[PATCHv2 26/26] leon,tn-0018: work around GRLIB-TN-0018 errata

Daniel Hellstrom daniel at gaisler.com
Fri Oct 16 11:51:55 UTC 2020


Overview
========

The errata is worked around in the kernel without requiring toolchain
modifications. It is triggered the JMPL/RETT return from trap instruction
sequence never generated by the compiler and. There are also other
conditions that must must be true to trigger the errata, for example the
instruction that the trap returns to has to be a JMPL instruction. The
errata can only be triggered if certain data is corrected by ECC
(inflicted by radiation), thus it can not be triggered under normal
operation. For more information see:
	 www.gaisler.com/notes

Affected RTEMS target BSPs:
 * GR712RC
 * UT699
 * UT700/699E

The work around is enabled by defining __FIX_LEON3_TN0018 at build time.
After applying the following GCC patch, GCC will set the define when
compiling for an affected multilib:
  * GR712RC (-mcpu=leon3 -mfix-gr712rc)
  * UT700/UT699E (-mpcu=leon3 -mfix-ut700)
  * UT699 (-mcpu=leon -mfix-ut699)
When building for another multilib and TN0018 is still required, it
is possible to enable it on the RTEMS kernel configure line using the
TARGET_CFLAGS (-D__FIX_LEON3FT_TN0018) or other by other means.

The following GCC patch sets __FIX_LEON3FT_TN0018 for the affected RTEMS
multilibs:
---------
diff --git a/gcc/config/sparc/rtemself.h b/gcc/config/sparc/rtemself.h
index 6570590..ddec98c 100644
--- a/gcc/config/sparc/rtemself.h
+++ b/gcc/config/sparc/rtemself.h
@@ -33,6 +33,8 @@
        builtin_assert ("system=rtems");        \
        if (sparc_fix_b2bst)                    \
          builtin_define ("__FIX_LEON3FT_B2BST"); \
+       if (sparc_fix_gr712rc || sparc_fix_ut700 || sparc_fix_ut699) \
+         builtin_define ("__FIX_LEON3FT_TN0018"); \
     }                                          \
   while (0)
---------

Workaround Implementation
=========================

In general there are two approaches that the workaround uses:
 A) avoid ECC restarting the RETT instruction
 B) avoid returning from trap to a JMPL instruction

Where A) comes at a higher performance cost than B), so B) is used
where posssible. B) can be achived for certain returns from trap
handlers if trap entry is controlled by assembly, such as system calls.

A)
A special JMPL/RETT sequence where instruction cache is disabled
temporarily to avoid RETT containing ECC errors, and reading of RETT
source registers to "clean" them from incorrect ECC just before RETT
is executed.

B)
The work around prevents JMPL after system calls (TA instruction) and
modifies assembly code on return from traps jumping back to application
code. Note that for some traps the trapped instruction is always
re-executed and can therefore not trigger the errata, for example the
SAVE instruction causing window overflow or an float instruction causing
FPU disabled trap.

RTEMS SPARC traps workaround implementation:
   NAME                 NOTE   TRAP   COMMENT
 * window overflow         1 - 0x05   always returns to a SAVE
 * window underflow        1 - 0x06   always returns to a RESTORE
 * interrupt traps         2 - 0x10..1f special rett sequence workaround
 * syscall                 3 - 0x80   shutdown system - never returns
 * ABI flush windows       2 - 0x83   special rett sequence workaround
 * syscall_irqdis          4 - 0x89
 * syscall_irqen           4 - 0x8A
 * syscall_irqdis_fp       1 - 0x8B   always jumps back to FP instruction
 * syscall_lazy_fp_switch  5 - 0x04   A) jumps back to FP instruction, or to
                                      B) _Internal_error() starting with SAVE

 Notes:
 1) no workaround needed because trap always returns to non-JMPL instruction
 2) workaround implemented by special rett sequence
 3) no workaround needed because system call never returns
 4) workaround implemented by inserting NOP in system call generation. Thus
    fall into 1) when workaround is enabled and no trap handler fix needed.
 5) trap handler branches into both 1) and returning to _Internal_error()
    which starts with a SAVE and besides since it shuts down the system that
    RETT should never be in cache (only executed once) so fix not necessary
    in this case.

