1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
|
[[machine]]
== Machine-Level ISA, Version 1.13
This chapter describes the machine-level operations available in
machine-mode (M-mode), which is the highest privilege mode in a RISC-V
hart. M-mode is used for low-level access to a hardware platform and
is the first mode entered at reset. M-mode can also be used to implement
features that are too difficult or expensive to implement in hardware
directly. The RISC-V machine-level ISA contains a common core that is
extended depending on which other privilege levels are supported and
other details of the hardware implementation.
=== Machine-Level CSRs
In addition to the machine-level CSRs described in this section, M-mode
code can access all CSRs at lower privilege levels.
[[misa]]
==== Machine ISA Register `misa`
The `misa` CSR is a *WARL* read-write register reporting the ISA supported by the hart. This register must be readable in any implementation, but a value of zero can be returned to indicate the `misa` register has not been implemented, requiring that CPU capabilities be determined through a separate non-standard mechanism.
.Machine ISA register (misa)
include::images/bytefield/misareg.edn[]
The MXL (Machine XLEN) field encodes the native base integer ISA width as
shown in <<misabase>>. The MXL field is read-only. If `misa` is nonzero, the
MXL field indicates the effective XLEN in M-mode, a constant termed _MXLEN_.
XLEN is never greater than MXLEN, but XLEN might be smaller than MXLEN in
less-privileged modes.
[[misabase]]
.Encoding of MXL field in `misa`
[%autowidth,float="center",align="center",cols=">,>",options="header",]
|===
|MXL |XLEN
|1 +
2 +
3
|32 +
64 +
128
|===
The `misa` CSR is MXLEN bits wide.
[NOTE]
====
The base width can be quickly ascertained using branches on the sign of
the returned `misa` value, and possibly a shift left by one and a second
branch on the sign. These checks can be written in assembly code without
knowing the register width (MXLEN) of the hart. The base width is
given by __MXLEN=2^MXL+4^__.
The base width can also be found if `misa` is zero, by placing the
immediate 4 in a register then shifting the register left by 31 bits at
a time. If zero after one shift, then the hart is RV32. If zero after
two shifts, then the hart is RV64, else RV128.
====
The Extensions field encodes the presence of the standard extensions,
with a single bit per letter of the alphabet (bit 0 encodes presence of
extension "A" , bit 1 encodes presence of extension "B", through to
bit 25 which encodes "Z"). The "I" bit will be set for RV32I, RV64I,
and RV128I base ISAs, and the "E" bit will be set for RV32E and RV64E. The
Extensions field is a *WARL* field that can contain writable bits where the
implementation allows the supported ISA to be modified. At reset, the
Extensions field shall contain the maximal set of supported extensions,
and "I" shall be selected over "E" if both are available.
When a standard extension is disabled by clearing its bit in `misa`, the
instructions and CSRs defined or modified by the extension revert to
their defined or reserved behaviors as if the extension is not
implemented.
[NOTE]
====
For a given RISC-V execution environment, an instruction, extension, or
other feature of the RISC-V ISA is ordinarily judged to be _implemented_
or not by the observable execution behavior in that environment. For
example, the F extension is said to be implemented for an execution
environment if and only if the instructions that the RISC-V Unprivileged
ISA defines for F execute as specified.
With this definition of _implemented_, disabling an extension by
clearing its bit in `misa` results in the extension being considered
_not implemented_ in M-mode. For example, setting `misa`.F=0 results in
the F extension being not implemented for M-mode, because the F
extension's instructions will not act as the Unprivileged ISA requires
but may instead raise an illegal-instruction exception.
Defining the term _implemented_ based strictly on the observable
behavior might conflict with other common understandings of the same
word. In particular, although common usage may allow for the combination
"implemented but disabled," in this document it is considered a
contradiction of terms, because _disabled_ implies execution will not
behave as required for the feature to be considered _implemented_. In
the same vein, "implemented and enabled" is redundant here;
"implemented" suffices.
====
.Encoding of Extensions field in `misa`. All bits that are reserved for future use must return zero when read.
[%autowidth,float="center",align="center",cols=">,>,<",options="header",]
|===
|Bit |Character |Description
|0 +
1 +
2 +
3 +
4 +
5 +
6 +
7 +
8 +
9 +
10 +
11 +
12 +
13 +
14 +
15 +
16 +
17 +
18 +
19 +
20 +
21 +
22 +
23 +
24 +
25 +
|A +
B +
C +
D +
E +
F +
G +
H +
I +
J +
K +
L +
M +
N +
O +
P +
Q +
R +
S +
T +
U +
V +
W +
X +
Y +
Z
|Atomic extension +
B extension +
Compressed extension +
Double-precision floating-point extension +
RV32E/64E base ISA +
Single-precision floating-point extension +
_Reserved_ +
Hypervisor extension +
RV32I/64I/128I base ISA +
_Reserved_ +
_Reserved_ +
_Reserved_ +
Integer Multiply/Divide extension +
_Tentatively reserved for User-Level Interrupts extension_ +
_Reserved_ +
_Tentatively reserved for Packed-SIMD extension_ +
Quad-precision floating-point extension +
_Reserved_ +
Supervisor mode implemented +
_Reserved_ +
User mode implemented +
Vector extension +
_Reserved_ +
Non-standard extensions present +
_Reserved_ +
_Reserved_
|===
The design of the RV128I base ISA is not yet complete, and while much of
the remainder of this specification is expected to apply to RV128, this
version of the document focuses only on RV32 and RV64.
The "U" and "S" bits will be set if there is support for user and
supervisor modes respectively.
The "X" bit will be set if there are any non-standard extensions.
When "B" bit is 1, the implementation supports the instructions provided by the
Zba, Zbb, and Zbs extensions. When "B" bit is 0, it indicates that the
implementation may not support one or more of the Zba, Zbb, or Zbs extensions.
[NOTE]
====
The `misa` CSR exposes a rudimentary catalog of CPU features to
machine-mode code. More extensive information can be obtained in machine
mode by probing other machine registers, and examining other ROM storage
in the system as part of the boot process.
We require that lower privilege levels execute environment calls instead
of reading CPU registers to determine features available at each
privilege level. This enables virtualization layers to alter the ISA
observed at any level, and supports a much richer command interface
without burdening hardware designs.
====
The "E" bit is read-only. Unless `misa` is all read-only zero, the
"E" bit always reads as the complement of the "I" bit. If an
execution environment supports both RV32E and RV32I, software can select
RV32E by clearing the "I" bit.
If an ISA feature _x_ depends on an ISA feature _y_, then attempting to
enable feature _x_ but disable feature _y_ results in both features
being disabled. For example, setting "F"=0 and "D"=1 results in both
"F" and "D" being cleared.
An implementation may impose additional constraints on the collective
setting of two or more `misa` fields, in which case they function
collectively as a single *WARL* field. An attempt to write an unsupported combination causes those bits to be set to some supported combination.
Writing `misa` may increase IALIGN, e.g., by disabling the "C"
extension. If an instruction that would write `misa` increases IALIGN,
and the subsequent instruction's address is not IALIGN-bit aligned, the
write to `misa` is suppressed, leaving `misa` unchanged.
When software enables an extension that was previously disabled, then
all state uniquely associated with that extension is UNSPECIFIED, unless otherwise specified by that extension.
NOTE: Although one of the bits 25--0 in `misa` being set to 1 implies that
the corresponding feature is implemented, the inverse is not necessarily
true: one of these bits being clear does not necessarily imply that the
corresponding feature is not implemented. This follows from the fact that,
when a feature is not implemented, the corresponding opcodes and CSRs become
reserved, not necessarily illegal.
==== Machine Vendor ID Register `mvendorid`
The `mvendorid` CSR is a 32-bit read-only register providing the JEDEC
manufacturer ID of the provider of the core. This register must be
readable in any implementation, but a value of 0 can be returned to
indicate the field is not implemented or that this is a non-commercial
implementation.
//.Vendor ID register (`mvendorid`)
//image::png/mvendorid.png[align="center"]
.Vendor ID register (`mvendorid`)
include::images/bytefield/mvendorid.adoc[]
JEDEC manufacturer IDs are ordinarily encoded as a sequence of one-byte
continuation codes `0x7f`, terminated by a one-byte ID not equal to
`0x7f`, with an odd parity bit in the most-significant bit of each byte.
`mvendorid` encodes the number of one-byte continuation codes in the
Bank field, and encodes the final byte in the Offset field, discarding
the parity bit. For example, the JEDEC manufacturer ID
`0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x8a`
(twelve continuation codes followed by `0x8a`) would be encoded in the
`mvendorid` CSR as `0x60a`.
[NOTE]
====
In JEDEC's parlance, the bank number is one greater than the number of
continuation codes; hence, the `mvendorid` Bank field encodes a value
that is one less than the JEDEC bank number.
***
Previously the vendor ID was to be a number allocated by RISC-V
International, but this duplicates the work of JEDEC in maintaining a
manufacturer ID standard. At time of writing, registering a manufacturer
ID with JEDEC has a one-time cost of $500.
====
==== Machine Architecture ID Register `marchid`
The `marchid` CSR is an MXLEN-bit read-only register encoding the base
microarchitecture of the hart. This register must be readable in any
implementation, but a value of 0 can be returned to indicate the field
is not implemented. The combination of `mvendorid` and `marchid` should
uniquely identify the type of hart microarchitecture that is
implemented.
.Machine Architecture ID register (`marchid`)
include::images/bytefield/marchid.adoc[]
Open-source project architecture IDs are allocated globally by RISC-V
International, and have non-zero architecture IDs with a zero
most-significant-bit (MSB). Commercial architecture IDs are allocated by
each commercial vendor independently, but must have the MSB set and
cannot contain zero in the remaining MXLEN-1 bits.
[NOTE]
====
The intent is for the architecture ID to represent the microarchitecture
associated with the repo around which development occurs rather than a
particular organization. Commercial fabrications of open-source designs
should (and might be required by the license to) retain the original
architecture ID. This will aid in reducing fragmentation and tool
support costs, as well as provide attribution. Open-source architecture
IDs are administered by RISC-V International and should only be
allocated to released, functioning open-source projects. Commercial
architecture IDs can be managed independently by any registered vendor
but are required to have IDs disjoint from the open-source architecture
IDs (MSB set) to prevent collisions if a vendor wishes to use both
closed-source and open-source microarchitectures.
The convention adopted within the following Implementation field can be
used to segregate branches of the same architecture design, including by
organization. The `misa` register also helps distinguish different
variants of a design.
====
==== Machine Implementation ID Register `mimpid`
The `mimpid` CSR provides a unique encoding of the version of the
processor implementation. This register must be readable in any
implementation, but a value of 0 can be returned to indicate that the
field is not implemented. The Implementation value should reflect the
design of the RISC-V processor itself and not any surrounding system.
.Machine Implementation ID register (`mimpid`)
include::images/bytefield/mimpid.adoc[]
[NOTE]
====
The format of this field is left to the provider of the architecture
source code, but will often be printed by standard tools as a
hexadecimal string without any leading or trailing zeros, so the
Implementation value can be left-justified (i.e., filled in from
most-significant nibble down) with subfields aligned on nibble
boundaries to ease human readability.
====
==== Hart ID Register `mhartid`
The `mhartid` CSR is an MXLEN-bit read-only register containing the
integer ID of the hardware thread running the code. This register must
be readable in any implementation. Hart IDs might not necessarily be
numbered contiguously in a multiprocessor system, but at least one hart
must have a hart ID of zero. Hart IDs must be unique within the
execution environment.
.Hart ID register (`mhartid`)
include::images/bytefield/mhartid.adoc[]
[NOTE]
====
In certain cases, we must ensure exactly one hart runs some code (e.g.,
at reset), and so require one hart to have a known hart ID of zero.
For efficiency, system implementers should aim to reduce the magnitude
of the largest hart ID used in a system.
====
==== Machine Status Registers (`mstatus` and `mstatush`)
The `mstatus` register is an MXLEN-bit read/write register formatted as
shown in <<mstatusreg-rv32>> for RV32 and
<<mstatusreg>> for RV64. The `mstatus` register
keeps track of and controls the hart’s current operating state. A
restricted view of `mstatus` appears as the `sstatus` register in the
S-level ISA.
[[mstatusreg-rv32]]
.Machine-mode status register (`mstatus`) for RV32
include::images/bytefield/mstatusreg-rv32.adoc[]
include::images/bytefield/mstatusreg.adoc[]
[[mstatusreg]]
.Machine-mode status register (`mstatus`) for RV64
include::images/bytefield/mstatusreg2.adoc[]
For RV32 only, `mstatush` is a 32-bit read/write register formatted as
shown in <<mstatushreg>>. Bits 30:4 of `mstatush` generally contain the same fields found in bits 62:36 of `mstatus` for RV64. Fields SD, SXL, and UXL do not exist in `mstatush`.
[[mstatushreg]]
.Additional machine-mode status register (`mstatush`) for RV32.
include::images/bytefield/mstatushreg.adoc[]
[[privstack]]
===== Privilege and Global Interrupt-Enable Stack in `mstatus` register
Global interrupt-enable bits, MIE and SIE, are provided for M-mode and
S-mode respectively. These bits are primarily used to guarantee
atomicity with respect to interrupt handlers in the current privilege
mode.
[NOTE]
====
The global __x__IE bits are located in the low-order bits of `mstatus`,
allowing them to be atomically set or cleared with a single CSR
instruction.
====
When a hart is executing in privilege mode _x_, interrupts are globally
enabled when __x__IE=1 and globally disabled when __x__IE=0. Interrupts for
lower-privilege modes, __w__<__x__, are always globally
disabled regardless of the setting of any global __w__IE bit for the
lower-privilege mode. Interrupts for higher-privilege modes,
__y__>__x__, are always globally enabled regardless of the
setting of the global __y__IE bit for the higher-privilege mode.
Higher-privilege-level code can use separate per-interrupt enable bits
to disable selected higher-privilege-mode interrupts before ceding
control to a lower-privilege mode.
[NOTE]
====
A higher-privilege mode _y_ could disable all of its interrupts before
ceding control to a lower-privilege mode but this would be unusual as it
would leave only a synchronous trap, non-maskable interrupt, or reset as
means to regain control of the hart.
