Replaced mbadaddr with mbadbits register, which can now capture bad

instruction bits on an illegal instruction fault.

4 files changed, 75 insertions, 21 deletions

diff --git a/src/machine.tex b/src/machine.tex
index 29920ed..39dc1e0 100644
--- a/src/machine.tex
+++ b/src/machine.tex
@@ -1686,13 +1686,26 @@ interrupt bit and scale the exception codes to index into a trap
 vector table.
 \end{commentary}
 
-\subsection{Machine Bad Address ({\tt mbadaddr}) Register}
+\subsection{Machine Bad Bits ({\tt mbadbits}) Register}
 
-{\tt mbadaddr} is an XLEN-bit read-write register formatted as shown in
-Figure~\ref{mbadaddrreg}. When a hardware breakpoint is triggered, or an
-instruction-fetch, load, or store address-misaligned or access exception
-occurs, {\tt mbadaddr} is written with the faulting address. {\tt mbadaddr} is
-not modified for other exceptions.
+The {\tt mbadbits} register is an XLEN-bit read-write register
+formatted as shown in Figure~\ref{mbadbitsreg}. When a hardware
+breakpoint is triggered, or an instruction-fetch, load, or store
+address-misaligned or access exception occurs, {\tt mbadbits} is
+written with the faulting address.  On an illegal instruction trap,
+{\tt mbadbits} is written with the first XLEN bits of the faulting
+instruction as described below.  {\tt mbadbits} is not modified for
+other exceptions.
+
+\begin{commentary}
+  The {\tt mbadbits} register replaces the {\tt mbadaddr} register in
+  the previous specification.  In addition to providing bad addresses,
+  the register can now provide the bad instruction that triggered an
+  illegal instruction trap (and may in future be used to return other
+  information).  Returning the instruction bits accelerates instruction emulation and also
+  removes some races that might be present when trying to emulate
+  illegal instructions.
+\end{commentary}  
 
 \begin{figure}[h!]
 {\footnotesize
@@ -1700,21 +1713,58 @@ not modified for other exceptions.
 \begin{tabular}{@{}J}
 \instbitrange{XLEN-1}{0} \\
 \hline
-\multicolumn{1}{|c|}{\tt mbadaddr} \\
+\multicolumn{1}{|c|}{\tt mbadbits} \\
 \hline
 XLEN \\
 \end{tabular}
 \end{center}
 }
 \vspace{-0.1in}
-\caption{Machine bad address register.}
-\label{mbadaddrreg}
+\caption{Machine bad bits register.}
+\label{mbadbitsreg}
 \end{figure}
 
 For instruction-fetch access faults on RISC-V systems with
-variable-length instructions, {\tt mbadaddr} will point to the
-portion of the instruction that caused the fault while {\tt mepc} will
-point to the beginning of the instruction.
+variable-length instructions, {\tt mbadbits} will contain a pointer to
+the portion of the instruction that caused the fault while {\tt mepc}
+will point to the beginning of the instruction.
+
+The {\tt mbadbits} register can optionally also be used to return the
+faulting instruction bits on an illegal instruction exception ({\tt
+  mepc} points to the faulting instruction in memory).
+
+If this feature is not provided, then {\tt mbadbits} is set to zero on
+an illegal instruction fault.
+
+If the feature is provided, after an illegal instruction trap, {\tt
+  mbadbits} will contain the entire faulting instruction provided the
+instruction is no longer than XLEN bits.  If the instruction is less
+than XLEN bits long, the upper bits of {\tt mbadbits} are cleared to
+zero. If the instruction is more than XLEN bits long, {\tt mbadbits}
+will contain the first XLEN bits of the instruction.
+
+\begin{commentary}
+  Capturing the faulting instruction in {\tt mbadinst} reduces the
+  overhead of instruction emulation, potentially avoiding several
+  partial instruction loads if the instruction is misaligned, and
+  likely data cache misses or slow uncached accesses when loads are
+  used to fetch the instruction into a data register.  There is also a
+  problem of atomicity if another agent is manipulating the
+  instruction memory, as might occur in a dynamic translation system.
+
+  A requirement is that the entire instruction (or at least the first
+  XLEN bits) are fetched into {\tt mbadbits} before taking the trap.
+  This should not constrain implementations, which would typically
+  fetch the entire instruction before attempting to decode the
+  instruction, and avoids complicating software handlers.
+
+  A value of zero in {\tt mbadbits} signifies either that the feature is
+  not supported, or an illegal zero instruction was fetched.  A load
+  from the instruction memory pointed to by {\tt mepc} can be used to
+  distinguish these two cases (or alternatively, the system
+  configuration information can be interrogated to install the
+  appropriate trap handling before runtime).
+\end{commentary}
 
