I’m not sure I follow your response, Oded, but I believe the “decomposed” text in the spec exists specifically so that implementations may break up misaligned accesses. When they do so, it’s allowed that the two halves of the access map to different PMP entries. Both will succeed.

It’s also allowed to consider it as one access and take an exception because the PMP entry doesn’t match all bytes.

On Jan 12, 2022, at 7:04 AM, Oded Yishay <oded.yishay@...> wrote:

 

Please see the embedded reply below.

 

 

From: Ravinder Dasila <ravinder.dasila@...> 
Sent: Wednesday, January 12, 2022 7:57 AM
To: tech-privileged@...
Cc: Sourav Roy <sourav.roy@...>; Jeff Scott <jeff.scott@...>; Oded Yishay <oded.yishay@...>
Subject: Query about PMP spec for misaligned access

 

Hello,

I’ve few queries regarding PMP spec for misaligned access.

 

As per the pmp section in privileged spec, there are two lines as follows:

1. “The matching PMP entry must match all bytes of an access, or the access fails, irrespective of the L, R, W, and X bits.”

 

[<Oded>] “all bytes of an access” means the CPU access – (access_base_address + Access_Size - 1) must be in the same region as access_base_address or the access fails.

 

2. “On some implementations, misaligned loads, stores, and instruction fetches may also be decomposed into multiple accesses, some of which may succeed before an access exception occurs.”

 

[<Oded>] “decomposed into multiple accesses”: these are the physical bus transactions.

 

Q. Does an ‘access’ for both these lines mean a ‘physical access’, or does the first one mean a ‘CPU access’ and the second one a ‘physical access’?       [<Oded>]  See above

 

Now, consider a scenario, where a misaligned store is done across 2 pmp regions and both the regions have write permission in pmpcfg csrs. In case:

• If a misaligned store is considered a single access, then as per point #1 above, it should generate an exception.

 

[<Oded>] If it meets the criteria – access_base_address AND (access_ base_address + Access_Size - 1) are in the same region – the access succeeds.  Otherwise, it fails.

 

• However, if the misaligned store is considered as 2 separate physical accesses, then there should be no exception since we have to write permissions for both pmp regions and both accesses should be written to memory.

 

[<Oded>] Both bus transactions must be in the same region to succeed.  Otherwise, the transaction fails (even if both bus transactions of the access succeed in different regions – it should fail – because the entire CPU access does not fail in the same region).

 

 

[<Oded>]  I hope this clarifies the issue.

-Oded

 

 

Is our understanding correct here?

 

Regards,

Ravinder Dasila

 

<image002.png>

 

 

I actually think that Oded has it right. IF the access fails because it crosses a PMP boundary - it's an illegal access fault.

The trap handler could decompose that into two separate transactions, each of which could succeed because neither crosses a boundary

  - but those are no longer part of the original transaction.

A misaligned access could be broken up into two parts by the hardware as part of the original transaction without failing

 - but only if the original request doesn't cross the boundary.

IF the transaction doesn't cross a boundary, but is broken up, then  it is still possible that either of the broken up transactions may fail *for other reasons* 

    (e.g. crosses a page boundary with different access permissions).

In that case the first transaction will succeed, and the second could fail, and memory will be partially updated.

On Wed, Jan 12, 2022 at 11:15 AM Scott Johnson <scott.johnson@...> wrote:

I’m not sure I follow your response, Oded, but I believe the “decomposed” text in the spec exists specifically so that implementations may break up misaligned accesses. When they do so, it’s allowed that the two halves of the access map to different PMP entries. Both will succeed.

It’s also allowed to consider it as one access and take an exception because the PMP entry doesn’t match all bytes.

On Jan 12, 2022, at 7:04 AM, Oded Yishay <oded.yishay@...> wrote:

 

Please see the embedded reply below.

 

 

From: Ravinder Dasila <ravinder.dasila@...> 
Sent: Wednesday, January 12, 2022 7:57 AM
To: tech-privileged@...
Cc: Sourav Roy <sourav.roy@...>; Jeff Scott <jeff.scott@...>; Oded Yishay <oded.yishay@...>
Subject: Query about PMP spec for misaligned access

 

Hello,

I’ve few queries regarding PMP spec for misaligned access.

 

As per the pmp section in privileged spec, there are two lines as follows:

1. “The matching PMP entry must match all bytes of an access, or the access fails, irrespective of the L, R, W, and X bits.”

 

[<Oded>] “all bytes of an access” means the CPU access – (access_base_address + Access_Size - 1) must be in the same region as access_base_address or the access fails.

 

2. “On some implementations, misaligned loads, stores, and instruction fetches may also be decomposed into multiple accesses, some of which may succeed before an access exception occurs.”