====
To support nested traps, each privilege mode _x_ that can respond to
interrupts has a two-level stack of interrupt-enable bits and privilege
modes. __x__PIE holds the value of the interrupt-enable bit active prior
to the trap, and __x__PP holds the previous privilege mode. The __x__PP
fields can only hold privilege modes up to _x_, so MPP is two bits wide
and SPP is one bit wide. When a trap is taken from privilege mode _y_
into privilege mode _x_, __x__PIE is set to the value of __x__IE; __x__IE is
set to 0; and __x__PP is set to _y_.
[NOTE]
====
For lower privilege modes, any trap (synchronous or asynchronous) is
usually taken at a higher privilege mode with interrupts disabled upon
entry. The higher-level trap handler will either service the trap and
return using the stacked information, or, if not returning immediately
to the interrupted context, will save the privilege stack before
re-enabling interrupts, so only one entry per stack is required.
====
An MRET or SRET instruction is used to return from a trap in M-mode or
S-mode respectively. When executing an __x__RET instruction, supposing
__x__PP holds the value _y_, __x__IE is set to __x__PIE; the privilege mode is
changed to _y_; __x__PIE is set to 1; and __x__PP is set to the
least-privileged supported mode (U if U-mode is implemented, else M). If
__y__≠M, __x__RET also sets MPRV=0.
[NOTE]
====
Setting __x__PP to the least-privileged supported mode on an __x__RET helps identify software bugs in the management of the two-level privilege-mode stack.
====
[NOTE]
====
Trap handlers must be designed to neither enable interrupts nor cause exceptions
during the phase of handling where the trap handler preserves the critical state
information required to handle and resume from the trap. An exception or
interrupt in this critical phase of trap handling may lead to a trap that can
overwrite such critical state. This could result in the loss of data needed to
recover from the initial trap. Further, if an exception occurs in the code path
needed to handle traps, then such a situation may lead to an infinite loop of
traps. To prevent this, trap handlers must be meticulously designed to identify
and safely manage exceptions within their operational flow.
====
__x__PP fields are *WARL* fields that can hold only privilege mode _x_ and any implemented privilege mode lower than _x_. If privilege mode _x_ is not implemented, then __x__PP must be read-only 0.
[NOTE]
====
M-mode software can determine whether a privilege mode is implemented by
writing that mode to MPP then reading it back.
If the machine provides only U and M modes, then only a single hardware
storage bit is required to represent either 00 or 11 in MPP.
====
[[xlen-control]]
===== Base ISA Control in `mstatus` Register
For RV64 harts, the SXL and UXL fields are *WARL* fields that control the
value of XLEN for S-mode and U-mode, respectively. The encoding of these
fields is the same as the MXL field of `misa`, shown in
<<misabase>>. The effective XLEN in S-mode and
U-mode are termed _SXLEN_ and _UXLEN_, respectively.
When MXLEN=32, the SXL and UXL fields do not exist, and SXLEN=32 and
UXLEN=32.
When MXLEN=64, if S-mode is not supported, then SXL is read-only
zero. Otherwise, it is a *WARL* field that encodes the current value of SXLEN.
In particular, an implementation may make SXL be a read-only field whose
value always ensures that SXLEN=MXLEN.
When MXLEN=64, if U-mode is not supported, then UXL is read-only
zero. Otherwise, it is a *WARL* field that encodes the current value of UXLEN.
In particular, an implementation may make UXL be a read-only field whose
value always ensures that UXLEN=MXLEN or UXLEN=SXLEN.
If S-mode is implemented, the set of legal values that the UXL field may
assume excludes those that would cause UXLEN to be greater than SXLEN.
Whenever XLEN in any mode is set to a value less than the widest
supported XLEN, all operations must ignore source operand register bits
above the configured XLEN, and must sign-extend results to fill the
entire widest supported XLEN in the destination register. Similarly,
`pc` bits above XLEN are ignored, and when the `pc` is written, it is
sign-extended to fill the widest supported XLEN.
[NOTE]
====
We require that operations always fill the entire underlying hardware
registers with defined values to avoid implementation-defined behavior.
To reduce hardware complexity, the architecture imposes no checks that
lower-privilege modes have XLEN settings less than or equal to the
next-higher privilege mode. In practice, such settings would almost
always be a software bug, but machine operation is well-defined even in
this case.
====
===== Memory Privilege in `mstatus` Register
The MPRV (Modify PRiVilege) bit modifies the _effective privilege mode_,
i.e., the privilege level at which loads and stores execute. When
MPRV=0, loads and stores behave as normal, using the translation and
protection mechanisms of the current privilege mode. When MPRV=1, load
and store memory addresses are translated and protected, and endianness
is applied, as though the current privilege mode were set to MPP.
Instruction address-translation and protection are unaffected by the
setting of MPRV. MPRV is read-only 0 if U-mode is not supported.
An MRET or SRET instruction that changes the privilege mode to a mode
less privileged than M also sets MPRV=0.
The MXR (Make eXecutable Readable) bit modifies the privilege with which
loads access virtual memory. When MXR=0, only loads from pages marked
readable (R=1 in <<sv32pte>>) will succeed. When
MXR=1, loads from pages marked either readable or executable (R=1 or
X=1) will succeed. MXR has no effect when page-based virtual memory is
not in effect. MXR is read-only 0 if S-mode is not supported.
[NOTE]
====
The MPRV and MXR mechanisms were conceived to improve the efficiency of
M-mode routines that emulate missing hardware features, e.g., misaligned
loads and stores. MPRV obviates the need to perform address translation
in software. MXR allows instruction words to be loaded from pages marked
execute-only.
The current privilege mode and the privilege mode specified by MPP might
have different XLEN settings. When MPRV=1, load and store memory
addresses are treated as though the current XLEN were set to MPP’s XLEN,
following the rules in <<xlen-control>>.
====
The SUM (permit Supervisor User Memory access) bit modifies the
privilege with which S-mode loads and stores access virtual memory. When
SUM=0, S-mode memory accesses to pages that are accessible by U-mode
(U=1 in <<sv32pte>>) will fault. When SUM=1, these
accesses are permitted. SUM has no effect when page-based virtual memory
is not in effect. Note that, while SUM is ordinarily ignored when not
executing in S-mode, it _is_ in effect when MPRV=1 and MPP=S. SUM is
read-only 0 if S-mode is not supported or if `satp`.MODE is read-only 0.
The MXR and SUM mechanisms only affect the interpretation of permissions
encoded in page-table entries. In particular, they have no impact on
whether access-fault exceptions are raised due to PMAs or PMP.
===== Endianness Control in `mstatus` and `mstatush` Registers
The MBE, SBE, and UBE bits in `mstatus` and `mstatush` are *WARL* fields that
control the endianness of memory accesses other than instruction
fetches. Instruction fetches are always little-endian.
MBE controls whether non-instruction-fetch memory accesses made from
M-mode (assuming `mstatus`.MPRV=0) are little-endian (MBE=0) or
big-endian (MBE=1).
If S-mode is not supported, SBE is read-only 0. Otherwise, SBE controls
whether explicit load and store memory accesses made from S-mode are
little-endian (SBE=0) or big-endian (SBE=1).
If U-mode is not supported, UBE is read-only 0. Otherwise, UBE controls
whether explicit load and store memory accesses made from U-mode are
little-endian (UBE=0) or big-endian (UBE=1).
For _implicit_ accesses to supervisor-level memory management data
structures, such as page tables, endianness is always controlled by SBE.
Since changing SBE alters the implementation’s interpretation of these
data structures, if any such data structures remain in use across a
change to SBE, M-mode software must follow such a change to SBE by
executing an SFENCE.VMA instruction with _rs1_=`x0` and _rs2_=`x0`.
[NOTE]
====
Only in contrived scenarios will a given memory-management data
structure be interpreted as both little-endian and big-endian. In
practice, SBE will only be changed at runtime on world switches, in
which case neither the old nor new memory-management data structure will
be reinterpreted in a different endianness. In this case, no additional
SFENCE.VMA is necessary, beyond what would ordinarily be required for a
world switch.
====
If S-mode is supported, an implementation may make SBE be a read-only
copy of MBE. If U-mode is supported, an implementation may make UBE be a
read-only copy of either MBE or SBE.
[NOTE]
====
An implementation supports only little-endian memory accesses if fields
MBE, SBE, and UBE are all read-only 0. An implementation supports only
big-endian memory accesses (aside from instruction fetches) if MBE is
read-only 1 and SBE and UBE are each read-only 1 when S-mode and U-mode
are supported.
'''
Volume I defines a hart’s address space as a circular sequence of
2^XLEN^ bytes at consecutive addresses. The
correspondence between addresses and byte locations is fixed and not
affected by any endianness mode. Rather, the applicable endianness mode
determines the order of mapping between memory bytes and a multibyte
quantity (halfword, word, etc.).
---
Standard RISC-V ABIs are expected to be purely little-endian-only or
big-endian-only, with no accommodation for mixing endianness.
Nevertheless, endianness control has been defined so as to permit, for
instance, an OS of one endianness to execute user-mode programs of the
opposite endianness. Consideration has been given also to the
possibility of non-standard usages whereby software flips the endianness
of memory accesses as needed.
***
RISC-V instructions are uniformly little-endian to decouple instruction
encoding from the current endianness settings, for the benefit of both
hardware and software. Otherwise, for instance, a RISC-V assembler or
disassembler would always need to know the intended active endianness,
despite that the endianness mode might change dynamically during
execution. In contrast, by giving instructions a fixed endianness, it is
sometimes possible for carefully written software to be
endianness-agnostic even in binary form, much like position-independent
code.
The choice to have instructions be only little-endian does have
consequences, however, for RISC-V software that encodes or decodes
machine instructions. In big-endian mode, such software must account for
the fact that explicit loads and stores have endianness opposite that of
instructions, for example by swapping byte order after loads and before
stores.
====
[[virt-control]]
===== Virtualization Support in `mstatus` Register
The TVM (Trap Virtual Memory) bit is a *WARL* field that supports intercepting
supervisor virtual-memory management operations. When TVM=1, attempts to
read or write the `satp` CSR or execute an SFENCE.VMA or SINVAL.VMA
instruction while executing in S-mode will raise an illegal-instruction
exception. When TVM=0, these operations are permitted in S-mode. TVM is
read-only 0 when S-mode is not supported.
[NOTE]
====
The TVM mechanism improves virtualization efficiency by permitting guest
operating systems to execute in S-mode, rather than classically
virtualizing them in U-mode. This approach obviates the need to trap
accesses to most S-mode CSRs.
Trapping `satp` accesses and the SFENCE.VMA and SINVAL.VMA instructions
provides the hooks necessary to lazily populate shadow page tables.
====
The TW (Timeout Wait) bit is a *WARL* field that supports intercepting the WFI
instruction (see <<wfi>>). When TW=0, the WFI
instruction may execute in lower privilege modes when not prevented for
some other reason. When TW=1, then if WFI is executed in any
less-privileged mode, and it does not complete within an
implementation-specific, bounded time limit, the WFI instruction causes
an illegal-instruction exception. An implementation may have WFI always
raise an illegal-instruction exception in less-privileged modes when
TW=1, even if there are pending globally-disabled interrupts when the
instruction is executed. TW is read-only 0 when there are no modes less
privileged than M.
[NOTE]
====
Trapping the WFI instruction can trigger a world switch to another guest
OS, rather than wastefully idling in the current guest.
====
When S-mode is implemented, then executing WFI in U-mode causes an
illegal-instruction exception, unless it completes within an
implementation-specific, bounded time limit. A future revision of this
specification might add a feature that allows S-mode to selectively
permit WFI in U-mode. Such a feature would only be active when TW=0.
The TSR (Trap SRET) bit is a *WARL* field that supports intercepting the
supervisor exception return instruction, SRET. When TSR=1, attempts to
execute SRET while executing in S-mode will raise an illegal-instruction
exception. When TSR=0, this operation is permitted in S-mode. TSR is
read-only 0 when S-mode is not supported.
[NOTE]
====
Trapping SRET is necessary to emulate the hypervisor extension (see
<<hypervisor>>) on implementations that do not
provide it.
====
===== Extension Context Status in `mstatus` Register
Supporting substantial extensions is one of the primary goals of RISC-V,
and hence we define a standard interface to allow unchanged
privileged-mode code, particularly a supervisor-level OS, to support
arbitrary user-mode state extensions.
[NOTE]
====
To date, the V extension is the only standard extension that defines
additional state beyond the floating-point CSR and data registers.
====
The FS[1:0] and VS[1:0] *WARL* fields and the XS[1:0] read-only field are used
to reduce the cost of context save and restore by setting and tracking
the current state of the floating-point unit and any other user-mode
extensions respectively. The FS field encodes the status of the
floating-point unit state, including the floating-point registers
`f0`–`f31` and the CSRs `fcsr`, `frm`, and `fflags`. The VS field
encodes the status of the vector extension state, including the vector
registers `v0`–`v31` and the CSRs `vcsr`, `vxrm`, `vxsat`, `vstart`,
`vl`, `vtype`, and `vlenb`. The XS field encodes the status of
additional user-mode extensions and associated state. These fields can
be checked by a context switch routine to quickly determine whether a
state save or restore is required. If a save or restore is required,
additional instructions and CSRs are typically required to effect and
optimize the process.
[NOTE]
====
The design anticipates that most context switches will not need to
save/restore state in either or both of the floating-point unit or other
extensions, so provides a fast check via the SD bit.
====
The FS, VS, and XS fields use the same status encoding as shown in
<<fsxsencoding>>, with the four possible status
values being Off, Initial, Clean, and Dirty.
[[fsxsencoding]]
.Encoding of FS[1:0], VS[1:0], and XS[1:0] status fields
[%autowidth,float="center",align="center",cols=">,<,<",options="header",]
|===
|Status |FS and VS Meaning |XS Meaning
|0 +
1 +
2 +
3
|Off +
Initial +
Clean +
Dirty
|All off +
None dirty or clean, some on +
None dirty, some clean +
Some dirty
|===
If the F extension is implemented, the FS field shall not be read-only
zero.
If neither the F extension nor S-mode is implemented, then FS is
read-only zero. If S-mode is implemented but the F extension is not, FS
may optionally be read-only zero.
[NOTE]
====
Implementations with S-mode but without the F extension are permitted,
but not required, to make the FS field be read-only zero. Some such
implementations will choose _not_ to have the FS field be read-only
zero, so as to enable emulation of the F extension for both S-mode and
U-mode via invisible traps into M-mode.
====
If the `v` registers are implemented, the VS field shall not be
read-only zero.
If neither the `v` registers nor S-mode is implemented, then VS is
read-only zero. If S-mode is implemented but the `v` registers are not,
VS may optionally be read-only zero.
