[chip,dv] Fix monitoring alert_major_internal

Currently, the `chip_sw_rv_core_ibex_lockstep_glitch` test fails
with:
```
  Check failed alert_major_internal == exp_alert_major_internal
  (0 [0x0] vs 1 [0x1]) Major alert did not match expectation.
```
which could be quite a serious issue if the lockstep comparison
would not detect mismatches.

However, it turns out that the testbench simply reads the
`alert_major_internal` signal too late. As this signal is
generated purely combinational, the logic asserts this signal as
soon as we are flipping a bit. In the testbench, we though first
wait a couple of cycles before reading this signal, which is often
already too late.

Signed-off-by: Pascal Nasahl <[email protected]>

Author: nasahlpa

hw/top_earlgrey/dv/env/seq_lib/chip_sw_rv_core_ibex_lockstep_glitch_vseq.sv

@@ -583,6 +583,15 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
       endcase
     end
 
+    // Path to the alert_major_internal signal inside the lockstep.
+    alert_major_internal_path = $sformatf("%s.alert_major_internal_o", lockstep_path);
+    alert_major_internal = 1'b0;
+
+    // An alert should be triggered, so we check for that. Depending on the glitched signal and
+    // core it may take several clock cycles for a potential alert to fire. We wait for at most
+    // max_delay_clks cycles.
+    max_delay_clks = 10 + lockstep_offset;
+
     // The MuBi encoded enable_cmp_q signal is responsible for enabling/disabling the
     // lockstep comparison. Due to the encoding and the implemented enabling/disabling
     // logic, we tolerate a fault into this signal. Even when faulting this signal,
@@ -602,115 +611,115 @@ class chip_sw_rv_core_ibex_lockstep_glitch_vseq extends chip_sw_base_vseq;
     // Force the glitched value onto the port for one cycle, then release it again.
     `DV_CHECK_FATAL(uvm_hdl_force(glitch_path, glitched_val));
     `uvm_info(`gfn, $sformatf("Forcing %s to value 'h%0x.", glitch_path, glitched_val), UVM_LOW)
-    if (!glitch_lockstep_core && glitched_port_is_inp) begin
-      // The input ports of the ibex_core module are defined as `logic` without an explicit net
-      // type. According to the standard, simulation tools are thus supposed to model these inputs
-      // using a `var` type. However, it turns out that some tools collapse input ports into a
-      // single object to reduce the number of assignments to improve simulation performance.
-      // As a result, glitches inserted to inputs of the non-lockstep core may propagate back and
-      // also change the input of the lockstep core. If this happens, both cores are glitched
-      // simultaneously without any alerts firing.
-      //
-      // To avoid this, we also glitch the corresponding input of the ibex_lockstep instance to
-      // the opposite value. The ibex_lockstep instance is embedded inside prim_buf cells across
-      // which glitches don't propagate back. Also, the delay lines are embedded inside the
-      // ibex_lockstep instance. It's thus fine to apply the glitch simultaneously.
-      //
-      // It's further worth noting that:
-      //
-      // 1. For some top-level inputs there may exist single points of failure, e.g. some inputs
-      //    without integrity protection, some control signals without spurious enable detection.
-      //    There are always such single points of failures. Where and how many there are depends
-      //    on the surrounding modules, backend etc. and is out of scope for the lockstep
-      //    countermeasure.
-      // 2. To verify the lockstep countermeasure, we should actually be glitching internal core
-      //    signals instead of inputs to the ibex_core module. However, the problem with this is
-      //    that it's infeasible to always correctly model how the glitching of any internal signal
-      //    impacts core behavior and ultimately whether this should be detected. Forcing inputs
-      //    of ibex_core is a way to make the test feasible in the first place.
-      //
-      // For more details refer to https://github.com/lowRISC/ibex/pull/1967 .
-      `DV_CHECK_FATAL(uvm_hdl_force(glitch_path_lockstep, orig_val));
-      `uvm_info(`gfn, $sformatf("Forcing %s to value 'h%0x.", glitch_path_lockstep, orig_val),
-          UVM_LOW)
-    end
-    cfg.chip_vif.cpu_clk_rst_if.wait_n_clks(1);
-    if ((uvm_re_match("irq_*_i", port_name) != 0) && (port_name != "debug_req_i")) begin
-      // If the port is not an interrupt or debug request, which are level-sensitive signals,
-      // release the forcing at this point.
-      `DV_CHECK_FATAL(uvm_hdl_release(glitch_path));
-      `uvm_info(`gfn, $sformatf("Releasing force of %s.", glitch_path), UVM_LOW)
-      if (!glitch_lockstep_core && glitched_port_is_inp) begin
-        // In case we glitched an input port of the non-lockstep core, we must now also release
-        // the force applied to the corresponding port of the ibex_lockstep instance.
-        `DV_CHECK_FATAL(uvm_hdl_release(glitch_path_lockstep));
-        `uvm_info(`gfn, $sformatf("Releasing force of %s.", glitch_path_lockstep), UVM_LOW)
-      end
-    end
 
