Commit graph

2816 commits

Author SHA1 Message Date
Marno van der Maas
0b718c5eac [dv/formal] Helpers for DivInstrStable
To make the proof of DivInstrStable, this commit adds two helper
properties in the previous step. One that when an instruction is not a
multiply that the multiplier state must never leave ALBL and one that
the writeback stage must have a valid instruction in it if it is
blocking an instruction from proceeding from EX to WB. This allows
DivInstrStable to be proven with Hp 2.
2025-05-12 08:46:58 +00:00
Marno van der Maas
4fe6b7d53f [dv/formal] Performance improvement for divide PC
The MType_{Div,DivU,Rem,RemU}_PC properties were proving very slow
before this. They were proving with Hp 45, which was very slow. This
change groups them together so that the engines can help each other out,
the N engine helps with proving these properties much faster than with
Hp alone. In the long-term it is better to capture a relevant assumption
in the proof files instead of putting this in the TCL script.
2025-05-09 10:20:03 +00:00
Harry Callahan
8a3d46f095 [doc] Update cosim.rst to point to current spike cosim branch 2025-05-01 00:53:59 +00:00
mndstrmr
50e7331f42 [dv,formal] Remove patches, better proof script
The old patchfile disabled clock gating and set ResetAll = 1.
We don't need either of these things any more with some minor
invariant tweaks. This also improves the proof script, which
should be faster now.
2025-04-30 13:30:45 +00:00
Gary Guo
10270b6e9a [dv,formal] constrain CSR values for mvendorid and mimpid
These values were originally constants but now are parameters.
Constrain them for formal.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
2025-04-30 13:30:45 +00:00
Gary Guo
2c2dc5040f [dv,formal] FirstFetchNoInstr helper property for FetchErrRoot
FetchErrRoot is very slow to prove, and via SST I discovered that it
was exploring the state space where ctrl FSM is in FIRST_FETCH, and
there was a memory load instruction latched by IF, and it causes the stall
logic to think there is a memory-induced stall.

This is unreachable state because in FIRST_FETCH there can't be instructions
latched, so add a helper property to aid the proof.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
2025-04-30 13:30:45 +00:00
Gary Guo
f79e858c81 [dv,formal] do not assume on MType assertions
M extension is not currently proven. This should be disabled rather than
assumed as otherwise its property might be used to prove other
properties in the same step (and thus not performing actual work).

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
2025-04-30 13:30:45 +00:00
Marno van der Maas
abaed83dbf [dv,formal,doc] Formal README revision
This includes renaming Jasper Gold to just Jasper

Signed-off-by: Marno van der Maas <mvdmaas+git@lowrisc.org>
2025-04-30 13:30:45 +00:00
Harry Callahan
cea3d04caf [dv,formal,nix] Use Nix to setup formal development and test environment
Adds a Nix environment which provides a development shell for the formal
verification flow. All dependencies are fetched and built upon entering the
shell (nix develop .#formal), except for the proprietary Cadence Jasper.

The dev shell (nix develop .#formal-dev) is identical to the normal
shell, but prints some information on how to swap out components. This
is also documented in the README.

Documentation on how to use this environment is added to the dv/formal/README.md
The provided Makefile/.tcl scripts make assumptions about the environment
they are run within which are provided by the Nix environment. Using Nix is
the recommended way to run this flow, but if you cannot do this, you will need
to duplicate the setup done by Nix in terms of environment variables and
provided dependencies.

Jasper Gold options:
- allow_unsupported_OS is required on both the machines I use.
- acquire_proj means that if JG is killed (which happens somewhat
  often) the next time it runs it will still be able to take ownership
  of the project.

Co-authored-by: Louis-Emile Ploix <louis-emile.ploix@lowrisc.org>
Co-authored-by: Marno van der Maas <mvdmaas+git@lowrisc.org>
Co-authored-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Harry Callahan <hcallahan@lowrisc.org>
2025-04-30 13:30:45 +00:00
Harry Callahan
293b4bccac [dv,formal] Add a fusesoc flow for generating the fileset
This lets fusesoc do the heavy lifting in identifying the correct files for us.
Fusesoc is already extensively used for this purpose for synthesis and simulation.

As part of this step, apply RTL patches that work around some current
restrictions in the formal flow to the /build fileset copied by fusesoc.