In harts without additional user extensions requiring new state, the
XS field is read-only zero. Every additional extension with state
provides a CSR field that encodes the equivalent of the XS states. The
XS field represents a summary of all extensions' status as shown in
<<fsxsencoding>>.
[NOTE]
====
The XS field effectively reports the maximum status value across all
user-extension status fields, though individual extensions can use a
different encoding than XS.
====
The SD bit is a read-only bit that summarizes whether either the FS, VS,
or XS fields signal the presence of some dirty state that will require
saving extended user context to memory. If FS, XS, and VS are all
read-only zero, then SD is also always zero.
When an extension's status is set to Off, any instruction that attempts
to read or write the corresponding state will cause an
illegal-instruction exception. When the status is Initial, the corresponding
state should have an initial constant value. When the status is Clean,
the corresponding state is potentially different from the initial value,
but matches the last value stored on a context swap. When the status is
Dirty, the corresponding state has potentially been modified since the
last context save.
During a context save, the responsible privileged code need only write
out the corresponding state if its status is Dirty, and can then reset
the extension's status to Clean. During a context restore, the context
need only be loaded from memory if the status is Clean (it should never
be Dirty at restore). If the status is Initial, the context must be set
to an initial constant value on context restore to avoid a security
hole, but this can be done without accessing memory. For example, the
floating-point registers can all be initialized to the immediate value
0.
The FS and XS fields are read by the privileged code before saving the
context. The FS field is set directly by privileged code when resuming a
user context, while the XS field is set indirectly by writing to the
status register of the individual extensions. The status fields will
also be updated during execution of instructions, regardless of
privilege mode.
Extensions to the user-mode ISA often include additional user-mode
state, and this state can be considerably larger than the base integer
registers. The extensions might only be used for some applications, or
might only be needed for short phases within a single application. To
improve performance, the user-mode extension can define additional
instructions to allow user-mode software to return the unit to an
initial state or even to turn off the unit.
For example, a coprocessor might require to be configured before use and
can be "unconfigured" after use. The unconfigured state would be
represented as the Initial state for context save. If the same
application remains running between the unconfigure and the next
configure (which would set status to Dirty), there is no need to
actually reinitialize the state at the unconfigure instruction, as all
state is local to the user process, i.e., the Initial state may only
cause the coprocessor state to be initialized to a constant value at
context restore, not at every unconfigure.
Executing a user-mode instruction to disable a unit and place it into
the Off state will cause an illegal-instruction exception to be raised
if any subsequent instruction tries to use the unit before it is turned
back on. A user-mode instruction to turn a unit on must also ensure the
unit's state is properly initialized, as the unit might have been used
by another context meantime.
Changing the setting of FS has no effect on the contents of the
floating-point register state. In particular, setting FS=Off does not
destroy the state, nor does setting FS=Initial clear the contents.
Similarly, the setting of VS has no effect on the contents of the vector
register state. Other extensions, however, might not preserve state when
set to Off.
Implementations may choose to track the dirtiness of the floating-point
register state imprecisely by reporting the state to be dirty even when
it has not been modified. On some implementations, some instructions
that do not mutate the floating-point state may cause the state to
transition from Initial or Clean to Dirty. On other implementations,
dirtiness might not be tracked at all, in which case the valid FS states
are Off and Dirty, and an attempt to set FS to Initial or Clean causes
it to be set to Dirty.
[NOTE]
====
This definition of FS does not disallow setting FS to Dirty as a result
of errant speculation. Some platforms may choose to disallow
speculatively writing FS to close a potential side channel.
====
If an instruction explicitly or implicitly writes a floating-point
register or the `fcsr` but does not alter its contents, and FS=Initial
or FS=Clean, it is implementation-defined whether FS transitions to
Dirty.
Implementations may choose to track the dirtiness of the vector register
state in an analogous imprecise fashion, including possibly setting VS
to Dirty when software attempts to set VS=Initial or VS=Clean. When
VS=Initial or VS=Clean, it is implementation-defined whether an
instruction that writes a vector register or vector CSR but does not
alter its contents causes VS to transition to Dirty.
<<fsxsstates>> shows all the possible state
transitions for the FS, VS, or XS status bits. Note that the standard
floating-point and vector extensions do not support user-mode
unconfigure or disable/enable instructions.
<<<
[width=75,align=center,float=center,cols="<,<,<,<,<"]
|===
|Current State +
Action |Off |Initial |Clean |Dirty
|===
[width=75,align=center,float=center,cols="<,<,<,<,<"]
|===
5+^|At context save in privileged code
|Save state? +
Next state
|No +
Off
|No +
Initial
|No +
Clean
|Yes +
Clean
|===
[width=75,align=center,float=center,cols="<,<,<,<,<"]
|===
5+^|At context restore in privileged code
|Restore state? +
Next state
|No +
Off
|Yes, to initial +
Initial
|Yes, from memory +
Clean
|N/A +
N/A
|===
[width=75,align=center,float=center,cols="<,<,<,<,<"]
|===
5+^|Execute instruction to read state
|Action? +
Next state
|Exception +
Off
|Execute +
Initial
|Execute +
Clean
|Execute +
Dirty
|===
[width=75,align=center,float=center,cols="<,<,<,<,<"]
|===
5+^|Execute instruction that possibly modifies state, including
configuration
|Action? +
Next state
|Exception +
Off
|Execute +
Dirty
|Execute +
Dirty
|Execute +
Dirty
|===
[width=75,align=center,float=center,cols="<,<,<,<,<"]
|===
5+^|Execute instruction to unconfigure unit
|Action? +
Next state
|Exception +
Off
|Execute +
Initial
|Execute +
Initial
|Execute +
Initial
|===
[width=75,align=center,float=center,cols="<,<,<,<,<"]
|===
5+^|Execute instruction to disable unit
|Action? +
Next state
|Execute +
Off
|Execute +
Off
|Execute +
Off
|Execute +
Off
|===
[[fsxsstates]]
[width=75,align=center,float=center,cols="<,<,<,<,<"]
.FS, FS, and XS state transitions.
|===
5+^|Execute instruction to enable unit
|Action? +
Next state
|Execute +
Initial
|Execute +
Initial
|Execute +
Initial
|Execute +
Initial
|===
Standard privileged instructions to initialize, save, and restore
extension state are provided to insulate privileged code from details of
the added extension state by treating the state as an opaque object.
[NOTE]
====
Many coprocessor extensions are only used in limited contexts that
allows software to safely unconfigure or even disable units when done.
This reduces the context-switch overhead of large stateful coprocessors.
We separate out floating-point state from other extension state, as when
a floating-point unit is present the floating-point registers are part
of the standard calling convention, and so user-mode software cannot
know when it is safe to disable the floating-point unit.
====
The XS field provides a summary of all added extension state, but
additional microarchitectural bits might be maintained in the extension
to further reduce context save and restore overhead.
The SD bit is read-only and is set when either the FS, VS, or XS bits
encode a Dirty state (i.e., SD=((FS==11) OR (XS==11) OR (VS==11))). This
allows privileged code to quickly determine when no additional context
save is required beyond the integer register set and `pc`.
The floating-point unit state is always initialized, saved, and restored
using standard instructions (F, D, and/or Q), and privileged code must
be aware of FLEN to determine the appropriate space to reserve for each
`f` register.
Machine and Supervisor modes share a single copy of the FS, VS, and XS
bits. Supervisor-level software normally uses the FS, VS, and XS bits
directly to record the status with respect to the supervisor-level saved
context. Machine-level software must be more conservative in saving and
restoring the extension state in their corresponding version of the
context.
[NOTE]
====
In any reasonable use case, the number of context switches between user
and supervisor level should far outweigh the number of context switches
to other privilege levels. Note that coprocessors should not require
their context to be saved and restored to service asynchronous
interrupts, unless the interrupt results in a user-level context swap.
====
==== Machine Trap-Vector Base-Address Register (`mtvec`)
The `mtvec` register is an MXLEN-bit *WARL* read/write register that holds
trap vector configuration, consisting of a vector base address (BASE)
and a vector mode (MODE).
.Encoding of mtvec MODE field.
include::images/bytefield/mtvec.adoc[]
The `mtvec` register must always be implemented, but can contain a
read-only value. If `mtvec` is writable, the set of values the register
may hold can vary by implementation. The value in the BASE field must
always be aligned on a 4-byte boundary, and the MODE setting may impose
additional alignment constraints on the value in the BASE field.
[NOTE]
====
We allow for considerable flexibility in implementation of the trap
vector base address. On the one hand, we do not wish to burden low-end
implementations with a large number of state bits, but on the other
hand, we wish to allow flexibility for larger systems.
====
[[mtvec-mode]]
.Encoding of mtvec MODE field.
[%autowidth,float="center",align="center",cols=">,^,<",options="header"]
|===
|Value |Name |Description
|0 +
1 +
≥2
|Direct +
Vectored +
---
|All traps set `pc` to BASE. +
Asynchronous interrupts set `pc` to BASE+4×cause. +
_Reserved_
|===
The encoding of the MODE field is shown in
<<mtvec-mode>>. When MODE=Direct, all traps into
machine mode cause the `pc` to be set to the address in the BASE field.
When MODE=Vectored, all synchronous exceptions into machine mode cause
the `pc` to be set to the address in the BASE field, whereas interrupts
cause the `pc` to be set to the address in the BASE field plus four
times the interrupt cause number. For example, a machine-mode timer
interrupt (see <<mcauses>>) causes the `pc`
to be set to BASE+`0x1c`.
An implementation may have different alignment constraints for different
modes. In particular, MODE=Vectored may have stricter alignment
constraints than MODE=Direct.
[NOTE]
====
Allowing coarser alignments in Vectored mode enables vectoring to be
implemented without a hardware adder circuit.
***
Reset and NMI vector locations are given in a platform specification.
====
==== Machine Trap Delegation Registers (`medeleg` and `mideleg`)
By default, all traps at any privilege level are handled in machine
mode, though a machine-mode handler can redirect traps back to the
appropriate level with the MRET instruction
(<<otherpriv>>). To increase performance,
implementations can provide individual read/write bits within `medeleg`
and `mideleg` to indicate that certain exceptions and interrupts should
be processed directly by a lower privilege level. The machine exception
delegation register (`medeleg`) is a 64-bit read/write register.
The machine interrupt delegation register (`mideleg`) is an MXLEN-bit
read/write register.
In harts with S-mode, the `medeleg` and `mideleg` registers must
exist, and setting a bit in `medeleg` or `mideleg` will delegate the
corresponding trap, when occurring in S-mode or U-mode, to the S-mode
trap handler. In harts without S-mode, the `medeleg` and `mideleg`
registers should not exist.
[NOTE]
====
In versions 1.9.1 and earlier , these registers existed but were
hardwired to zero in M-mode only, or M/U without N harts. There is no
reason to require they return zero in those cases, as the `misa`
register indicates whether they exist.
====
When a trap is delegated to S-mode, the `scause` register is written
with the trap cause; the `sepc` register is written with the virtual
address of the instruction that took the trap; the `stval` register is
written with an exception-specific datum; the SPP field of `mstatus` is
written with the active privilege mode at the time of the trap; the SPIE
field of `mstatus` is written with the value of the SIE field at the
time of the trap; and the SIE field of `mstatus` is cleared. The
`mcause`, `mepc`, and `mtval` registers and the MPP and MPIE fields of
`mstatus` are not written.
An implementation can choose to subset the delegatable traps, with the
supported delegatable bits found by writing one to every bit location,
then reading back the value in `medeleg` or `mideleg` to see which bit
positions hold a one.
An implementation shall not have any bits of `medeleg` be read-only one,
i.e., any synchronous trap that can be delegated must support not being
delegated. Similarly, an implementation shall not fix as read-only one
any bits of `mideleg` corresponding to machine-level interrupts (but may
do so for lower-level interrupts).
[NOTE]
====
Version 1.11 and earlier prohibited having any bits of `mideleg` be
read-only one. Platform standards may always add such restrictions.
====
Traps never transition from a more-privileged mode to a less-privileged
mode. For example, if M-mode has delegated illegal-instruction
exceptions to S-mode, and M-mode software later executes an illegal
instruction, the trap is taken in M-mode, rather than being delegated to
S-mode. By contrast, traps may be taken horizontally. Using the same
example, if M-mode has delegated illegal-instruction exceptions to
S-mode, and S-mode software later executes an illegal instruction, the
trap is taken in S-mode.
Delegated interrupts result in the interrupt being masked at the
delegator privilege level. For example, if the supervisor timer
interrupt (STI) is delegated to S-mode by setting `mideleg`[5], STIs
will not be taken when executing in M-mode. By contrast, if `mideleg`[5]
is clear, STIs can be taken in any mode and regardless of current mode
will transfer control to M-mode.
.Machine Exception Delegation Register `medeleg`.
include::images/bytefield/medeleg.adoc[]
`medeleg` has a bit position allocated for every synchronous exception
shown in <<mcauses>>, with the index of the
bit position equal to the value returned in the `mcause` register (i.e.,
setting bit 8 allows user-mode environment calls to be delegated to a
lower-privilege trap handler).
When XLEN=32, `medelegh` is a 32-bit read/write register
that aliases bits 63:32 of `medeleg`.
Register `medelegh` does not exist when XLEN=64.
.Machine Interrupt Delegation Register `mideleg`.
include::images/bytefield/mideleg.adoc[]
`mideleg` holds trap delegation bits for individual interrupts, with the
layout of bits matching those in the `mip` register (i.e., STIP
interrupt delegation control is located in bit 5).
For exceptions that cannot occur in less privileged modes, the
corresponding `medeleg` bits should be read-only zero. In particular,
`medeleg`[11] is read-only zero.
==== Machine Interrupt Registers (`mip` and `mie`)
The `mip` register is an MXLEN-bit read/write register containing
information on pending interrupts, while `mie` is the corresponding
MXLEN-bit read/write register containing interrupt enable bits.
Interrupt cause number _i_ (as reported in CSR `mcause`,
<<mcause>>) corresponds with bit _i_ in both `mip` and
`mie`. Bits 15:0 are allocated to standard interrupt causes only, while
bits 16 and above are designated for platform use.
NOTE: Interrupts designated for platform use may be designated for custom use
at the platform's discretion.
