Update HyperRAM test software to reflect size changes

Introduce a test for whether storing a capability to an untagged
area of memory raises an exception as intended. Stores to areas
of the HyperRAM that have associated tag bit storage should
complete without an exception.

In each case, check whether an exception does/does not occur as
expected, and check the contents of the memory after the attempted
store.

An exception handler resumes execution after the faulting
instruction but - importantly - is activated only for the very
short time window during which we expect the possible exception to
occur.

Author: alees24

sw/cheri/checks/hyperram_test.cc

@@ -23,10 +23,52 @@
 
 #include "hyperram_memset.h"
 
+// Simulation is much slower than execution on FPGA and these tests are primarily intended for
+// FPGA-based testing. Define this to 1 for use in simulation.
+#define SIMULATION 0
+
 using namespace CHERI;
 
 const int RandTestBlockSize = 256;
-const int HyperramSize      = (1024 * 1024) / 4;
+#if SIMULATION
+// Note that this means many of the tests will be exercising only small fraction of the mapped
+// HyperRAM address range.
+const unsigned HyperramSize = HYPERRAM_BOUNDS / 1024;
+#else
+// Number of 32-bit words within the mapped HyperRAM.
+const unsigned HyperramSize = HYPERRAM_BOUNDS / 4;
+#endif
+
+// The amount of HyperRAM that supports capability stores.
+const unsigned HyperramTagSize = HYPERRAM_TAG_BOUNDS / 4;
+
+// Signals whether an exception should be trapped and the faulting instruction skipped.
+static volatile bool trap_err = false;
+
+// Records whether an attempt to store a capability to the HyperRAM resulted in a
+// TL-UL bus error and thus an exception.
+static volatile bool act_err = false;
+
+// TODO: #429 Presently the debugger cannot perform sub-word writes, so pad the BSS to 4 bytes.
+volatile uint16_t dummy;
+
+extern "C" void exception_handler(void) {
+  if (trap_err) {
+    // Record the fact that an exception occurred.
+    act_err = true;
+    // Advance over the failing instruction; this is a `csc` instruction but it may or may not be
+    // compressed.
+    __asm volatile(
+        "         cspecialr ct0, mepcc\n"
+        "         lh        t2, 0(ct0)\n"
+        "         li        t1, 3\n"
+        "         and       t2, t2, t1\n"
+        "         bne       t2, t1, instr16\n"
+        "         cincoffset ct0, ct0, 2\n"
+        "instr16: cincoffset ct0, ct0, 2\n"
+        "update:  cspecialw  mepcc, ct0");
+  }
+}
 
 // Ensure that all writing of code to memory has completed before commencing execution
 // of that code. Code has been written to [start, end] with both addresses being
@@ -129,10 +171,10 @@ int rand_cap_test(Capability<volatile uint32_t> hyperram_area,
     Capability<volatile uint32_t> read_cap;
 
     do {
-      rand_index = prng() % HyperramSize;
+      rand_index = prng() % HyperramTagSize;
 
       // Capability is double word in size.
-      rand_cap_index = prng() % (HyperramSize / 2);
+      rand_cap_index = prng() % (HyperramTagSize / 2);
     } while (rand_index / 2 == rand_cap_index);
 
     rand_val = prng();
@@ -670,6 +712,110 @@ int linear_execution_test(Capability<volatile uint32_t> hyperram_w_area, ds::xor
   return failures;
 }
 
