
[BUG] Jump to Misaligned Address Fails to Trigger Exception

Open riscv914 opened this issue 1 year ago • 1 comments

Is there an existing CVA6 bug for this?

  • [X] I have searched the existing bug issues

Bug Description

In RISC-V, jumps to misaligned instruction addresses should trigger a misaligned fetch exception. However, in the latest CVA6 core, attempting to jump to a misaligned address does not throw an exception. For example, a jump to 0x80000005 should trigger a misaligned fetch exception. Instead, the core executes the instruction without generating the expected exception. This vulnerability allows code to execute from misaligned addresses without raising an exception, leading to potential instability or undefined behavior.

To reproduce, execute the following instructions:

#include <stdint.h>

int main(void){
    uintptr_t rd_value;  /* link register value written back by jalr */
    void (*misaligned_jump)(void) = (void (*)(void)) (uintptr_t) 0x80000005;  /* Misaligned jump address */
    /* jalr rd, 0(rs1): jump to the misaligned target; the issue reports that no exception is raised */
    asm volatile ("jalr %0, 0(%1)" : "=r" (rd_value) : "r" (misaligned_jump));
    return 0;
}
- Spike version: `1.1.1-dev`
- version: `CVA6 commit: f974e105bf88cf81c32f55789b0baab4fe4d16c9`
- OS: `CentOS Linux release 7.9.2009 kernel: 5.15.0-78-generic`
- Simulator: `VCS_2023`

riscv914 avatar Sep 22 '24 22:09 riscv914

Thanks @riscv914 for this discovery. @AyoubJalali @ASintzoff Have you already tested it, or maybe it was planned? In any case, do you confirm the issue?

JeanRochCoulon avatar Oct 09 '24 13:10 JeanRochCoulon

@AyoubJalali We are cleaning the "Github Issues". Do you confirm the issue?

JeanRochCoulon avatar Jan 02 '25 16:01 JeanRochCoulon

If you try to jump to a virtual address 0x8000_0005: in the RISC-V spec, the jump and branch instructions clear the first bit of the target address (target_address[0] == 0) to align it to a half-word (this is hard-coded in the code), so an RTL configuration that supports the Compressed extension is never going to trigger this kind of exception (misaligned address).

But you can try a target address that is not word-aligned (for example 0x8000_000e) with a configuration that doesn't support the Compressed extension; in this case you should succeed in triggering the exception, and if not, you have a bug.

AyoubJalali avatar Jan 02 '25 18:01 AyoubJalali
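The two comments above (the original report's 0x80000005 and the suggested 0x8000_000e without the Compressed extension) are easy to mis-reason about, so here is a small software reference model of the spec behaviour being described. This is an added example, not CVA6 RTL and not code from anyone in this thread; the function names (`jalr_target`, `target_misaligned`, `jalr_raises`) and the `ext_c` flag standing in for "Compressed extension enabled" are assumptions of the example. It models JALR resolving its target as rs1 + sext(imm12) with bit 0 cleared, then checking the result against IALIGN (16 bits with C, 32 without) to decide whether instruction-address-misaligned would be raised:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical reference model (added example; not CVA6 RTL) of how a RISC-V
 * hart resolves a JALR target and decides whether the taken jump raises
 * instruction-address-misaligned. `ext_c` models whether the Compressed
 * extension is enabled, which sets IALIGN to 16 bits instead of 32.
 */

/* JALR target: rs1 + sign-extended 12-bit immediate, with bit 0 forced to zero. */
uint64_t jalr_target(uint64_t rs1, int32_t imm12)
{
    return (rs1 + (uint64_t)(int64_t)imm12) & ~(uint64_t)1;
}

/* Instruction-address-misaligned is raised when the target is not IALIGN-aligned:
 * 2 bytes with the Compressed extension, 4 bytes without it. */
bool target_misaligned(bool ext_c, uint64_t target)
{
    uint64_t ialign_bytes = ext_c ? 2 : 4;
    return (target & (ialign_bytes - 1)) != 0;
}

/* Models "jalr rd, imm12(rs1)" and returns true if the jump traps instead of
 * redirecting fetch. Because bit 0 is cleared first, an odd rs1 such as
 * 0x80000005 lands on 0x80000004 and never traps, on either configuration. */
bool jalr_raises(bool ext_c, uint64_t rs1, int32_t imm12)
{
    return target_misaligned(ext_c, jalr_target(rs1, imm12));
}

int main(void)
{
    /* Constructed cases: the address from the bug report, the one suggested in
     * the thread, and an aligned control value. */
    const uint64_t cases[] = { 0x80000005ULL, 0x8000000eULL, 0x80000004ULL };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t t = jalr_target(cases[i], 0);
        printf("jalr rs1=0x%llx -> target 0x%llx  with C: %s  without C: %s\n",
               (unsigned long long)cases[i], (unsigned long long)t,
               jalr_raises(true, cases[i], 0) ? "trap" : "ok",
               jalr_raises(false, cases[i], 0) ? "trap" : "ok");
    }
    return 0;
}
```

Running the model shows why the original reproduction cannot observe a trap on any configuration (the odd bit is discarded before the alignment check), while 0x8000_000e is half-word aligned but not word aligned, so it traps only when the Compressed extension is absent. A testbench check for the reported behaviour should therefore drive a target with bit 1 set on a non-C configuration and expect the exception there.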

Thanks @AyoubJalali for the clarification

JeanRochCoulon avatar Jan 02 '25 22:01 JeanRochCoulon