[BUG] mtinst corrupted #2831

Open
1 task done
KatCe opened this issue Mar 17, 2025 · 1 comment
Labels
notCV32A65X It is not an CV32A65X issue Type:Bug For bugs in the RTL, Documentation, Verification environment or Tool and Build system

Comments

@KatCe
Contributor

KatCe commented Mar 17, 2025

Is there an existing CVA6 bug for this?

  • I have searched the existing bug issues

Bug Description

Hello,
I have noticed an unexpected behavior.
The signal x_exception_o in cvxif_fu has several unconnected fields, which is partially intentional (at least for tval) according to the specification.
In certain scenarios, and with the hypervisor extension enabled, it is possible that these undriven fields are read and the CSR mtinst is written with these arbitrary values.
I have created a small test bench here: https://github.com/KatCe/cva6/tree/bug_mtinst_corruption/bug_simulations/x_exception_mtinst
In this test bench, the bug is triggered by an unexpected bus response that also triggers an assertion:

** Fatal: Trying to pop data although the FIFO is empty.
#    Time: 25 ns Started: 25 ns  Scope: tb_top.i_ariane.gen_cache_wt.i_cache_subsystem.i_adapter.i_rd_icache_id.empty_read File:../core/cva6_fifo_v3.sv Line: 228

To model what would happen in silicon I have initialized the tinst field of x_exception_o with an arbitrary value for demonstration (https://github.com/KatCe/cva6/blob/bug_mtinst_corruption/core/cvxif_fu.sv#66) and converted the assertion to a warning (https://github.com/KatCe/cva6/blob/bug_mtinst_corruption/core/cva6_fifo_v3.sv#228).
In that case we see the arbitrary value written to the mtinst CSR.

While this exact scenario can only happen if cva6 is integrated with another component that does not follow the bus protocol, I believe that cva6 should not rely on a bug-free external world. Furthermore, a fault injection attack could trigger this CSR corruption.

I have not yet investigated whether this corruption can also be triggered by other scenarios.

@KatCe KatCe added the Type:Bug For bugs in the RTL, Documentation, Verification environment or Tool and Build system label Mar 17, 2025
@JeanRochCoulon JeanRochCoulon added the notCV32A65X It is not an CV32A65X issue label Mar 17, 2025
JeanRochCoulon added a commit that referenced this issue Mar 19, 2025
Following what was done in branch_unit, I set up a default value for hypervisor exception fields in cvxif_fu.
Should fix issue #2831

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: JeanRochCoulon <[email protected]>
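
The failure mode in the report and the default-value approach named in the commit message, as an added SystemVerilog illustration that is not code from CVA6 or from the thread's participants. The struct `exc_t`, the module and every signal name are hypothetical stand-ins.

```systemverilog
// Added illustration. exc_t, the module and all signal names are hypothetical;
// this is not the CVA6 exception_t or cvxif_fu source.
module undriven_exception_field_demo;

  typedef struct packed {
    logic [31:0] cause;
    logic [31:0] tval;
    logic [31:0] tinst;  // only consumed when a hypervisor-style CSR captures it
    logic        valid;
  } exc_t;

  logic        illegal;
  exc_t        exc_partial;    // some fields never driven
  exc_t        exc_defaulted;  // every field driven on every path
  logic [31:0] csr_from_partial, csr_from_defaulted;

  // Pattern described in the report: tval and tinst have no driver, so they
  // are X in 4-state simulation and their hardware value is not defined by the RTL.
  always_comb begin
    exc_partial.cause = 32'd2;
    exc_partial.valid = illegal;
  end

  // Pattern described in the fix: assign a default first, then override.
  always_comb begin
    exc_defaulted       = '0;
    exc_defaulted.cause = 32'd2;
    exc_defaulted.valid = illegal;
  end

  // Stand-in for the trap path that copies tinst into a CSR.
  assign csr_from_partial   = exc_partial.valid   ? exc_partial.tinst   : '0;
  assign csr_from_defaulted = exc_defaulted.valid ? exc_defaulted.tinst : '0;

  initial begin
    illegal = 1'b1;
    #1;
    // Checks an integrator could keep as assertions on the real interface.
    if ($isunknown(csr_from_partial))
      $display("partial:   CSR would capture X (%h)", csr_from_partial);
    assert (!$isunknown(exc_defaulted))
      else $error("defaulted struct still has undriven bits");
    $display("defaulted: CSR captures %h", csr_from_defaulted);
    $finish;
  end
endmodule
```
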
@Gchauvon
Contributor

Does #2844 fix this issue?

If it does, please close it.

BR, Guillaume
