Writing mseccfg=0x1 will jump to _vectors_start #2237

ha0lyu opened this issue Jan 2, 2025 · 3 comments

ha0lyu commented Jan 2, 2025

Observed Behavior

When writing 0x01 to mseccfg (0x747), some unknown behavior happened: Ibex jumps to _vectors_start. I have tested some values: when we write 0x4 or 0x8, Ibex is normal; any other value will jump to _vectors_start. See the trace file for more information.

Expected Behavior

Ibex supports the Smepmp extension (see PMP Enhancements). I have checked this extension: all mseccfg fields, including mseccfg.MML and mseccfg.MMWP, are WARL.

Steps to reproduce the issue

#include "simple_system_common.h"

int main(void){
    asm volatile("li t0, 0x1");
    asm volatile("csrw 0x747, t0");
    asm volatile("nop");
    asm volatile("nop");
    asm volatile("nop");
    asm volatile("csrr a0, 0x747");
    return 0;
}

Build this test code like "hello_test.c", then run build/lowrisc_ibex_ibex_simple_system_0/sim-verilator/Vibex_simple_system --meminit=ram,./PATH/TO/test.elf -c 300

My Environment

  • build ibex: fusesoc --cores-root=. run --target=sim --setup --build lowrisc:ibex:ibex_simple_system $(util/ibex_config.py opentitan fusesoc_opts)

EDA tool and version:
Verilator 4.210 2021-07-07 rev v4.210

Operating system:

Ubuntu Linux 18.04

Version of the Ibex source code:

@ha0lyu ha0lyu added the Type:Bug Bugs label Jan 2, 2025

ha0lyu commented Jan 3, 2025

I learned how to view waveform diagrams and discovered that when pc=0x1003cc, an exception occurred, and the program jumped to pc=0x100000, which is the location of _vectors_start.
Image

According to the disassembly information, a write operation to the mseccfg register occurred at pc=0x1003cc, which triggered an exception. This exception violated the rules of the Smepmp extension because "All mseccfg fields defined in this proposal are WARL."
Image


nbdd0121 commented Jan 6, 2025

0x1 switches on MML, which alters the interpretation of PMPs. Maybe you haven't configured PMPs properly, so now the instruction memory is inaccessible?
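
The change in PMP interpretation mentioned in the comment above, as an added example that is not part of the thread and is not Ibex code: a C model of the M-mode permission rules in the Smepmp specification, which goes beyond the reproducer by covering the full M-mode rule table rather than only the fetch after `csrw 0x747`. The function names and the `PMP_NO_MATCH` sentinel are hypothetical; address matching is assumed to have happened already, and nothing here claims how the Ibex RTL behaves.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions from the Smepmp and PMP specifications. */
enum { MSECCFG_MML = 1u << 0, MSECCFG_MMWP = 1u << 1, MSECCFG_RLB = 1u << 2 };
enum { PMP_R = 1u << 0, PMP_W = 1u << 1, PMP_X = 1u << 2, PMP_L = 1u << 7 };
#define PMP_NO_MATCH (-1) /* hypothetical sentinel: no PMP entry covers the address */

/* May M-mode perform access `acc` (PMP_R, PMP_W or PMP_X)?
 * `cfg` is the pmpcfg byte of the matching entry, or PMP_NO_MATCH. */
bool m_mode_allowed(uint32_t mseccfg, int cfg, unsigned acc)
{
    bool mml = (mseccfg & MSECCFG_MML) != 0;
    if (cfg == PMP_NO_MATCH) {
        if (mseccfg & MSECCFG_MMWP)
            return false;                 /* MMWP: unmatched M-mode accesses are denied */
        return !(mml && acc == PMP_X);    /* MML: M-mode cannot fetch without a rule */
    }
    bool locked = (cfg & PMP_L) != 0;
    unsigned rwx = (unsigned)cfg & (PMP_R | PMP_W | PMP_X);
    if (!mml)                             /* base PMP: only locked entries bind M-mode */
        return locked ? (rwx & acc) != 0 : true;
    if ((rwx & (PMP_R | PMP_W)) == PMP_W) {   /* R=0,W=1 encodes a shared region */
        if (!locked)
            return acc != PMP_X;              /* shared data: M-mode gets RW */
        return acc == PMP_X || (acc == PMP_R && (rwx & PMP_X)); /* shared code */
    }
    if (locked && rwx == (PMP_R | PMP_W | PMP_X))
        return acc == PMP_R;                  /* shared read-only data */
    /* L=1 is an M-mode-only rule; L=0 is a U-mode-only rule that M-mode may not use. */
    return locked ? (rwx & acc) != 0 : false;
}

/* The reproducer's situation: can the instruction after `csrw 0x747` be fetched? */
bool next_fetch_ok(uint32_t new_mseccfg, int code_region_cfg)
{
    return m_mode_allowed(new_mseccfg, code_region_cfg, PMP_X);
}

int main(void)
{
    for (uint32_t v = 0; v <= 4; v++)     /* 3 = MML|MMWP, 4 = RLB only */
        printf("mseccfg=0x%x: no rule -> %d, locked RX rule -> %d\n", (unsigned)v,
               next_fetch_ok(v, PMP_NO_MATCH), next_fetch_ok(v, PMP_L | PMP_R | PMP_X));
    return 0;
}
```

In this model a fetch survives setting MML only when the code region is already covered by a locked entry with X set (or a locked shared-code entry); an unlocked RWX entry becomes a U-mode-only rule and no longer permits M-mode execution.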


ha0lyu commented Jan 7, 2025

Hi @nbdd0121, thanks for your reply.
Actually, the test case shown in the picture above is part of another test case. When I set PMP correctly and wanted to change mseccfg.MML to 0x1, a trap occurred and the mcause is zero. I have tested other values, such as 0b110, 0b10, etc. All failed. I think the root cause is that mseccfg is not writable in Ibex.