-    // An alert should be triggered, so we check for that. Depending on the glitched signal and
-    // core it may take several clock cycles for a potential alert to fire. We wait for at most
-    // max_delay_clks cycles.
-    max_delay_clks = 10 + lockstep_offset;
-
-    // Assert that `enable_cmp_q` in `ibex_lockstep` is 1.  When coming out of reset and
-    // starting execution, it takes `LockstepOffset` clock cycles for this to happen.
-    for (int i = 0; i < lockstep_offset; i++) begin
-      `DV_CHECK_FATAL(uvm_hdl_read(enable_cmp_path, enable_cmp))
-      if (enable_cmp == ibex_pkg::IbexMuBiOn) begin
-        break;
-      end else begin
+    fork
+      begin : monitor_alert_major_internal
+        // Check that `alert_major_internal_o` of `ibex_lockstep` matches our expectation. Depending
+        // on the glitched signal and core it may take several clock cycles for a potential alert to
+        // fire. We wait for at most max_delay_clks cycles.
+        for (int i = 0; i <= max_delay_clks; i++) begin
+          `uvm_info(`gfn, $sformatf("Checking for potential alert in cycle %0d.", i), UVM_LOW)
+          `DV_CHECK_FATAL(uvm_hdl_read(alert_major_internal_path, alert_major_internal))
+          if (alert_major_internal) begin
+            break;
+          end
+          cfg.chip_vif.cpu_clk_rst_if.wait_n_clks(1);
+        end
+      end : monitor_alert_major_internal
+      begin : determine_response
+        if (!glitch_lockstep_core && glitched_port_is_inp) begin
+          // The input ports of the ibex_core module are defined as `logic` without an explicit net
+          // type. According to the standard, simulation tools are thus supposed to model these inputs
+          // using a `var` type. However, it turns out that some tools collapse input ports into a
+          // single object to reduce the number of assignments to improve simulation performance.
+          // As a result, glitches inserted to inputs of the non-lockstep core may propagate back and
+          // also change the input of the lockstep core. If this happens, both cores are glitched
+          // simultaneously without any alerts firing.
+          //
+          // To avoid this, we also glitch the corresponding input of the ibex_lockstep instance to
+          // the opposite value. The ibex_lockstep instance is embedded inside prim_buf cells across
+          // which glitches don't propagate back. Also, the delay lines are embedded inside the
+          // ibex_lockstep instance. It's thus fine to apply the glitch simultaneously.
+          //
+          // It's further worth noting that:
+          //
+          // 1. For some top-level inputs there may exist single points of failure, e.g. some inputs
+          //    without integrity protection, some control signals without spurious enable detection.
+          //    There are always such single points of failures. Where and how many there are depends
+          //    on the surrounding modules, backend etc. and is out of scope for the lockstep
+          //    countermeasure.
+          // 2. To verify the lockstep countermeasure, we should actually be glitching internal core
+          //    signals instead of inputs to the ibex_core module. However, the problem with this is
+          //    that it's infeasible to always correctly model how the glitching of any internal signal
+          //    impacts core behavior and ultimately whether this should be detected. Forcing inputs
+          //    of ibex_core is a way to make the test feasible in the first place.
+          //
+          // For more details refer to https://github.com/lowRISC/ibex/pull/1967 .
+          `DV_CHECK_FATAL(uvm_hdl_force(glitch_path_lockstep, orig_val));
+          `uvm_info(`gfn, $sformatf("Forcing %s to value 'h%0x.", glitch_path_lockstep, orig_val),
+              UVM_LOW)
+        end
         cfg.chip_vif.cpu_clk_rst_if.wait_n_clks(1);
-      end
-    end
-    `DV_CHECK_NE_FATAL(enable_cmp, ibex_pkg::IbexMuBiOff,
-                       "Lockstep comparison disabled, which is illegal.")
+        if ((uvm_re_match("irq_*_i", port_name) != 0) && (port_name != "debug_req_i")) begin
+          // If the port is not an interrupt or debug request, which are level-sensitive signals,
+          // release the forcing at this point.
+          `DV_CHECK_FATAL(uvm_hdl_release(glitch_path));
+          `uvm_info(`gfn, $sformatf("Releasing force of %s.", glitch_path), UVM_LOW)
+          if (!glitch_lockstep_core && glitched_port_is_inp) begin
+            // In case we glitched an input port of the non-lockstep core, we must now also release
+            // the force applied to the corresponding port of the ibex_lockstep instance.
+            `DV_CHECK_FATAL(uvm_hdl_release(glitch_path_lockstep));
+            `uvm_info(`gfn, $sformatf("Releasing force of %s.", glitch_path_lockstep), UVM_LOW)
+          end
+        end
 
