While this case is moot, dumping peripheral ROMs has come up before, so
correct information may be useful to someone in the future.

I'm pretty sure that (among other things), I'm knowledgeable, sane and a
programmer.  I was not writing about "the general case".  This thread
was specifically about ROMs embedded in a peripheral.  This is a
different environment from the "general" case, and one where your
comments are off-base.  This is the exception to *never*.  It has
nothing to do with laziness or 'wrong'; I assumed neither.  And PIC is
only one aspect of the problem as presented.

It is true that in a typical OS driver, a CSR base is specified by an
absolute (if possibly mapped) address, with code like

    mov #173100, r0 ; or
    mov csrbase(R5), r0 ; where r5 points to some data structure, and
csrbase contains an absolute I/O address
    bit    #100, 4(r0)

This ensures that the *code* can be moved; *the device is at some fixed
address* determined by SYSGEN, autoconfiguration, or the like.  So the
references are register deferred and/or indexed relative to an
"absolute" address.  The code should be PIC, as most (later) OSs want to
be able to dynamically load drivers.  I'd agree that in this case, PIC
with an absolute device address is the preferred (and sometimes
required) implementation.

In the specific case of a device ROM, CSR access would indeed be
properly done with relative addressing.  There isn't much (sane)
choice.  Calling it 'bad software design' is inappropriate, and
overlooks the environmental constraints and functional requirements of a
device ROM.

The key point is that a device ROM is an integral part of the peripheral
that it serves; its CSRs are at a fixed offset to the code, but both are
at an unknown base address.  *There is no absolute address; both the
CSRs and the code are relocatable* as a unit: when the peripheral is
installed, and when/if an OS maps it to a virtual address.  And
*executing the code requires that the CSRs are emulated*.  Thus, *both
the code and CSR references in the ROM must be position-independent*.

Consider:

* Plugin a device with some CSRs, a boot ROM, and more than one IO
space address.
* (Since we're being pedantic, turn on power.)
* Press (processor) RESET
* Enter the boot ROM address in the switches; load address; start. (Or
the ASCII console equivalent.)

* Later, the OS may have mapped the device at some random (well,
properly aligned) virtual address, and calls into the boot rom for
some function that it provides.  (For a disk, it might be to write a
crash dump.)

Either way, the ROM code is running, and ready to operate the device.

Now, where, exactly is an absolute address for the CSRs going to come
from?  There is no generally useful absolute address that can be encoded
in the ROM.

"Divine inspiration" isn't an option.

For the first case, there's no outside source of data.  No OS data
structure or config file; no base address in a register.  And
implementing autoconfigure is not practical. (You'd probably call a
proposer 'not sane').  The code can't read its CSRs to find its Unibus
address - because the problem is finding its CSRs.  But it does have PC.

For the second case, the OS could pass a CSR address.  But sane coders
will do something that works in both
cases.  And saves code.

Note that the CSRs and the code live on the same (hardware) module.  So
the offset between them is fixed.
(And, no, an OS isn't allowed to change the offset with memory mapping,
even when the distance might allow it.)

So, the CSRs are found using this offset and PC.  That's relative
addressing - though there's more than one possible implementation.

PC-relative addressing is a perfectly valid (and sane) solution.  Here
are some code snippets that illustrate the situation.

    .title DevROM
    .sbttl YMMV

    .psect CSRs D,RW,GBL ; May or may not overlay part of the ROM
CSRBASE: .blkw 8 ; This device has 8 CSRs

    CSR0 = CSRBASE+0
    CSR1 = CSRBASE+2
    CSR3 = CSRBASE+6

    .psect CODE I,RO
     bit    #100, CSR0  ; This is PC-relative

Of course, if CSRs are referenced more than once some space can be saved
by putting one or more CSR addresses into (a) register(s) and using
register deferred addressing.  But those addresses are determined
relative to the PC - so somewhere, there is still PC-relative address
computation.

    move PC, r0
10$: sub #<10$-CSRBASE>, r0
    bit #100, (r0)

    bic #200, 6(r0) ; Indexed - doesn't save space
or, if CSR3 gets used a lot, spend 3 words to save one/reference
    mov r0, r1
    add  #<CSR3-CSR0>, r1
    bic  #200, (r1)

The only case that a peripheral ROM wouldn't find its CSRs using the PC
is where it has no code.  (Or, if ITS coder wasn't 'sane' - e.g. forced
the device to a fixed address in IO space.)

And yes, the code must be PIC - that is, the code's references to itself
must be position-independent since the hardware can be installed at
various addresses, and the OS can later map it to one or more VAs.

As for data; all data references (pointers) need to be
position-independent - self-relative or relative to the base of the ROM.

Device base address:
+----------------------------+
| CSR 0
| CSR 1
| ...
| CSR n
| Gap
| Code
+----------------------------+

Exactly how the hardware is implemented may vary.  Usually the CSRs are
below the code, though the converse can be true.  And whether the gap
exists - and how big varies.  Sometimes CSRs overlay the ROM; others the
gap aligns the code to a convenient boundary for address multiplexing -
no sane hardware designer of this period would have included an adder.

(Note that 'gap' here is not the 'gap' used in floating address
assignments; if in floating address space, it must not NXM modulo 10,
per the address assignment rules.)

This brings us back to my original points:

* To execute code in a peripheral ROM that touches its CSRs, the ROM
must be in I/O space
* (Almost) certainly, the code will find its CSRs using PC-relative
offsets (addressing and/or math)
* Thus, if you load the ROM into RAM, it will assign some RAM location
to the CSRs.  This won't work.
* If the ROM contains code that talks to the device, it is a near
certainty (not a 'risk') that it must be placed in I/O space *and*
that the CSRs are implemented.  E.g. a full device emulation must be
created.
* The code in the ROM must be PIC, as must any pointers to data.

It is always possible that someone built a device that has a single
fixed Unibus address (e.g. no more than one per system, no address
jumpers).  And that the ROM is never called with memory mapping
enabled.  In that case, all the PIC requirements go away.  However, it
would still require working CSRs, however they're found.  But that would
be a design with severe limitations, and I'd be surprised if an engineer
with any PDP-11 background would have created such a beast.

Before quoting doctrine and casting aspersions, it is best to completely
understand the problem.

On Sat, 16 Dec 2017 15:42:59 -0500
And has already been done for the VAX; even simulation of the slower
ROM speed.

Sure, that's trivial.  But a ROM in a peripheral is going to want to
talk to that peripheral, so to "run the code", as the OP said he wanted
to do, the CSRs need to be implemented too.  ROM or RAM, a memory
location doesn't act like a CSR, so the likely result is that the code
will loop, hang waiting for an interrupt, or do something else strange
when the locations that expects are CSRs don't act like a device.

If the goal is to disassemble, loading into I/O space would ensure that
all the addresses are correct.  But if he really wants to *execute* the
code, it's rather more involved.

Again, ROMs embedded in peripherals (he said a robot) are part of a
device, and the code will expect the other parts to be there and to be
functional.  His device's CSRs aren't emulated.  So this is necessary,
but not sufficient.

If it were just a BOOT rom (e.g. a M9301-xx), your suggestion would
work, as it's separate from the device emulation.   (You can read the
M9301 maintenance and operation manual on bitsavers.)