vcs/verdi 2020及以上版本+crack

iulx0

原始需求的x问题是
1. 我有一套design只能用 modelsim/questasim 跑，我的目的是 dump fsdb
2. modelsim 10.1 10.2 跑不了，questasim 10.7c能编译，但使用 verdi 2017 的 novas_fli.so 去 dump fsdb 会 sigsegv（原因查不出来）
3. 根据 1. 2. 我需要更新的 vcs/verdi（verdi优先）拿到能适配 questasim 10.7c 的 novas_fli.so
如果有更好的解决方法欢迎补充！

炎焱

VCS/Verdi 2020  链接: https://pan.baidu.com/s/1FBFr97R6pCWOBIQ92vjJPA?pwd=6w3e 提取码: 6w3e

cyberwillis

根据此线程，当 VC 和 Verdi 是不同的反转时就会发生问题。

https://bbs.eetop.cn/thread-918602-1-1.html

cyberwillis

根据此线程，当 VC 和 Verdi 的版本不同时就会发生问题。
https://bbs.eetop.cn/thread-918602-1-1.html

tracy6969

炎焱 发表于 2025-3-13 02:45
VCS/Verdi 2020  链接: https://pan.baidu.com/s/1FBFr97R6pCWOBIQ92vjJPA?pwd=6w3e 提取码: 6w3e

thanks

tracy6969

cyberwillis 发表于 2025-3-13 06:57
根据此线程，当 VC 和 Verdi 的版本不同时就会发生问题。
https://bbs.eetop.cn/thread-918602-1-1.html ...

thanks

cyberwillis

炎焱 发表于 2025-3-13 02:45
VCS/Verdi 2020  链接: https://pan.baidu.com/s/1FBFr97R6pCWOBIQ92vjJPA?pwd=6w3e 提取码: 6w3e

谢谢

ic886

炎焱 发表于 2025-3-13 02:45
VCS/Verdi 2020  链接: https://pan.baidu.com/s/1FBFr97R6pCWOBIQ92vjJPA?pwd=6w3e 提取码: 6w3e

感谢分享

iulx0

cyberwillis 发表于 2025-3-13 06:56
根据此线程，当 VC 和 Verdi 是不同的反转时就会发生问题。

https://bbs.eetop.cn/thread-918602-1-1.html ...

Sorry for not clarifying enough details, I encountered a segfault issue while dumping fsdb instead of the error prompt in the thread you mentioned. I tried to inspect the coredump file with gdb though didn't find anything useful, the debug symbols have been completely stripped off from binaries related.

抱歉我没说清楚，我是dump fsdb时候直接segfault，然后就直接崩了而不是像这个帖子里面提示版本不兼容。我把coredump丢gdb里面但它们二进制里调试符号是一个都没有我也无从下手（不像synopsys家的还留了点东西）

