path: root/results/classifier/zero-shot/118/debug/1053
blob: 534bdc48dc0c59c5423ee612d65293b2099dbb43
debug: 0.993
TCG: 0.973
architecture: 0.925
risc-v: 0.858
device: 0.726
performance: 0.624
graphic: 0.463
x86: 0.446
semantic: 0.437
ppc: 0.422
socket: 0.389
i386: 0.360
peripherals: 0.359
kernel: 0.356
vnc: 0.319
boot: 0.315
network: 0.297
KVM: 0.276
register: 0.271
arm: 0.266
user-level: 0.255
mistranslation: 0.242
PID: 0.233
permissions: 0.225
VMM: 0.220
assembly: 0.212
hypervisor: 0.202
virtual: 0.148
files: 0.086

Executable PMP regions of size less than 4K always trigger an instruction access fault
Description of problem:
When configuring a PMP region that is less than 4K in size (page size), and then trying to execute instructions inside said region, TCG always throws a PMP exception, even though the area allows code execution.
Additional information:
I've debugged the issue already, and it's happening because of the following optimization in TCG:

TCG uses `get_page_addr_code_hostp` in order to try and get the translation cached for a whole page of instructions; if this function is unable to translate a whole page, it's supposed to simply return `-1`, and then the caller is supposed to translate and execute on a per-instruction basis. In this case `get_page_addr_code_hostp` calls `tlb_fill`, which then calls `riscv_cpu_tlb_fill`, which then calls `get_physical_address_pmp` to perform the PMP access checks. When said instructions are covered by a PMP region which is smaller than a page, this check then fails, since PMP regions must cover the whole access in order to allow it. At this point `riscv_cpu_tlb_fill` will see that a PMP fault happened, and since `probe` is set to false by `get_page_addr_code_hostp`, it will throw a RISC-V access fault exception instead of just returning a failure that `get_page_addr_code_hostp` can handle (by only accessing the memory of the specific instruction instead, which will be fully covered by the PMP region).

I haven't tried to fix it myself (my first idea is to simply make `get_page_addr_code_hostp` set the probe flag), since I'm not sure if changing that part of TCG will affect other architectures that I'm not aware of.
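The mechanism described in the report, as an added stand-alone model rather than QEMU's own code (QEMU's check lives in `get_physical_address_pmp`, which is not reproduced here). The example decodes RISC-V PMP entries from their `pmpaddr`/`pmpcfg` encoding (TOR, NA4 and NAPOT, as in the privileged spec) and applies the matching rule that makes the bug happen: the first entry that overlaps an access decides it, and the access must fall entirely inside that entry or it faults regardless of permissions. A constructed 1 KiB executable NAPOT region at `0x80001000` then shows why a whole-page (4 KiB) executability probe faults while a 4-byte instruction fetch at the same address is allowed. The region base, size and the helper names (`pmp_check`, `check_whole_page_fetch`, `check_single_insn_fetch`) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* pmpcfg bit layout from the RISC-V privileged spec. */
#define PMP_R        0x01u
#define PMP_W        0x02u
#define PMP_X        0x04u
#define PMP_A_SHIFT  3
#define PMP_A_OFF    0u
#define PMP_A_TOR    1u
#define PMP_A_NA4    2u
#define PMP_A_NAPOT  3u

typedef struct {
    uint64_t pmpaddr;   /* physical address >> 2, as written to the CSR */
    uint8_t  pmpcfg;    /* R/W/X/A/L bits for this entry */
} pmp_entry_t;

typedef enum { PMP_NO_MATCH, PMP_FAULT, PMP_ALLOWED } pmp_result_t;

/* Decode one entry into a half-open byte range [start, end).
 * prev_pmpaddr is the preceding entry's pmpaddr, needed for TOR. */
static bool pmp_decode(const pmp_entry_t *e, uint64_t prev_pmpaddr,
                       uint64_t *start, uint64_t *end)
{
    switch ((e->pmpcfg >> PMP_A_SHIFT) & 3u) {
    case PMP_A_TOR:
        *start = prev_pmpaddr << 2;
        *end   = e->pmpaddr << 2;
        return *end > *start;
    case PMP_A_NA4:
        *start = e->pmpaddr << 2;
        *end   = *start + 4;
        return true;
    case PMP_A_NAPOT: {
        /* k trailing ones in pmpaddr encode a 2^(k+3)-byte naturally aligned region. */
        unsigned k = 0;
        uint64_t v = e->pmpaddr;
        while ((v & 1u) && k < 61) { v >>= 1; k++; }
        uint64_t size = (uint64_t)1 << (k + 3);
        *start = (e->pmpaddr << 2) & ~(size - 1);
        *end   = *start + size;
        return true;
    }
    default:            /* PMP_A_OFF: entry disabled */
        return false;
    }
}

/* Check an access of `size` bytes at `addr` needing permissions `need`.
 * Entries are matched in priority order; the first entry that overlaps the
 * access decides.  The access must lie entirely inside that entry's range,
 * otherwise it faults no matter what permissions the entry grants. */
pmp_result_t pmp_check(const pmp_entry_t *entries, size_t n,
                       uint64_t addr, uint64_t size, uint8_t need)
{
    uint64_t prev = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t s, e;
        bool active = pmp_decode(&entries[i], prev, &s, &e);
        prev = entries[i].pmpaddr;
        if (!active) continue;
        bool overlaps = addr < e && addr + size > s;
        if (!overlaps) continue;
        bool fully_inside = addr >= s && addr + size <= e;
        if (!fully_inside) return PMP_FAULT;          /* partial match */
        return ((entries[i].pmpcfg & need) == need) ? PMP_ALLOWED : PMP_FAULT;
    }
    /* No entry matched: the spec allows M-mode and faults lower modes (when
     * any entry is implemented); the caller decides based on privilege. */
    return PMP_NO_MATCH;
}

/* Constructed scenario matching the report: a 1 KiB R+X NAPOT region at
 * 0x80001000, i.e. smaller than the 4 KiB page TCG probes for. */
#define DEMO_BASE 0x80001000ull
#define DEMO_SIZE 1024ull
static const pmp_entry_t demo_pmp[] = {
    { (DEMO_BASE | (DEMO_SIZE / 2 - 1)) >> 2,
      PMP_R | PMP_X | (PMP_A_NAPOT << PMP_A_SHIFT) },
};

uint64_t demo_region_size(void)
{
    uint64_t s = 0, e = 0;
    pmp_decode(&demo_pmp[0], 0, &s, &e);
    return e - s;
}

/* What the whole-page code probe effectively asks for: execute permission on
 * all 4 KiB.  The region covers only part of the page, so this faults. */
pmp_result_t check_whole_page_fetch(void)
{
    return pmp_check(demo_pmp, 1, DEMO_BASE, 4096, PMP_X);
}

/* What a per-instruction fetch asks for: 4 bytes inside the region.  Allowed. */
pmp_result_t check_single_insn_fetch(void)
{
    return pmp_check(demo_pmp, 1, DEMO_BASE, 4, PMP_X);
}

int main(void)
{
    printf("region size: %llu bytes\n", (unsigned long long)demo_region_size());
    printf("whole-page probe: %s\n",
           check_whole_page_fetch() == PMP_FAULT ? "fault" : "allowed");
    printf("single-insn fetch: %s\n",
           check_single_insn_fetch() == PMP_ALLOWED ? "allowed" : "fault");
    return 0;
}
```

The two results side by side are the whole bug: the same entry that permits the instruction fetch rejects the page-granular probe, so a caller that treats the probe result as a definitive fault (rather than as "cannot cache this page, fall back to per-instruction translation") reports an access fault the hardware would never raise.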