ALERT_HANDLER DV document

Goals

DV
- Verify all ALERT_HANDLER IP features by running dynamic simulations with a SV/UVM based testbench
- Develop and run all tests based on the testplan below towards closing code and functional coverage on the IP and all of its sub-modules
- Verify transmitter and receiver pairs for alert (/hw/ip/prim/dv/prim_alert) and escalation (/hw/ip/prim/dv/prim_esc) via direct stimulus.
FPV
- Verify TileLink device protocol compliance with an SVA based testbench
- Verify transmitter and receiver pairs for alert and escalator
- Verify alert_handler_esc_timer and alert_handler_ping_timer

Current status

Design features

For detailed information on ALERT_HANDLER design features, please see the ALERT_HANDLER HWIP technical specification.

Testbench architecture

ALERT_HANDLER testbench has been constructed based on the CIP testbench architecture.

Block diagram

Top level testbench

Top level testbench is located at hw/ip/alert_handler/dv/tb/tb.sv. It instantiates the ALERT_HANDLER DUT module hw/ip/alert_handler/rtl/alert_handler.sv. In addition, it instantiates the following interfaces, connects them to the DUT and sets their handle into uvm_config_db:

Clock and reset interface
TileLink host interface
ALERT_HANDLER IOs
Alerts and escalations(alert_esc_if)
Interrupts (pins_if)
Devmode (pins_if)

The alert_handler testbench environment can be reused in chip level testing.

Common DV utility components

The following utilities provide generic helper tasks and functions to perform activities that are common across the project:

Global types & methods

All common types and methods defined at the package level can be found in alert_handler_env_pkg. Some of them in use are:

  parameter uint NUM_MAX_ESC_SEV = 8;

TL_agent

ALERT_HANDLER testbench instantiates (already handled in CIP base env) tl_agent which provides the ability to drive and independently monitor random traffic via TL host interface into ALERT_HANDLER device.

ALERT_ESC Agent

ALERT_ESC agent is used to drive and monitor transmitter and receiver pairs for the alerts and escalators. Alert_handler DUT includes alert_receivers and esc_senders, so the alert_esc agent will drive output signals of the alert_senders and esc_receivers.

UVM RAL Model

The ALERT_HANDLER RAL model is created with the ralgen FuseSoC generator script automatically when the simulation is at the build stage.

It can be created manually by invoking regtool.

Stimulus strategy

Test sequences

All test sequences reside in hw/ip/alert_handler/dv/env/seq_lib. The alert_handler_base_vseq virtual sequence is extended from cip_base_vseq and serves as a starting point. All test sequences are extended from alert_handler_base_vseq. It provides commonly used handles, variables, functions and tasks that the test sequences can simple use / call. Some of the most commonly used tasks / functions are as follows:

alert_handler_init: Configure alert_handler DUT by writing to intr_en, alert_en_shadowed_*, alert_class_shadowed_*, loc_alert_en_shadowed_*, loc_alert_class_shadowed_* registers.
drive_alert: Drive alert_tx signal pairs through alert_sender_driver.
drive_esc_rsp: Drive esc_rx signal pairs through esc_receiver_driver.
read_ecs_status: Readout registers that reflect escalation status, including classa/b/c/d_accum_cnt, classa/b/c/d_esc_cnt, and classa/b/c/d_state.
wait_alert_handshake_done: Wait for alert_rx/tx handshake to finish. If the alert’s low-power-group(LPG) is enabled, immediately return.
wait_esc_handshake_done: Wait for esc_rx/tx handshake to finish by reading class*_state registers and check esc_rx/tx signals.
set_alert_lpg: Given alert index, find the linked LPG group and enabled the LPG group by driving lpg_cg_en or lpg_rst_en to Mubi4True.
run_esc_rsp_seq_nonblocking: A non-blocking sequence to drive esc_tx when received escalation or escalation-ping requests.
run_alert_ping_rsp_seq_nonblocking: A non-blocking sequence to drive alert_rx when received alert-ping requests.

Functional coverage

To ensure high quality constrained random stimulus, it is necessary to develop a functional coverage model. The detailed covergroups are documented under alert_handler testplan.

