Escug Systemc GDB
Escug Systemc GDB
Escug Systemc GDB
at the 22 nd European SystemC Users Group Meeting at the School of Electronic and Computer Science, Southampton University on 14 September 2010. Abstract It is common to use SystemC models of processors today. These may be hand-written architectural models or cycle accurate models generated using tools such as Verilator from design RTL. We show how a SystemC model can be integrated with the GNU Debugger via its simulation interface. The user is then able to load, execute and debug programs on the SystemC model using the full range of GDB commands. A follow on from this is that the integration allows the entire GNU regression test suite to be run against the model, providing a comprehensive exercise of the SystemC model. This is an important addition to the verification of the ISA in new processor designs. We illustrate the technique with examples from the OpenRISC 1000. Our work has identified a limitation of SystemC when used as a subsidiary library, and we propose that this be remedied in the future.
1 Introduction
The GNU Debugger (GDB) is a source level debugger for C, C++ and other languages. It may be used standalone or within Eclipse and can run native (i.e. debugging code on the machine on which it is executing) or with a separate embedded target. GDB implements a simple packet protocol, the Remote Serial Protocol (RSP) to connect to an embedded target. Typically that will use TCP/IP to communicate to another process, which acts as a RSP server, and maps the packets into commands to drive the target, for example to JTAG via a FTDI 2232C USB interface. Figure 1 illustrates this mode of operation.
Page 1 of 12
Once the RSP server is up and running, the user can connect from GDB using the target remote command. (gdb) target remote 51000
Figure 2: GDB connecting to a SystemC model of an embedded device. If the SystemC model is cycle accurate, then the interface between the RSP Server and SystemC model will use sc_signals to connect to sc_in and sc_out ports. If the model is transactional, then a TLM 2.0 transactional interface (loosely timed or approximately timed, blocking or non-blocking). The only slight issue is that JTAG is a bit serial interface, and some use of payload extensions is required to model this. For the GDB user, the interface is identical using the target remote command to connect, once the RSP server is up and running. As should be clear, the RSP server must itself be part of the SystemC model, and both it and the model of the embedded device form a single program, and is more accurately shown in
Page 2 of 12
2. The RSP analyzer. This maps each packet into the appropriate set of actions (and responses) for the target processor's debug unit. It sends response packets back to the client as necessary. At its heart it is a large switch statement. A minimal implementation need only implement functions to read and write memory and registers, to set and clear breakpoints and to stall and unstall the processor. It is implemented as a SystemC module. 3. A model of the target processor's debug interface. This maps high level actions supported by the debug unit (read a register, stall the processor etc) into individual JTAG register transfers. It may be a separate SystemC module, or form part of the RSP analyzer 4. The target processor model. This may have a signal or transactional interface. Figure 4 shows how these components make up the system.
Page 3 of 12
Figure 5: IEEE 1149.1 JTAG Test Access Port state machine. The SystemC debugger must run a mirror of this state machine. Driven by the TCK signal from the processor, and the data from the debug interface, this will generate the TMS and TDI signals to send to the processor, and correctly accept the TDO signal being received. Thus the debug interface is acting effectively as a transactor. Taking a high level operation (a transaction) and mapping it into a sequence of signals. The system is complete. Starting the target model we wait for the GDB client to connect. ./Vorpsoc_fpga_top SystemC 2.2.0 --- May 16 2008 10:30:46 Copyright (c) 1996-2006 by all Contributors ALL RIGHTS RESERVED Loading flash image from sim/src/flash.in (orpsoc.v.uart_top) UART INFO: Data bus width is 32. Debug Interf (orpsoc.v.uart_top) UART INFO: Doesn't have baudrate output Listening for RSP on port 51000 We can now connect from the GDB client. $ or32-uclinux-gdb Building automata... done, num uncovered: 0/216.