 \section{Machine-Mode Privileged Instructions}
 
diff --git a/src/priv-csrs.tex b/src/priv-csrs.tex
index fe0bce2..02298e4 100644
--- a/src/priv-csrs.tex
+++ b/src/priv-csrs.tex
@@ -159,7 +159,7 @@ Number    & Privilege & Name & Description \\
 \tt 0x040 & URW  &\tt uscratch   & Scratch register for user trap handlers. \\
 \tt 0x041 & URW  &\tt uepc       & User exception program counter. \\
 \tt 0x042 & URW  &\tt ucause     & User trap cause. \\
-\tt 0x043 & URW  &\tt ubadaddr   & User bad address. \\
+\tt 0x043 & URW  &\tt ubadbits   & User bad address or instruction. \\
 \tt 0x044 & URW  &\tt uip        & User interrupt pending. \\
 \hline
 \multicolumn{4}{|c|}{User Floating-Point CSRs} \\
@@ -212,7 +212,7 @@ Number    & Privilege & Name & Description \\
 \tt 0x140 & SRW  &\tt sscratch   & Scratch register for supervisor trap handlers. \\
 \tt 0x141 & SRW  &\tt sepc       & Supervisor exception program counter. \\
 \tt 0x142 & SRW  &\tt scause     & Supervisor trap cause. \\
-\tt 0x143 & SRW  &\tt sbadaddr   & Supervisor bad address. \\
+\tt 0x143 & SRW  &\tt sbadbits   & Supervisor bad address. \\
 \tt 0x144 & SRW  &\tt sip        & Supervisor interrupt pending. \\
 \hline
 \multicolumn{4}{|c|}{Supervisor Protection and Translation} \\
@@ -245,7 +245,7 @@ Number    & Privilege & Name & Description \\
 %% \tt 0x240 & HRW  &\tt hscratch   & Scratch register for hypervisor trap handlers. \\
 %% \tt 0x241 & HRW  &\tt hepc       & Hypervisor exception program counter. \\
 %% \tt 0x242 & HRW  &\tt hcause     & Hypervisor trap cause. \\
-%% \tt 0x243 & HRW  &\tt hbadaddr   & Hypervisor bad address. \\
+%% \tt 0x243 & HRW  &\tt hbadbits   & Hypervisor bad address or instruction. \\
 %% \tt 0x244 & HRW  &\tt hip        & Hypervisor interrupt pending. \\
 %% \hline
 %% \multicolumn{4}{|c|}{Hypervisor Protection and Translation} \\
@@ -287,7 +287,7 @@ Number    & Privilege & Name & Description \\
 \tt 0x340 & MRW  &\tt mscratch   & Scratch register for machine trap handlers. \\
 \tt 0x341 & MRW  &\tt mepc       & Machine exception program counter. \\
 \tt 0x342 & MRW  &\tt mcause     & Machine trap cause. \\
-\tt 0x343 & MRW  &\tt mbadaddr   & Machine bad address. \\
+\tt 0x343 & MRW  &\tt mbadbits   & Machine bad address or instruction. \\
 \tt 0x344 & MRW  &\tt mip        & Machine interrupt pending. \\
 \hline
 \multicolumn{4}{|c|}{Machine Protection and Translation} \\
diff --git a/src/priv-preface.tex b/src/priv-preface.tex
index 356b289..f6a74ff 100644
--- a/src/priv-preface.tex
+++ b/src/priv-preface.tex
@@ -20,6 +20,10 @@ architecture proposal.  Changes from version 1.9.1 include:
   and user modes has been added to the {\tt mstatus} CSR, and the
   field previously called Base in {\tt misa} has been renamed to {\tt
     MXL} for consistency.
+  \item The {\tt mbadaddr} register has been subsumed by a more
+    general {\tt mbadbits} register that can now capture bad
+    instruction bits on an illegal instruction fault to speed
+    instruction emulation.
 \item The machine-mode base-and-bounds translation and protection
   schemes have been removed from the specification as part of moving
   the virtual memory configuration to {\tt sptbr}.  Some of the
diff --git a/src/supervisor.tex b/src/supervisor.tex
index 5e57fee..1a03f15 100644
--- a/src/supervisor.tex
+++ b/src/supervisor.tex
@@ -546,13 +546,13 @@ so is only guaranteed to hold supported exception codes.
 \label{scauses}
 \end{table*}
 
-\subsection{Supervisor Bad Address ({\tt sbadaddr}) Register}
+\subsection{Supervisor Bad Address ({\tt sbadbits}) Register}
 
-{\tt sbadaddr} is an XLEN-bit read/write register formatted as shown in
+{\tt sbadbits} is an XLEN-bit read/write register formatted as shown in
 Figure~\ref{badvaddrreg}.  When a hardware breakpoint is triggered, or
 an instruction-fetch, load, or store access exception occurs,
 or an instruction-fetch or AMO address-misaligned exception occurs,
-{\tt sbadaddr} is written with the faulting address.  {\tt sbadaddr}
+{\tt sbadbits} is written with the faulting address.  {\tt sbadbits}
 is not modified for other exceptions.
 
 \begin{figure}[h!]
@@ -561,7 +561,7 @@ is not modified for other exceptions.
 \begin{tabular}{@{}J}
 \instbitrange{XLEN-1}{0} \\
 \hline
-\multicolumn{1}{|c|}{\tt sbadaddr} \\
+\multicolumn{1}{|c|}{\tt sbadbits} \\
 \hline
 XLEN \\
 \end{tabular}
@@ -573,7 +573,7 @@ XLEN \\
 \end{figure}
 
 For instruction fetch access faults on RISC-V systems with
-variable-length instructions, {\tt sbadaddr} will point to the portion
+variable-length instructions, {\tt sbadbits} will point to the portion
 of the instruction that caused the fault while {\tt sepc} will point
 to the beginning of the instruction.