Self-checking strategy

Scoreboard

The alert_handler_scoreboard is primarily used for end to end checking. It creates the following analysis ports to retrieve the data monitored by corresponding interface agents:

tl_a_chan_fifo: tl address channel
tl_d_chan_fifo: tl data channel
alert_fifo: An array of alert_fifo that connects to corresponding alert_monitors
esc_fifo: An array of esc_fifo that connects to corresponding esc_monitors

Alert_handler scoreboard monitors all valid CSR registers, alert handshakes, and escalation handshakes. To ensure certain alert, interrupt, or escalation signals are triggered at the expected time, the alert_handler scoreboard implemented a few counters:

intr_cnter_per_class[NUM_ALERT_HANDLER_CLASSES]: Count number of clock cycles that the interrupt bit stays high. If the stored number is larger than the timeout_cyc registers, the corresponding escalation is expected to be triggered
accum_cnter_per_class[NUM_ALERT_HANDLER_CLASSES]: Count number of alerts triggered under the same class. If the stored number is larger than the accum_threshold registers, the corresponding escalation is expected to be triggered
esc_cnter_per_signal[NUM_ESC_SIGNALS]: Count number of clock cycles that each escalation signal stays high. Compare the counter against phase_cyc registers

The alert_handler scoreboard is parameterized to support different number of classes, alert pairs, and escalation pairs.

Assertions

TLUL assertions: The tb/alert_handler_bind.sv binds the tlul_assert assertions to the IP to ensure TileLink interface protocol compliance.
Unknown checks on DUT outputs: The RTL has assertions to ensure all outputs are initialized to known values after coming out of reset.

Building and running tests

We are using our in-house developed regression tool for building and running our tests and regressions. Please take a look at the link for detailed information on the usage, capabilities, features and known issues. Here’s how to run a smoke test:

$ $REPO_TOP/util/dvsim/dvsim.py $REPO_TOP/hw/$CHIP/ip_autogen/alert_handler/dv/alert_handler_sim_cfg.hjson -i alert_handler_smoke

In this run command, $CHIP can be top_earlgrey, etc.