22nd ESCUG meeting, 14 September 2010 Page 4 of 12
Parsing operands data... done. GNU gdb 6.8 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licens This is free software: you are free to change and redistribute it There is NO WARRANTY, to the extent permitted by law. Type "show and "show warranty" for details. This GDB was configured as "--host=i686-pc-linux-gnu --target=or3 (gdb) file hello Reading symbols from .../sw/test-progs/hello...done. (gdb) target remote :51000 Remote debugging using :51000 0x040001f0 in ?? () (gdb) load hello Loading section .text, size 0x1350 lma 0x0 Loading section .rodata, size 0x1f lma 0x1350 Start address 0x100, load size 4975 Transfer rate: 323 bytes/sec, 236 bytes/write. (gdb) continue Continuing. Remote connection closed (gdb) Meanwhile the target model has run to completion having hit an exit opcode. Hello World! The answer is 42 546960700.00 ns: Exiting (42) SystemC: simulation stopped by user. Closing connection real 2708.49 user 87.82 sys 0.53 Note that the output is generated by the target model, and appears on its screen, not in the GDB session.
Page 5 of 12
The TLM 2.0 payload extension mechanism comes to the rescue here. We define an extension class, JtagExtensionSC, offering two additional attributes The type of JTAG transaction (SHIFT_IR, SHIFT_DR or RESET). The payload size in bits. We can make this an ignorable extension, by treating addresses 0, 1 and anything else as respectively SHIFT_IR, SHIFT_DR or RESET, multiplying the byte size by 8 to get the bit size. The generic payload tlm_command is ignoredall JTAG transactions are combined write and read. SystemC TLM 2.0 encourages the use of ignorable extensions for portability. However its value here is debatable. It is doubtful that any processor has a JTAG interface whose packets are always a multiple of 8 bits long. With this interface used by both the RSP debug interface, and the target we have a working GDB interface. The usage is identical to the cycle accurate version, but the user will notice a substantial increase in performance, due to the faster target model.
The top level class diagram is very simple. A RSP server class (RspServerSC), performing the architecture specific analysis, communicating using a generic payload with extensions to a transactional JTAG interface (JtagSC), which then drives the target. A class (JtagRegister) is defined to hold the information needed to populate the generic payload. This is shown in Figure 7.
Figure 7: Top level class diagram for a unified RSP to SystemC JTAG interface. We can then add a set of transactors, which map the JTAG TLM interface to specific implementations as shown in Figure 8.
Figure 8: Derived classes for different SystemC JTAG interfaces. This provides an ideal separation. The transactors only need to be written once for each type of interface (loosely timed TLM, approximately timed TLM, cycle accurate SystemC, VPI simulation interface, FTDI 2232C USB etc). Similarly for each new architecture, the RSP analyser need only be written once. As a derived class it need only implement new architecture specific functionality. For convenience we can define derived classes to represent the different types of JTAG registers that are used (for example to access memory, access registers, control the CPU). This is shown in Figure 9.
Page 7 of 12
Figure 9: Derived remote serial protocol classes for different target architectures The result is that having implemented the architecture specific functionality at an early stage, the user has a full RSP server implementation that can be used with no further work throughout the project, from initial model through to final silicon.
Program exited normally. (gdb) This approach provides an added benefit that the simulator is also compiled as a standalone program, run, allowing programs to be tested from the command line, thus. $ or32-elf-run hello Hello World $ The beauty of this is that the run command is used by the entire GNU tool chan for its regression testing (although it is possible to use remote targets as well). So if we can integrate our SystemC model into the GDB simulator, we immediately have an easy way of testing our target model with the entire GNU tool chain regression suite.
1 Source lines in GDB 7.2 gdb and sim directories as measured by John D Wheeler's sloccount program.
22nd ESCUG meeting, 14 September 2010 Page 9 of 12
There are some failures, since this is a GCC compiler that is still not fully developed. Not all the tests involve executing codemany are tests of compilation and linking. However there are a total of 7,916 tests which execute code and give a result. We can then compare this against the same test suite run using a SystemC model generated from the OpenRISC 1000 Verilog RTL using Verilator. === gcc Summary === # # # # # of of of of of expected passes unexpected failures expected failures unresolved testcases unsupported tests 52677 228 77 122 716
There are more failures. Some of these are tests which gave a different result, and 51 are tests which timed out. We are interested in those tests which passed with the golden reference and which failed with the RTL model. We can identify three causes of these new failures. 1. The test timed out, because the SystemC model based on RTL is 20-50 times slower than the TLM model, and this was a long running test which just needed more processor time. 2. The test timed out, because the model hit a problem and would never terminate.
