summary refs log tree commit diff stats
path: root/results/classifier/105/device/1886076
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/105/device/1886076')
-rw-r--r--results/classifier/105/device/188607665
1 files changed, 65 insertions, 0 deletions
diff --git a/results/classifier/105/device/1886076 b/results/classifier/105/device/1886076
new file mode 100644
index 000000000..04c4ff4aa
--- /dev/null
+++ b/results/classifier/105/device/1886076
@@ -0,0 +1,65 @@
+device: 0.849
+vnc: 0.847
+instruction: 0.841
+graphic: 0.810
+other: 0.797
+semantic: 0.764
+socket: 0.714
+network: 0.650
+boot: 0.641
+assembly: 0.566
+KVM: 0.517
+mistranslation: 0.442
+
+risc-v pmp implementation error
+
+QEMU Commit fc1bff958998910ec8d25db86cd2f53ff125f7ab
+
+
+RISC-V PMP implementation is not correct on QEMU.
+
+When an access is granted there is no more PMP check on the 4KB memory range of the accessed location.
+A cache flush is needed in order to force a PMP check on next access to this 4KB memory range.
+A correct implementation would be to grant access to the maximum allowed area around the accessed location within the 4KB memory range.
+
+For instance, if PMP is configured to block all accesses from 0x80003000 to 0x800037FF and from 0x80003C00 to 0x80003FFF:
+1st case:
+    1) A read access is done @0x80003900 --> access OK as expected
+    2) Then a read access is done @0x80003400 --> access OK while it must be blocked!
+2nd case:
+    1) A read access is done @0x80003900 --> access OK as expected
+    2) Cache is flushed (__asm__ __volatile__ ("sfence.vma" : : : "memory");)  
+    3) A read access is done @0x80003400 --> access blocked as expected
+
+Analysis:
+    After the 1st read @0x80003900 QEMU add the memory range 0x80003000 to 0x80003FFF into a TLB entry.
+    Then no more PMP check is done from 0x80003000 to 0x80003FFF until the TLB is flushed.
+What should be done:
+    Only the range 0x80003800 to 0x80003BFF should be added to the TLB entry.
+
+The 4KB range is the default size of a TLB page on QEMU for RISCV.
+The minimum size that can be set is 64Bytes. However the PMP granularity can be as low as 4Bytes.
+
+I tested a quick fix and PMP is working as expected.
+The quick fix consist in replacing this line:
+tlb_set_page(cs, address & TARGET_PAGE_MASK, pa & TARGET_PAGE_MASK, prot, mmu_idx, TARGET_PAGE_SIZE);
+By this one in target/riscv/cpu_helper.c:
+tlb_set_page(cs, address & ~0x3, pa & ~0x3, prot, mmu_idx, size);
+
+This quick fix has to be optimized in order to consume less HW resources, as explained at the beginning.
+
+
+
+Nicolas,
+
+to be reviewed your patch must be sent to <email address hidden>
+
+This should be fixed once the current RISC-V branch is merged into master.
+
+You can see the patch that fixes this here: https://<email address hidden><email address hidden>/
+
+I'm marking this as fix committed, although the fix isn't yet in master it's in the RISC-V tree and will be in master soon.
+
+Fix has been included here:
+https://gitlab.com/qemu-project/qemu/-/commit/af3fc195e3c8e98b
+