exception caused when SS instructions access non-SS pages

riscv · Nov 2, 2023 · 3e8b36a · 3e8b36a
1 parent c0195ba
commit 3e8b36a
Showing 1 changed file with 15 additions and 15 deletions.
diff --git a/cfi_backward.adoc b/cfi_backward.adoc
@@ -786,16 +786,16 @@ page. When `menvcfg.SSE=0`, this encoding remains reserved. When `V=1` and
 
 The following faults may occur:
 
-. If the accessed page is a shadow stack page:
+. If the accessed page is a shadow stack page (`pte.xwr=010b`):
 .. Stores other than `SSAMOSWAP`, `SSPUSH`, and `C.SSPUSH` cause store/AMO
    access-fault exception.
 .. Implicit accesses cause an access-fault exception corresponding to the
    original access type.
-. If the accessed page has write or execute permission or if the page is in
-  non-idempotent memory:
+. If the accessed page is read-write (`pte.xwr=?11b`) or execute-only
+  (`pte.xwr=100b`) page or if the page is in non-idempotent memory:
 .. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO access-fault.
 .. `C.SSPOPCHK` and `SSPOPCHK` cause a load access-fault.
-. If the accessed page has read-only permissions:
+. If the accessed page has read-only (`pte.xwr=001b`) permissions:
 .. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO page-fault.
 .. `C.SSPOPCHK` and `SSPOPCHK` cause a load page-fault.
 
@@ -821,9 +821,9 @@ On implementations where address-misaligned exception is prioritized higher than
 access-fault exception, a trap handler that emulates misaligned stores must
 cause an access-fault exception if store is being made to a shadow stack page.
 
-Shadow stack instructions cause an access-fault if the accessed page is writeable
-or executable or if the page is in non-idempotent memory to similarly indicate
-fatality.
+Shadow stack instructions cause an access-fault if the accessed page is
+read-writeable or is executable or if the page is in non-idempotent memory to
+similarly indicate fatality.
 
 Shadow stack instructions cause a page-fault if the accessed page is read-only
 to support copy-on-write (COW) of a shadow stack page. If the page had been
@@ -856,14 +856,14 @@ cite:[PRIV] is modified as follows:
    PAGESIZE` and go to step 2.
 
 5. A leaf PTE has been found. If the memory access is by a shadow stack
-   instruction and `pte.x == 1b` or `pte.w == 1b`, then cause an access-fault
-   exception corresponding to the access type. If the memory access is either a
-   non-shadow-stack store/AMO or an implicit access, and `pte.xwr == 010b`, then
-   cause an access-fault exception corresponding to the original access type.
-   If the requested memory access is not allowed by the `pte.r`, `pte.w`,
-   `pte.x`, and `pte.u` bits, given the current privilege mode and the value of
-   the `SUM` and `MXR` fields of the `mstatus` register, stop and raise a
-   page-fault exception corresponding to the original access type.
+   instruction and `pte.xwr != 010b` or `pte.xwr != 001b`, then cause an
+   access-fault exception corresponding to the access type. If the memory access
+   is either a non-shadow-stack store/AMO or an implicit access, and
+   `pte.xwr == 010b`, then cause an access-fault exception corresponding to the
+   original access type. If the requested memory access is not allowed by the
+   `pte.r`, `pte.w`, `pte.x`, and `pte.u` bits, given the current privilege mode
+   and the value of the `SUM` and `MXR` fields of the `mstatus` register, stop
+   and raise a page-fault exception corresponding to the original access type.
 
 The PMA checks are extended to require memory referenced by `SSAMOSWAP`, `SSPUSH`,
 `C.SSPUSH`, `C.SSPOPCHK`, and `SSPOPCHK` to be idempotent.