Co-authored-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Harry Callahan <hcallahan@lowrisc.org>
2025-04-30 13:30:45 +00:00
Louis-Emile
c0636dcbde [dv,formal] Add flow for formal equivalence checking with Sail
Here's a high-level overview of what this commit does:
- Compiles Sail into SystemVerilog including patching compiler bugs
- Create a TCL file that tells JasperGold what to prove and assume
- Check memory operations modelling the LSU
  Most of these properties now prove without time-bound on the response
  from memory due to alternative LSUs
- Check memory even with Smepmp errors:
  Continues on top of https://github.com/riscv/sail-riscv/pull/196
- CSR verification
- Checks for instruction types such as B-Type, I-Type, R-Type
- Check illegal instructions and WFI instructions
- Using psgen language for proof generation
- Documentation on how to use the setup
- Wrap around proof that proves instructions executed in a row still
  match the specification.
- Liveness proof to guarantee instructions will retire within an upper
  bound of cycles.

All of these proofs make heavy use of the concept of k-induction. All
the different properties and steps are necessary to help the tool get
the useful properties it needs to prove the next step. The instruction
correctness, wrap-around and liveness all give us increased confidence
that Ibex is trace-equivalent to Sail.

Throughout this process an issue was found in Ibex where the pipeline
was not flushing properly on changing PMP registers using clear: #2193

Alternative LSUs:
This makes all top level memory properties prove quickly and at a low
proof effort (1 or 2-induction). Three 'alternative LSUs' representing
three stages of memory instructions:
1. Before the first response is received, in the EX stage
2. After the first response is received, but not the second grant,
also in the EX stage
3. Before the last response is received in the WB stage.
In each case we ask 'if the response came now, would the result
be correct?'. Similar is applied for CSRs/PC though less directly.
This is particularly interesting (read: ugly) in the case of a PMP error

wbexc_exists makes Wrap properties fast to prove. The bottleneck becomes
SpecPastNoWbexcPC, which fails only due to a bug. See the comment
in riscv.proof.

Co-authored-by: Marno van der Maas <mvdmaas+git@lowrisc.org>
Signed-off-by: Louis-Emile Ploix <louis-emile.ploix@lowrisc.org>
2025-04-30 13:30:45 +00:00
Robert Schilling
0369438105 [ibex] Pass mvendorid and mimpid as top-level params
Instead of using default values from a package, create a top-level
parameter to define these and pass them down. This allows integrators
to specify them on a per-instance basis.

Signed-off-by: Robert Schilling <rschilling@rivosinc.com>
2025-04-25 13:28:44 +00:00
Rupert Swarbrick
0199c03ea4 [rtl] Minor tweak to decoder to avoid dead code
The "else" part of the if/else check here wasn't possible because the
surrounding else branch (starting at line 406) is already in the case
where instr[26] is zero.
2025-04-25 12:43:52 +00:00
Samuel Riedel
00a6f2fcd7 [ibex] Remove workarounds for Verilator's IMPERFECTSCH warning 2025-04-25 11:19:27 +00:00
Samuel Riedel
f0c6f76be7 [cosim] Disable Verilator's IMPERFECTSCH warning 2025-04-25 11:19:27 +00:00
Andreas Kurth
594ea976c9 [dv] Plan test for DM accesses in debug mode
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
2025-04-03 08:48:00 +00:00
Hao
2678654820 fix: Illegal instruction display message
When encountering certain illegal compressed instructions, incorrect instruction information was displayed. Now, illegal instructions can be printed correctly.
2025-03-26 15:46:21 +00:00
Marno van der Maas
6e466c1504 Verification should be done with ibex_cosim branch
This resolves comment: https://github.com/lowRISC/riscv-isa-sim/pull/25#issuecomment-2655147799
2025-02-26 11:05:04 +00:00
Gary Guo
9e99ec79e2 [ci] switch CI runner from Ubuntu 20.04 to 22.04
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
2025-02-19 17:15:26 +00:00
Gary Guo
eba210965a [ci] update verible version to match OT
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
2025-02-19 17:15:26 +00:00
Gary Guo
fa40368300 [ci] remove Azure Pipelines magic commands
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
2025-02-19 17:15:26 +00:00
Greg Chadwick
60fbb6ba2f [cosim] Update comment on set_mip in Cosim interface
The concept of pre and post MIP values was introduced a while ago but
the comments in the interface weren't updated to explain what they are.
2025-02-18 16:56:40 +00:00
Greg Chadwick
d53035bf64 [rtl] Remove low utility assertions
This removes several assertions from `ibex_controller`. They aimed to
ensure that controller behaviour was correct on exception behaviour
(e.g. ensuring that a pending interrupt will actually trigger an
interrupt). However they've proved to be flaky and hard to maintain with
multiple edge cases needing to be accounted for.