.Machine Interrupt-Pending Register (mip).
include::images/bytefield/mideleg.adoc[]
.Machine Interrupt-Enable Register (mie)
include::images/bytefield/mideleg.adoc[]
An interrupt _i_ will trap to M-mode (causing the privilege mode to
change to M-mode) if all of the following are true: (a) either the
current privilege mode is M and the MIE bit in the `mstatus` register is
set, or the current privilege mode has less privilege than M-mode;
(b) bit _i_ is set in both `mip` and `mie`; and (c) if register
`mideleg` exists, bit _i_ is not set in `mideleg`.
These conditions for an interrupt trap to occur must be evaluated in a
bounded amount of time from when an interrupt becomes, or ceases to be,
pending in `mip`, and must also be evaluated immediately following the
execution of an __x__RET instruction or an explicit write to a CSR on
which these interrupt trap conditions expressly depend (including `mip`,
`mie`, `mstatus`, and `mideleg`).
Interrupts to M-mode take priority over any interrupts to lower
privilege modes.
Each individual bit in register `mip` may be writable or may be
read-only. When bit _i_ in `mip` is writable, a pending interrupt _i_
can be cleared by writing 0 to this bit. If interrupt _i_ can become
pending but bit _i_ in `mip` is read-only, the implementation must
provide some other mechanism for clearing the pending interrupt.
A bit in `mie` must be writable if the corresponding interrupt can ever
become pending. Bits of `mie` that are not writable must be read-only
zero.
The standard portions (bits 15:0) of registers `mip` and `mie` are
formatted as shown in <<mipreg-standard>> and <<miereg-standard>> respectively.
[[mipreg-standard]]
.Standard portion (bits 15:0) of `mip`.
include::images/bytefield/mipreg-standard.adoc[]
[[miereg-standard]]
.Standard portion (bits 15:0) of `mie`.
include::images/bytefield/miereg-standard.adoc[]
[NOTE]
====
The machine-level interrupt registers handle a few root interrupt
sources which are assigned a fixed service priority for simplicity,
while separate external interrupt controllers can implement a more
complex prioritization scheme over a much larger set of interrupts that
are then muxed into the machine-level interrupt sources.
'''
The non-maskable interrupt is not made visible via the `mip` register as
its presence is implicitly known when executing the NMI trap handler.
====
Bits `mip`.MEIP and `mie`.MEIE are the interrupt-pending and
interrupt-enable bits for machine-level external interrupts. MEIP is
read-only in `mip`, and is set and cleared by a platform-specific
interrupt controller.
Bits `mip`.MTIP and `mie`.MTIE are the interrupt-pending and
interrupt-enable bits for machine timer interrupts. MTIP is read-only in
`mip`, and is cleared by writing to the memory-mapped machine-mode timer
compare register.
Bits `mip`.MSIP and `mie`.MSIE are the interrupt-pending and
interrupt-enable bits for machine-level software interrupts. MSIP is
read-only in `mip`, and is written by accesses to memory-mapped control
registers, which are used by remote harts to provide machine-level
interprocessor interrupts. A hart can write its own MSIP bit using the
same memory-mapped control register. If a system has only one hart, or
if a platform standard supports the delivery of machine-level
interprocessor interrupts through external interrupts (MEI) instead,
then `mip`.MSIP and `mie`.MSIE may both be read-only zeros.
If supervisor mode is not implemented, bits SEIP, STIP, and SSIP of
`mip` and SEIE, STIE, and SSIE of `mie` are read-only zeros.
If supervisor mode is implemented, bits `mip`.SEIP and `mie`.SEIE are
the interrupt-pending and interrupt-enable bits for supervisor-level
external interrupts. SEIP is writable in `mip`, and may be written by
M-mode software to indicate to S-mode that an external interrupt is
pending. Additionally, the platform-level interrupt controller may
generate supervisor-level external interrupts. Supervisor-level external
interrupts are made pending based on the logical-OR of the
software-writable SEIP bit and the signal from the external interrupt
controller. When `mip` is read with a CSR instruction, the value of the
SEIP bit returned in the `rd` destination register is the logical-OR of
the software-writable bit and the interrupt signal from the interrupt
controller, but the signal from the interrupt controller is not used to
calculate the value written to SEIP. Only the software-writable SEIP bit
participates in the read-modify-write sequence of a CSRRS or CSRRC
instruction.
[NOTE]
====
For example, if we name the software-writable SEIP bit `B` and the
signal from the external interrupt controller `E`, then if
`csrrs t0, mip, t1` is executed, `t0[9]` is written with `B || E`, then
`B` is written with `B || t1[9]`. If `csrrw t0, mip, t1` is executed,
then `t0[9]` is written with `B || E`, and `B` is simply written with
`t1[9]`. In neither case does `B` depend upon `E`.
The SEIP field behavior is designed to allow a higher privilege layer to
mimic external interrupts cleanly, without losing any real external
interrupts. The behavior of the CSR instructions is slightly modified
from regular CSR accesses as a result.
====
If supervisor mode is implemented, bits `mip`.STIP and `mie`.STIE are
the interrupt-pending and interrupt-enable bits for supervisor-level
timer interrupts. STIP is writable in `mip`, and may be written by
M-mode software to deliver timer interrupts to S-mode.
If supervisor mode is implemented, bits `mip`.SSIP and `mie`.SSIE are
the interrupt-pending and interrupt-enable bits for supervisor-level
software interrupts. SSIP is writable in `mip` and may also be set to 1
by a platform-specific interrupt controller.
If the Sscofpmf extension is implemented, bits `mip`.LCOFIP and `mie`.LCOFIE
are the interrupt-pending and interrupt-enable bits for local counter-overflow
interrupts.
LCOFIP is read-write in `mip` and reflects the occurrence of a local
counter-overflow overflow interrupt request resulting from any of the
`mhpmevent__n__`.OF bits being set.
If the Sscofpmf extension is not implemented, `mip`.LCOFIP and `mie`.LCOFIE are
read-only zeros.
Multiple simultaneous interrupts destined for M-mode are handled in the
following decreasing priority order: MEI, MSI, MTI, SEI, SSI, STI, LCOFI.
[NOTE]
====
The machine-level interrupt fixed-priority ordering rules were developed
with the following rationale.
Interrupts for higher privilege modes must be serviced before interrupts
for lower privilege modes to support preemption.
The platform-specific machine-level interrupt sources in bits 16 and
above have platform-specific priority, but are typically chosen to have
the highest service priority to support very fast local vectored
interrupts.
External interrupts are handled before internal (timer/software)
interrupts as external interrupts are usually generated by devices that
might require low interrupt service times.
Software interrupts are handled before internal timer interrupts,
because internal timer interrupts are usually intended for time slicing,
where time precision is less important, whereas software interrupts are
used for inter-processor messaging. Software interrupts can be avoided
when high-precision timing is required, or high-precision timer
interrupts can be routed via a different interrupt path. Software
interrupts are located in the lowest four bits of `mip` as these are
often written by software, and this position allows the use of a single
CSR instruction with a five-bit immediate.
====
Restricted views of the `mip` and `mie` registers appear as the `sip`
and `sie` registers for supervisor level. If an interrupt is delegated
to S-mode by setting a bit in the `mideleg` register, it becomes visible
in the `sip` register and is maskable using the `sie` register.
Otherwise, the corresponding bits in `sip` and `sie` are read-only zero.
==== Hardware Performance Monitor
M-mode includes a basic hardware performance-monitoring facility. The
`mcycle` CSR counts the number of clock cycles executed by the processor
core on which the hart is running. The `minstret` CSR counts the number
of instructions the hart has retired. The `mcycle` and `minstret`
registers have 64-bit precision on all RV32 and RV64 harts.
The counter registers have an arbitrary value after the hart is reset,
and can be written with a given value. Any CSR write takes effect after
the writing instruction has otherwise completed. The `mcycle` CSR may be
shared between harts on the same core, in which case writes to `mcycle`
will be visible to those harts. The platform should provide a mechanism
to indicate which harts share an `mcycle` CSR.
The hardware performance monitor includes 29 additional 64-bit event
counters, `mhpmcounter3`-`mhpmcounter31`. The event selector CSRs,
`mhpmevent3`-`mhpmevent31`, are MXLEN-bit *WARL* registers that control which
event causes the corresponding counter to increment. The meaning of
these events is defined by the platform, but event 0 is defined to mean
"no event." All counters should be implemented, but a legal
implementation is to make both the counter and its corresponding event
selector be read-only 0.
.Hardware performance monitor counters.
include::images/bytefield/hpmevents.adoc[]
The `mhpmcounters` are *WARL* registers that support up to 64 bits of
precision on RV32 and RV64.
[NOTE]
====
A future revision of this specification will define a mechanism to
generate an interrupt when a hardware performance monitor counter
overflows.
====
When XLEN=32, reads of the `mcycle`, `minstret`, and `mhpmcountern`
CSRs return bits 31-0 of the corresponding counter, and writes change
only bits 31-0; reads of the `mcycleh`, `minstreth`, and `mhpmcounternh`
CSRs return bits 63-32 of the corresponding counter, and writes change
only bits 63-32.
.Upper 32 bits of hardware performance monitor counters, RV32 only.
include::images/bytefield/hpmcounters.adoc[]
[[mcounteren]]
==== Machine Counter-Enable Register (`mcounteren`)
The counter-enable register `mcounteren` is a 32-bit register that
controls the availability of the hardware performance-monitoring
counters to the next-lower privileged mode.
.Counter-enable register (`mcounteren`).
include::images/bytefield/counteren.adoc[]
The settings in this register only control accessibility. The act of
reading or writing this register does not affect the underlying
counters, which continue to increment even when not accessible.
When the CY, TM, IR, or HPM__n__ bit in the `mcounteren` register is
clear, attempts to read the `cycle`, `time`, `instret`, or
`hpmcountern` register while executing in S-mode or U-mode will cause an
illegal-instruction exception. When one of these bits is set, access to
the corresponding register is permitted in the next implemented
privilege mode (S-mode if implemented, otherwise U-mode).
[NOTE]
====
The counter-enable bits support two common use cases with minimal
hardware. For harts that do not need high-performance timers and
counters, machine-mode software can trap accesses and implement all
features in software. For harts that need high-performance timers and
counters but are not concerned with obfuscating the underlying hardware
counters, the counters can be directly exposed to lower privilege modes.
====
The `cycle`, `instret`, and `hpmcountern` CSRs are read-only shadows of
`mcycle`, `minstret`, and `mhpmcounter n`, respectively. The `time` CSR
is a read-only shadow of the memory-mapped `mtime` register.
Analogously, on RV32I the `cycleh`, `instreth` and `hpmcounternh` CSRs
are read-only shadows of `mcycleh`, `minstreth` and `mhpmcounternh`,
respectively. On RV32I the `timeh` CSR is a read-only shadow of the
upper 32 bits of the memory-mapped `mtime` register, while `time`
shadows only the lower 32 bits of `mtime`.
[NOTE]
====
Implementations can convert reads of the `time` and `timeh` CSRs into
loads to the memory-mapped `mtime` register, or emulate this
functionality on behalf of less-privileged modes in M-mode software.
====
In harts with U-mode, the `mcounteren` must be implemented, but all
fields are *WARL* and may be read-only zero, indicating reads to the
corresponding counter will cause an illegal-instruction exception when
executing in a less-privileged mode. In harts without U-mode, the
`mcounteren` register should not exist.
==== Machine Counter-Inhibit CSR (`mcountinhibit`)
.Counter-inhibit register `mcountinhibit`
include::images/bytefield/counterinh.adoc[]
The counter-inhibit register `mcountinhibit` is a 32-bit *WARL* register that
controls which of the hardware performance-monitoring counters
increment. The settings in this register only control whether the
counters increment; their accessibility is not affected by the setting
of this register.
When the CY, IR, or HPM__n__ bit in the `mcountinhibit` register is clear,
the `cycle`, `instret`, or `hpmcountern` register increments as usual.
When the CY, IR, or HPM_n_ bit is set, the corresponding counter does
not increment.
The `mcycle` CSR may be shared between harts on the same core, in which
case the `mcountinhibit.CY` field is also shared between those harts,
and so writes to `mcountinhibit.CY` will be visible to those harts.
If the `mcountinhibit` register is not implemented, the implementation
behaves as though the register were set to zero.
[NOTE]
====
When the `cycle` and `instret` counters are not needed, it is desirable
to conditionally inhibit them to reduce energy consumption. Providing a
single CSR to inhibit all counters also allows the counters to be
atomically sampled.
Because the `time` counter can be shared between multiple cores, it
cannot be inhibited with the `mcountinhibit` mechanism.
====
==== Machine Scratch Register (`mscratch`)
The `mscratch` register is an MXLEN-bit read/write register dedicated
for use by machine mode. Typically, it is used to hold a pointer to a
machine-mode hart-local context space and swapped with a user register
upon entry to an M-mode trap handler.
.Machine-mode scratch register.
include::images/bytefield/mscratch.adoc[]
[NOTE]
====
The MIPS ISA allocated two user registers (`k0`/`k1`) for use by the
operating system. Although the MIPS scheme provides a fast and simple
implementation, it also reduces available user registers, and does not
scale to further privilege levels, or nested traps. It can also require
both registers are cleared before returning to user level to avoid a
potential security hole and to provide deterministic debugging behavior.
The RISC-V user ISA was designed to support many possible privileged
system environments and so we did not want to infect the user-level ISA
with any OS-dependent features. The RISC-V CSR swap instructions can
quickly save/restore values to the `mscratch` register. Unlike the MIPS
design, the OS can rely on holding a value in the `mscratch` register
while the user context is running.
====
==== Machine Exception Program Counter (`mepc`)
`mepc` is an MXLEN-bit read/write register formatted as shown in
<<mepcreg>>. The low bit of `mepc` (`mepc[0]`) is
always zero. On implementations that support only IALIGN=32, the two low
bits (`mepc[1:0]`) are always zero.
If an implementation allows IALIGN to be either 16 or 32 (by changing
CSR `misa`, for example), then, whenever IALIGN=32, bit `mepc[1]` is
masked on reads so that it appears to be 0. This masking occurs also for
the implicit read by the MRET instruction. Though masked, `mepc[1]`
remains writable when IALIGN=32.
`mepc` is a *WARL* register that must be able to hold all valid virtual
addresses. It need not be capable of holding all possible invalid
addresses. Prior to writing `mepc`, implementations may convert an
invalid address into some other invalid address that `mepc` is capable
of holding.