 

[<Oded>] “decomposed into multiple accesses”: these are the physical bus transactions.

 

Q. Does an ‘access’ for both these lines mean a ‘physical access’, or does the first one mean a ‘CPU access’ and the second one a ‘physical access’?       [<Oded>]  See above

 

Now, consider a scenario, where a misaligned store is done across 2 pmp regions and both the regions have write permission in pmpcfg csrs. In case:

• If a misaligned store is considered a single access, then as per point #1 above, it should generate an exception.

 

[<Oded>] If it meets the criteria – access_base_address AND (access_ base_address + Access_Size - 1) are in the same region – the access succeeds.  Otherwise, it fails.

 

• However, if the misaligned store is considered as 2 separate physical accesses, then there should be no exception since we have to write permissions for both pmp regions and both accesses should be written to memory.

 

[<Oded>] Both bus transactions must be in the same region to succeed.  Otherwise, the transaction fails (even if both bus transactions of the access succeed in different regions – it should fail – because the entire CPU access does not fail in the same region).

 

 

[<Oded>]  I hope this clarifies the issue.

-Oded

 

 

Is our understanding correct here?

 

Regards,

Ravinder Dasila

 

<image002.png>

 

 

Interesting.  I agree with Scott.  It says "The matching PMP entry must match all bytes of an access" and "misaligned loads, stores, and instruction fetches may also be decomposed into multiple accesses."  It's not that it must match all bytes that are accessed by a single instruction.  It's that it must match all bytes of each access that gets performed by the implementation (not by a handler).

No matter who is correct, this obviously needs to be clarified.

Thanks,

-Paul

On Wed, Jan 12, 2022 at 11:48 AM Allen Baum <allen.baum@...> wrote:

I actually think that Oded has it right. IF the access fails because it crosses a PMP boundary - it's an illegal access fault.

The trap handler could decompose that into two separate transactions, each of which could succeed because neither crosses a boundary

  - but those are no longer part of the original transaction.

A misaligned access could be broken up into two parts by the hardware as part of the original transaction without failing

 - but only if the original request doesn't cross the boundary.

IF the transaction doesn't cross a boundary, but is broken up, then  it is still possible that either of the broken up transactions may fail *for other reasons* 

    (e.g. crosses a page boundary with different access permissions).

In that case the first transaction will succeed, and the second could fail, and memory will be partially updated.

On Wed, Jan 12, 2022 at 11:15 AM Scott Johnson <scott.johnson@...> wrote:

I’m not sure I follow your response, Oded, but I believe the “decomposed” text in the spec exists specifically so that implementations may break up misaligned accesses. When they do so, it’s allowed that the two halves of the access map to different PMP entries. Both will succeed.

It’s also allowed to consider it as one access and take an exception because the PMP entry doesn’t match all bytes.

On Jan 12, 2022, at 7:04 AM, Oded Yishay <oded.yishay@...> wrote:

 

Please see the embedded reply below.

 

 

From: Ravinder Dasila <ravinder.dasila@...> 
Sent: Wednesday, January 12, 2022 7:57 AM
To: tech-privileged@...
Cc: Sourav Roy <sourav.roy@...>; Jeff Scott <jeff.scott@...>; Oded Yishay <oded.yishay@...>
Subject: Query about PMP spec for misaligned access

 

Hello,

I’ve few queries regarding PMP spec for misaligned access.

 

As per the pmp section in privileged spec, there are two lines as follows:

1. “The matching PMP entry must match all bytes of an access, or the access fails, irrespective of the L, R, W, and X bits.”

 

[<Oded>] “all bytes of an access” means the CPU access – (access_base_address + Access_Size - 1) must be in the same region as access_base_address or the access fails.

 

2. “On some implementations, misaligned loads, stores, and instruction fetches may also be decomposed into multiple accesses, some of which may succeed before an access exception occurs.”

 

[<Oded>] “decomposed into multiple accesses”: these are the physical bus transactions.

 

Q. Does an ‘access’ for both these lines mean a ‘physical access’, or does the first one mean a ‘CPU access’ and the second one a ‘physical access’?       [<Oded>]  See above

 

Now, consider a scenario, where a misaligned store is done across 2 pmp regions and both the regions have write permission in pmpcfg csrs. In case:

• If a misaligned store is considered a single access, then as per point #1 above, it should generate an exception.

 

[<Oded>] If it meets the criteria – access_base_address AND (access_ base_address + Access_Size - 1) are in the same region – the access succeeds.  Otherwise, it fails.

