Misaligned LC/SC is a fatal error #66
Conversation
src/riscv-integration.adoc
Outdated
| @@ -161,6 +161,15 @@ Capability load and store instructions also cause load or store/AMO address | |||
| misaligned exceptions if the address is not naturally aligned to a CLEN | |||
| boundary. | |||
|
|
|||
| Misaligned capability loads and stores are fatal errors. Implementations must | |||
There was a problem hiding this comment.
"fatal" might be a bit strong? To me that reads as "system is broken must reset CPU", maybe the second sentence is sufficient?
There was a problem hiding this comment.
Do you have any preferences for how to describe this in a way that applies to both hardware implementations of the privileged architecture (where the second sentence is sufficient), and things more like qemu user where exceptions aren't meaningful and the environment generates SIGBUS instead?
The relevant terminology from the unprivileged specification §1.6 is "contained trap" (control transfer to a handler within the same conceptual scope, e.g. xtvec or an installed signal handler) or "fatal trap" (terminates execution), but there's a confusing amount of leakage from the privileged spec into that section.
There was a problem hiding this comment.
Is it sufficient to say that implementations must "trap" for misaligned capability loads and stores etc? Trap is ideal because it is sufficiently high-level for the purposes of this section yet a definition is given in the RISC-V privileged spec.
There was a problem hiding this comment.
Fatal Trap
The trap represents a fatal failure and causes the execution environment to terminate execution.
Examples include failing a virtual-memory page-protection check or allowing a watchdog timer to
expire. Each EEI should define how execution is terminated and reported to an external
environment
This does seem appropriate but we haven't used the terms contained trap, fatal trap etc. anywhere in the doc. To start using those terms we'd need another section mapping the CHERI exceptions onto them.
sorear
force-pushed
the
misaligned-lcsc-is-fatal
branch
from
845bb6d to
1ffbda1
Compare
src/riscv-integration.adoc
Outdated
| addresses are aligned. | ||
|
|
||
| NOTE: Since there is only one tag per CLEN bit block in memory, it is not | ||
| possible to represeent a capability value complete with its tag at an |
There was a problem hiding this comment.
| possible to represeent a capability value complete with its tag at an | |
| possible to represent a capability value complete with its tag at an |
src/riscv-integration.adoc
Outdated
|
|
||
| NOTE: Since there is only one tag per CLEN bit block in memory, it is not | ||
| possible to represeent a capability value complete with its tag at an | ||
| address not aligned to CLEN. To transfer CLEN bits without a tag, use |
There was a problem hiding this comment.
| address not aligned to CLEN. To transfer CLEN bits without a tag, use | |
| address not aligned to CLEN. To transfer unaligned CLEN bits without a tag, use |
Maybe add this qualification here since capability loads without C permission can be used to transfer without the tag.
Make it clear in the spec that this overrides Zicclsm and should not be emulated. Resolves riscv#59.
sorear
force-pushed
the
misaligned-lcsc-is-fatal
branch
from
1ffbda1 to
ee6a5fb
Compare
Make it clear in the spec that this overrides Zicclsm and should not be emulated.
Resolves #59.