Introduction to Dromajo
Dromajo dumps the architectural state of a reference model and generates boot code that restores it, if needed. It supports up to two cores and links to a simulator as a shared library. The simulator communicates with Dromajo via DPI calls. This article introduces Dromajo. The following sections describe some of its features. You can download and try it out! If you want to create your own virtual hardware, you can also build it yourself!
RTL encapsulation
The semantic model for Dromajo is based on Fabrice Bellard’s TinyEMU and has been extensively verified, bug-fixed, and enhanced for ISA 2.3/priv 1.11. It enables a side-by-side comparison of RTL and reference model. The tool supports interactive transaction-based analysis and can be used by both novices and experienced programmers. Here is a quick overview of some key features.
Random mutation: random mutations in Dromajo can result in translation errors or ITLB entry bugs. The bug occurs when a CVA6 incorrectly sets the mcause register to a different value than the memory address. The CVA6 translation error can be traced by using Dromajo’s traces. Using the trace analysis, we can see that Dromajo flags a mismatch when reading the mtval CSR. In this case, the cores start running the binary in M-privileged mode and write to a CSR named mepc, which is set to 0x196. The mret instruction is supposed to change the privileged mode and return the program flow to mepc address. However, the instruction mret does not revert to privileged mode and throws
Dromajo is encapsulated in RTL as a submodule. The RTL model must populate the main memory and initialize content through Verilog functions. Boot code is called during this phase to boot the cores to identical architectural states. The RTL model must be able to access both cores and run the boot code. When the boot code runs, the RTL models are in the same state.
The Dromajo checkpointed infrastructure enables fully deterministic architectural states. The Dromajo RISC-V model can also be used for fake system calls or DTM 2.0. The proposed verification tools were evaluated on three RISC-V processors. The evaluation results indicate that Dromajo is capable of capturing bugs and exposing their sources. However, there are still many open questions regarding Dromajo’s usability and effectiveness.
Checkpoints
If you are using a simulation tool for RISC-V architecture development, checkpoints are an important part of that tool’s architecture. In this article, we’ll examine the basic concept of a checkpoint and how they work with Dromajo. Basically, a checkpoint is a snapshot of the architectural state of a processor. Dromajo can dump and resume checkpoints to test the functionality of arbitrary RISC-V applications.
In this example, the mtval CSR is read by the cores while they are running a binary in M-privileged mode. Then the cores write a value to the CSR mepc, which is 0x196. This mret instruction is supposed to change the privileged mode to 0x196 and revert the program flow to that address, but instead, it throws an instruction page fault. The ISA requires an instruction page fault in order to reset the mtval value to the address of the exception.
Dromajo checkpoints include architectural states, memory, reprogram interrupts, and performance counters. This can be achieved by creating a small valid bootrom that leverages the RISC-V debug spec. This allows for checkpoints to be shared across different CPUs and architectures. The checkpoints are also easily generated in a virtual environment, making them highly useful for testing.
Memory
A problem in Dromajo causes a translation error when an incorrect value is read from the mtval CSR. The Dromajo trace analysis shows that a single load instruction had a different value than its memory address. After a CVA6 instruction overwrites the value, the program is supposed to return to the mepc address using the mret instruction. Instead, the mret instruction fails, throwing an instruction page fault. The ISA requires the mtval value to be set to the address of the exception.
The DPI wrapper function cosim_init() is called within the initial Verilog block. This function calls the Dromajo initialization API function, passing a path to the configuration file. It returns a pointer to a Dromajo RISC-V reference model initialized to use a given configuration file. The configuration file specifies the location of a checkpoint and contains core-specific information.
Another issue in the RISC-V ISA involves the integer divide unit, which fails to handle some corner cases. A Dromajo test found a mismatch when a core was executing a division of -1/1. The result was a single -1 being written to the destination register while a 0 was written to the same location by the CVA6 code. In addition, the RISC-V ISA specifies when to write to the stval CSR, but Dromajo incorrectly sets the setting.
The Dromajo platform offers many benefits. Its open source nature makes it an ideal candidate for integration with existing RISC-V cores. It also has the advantage of exposing bugs, allowing it to prove its effectiveness in real-life applications. In addition to being able to co-simulate arbitrary RISC-V applications, Dromajo also provides a fully deterministic architectural state.
Performance counters
Dromajo’s performance counters enable you to monitor the execution performance of your program. They show the divergence from the simulation and the state of the registers on failure. They can catch architectural state bugs in their earliest stages, before simulation. Dromajo can also be used with BOOM. This article will describe how to use performance counters in Dromajo. It is licensed under the Apache 2.0 license and can be downloaded for free.
Performance counters in Dromajo are useful for analyzing and monitoring the performance of Linux applications. Dromajo is designed for co-simulation with RTL processors. It has easy APIs that facilitate integration and allows Linux applications to run under a fast software simulation. The checkpoint feature enables the application to capture bugs and generate checkpoints after a pre-set number of cycles. It can also resume checkpoints and capture bugs.
Dromajo includes checkpoints for architectural state, memory, reprogram interrupts, and performance counters. It can also generate checkpoints during a simulation with arbitrary RISC-V applications. It can resume a checkpoint if co-simulation is enabled. Dromajo aims to make simulation time more productive by providing an efficient testing environment for long-running programs. Moreover, it supports arbitrary RISC-V applications and spec benchmarks running on Linux.
When performing trace analysis, Dromajo flagged a mismatch during the reading of the mtval CSR. In this case, the application was running in M-privileged mode, and reads the CSR mepc. This instruction was supposed to change privileged mode and revert program flow to mepc address. Consequently, the mret instruction failed, throwing an ISA.
Bugs exposed
Several Dromajo bugs have been publicly exposed recently. This article will discuss a bug identified in 6.3.1. The issue is caused by a mismatch in the mtval CSR. When Dromajo starts executing a binary in machine-mode, it fails to update the prv bits to the current running privileged level. This leads to a halting of the execution and an error.
To test the effectiveness of Dromajo in finding bugs, we tested it on an open-source RISC-V processor. Our results showed that the new tool identified thirteen bugs. The number of exposed bugs increased from nine to thirteen. These results show that the tool can expose more bugs in the simulation phase compared to Dromajo alone. The Dromajo bug detection tool also increased the number of bugs by a factor of two when used with the Logic Fuzzer.
Dromajo uses checkpoints to test arbitrary RISC-V programs. Each checkpoint is a snapshot of the processor’s architectural state. Dromajo can generate checkpoints with arbitrary RISC-V applications and resume them with co-simulation enabled. Additionally, Dromajo addresses the productivity of simulation time. It can run long programs, such as SPEC benchmarks, on a Linux system. It can also dump checkpoints during a simulation run and co-simulate them across multiple simulations.
In order to start Dromajo, the initialization API is called from the DPI wrapper-function cosim_init() within the initial Verilog block. The callback returns a pointer to a Dromajo-initialized RISC-V reference model. The configuration file contains core-specific information as well as a checkpoint location. These errors can cause significant system failures.