[NOTE]
====
When address translation is not in effect, virtual addresses and
physical addresses are equal. Hence, the set of addresses `mepc` must be
able to represent includes the set of physical addresses that can be
used as a valid `pc` or effective address.
====
When a trap is taken into M-mode, `mepc` is written with the virtual
address of the instruction that was interrupted or that encountered the
exception. Otherwise, `mepc` is never written by the implementation,
though it may be explicitly written by software.
[[mepcreg]]
.Machine exception program counter register.
include::images/bytefield/mepcreg.adoc[]
[[mcause]]
==== Machine Cause Register (`mcause`)
The `mcause` register is an MXLEN-bit read-write register formatted as
shown in <<mcausereg>>. When a trap is taken into
M-mode, `mcause` is written with a code indicating the event that
caused the trap. Otherwise, `mcause` is never written by the
implementation, though it may be explicitly written by software.
The Interrupt bit in the `mcause` register is set if the trap was caused
by an interrupt. The Exception Code field contains a code identifying
the last exception or interrupt. <<mcauses>> lists
the possible machine-level exception codes. The Exception Code is a
*WLRL* field, so is only guaranteed to hold supported exception codes.
[[mcausereg]]
.Machine Cause register `mcause`.
include::images/bytefield/mcausereg.adoc[]
Note that load and load-reserved instructions generate load exceptions,
whereas store, store-conditional, and AMO instructions generate
store/AMO exceptions.
[NOTE]
====
Interrupts can be separated from other traps with a single branch on the
sign of the `mcause` register value. A shift left can remove the
interrupt bit and scale the exception codes to index into a trap vector
table.
***
We do not distinguish privileged instruction exceptions from
illegal-instruction exceptions. This simplifies the architecture and also hides
details of which higher-privilege instructions are supported by an
implementation. The privilege level servicing the trap can implement a
policy on whether these need to be distinguished, and if so, whether a
given opcode should be treated as illegal or privileged.
====
If an instruction may raise multiple synchronous exceptions, the
decreasing priority order of
<<exception-priority>> indicates which
exception is taken and reported in `mcause`. The priority of any custom
synchronous exceptions is implementation-defined.
<<<
[[mcauses]]
.Machine cause register (mcause) values after trap.
[%autowidth,float="center",align="center",cols=">,>,<",options="header",]
|===
|Interrupt |Exception Code |Description
|1 +
1 +
1 +
1
|0 +
1 +
2 +
3
|_Reserved_ +
Supervisor software interrupt +
_Reserved_ +
Machine software interrupt
|1 +
1 +
1 +
1
|4 +
5 +
6 +
7
|_Reserved_ +
Supervisor timer interrupt +
_Reserved_ +
Machine timer interrupt
|1 +
1 +
1 +
1
|8 +
9 +
10 +
11
|_Reserved_ +
Supervisor external interrupt +
_Reserved_ +
Machine external interrupt
|1 +
1 +
1 +
1
|12 +
13 +
14-15 +
≥16
|_Reserved_ +
Counter-overflow interrupt +
_Reserved_ +
_Designated for platform use_
|0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0 +
0
|0 +
1 +
2 +
3 +
4 +
5 +
6 +
7 +
8 +
9 +
10 +
11 +
12 +
13 +
14 +
15 +
16-17 +
18 +
19 +
20-23 +
24-31 +
32-47 +
48-63 +
≥64
|Instruction address misaligned +
Instruction access fault +
Illegal instruction +
Breakpoint +
Load address misaligned +
Load access fault +
Store/AMO address misaligned +
Store/AMO access fault +
Environment call from U-mode +
Environment call from S-mode +
_Reserved_ +
Environment call from M-mode +
Instruction page fault +
Load page fault +
_Reserved_ +
Store/AMO page fault +
_Reserved_ +
Software check +
Hardware error +
_Reserved_ +
_Designated for custom use_ +
_Reserved_ +
_Designated for custom use_ +
_Reserved_
|===
<<<
[[exception-priority]]
.Synchronous exception priority in decreasing priority order.
[%autowidth,float="center",align="center",cols="<,>,<",options="header",]
|===
|Priority |Exc.Code |Description
|_Highest_ |3 |Instruction address breakpoint
| .>|12, 1 .<|During instruction address translation: +
First encountered page fault or access fault
| .>|1 .<|With physical address for instruction: +
Instruction access fault
| .>|2 +
0 +
8,9,11 +
3 +
3 .<|Illegal instruction +
Instruction address misaligned +
Environment call +
Environment break +
Load/store/AMO address breakpoint
| .>|4,6 .<|Optionally: +
Load/store/AMO address misaligned
| .>|13, 15, 5, 7 .<|During address translation for an explicit memory access: +
First encountered page fault or access fault
| .>|5,7 .<|With physical address for an explicit memory access: +
Load/store/AMO access fault
.>|_Lowest_ .>|4,6 .<|If not higher priority: +
Load/store/AMO address misaligned
|===
When a virtual address is translated into a physical address, the
address translation algorithm determines what specific exception may be
raised.
Load/store/AMO address-misaligned exceptions may have either higher or
lower priority than load/store/AMO page-fault and access-fault
exceptions.
[NOTE]
====
The relative priority of load/store/AMO address-misaligned and
page-fault exceptions is implementation-defined to flexibly cater to two
design points. Implementations that never support misaligned accesses
can unconditionally raise the misaligned-address exception without
performing address translation or protection checks. Implementations
that support misaligned accesses only to some physical addresses must
translate and check the address before determining whether the
misaligned access may proceed, in which case raising the page-fault
exception or access is more appropriate.
***
Instruction address breakpoints have the same cause value as, but
different priority than, data address breakpoints (a.k.a. watchpoints)
and environment break exceptions (which are raised by the EBREAK
instruction).
***
Instruction address misaligned exceptions are raised by control-flow
instructions with misaligned targets, rather than by the act of fetching
an instruction. Therefore, these exceptions have lower priority than
other instruction address exceptions.
====
[NOTE]
====
A Software Check exception is a synchronous exception that is triggered when
there are violations of checks and assertions defined by ISA extensions that
aim to safeguard the integrity of software assets, including e.g. control-flow
and memory-access constraints. When this exception is raised, the `__x__tval`
register is set either to 0 or to an informative value defined by the extension
that stipulated the exception be raised. The priority of this exception,
relative to other synchronous exceptions, depends on the cause of this exception
and is defined by the extension that stipulated the exception be raised.
A Hardware Error exception is a synchronous exception triggered when corrupted or
uncorrectable data is accessed explicitly or implicitly by an instruction. In
this context, "data" encompasses all types of information used within a RISC-V
hart. Upon a hardware error exception, the `__x__epc` register is set to the
address of the instruction that attempted to access corrupted data, while the
`__x__tval` register is set either to 0 or to the virtual address of an
instruction fetch, load, or store that attempted to access corrupted data. The
priority of Hardware Error exception is implementation-defined, but any given
occurrence is generally expected to be recognized at the point in the overall
priority order at which the hardware error is discovered.
====
==== Machine Trap Value Register (`mtval`)
The `mtval` register is an MXLEN-bit read-write register formatted as
shown in <<mtvalreg>>. When a trap is taken into
M-mode, `mtval` is either set to zero or written with exception-specific
information to assist software in handling the trap. Otherwise, `mtval`
is never written by the implementation, though it may be explicitly
written by software. The hardware platform will specify which exceptions
must set `mtval` informatively, which may unconditionally set it to
zero, and which may exhibit either behavior, depending on the underlying event
that caused the exception.
If the hardware platform specifies that no exceptions set `mtval`
to a nonzero value, then `mtval` is read-only zero.
If `mtval` is written with a nonzero value when a breakpoint,
address-misaligned, access-fault, or page-fault exception occurs on an
instruction fetch, load, or store, then `mtval` will contain the
faulting virtual address.
When page-based virtual memory is enabled, `mtval` is written with the
faulting virtual address, even for physical-memory access-fault
exceptions. This design reduces datapath cost for most implementations,
particularly those with hardware page-table walkers.
[[mtvalreg]]
.Machine Trap Value register.
include::images/bytefield/mtvalreg.adoc[]
If `mtval` is written with a nonzero value when a misaligned load or
store causes an access-fault or page-fault exception, then `mtval` will
contain the virtual address of the portion of the access that caused the
fault.
If `mtval` is written with a nonzero value when an instruction
access-fault or page-fault exception occurs on a hart with
variable-length instructions, then `mtval` will contain the virtual
address of the portion of the instruction that caused the fault, while
`mepc` will point to the beginning of the instruction.
The `mtval` register can optionally also be used to return the faulting
instruction bits on an illegal-instruction exception (`mepc` points to
the faulting instruction in memory). If `mtval` is written with a
nonzero value when an illegal-instruction exception occurs, then `mtval`
will contain the shortest of:
* the actual faulting instruction
* the first ILEN bits of the faulting instruction
* the first MXLEN bits of the faulting instruction
The value loaded into `mtval` on an illegal-instruction exception is
right-justified and all unused upper bits are cleared to zero.
[NOTE]
====
Capturing the faulting instruction in `mtval` reduces the overhead of
instruction emulation, potentially avoiding several partial instruction
loads if the instruction is misaligned, and likely data cache misses or
slow uncached accesses when loads are used to fetch the instruction into
a data register. There is also a problem of atomicity if another agent
is manipulating the instruction memory, as might occur in a dynamic
translation system.
A requirement is that the entire instruction (or at least the first
MXLEN bits) are fetched into `mtval` before taking the trap. This should
not constrain implementations, which would typically fetch the entire
instruction before attempting to decode the instruction, and avoids
complicating software handlers.
A value of zero in `mtval` signifies either that the feature is not
supported, or an illegal zero instruction was fetched. A load from the
instruction memory pointed to by `mepc` can be used to distinguish these
two cases (or alternatively, the system configuration information can be
interrogated to install the appropriate trap handling before runtime).
====
For other traps, `mtval` is set to zero, but a future standard may
redefine `mtval`’s setting for other traps.
If `mtval` is not read-only zero, it is a *WARL* register that must be able to
hold all valid virtual addresses and the value zero. It need not be
capable of holding all possible invalid addresses. Prior to writing
`mtval`, implementations may convert an invalid address into some other
invalid address that `mtval` is capable of holding. If the feature to
return the faulting instruction bits is implemented, `mtval` must also
be able to hold all values less than 2^__N__^, where
_N_ is the smaller of MXLEN and ILEN.
==== Machine Configuration Pointer Register (`mconfigptr`)
`mconfigptr` is an MXLEN-bit read-only CSR, formatted as shown in
<<mconfigptrreg>>, that holds the physical
address of a configuration data structure. Software can traverse this
data structure to discover information about the harts, the platform,
and their configuration.
[[mconfigptrreg]]
.Machine Configuration Pointer register.
include::images/bytefield/mconfigptrreg.adoc[]
The pointer alignment in bits must be no smaller than MXLEN:
i.e., if MXLEN is
latexmath:[$8\times n$], then `mconfigptr`[latexmath:[$\log_2n$]-1:0]
must be zero.
`mconfigptr` must be implemented, but it may be zero to indicate the
configuration data structure does not exist or that an alternative
mechanism must be used to locate it.
[NOTE]
====
The format and schema of the configuration data structure have yet to be
standardized.
***
While `mconfigptr` will simply be hardwired in some implementations,
other implementations may provide a means to configure the value
returned on CSR reads. For example, `mconfigptr` might present the value
of a memory-mapped register that is programmed by the platform or by
M-mode software towards the beginning of the boot process.
====
[[sec:menvcfg]]
==== Machine Environment Configuration Register (`menvcfg`)
The `menvcfg` CSR is a 64-bit read/write register, formatted
as shown in [[menvcfg]], that controls
certain characteristics of the execution environment for modes less
privileged than M.
.Machine environment configuration register (`menvcfg`).
include::images/bytefield/menvcfgreg.adoc[]
If bit FIOM (Fence of I/O implies Memory) is set to one in `menvcfg`,
FENCE instructions executed in modes less privileged than M are modified
so the requirement to order accesses to device I/O implies also the
requirement to order main memory accesses. <<menvcfg-FIOM>>
details the modified interpretation of FENCE instruction bits PI, PO,
SI, and SO for modes less privileged than M when FIOM=1.
Similarly, for modes less privileged than M when FIOM=1, if an atomic
instruction that accesses a region ordered as device I/O has its _aq_
and/or _rl_ bit set, then that instruction is ordered as though it
accesses both device I/O and memory.
If S-mode is not supported, or if `satp`.MODE is read-only zero (always
Bare), the implementation may make FIOM read-only zero.
[[menvcfg-FIOM]]
.Modified interpretation of FENCE predecessor and successor sets for modes less privileged than M when FIOM=1.
[%autowidth,float="center",align="center",cols="^,<",options="header"]
|===
|Instruction bit |Meaning when set
|PI +
PO
|Predecessor device input and memory reads (PR implied) +
Predecessor device output and memory writes (PW implied)
|SI +
SO
|Successor device input and memory reads (SR implied) +
Successor device output and memory writes (SW implied)
|===
[NOTE]
====
Bit FIOM is needed in `menvcfg` so M-mode can emulate the hypervisor
extension of <<hypervisor>>, which has an
equivalent FIOM bit in the hypervisor CSR `henvcfg`.
====
The PBMTE bit controls whether the Svpbmt extension is available for use
in S-mode and G-stage address translation (i.e., for page tables pointed
to by `satp` or `hgatp`). When PBMTE=1, Svpbmt is available for S-mode
and G-stage address translation. When PBMTE=0, the implementation
behaves as though Svpbmt were not implemented. If Svpbmt is not
implemented, PBMTE is read-only zero. Furthermore, for implementations
with the hypervisor extension, `henvcfg`.PBMTE is read-only zero if
`menvcfg`.PBMTE is zero.
After changing `menvcfg`.PBMTE, executing an SFENCE.VMA instruction with
_rs1_=`x0` and _rs2_=`x0` suffices to synchronize address-translation caches
with respect to the altered interpretation of page-table entries' PBMT fields.
See <<hyp-mm-fences>> for additional synchronization requirements when the
hypervisor extension is implemented.
If the Svadu extension is implemented, the ADUE bit controls whether hardware
updating of PTE A/D bits is enabled for S-mode and G-stage address
translations.
When ADUE=1, hardware updating of PTE A/D bits is enabled during S-mode
address translation, and the implementation behaves as though the Svade
extension were not implemented for S-mode address translation.