 

• However, if the misaligned store is considered as 2 separate physical accesses, then there should be no exception since we have to write permissions for both pmp regions and both accesses should be written to memory.

 

[<Oded>] Both bus transactions must be in the same region to succeed.  Otherwise, the transaction fails (even if both bus transactions of the access succeed in different regions – it should fail – because the entire CPU access does not fail in the same region).

 

 

[<Oded>]  I hope this clarifies the issue.

-Oded

 

 

Is our understanding correct here?

 

Regards,

Ravinder Dasila

 

<image002.png>

 

 

My interpretation of this is if a misaligned store crosses between two PMP regions, both of which allow the write it's permissible for the implementation to allow both of those writes to occur, however you still get an illegal access fault (as all the bytes of the access didn't match a single PMP entry).

On Wed, Jan 12, 2022 at 8:02 PM Paul Donahue <pdonahue@...> wrote:

Interesting.  I agree with Scott.  It says "The matching PMP entry must match all bytes of an access" and "misaligned loads, stores, and instruction fetches may also be decomposed into multiple accesses."  It's not that it must match all bytes that are accessed by a single instruction.  It's that it must match all bytes of each access that gets performed by the implementation (not by a handler).

No matter who is correct, this obviously needs to be clarified.

Thanks,

-Paul

On Wed, Jan 12, 2022 at 11:48 AM Allen Baum <allen.baum@...> wrote:

I actually think that Oded has it right. IF the access fails because it crosses a PMP boundary - it's an illegal access fault.

The trap handler could decompose that into two separate transactions, each of which could succeed because neither crosses a boundary

  - but those are no longer part of the original transaction.

A misaligned access could be broken up into two parts by the hardware as part of the original transaction without failing

 - but only if the original request doesn't cross the boundary.

IF the transaction doesn't cross a boundary, but is broken up, then  it is still possible that either of the broken up transactions may fail *for other reasons* 

    (e.g. crosses a page boundary with different access permissions).

In that case the first transaction will succeed, and the second could fail, and memory will be partially updated.

On Wed, Jan 12, 2022 at 11:15 AM Scott Johnson <scott.johnson@...> wrote:

I’m not sure I follow your response, Oded, but I believe the “decomposed” text in the spec exists specifically so that implementations may break up misaligned accesses. When they do so, it’s allowed that the two halves of the access map to different PMP entries. Both will succeed.

It’s also allowed to consider it as one access and take an exception because the PMP entry doesn’t match all bytes.

On Jan 12, 2022, at 7:04 AM, Oded Yishay <oded.yishay@...> wrote:

 

Please see the embedded reply below.

 

 

From: Ravinder Dasila <ravinder.dasila@...> 
Sent: Wednesday, January 12, 2022 7:57 AM
To: tech-privileged@...
Cc: Sourav Roy <sourav.roy@...>; Jeff Scott <jeff.scott@...>; Oded Yishay <oded.yishay@...>
Subject: Query about PMP spec for misaligned access

 

Hello,

I’ve few queries regarding PMP spec for misaligned access.

 

As per the pmp section in privileged spec, there are two lines as follows:

1. “The matching PMP entry must match all bytes of an access, or the access fails, irrespective of the L, R, W, and X bits.”

 

[<Oded>] “all bytes of an access” means the CPU access – (access_base_address + Access_Size - 1) must be in the same region as access_base_address or the access fails.

 

2. “On some implementations, misaligned loads, stores, and instruction fetches may also be decomposed into multiple accesses, some of which may succeed before an access exception occurs.”

 

[<Oded>] “decomposed into multiple accesses”: these are the physical bus transactions.

 

Q. Does an ‘access’ for both these lines mean a ‘physical access’, or does the first one mean a ‘CPU access’ and the second one a ‘physical access’?       [<Oded>]  See above

 

Now, consider a scenario, where a misaligned store is done across 2 pmp regions and both the regions have write permission in pmpcfg csrs. In case:

• If a misaligned store is considered a single access, then as per point #1 above, it should generate an exception.

 

[<Oded>] If it meets the criteria – access_base_address AND (access_ base_address + Access_Size - 1) are in the same region – the access succeeds.  Otherwise, it fails.

 

• However, if the misaligned store is considered as 2 separate physical accesses, then there should be no exception since we have to write permissions for both pmp regions and both accesses should be written to memory.

 

[<Oded>] Both bus transactions must be in the same region to succeed.  Otherwise, the transaction fails (even if both bus transactions of the access succeed in different regions – it should fail – because the entire CPU access does not fail in the same region).

 

 

[<Oded>]  I hope this clarifies the issue.

-Oded

 

 

Is our understanding correct here?

 

Regards,

Ravinder Dasila

 

<image002.png>