+// Simple test of whether the full HyperRAM is mapped, as well checking that capabilities can
+// only be stored to the intended portion of this mapped range.
+int mapped_tagged_range_test(Capability<volatile uint32_t> hyperram_w_area,
+                             Capability<Capability<volatile uint32_t>> hyperram_cap_area, ds::xoroshiro::P64R32 &prng,
+                             Log &log, int iterations = 1) {
+  const bool verbose = false;
+  int failures       = 0;
+
+  // In the event that the entire HyperRAM supports capabilities, we must reduce two of our
+  // directed choices to be within bounds.
+  uint32_t tag_bounds_plus_8 = HYPERRAM_TAG_BOUNDS + 8;
+  uint32_t tag_bounds        = HYPERRAM_TAG_BOUNDS;
+  if (tag_bounds_plus_8 >= HYPERRAM_BOUNDS) {
+    tag_bounds_plus_8 = HYPERRAM_BOUNDS - 8;
+    tag_bounds        = HYPERRAM_BOUNDS - 16;
+  }
+
+  for (int iter = 0; iter < iterations; ++iter) {
+    Capability<volatile uint32_t> read_cap;
+    unsigned rand_choice = prng() & 7u;
+    uint32_t rand_addr;
+
+    switch (rand_choice) {
+      // Directed choices.
+      case 0u:
+        rand_addr = tag_bounds;
+        break;
+      case 1u:
+        rand_addr = HYPERRAM_TAG_BOUNDS - 8;
+        break;
+      case 2u:
+        rand_addr = HYPERRAM_BOUNDS - 8;
+        break;
+      case 3u:
+        rand_addr = tag_bounds_plus_8;
+        break;
+      case 4u:
+        rand_addr = 0u;
+        break;
+      // Randomised choices.
+      default:
+        rand_addr = prng() & (HYPERRAM_BOUNDS - 8u);
+        break;
+    }
+
+    // Predict whether we should see a TL-UL error in response; only the first portion of the
+    // mapped HyperRAM supports tag bits. Anything at a higher address should raise a TL-UL error.
+    bool exp_err = (rand_addr >= HYPERRAM_TAG_BOUNDS);
+    if (verbose) {
+      log.println("addr {:#x}", rand_addr);
+    }
+
+    // We are expecting to generate a TL-UL error with some store operations.
+    trap_err = true;
+    // First store some data that does not constitute a sensible capability.
+    const uint32_t exp_data1              = 0x87654321u;
+    const uint32_t exp_data0              = ~0u;
+    hyperram_w_area[rand_addr >> 2]       = exp_data0;
+    hyperram_w_area[(rand_addr >> 2) + 1] = exp_data1;
+
+    // Attempt to store a capability to the chosen address.
+    // The capability stored doesn't really matter; just use the HyperRAM base.
+    act_err                           = false;
+    hyperram_cap_area[rand_addr >> 3] = hyperram_w_area;
+    trap_err                          = false;
+    if (verbose) {
+      log.println("done write");
+    }
+    read_cap = hyperram_cap_area[rand_addr >> 3];
+
+    // Check that an error occurred iff expected.
+    failures += (act_err != exp_err);
+    if (verbose) {
+      log.println("Act err {}, exp err {}", (int)act_err, (int)exp_err);
+    }
+
+    // Check the memory contents.
+    if (exp_err) {
+      // If an error occurred then we expect _not_ to have performed the write, so the test data
+      // should still be intact.
+      uint32_t act_data1 = hyperram_w_area[(rand_addr >> 2) + 1];
+      uint32_t act_data0 = hyperram_w_area[rand_addr >> 2];
+      if (verbose) {
+        log.println("Wrote {:#x}:{:#x}, read back {:#x}:{:#x}", exp_data0, exp_data1, act_data0, act_data1);
+      }
+      if (exp_data0 != act_data0 || exp_data1 != act_data1) {
+        failures++;
+      }
+    } else {
+      // If there was no error, the capability should have been stored as expected.
+      if (verbose) {
+        volatile uint32_t *exp = hyperram_w_area.get();
+        volatile uint32_t *act = read_cap.get();
+        log.println("Wrote {:#x}, read back {:#x}", (uint32_t)exp, (uint32_t)act);
+      }
+      if (read_cap != hyperram_w_area) {
+        failures++;
+      }
+    }
+  }
+
+  return failures;
+}
+
 /**
  * C++ entry point for the loader.  This is called from assembly, with the
  * read-write root in the first argument.
@@ -695,23 +841,52 @@ extern "C" [[noreturn]] void entry_point(void *rwRoot) {
 
