Machine: propagate xRET type and add privilege flags illegal instruction checks

Decode MRET/SRET/URET in the decode stage, carry the return
type through the interstage registers, and pass it
to ControlState::exception_return in the memory stage.
Extend instruction metadata with privilege flags (IMF_PRIV_M/H/S)
for privileged operations and use them for masking.

Author: nemecad

src/machine/core.cpp

@@ -127,6 +127,27 @@ Xlen Core::get_xlen() const {
 
 void Core::set_current_privilege(CSR::PrivilegeLevel privilege) {
     state.set_current_privilege(privilege);
+    const unsigned PRIV_BITS = unsigned(IMF_PRIV_M) | unsigned(IMF_PRIV_H) | unsigned(IMF_PRIV_S);
+
+    InstructionFlags base_mask = InstructionFlags(unsigned(check_inst_flags_mask) & ~PRIV_BITS);
+    InstructionFlags base_val = InstructionFlags(unsigned(check_inst_flags_val)  & ~PRIV_BITS);
+
+    unsigned allowed_priv = 0;
+    if (privilege >= CSR::PrivilegeLevel::SUPERVISOR) {
+        allowed_priv |= unsigned(IMF_PRIV_S);
+    }
+    if (privilege >= CSR::PrivilegeLevel::HYPERVISOR) {
+        allowed_priv |= unsigned(IMF_PRIV_H);
+    }
+    if (privilege >= CSR::PrivilegeLevel::MACHINE) {
+        allowed_priv |= unsigned(IMF_PRIV_M);
+    }
+    unsigned disallowed_priv = (PRIV_BITS & ~allowed_priv);
+    InstructionFlags new_mask = InstructionFlags(unsigned(base_mask) | disallowed_priv);
+    InstructionFlags new_val = base_val;
+
+    check_inst_flags_mask = new_mask;
+    check_inst_flags_val  = new_val;
 }
 
 CSR::PrivilegeLevel Core::get_current_privilege() const {
@@ -317,7 +338,18 @@ DecodeState Core::decode(const FetchInterstage &dt) {
     ExceptionCause excause = dt.excause;
 
     dt.inst.flags_alu_op_mem_ctl(flags, alu_op, mem_ctl);
-
+    CSR::PrivilegeLevel inst_xret_priv = CSR::PrivilegeLevel::UNPRIVILEGED;
+    if (flags & IMF_XRET) {
+        if (flags & IMF_PRIV_M) {
+            inst_xret_priv = CSR::PrivilegeLevel::MACHINE;
+        } else if (flags & IMF_PRIV_H) {
+            inst_xret_priv = CSR::PrivilegeLevel::HYPERVISOR;
+        } else if (flags & IMF_PRIV_S) {
+            inst_xret_priv = CSR::PrivilegeLevel::SUPERVISOR;
+        } else {
+            inst_xret_priv = CSR::PrivilegeLevel::UNPRIVILEGED;
+        }
+    }
     if ((flags ^ check_inst_flags_val) & check_inst_flags_mask) { excause = EXCAUSE_INSN_ILLEGAL; }
 
     RegisterId num_rs = (flags & (IMF_ALU_REQ_RS | IMF_ALU_RS_ID)) ? dt.inst.rs() : 0;
@@ -333,7 +365,7 @@ DecodeState Core::decode(const FetchInterstage &dt) {
 
     CSR::Address csr_address = (flags & IMF_CSR) ? dt.inst.csr_address() : CSR::Address(0);
     RegisterValue csr_read_val
-        = ((control_state != nullptr && (flags & IMF_CSR))) ? control_state->read(csr_address) : 0;
+        = ((control_state != nullptr && (flags & IMF_CSR))) ? control_state->read(csr_address, get_current_privilege()) : 0;
     bool csr_write = (flags & IMF_CSR) && (!(flags & IMF_CSR_TO_ALU) || (num_rs != 0));
 
     if ((flags & IMF_EXCEPTION) && (excause == EXCAUSE_NONE)) {
@@ -393,6 +425,7 @@ DecodeState Core::decode(const FetchInterstage &dt) {
                                 .csr_to_alu = bool(flags & IMF_CSR_TO_ALU),
                                 .csr_write = csr_write,
                                 .xret = bool(flags & IMF_XRET),
+                                .xret_privlev = inst_xret_priv,
                                 .insert_stall_before = bool(flags & IMF_CSR) } };
 }
 
