MP.RT.inv+dmb+ctrl-trfi

Description

It seems that write forwarding should not allowed down speculative paths. Allowing it could be problematic, as forwarding in a non-taken path from a write to the translate for a read would make it possible for the read to read from device memory, which the device could observe.

Source

[download toml source]
Page table setup Code
physical pa1 pa2; w |-> invalid; w ?-> pa1; x |-> pa1; *pa1 = 0; y |-> pa2; identity 0x1000 with code;
Thread 0
{R0=extz(0b1, 64), R1=x, R2=extz(0b1, 64), R3=y}
STR X0,[X1] DMB SY STR X2,[X3]
Thread 1
{R1=y, R2=mkdesc3(oa=pa1), R3=pte3(w, page_table_base), R5=w, VBAR_EL1=extz(0x1000, 64), PSTATE.SP=0b0, PSTATE.EL=0b00}
LDR X0,[X1] CBZ X0,LC00 LC00: STR X2,[X3] LDR X4,[X5]
thread1_el1_handler
MOV X4,#2 MRS X13,ELR_EL1 ADD X13,X13,#4 MSR ELR_EL1,X13 ERET
Final State
1:X0 = 1 & 1:X4=0

Execution Diagrams

Results

ETS MP.RT.inv+dmb+ctrl-trfi forbidden (0 of 4) 6144ms
strong MP.RT.inv+dmb+ctrl-trfi forbidden (0 of 4) 6011ms

Command-line invocation

isla-axiomatic --arch=/path/to/rems-project/isla-snapshots/aarch64.ir --config=/path/to/rems-project/isla/configs/aarch64_mmu_on.toml --footprint-config=/path/to/rems-project/isla/configs/aarch64.toml --model=/path/to/rems-project/systems-isla-tests/models/aarch64_mmu_strong_ETS.cat --armv8-page-tables --check-sat-using "(then dt2bv qe simplify solve-eqs bv)" --remove-uninteresting safe --dot . -t /path/to/litmus-tests/litmus-tests-armv8a-system-vmsa/tests/pgtable/HAND/MP.RT.inv+dmb+ctrl-trfi.litmus.toml

To generate diagrams we use model aarch64_mmu_no_axioms.cat to get diagrams of forbidden executions. To generate LaTeX sources of each test, pass --latex=.