When the hypervisor extension is implemented, if ADUE=1, hardware updating of
PTE A/D bits is enabled during G-stage address translation, and the
implementation behaves as though the Svade extension were not implemented for
G-stage address translation.
When ADUE=0, the implementation behaves as though Svade were implemented for
S-mode and G-stage address translation.
If Svadu is not implemented, ADUE is read-only zero.
Furthermore, for implementations with the hypervisor extension, `henvcfg`.ADUE
is read-only zero if `menvcfg`.ADUE is zero.
NOTE: The Svade extension requires page-fault exceptions be raised when PTE
A/D bits need be set, hence Svade is implemented when ADUE=0.
If the Smcdeleg extension is implemented, the CDE (Counter Delegation Enable) bit controls whether Zicntr and Zihpm counters can be delegated to S-mode. When CDE=1, the Smcdeleg extension is enabled, see <<smcdeleg>>. When CDE=0, the Smcdeleg and Ssccfg extensions appear to be not implemented. If Smcdeleg is not implemented, CDE is read-only zero.
The definition of the STCE field will be furnished by the forthcoming
Sstc extension. Its allocation within `menvcfg` may change prior to the
ratification of that extension.
The definition of the CBZE field will be furnished by the forthcoming
Zicboz extension. Its allocation within `menvcfg` may change prior to
the ratification of that extension.
The definitions of the CBCFE and CBIE fields will be furnished by the
forthcoming Zicbom extension. Their allocations within `menvcfg` may
change prior to the ratification of that extension.
The definition of the PMM field will be furnished by the forthcoming
Smnpm extension. Its allocation within `menvcfg` may change prior to the
ratification of that extension.
When XLEN=32, `menvcfgh` is a 32-bit read/write register
that aliases bits 63:32 of `menvcfg`.
Register `menvcfgh` does not exist when XLEN=64.
If U-mode is not supported, then registers `menvcfg` and `menvcfgh` do
not exist.
==== Machine Security Configuration Register (`mseccfg`)
`mseccfg` is an optional 64-bit read/write register, formatted as
shown in <<mseccfg>>, that controls security features.
[[mseccfg]]
.Machine security configuration register (`mseccfg`).
include::images/bytefield/mseccfg.adoc[]
The definitions of the SSEED and USEED fields will be furnished by the
forthcoming entropy-source extension, Zkr. Their allocations within
`mseccfg` may change prior to the ratification of that extension.
The definitions of the RLB, MMWP, and MML fields will be furnished by
the forthcoming PMP-enhancement extension, Smepmp. Their allocations
within `mseccfg` may change prior to the ratification of that extension.
The definition of the PMM field will be furnished by the forthcoming
Smmpm extension. Its allocation within `mseccfg` may change prior to the
ratification of that extension.
When XLEN=32 only, `mseccfgh` is a 32-bit read/write register that
aliases bits 63:32 of `mseccfg`.
Register `mseccfgh` does not exist when XLEN=64.
=== Machine-Level Memory-Mapped Registers
==== Machine Timer Registers (`mtime` and `mtimecmp`)
Platforms provide a real-time counter, exposed as a memory-mapped
machine-mode read-write register, `mtime`. `mtime` must increment at
constant frequency, and the platform must provide a mechanism for
determining the period of an `mtime` tick. The `mtime` register will
wrap around if the count overflows.
The `mtime` register has a 64-bit precision on all RV32 and RV64
systems. Platforms provide a 64-bit memory-mapped machine-mode timer
compare register (`mtimecmp`). A machine timer interrupt becomes pending
whenever `mtime` contains a value greater than or equal to `mtimecmp`,
treating the values as unsigned integers. The interrupt remains posted
until `mtimecmp` becomes greater than `mtime` (typically as a result of
writing `mtimecmp`). The interrupt will only be taken if interrupts are
enabled and the MTIE bit is set in the `mie` register.
.Machine time register (memory-mapped control register).
include::images/bytefield/mtime.adoc[]
.Machine time compare register (memory-mapped control register).
include::images/bytefield/mtimecmp.adoc[]
[NOTE]
====
The timer facility is defined to use wall-clock time rather than a cycle
counter to support modern processors that run with a highly variable
clock frequency to save energy through dynamic voltage and frequency
scaling.
Accurate real-time clocks (RTCs) are relatively expensive to provide
(requiring a crystal or MEMS oscillator) and have to run even when the
rest of system is powered down, and so there is usually only one in a
system located in a different frequency/voltage domain from the
processors. Hence, the RTC must be shared by all the harts in a system
and accesses to the RTC will potentially incur the penalty of a
voltage-level-shifter and clock-domain crossing. It is thus more natural
to expose `mtime` as a memory-mapped register than as a CSR.
Lower privilege levels do not have their own `timecmp` registers.
Instead, machine-mode software can implement any number of virtual
timers on a hart by multiplexing the next timer interrupt into the
`mtimecmp` register.
Simple fixed-frequency systems can use a single clock for both cycle
counting and wall-clock time.
====
Writes to `mtime` and `mtimecmp` are guaranteed to be reflected in MTIP
eventually, but not necessarily immediately.
[NOTE]
====
A spurious timer interrupt might occur if an interrupt handler
increments `mtimecmp` then immediately returns, because MTIP might not
yet have fallen in the interim. All software should be written to assume
this event is possible, but most software should assume this event is
extremely unlikely. It is almost always more performant to incur an
occasional spurious timer interrupt than to poll MTIP until it falls.
====
In RV32, memory-mapped writes to `mtimecmp` modify only one 32-bit part
of the register. The following code sequence sets a 64-bit `mtimecmp`
value without spuriously generating a timer interrupt due to the
intermediate value of the comparand:
For RV64, naturally aligned 64-bit memory accesses to the `mtime` and
`mtimecmp` registers are additionally supported and are atomic.
.Sample code for setting the 64-bit time comparand in RV32 assuming a little-endian memory system and that the registers live in a strongly ordered I/O region. Storing -1 to the low-order bits of `mtimecmp` prevents `mtimecmp` from temporarily becoming smaller than the lesser of the old and new values.
....
# New comparand is in a1:a0.
li t0, -1
la t1, mtimecmp
sw t0, 0(t1) # No smaller than old value.
sw a1, 4(t1) # No smaller than new value.
sw a0, 0(t1) # New value.
....
=== Machine-Mode Privileged Instructions
==== Environment Call and Breakpoint
include::images/wavedrom/mm-env-call.adoc[]
The ECALL instruction is used to make a request to the supporting
execution environment. When executed in U-mode, S-mode, or M-mode, it
generates an environment-call-from-U-mode exception,
environment-call-from-S-mode exception, or environment-call-from-M-mode
exception, respectively, and performs no other operation.
[NOTE]
====
ECALL generates a different exception for each originating privilege
mode so that environment call exceptions can be selectively delegated. A
typical use case for Unix-like operating systems is to delegate to
S-mode the environment-call-from-U-mode exception but not the others.
====
The EBREAK instruction is used by debuggers to cause control to be
transferred back to a debugging environment. It generates a breakpoint
exception and performs no other operation.
[NOTE]
====
As described in the "C" Standard Extension for Compressed Instructions
in Volume I of this manual, the C.EBREAK instruction performs the same
operation as the EBREAK instruction.
====
ECALL and EBREAK cause the receiving privilege mode’s `epc` register to
be set to the address of the ECALL or EBREAK instruction itself, _not_
the address of the following instruction. As ECALL and EBREAK cause
synchronous exceptions, they are not considered to retire, and should
not increment the `minstret` CSR.
[[otherpriv]]
==== Trap-Return Instructions
Instructions to return from trap are encoded under the PRIV minor
opcode.
include::images/wavedrom/trap-return.adoc[]
To return after handling a trap, there are separate trap return
instructions per privilege level, MRET and SRET. MRET is always
provided. SRET must be provided if supervisor mode is supported, and
should raise an illegal-instruction exception otherwise. SRET should
also raise an illegal-instruction exception when TSR=1 in `mstatus`, as
described in <<virt-control>>. An __x__RET instruction
can be executed in privilege mode _x_ or higher, where executing a
lower-privilege __x__RET instruction will pop the relevant lower-privilege
interrupt enable and privilege mode stack. In addition to manipulating
the privilege stack as described in <<privstack>>,
__x__RET sets the `pc` to the value stored in the `__x__epc` register.
If the A extension is supported, the __x__RET instruction is allowed to
clear any outstanding LR address reservation but is not required to.
Trap handlers should explicitly clear the reservation if required (e.g.,
by using a dummy SC) before executing the __x__RET.
[NOTE]
====
If __x__RET instructions always cleared LR reservations, it would be
impossible to single-step through LR/SC sequences using a debugger.
====
[[wfi]]
==== Wait for Interrupt
The Wait for Interrupt instruction (WFI) informs the
implementation that the current hart can be stalled until an interrupt
might need servicing. Execution of the WFI instruction can also be used
to inform the hardware platform that suitable interrupts should
preferentially be routed to this hart. WFI is available in all
privileged modes, and optionally available to U-mode. This instruction
may raise an illegal-instruction exception when TW=1 in `mstatus`, as
described in <<virt-control>>.
include::images/wavedrom/wfi.adoc[]
If an enabled interrupt is present or later becomes present while the
hart is stalled, the interrupt trap will be taken on the following
instruction, i.e., execution resumes in the trap handler and `mepc` =
`pc` + 4.
[NOTE]
====
The following instruction takes the interrupt trap so that a simple
return from the trap handler will execute code after the WFI
instruction.
====
Implementations are permitted to resume execution for any reason, even if an
enabled interrupt has not become pending. Hence, a legal implementation is to
simply implement the WFI instruction as a NOP.
[NOTE]
====
If the implementation does not stall the hart on execution of the
instruction, then the interrupt will be taken on some instruction in the
idle loop containing the WFI, and on a simple return from the handler,
the idle loop will resume execution.
====
The WFI instruction can also be executed when interrupts are disabled.
The operation of WFI must be unaffected by the global interrupt bits in
`mstatus` (MIE and SIE) and the delegation register `mideleg` (i.e.,
the hart must resume if a locally enabled interrupt becomes pending,
even if it has been delegated to a less-privileged mode), but should
honor the individual interrupt enables (e.g, MTIE) (i.e.,
implementations should avoid resuming the hart if the interrupt is
pending but not individually enabled). WFI is also required to resume
execution for locally enabled interrupts pending at any privilege level,
regardless of the global interrupt enable at each privilege level.
If the event that causes the hart to resume execution does not cause an
interrupt to be taken, execution will resume at `pc` + 4, and software
must determine what action to take, including looping back to repeat the
WFI if there was no actionable event.
[NOTE]
====
By allowing wakeup when interrupts are disabled, an alternate entry
point to an interrupt handler can be called that does not require saving
the current context, as the current context can be saved or discarded
before the WFI is executed.
As implementations are free to implement WFI as a NOP, software must
explicitly check for any relevant pending but disabled interrupts in the
code following an WFI, and should loop back to the WFI if no suitable
interrupt was detected. The `mip` or `sip` registers can be interrogated
to determine the presence of any interrupt in machine or supervisor mode
respectively.
The operation of WFI is unaffected by the delegation register settings.
WFI is defined so that an implementation can trap into a higher
privilege mode, either immediately on encountering the WFI or after some
interval to initiate a machine-mode transition to a lower power state,
for example.
***
The same "wait-for-event" template might be used for possible future
extensions that wait on memory locations changing, or message arrival.
====
==== Custom SYSTEM Instructions
The subspace of the SYSTEM major opcode shown in <<customsys>> is designated for custom use. It is recommended that these instructions use bits 29:28 to designate the
minimum required privilege mode, as do other SYSTEM instructions.
[[customsys]]
.SYSTEM instruction encodings designated for custom use.
include::images/bytefield/cust-sys-instr.adoc[]
[[reset]]
=== Reset
Upon reset, a hart’s privilege mode is set to M. The `mstatus` fields
MIE and MPRV are reset to 0. If little-endian memory accesses are
supported, the `mstatus`/`mstatush` field MBE is reset to 0. The `misa`
register is reset to enable the maximal set of supported extensions,
as described in <<misa>>. For
implementations with the "A" standard extension, there is no valid
load reservation. The `pc` is set to an implementation-defined reset
vector. The `mcause` register is set to a value indicating the cause of
the reset. Writable PMP registers’ A and L fields are set to 0, unless
the platform mandates a different reset value for some PMP registers’ A
and L fields. If the hypervisor extension is implemented, the
`hgatp`.MODE and `vsatp`.MODE fields are reset to 0. If the Smrnmi
extension is implemented, the `mnstatus`.NMIE field is reset to 0. No
*WARL* field contains an illegal value. All other hart state is UNSPECIFIED.
The `mcause` values after reset have implementation-specific
interpretation, but the value 0 should be returned on implementations
that do not distinguish different reset conditions. Implementations that
distinguish different reset conditions should only use 0 to indicate the
most complete reset.
[NOTE]
====
Some designs may have multiple causes of reset (e.g., power-on reset,
external hard reset, brownout detected, watchdog timer elapse,
sleep-mode wakeup), which machine-mode software and debuggers may wish
to distinguish.
`mcause` reset values may alias `mcause` values following synchronous
exceptions. There should be no ambiguity in this overlap, since on reset
the `pc` is typically set to a different value than on other traps.
====
[[nmi]]
=== Non-Maskable Interrupts
Non-maskable interrupts (NMIs) are only used for hardware error
conditions, and cause an immediate jump to an implementation-defined NMI
vector running in M-mode regardless of the state of a hart’s interrupt
enable bits. The `mepc` register is written with the virtual address of
the instruction that was interrupted, and `mcause` is set to a value
indicating the source of the NMI. The NMI can thus overwrite state in an
active machine-mode interrupt handler.
The values written to `mcause` on an NMI are implementation-defined. The
high Interrupt bit of `mcause` should be set to indicate that this was
an interrupt. An Exception Code of 0 is reserved to mean "unknown
cause" and implementations that do not distinguish sources of NMIs via
the `mcause` register should return 0 in the Exception Code.
Unlike resets, NMIs do not reset processor state, enabling diagnosis,
reporting, and possible containment of the hardware error.