The co-simulation checking in functional verification will catch the
same issues these assertions catch. The assertions (when working
correctly) would cause a failure directly when the bug happens which
makes debugging easier. However they've added significant effort in
regression triage due to their many false failures so it's not worth the
maintenance burden.

Within formal they don't really add any value now we have the full
end-to-end formal flow.
2025-02-18 16:49:01 +00:00
Greg Chadwick
0f27580cf6 [rtl] Flush pipe on all CSR modifications
This fixes #2193, an issue that meant bit clears in PMP related CSRs
didn't immediately apply to an instruction already in the fetch stage
due to a lack of a pipeline flush.

With this change the pipeline will flush in that scenario, fixing the
issue. It now flushes the pipeline on all CSR modifications as this
makes the pipeline more resilient against similar issues in the future
(where the list of CSRs to flush on should have been updated but
wasn't).
2025-02-17 14:47:28 +00:00
Greg Chadwick
e66df4d49a [rtl] Read csr_addr direct from instruction
Previously the ibex_cs_registers module received the CSR address via the
operand muxes. This has been observed to cause timing issues in some
cases. The CSR address is always read from the same bits of the
instruction so there's no need to go via the operand muxes. With this
change the relevant instruction bits are fed straight out of the decoder
and into the ibex_cs_registers module.
2025-02-17 14:47:28 +00:00
Rupert Swarbrick
78739562ce [ibex_core] Fix assertion when SecureIbex is false
This assertion wasn't quite correct if SecureIbex is false because it
was checking for the magic IbexMuBiOn value instead of just looking at
the bottom bit.

Fixes #2249.
2025-01-24 12:49:45 +00:00
Rupert Swarbrick
cecf4fd2df [ibex_register_file_fpga] Drop two confusing comments
These were noticed by someone responding to issue #2230. I think the
author's original logic was to point out that there's a path from e.g.
raddr_a_i to rdata_a_o which doesn't depend on any clock, so is
"asynchronous".

But that's the same in the other modes and also for the other register
file implementations, which don't have analogous comments.

Drop these ones.
2025-01-23 19:27:35 +00:00
Katharina
591c3812f9 Fix typo in comment in ibex_id_stage.sv 2025-01-16 19:17:50 +00:00
Robert Schilling
5da1679f36 [ibex_tracer] Use static variables in always/final blocks
Signed-off-by: Robert Schilling <rschilling@rivosinc.com>
2025-01-10 13:17:17 +00:00
Rupert Swarbrick
4d722d3308 [rtl] Drive oh_raddr_*_err if RdataMuxCheck=0
These errors aren't detected or reported if the mux is disabled, but
the RTL didn't actually drive them at all.
2025-01-07 09:38:11 +00:00
Priyanshu Mishra
8f4c75c5e4 Update core_ibex_pmp_fcov_if.sv 2024-12-20 12:09:26 +00:00
Andreas Kurth
a05d4d825c [rtl,pmp] Allow all accesses to Debug Module in debug mode
The RISC-V Debug Specification (current release 1.0.0-rc4) in Section
A.2 states that the PMP must not disallow accesses to addresses of the
Debug Module when the hart is in debug mode, regardless of how the PMP
is configured.  This commit changes the PMP accordingly.

Signed-off-by: Andreas Kurth <adk@lowrisc.org>
2024-12-19 10:42:48 +00:00
Andreas Kurth
8b82e89719 [controller] Add assertion on pipeline flush when entering debug mode
Signed-off-by: Andreas Kurth <adk@lowrisc.org>
2024-12-19 10:42:48 +00:00
Marno van der Maas
88d27a0944 ibex_pcounts: resolve uninitialize warning
Although the current code isn't wrong as far as I can tell, it would be
better to initialize the lognest_name_length variable when it is
declared to avoid a build warning with older Verilator versions.
2024-12-18 16:05:47 +00:00
Pascal Nasahl
667fd20d2e [rtl] Fix non-DSP reset in ibex_counter
When targeting Xilinx FPGAs, we utilize a DSP for counters
with a width of less than 49-bit. In this case, a sync. reset
is needed. However, currently, there is a bug in the RTL
where also a sync. reset is used for the non-DSP counters
on the FPGA.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
2024-12-06 14:55:01 +00:00
Pascal Nasahl
0945aa84c6 Revert "[rtl] Fix counter reset value on FPGA"
This reverts commit 54985d21b0.
2024-12-04 00:06:01 +00:00
Pascal Nasahl
54985d21b0 [rtl] Fix counter reset value on FPGA
If the counter width is >= 49, we do not use a DSP on the FPGA.
Then, we should use an asynchronous reset to initialize the counter.