@@ -463,6 +496,7 @@ ExecuteState Core::execute(const DecodeInterstage &dt) {
                  .csr = dt.csr,
                  .csr_write = dt.csr_write,
                  .xret = dt.xret,
+                 .xret_privlev = dt.xret_privlev,
              } };
 }
 
@@ -523,11 +557,12 @@ MemoryState Core::memory(const ExecuteInterstage &dt) {
     if (control_state != nullptr && dt.is_valid && dt.excause == EXCAUSE_NONE) {
         control_state->increment_internal(CSR::Id::MINSTRET, 1);
         if (dt.csr_write) {
-            control_state->write(dt.csr_address, dt.alu_val);
+            control_state->write(dt.csr_address, dt.alu_val, get_current_privilege());
             csr_written = true;
         }
         if (dt.xret) {
-            CSR::PrivilegeLevel restored = control_state->exception_return(get_current_privilege());
+            CSR::PrivilegeLevel restored =
+                control_state->exception_return(get_current_privilege(), dt.xret_privlev);
             set_current_privilege(restored);
             if (this->xlen == Xlen::_32)
                 computed_next_inst_addr
@@ -577,6 +612,7 @@ MemoryState Core::memory(const ExecuteInterstage &dt) {
                  .regwrite = regwrite,
                  .is_valid = dt.is_valid,
                  .csr_written = csr_written,
+                 .xret_privlev = dt.xret_privlev,
              } };
 }
 

src/machine/core.h

@@ -115,8 +115,8 @@ class Core : public QObject {
         Address mem_ref_addr);
 
     const Xlen xlen;
-    const InstructionFlags check_inst_flags_val;
-    const InstructionFlags check_inst_flags_mask;
+    InstructionFlags check_inst_flags_val;
+    InstructionFlags check_inst_flags_mask;
     BORROWED Registers *const regs;
     BORROWED CSR::ControlState *const control_state;
     BORROWED BranchPredictor *const predictor;

src/machine/csr/controlstate.cpp

@@ -55,16 +55,22 @@ namespace machine { namespace CSR {
         }
     }
 
-    RegisterValue ControlState::read(Address address) const {
-        // Only machine level privilege is supported so no checking is needed.
+    RegisterValue ControlState::read(Address address, PrivilegeLevel current_priv) const {
         size_t reg_id = get_register_internal_id(address);
+        PrivilegeLevel required = address.get_privilege_level();
+        if (current_priv < required) {
+            throw SIMULATOR_EXCEPTION(
+                UnsupportedInstruction,
+                QString("CSR address %1 not accessible at current privilege level.").arg(address.data),
+                "");
+        }
         RegisterValue value = register_data[reg_id];
         DEBUG("Read CSR[%u] == 0x%" PRIx64, address.data, value.as_u64());
         emit read_signal(reg_id, value);
         return value;
     }
 
-    void ControlState::write(Address address, RegisterValue value) {
+    void ControlState::write(Address address, RegisterValue value, PrivilegeLevel current_priv) {
         DEBUG(
             "Write CSR[%u/%zu] <== 0x%zu", address.data, get_register_internal_id(address),
             value.as_u64());
@@ -74,6 +80,15 @@ namespace machine { namespace CSR {
                 UnsupportedInstruction,
                 QString("CSR address %1 is not writable.").arg(address.data), "");
         }
+
+        PrivilegeLevel required = address.get_privilege_level();
+        if (current_priv < required) {
+            throw SIMULATOR_EXCEPTION(
+                UnsupportedInstruction,
+                QString("CSR address %1 not writable at current privilege level.").arg(address.data),
+                "");
+        }
+
         write_internal(get_register_internal_id(address), value);
     }
 
@@ -190,11 +205,11 @@ namespace machine { namespace CSR {
         emit write_signal(reg_id, reg);
     }
 
