This commit adds a directed instruction stream to riscv_pmp_full_random_test
to inject random writes to the MSECCFG register.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
When DCSR is set such that ebreak will enter debug mode we were getting
cosim mismatches. This was because Ibex produces the ebreak on the RVFI
interface and spike effectively skips right over it and executes the
first instruction of the debug handler immediately. Traps have similar
but not identical behaviour so we need a special case in the step
function to handle this.
The recent change to add the fetch_enable sequence into every regression
can very rarely cause the 3000 cycle timeout for the irq_stimulus check to fail.
This only happens with a large randomized length of the fetch being disabled,
and long latency for memory accesses.
Increase this timeout.
Overrides some riscv-dv classes to create a custom debug_rom for this test,
which is used to set up the breakpoint registers.
I have found it difficult to get stimulus of this hardware feature without
a more directed test. Improvements or ideas are welcome here.
Test-specific timeout of 5min within which I see >90% pass rate.
Adding this behaviour to ibex_asm_program_gen allows all tests to benefit
from the option of jumping directly to these labels. Previously, ECALL was
used to provide a single path to this code.
Previously it was asserted when an instruction in ID would cause an
exception but an earlier instruction in WB also causes an exception
which takes priority.
This didn't cause a functional bug as the `id_exception_o` signal was
used in a single place ORed with `wb_exception_o`. However it was
confusing behaviour and could cause killed instructions to appear on the
RVFI causing false cosim mismatches.
Update code from upstream repository https://github.com/google/riscv-dv to revision be9c75fe6911504c0e6e9b89dc2a7766e367c500
* Reserve one extra word when pushing GPRs to kernel stack (Harry Callahan)
* Store user-stack-pointer on kernel stack when pushing/popping GPRs (Harry Callahan)
Signed-off-by: Harry Callahan <hcallahan@lowrisc.org>
It is illegal to see an execution/read/write denied while in Machine
mode if MML is disabled. Add this combination to our illegal bin list.
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
It was triggered only on the debug wakeup actually occurring, so in
particular would never capture debug activity around entering sleep. Now
it just considers if there's something that would trigger debug wakeup.
This cross wasn't much use as many of the transitions it was crossing
with instruction types only occur when the pipeline is empty (so there's
no instruction type to check).
The remaining interesting cases are already covered by other crosses
(e.g. `debug_if_entry_instr_cross` and `pipe_flush_instr_cross`).
Also adds an assertion to check the pipe is empty when we transition to
IRQ_TAKEN (we need this condition to hold to ensure we don't need extra
coverage for instruction types on this transition).
When in the FLUSH state we cannot have `csr_pipe_flush` set as it
depends upon `instr_executing` being set (within `ibex_id_stage`) and
that is only set in the DECODE stage.
Add 180s timeout for pmp_full_random tests (this sees a reasonable pass-rate)
Tweaked to latest API for double_fault detector
Squashed changes from Marno's ongoing work:
[pmp] Adjust full random PMP to use random memory addresses
[pmp] Enable double fault detector for MML read only test
[dv,pmp] Add double fault pass flag
[dv,pmp] Different parameters for pmp full random test
This coverpoint does not make sense. The hardware breakpoint is
triggered as the instruction moves into the ID/EX stage so it never has
a chance to take an exception (it effectively never begins executing).
We should only indicate an ebreak debug cause if an ebreak leads to a
debug entry (otherwise when single stepping over an ebreak that traps to
an exception we incorrectly enter debug mode with an ebreak cause).
Update code from upstream repository https://github.com/google/riscv-dv to revision ada58fc57a6bc1265e6c261b0f468a79c946a640
* [pmp] Fix plusarg detection for MML and MMWP (Marno van der Maas)
* [pmp] Add missing line return (Marno van der Maas)
* [pmp] Improve formatting of PMP addresses for debug (Marno van der Maas)
* [pmp] Add a register for loop counter in PMP traps instead of mscratch (Marno van der Maas)
* [pmp] Add illegal TOR and NAPOT address mode constraints (Marno van der Maas)
* [pmp] Try to skip instruction if no PMP match and in MMWP (Marno van der Maas)
* [pmp] Store and load faults caused by locked PMP regions now skip to next instruction (Marno van der Maas)
* [pmp] Check for MML before modifying PMP entry in trap handler (Marno van der Maas)
* [pmp] Allow already configured addresses to be overwritten with plusargs (Marno van der Maas)
* [pmp] Use kernel_inst_end for end of code entry (Marno van der Maas)
* [pmp] Add end of kernel stack to stack entry (Marno van der Maas)
* [pmp] Put signature and stack in last PMP entries (Marno van der Maas)
Signed-off-by: Harry Callahan <hcallahan@lowrisc.org>
This commit protects the core_busy_o signal using a multi-bit encoding
to reduce the chances of an adversary for glitching this signal to low,
thereby putting the core to sleep and e.g. not handling an alert.
Without this commit, the glitch would only be detected once both the
main core and the shadow core wake up again and the comparison of the
core_busy_o signals continues.
This resolves lowRISC/Ibex#1827.
Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
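As an added illustration (not Ibex's own code) of why a multi-bit encoding makes a busy signal harder to glitch than a single bit, the C model below compares the two; the 4-bit ON/OFF codes and the function names are constructed for this example, not taken from the Ibex RTL.

```c
/* Model of a multi-bit encoded "busy" signal versus a single-bit one.
 * Assumption: the 4-bit codes below are constructed for this example and
 * are not Ibex's real constants. */
#include <stdbool.h>
#include <stdint.h>

#define MUBI_WIDTH 4
#define MUBI_OFF   0xAu   /* 1010: the only encoding treated as "not busy" */
#define MUBI_ON    0x5u   /* 0101: bitwise complement of OFF, distance 4 */

/* Single-bit signal: one flipped bit is enough to report "idle". */
static bool single_bit_busy(uint8_t busy) { return (busy & 1u) != 0; }

/* Multi-bit signal: anything other than the exact OFF code counts as busy,
 * so a fault must hit every differing bit at once to fake "idle". */
static bool mubi_busy(uint8_t code) { return (code & 0xFu) != MUBI_OFF; }

/* Hamming distance: number of bits that must flip to turn a into b. */
static int hamming(uint8_t a, uint8_t b) {
  int d = 0;
  for (uint8_t x = (uint8_t)(a ^ b); x; x >>= 1) d += x & 1u;
  return d;
}

/* Count the single-bit glitches of an "on" code that make the core look
 * idle to the given decoder: 1 for the single-bit signal, 0 for MUBI. */
static int single_bit_faults_to_idle(bool (*busy)(uint8_t), uint8_t on_code,
                                     int width) {
  int n = 0;
  for (int i = 0; i < width; i++)
    if (!busy((uint8_t)(on_code ^ (1u << i)))) n++;
  return n;
}
```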
Previously if a dummy instruction entered the pipeline whilst it
wouldn't make RVFI stage 0 valid, it would make RVFI stage 1 valid.
Now stage 1 can only become valid if stage 0 was valid.
Use a DPI call to unix 'date' to implement a wall-clock timeout entirely within
a simulation. This allows the UVM environment to gracefully end when the
threshold is reached, and for things like logs and coverage databases to be
generated correctly.
Previously, a process-level timeout was used, which gave the running simulation
no time to commit any logs/databases to disk before ending. Hence we would not
gather any coverage from timed-out tests.
A plusarg 'test_timeout_s' can be specified to each test to set the timeout. The
default timeout is 1800s.
Adding the key 'timeout_s' to the testlist.yaml file for each test
now sets the timeout for all iterations of that test. Value in seconds.
e.g.
Set all iterations of the pmp_full_random test to have a 10s timeout.
```
- test: riscv_pmp_full_random_test
  timeout_s: 10
```
Give the sequence a handle to the cosim_agent, upon which it can call a method
to update the cosim memory model directly.
This required a small restructure of the mem_intf packages to prevent a circular dependency.
Reading uninit DMEM returns a random value.
Reading uninit IMEM returns {2{C.unimp}}.
Inserting intg errors upon uninit accesses is now gated with a plusarg
"+enable_bad_intg_on_uninit_access=1"
Fix missing update of the rtl mem_model when returning random data.
Update code from upstream repository https://github.com/google/riscv-dv to revision e0eae9e0ca69770c519c82c48421005f65521eac
* [sv] Explicit type casting for VCS compatibility (Canberk Topal)
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
Add a plusarg "+is_double_fault_detected_fatal" to the top-level cfg,
which is set to 1 by default.
Set the default for the "+enable_double_fault_detector" to 1.
Add a new scoreboard component to the core_ibex uvm environment, which contains
a double_fault detector task. This uses the top-level output
'double_fault_seen_o' to count the number of total and consecutive double_faults
seen with a test. A helper task allows the base_test to wait upon each of these
counters reaching the configured thresholds, and then to end the test early with
a passing result.
The default thresholds are 100 for consecutive faults, and 1000 for total faults.
The double_fault detector is disabled by default.
A plusarg '+enable_double_fault_detector=1' enables the checker.
This commit enables it for only the 'pmp_full_random_test', as that is a useful
test candidate to begin with.
Previously the time over which fetch enable was disabled was randomized
at the start of the sequence and kept constant throughout. Now it is
randomized for every `send_req`.
Stop generating FetchEnableOn as a possible fetch_enable value to set
and use the SecureIbex parameter to decide if full randomisation of all
of the non-FetchEnableOn MUBI values is needed or we just always switch
between FetchEnableOn/FetchEnableOff.
Tweaks the default min/max delay values for how long fetch remains
disabled.
Previously `fetch_enable_i` only controlled the request going into the
instruction fetch stage. Due to buffering in the prefetch queue and
icache when this request is dropped it's possible for multiple
instructions to still be available for the ID/EX stage to consume. So
when `fetch_enable_i` was set to off you would get a 'soft stop'. Some
finite number of instructions may still execute and Ibex would come to
an eventual halt.
Now `fetch_enable_i` also gates the instruction moving between the fetch
stage and the ID/EX stage. This gives a 'hard stop' where once fetch is
disabled Ibex comes to an immediate halt.
This commit changes when we catch the debug causes. Since debug_cause_o
only gets latched when `csr_save_cause_o` is high, it would work if
we change the cause with a mux that is connected to the input signals.
Resolves #1772
Signed-off-by: Canberk Topal <ctopal@lowrisc.org>
Previously Ibex signalled a major alert on an integrity error (where
incoming read data doesn't match its integrity bits) for both read and
write responses. This was removed as the data part of a response to a
write is ignored.
This brings it back in a more measured way. This provides a little extra
fault injection hardening as an attacker glitching the memory bus will
generate an alert on both read and write responses.