Testplan

Testpoints

Milestone	Name	Tests	Description
V1	smoke	alert_handler_smoke	Alert_handler smoke test with one class configured that escalates through all phases after one alert has been triggered Check interrupt pins, alert cause CSR values, escalation pings, and crashdump_o output values Support both synchronous and asynchronous settings
V1	csr_hw_reset	alert_handler_csr_hw_reset	Verify the reset values as indicated in the RAL specification. Write all CSRs with a random value. Apply reset to the DUT as well as the RAL model. Read each CSR and compare it against the reset value. it is mandatory to replicate this test for each reset that affects all or a subset of the CSRs. It is mandatory to run this test for all available interfaces the CSRs are accessible from. Shuffle the list of CSRs first to remove the effect of ordering.
V1	csr_rw	alert_handler_csr_rw	Verify accessibility of CSRs as indicated in the RAL specification. Loop through each CSR to write it with a random value. Read the CSR back and check for correctness while adhering to its access policies. It is mandatory to run this test for all available interfaces the CSRs are accessible from. Shuffle the list of CSRs first to remove the effect of ordering.
V1	csr_bit_bash	alert_handler_csr_bit_bash	Verify no aliasing within individual bits of a CSR. Walk a 1 through each CSR by flipping 1 bit at a time. Read the CSR back and check for correctness while adhering to its access policies. This verify that writing a specific bit within the CSR did not affect any of the other bits. It is mandatory to run this test for all available interfaces the CSRs are accessible from. Shuffle the list of CSRs first to remove the effect of ordering.
V1	csr_aliasing	alert_handler_csr_aliasing	Verify no aliasing within the CSR address space. Loop through each CSR to write it with a random value Shuffle and read ALL CSRs back. All CSRs except for the one that was written in this iteration should read back the previous value. The CSR that was written in this iteration is checked for correctness while adhering to its access policies. It is mandatory to run this test for all available interfaces the CSRs are accessible from. Shuffle the list of CSRs first to remove the effect of ordering.
V1	csr_mem_rw_with_rand_reset	alert_handler_csr_mem_rw_with_rand_reset	Verify random reset during CSR/memory access. Run csr_rw sequence to randomly access CSRs If memory exists, run mem_partial_access in parallel with csr_rw Randomly issue reset and then use hw_reset sequence to check all CSRs are reset to default value It is mandatory to run this test for all available interfaces the CSRs are accessible from.
V1	regwen_csr_and_corresponding_lockable_csr	alert_handler_csr_rw alert_handler_csr_aliasing	Verify regwen CSR and its corresponding lockable CSRs. Randomly access all CSRs Test when regwen CSR is set, its corresponding lockable CSRs become read-only registers Note: If regwen CSR is HW read-only, this feature can be fully tested by common CSR tests - csr_rw and csr_aliasing. If regwen CSR is HW updated, a separate test should be created to test it. This is only applicable if the block contains regwen and locakable CSRs.
V2	esc_accum	alert_handler_esc_alert_accum	Based on the smoke test, this test will focus on testing the escalation accumulation feature. So all the escalations in the test will be triggered by alert accumulation.
V2	esc_timeout	alert_handler_esc_intr_timeout	Based on the smoke test, this test will focus on testing the escalation timeout feature. So all the escalations in the test will be triggered by interrupt timeout.
V2	entropy	alert_handler_entropy	Based on the smoke test, this test enables ping testing, and check if the ping feature correctly pings all devices within certain period of time.
V2	sig_int_fail	alert_handler_sig_int_fail	This test will randomly inject differential pair failures on alert tx/rx pairs and the escalator tx/rx pairs. Then check if integrity failure alert is triggered and escalated.
V2	clk_skew	alert_handler_smoke	This test will randomly inject clock skew within the differential pairs. Then check no alert is raised.
V2	random_alerts	alert_handler_random_alerts	Input random alerts and randomly write phase cycles.
V2	random_classes	alert_handler_random_classes	Based on random_alerts test, this test will also randomly enable interrupt classes.
V2	ping_timeout	alert_handler_ping_timeout	Based on entropy test, this test request alert_sender and esc_receiver drivers to randomly create ping requests timeout stimulus. Checks: Verify interrupt pin and states. Verify alert and local alert causes. Verify escalation states and counts.
V2	lpg	alert_handler_lpg	Test alert_handler low_power_group(lpg) request. Stimulus: Randomly enabled alert_receivers' `alert_en` but disable their ping response. Turn on their low-power control by either set `lpg_cg_en_i` or `lpg_rst_en_i`. Enable alert ping timeout local alert. Run alert_handler_entropy_vseq. Checks: Expect no ping timeout error because the alert_receivers are disabled via low-power group.
V2	stress_all	alert_handler_stress_all	Combine above sequences in one test to run sequentially with the following exclusions: CSR sequences: scoreboard disabled Ping_corner_cases sequence: included reset in the sequence
V2	intr_test	alert_handler_intr_test	Verify common intr_test CSRs that allows SW to mock-inject interrupts. Enable a random set of interrupts by writing random value(s) to intr_enable CSR(s). Randomly "turn on" interrupts by writing random value(s) to intr_test CSR(s). Read all intr_state CSR(s) back to verify that it reflects the same value as what was written to the corresponding intr_test CSR. Check the cfg.intr_vif pins to verify that only the interrupts that were enabled and turned on are set. Clear a random set of interrupts by writing a randomly value to intr_state CSR(s). Repeat the above steps a bunch of times.
V2	tl_d_oob_addr_access	alert_handler_tl_errors	Access out of bounds address and verify correctness of response / behavior