-    PrivilegeLevel ControlState::exception_return(enum PrivilegeLevel act_privlev) {
+    PrivilegeLevel ControlState::exception_return(enum PrivilegeLevel act_privlev, enum PrivilegeLevel xret_privlev) {
         size_t reg_id = Id::MSTATUS;
         RegisterValue &reg = register_data[reg_id];
         PrivilegeLevel restored_privlev = PrivilegeLevel::MACHINE;
-        if (act_privlev == PrivilegeLevel::MACHINE) {
+        if (xret_privlev == PrivilegeLevel::MACHINE) {
             // MRET semantics:
             //   MIE  <- MPIE
             //   MPIE <- 1
@@ -212,7 +227,7 @@ namespace machine { namespace CSR {
             default: restored_privlev = PrivilegeLevel::UNPRIVILEGED; break;
             }
             write_field(Field::mstatus::MPP, (uint64_t)0); // clear MPP per spec
-        } else if (act_privlev == PrivilegeLevel::SUPERVISOR) {
+        } else if (xret_privlev == PrivilegeLevel::SUPERVISOR) {
             // SRET semantics:
             //   SIE  <- SPIE
             //   SPIE <- 1
@@ -229,6 +244,12 @@ namespace machine { namespace CSR {
             restored_privlev = PrivilegeLevel::UNPRIVILEGED;
         }
 
+        // If the instruction was executed in M-mode and the restored privilege is less-privileged
+        // than M, clear MPRV per the privileged spec.
+        if (act_privlev == PrivilegeLevel::MACHINE && restored_privlev != PrivilegeLevel::MACHINE) {
+            write_field(Field::mstatus::MPRV, (uint64_t)0);
+        }
+
         emit write_signal(reg_id, reg);
 
         return restored_privlev;

src/machine/csr/controlstate.h

@@ -99,7 +99,7 @@ namespace machine { namespace CSR {
         ControlState(const ControlState &);
 
         /** Read CSR register with ISA specified address. */
-        [[nodiscard]] RegisterValue read(Address address) const;
+        [[nodiscard]] RegisterValue read(Address address, PrivilegeLevel current_priv) const;
 
         /**
          * Read CSR register with an internal id.
@@ -110,7 +110,7 @@ namespace machine { namespace CSR {
         [[nodiscard]] RegisterValue read_internal(size_t internal_id) const;
 
         /** Write value to CSR register by ISA specified address and receive the previous value. */
-        void write(Address address, RegisterValue value);
+        void write(Address address, RegisterValue value, PrivilegeLevel current_priv);
 
         /** Used for writes occurring as a side-effect (instruction count update...) and
          * internally by the write method. */
@@ -150,7 +150,7 @@ namespace machine { namespace CSR {
     public slots:
         void set_interrupt_signal(uint irq_num, bool active);
         void exception_initiate(PrivilegeLevel act_privlev, PrivilegeLevel to_privlev);
-        PrivilegeLevel exception_return(enum PrivilegeLevel act_privlev);
+        PrivilegeLevel exception_return(enum PrivilegeLevel act_privlev, enum PrivilegeLevel xret_privlev);
 
     private:
         static size_t get_register_internal_id(Address address);
@@ -211,6 +211,7 @@ namespace machine { namespace CSR {
             static constexpr RegisterFieldDesc MIE = { "MIE", Id::MSTATUS, {1, 3}, "Machine global interrupt-enable"};
             static constexpr RegisterFieldDesc SPIE = { "SPIE", Id::MSTATUS, {1, 5}, "Previous SIE before the trap"};
             static constexpr RegisterFieldDesc MPIE = { "MPIE", Id::MSTATUS, {1, 7}, "Previous MIE before the trap"};
+            static constexpr RegisterFieldDesc MPRV = { "MPRV", Id::MSTATUS, {1, 17}, "Modify privilege for loads/stores/fetches" };
             static constexpr RegisterFieldDesc SPP = { "SPP", Id::MSTATUS, {1, 8}, "System previous privilege mode"};
             static constexpr RegisterFieldDesc MPP = { "MPP", Id::MSTATUS, {2, 11}, "Machine previous privilege mode"};
             static constexpr RegisterFieldDesc UXL = { "UXL", Id::MSTATUS, {2, 32}, "User mode XLEN (RV64 only)"};