(No debugging symbols found in /opt/tools/mentor/questasim_10.7c/questasim/linux_x86_64/vsimk)
[New LWP 148307]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/opt/tools/mentor/questasim_10.7c/questasim/linux_x86_64/--Type <RET> for more, q to quit, c to continue without paging--q
Quit
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x000000000075e336 in ?? ()
#2  0x0000000000d84bc4 in ?? ()
#3  0x00000000009c8a97 in ?? ()
#4  0x0000000001392ad4 in ?? ()
#5  0x00000000009cf53c in ?? ()
#6  <signal handler called>
#7  0x000000000075e336 in ?? ()
#8  0x0000000000d84bc4 in ?? ()
#9  0x0000000000dccca4 in ?? ()
#10 0x000000000142d0cd in TclInvokeStringCommand ()
#11 0x0000000001431526 in ?? ()
#12 0x0000000001432c11 in ?? ()
#13 0x0000000001432f76 in Tcl_EvalEx ()
#14 0x0000000000fb1d6b in ?? ()
#15 0x00000000014d2e7f in Tcl_NotifyChannel ()
#16 0x00000000015269e7 in ?? ()
#17 0x00000000014e98e7 in Tcl_ServiceEvent ()
#18 0x00000000014e9bc9 in Tcl_DoOneEvent ()
#19 0x0000000001337686 in ?? ()
#20 0x0000000000b2fbe6 in ?? ()
#21 0x00000000009cdbd1 in ?? ()
#22 0x00007ffff782a1ca in __libc_start_call_main (
--Type <RET> for more, q to quit, c to continue without paging--q
Quit
(gdb) f 10
#10 0x000000000142d0cd in TclInvokeStringCommand ()
(gdb) disas
Dump of assembler code for function TclInvokeStringCommand:
   0x000000000142d050 <+0>:    push   r15
   0x000000000142d052 <+2>:    mov    r15,rdi
   0x000000000142d055 <+5>:    push   r14
   0x000000000142d057 <+7>:    push   r13
   0x000000000142d059 <+9>:    mov    r13d,edx
   0x000000000142d05c <+12>:    push   r12
   0x000000000142d05e <+14>:    push   rbp
   0x000000000142d05f <+15>:    mov    rbp,rcx
   0x000000000142d062 <+18>:    push   rbx
   0x000000000142d063 <+19>:    sub    rsp,0x18
   0x000000000142d067 <+23>:    mov    QWORD PTR [rsp+0x8],rsi
   0x000000000142d06c <+28>:    mov    rdi,QWORD PTR [rsp+0x8]
   0x000000000142d071 <+33>:    lea    esi,[rdx*8+0x8]
   0x000000000142d078 <+40>:    call   0x14b0f20 <TclStackAlloc>
   0x000000000142d07d <+45>:    test   r13d,r13d
   0x000000000142d080 <+48>:    mov    rbx,rax
   0x000000000142d083 <+51>:    jle    0x142d0af <TclInvokeStringCommand+95>
   0x000000000142d085 <+53>:    lea    eax,[r13-0x1]
   0x000000000142d089 <+57>:    xor    r14d,r14d
   0x000000000142d08c <+60>:    lea    r12,[rax*8+0x8]
   0x000000000142d094 <+68>:    nop    DWORD PTR [rax+0x0]
   0x000000000142d098 <+72>:    mov    rdi,QWORD PTR [rbp+r14*1+0x0]
--Type <RET> for more, q to quit, c to continue without paging--
   0x000000000142d09d <+77>:    call   0x14eabf0 <Tcl_GetString>
   0x000000000142d0a2 <+82>:    mov    QWORD PTR [rbx+r14*1],rax
   0x000000000142d0a6 <+86>:    add    r14,0x8
   0x000000000142d0aa <+90>:    cmp    r14,r12
   0x000000000142d0ad <+93>:    jne    0x142d098 <TclInvokeStringCommand+72>
   0x000000000142d0af <+95>:    movsxd rax,r13d
   0x000000000142d0b2 <+98>:    mov    rcx,rbx
   0x000000000142d0b5 <+101>:    mov    edx,r13d
   0x000000000142d0b8 <+104>:    mov    QWORD PTR [rbx+rax*8],0x0
   0x000000000142d0c0 <+112>:    mov    rsi,QWORD PTR [rsp+0x8]
   0x000000000142d0c5 <+117>:    mov    rdi,QWORD PTR [r15+0x38]
   0x000000000142d0c9 <+121>:    call   QWORD PTR [r15+0x30]
=> 0x000000000142d0cd <+125>:    mov    rdi,QWORD PTR [rsp+0x8]
   0x000000000142d0d2 <+130>:    mov    rsi,rbx
   0x000000000142d0d5 <+133>:    mov    DWORD PTR [rsp],eax
   0x000000000142d0d8 <+136>:    call   0x14b0e40 <TclStackFree>
   0x000000000142d0dd <+141>:    mov    eax,DWORD PTR [rsp]
   0x000000000142d0e0 <+144>:    add    rsp,0x18
   0x000000000142d0e4 <+148>:    pop    rbx
   0x000000000142d0e5 <+149>:    pop    rbp
   0x000000000142d0e6 <+150>:    pop    r12
   0x000000000142d0e8 <+152>:    pop    r13
   0x000000000142d0ea <+154>:    pop    r14
--Type <RET> for more, q to quit, c to continue without paging--q
Quit
(gdb) i r r15
r15            0x326b270           52867696
(gdb) p/x *(0x326b270+0x30)
$1 = 0xdccc60
(gdb) x/5i 0xdccc60
   0xdccc60:    push   rbp
   0xdccc61:    mov    edi,0x2a2c120
   0xdccc66:    mov    rbp,rsp
   0xdccc69:    sub    rsp,0x10
   0xdccc6d:    mov    DWORD PTR [rip+0x1a1e869],0x1        # 0x27eb4e0

so in frame 6 whose function name is TclInvokeStringCommand, intuitively I guess it runs some tcl command and starts executing function 0xdccc60(some user space function I suppose)
栈帧6跑了TclInvokeStringCommand这个函数，然后跳转到0xdccc60的地址开始执行用户态的函数

and yeah since there are no symbols I just give up driving blind, don't wanna waste further time on this
不带符号调试好比闭眼开车，我没继续深挖下去

let me know if you could shed any light on this, thanks for your answers still.
如果你有高招望不吝赐教，感谢

iulx0

多谢各位的帮助尤其是 @炎焱 @cyberwillis 我后来搞清楚为啥 crash 了
Much appreciation for all of you that helped especially @炎焱 @cyberwillis and it took me some while to figure out why I ran into crash

先说结论，只要 novas_fli.so 所在的目录在 LD_LIBRARY_PATH 内就行，例如 LD_LIBRARY_PATH=/opt/tools/synopsys/verdi/T-2022.06/share/PLI/MODELSIM/LINUX64
conclusion is, make sure directory to novas_fli.so is in your LD_LIBRARY_PATH, e.g. (see above)

昨天还是拿 gdb 看栈帧追了下去，找到了 crash 点在于 <novas_misc_func+7> 这条指令 jmp qword ptr [rax] 跳转 rax 这里指向了空指针
I dive into the stack frame with gdb and found it crashed at the instruction `jmp qword ptr [rax]` located at <novas_misc_func+7> where rax points to a null pointer

拖进 ida 发现这里 rax 的地址本来应该存 novas_misc_func 的指针，而 novas_misc_func 这个符号其实啥都没干，我用nm -D 扫了一下 verdi 内所有.so .a 发现 novas_misc_func 这个符号本身是从 libNovasCDI.so 的 NovasCDIInit 初始化函数面读入 ，请看附件
I dump it into ida and found rax should have stored a function pointer to novas_misc_func which does actually nothing(maybe verification, no?), so I did a wide scan using `nm -D` to see if any .so or .a libraries exported this symbol. Eventually I landed on function NovasCDIInit who loads this symbol in libNovasCDI.so, see attachment for further details

长话短说，就只要保证 libNovasCDI.so 在 LD_LIBRARY_PATH 被读取就行，且它和 novas_fli.so 在同级目录
in short, we just need to make sure libNovasCDI.so is inside our LD_LIBRARY_PATH, which is same path to novas_fli.so