Hi, we are currently doing some co-simulation with cva6 and spike, and we found that the decoder behaves incorrectly when it encounters an sfence.vma with a non-zero rd field.
According to the ISA Specification (Volume II: RISC-V Privileged Architectures V20211203 Page 152) for the SFENCE.VMA format, instr[11:7] should be 5'b00000.
When instr[11:7] is modified to 5'b00001, cva6 treats this instruction as SFENCE.VMA as well. No exception occurred. The implementation is missing a check for this field.
```systemverilog
    // check TVM flag and intercept SFENCE.VMA call if necessary
    if (priv_lvl_i == riscv::PRIV_LVL_S && tvm_i)
      illegal_instr = 1'b1;
  end else begin
    illegal_instr = 1'b1;
  end
end
```
In the following test case, there is an invalid sfence.vma at 0x80000190, whose rd field is 1. cva6 executes it as a normal instruction, while spike throws an exception.
Code reference: cva6/core/decoder.sv, lines 152 to 165 in 44a89b9
cva6-0.zip
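A differential check of the kind the co-simulation above performs, as an added example that is not part of the original report or of the cva6 or spike sources: a lenient decoder that ignores instr[11:7] is compared with a strict one across every rd value. The function names and the lenient model are hypothetical, and the instruction words are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of a SYSTEM-opcode R-type word (RISC-V privileged spec). */
#define OPCODE(i) ((i) & 0x7fu)          /* instr[6:0]   */
#define RD(i)     (((i) >> 7) & 0x1fu)   /* instr[11:7]  */
#define FUNCT3(i) (((i) >> 12) & 0x7u)   /* instr[14:12] */
#define FUNCT7(i) (((i) >> 25) & 0x7fu)  /* instr[31:25] */

enum decode_result { ILLEGAL = 0, SFENCE_VMA = 1 };

/* Hypothetical model of the lenient decode reported above: rd is ignored. */
enum decode_result decode_lenient(uint32_t instr) {
    if (OPCODE(instr) == 0x73u && FUNCT3(instr) == 0 && FUNCT7(instr) == 0x09u)
        return SFENCE_VMA;
    return ILLEGAL;
}

/* Strict decode: instr[11:7] must also be 5'b00000. */
enum decode_result decode_strict(uint32_t instr) {
    if (decode_lenient(instr) == SFENCE_VMA && RD(instr) == 0)
        return SFENCE_VMA;
    return ILLEGAL;
}

/* Build a constructed sfence.vma-shaped word with the given fields. */
uint32_t make_sfence_word(uint32_t rs2, uint32_t rs1, uint32_t rd) {
    return (0x09u << 25) | ((rs2 & 0x1fu) << 20) | ((rs1 & 0x1fu) << 15)
         | ((rd & 0x1fu) << 7) | 0x73u;
}

/* Sweep every rd value and count words the two decoders disagree on. */
int count_rd_divergences(uint32_t rs2, uint32_t rs1) {
    int n = 0;
    for (uint32_t rd = 0; rd < 32; rd++) {
        uint32_t w = make_sfence_word(rs2, rs1, rd);
        if (decode_lenient(w) != decode_strict(w)) {
            printf("diverge: 0x%08x (rd=%u)\n", (unsigned)w, (unsigned)rd);
            n++;
        }
    }
    return n;
}

int main(void) {
    printf("%d divergent encodings\n", count_rd_divergences(0, 0));
    return 0;
}
```

Only the rd=0 word decodes identically in both models, so any word the sweep reports is a candidate for a directed co-simulation test.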