exception caused when SS instructions access non-SS pages
ved-rivos committed Nov 2, 2023
1 parent dabacf9 commit 0ac708f
Showing 1 changed file with 24 additions and 18 deletions.
42 changes: 24 additions & 18 deletions cfi_backward.adoc
Expand Up @@ -786,15 +786,18 @@ page. When `menvcfg.SSE=0`, this encoding remains reserved. When `V=1` and

The following faults may occur:

. If the accessed page is a shadow stack page:
. If the accessed page is a shadow stack page (`pte.xwr=010b`):
.. Stores other than `SSAMOSWAP`, `SSPUSH`, and `C.SSPUSH` cause store/AMO
access-fault exception.
.. Implicit accesses cause an access-fault exception corresponding to the
original access type.
. If the accessed page is not a shadow stack page or if the page is in
non-idempotent memory:
. If the accessed page is read-write (`pte.xwr=?11b`) or execute-only
(`pte.xwr=100b`) page or if the page is in non-idempotent memory:
.. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO access-fault.
.. `C.SSPOPCHK` and `SSPOPCHK` cause a load access-fault.
. If the accessed page has read-only (`pte.xwr=001b`) permissions:
.. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO page-fault.
.. `C.SSPOPCHK` and `SSPOPCHK` cause a load page-fault.

[NOTE]
====
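Review bot: the rewritten second case (`pte.xwr=?11b` and `pte.xwr=100b`) is no longer exhaustive: a read-execute page (`pte.xwr=101b`) and the reserved `110b` encoding fall under neither this case nor the new read-only (`pte.xwr=001b`) case, whereas the removed wording ("not a shadow stack page") covered every non-shadow-stack encoding. Suggest stating it as a complement, e.g. "If the accessed page is not a shadow stack page and does not have read-only (`pte.xwr=001b`) permissions, or if the page is in non-idempotent memory:", or at least listing `101b` next to `100b`. Minor: "is read-write ... or execute-only ... page" reads better as "is a read-write ... or an execute-only ... page".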
Expand All @@ -818,9 +821,15 @@ On implementations where address-misaligned exception is prioritized higher than
access-fault exception, a trap handler that emulates misaligned stores must
cause an access-fault exception if store is being made to a shadow stack page.
Shadow stack instructions cause an access-fault if the accessed page is not a
shadow stack page or if the page is in non-idempotent memory to similarly
indicate fatality.
Shadow stack instructions cause an access-fault if the accessed page is
read-writeable or is executable or if the page is in non-idempotent memory to
similarly indicate fatality.
Shadow stack instructions cause a page-fault if the accessed page is read-only
to support copy-on-write (COW) of a shadow stack page. If the page had been
marked as read-only due to the page being tracked for COW, the page fault
handler, in response to the page fault, creates a copy of the page and updates
the `pte.xwr` to `010b` to designate the each copy as a shadow stack page.
While the specification mandates that an access-fault exception shall be
generated when either single-stage or VS-stage address translation is invoked
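Review bot: "to designate the each copy" has a stray "the". The same paragraph says "read-writeable or is executable", while the fault list above says read-write (`pte.xwr=?11b`) or execute-only (`pte.xwr=100b`); the two places should use the same wording so it is clear which encodings raise the access-fault. The COW text also describes only the path where the page is being tracked for COW; a sentence on what the handler does when a read-only page is not COW-tracked (the page-fault is then a genuine error to be reported, not a page to copy) would close the gap, since a read-only page now yields a page-fault rather than the access-fault that signals fatality.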
Expand All @@ -847,14 +856,14 @@ cite:[PRIV] is modified as follows:
PAGESIZE` and go to step 2.

5. A leaf PTE has been found. If the memory access is by a shadow stack
instruction and `pte.xwr != 010b`, then cause an access-fault exception
corresponding to the access type. If the memory access is either a
non-shadow-stack store/AMO or an implicit access, and `pte.xwr == 010b`, then
an access-fault exception is raised, corresponding to the original access type.
If the requested memory access is not allowed by the `pte.r`, `pte.w`, `pte.x`,
and `pte.u` bits, given the current privilege mode and the value of the `SUM`
and `MXR` fields of the `mstatus` register, stop and raise a page-fault
exception corresponding to the original access type.
instruction and `pte.xwr != 010b` or `pte.xwr != 001b`, then cause an
access-fault exception corresponding to the access type. If the memory access
is either a non-shadow-stack store/AMO or an implicit access, and
`pte.xwr == 010b`, then cause an access-fault exception corresponding to the
original access type. If the requested memory access is not allowed by the
`pte.r`, `pte.w`, `pte.x`, and `pte.u` bits, given the current privilege mode
and the value of the `SUM` and `MXR` fields of the `mstatus` register, stop
and raise a page-fault exception corresponding to the original access type.

The PMA checks are extended to require memory referenced by `SSAMOSWAP`, `SSPUSH`,
`C.SSPUSH`, `C.SSPOPCHK`, and `SSPOPCHK` to be idempotent.
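Review bot: the condition "`pte.xwr != 010b` or `pte.xwr != 001b`" is always true (any encoding differs from at least one of the two values), so as written every shadow stack access raises an access-fault; it should read "`pte.xwr != 010b` and `pte.xwr != 001b`", i.e. the page is neither a shadow stack page nor a read-only page. Separately, a shadow stack access to a `001b` page then falls through to the `pte.r`, `pte.w`, `pte.x`, `pte.u` check, where `SSPOPCHK` and `C.SSPOPCHK` would be permitted by `pte.r=1` instead of raising the load page-fault that the fault list in the first hunk specifies; step 5 needs an explicit clause that a shadow stack access to a page with `pte.xwr == 001b` raises a page-fault corresponding to the access type.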
Expand All @@ -881,10 +890,7 @@ Shadow stacks are expected to be bounded on each end using guard pages, so that
no two shadow stacks are adjacent to each other. This guards against accidentally
underflowing or overflowing from one shadow stack to another. Traditionally,
a guard page for a stack is a page that is inaccessible to the process owning
the stack. For shadow stacks, the guard page may also be a non-shadow-stack
page that is otherwise accessible to the process owning the shadow stack
because shadow stack loads and stores to non-shadow-stack pages cause an
access-fault exception.
the stack.
====

The G-stage address translation and protections remain unaffected by the Zicfiss
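Review bot: the removal leaves only the traditional definition of a guard page (a page inaccessible to the owning process) without saying what qualifies for a shadow stack. Given the change in the first hunk, a read-only non-shadow-stack page can no longer serve as a guard page, because the page-fault it raises is the same event the COW handler acts on; it would help to state explicitly that a shadow stack guard page must be inaccessible, or a non-shadow-stack, non-read-only page, which still produces the fatal access-fault.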