[[pma]]
=== Physical Memory Attributes
The physical memory map for a complete system includes various address
ranges, some corresponding to memory regions, some to memory-mapped
control registers, and some to vacant holes in the address space. Some
memory regions might not support reads, writes, or execution; some might
not support subword or subblock accesses; some might not support atomic
operations; and some might not support cache coherence or might have
different memory models. Similarly, memory-mapped control registers vary
in their supported access widths, support for atomic operations, and
whether read and write accesses have associated side effects. In RISC-V
systems, these properties and capabilities of each region of the
machine's physical address space are termed _physical memory attributes_
(PMAs). This section describes RISC-V PMA terminology and how RISC-V
systems implement and check PMAs.
PMAs are inherent properties of the underlying hardware and rarely
change during system operation. Unlike physical memory protection values
described in <<pmp>>, PMAs do not vary by execution
context. The PMAs of some memory regions are fixed at chip design
time—for example, for an on-chip ROM. Others are fixed at board design
time, depending, for example, on which other chips are connected to
off-chip buses. Off-chip buses might also support devices that could be
changed on every power cycle (cold pluggable) or dynamically while the
system is running (hot pluggable). Some devices might be configurable at
run time to support different uses that imply different PMAs—for
example, an on-chip scratchpad RAM might be cached privately by one core
in one end-application, or accessed as a shared non-cached memory in
another end-application.
Most systems will require that at least some PMAs are dynamically
checked in hardware later in the execution pipeline after the physical
address is known, as some operations will not be supported at all
physical memory addresses, and some operations require knowing the
current setting of a configurable PMA attribute. While many other
architectures specify some PMAs in the virtual memory page tables and
use the TLB to inform the pipeline of these properties, this approach
injects platform-specific information into a virtualized layer and can
cause system errors unless attributes are correctly initialized in each
page-table entry for each physical memory region. In addition, the
available page sizes might not be optimal for specifying attributes in
the physical memory space, leading to address-space fragmentation and
inefficient use of expensive TLB entries.
For RISC-V, we separate out specification and checking of PMAs into a
separate hardware structure, the _PMA checker_. In many cases, the
attributes are known at system design time for each physical address
region, and can be hardwired into the PMA checker. Where the attributes
are run-time configurable, platform-specific memory-mapped control
registers can be provided to specify these attributes at a granularity
appropriate to each region on the platform (e.g., for an on-chip SRAM
that can be flexibly divided between cacheable and uncacheable uses).
PMAs are checked for any access to physical memory, including accesses
that have undergone virtual to physical memory translation. To aid in
system debugging, we strongly recommend that, where possible, RISC-V
processors precisely trap physical memory accesses that fail PMA checks.
Precisely trapped PMA violations manifest as instruction, load, or store
access-fault exceptions, distinct from virtual-memory page-fault
exceptions. Precise PMA traps might not always be possible, for example,
when probing a legacy bus architecture that uses access failures as part
of the discovery mechanism. In this case, error responses from
peripheral devices will be reported as imprecise bus-error interrupts.
PMAs must also be readable by software to correctly access certain
devices or to correctly configure other hardware components that access
memory, such as DMA engines. As PMAs are tightly tied to a given
physical platform’s organization, many details are inherently
platform-specific, as is the means by which software can learn the PMA
values for a platform. Some devices, particularly legacy buses, do not
support discovery of PMAs and so will give error responses or time out
if an unsupported access is attempted. Typically, platform-specific
machine-mode code will extract PMAs and ultimately present this
information to higher-level less-privileged software using some standard
representation.
Where platforms support dynamic reconfiguration of PMAs, an interface
will be provided to set the attributes by passing requests to a
machine-mode driver that can correctly reconfigure the platform. For
example, switching cacheability attributes on some memory regions might
involve platform-specific operations, such as cache flushes, that are
available only to machine-mode.
==== Main Memory versus I/O versus Vacant Regions
The most important characterization of a given memory address range is
whether it holds regular main memory, or I/O devices, or is vacant.
Regular main memory is required to have a number of properties,
specified below, whereas I/O devices can have a much broader range of
attributes. Memory regions that do not fit into regular main memory, for
example, device scratchpad RAMs, are categorized as I/O regions. Vacant
regions are also classified as I/O regions but with attributes
specifying that no accesses are supported.
==== Supported Access Type PMAs
Access types specify which access widths, from 8-bit byte to long
multi-word burst, are supported, and also whether misaligned accesses
are supported for each access width.
[NOTE]
====
Although software running on a RISC-V hart cannot directly generate
bursts to memory, software might have to program DMA engines to access
I/O devices and might therefore need to know which access sizes are
supported.
====
Main memory regions always support read and write of all access widths
required by the attached devices, and can specify whether instruction
fetch is supported.
[NOTE]
====
Some platforms might mandate that all of main memory support instruction
fetch. Other platforms might prohibit instruction fetch from some main
memory regions.
***
In some cases, the design of a processor or device accessing main memory
might support other widths, but must be able to function with the types
supported by the main memory.
====
I/O regions can specify which combinations of read, write, or execute
accesses to which data widths are supported.
For systems with page-based virtual memory, I/O and memory regions can
specify which combinations of hardware page-table reads and hardware
page-table writes are supported.
[NOTE]
====
Unix-like operating systems generally require that all of cacheable main
memory supports page-table walks.
====
==== Atomicity PMAs
Atomicity PMAs describes which atomic instructions are supported in this
address region. Support for atomic instructions is divided into two
categories: _LR/SC_ and _AMOs_.
[NOTE]
====
Some platforms might mandate that all of cacheable main memory support
all atomic operations required by the attached processors.
====
===== AMO PMA
Within AMOs, there are four levels of support: _AMONone_, _AMOSwap_,
_AMOLogical_, and _AMOArithmetic_. AMONone indicates that no AMO
operations are supported. AMOSwap indicates that only `amoswap`
instructions are supported in this address range. AMOLogical indicates
that swap instructions plus all the logical AMOs (`amoand`, `amoor`,
`amoxor`) are supported. AMOArithmetic indicates that all RISC-V AMOs
are supported. For each level of support, naturally aligned AMOs of a
given width are supported if the underlying memory region supports reads
and writes of that width. Main memory and I/O regions may only support a
subset or none of the processor-supported atomic operations.
.Classes of AMOs supported by I/O regions.
[i%autowidth,float="center",align="center",cols="<,<",options="header"]
|===
|AMO Class |Supported Operations
|AMONone +
AMOSwap +
AMOLogical +
AMOArithmetic
|_None_ +
`amoswap` +
above + `amoand`, `amoor`, `amoxor` +
above + `amoadd`, `amomin`, `amomax`, `amominu`,
`amomaxu`
|===
[NOTE]
====
We recommend providing at least AMOLogical support for I/O regions where
possible.
====
===== Reservability PMA
For _LR/SC_, there are three levels of support indicating combinations
of the reservability and eventuality properties: _RsrvNone_,
_RsrvNonEventual_, and _RsrvEventual_. RsrvNone indicates that no LR/SC
operations are supported (the location is non-reservable).
RsrvNonEventual indicates that the operations are supported (the
location is reservable), but without the eventual success guarantee
described in the unprivileged ISA specification. RsrvEventual indicates
that the operations are supported and provide the eventual success
guarantee.
[NOTE]
====
We recommend providing RsrvEventual support for main memory regions
where possible. Most I/O regions will not support LR/SC accesses, as
these are most conveniently built on top of a cache-coherence scheme,
but some may support RsrvNonEventual or RsrvEventual.
***
When LR/SC is used for memory locations marked RsrvNonEventual, software
should provide alternative fall-back mechanisms used when lack of
progress is detected.
====
==== Misaligned Atomicity Granule PMA
The misaligned atomicity granule PMA provides constrained support for
misaligned AMOs.
This PMA, if present, specifies the size of a _misaligned atomicity granule_,
a naturally aligned power-of-two number of bytes.
Specific supported values for this PMA are represented by MAG__NN__, e.g.,
MAG16 indicates the misaligned atomicity granule is at least 16 bytes.
The misaligned atomicity granule PMA applies only to AMOs, loads and stores
defined in the base ISAs, and loads and stores of no more than MXLEN bits
defined in the F, D, and Q extensions.
For an instruction in that set, if all accessed bytes lie within the same
misaligned atomicity granule, the instruction will not raise an exception for
reasons of address alignment, and the instruction will give rise to only one
memory operation for the purposes of RVWMO--i.e., it will execute atomically.
If a misaligned AMO accesses a region that does not specify a misaligned
atomicity granule PMA, or if not all accessed bytes lie within the same
misaligned atomicity granule, then an exception is raised.
For regular loads and stores that access such a region or for which not all
accessed bytes lie within the same atomicity granule, then either an exception
is raised, or the access proceeds but is not guaranteed to be atomic.
Implementations may raise access-fault exceptions instead of
address-misaligned exceptions for some misaligned accesses, indicating the
instruction should not be emulated by a trap handler.
NOTE: LR/SC instructions are unaffected by this PMA and so always raise an
exception when misaligned. Vector memory accesses are also unaffected, so
might execute non-atomically even when contained within a misaligned atomicity
granule. Implicit accesses are similarly unaffected by this PMA.
==== Memory-Ordering PMAs
Regions of the address space are classified as either _main memory_ or
_I/O_ for the purposes of ordering by the FENCE instruction and
atomic-instruction ordering bits.
Accesses by one hart to main memory regions are observable not only by
other harts but also by other devices with the capability to initiate
requests in the main memory system (e.g., DMA engines). Coherent main
memory regions always have either the RVWMO or RVTSO memory model.
Incoherent main memory regions have an implementation-defined memory
model.
Accesses by one hart to an I/O region are observable not only by other
harts and bus mastering devices but also by the targeted I/O devices,
and I/O regions may be accessed with either _relaxed_ or _strong_
ordering. Accesses to an I/O region with relaxed ordering are generally
observed by other harts and bus mastering devices in a manner similar to
the ordering of accesses to an RVWMO memory region, as discussed in
Section A.4.2 in Volume I of this specification. By contrast, accesses
to an I/O region with strong ordering are generally observed by other
harts and bus mastering devices in program order.
Each strongly ordered I/O region specifies a numbered ordering channel,
which is a mechanism by which ordering guarantees can be provided
between different I/O regions. Channel 0 is used to indicate
point-to-point strong ordering only, where only accesses by the hart to
the single associated I/O region are strongly ordered.
Channel 1 is used to provide global strong ordering across all I/O
regions. Any accesses by a hart to any I/O region associated with
channel 1 can only be observed to have occurred in program order by all
other harts and I/O devices, including relative to accesses made by that
hart to relaxed I/O regions or strongly ordered I/O regions with
different channel numbers. In other words, any access to a region in
channel 1 is equivalent to executing a `fence io,io` instruction before
and after the instruction.
Other larger channel numbers provide program ordering to accesses by
that hart across any regions with the same channel number.
Systems might support dynamic configuration of ordering properties on
each memory region.
[NOTE]
====
Strong ordering can be used to improve compatibility with legacy device
driver code, or to enable increased performance compared to insertion of
explicit ordering instructions when the implementation is known to not
reorder accesses.
Local strong ordering (channel 0) is the default form of strong ordering
as it is often straightforward to provide if there is only a single
in-order communication path between the hart and the I/O device.
Generally, different strongly ordered I/O regions can share the same
ordering channel without additional ordering hardware if they share the
same interconnect path and the path does not reorder requests.
====
==== Coherence and Cacheability PMAs
Coherence is a property defined for a single physical address, and
indicates that writes to that address by one agent will eventually be
made visible to other coherent agents in the system. Coherence is not to be
confused with the memory consistency model of a system, which defines
what values a memory read can return given the previous history of reads
and writes to the entire memory system. In RISC-V platforms, the use of
hardware-incoherent regions is discouraged due to software complexity,
performance, and energy impacts.
The cacheability of a memory region should not affect the software view
of the region except for differences reflected in other PMAs, such as
main memory versus I/O classification, memory ordering, supported
accesses and atomic operations, and coherence. For this reason, we treat
cacheability as a platform-level setting managed by machine-mode
software only.
Where a platform supports configurable cacheability settings for a
memory region, a platform-specific machine-mode routine will change the
settings and flush caches if necessary, so the system is only incoherent
during the transition between cacheability settings. This transitory
state should not be visible to lower privilege levels.
[NOTE]
====
Coherence is straightforward to provide for a shared memory region that
is not cached by any agent. The PMA for such a region would simply
indicate it should not be cached in a private or shared cache.
Coherence is also straightforward for read-only regions, which can be
safely cached by multiple agents without requiring a cache-coherence
scheme. The PMA for this region would indicate that it can be cached,
but that writes are not supported.
Some read-write regions might only be accessed by a single agent, in
which case they can be cached privately by that agent without requiring
a coherence scheme. The PMA for such regions would indicate they can be
cached. The data can also be cached in a shared cache, as other agents
should not access the region.
If an agent can cache a read-write region that is accessible by other
agents, whether caching or non-caching, a cache-coherence scheme is
required to avoid use of stale values. In regions lacking hardware cache
coherence (hardware-incoherent regions), cache coherence can be
implemented entirely in software, but software coherence schemes are
notoriously difficult to implement correctly and often have severe
performance impacts due to the need for conservative software-directed
cache-flushing. Hardware cache-coherence schemes require more complex
hardware and can impact performance due to the cache-coherence probes,
but are otherwise invisible to software.
For each hardware cache-coherent region, the PMA would indicate that the
region is coherent and which hardware coherence controller to use if the
system has multiple coherence controllers. For some systems, the
coherence controller might be an outer-level shared cache, which might
itself access further outer-level cache-coherence controllers
hierarchically.
Most memory regions within a platform will be coherent to software,
because they will be fixed as either uncached, read-only, hardware
cache-coherent, or only accessed by one agent.
====
If a PMA indicates non-cacheability, then accesses to that region must
be satisfied by the memory itself, not by any caches.
[NOTE]
====
For implementations with a cacheability-control mechanism, the situation
may arise that a program uncacheably accesses a memory location that is
currently cache-resident. In this situation, the cached copy must be
ignored. This constraint is necessary to prevent more-privileged modes’
speculative cache refills from affecting the behavior of less-privileged
modes’ uncacheable accesses.
====
==== Idempotency PMAs
Idempotency PMAs describe whether reads and writes to an address region
are idempotent. Main memory regions are assumed to be idempotent. For
I/O regions, idempotency on reads and writes can be specified separately
(e.g., reads are idempotent but writes are not). If accesses are
non-idempotent, i.e., there is potentially a side effect on any read or
write access, then speculative or redundant accesses must be avoided.
For the purposes of defining the idempotency PMAs, changes in observed
memory ordering created by redundant accesses are not considered a side
effect.
