Bug Description
NutShell accepts a final-level Sv39 leaf PTE with V=1, W=1, and R=0. RISC-V defines W=1,R=0 as an invalid PTE encoding. A compliant implementation must reject it and raise a page-fault exception corresponding to the original access type.
In the supplied test program, the final-level PTE has V/W/A/D=1 and R=0, and the test executes a store through that mapping. Spike raises a precise Store/AMO page fault (mcause=15), while NutShell commits the store instead of trapping.
RISC-V Specification Requirement
During Sv39 virtual-address translation, if pte.v = 0, or if pte.r = 0 and pte.w = 1, the implementation must raise a page-fault exception corresponding to the original access type.
Reference: https://docs.riscv.org/reference/isa/v20260120/priv/supervisor.html#_virtual_address_translation_process
Because the original access in this test program is a store, the required architectural exception is Store/AMO page fault (mcause=15).
Steps to Reproduce
- Run the supplied poc/program.elf under difftest.
- M-mode installs a three-level Sv39 mapping for MY_VA = 0x40000000.
- The final-level PTE is written with PTE_VWAD, which sets V/W/A/D=1 while leaving R=0.
- The test enables Sv39 with S-mode effective privilege and executes the faulting store.
Essential setup:
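```asm
    la   t0, l0_pt              # t0 = base of the final-level page table
    la   t1, bad_data           # t1 = address of the page to be mapped
    srli t1, t1, 12             # address -> page number (PPN)
    slli t1, t1, 10             # shift the PPN into the PTE's PPN field
    ori  t1, t1, PTE_VWAD       # V/W/A/D=1, R=0: the invalid encoding
    sd   t1, (L0_INDEX * 8)(t0) # install the final-level PTE
    li   a0, MY_VA              # a0 = virtual address covered by that PTE
    li   a1, NEW_VALUE
    sd   a1, 0(a0)              # the faulting store (store_site)
```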
Expected Result
- The store does not complete.
- mcause = 15 (Store/AMO page fault).
- mepc = store_site (0x800000dc in this build).
- mtval = 0x40000000.
- Memory behind the invalid W=1,R=0 leaf is not architecturally modified.
Actual Result
NutShell commits the store, while Spike reports the page fault:
```
[31] commit pc 00000000800000dc ... data 8877665544332211 ... sd a1, 0(a0) <--
pc: 0x0000000080000130 ... mcause: 0x000000000000000f mepc: 0x00000000800000dc
mtval: 0x0000000040000000 ...
mcause different ... right = 0x000000000000000f, wrong = 0x0000000000000000
```
NS-7.zip
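
The check quoted under "RISC-V Specification Requirement", as an added C reference model (not NutShell or Spike code, and not part of the original report): a three-level Sv39 walk over a constructed in-memory page table that maps MY_VA with a caller-chosen leaf encoding. The names `mem`, `sv39_translate` and `demo` are hypothetical; U/SUM/MXR checks are omitted and clear A/D bits are modelled as a fault.

```c
#include <stdint.h>
/* Sv39 PTE flag bits, as defined by the RISC-V privileged spec. */
enum { PTE_V = 1, PTE_R = 2, PTE_W = 4, PTE_X = 8, PTE_A = 64, PTE_D = 128 };
/* Page-fault mcause values, selected by the original access type. */
enum access { ACC_FETCH = 12, ACC_LOAD = 13, ACC_STORE = 15 };
#define PTE_VWAD (PTE_V | PTE_W | PTE_A | PTE_D) /* V/W/A/D=1, R=0 */
#define NPAGES 4
static uint64_t mem[NPAGES][512]; /* constructed memory: page n is mem[n] */

/* Returns 0 and sets *pa on success, otherwise the page-fault mcause. */
int sv39_translate(uint64_t root_ppn, uint64_t va, enum access acc, uint64_t *pa)
{
    uint64_t ppn = root_ppn;
    for (int level = 2; level >= 0; level--) {
        if (ppn >= NPAGES) return acc; /* limit of this model, not a spec rule */
        uint64_t pte = mem[ppn][(va >> (12 + 9 * level)) & 0x1ff];
        /* V=0, or the reserved W=1,R=0 encoding: fault at any level. */
        if (!(pte & PTE_V) || (!(pte & PTE_R) && (pte & PTE_W)))
            return acc;
        ppn = (pte >> 10) & ((1ULL << 44) - 1);
        if (!(pte & (PTE_R | PTE_X)))
            continue; /* non-leaf: descend to the next level */
        uint64_t need = acc == ACC_STORE ? PTE_W : acc == ACC_LOAD ? PTE_R : PTE_X;
        uint64_t span = (1ULL << (12 + 9 * level)) - 1;
        if (!(pte & need) || ((ppn << 12) & span)) /* permission, alignment */
            return acc;
        if (!(pte & PTE_A) || (acc == ACC_STORE && !(pte & PTE_D)))
            return acc; /* A/D clear: modelled as a fault */
        *pa = (ppn << 12) | (va & span);
        return 0;
    }
    return acc; /* walked past level 0 without finding a leaf */
}

/* Builds the report's shape: three levels mapping MY_VA to page 3. */
int demo(uint64_t leaf_flags, enum access acc, uint64_t *pa)
{
    const uint64_t my_va = 0x40000000; /* MY_VA from the report */
    mem[0][(my_va >> 30) & 0x1ff] = (1ULL << 10) | PTE_V;
    mem[1][(my_va >> 21) & 0x1ff] = (2ULL << 10) | PTE_V;
    mem[2][(my_va >> 12) & 0x1ff] = (3ULL << 10) | leaf_flags;
    return sv39_translate(0, my_va, acc, pa);
}

int main(void)
{
    uint64_t pa = 0;
    return demo(PTE_VWAD, ACC_STORE, &pa) == ACC_STORE ? 0 : 1;
}
```

With the PTE_VWAD leaf the model returns the cause for whichever access was attempted and never produces a physical address; adding R to the same leaf lets the store translate.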