22nd ESCUG meeting, 14 September 2010 Page 10 of 12
3. The test returned a different result. The second and third of these are indicators of possible bugs in the RTL. They provide test case code, which the design engineer can then use to isolate implementation errors.
5 Commercial Adoption
Integrating SystemC models with the GNU debugger has been a standard part of the OpenRISC development environment for some time [4]. More recently, Adapteva Inc worked with Embecosm to integrate GDB with Verilator models of their new processor pre-silicon. These models were subsequently used to test the Verilog using the GNU tool chain regression suite as described above, and identified 5060 RTL errors, which were able to be fixed before tape out.
6 Conclusions
Integrating a SystemC model of a processor as a GDB remote target using the remote serial protocol is a straightforward task. SystemC provides the functionality required for both TLM and cycle accurate models. The class inheritance mechanism of C++ when combined with SystemC's TLM 2.0 infrastructure allows a generic debug interface mechanism to be constructed. This minimises the effort in implementing a GDB interface to a model for a new architecture. Integrating SystemC models within GDB directly is more of a challenge. To do this efficiently requires SystemC to be usable as a library interface. This in turn requires that SystemC can suspend are return control to a caller mid-simulation. A consequence of integrating with GDB is that hardware design verification can take advantage of the GNU tool chain regression suite for hardware testing.
7 Further Reading
Embecosm has published a number of application notes, which address the issues of modeling processors using TLM 2.0 [1], using JTAG with SystemC [2] and integrating GDB with SystemC models [3].
8 Acknowledgements
Julius Baxter of ORSoC AB worked with the author to integrate Verilator SystemC modeling into the standard OpenRISC 1000 design flow.
9 References
1 Jeremy Bennett. Building a Loosely Timed SoC Model with OSCI TLM 2.0: A Case Study Using an Open Source ISS and Linux 2.6 Kernel. Embecosm Application Note 1, Issue 2, May 2010. Jeremy Bennett. Using JTAG with SystemC: Implementation of a Cycle Accurate Interface. Embecosm Application Note 5, Issue 1, January 2009. Jeremy Bennett. Integrating the GNU Debugger with Cycle Accurate Models: A Case Study using a Verilator SystemC Model of the OpenRISC 1000. Embecosm Application Note 7, Issue 1, March 2009.
Page 11 of 12
2 3
About the Author Dr Jeremy Bennett is Chief Executive of Embecosm Limited (www.embecosm.com). We want our users to develop embedded software seamlessly, using standard open source tools, whether the target is an early model of the architecture or final silicon. Embecosm's services include: Comprehensive GNU tool chain porting and optimization for embedded processors. Standards based cycle accurate and transaction level hardware modeling, including OSCI SystemC TLM 2.0 compliance. Seamless, unified SoC firmware development and debugging from initial model to final silicon. Support, consultancy, tutorials and training throughout the product life cycle Jeremy Bennett is an active contributor to the OpenCores (www.opencores.org). Contact him at [email protected]. project
This paper was presented at the 22 nd European SystemC Users Group Meeting at the School of Electronic and Computer Science, Southampton University on 14 September 2010. Licensing This work is licensed under the Creative Commons Attribution 2.0 UK: England & Wales License. To view a copy of this license, visit creativecommons.org/licenses/by/2.0/uk/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. This license means you are free: to copy, distribute, display, and perform the work to make derivative works Attribution. You must give the original author, Jeremy Bennett, credit; For any reuse or distribution, you must make clear to others the license terms of this work; Any of these conditions can be waived if you get permission from the copyright holder, Embecosm; and Nothing in this license impairs or restricts the author's moral rights.
Page 12 of 12