Merge pull request #88 from riscv/issue/62

add check for pa width during MTT walk

chapter4.adoc

@@ -233,49 +233,61 @@ supervisor domain are ascertained as follows:
 is 2^12^; MTT_PTE_SIZE = 8 bytes (for RV32, MTT_PTE_SIZE = 4 bytes). The `mttp`
 register must be active, i.e., the effective privilege mode must not be M-mode.
 
-2. Let _mpte_ be the value of the `MTT` table entry at address _a_ + _pa.pn[i]_
+2. If _pa_ is greater than maximum-addressable physical address under the
+current MTT mode, or is greater than a platform-defined maximum-addressable
+physical address for the hart, then stop and raise an access-fault exception
+corresponding to the original access type.
+
+[NOTE]
+====
+Restricting the _pa_ to the maximum-addressable PA width supported by a platform
+allows for optimizing memory requirements of the MTT structures such as the
+MTTL2 and MTTL3 entry tables, when the PA width is not 34, 46, or 56 bits.
+====
+
+3. Let _mpte_ be the value of the `MTT` table entry at address _a_ + _pa.pn[i]_
  x MTT_PTE_SIZE. If accessing _mpte_ violates a PMA or PMP check, raise
 an access-fault exception corresponding to the original access type.
 
-3. If any bits or encodings that are reserved for future standard use are
+4. If any bits or encodings that are reserved for future standard use are
 set within _mpte_, stop and raise an access-fault exception corresponding to
 the original access type.
 
-4. Otherwise, the _mpte_ is valid. If (_i_=1) or (_i_=2 and _mpte.type_ is not
-`MTT_L1_DIR`), go to step 5. Otherwise, the _mpte_ is a pointer to the next
+5. Otherwise, the _mpte_ is valid. If (_i_=1) or (_i_=2 and _mpte.type_ is not
+`MTT_L1_DIR`), go to step 6. Otherwise, the _mpte_ is a pointer to the next
 level of the `MTT`. Let _i_ = _i_-1. Let _a_ = _mpte.ppn_ x PAGESIZE and go to
-step 2. Note that when _mpte.type_ = `MTT_L1_DIR`, the _mpte.ppn_ is the value
+step 3. Note that when _mpte.type_ = `MTT_L1_DIR`, the _mpte.ppn_ is the value
 of the _mpte.info_ field.
 
-5. A leaf _mpte_ has been found. If any bits or encodings within _mpte.type_
+6. A leaf _mpte_ has been found. If any bits or encodings within _mpte.type_
 and _mpte.info_ that are reserved for future standard use, per
 <<Smmtt-rw-l2-encoding>>, are set within _mpte_, stop and raise an access-fault
 exception corresponding to the access type.
 
-6. The _mpte_ is a valid leaf _mpte_. Fetch the access-permissions for the
+7. The _mpte_ is a valid leaf _mpte_. Fetch the access-permissions for the
 physical address per the steps described below:
 
 * if _i_=2, and the _mpte.type_ field directly specifies the access-permissions
 for 1 GiB page regions (via 32 MTTL2 entries with identical _mpte.type_ values -
-see <<Smmtt-rw-l2-encoding>>); go to step 7, else
+see <<Smmtt-rw-l2-encoding>>); go to step 8, else
 
 * if _i_=2, and for XLEN = 64 and the _mpte.type_ field value `2M_PAGES`, the
 _mpte.info_[31:0] field contains 16 entries of 2-bit access-permission encodings
 for 16 2 MiB address regions; For XLEN=32 and _mpte.type_ field value of
 `4M_PAGES`, the _mpte.info_[16:0] field contains 8 entries of 2-bit
 access-permission encodings for 8 4 MiB regions - see <<Smmtt-rw-l2-encoding>>;
-go to step 7, else
+go to step 8, else
 
 * if _i_=1, the _mpte_ contains XLEN/4 4-bit entries that hold access-permission
 encodings for 4 KiB pages. The entry is selected by _pa.pn[0]_. The least
 significant 2 bits of each entry specify the access-permission encoding for the
 _pa_. The encodings are specified in <<Smmtt-rw-l1-encoding>>.
 
-7. Determine if the requested physical memory access is allowed per the
+8. Determine if the requested physical memory access is allowed per the
 access-permissions. If access is not permitted, stop and raise an access-fault
 exception corresponding to the original access type.
 
-8. The access is allowed per the `MTT` lookup.
+9. The access is allowed per the `MTT` lookup.
 
 All implicit accesses to the memory tracking table data structures in
 this algorithm are performed using width MTT_PTE_SIZE.
@@ -302,7 +314,7 @@ MTT is checked for all accesses to physical memory, unless the effective privile
 mode is M, including accesses that have undergone virtual to physical memory
 translation, but excluding MTT checker accesses to MTT structures. Data accesses
 in M-mode when the MPRV bit in mstatus is set and the MPP field in mstatus contains S
-or U are subject to MTT checks. MTT checker accesses to MTT structures are to be 
+or U are subject to MTT checks. MTT checker accesses to MTT structures are to be
 treated as implicit M-mode accesses and are subject to PMP/Smepmp and
 IOPMP checks. The MTT checker indexes the MTT using the
 physical address of the access to lookup and enforce the access permissions.