This bug was detected when enabling the lockstep for the CW340. A
lockstep mismatch happened as the mcycle counters of the main and
shadow core did not match due to this bug.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
2024-11-29 10:43:32 +00:00
Gary Guo
d2d55ed348 [ci] remove Azure Pipelines
We have been using GitHub Actions for some time now, both for public CI
and private CI, and it seems to be functioning well.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
2024-11-22 16:45:05 +00:00
Pascal Nasahl
84232a5bfa [rtl] Fix zero value in FPGA RF
We should use `WordZeroVal` instead of `0` for reads from register `x0` in the
FPGA register file.

This bug was discovered when enabling the `RegFileECC` parameter. When this is
enabled, the core performs ECC checks, expecting that `WordZeroVal` is returned
for `x0`. Else, we get a major alert.

Fixes lowRISC/opentitan#25146

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
2024-11-18 13:35:35 +00:00
Marno van der Maas
f0f6bfd79a Block diagram: make feature text readable
White text on the dark red should be more readable than the black.
2024-11-12 12:49:41 +00:00
Marno van der Maas
496e06f659 Block diagram: fixes and improved looks
- Move background to its own layer
- Make font sizes consistent
- Fix icache and pc background
  Previously the background was morphed around the text, this makes it a
  background again.
- Remove redundant rectangle
  The instruction memory interface had two rectangles, one black and one
  purple. I removed the purple one that was bleeding through in the
  corners.
- Instruction fetch alignment
  The Instruction fetch block was not the same height and was not top
  aligned with the other blocks.
- Align text with boxes
  This essentially aligns all the text inside the blocks
- Standardize lines as 0.265mm
  The lines between blocks and the ones making the triangular shapes were
  mostly 0.265mm with a few exceptions.
- Stroke width of block outlines same
  Made all the stroke widths for all the blocks 0.5mm. I've made the outer
  box a nice round 1.0mm.
- Use lowRISC colors
  E0384F for the background (including the start of the gradient)
  A21F4F for the outside line
- Alignment of in/out arrows
  Many of these arrows were not aligned, this improves that alignment.
- Add white background to instr inf
  Instruction memory interface lost its white background when the purple
  outline was removed. This commit adds it back in.
- Use Liberation Sans everywhere
  Exo 2 is not supported natively in browsers and there was no easy way to
  embed fonts in SVG where Inkscape knew about it.
- Fade to white, not transparent
- PMP check font is now smaller
- Add background to debug request input
- Make text under prefetcher bigger so it is rendered on GitHub
- Execute text is now its own block so that it is rendered on GitHub
2024-11-11 15:31:55 +00:00
Harry Callahan
fb49826c16 [dv] Cleanup some code in the compile_tb.py module
Add comments, and move some variable declarations around to be closer to their use.

Signed-off-by: Harry Callahan <hcallahan@lowrisc.org>
2024-10-01 15:21:40 +00:00
Harry Callahan
8e77bb39d5 [dv] Tweak ISS linker arg construction for Xcelium
The previous code here was a bit too hacky, so implement a solution that
directly follows the suggestion in the Cadence support article.
An example was also added to make it clear what this transformation is
achieving.

Add some more typehints, and cleanup names.

Signed-off-by: Harry Callahan <hcallahan@lowrisc.org>
2024-10-01 15:21:40 +00:00
Robert Schilling
f92d599e00 [pmp] Use top-level straps for PMP reset values
By using top-level straps for the PMP reset configuration it's
easier to implement different reset configurations if there are
multiple Ibex cores in the system.

Signed-off-by: Robert Schilling <rschilling@rivosinc.com>
2024-09-23 10:28:57 +00:00
Elliot Baptist
4ed20f4ac3 Update more documentation links 2024-09-19 08:57:07 +00:00
Elliot Baptist
6a33f69ccb Update verification_stages.rst OT links 2024-09-18 12:58:20 +00:00
Pascal Nasahl
2617c43c0a [rtl] Fix wrong address in latch RF
This commit fixes a typo that used the wrong read address (raddr_b
instead of raddr_a) for port A.

Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
2024-09-17 14:25:27 +00:00
lingscale
53888bcdf4 [rtl] fix a typo. 2024-08-28 10:19:17 +00:00
lingscale
0cd79187b6 [doc] fix a typo. 2024-08-28 10:17:28 +00:00
Gary Guo
03ba286570 Fix icache regression failure on VCS
It appears that VCS requires the expression after `iff` to be wrapped inside
parentheses otherwise it will complain about a syntax error.

This should fix the weekly VCS regression.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
2024-08-26 14:44:27 +00:00