   // Default is word-based accesses, which is sufficient for most tests.
   Capability<volatile uint32_t> hyperram_area = root.cast<volatile uint32_t>();
-  hyperram_area.address()                     = HYPERRAM_ADDRESS;
-  hyperram_area.bounds()                      = HYPERRAM_BOUNDS;
+  uint32_t bounds                             = HYPERRAM_BOUNDS;
+  // Unfortunately it is not possible to construct a capability that covers exactly the 8MiB range
+  // of the HyperRAM because of the encoding limitations of the CHERIoT capabilities.
+  switch (1) {
+    // Courtesy of Leo; CHERIoT can construct a capability that covers 8MiB - 16KiB.
+    case 0:
+      hyperram_area.address() = HYPERRAM_ADDRESS;
+      bounds                  = HYPERRAM_BOUNDS - 0x4000;
+      break;
+    // Cover only the tagged region.
+    case 1:
+      hyperram_area.address() = HYPERRAM_ADDRESS;
+      bounds                  = HYPERRAM_TAG_BOUNDS;
+      break;
+    // Cover just the untagged region.
+    case 2:
+      hyperram_area.address() = HYPERRAM_ADDRESS + HYPERRAM_TAG_BOUNDS;
+      bounds                  = HYPERRAM_BOUNDS - HYPERRAM_TAG_BOUNDS;
+      break;
+    // Map twice the valid region.
+    case 3:
+      hyperram_area.address() = HYPERRAM_ADDRESS;
+      bounds                  = 2 * HYPERRAM_BOUNDS;
+      break;
+    // This case does not work because the exponent becomes too large to be able to represent the
+    // 8MiB range, and instead we end up with bounds of 16MiB and an invalid capability.
+    default:
+      hyperram_area.address() = HYPERRAM_ADDRESS;
+      bounds                  = HYPERRAM_TAG_BOUNDS;
+      break;
+  }
 
   Capability<Capability<volatile uint32_t>> hyperram_cap_area = root.cast<Capability<volatile uint32_t>>();
   hyperram_cap_area.address()                                 = HYPERRAM_ADDRESS;
-  hyperram_cap_area.bounds()                                  = HYPERRAM_BOUNDS;
+  hyperram_cap_area.bounds()                                  = bounds;
 
   // We also want byte, hword and dword access for some tests.
   Capability<volatile uint8_t> hyperram_b_area  = root.cast<volatile uint8_t>();
   hyperram_b_area.address()                     = HYPERRAM_ADDRESS;
-  hyperram_b_area.bounds()                      = HYPERRAM_BOUNDS;
+  hyperram_b_area.bounds()                      = bounds;
   Capability<volatile uint16_t> hyperram_h_area = root.cast<volatile uint16_t>();
   hyperram_h_area.address()                     = HYPERRAM_ADDRESS;
-  hyperram_h_area.bounds()                      = HYPERRAM_BOUNDS;
+  hyperram_h_area.bounds()                      = bounds;
   Capability<volatile uint64_t> hyperram_d_area = root.cast<volatile uint64_t>();
   hyperram_d_area.address()                     = HYPERRAM_ADDRESS;
-  hyperram_d_area.bounds()                      = HYPERRAM_BOUNDS;
+  hyperram_d_area.bounds()                      = bounds;
 
   // Run indefinitely, soak testing until we observe one or more failures.
   int failures = 0;
@@ -821,6 +996,10 @@ extern "C" [[noreturn]] void entry_point(void *rwRoot) {
     }
     log.print("  result...");
     write_test_result(log, failures);
+
+    log.println("Running mapped/tagged range test...");
+    failures += mapped_tagged_range_test(hyperram_area, hyperram_cap_area, prng, log, 0x400u);
+    write_test_result(log, failures);
   }
 
   // Report test failure.