V2	tl_d_illegal_access	alert_handler_tl_errors	Drive unsupported requests via TL interface and verify correctness of response / behavior. Below error cases are tested bases on the [TLUL spec]({{< relref "hw/ip/tlul/doc/_index.md#explicit-error-cases" >}}) TL-UL protocol error cases invalid opcode some mask bits not set when opcode is `PutFullData` mask does not match the transfer size, e.g. `a_address = 0x00`, `a_size = 0`, `a_mask = 'b0010` mask and address misaligned, e.g. `a_address = 0x01`, `a_mask = 'b0001` address and size aren't aligned, e.g. `a_address = 0x01`, `a_size != 0` size is greater than 2 OpenTitan defined error cases access unmapped address, expect `d_error = 1` when `devmode_i == 1` write a CSR with unaligned address, e.g. `a_address[1:0] != 0` write a CSR less than its width, e.g. when CSR is 2 bytes wide, only write 1 byte write a memory with `a_mask != '1` when it doesn't support partial accesses read a WO (write-only) memory write a RO (read-only) memory write with `instr_type = True`
V2	tl_d_outstanding_access	alert_handler_csr_hw_reset alert_handler_csr_rw alert_handler_csr_aliasing alert_handler_same_csr_outstanding	Drive back-to-back requests without waiting for response to ensure there is one transaction outstanding within the TL device. Also, verify one outstanding when back- to-back accesses are made to the same address.
V2	tl_d_partial_access	alert_handler_csr_hw_reset alert_handler_csr_rw alert_handler_csr_aliasing alert_handler_same_csr_outstanding	Access CSR with one or more bytes of data. For read, expect to return all word value of the CSR. For write, enabling bytes should cover all CSR valid fields.
V2S	shadow_reg_update_error	alert_handler_shadow_reg_errors	Verify shadowed registers' update error. Randomly pick a shadowed register in the DUT. Write it twice with different values. Verify that the update error alert is triggered and the register value remains unchanged. Verify the update_error status register field is set to 1. Repeat the above steps a bunch of times.
V2S	shadow_reg_read_clear_staged_value	alert_handler_shadow_reg_errors	Verify reading a shadowed register will clear its staged value. Randomly pick a shadowed register in the DUT. Write it once and read it back to clear the staged value. Then write it twice with the same new value (but different from the previous step). Read it back to verify the new value and ensure that the update error alert did not trigger. Verify the update_error status register field remains the same value. Repeat the above steps a bunch of times.
V2S	shadow_reg_storage_error	alert_handler_shadow_reg_errors	Verify shadowed registers' storage error. Randomly pick a shadowed register in the DUT. Backdoor write to shadowed or committed flops to create a storage fatal alert. Check if fatal alert continuously fires until reset. Verify that all other frontdoor write attempts are blocked during the storage error. Verify that storage_error status register field is set to 1. Reset the DUT. Read all CSRs to ensure the DUT is properly reset. Repeat the above steps a bunch of times.
V2S	shadowed_reset_glitch	alert_handler_shadow_reg_errors	Verify toggle shadowed_rst_n pin can trigger storage error. Randomly drive `shadowed_rst_n` pin to low or `rst_n` pin to low. check if any registers have been written before the reset. If so check if storage error fatal alert is triggered. Check status register. Drive `shadowed_rst_n` pin or `rst_n` pin back to high. If fatal alert is triggered, reset the DUT. Read all CSRs to ensure the DUT is properly reset. Repeat the above steps a bunch of times.
V2S	shadow_reg_update_error_with_csr_rw	alert_handler_shadow_reg_errors_with_csr_rw	Run shadow_reg_update_error sequence in parallel with csr_rw sequence. Randomly select one of the above sequences. Apply csr_rw sequence in parallel but disable the `csr_access_abort` to ensure all shadowed registers' write/read to be executed without aborting. Repeat the above steps a bunch of times.
V2S	tl_intg_err	alert_handler_tl_intg_err	Verify that the data integrity check violation generates an alert. Randomly inject errors on the control, data, or the ECC bits during CSR accesses. Verify that triggers the correct fatal alert.
V2S	sec_cm_bus_integrity		Verify the countermeasure(s) BUS.INTEGRITY.
V2S	sec_cm_config_shadow		Verify the countermeasure(s) CONFIG.SHADOW.
V2S	sec_cm_ping_timer_config_regwen		Verify the countermeasure(s) PING_TIMER.CONFIG.REGWEN.
V2S	sec_cm_alert_config_regwen		Verify the countermeasure(s) ALERT.CONFIG.REGWEN.
V2S	sec_cm_alert_loc_config_regwen		Verify the countermeasure(s) ALERT_LOC.CONFIG.REGWEN.
V2S	sec_cm_class_config_regwen		Verify the countermeasure(s) CLASS.CONFIG.REGWEN.
V2S	sec_cm_alert_intersig_diff		Verify the countermeasure(s) ALERT.INTERSIG.DIFF.
V2S	sec_cm_lpg_intersig_mubi		Verify the countermeasure(s) LPG.INTERSIG.MUBI.
V2S	sec_cm_esc_intersig_diff		Verify the countermeasure(s) ESC.INTERSIG.DIFF.
V2S	sec_cm_alert_rx_intersig_bkgn_chk		Verify the countermeasure(s) ALERT_RX.INTERSIG.BKGN_CHK.
V2S	sec_cm_esc_tx_intersig_bkgn_chk		Verify the countermeasure(s) ESC_TX.INTERSIG.BKGN_CHK.
V2S	sec_cm_esc_rx_intersig_bkgn_chk		Verify the countermeasure(s) ESC_RX.INTERSIG.BKGN_CHK.
V2S	sec_cm_esc_timer_fsm_sparse		Verify the countermeasure(s) ESC_TIMER.FSM.SPARSE.
V2S	sec_cm_ping_timer_fsm_sparse		Verify the countermeasure(s) PING_TIMER.FSM.SPARSE.
V2S	sec_cm_esc_timer_fsm_local_esc		Verify the countermeasure(s) ESC_TIMER.FSM.LOCAL_ESC.
V2S	sec_cm_ping_timer_fsm_local_esc		Verify the countermeasure(s) PING_TIMER.FSM.LOCAL_ESC.
V2S	sec_cm_esc_timer_fsm_global_esc		Verify the countermeasure(s) ESC_TIMER.FSM.GLOBAL_ESC.
V2S	sec_cm_accu_ctr_redun		Verify the countermeasure(s) ACCU.CTR.REDUN.
V2S	sec_cm_esc_timer_ctr_redun		Verify the countermeasure(s) ESC_TIMER.CTR.REDUN.
V2S	sec_cm_ping_timer_ctr_redun		Verify the countermeasure(s) PING_TIMER.CTR.REDUN.
V2S	sec_cm_ping_timer_lfsr_redun		Verify the countermeasure(s) PING_TIMER.LFSR.REDUN.
V3	stress_all_with_rand_reset	alert_handler_stress_all_with_rand_reset	This test runs 3 parallel threads - stress_all, tl_errors and random reset. After reset is asserted, the test will read and check all valid CSR registers.