src/machine/instruction.cpp

@@ -464,7 +464,7 @@ static const struct InstructionMap SYSTEM_PRIV_map[] = {
     IM_UNKNOWN,
     IM_UNKNOWN,
     IM_UNKNOWN,
-    {"sret", IT_I, NOALU, NOMEM, nullptr, {}, 0x10200073, 0xffffffff, { .flags = IMF_SUPPORTED | IMF_XRET }, nullptr},
+    {"sret", IT_I, NOALU, NOMEM, nullptr, {}, 0x10200073, 0xffffffff, { .flags = IMF_SUPPORTED | IMF_XRET | IMF_PRIV_S }, nullptr},
     IM_UNKNOWN,
     IM_UNKNOWN,
     IM_UNKNOWN,
@@ -480,7 +480,7 @@ static const struct InstructionMap SYSTEM_PRIV_map[] = {
     IM_UNKNOWN,
     IM_UNKNOWN,
     IM_UNKNOWN,
-    {"mret", IT_I, NOALU, NOMEM, nullptr, {}, 0x30200073, 0xffffffff, { .flags = IMF_SUPPORTED | IMF_XRET }, nullptr},
+    {"mret", IT_I, NOALU, NOMEM, nullptr, {}, 0x30200073, 0xffffffff, { .flags = IMF_SUPPORTED | IMF_XRET | IMF_PRIV_M }, nullptr},
     IM_UNKNOWN,
     IM_UNKNOWN,
     IM_UNKNOWN,
@@ -749,6 +749,27 @@ void Instruction::flags_alu_op_mem_ctl(
     flags = (enum InstructionFlags)im.flags;
     alu_op = im.alu;
     mem_ctl = im.mem_ctl;
+    if (flags & IMF_CSR) {
+        machine::CSR::Address csr = csr_address();
+        uint32_t csr12 = csr.data & 0xfffu;
+        uint32_t min_bits = (csr12 >> 8) & 0x3u; // csr[9:8]
+        switch (min_bits) {
+            case 0u:
+                // User (no extra flag required)
+                break;
+            case 1u:
+                flags = InstructionFlags(flags | IMF_PRIV_S);
+                break;
+            case 2u:
+                flags = InstructionFlags(flags | IMF_PRIV_H);
+                break;
+            case 3u:
+                flags = InstructionFlags(flags | IMF_PRIV_M);
+                break;
+            default:
+                break;
+        }
+    }
 }
 
 bool Instruction::operator==(const Instruction &c) const {

src/machine/instruction.h

@@ -60,6 +60,11 @@ enum InstructionFlags : unsigned {
     // TODO do we want to add those signals to the visualization?
 
     IMF_RV64 = 1L << 24, /**< Mark instructions which are available in 64-bit mode only. */
+
+    /* Privilege requirement flags */
+    IMF_PRIV_S = 1L << 25, /**< Requires at least Supervisor privilege */
+    IMF_PRIV_H = 1L << 26, /**< Requires at least Hypervisor privilege */
+    IMF_PRIV_M = 1L << 27, /**< Requires Machine privilege */
 };
 
 /**

src/machine/pipeline.h

@@ -116,7 +116,8 @@ struct DecodeInterstage {
     bool csr = false;         // Zicsr, implies csr read and csr write
     bool csr_to_alu = false;
     bool csr_write = false;
-    bool xret = false; // Return from exception, MRET and SRET
+    bool xret = false;        // Return from exception, MRET and SRET
+    CSR::PrivilegeLevel xret_privlev = CSR::PrivilegeLevel::UNPRIVILEGED;
     bool insert_stall_before = false;
 
 public:
@@ -179,6 +180,7 @@ struct ExecuteInterstage {
     bool csr = false;
     bool csr_write = false;
     bool xret = false;
+    CSR::PrivilegeLevel xret_privlev = CSR::PrivilegeLevel::UNPRIVILEGED;
 
 public:
     /** Reset to value corresponding to NOP. */
@@ -245,6 +247,7 @@ struct MemoryInterstage {
     bool regwrite = false;
     bool is_valid = false;
     bool csr_written = false;
+    CSR::PrivilegeLevel xret_privlev = CSR::PrivilegeLevel::UNPRIVILEGED;
 
 public:
     /** Reset to value corresponding to NOP. */