sw/cheri/common/sonata-devices.hh

@@ -77,9 +77,12 @@ using PinmuxPtrs = std::pair<PinSinksPtr, BlockSinksPtr>;
 }
 
 [[maybe_unused]] static HyperramPtr hyperram_ptr(CapRoot root) {
+  // Unfortunately it is not possible to construct a capability that covers exactly the 8MiB range
+  // of the HyperRAM because of the encoding limitations of the CHERIoT capabilities.
+  // We therefore leave the final 16KiB inaccessible.
   CHERI::Capability<volatile uint32_t> hyperram = root.cast<volatile uint32_t>();
   hyperram.address()                            = HYPERRAM_ADDRESS;
-  hyperram.bounds()                             = HYPERRAM_BOUNDS;
+  hyperram.bounds()                             = HYPERRAM_BOUNDS - 0x4000u;
   return hyperram;
 }
 

sw/cheri/tests/hyperram_tests.hh

@@ -33,19 +33,24 @@ using namespace CHERI;
  * It can be overwride with a compilation flag
  */
 #ifndef TEST_COVERAGE_AREA
-// Test only 1% of the total memory to be fast enough for Verilator.
-#define TEST_COVERAGE_AREA 1
+// Test only n/1024 of the total memory to be fast enough for Verilator.
+//
+// Note: we are deliberately using power-of-two quantities here because of the addressing
+//       limitations of CHERIoT capabilities. There is 8MiB available but we must keep the
+//       testing short, so we choose to use just ca. 0.2%
+#define TEST_COVERAGE_AREA 2
 #endif
-_Static_assert(TEST_COVERAGE_AREA <= 100, "TEST_COVERAGE_AREA Should be less than 100");
+static_assert(TEST_COVERAGE_AREA <= 1024, "TEST_COVERAGE_AREA Should be less than 1024");
 
 #define TEST_BLOCK_SIZE 256
-#define HYPERRAM_SIZE (1024 * 1024) / 4
+// Size of mapped, tag-capable portion of HyperRAM, in 32-bit words.
+#define HYPERRAM_TAG_SIZE (HYPERRAM_TAG_BOUNDS / 4)
 
 /*
  * Compute the number of addresses that will be tested.
  * We mask the LSB 8bits to makes sure it is aligned.
  */
-#define HYPERRAM_TEST_SIZE (uint32_t)((HYPERRAM_SIZE * TEST_COVERAGE_AREA / 100) & ~0xFF)
+#define HYPERRAM_TEST_SIZE (uint32_t)((HYPERRAM_TAG_SIZE * TEST_COVERAGE_AREA / 0x400u) & ~0xFF)
 
 /*
  * Write random values to a block of memory (size given by 'TEST_BLOCK_SIZE'
@@ -301,11 +306,15 @@ int perf_burst_test(Capability<volatile uint32_t> hyperram_area, ds::xoroshiro::
 }
 
 void hyperram_tests(CapRoot root, Log &log) {
-  auto hyperram_area = hyperram_ptr(root);
+  // Unfortunately it is not possible to construct a capability that covers exactly the 8MiB range
+  // of the HyperRAM because of the encoding limitations of the CHERIoT capabilities, but here we
+  // are only concerned with testing a much smaller portion of the address range anyway.
+  const uint32_t hr_bounds = HYPERRAM_TEST_SIZE * 4u;
+  auto hyperram_area       = hyperram_ptr(root);
 
   Capability<Capability<volatile uint32_t>> hyperram_cap_area = root.cast<Capability<volatile uint32_t>>();
   hyperram_cap_area.address()                                 = HYPERRAM_ADDRESS;
-  hyperram_cap_area.bounds()                                  = HYPERRAM_BOUNDS;
+  hyperram_cap_area.bounds()                                  = hr_bounds;
 
   ds::xoroshiro::P64R32 prng;
   prng.set_state(0xDEADBEEF, 0xBAADCAFE);

sw/common/defs.h

@@ -13,7 +13,9 @@
 #define SRAM_BOUNDS (0x0002'0000)
 
 #define HYPERRAM_ADDRESS (0x4000'0000)
-#define HYPERRAM_BOUNDS (0x0010'0000)
+#define HYPERRAM_BOUNDS (0x0080'0000)
+// The portion of the HyperRAM that can support capabilities.
+#define HYPERRAM_TAG_BOUNDS (0x0040'0000)
 
 #define SYSTEM_INFO_ADDRESS (0x8000'C000)
 #define SYSTEM_INFO_BOUNDS (0x0000'0020)