MPP of MSTATUS CSR register written with the wrong privilege level
Created by: shetalani
Here is an issue found after applying OneSpin 360 DV-Verify RVV App on RI5CY:
Description: we have a load to an address where reads are not allowed, followed by a fetch from an address that is outside the instruction match region. As the latter is already taken in decode, it happens before the access fault of the load gets served. However, it gets overwritten by the load access fault before the next instruction gets executed, which almost makes it good again. But one thing that goes wrong is the storing of the privilege level where the exception occurred. The false fetch access error sets the privilege to M mode; thus, the preceding load access fault thinks it was executed in M mode while it was in U mode.

Example: for a set of instructions: 32'h3a0a5e73 (csrrwi x28,pmpcfg0,20), 32'h200073 (uret), 32'h1941413 (slli x8,x8,25), 32'h12083 (lw x1, 0(x2)) being decoded at the following time points t##-7, t##-6, t##-1 and t##0, with the following pc values in the decode stage 32'h24, 32'h28, 32'h0 and 32'h2 respectively. These instructions were fetched from the memory at the time points t##-9, t##-8 and t##-3 respectively (the last two instructions are compressed).

Fetching an instruction from the address 32'h4 causes an IAF, since this address is outside the instr match region specified by the pmpcfg0 register. This IAF is handled at time point t##2 (closed), so that the current privilege level moves back from U to M mode and the CSRs mepc, mcause and mstatus are written with the associated values.

However, the LW instruction tries to read the memory at time point t##1 (closed), when the privilege level is still U mode, and since the R bit is cleared in pmpcfg0, this causes a LAF that is handled at time point t##4 (closed). This time, mepc and mcause are updated correctly, but mstatus is not. The MPP field is written with the value 2'h3, which refers wrongly to M mode, as it should be the value associated with U mode since the LAF happens in U mode.
The same issue could be encountered if we move to debug mode while executing a load instruction that causes a LAF in U mode.
Product: OneSpin 360 DV-Verify
App: RVV
Tool's version: 2019.2.1
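A small behavioural model of the sequence reported above, added here as an illustration; it is not RI5CY RTL and not code from the report. The `issue_priv` tag and the function names are assumptions of this model, as is the mepc value used for the IAF; tagging each pending exception with its issue privilege is one possible remedy, not the project's actual fix.

```c
#include <stdint.h>
#include <stdio.h>

enum { PRIV_U = 0, PRIV_M = 3 };        /* RISC-V privilege encodings */
enum { CAUSE_IAF = 1, CAUSE_LAF = 5 };  /* instruction / load access fault */
#define MPP_SHIFT 11                    /* mstatus.MPP is bits 12:11 */
#define MPP_MASK  (3u << MPP_SHIFT)

typedef struct { uint32_t mstatus, mepc, mcause; unsigned priv; } hart_t;

/* Pending exception. issue_priv is a hypothetical tag recording the
 * privilege level at which the faulting access was issued. */
typedef struct { uint32_t pc, cause; unsigned issue_priv; } pending_t;

/* Trap entry. With use_issue_priv == 0 it samples the live privilege level
 * at service time, which is the behaviour the report describes. */
static void take_trap(hart_t *h, const pending_t *e, int use_issue_priv)
{
    unsigned mpp = use_issue_priv ? e->issue_priv : h->priv;
    h->mstatus = (h->mstatus & ~MPP_MASK) | ((uint32_t)mpp << MPP_SHIFT);
    h->mepc   = e->pc;
    h->mcause = e->cause;
    h->priv   = PRIV_M;                 /* traps are taken into M mode */
}

/* Replays the reported order: the IAF of the younger fetch is served
 * first, then the LAF of the older load overwrites the trap CSRs. */
hart_t replay(int use_issue_priv)
{
    hart_t h = { 0, 0, 0, PRIV_U };                 /* after uret: U mode */
    pending_t iaf = { 0x4, CAUSE_IAF, PRIV_U };     /* fetch from 32'h4 */
    pending_t laf = { 0x2, CAUSE_LAF, PRIV_U };     /* lw at pc 32'h2 */
    take_trap(&h, &iaf, use_issue_priv);
    take_trap(&h, &laf, use_issue_priv);
    return h;
}

unsigned mpp_of(hart_t h) { return (h.mstatus & MPP_MASK) >> MPP_SHIFT; }

int main(void)
{
    hart_t bad = replay(0), good = replay(1);
    printf("sampled at service: mcause=%u mepc=0x%x MPP=%u\n",
           (unsigned)bad.mcause, (unsigned)bad.mepc, mpp_of(bad));
    printf("tagged at issue:    mcause=%u mepc=0x%x MPP=%u\n",
           (unsigned)good.mcause, (unsigned)good.mepc, mpp_of(good));
    return 0;
}
```

In both variants mcause and mepc end up describing the load; only MPP differs, which is why a check on the trap CSRs that ignores mstatus would not catch this.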