Dummy instruction frequency can be violated
Created by: silabs-krdosvik
Bug: The frequency of dummy instructions can be violated.
Component: RTL dummy instructions
https://docs.openhwgroup.org/projects/cv32e40s-user-manual/en/latest/xsecure.html

We want to ensure the shown requirements.
https://github.com/openhwgroup/cv32e40s/blob/master/rtl/cv32e40s_dummy_instr.sv
The code produces the following waveform:
In the clock tick marked by the red ellipse we observe that `cnt_q > lfsr_cnt`. Therefore we insert a dummy instruction by setting the signal `dummy_insert_o` high. The instruction into which a dummy has been inserted does not propagate further into the pipeline because `(if_valid_o & id_ready_i) != 1`. Nevertheless, the counter is reset.
An illustration of a possible counter example can be the following:
Where i = regular instruction, d = dummy instruction, b1, b2, b3 = branch instructions (which are also regular instructions) and dx = dummy instruction that will not enter the other pipeline stages. The branch instructions are stalled in the ID stage because of PC hardening. dx is not actually reported in the rvfi stage, but if it was, it would look something like what’s shown above. The red symbols count the number of regular instructions in a row, 5, which is more than what we would expect, 4.
Conclusion: The problem is that we reset the counter before making sure that the dummy instruction propagates into the pipeline. We encounter this when inserting the dummy instructions into invalid instructions, instead of valid instructions.
Possible solutions:
- Check that a dummy instruction was inserted into "valid" instructions. Can be done by changing the dummy_insert_o expression to `dummy_insert_o = (cnt_q > lfsr_cnt) && dummy_en && instr_issued_i;`
- Change when you reset the counter. Can be done by changing the cnt_rst expression to `cnt_rst = !dummy_en || (dummy_insert_o & instr_issued_i) || xsecure_ctrl_i.cntrst;`
- Other smart fixes.
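
The following cycle-level model is an added example, not code from the cv32e40s repository or from the reporter. It compares the reset behaviour described in the report with the two proposed fixes and measures the longest run of regular instructions. It assumes a constant `lfsr_cnt` of 3, `dummy_en = 1`, `xsecure_ctrl_i.cntrst = 0`, that `instr_issued_i` corresponds to `if_valid_o & id_ready_i`, and that the counter increments once per issued regular instruction; the function names and the stall pattern are constructed for illustration.

```python
# Simplified model of the dummy-instruction counter (assumed behaviour, not RTL).

def simulate(issued, lfsr_cnt=3, variant="original"):
    """Return the committed stream: 'i' = regular, 'd' = dummy instruction.

    issued[k] models instr_issued_i in cycle k. variant selects:
      "original"    - counter reset whenever dummy_insert_o is high
      "gate_insert" - first proposed fix (dummy_insert_o gated by instr_issued_i)
      "gate_reset"  - second proposed fix (cnt_rst gated by instr_issued_i)
    """
    cnt, stream = 0, []
    for cycle_issued in issued:
        instr_issued = bool(cycle_issued)
        want_dummy = cnt > lfsr_cnt
        dummy_insert = want_dummy and (instr_issued or variant != "gate_insert")
        cnt_rst = dummy_insert and (instr_issued or variant != "gate_reset")
        if instr_issued:
            # Only an issued instruction leaves the IF stage.
            stream.append("d" if dummy_insert else "i")
        # Otherwise a raised dummy is lost in the stalled cycle ("dx").
        if cnt_rst:
            cnt = 0
        elif instr_issued:
            cnt += 1
    return "".join(stream)


def max_regular_run(stream):
    """Longest run of consecutive regular instructions in the stream."""
    return max((len(run) for run in stream.split("d")), default=0)


# Constructed stall pattern: the stage is stalled (0) in exactly the cycle
# where the counter first exceeds lfsr_cnt.
STALL_PATTERN = [1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1]

if __name__ == "__main__":
    for variant in ("original", "gate_insert", "gate_reset"):
        s = simulate(STALL_PATTERN, variant=variant)
        print(f"{variant:12s} {s}  longest regular run = {max_regular_run(s)}")
```

In this model the two fixes behave identically; whether they differ in the real pipeline depends on other consumers of `dummy_insert_o`, which the model does not cover.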