Carl-Daniel Hailfinger wrote:
> One hour, probably longer. A payload is not guaranteed to poke the TCO timer, so as long as the payload is running, the TCO timer could fire in theory.

Yes, in the end we have to disable the watchdog before jumping to the payload, or we will only be able to support payloads we get our hands on.

> To be honest, I care mostly about v3, so if there is no strong opposition to this in v2, I won't authoritatively veto it although I think even risking an interrupt before we can handle it is bad design.

The watchdog is quite unrelated to interrupts in the common sense.

> However, once that code comes anywhere near v3, expect it to explode badly, especially when the machine is already unable to boot and loads recovery code over serial. Do not expect us to sprinkle watchdog pokes all over the codebase in v3.

It might be worth thinking about this, though. It's not uglier than sprinkling the code with post_ outputs or print_debug and it would force developers to think carefully about their loops and exit conditions.
Stefan