[NOTE]
====
While hardware should always be designed to avoid speculative or
redundant accesses to memory regions marked as non-idempotent, it is
also necessary to ensure software or compiler optimizations do not
generate spurious accesses to non-idempotent memory regions.
Non-idempotent regions might not support misaligned accesses. Misaligned
accesses to such regions should raise access-fault exceptions rather
than address-misaligned exceptions, indicating that software should not
emulate the misaligned access using multiple smaller accesses, which
could cause unexpected side effects.
====
For non-idempotent regions, implicit reads and writes must not be
performed early or speculatively, with the following exceptions. When a
non-speculative implicit read is performed, an implementation is
permitted to additionally read any of the bytes within a naturally
aligned power-of-2 region containing the address of the non-speculative
implicit read. Furthermore, when a non-speculative instruction fetch is
performed, an implementation is permitted to additionally read any of
the bytes within the _next_ naturally aligned power-of-2 region of the
same size (with the address of the region taken modulo
2^XLEN^. The results of these additional reads
may be used to satisfy subsequent early or speculative implicit reads.
The size of these naturally aligned power-of-2 regions is
implementation-defined, but, for systems with page-based virtual memory,
must not exceed the smallest supported page size.
[[pmp]]
=== Physical Memory Protection
To support secure processing and contain faults, it is desirable to
limit the physical addresses accessible by software running on a hart.
An optional physical memory protection (PMP) unit provides per-hart
machine-mode control registers to allow physical memory access
privileges (read, write, execute) to be specified for each physical
memory region. The PMP values are checked in parallel with the PMA
checks described in <<pma>>.
The granularity of PMP access control settings are platform-specific,
but the standard PMP encoding supports regions as small as four bytes.
Certain regions’ privileges can be hardwired—for example, some regions
might only ever be visible in machine mode but in no lower-privilege
layers.
[NOTE]
====
Platforms vary widely in demands for physical memory protection, and
some platforms may provide other PMP structures in addition to or
instead of the scheme described in this section.
====
PMP checks are applied to all accesses whose effective privilege mode is
S or U, including instruction fetches and data accesses in S and U mode,
and data accesses in M-mode when the MPRV bit in `mstatus` is set and
the MPP field in `mstatus` contains S or U. PMP checks are also applied
to page-table accesses for virtual-address translation, for which the
effective privilege mode is S. Optionally, PMP checks may additionally
apply to M-mode accesses, in which case the PMP registers themselves are
locked, so that even M-mode software cannot change them until the hart
is reset. In effect, PMP can _grant_ permissions to S and U modes, which
by default have none, and can _revoke_ permissions from M-mode, which by
default has full permissions.
PMP violations are always trapped precisely at the processor.
==== Physical Memory Protection CSRs
PMP entries are described by an 8-bit configuration register and one
MXLEN-bit address register. Some PMP settings additionally use the
address register associated with the preceding PMP entry. Up to 64 PMP
entries are supported. Implementations may implement zero, 16, or 64 PMP
entries; the lowest-numbered PMP entries must be implemented first. All
PMP CSR fields are *WARL* and may be read-only zero. PMP CSRs are only
accessible to M-mode.
The PMP configuration registers are densely packed into CSRs to minimize
context-switch time. For RV32, sixteen CSRs, `pmpcfg0`–`pmpcfg15`, hold
the configurations `pmp0cfg`–`pmp63cfg` for the 64 PMP entries, as shown
in <<pmpcfg-rv32>>. For RV64, eight
even-numbered CSRs, `pmpcfg0`, `pmpcfg2`, …, `pmpcfg14`, hold the
configurations for the 64 PMP entries, as shown in
<<pmpcfg-rv64>>. For RV64, the odd-numbered
configuration registers, `pmpcfg1`, `pmpcfg3`, …, `pmpcfg15`, are
illegal.
[NOTE]
====
RV64 harts use `pmpcfg2`, rather than `pmpcfg1`, to hold
configurations for PMP entries 8-15. This design reduces the cost of
supporting multiple MXLEN values, since the configurations for PMP
entries 8-11 appear in `pmpcfg2`[31:0] for both RV32 and RV64.
====
[[pmpcfg-rv32]]
.RV32 PMP configuration CSR layout.
include::images/bytefield/pmp-rv32.adoc[]
[[pmpcfg-rv64]]
.RV64 PMP configuration CSR layout.
include::images/bytefield/pmp-rv64.adoc[]
The PMP address registers are CSRs named `pmpaddr0`-`pmpaddr63`. Each
PMP address register encodes bits 33-2 of a 34-bit physical address for
RV32, as shown in <<pmpaddr-rv32>>. For RV64,
each PMP address register encodes bits 55-2 of a 56-bit physical
address, as shown in <<pmpaddr-rv64>>. Not all
physical address bits may be implemented, and so the `pmpaddr` registers
are *WARL*.
[NOTE]
====
The Sv32 page-based virtual-memory scheme described in
<<sv32>> supports 34-bit physical addresses for
RV32, so the PMP scheme must support addresses wider than XLEN for RV32.
The Sv39 and Sv48 page-based virtual-memory schemes described in
<<sv39>> and <<sv48>> support a
56-bit physical address space, so the RV64 PMP address registers impose
the same limit.
====
[[pmpaddr-rv32]]
.PMP address register format, RV32.
include::images/bytefield/pmpaddr-rv32.adoc[]
[[pmpaddr-rv64]]
.PMP address register format, RV64.
include::images/bytefield/pmpaddr-rv64.adoc[]
<<pmpcfg>> shows the layout of a PMP configuration
register. The R, W, and X bits, when set, indicate that the PMP entry
permits read, write, and instruction execution, respectively. When one
of these bits is clear, the corresponding access type is denied. The R,
W, and X fields form a collective *WARL* field for which the combinations with R=0 and W=1 are reserved. The remaining two fields, A and L, are described in the following sections.
[[pmpcfg]]
.PMP configuration register format.
include::images/bytefield/pmpcfg.adoc[]
Attempting to fetch an instruction from a PMP region that does not have
execute permissions raises an instruction access-fault exception.
Attempting to execute a load or load-reserved instruction which accesses
a physical address within a PMP region without read permissions raises a
load access-fault exception. Attempting to execute a store,
store-conditional, or AMO instruction which accesses a physical address
within a PMP region without write permissions raises a store
access-fault exception.
===== Address Matching
The A field in a PMP entry's configuration register encodes the
address-matching mode of the associated PMP address register. The
encoding of this field is shown in <<pmpcfg-a>>.
When A=0, this PMP entry is disabled and matches no addresses. Two other
address-matching modes are supported: naturally aligned power-of-2
regions (NAPOT), including the special case of naturally aligned
four-byte regions (NA4); and the top boundary of an arbitrary range
(TOR). These modes support four-byte granularity.
[[pmpcfg-a]]
.Encoding of A field in PMP configuration registers.
[%autowidth,float="center",align="center",cols=">,^,<",options="header"]
|===
|A |Name |Description
|0 +
1 +
2 +
3
|OFF +
TOR +
NA4 +
NAPOT
|Null region (disabled) +
Top of range +
Naturally aligned four-byte region +
Naturally aligned power-of-two region, ≥8
bytes
|===
NAPOT ranges make use of the low-order bits of the associated address
register to encode the size of the range, as shown in
<<pmpcfg-napot>>.
[[pmpcfg-napot]]
.`NAPOT` range encoding in PMP address and configuration registers.
[%autowidth,float="center",align="center",cols="^,^,<",options="header"]
|===
|`pmpaddr` |`pmpcfg`.A |Match type and size
|`yyyy...yyyy` +
`yyyy...yyy0` +
`yyyy...yy01` +
`yyyy...y011` +
... +
`yy01...1111` +
`y011...1111` +
`0111...1111` +
`1111...1111`
|NA4 +
NAPOT +
NAPOT +
NAPOT +
... +
NAPOT +
NAPOT +
NAPOT +
NAPOT
|4-byte NAPOT range +
8-byte NAPOT range +
16-byte NAPOT range +
32-byte NAPOT range +
… +
2^XLEN^-byte NAPOT range +
2^XLEN+1^-byte NAPOT range +
2^XLEN+2^-byte NAPOT range +
2^XLEN+3^-byte NAPOT range
|===
If TOR is selected, the associated address register forms the top of the
address range, and the preceding PMP address register forms the bottom
of the address range. If PMP entry __i__'s A field is set to
TOR, the entry matches any address _y_ such that `pmpaddr~i-1~`≤__y__<``pmpaddr~i~`` (irrespective of the value of `pmpcfg~i-1~`). If PMP entry 0's A field is set to TOR, zero is used for the lower bound, and so it matches
any address `y<pmpaddr~0~`.
[NOTE]
====
If `pmpaddr~i-1~≥``pmpaddr~i~``` and `pmpcfg~i~.A`=TOR, then PMP entry _i_ matches no addresses.
====
Although the PMP mechanism supports regions as small as four bytes,
platforms may specify coarser PMP regions. In general, the PMP grain is
latexmath:[$2^{G+2}$] bytes and must be the same across all PMP regions.
When latexmath:[$G \geq 1$], the NA4 mode is not selectable. When
latexmath:[$G \geq 2$] and latexmath:[${\tt pmpcfg}_i$].A[1] is set,
i.e. the mode is NAPOT, then bits latexmath:[${\tt pmpaddr}_i$][G-2:0]
read as all ones. When latexmath:[$G \geq 1$] and
latexmath:[${\tt pmpcfg}_i$].A[1] is clear, i.e. the mode is OFF or TOR,
then bits latexmath:[${\tt pmpaddr}_i$][G-1:0] read as all zeros. Bits
latexmath:[${\tt
pmpaddr}_i$][G-1:0] do not affect the TOR address-matching logic.
Although changing latexmath:[${\tt pmpcfg}_i$].A[1] affects the value
read from latexmath:[${\tt pmpaddr}_i$], it does not affect the
underlying value stored in that register—in particular,
latexmath:[${\tt pmpaddr}_i$][G-1] retains its original value when
latexmath:[${\tt pmpcfg}_i$].A is changed from NAPOT to TOR/OFF then
back to NAPOT.
[NOTE]
====
Software may determine the PMP granularity by writing zero to `pmp0cfg`, then writing all ones to `pmpaddr0`, then reading back `pmpaddr0`. If _G_ is the index of the least-significant bit set, the PMP granularity is 2^G+2^ bytes.
====
If the current XLEN is greater than MXLEN, the PMP address registers are
zero-extended from MXLEN to XLEN bits for the purposes of address
matching.
===== Locking and Privilege Mode
The L bit indicates that the PMP entry is locked, i.e., writes to the
configuration register and associated address registers are ignored.
Locked PMP entries remain locked until the hart is reset. If PMP entry
_i_ is locked, writes to ``pmp``__i__``cfg`` and ``pmpaddr``__i__ are ignored. Additionally, if PMP
entry _i_ is locked and ``pmp``__i__``cfg.A`` is set
to TOR, writes to ``pmpaddr``__i__-1 are ignored.
[NOTE]
====
Setting the L bit locks the PMP entry even when the A field is set to
OFF.
====
In addition to locking the PMP entry, the L bit indicates whether the
R/W/X permissions are enforced on M-mode accesses. When the L bit is
set, these permissions are enforced for all privilege modes. When the L
bit is clear, any M-mode access matching the PMP entry will succeed; the
R/W/X permissions apply only to S and U modes.
===== Priority and Matching Logic
PMP entries are statically prioritized. The lowest-numbered PMP entry
that matches any byte of an access determines whether that access
succeeds or fails. The matching PMP entry must match all bytes of an
access, or the access fails, irrespective of the L, R, W, and X bits.
For example, if a PMP entry is configured to match the four-byte range
`0xC`–`0xF`, then an 8-byte access to the range `0x8`–`0xF` will fail,
assuming that PMP entry is the highest-priority entry that matches those
addresses.
If a PMP entry matches all bytes of an access, then the L, R, W, and X
bits determine whether the access succeeds or fails. If the L bit is
clear and the privilege mode of the access is M, the access succeeds.
Otherwise, if the L bit is set or the privilege mode of the access is S
or U, then the access succeeds only if the R, W, or X bit corresponding
to the access type is set.
If no PMP entry matches an M-mode access, the access succeeds. If no PMP
entry matches an S-mode or U-mode access, but at least one PMP entry is
implemented, the access fails.
[NOTE]
====
If at least one PMP entry is implemented, but all PMP entries’ A fields
are set to OFF, then all S-mode and U-mode memory accesses will fail.
====
Failed accesses generate an instruction, load, or store access-fault
exception. Note that a single instruction may generate multiple
accesses, which may not be mutually atomic. An access-fault exception is
generated if at least one access generated by an instruction fails,
though other accesses generated by that instruction may succeed with
visible side effects. Notably, instructions that reference virtual
memory are decomposed into multiple accesses.
On some implementations, misaligned loads, stores, and instruction
fetches may also be decomposed into multiple accesses, some of which may
succeed before an access-fault exception occurs. In particular, a
portion of a misaligned store that passes the PMP check may become
visible, even if another portion fails the PMP check. The same behavior
may manifest for stores wider than XLEN bits (e.g., the FSD instruction
in RV32D), even when the store address is naturally aligned.
[[pmp-vmem]]
==== Physical Memory Protection and Paging
The Physical Memory Protection mechanism is designed to compose with the
page-based virtual memory systems described in
<<supervisor>>. When paging is enabled,
instructions that access virtual memory may result in multiple
physical-memory accesses, including implicit references to the page
tables. The PMP checks apply to all of these accesses. The effective
privilege mode for implicit page-table accesses is S.
Implementations with virtual memory are permitted to perform address
translations speculatively and earlier than required by an explicit
memory access, and are permitted to cache them in address translation
cache structures—including possibly caching the identity mappings from
effective address to physical address used in Bare translation modes and
M-mode. The PMP settings for the resulting physical address may be
checked (and possibly cached) at any point between the address
translation and the explicit memory access. Hence, when the PMP settings
are modified, M-mode software must synchronize the PMP settings with the
virtual memory system and any PMP or address-translation caches. This is
accomplished by executing an SFENCE.VMA instruction with _rs1_=`x0` and
_rs2_=`x0`, after the PMP CSRs are written.
See <<hyp-mm-fences>> for additional synchronization requirements when the
hypervisor extension is implemented.
If page-based virtual memory is not implemented, memory accesses check
the PMP settings synchronously, so no SFENCE.VMA is needed.
|