-    // Calculate whether we expect a major alert.
-    exp_alert_major_internal = 1'b0;
-    if (glitched_port_is_inp) begin
-      // Expect a major alert for a *used* glitched input.
-      if (glitched_inp_used) begin
-        exp_alert_major_internal = 1'b1;
-        `uvm_info(`gfn, "Expecting an internal major alert because glitched input is used.",
-                  UVM_LOW)
-      end else begin
+        // An alert should be triggered, so we check for that. Depending on the glitched signal and
+        // core it may take several clock cycles for a potential alert to fire. We wait for at most
+        // max_delay_clks cycles.
+        max_delay_clks = 10 + lockstep_offset;
+
+        // Assert that `enable_cmp_q` in `ibex_lockstep` is 1.  When coming out of reset and
+        // starting execution, it takes `LockstepOffset` clock cycles for this to happen.
+        for (int i = 0; i < lockstep_offset; i++) begin
+          `DV_CHECK_FATAL(uvm_hdl_read(enable_cmp_path, enable_cmp))
+          if (enable_cmp == ibex_pkg::IbexMuBiOn) begin
+            break;
+          end else begin
+            cfg.chip_vif.cpu_clk_rst_if.wait_n_clks(1);
+          end
+        end
+        `DV_CHECK_NE_FATAL(enable_cmp, ibex_pkg::IbexMuBiOff,
+                          "Lockstep comparison disabled, which is illegal.")
+
+        // Calculate whether we expect a major alert.
         exp_alert_major_internal = 1'b0;
-        `uvm_info(`gfn, "Expecting no internal major alert because glitched input is not used.",
-                  UVM_LOW)
-      end
-    end else begin
-      // Always expect a major alert for a glitched output.
-      exp_alert_major_internal = 1'b1;
-      `uvm_info(`gfn, "Expecting an internal major alert due to glitched output.", UVM_LOW)
-    end
+        if (glitched_port_is_inp) begin
+          // Expect a major alert for a *used* glitched input.
+          if (glitched_inp_used) begin
+            exp_alert_major_internal = 1'b1;
+            `uvm_info(`gfn, "Expecting an internal major alert because glitched input is used.",
+                      UVM_LOW)
+          end else begin
+            exp_alert_major_internal = 1'b0;
+            `uvm_info(`gfn, "Expecting no internal major alert because glitched input is not used.",
+                      UVM_LOW)
+          end
+        end else begin
+          // Always expect a major alert for a glitched output.
+          exp_alert_major_internal = 1'b1;
+          `uvm_info(`gfn, "Expecting an internal major alert due to glitched output.", UVM_LOW)
+        end
+      end : determine_response
+    join
 
+    // If we expect a major internal alert, check if we have seen it.
     if (exp_alert_major_internal) begin
       seen_top_level_alert = 1'b0;
       // Give the rv_core_ibex_fatal_hw_err alert a few more cycles to propagate out compared to the
       // alert signal at the ibex top level.
       check_alert_occurs("rv_core_ibex_fatal_hw_err", max_delay_clks + 5);
     end
 
-    // Check that `alert_major_internal_o` of `ibex_lockstep` matches our expectation. Depending on
-    // the glitched signal and core it may take several clock cycles for a potential alert to fire.
-    // We wait for at most max_delay_clks cycles.
-    alert_major_internal_path = $sformatf("%s.alert_major_internal_o", lockstep_path);
-    for (int i = 0; i <= max_delay_clks; i++) begin
-      `uvm_info(`gfn, $sformatf("Checking for potential alert in cycle %0d.", i), UVM_MEDIUM)
-      `DV_CHECK_FATAL(uvm_hdl_read(alert_major_internal_path, alert_major_internal))
-      if (exp_alert_major_internal) begin
-        if (alert_major_internal) begin
-          `uvm_info(`gfn, $sformatf("Major alert expectedly fired in cycle %0d.", i), UVM_LOW)
-          break;
-        end
-      end else begin
-        `DV_CHECK_EQ_FATAL(alert_major_internal, exp_alert_major_internal,
-                           $sformatf("Major alert unexpectedly fired in cycle %0d.", i))
-      end
-      cfg.chip_vif.cpu_clk_rst_if.wait_n_clks(1);
-    end
-
     `DV_CHECK_EQ_FATAL(alert_major_internal, exp_alert_major_internal,
                        "Major alert did not match expectation.")