Any custom trap handlers may also have to be updated. To simplify that,
helper work around assembly code in macros are available in a separate
include file <libcpu/grlib-tn-0018.h>.

Update #4155.
---
 cpukit/score/cpu/sparc/cpu_asm.S                   |  3 +
 cpukit/score/cpu/sparc/headers.am                  |  1 +
 .../score/cpu/sparc/include/libcpu/grlib-tn-0018.h | 85 ++++++++++++++++++++++
 cpukit/score/cpu/sparc/include/rtems/score/sparc.h |  4 +
 cpukit/score/cpu/sparc/sparc-counter-asm.S         |  4 +
 cpukit/score/cpu/sparc/window.S                    |  9 ++-
 6 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 cpukit/score/cpu/sparc/include/libcpu/grlib-tn-0018.h

diff --git a/cpukit/score/cpu/sparc/cpu_asm.S b/cpukit/score/cpu/sparc/cpu_asm.S
index 1251faa..e884fb2 100644
--- a/cpukit/score/cpu/sparc/cpu_asm.S
+++ b/cpukit/score/cpu/sparc/cpu_asm.S
@@ -23,6 +23,7 @@
 
 #include <rtems/asm.h>
 #include <rtems/score/percpu.h>
+#include <libcpu/grlib-tn-0018.h>
 
 #if defined(SPARC_USE_SYNCHRONOUS_FP_SWITCH)
   #define FP_FRAME_OFFSET_FO_F1 (SPARC_MINIMUM_STACK_FRAME_SIZE + 0)
@@ -895,11 +896,13 @@ simple_return:
         save                               ! Back to ISR dispatch window
 
 good_task_window:
+        TN0018_WAIT_IFLUSH %l3,%l4         ! GRLIB-TN-0018 work around macro
 
         mov     %l0, %psr                  !  **** DISABLE TRAPS ****
         nop; nop; nop
                                            !  and restore condition codes.
         ld      [%g1 + ISF_G1_OFFSET], %g1 ! restore g1
+        TN0018_FIX %l3,%l4                 ! GRLIB-TN-0018 work around macro
         jmp     %l1                        ! transfer control and
         rett    %l2                        ! go back to tasks window
 
