The RISC-V Debug Specification (current release 1.0.0-rc4) in Section
A.2 states that the PMP must not disallow accesses to addresses of the
Debug Module when the hart is in debug mode, regardless of how the PMP
is configured. This commit changes the PMP accordingly.
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
The previous code here was a bit too hacky, so implement a solution that
directly follows the suggestion in the Cadence support article.
An example was also added to make it clear what this transformation is
achieving.
Add some more typehints, and cleanup names.
Signed-off-by: Harry Callahan <hcallahan@lowrisc.org>
It appears that VCS require expression after `iff` to be wrapped inside
parenthesis otherwise it will complain about syntax error.
This should fix the weekly VCS regression.
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Previously the riscv_rf_intg_test skipped certain scenarios where an ECC
error from the register file should trigger an alert. This change stops
it from skipping those scenarios.
A spurious response is one that isn't associated with any on-going
request. With this new feature the memory agent can generate them
randomly when the interface is idle (i.e. there are no outstanding
requests).
This test injects a fault into different MuBi encoded signals within
the prim_ram_1p_scr and prim_ram_1p_adv and checks whether a fatal
alert is triggered.
I have excluded the addr_match signal from FI as its encoding
is not directly checked. If the signal was a MuBi True, a
fault into it is treated by the mubi4_and_hi as a False.
If the signal was a MuBi False, a fault into it is treated
by the mubi4_and_hi also as a False. Hence, no address
collision occurs and the holding register is not returned.
This PR is based on #2182 and closes#2173.
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
When an interrupt is raised the Ibex controller will move from the
DECODE state to the IRQ_TAKEN state when it chooses to handle the
interrupt. When in IRQ_TAKEN it's possible for the interrupt state to
change again which aborts the interrupt entry. This leads to mis-matches
against cosim.
This change adds a warning to flag up cases where this has occurred to
enable quick triage of failures related to this scenario.
The 'pre_val' MIP addresses the scenario where MIP changes as an
instruction is excuting, this means a CSR instruction can observe a
different MIP from the one that decides whether or not that instruction
will be interrupted.
Where an access is unaligned Ibex splits it into two transactions, each
of which undergoes a PMP check. It is possible for the first half to
fail a PMP check and the second to succeed and hence produce a request
on the memory interface.
In Spike it accesses memory byte by byte and if it encounters a PMP
error for a particular byte it won't try any further bytes.
This results in a mis-match between Ibex and spike when an unaligned
transaction is split across two PMP regions, one of which allows the
access and the other doesn't. Ibex generates a transaction and spike
doesn't producing an error.
This adds a fixup into the co-simulation environment. It detects when we
have an access that fails PMP that is misaligned. Where this has
resulted in Ibex producing a memory request that spike would not we
remove it from the list of memory requests to check after checking that
the request passes PMP within spike.
Previous code working with clocking blocks synced to the raw clock
event. Instead they should sync to the clocking block event. This
ensures the values being read are the latest values rather than a cycle
old.
In particular for ibex_mem_intf_agent this meant it was unable to
produce a single cycle response to any memory transaction. With this fix
these are now observed.
The DV flow is expecting log files to be produced with a particular file
name, without it the reporting mechanisms do not work correctly. This
adds VCS log output to a named rather rather than just capturing stdout.
Previously some $value$plusargs calls weren't explictly specifying a
format for a number to read from the plusarg. Under some simulators this
is acceptable under others it generates an error.
An instruction stall on a FENCE.I had been mistakenly placed in an
illegal bin. A FENCE.I acts much like a branch or jump so can produce
instruction stalls just as those instructions can.
It's possible for a TestRunResult to contain an entry that has a path to
a build/run artifact but for that to be None rather than an actual path.
This causes the collect_results.py script to fail.
With this change such paths will be described as 'MISSING' in the
regression log instead.
When SpikeCosim is getting destructed a SIGSEGV was observed on CentOS
7. The root cause hasn't been identified other than it relates to the
deletion of `isa_parser_t`, potentially some kind of use after free
error.
This is an (optional) hacky workaround that simply never deletes the
`isa_parser_t` pointer in SpikeCosim. As in practise this occurs at the
end of simulation when the process is terminating the memory leak is of
little consequence.
Longer term this issue should be investigated and properly fixed.
Fixes two issues observed on CentOS 7 during testbench compile
- pkg-config doesn't behave properly when it receives multiple flags
- riscv-fesvr library needs to be included in build
Currently, the dual-core lockstep FI mitigation is enabled/disabled
using a single bit.
For transient bit-flips, this is not problematic, as one bit-flip
into this signal and one bit into the Ibex is required to threaten
the security of the system.
However, a permanent stuck-at-0 fault could disable the lockstep
completely by targeting this signal. Then, only a single, additional
fault (transient or permanent) is required.
This PR enhances the FI resilience of the Ibex lockstep by encoding
this single bit into a ibex_mubi_t signal, i.e., a 4-bit multi-bit
signal.
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
As described in #20715, a single fault-induced bit-flip inside the
register file could change which of the register file value is
provided to Ibex.
This PR fixes this issue by (i) encoding raddr_a/b to one-hot
encoded signals, (ii) checking these signals for faults, and
(iii) using an one-hot encoded MUX to select which register file
value is forwarded to rdata_a/b.
Area increases by ~1% (Yosys + Nangate45 synthesis).
I conducted a formal fault injection verification at the Yosys
netlist to ensure that the issue really is fixed.
Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
The keys in this file get incorporated into the FlowCfg object that
represents a simulation or similar. Adding a spurious key won't cause
any problems, but we actually need it for the next commit, which grabs
the current version of dvsim from OpenTitan. That version of dvsim
expects the "book" key to have been set in common_project_cfg.hjson.
Splitting the two commits like this should make it a bit more obvious
where things have come from.
With the latest versions of all python packages in
python-requirements.txt ibex_cmd.py was seeing a run-time type error.
Data from a YAML file that had previously always been a string could now
be an int as well. This alters the code to allow the int to work.
This shouldn't change the behaviour when it works. On a failure, we
now print out a bit more about what's going on.
When asked to do something impossible now, I think the output is a bit
clearer. For example, if you try to run riscv_bitmanip_full_test with
an OpenTitan configuration (which doesn't have full bitmanip), the
warning message is now:
WARNING:ibex_cmd:Rejecting test: riscv_bitmanip_full_test. It specifies rtl_params of ['ibex_pkg::RV32BFull'], which doesn't contain the expected 'ibex_pkg::RV32BOTEarlGrey'.
(The following stuff that appears is a bit messy, but at least the
first line is now clearer!)