Covergroups

Name	Description
accum_cnt_cg	Covers escalation due to accumulated alerts. Collect the threshold of accumulated alerts. Collect which alert_class exceeds the accumulated count. Cross the above coverpoints.
alert_cause_cg	Covers alert_cause register and related items. Collect which alert causes the alert_cause register to set. Collect the alert_class that this alert belongs to. Cross the above coverpoints.
alert_class_regwen_cg	Covers if regwen is locked for alert_class registers.
alert_en_regwen_cg	Covers if regwen is locked for alert_en registers.
alert_handshake_complete_cg	Cover if the alert handshake completes.
alert_loc_alert_cause_cg	Covers loc_alert_cause register regarding alert. Collect two loc_alert causes: alert_ping_fail and alert_integrity_fail. Collect which alert triggers this loc_alert. Collect the alert_class that this local alert belongs to. Cross the first coverpoint with the rest of the coverpoints.
alert_lpg_cg	Covers alert lpg status during an alert request. Cover if its lower-power-group (lpg) is enabled or disabled during an alert request.
alert_ping_lpg_cg	Covers alert lpg status during a ping request. Cover if its lower-power-group (lpg) is enabled or disabled during a ping request.
alert_trans_cg	Cover if the transaction is a ping request or an actual alert request.
class_accum_thresh_regwen_cg	Covers if regwen is locked for class_accum_thresh registers.
class_clr_regwen_cg	Covers if regwen is locked for class_clr registers.
class_crashdump_trigger_regwen_cg	Covers if regwen is locked for class_crashdump_trigger registers.
class_ctrl_regwen_cg	Covers if regwen is locked for class_ctrl registers.
class_phase_cyc_regwen_cg	Covers if regwen is locked for class_phase_cyc registers.
class_timeout_cyc_regwen_cg	Covers if regwen is locked for class_timeout_cyc registers.
clear_esc_cnt_cg	Covers escalation counter being cleared by class_clr_shadowed register.
clear_intr_cnt_cg	Covers interrupt counter being cleared by class_clr_shadowed register.
crashdump_trigger_cg	Covers which phase triggers crashdump.
esc_handshake_complete_cg	Cover if the escalation handshake completes.
esc_loc_alert_cause_cg	Covers loc_alert_cause register regarding escalation. Collect two loc_alert causes: esc_ping_fail and esc_integrity_fail. Collect which escalation triggers this loc_alert. Collect the alert_class that this local alert belongs to. Cross the first coverpoint with the rest of the coverpoints.
esc_sig_length_cg	Covers escalation signal length for each escalation signal.
esc_trans_cg	Cover if the transaction is a ping request or an actual escalation request.
intr_timeout_cnt_cg	Covers escalation due to interrupt timeout. Collect the threshold of interrupt timeout cycles. Collect which alert_class exceeds the timeout threshold. Cross the above coverpoints.
loc_alert_class_regwen_cg	Covers if regwen is locked for loc_alert_class registers.
loc_alert_en_regwen_cg	Covers if regwen is locked for loc_alert_en registers.
regwen_val_when_new_value_written_cg	Cover each lockable reg field with these 2 cases: When regwen = 1, a different value is written to the lockable CSR field, and a read occurs after that. When regwen = 0, a different value is written to the lockable CSR field, and a read occurs after that. This is only applicable if the block contains regwen and locakable CSRs.
tl_errors_cg	Cover the following error cases on TL-UL bus: TL-UL protocol error cases. OpenTitan defined error cases, refer to testpoint `tl_d_illegal_access`.
tl_intg_err_cg	Cover all kinds of integrity errors (command, data or both) and cover number of error bits on each integrity check. Cover the kinds of integrity errors with byte enabled write on memory if applicable: Some memories store the integrity values. When there is a subword write, design re-calculate the integrity with full word data and update integrity in the memory. This coverage ensures that memory byte write has been issued and the related design logic has been verfied.