uses `flash_read()` indirectly) also succeeded when bypassing the smoke test — the bug was localised to this one read path. Fix: route the verify reads through `flash_read()`, the same register-mode SPI READ path `flash_read_full` has used since the 1 MB window workaround originally landed. ## Verification on rack pod `10.216.128.69` (hi3516ev300 + W25Q128) ``` Before fix: 0x00050000: OK in 6.4s CRC match=True ← <1 MB 0x000C0000: OK in 6.8s CRC match=True ← <1 MB 0x00110000: FAIL in 6.1s ← =1 MB + 0x10000 0x00350000: FAIL in 6.1s ← 3.3 MB 0x00F00000: FAIL in 6.1s ← 15 MB After fix: 0x00050000: OK in 6.4s CRC match=True 0x000C0000: OK in 6.3s CRC match=True 0x00110000: OK in 6.2s CRC match=True ✓ 0x00350000: OK in 6.3s CRC match=True ✓ 0x00F00000: OK in 6.3s CRC match=True ✓ ``` Full OpenIPC nor-neo install through the agent (kernel 2.0 MB + rootfs 4.2 MB) now completes end-to-end in **92 s at 81 KB/s sustained**, Linux boots to `openipc-hi3516ev300 login:`. ## Test plan - [ ] `uv run pytest tests/ -x -v --ignore=tests/fuzz` — 480 passed / 2 skipped - [ ] `make -C agent test HOST_CC=gcc` — 5406/5406 agent C tests pass - [ ] Regression: smaller writes (<1 MB) continue to work — verified on 0x50000 and 0xC0000 offsets. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Dmitry Ilyin <widgetii@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/agent/spi_flash.c b/agent/spi_flash.c
@@ -649,16 +649,26 @@ uint8_t flash_read_status(void) {
  * Samples first/last 16 bytes of the range — fast (one register-mode
  * cycle each) and high-signal: real silent-erase leaves the original
  * data verbatim, which is essentially never all-FF in practice.
- * Returns 0 if all sampled bytes are 0xFF, -1 otherwise. */
+ * Returns 0 if all sampled bytes are 0xFF, -1 otherwise.
+ *
+ * Uses flash_read() (register-mode SPI READ) instead of direct
+ * memory-mapped access.  The boot-mode memory window at FLASH_MEM
+ * wraps at 1 MB on some SoCs (hi3516ev300 confirmed), so for any
+ * sector at offset ≥ 0x100000 a direct memory-mapped read returns
+ * stale data from sector (addr % 0x100000) and falsely fails the
+ * verify even though the erase succeeded. flash_read() goes through
+ * the FMC's normal-mode SPI READ path which addresses the full chip. */
 static int flash_verify_erased(uint32_t addr, uint32_t len) {
-    const uint8_t *p = (const uint8_t *)(FLASH_MEM + addr);
-    uint32_t head = len < 16 ? len : 16;
+    uint8_t buf[16];
+    uint32_t head = len < sizeof(buf) ? len : sizeof(buf);
+    flash_read(addr, buf, head);
     for (uint32_t i = 0; i < head; i++) {
-        if (p[i] != 0xFF) return -1;
+        if (buf[i] != 0xFF) return -1;
     }
     if (len > 32) {
-        for (uint32_t i = len - 16; i < len; i++) {
-            if (p[i] != 0xFF) return -1;
+        flash_read(addr + len - sizeof(buf), buf, sizeof(buf));
+        for (uint32_t i = 0; i < sizeof(buf); i++) {
+            if (buf[i] != 0xFF) return -1;
         }
     }
     return 0;
