[Bug Report] Rocket incorrectly masks lower bits of mtvec, causing misdirected exception handler jump
Our fuzzing methodology uncovered anomalous behavior in Rocket f517abb, using Spike as the reference model.
Test Case Description:
At pc = 0x80000054, the mepc is 0x8000005e, which corresponds to an illegal instruction. As a result, the processor should jump to the address according to mtvec.BASE & mtvec.MODE for exception handling. As shown in the figure, mtval = 0x8000fa79 (in Spike).
But Rocket incorrectly jumped to the wrong address, pc = 0x8000fa04.
The corresponding test cases and waveform files are available in files.zip. The issue was reproduced in FireSim, version 72690b07c, and the corresponding waveform was collected for analysis.
If any information is missing, please feel free to point it out. We sincerely appreciate your feedback.
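
For triaging this kind of reference-model mismatch, the following added example (not part of the original report, and not Rocket or Spike code) computes the trap target from the mtvec layout in the RISC-V privileged specification and reports how many low-order bits of the observed pc differ from it. It assumes the 0x8000fa79 value quoted in the report is the mtvec contents; the function names are hypothetical.

```python
# Added example: trap-target check against the mtvec layout in the
# RISC-V privileged specification (MODE = bits [1:0], BASE = upper bits).
MODE_DIRECT, MODE_VECTORED = 0, 1
CAUSE_ILLEGAL_INSTRUCTION = 2


def trap_target(mtvec: int, cause: int, is_interrupt: bool) -> int:
    """Return the pc a hart should take on a trap into M-mode."""
    mode = mtvec & 0x3
    base = mtvec & ~0x3  # BASE is always at least 4-byte aligned
    if mode == MODE_DIRECT:
        return base
    if mode == MODE_VECTORED:
        # Only interrupts are vectored; synchronous exceptions go to BASE.
        return base + 4 * cause if is_interrupt else base
    raise ValueError(f"reserved mtvec.MODE value {mode}")


def triage(mtvec: int, cause: int, is_interrupt: bool, observed_pc: int) -> dict:
    """Compare the pc a DUT took after a trap with the expected target."""
    expected = trap_target(mtvec, cause, is_interrupt)
    diff = expected ^ observed_pc
    return {
        "mode": mtvec & 0x3,
        "expected_pc": expected,
        "observed_pc": observed_pc,
        "match": diff == 0,
        # Number of low-order bits spanned by the mismatch (0 if none).
        "differing_low_bits": diff.bit_length(),
    }


if __name__ == "__main__":
    # Values quoted in the report; treating 0x8000fa79 as mtvec is an assumption.
    result = triage(0x8000FA79, CAUSE_ILLEGAL_INSTRUCTION, False, 0x8000FA04)
    print("mode:", result["mode"])
    print("expected pc:", hex(result["expected_pc"]))
    print("observed pc:", hex(result["observed_pc"]))
    print("match:", result["match"])
    print("differing low bits:", result["differing_low_bits"])
```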