diff --git a/cpukit/score/cpu/sparc/headers.am b/cpukit/score/cpu/sparc/headers.am
index f5fc1aa..25eaeaa 100644
--- a/cpukit/score/cpu/sparc/headers.am
+++ b/cpukit/score/cpu/sparc/headers.am
@@ -1,6 +1,7 @@
 ## This file was generated by "./boostrap -H".
 include_libcpu_HEADERS += score/cpu/sparc/include/libcpu/access.h
 include_libcpu_HEADERS += score/cpu/sparc/include/libcpu/byteorder.h
+include_libcpu_HEADERS += score/cpu/sparc/include/libcpu/grlib-tn-0018.h
 include_machine_HEADERS += score/cpu/sparc/include/machine/elf_machdep.h
 include_rtems_HEADERS += score/cpu/sparc/include/rtems/asm.h
 include_rtems_score_HEADERS += score/cpu/sparc/include/rtems/score/cpu.h
diff --git a/cpukit/score/cpu/sparc/include/libcpu/grlib-tn-0018.h b/cpukit/score/cpu/sparc/include/libcpu/grlib-tn-0018.h
new file mode 100644
index 0000000..62f33da
--- /dev/null
+++ b/cpukit/score/cpu/sparc/include/libcpu/grlib-tn-0018.h
@@ -0,0 +1,85 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+
+/*
+ * Copyright (C) 2020 Cobham Gailer AB
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* NOTE: the lda should be on offset 0x18 */
+#if defined(__FIX_LEON3FT_TN0018)
+
+/* LEON3 Cache controller register accessed via ASI 2 */
+#define ASI_CTRL 0x02
+#define CCTRL_IP_BIT 15
+#define CCTRL_ICS 0x3
+
+/*
+ * l3: (out) original cctrl
+ * l4: (out) original cctrl with ics=0
+ * NOTE: This macro modifies psr.icc.
+ */
+.macro TN0018_WAIT_IFLUSH out1 out2
+1:
+        ! wait for pending iflush to complete
+        lda     [%g0] ASI_CTRL, \out1
+        srl     \out1, CCTRL_IP_BIT, \out2
+        andcc   \out2, 1, %g0
+        bne     1b
+         andn   \out1, CCTRL_ICS, \out2
+.endm
+
+
+.macro TN0018_WRITE_PSR src
+        wr      \src, %psr
+.endm
+
+/* Prevent following jmp;rett sequence from "re-executing" due to cached RETT or source
+ * registers (l1 and l2) containing bit faults triggering ECC.
+ *
+ * l3: (in) original cctrl
+ * l4: (in) original cctrl with ics=0
+ * NOTE: This macro MUST be immediately followed by the "jmp;rett" pair.
+ */
+.macro TN0018_FIX in1 in2
+        .align  0x20                    ! align the sta for performance
+        sta     \in2, [%g0] ASI_CTRL    ! disable icache
+        nop                             ! delay for sta to have effect on rett
+        or      %l1, %l1, %l1           ! delay + catch rf parity error on l1
+        or      %l2, %l2, %l2           ! delay + catch rf parity error on l2
+        sta     \in1, [%g0] ASI_CTRL     ! re-enable icache after rett
+        nop                             ! delay ensures insn after gets cached
+.endm
+
+#else
+
+.macro TN0018_WAIT_IFLUSH out1 out2
+.endm
+
+.macro TN0018_WRITE_PSR src
+.endm
+
+.macro TN0018_FIX in1 in2
+.endm
+
+#endif
+
diff --git a/cpukit/score/cpu/sparc/include/rtems/score/sparc.h b/cpukit/score/cpu/sparc/include/rtems/score/sparc.h
index 4846520..3ef3d17 100644
--- a/cpukit/score/cpu/sparc/include/rtems/score/sparc.h
+++ b/cpukit/score/cpu/sparc/include/rtems/score/sparc.h
@@ -319,7 +319,11 @@ void _SPARC_Set_TBR( uint32_t new_tbr );
 static inline uint32_t sparc_disable_interrupts(void)
 {
   register uint32_t psr __asm__("g1"); /* return value of trap handler */
+#ifdef __FIX_LEON3FT_TN0018
+  __asm__ volatile ( "ta %1\n\tnop\n\t" : "=r" (psr) : "i" (SPARC_SWTRAP_IRQDIS));
+#else
   __asm__ volatile ( "ta %1\n\t" : "=r" (psr) : "i" (SPARC_SWTRAP_IRQDIS));
+#endif
   return psr;
 }
 
diff --git a/cpukit/score/cpu/sparc/sparc-counter-asm.S b/cpukit/score/cpu/sparc/sparc-counter-asm.S
index fb7783e..44c3fa8 100644
--- a/cpukit/score/cpu/sparc/sparc-counter-asm.S
+++ b/cpukit/score/cpu/sparc/sparc-counter-asm.S
@@ -116,6 +116,10 @@ SYM(_SPARC_Get_timecount_clock):
 	bne	.Lpending
 	 ld	[%o5 + 20], %o4
 	ta	SPARC_SWTRAP_IRQEN
+#ifdef __FIX_LEON3FT_TN0018
+	/* A nop is added to work around the GRLIB-TN-0018 errata */
+	nop
+#endif
 	jmp	%o7 + 8
 	 sub	%o4, %o0, %o0
 .Lpending:
diff --git a/cpukit/score/cpu/sparc/window.S b/cpukit/score/cpu/sparc/window.S
index 5a36fd6..4675248 100644
--- a/cpukit/score/cpu/sparc/window.S
+++ b/cpukit/score/cpu/sparc/window.S
@@ -22,6 +22,7 @@
  */
 
 #include <rtems/asm.h>
+#include <libcpu/grlib-tn-0018.h>
 
         .section    ".text"
         /*
@@ -247,12 +248,18 @@ done_flushing:
          *  Restore the global registers we used
          */
 
-        mov     %l3, %g1
         mov     %l4, %g2
         mov     %l5, %g3
+
+        TN0018_WAIT_IFLUSH %l4,%l5
+        TN0018_WRITE_PSR %g1
+
+        mov     %l3, %g1
         mov     %l6, %g4
         mov     %l7, %g5
 
+        TN0018_FIX %l4,%l5
+
         jmpl    %l2, %g0
         rett    %l2 + 4
 
-- 
2.7.4



More information about the devel mailing list