Reset state

pc = 0x80000000 · all xreg = 0
x11 = 0x1020 (DTB ptr for Linux)
privilege = PRIV_MACHINE (3)

Memory model

Single flat 128 MiB uint8_t heap.
Address bit 31 distinguishes RAM from MMIO.
addr & 0x7FFFFFFF = physical offset.

ins_ret — result bus

write_reg / write_val — rd writeback
pc_val — next PC
csr_write / csr_val — CSR update
trap — exception/IRQ signal

Why masks?

Different instructions occupy different bit fields. A single opcode byte isn't enough — funct3 and funct7 disambiguate. Each switch uses a mask that exposes only the relevant discriminator bits.

7 mask stages

• 0x0000007f — opcode only (lui, jal)
• 0x0000707f — opcode + funct3 (addi, lw…)
• 0xf800707f — AMO ops
• 0xfc00707f — shift immediates
• 0xfe00707f — R-type arithmetic
• 0xfe007fff — sfence.vma
• 0xffffffff — exact match (ecall, mret…)

AS_SIGNED / AS_UNSIGNED reinterpret bits without conversion — pointer cast trick to avoid UB via *(int32_t*)&val.

Noop default

insReturnNoop() zeroes the struct and sets pc_val = pc + 4. Instruction handlers only populate fields they affect — most only call WR_RD.

Commit phase

After insSelect() returns, emulate() commits all side-effects: apply write_reg, advance pc, write CSR, then call handleIrqAndTrap() to check for exceptions.

x0 hard-wired zero

write_reg == 0 → write is silently discarded at commit time. No special casing inside instruction implementations needed.

Address space layout

• 0x000–0x0FF — User CSRs (U-mode)
• 0x100–0x1FF — Supervisor CSRs
• 0x300–0x3FF — Machine CSRs
• 0xC00–0xCFF — User read-only counters

Key registers

• MSTATUS 0x300 — global interrupt enable, MPP/SPP
• MTVEC 0x305 — trap handler address
• MEPC 0x341 — return address after trap
• MCAUSE 0x342 — trap cause code
• MIE/MIP 0x304/0x344 — enable/pending
• MIDELEG 0x303 — delegate to S-mode

The 0x000de162 mask

Exposes only the SSTATUS-legal bits of MSTATUS: SD, MXR, SUM, XS, FS, SPP, SPIE, SIE. M-mode bits (MPP, MPIE, MIE) are hidden from S-mode.

0x222 delegation mask (SIE/SIP)

Bit pattern 0b001000100010 exposes only SEIP (bit 9), STIP (bit 5), SSIP (bit 1) — the supervisor-visible interrupt bits within MIE/MIP.

No separate storage

SSTATUS, SIE, SIP have no backing storage. They're computed on read and written back as masked updates to the M-mode registers. One source of truth.

Pre-read in insSelect

Before any instruction runs, ins_FormatCSR.value is populated by calling getCsr(). Instructions receive the old value in ins.value — enabling atomic semantics.

Atomicity model

Read happens before dispatch. Write is committed via WR_CSR in the result struct after the instruction returns. The old value goes to rd simultaneously — true read-modify-write with no window.

Immediate variants

CSRRWI / CSRRSI / CSRRCI use a 5-bit zero-extended immediate from ins.rs instead of a register value. Same atomic semantics, different source.

Called every instruction

After commit, handleIrqAndTrap(&ret) checks: did the instruction raise a trap? Are any interrupts pending and enabled?

Priority: traps first

If ret.trap.en is set, skip IRQ scan — handle the synchronous exception. IRQs only checked when no synchronous trap fired.

MIP scan order

MEIP → MSIP → MTIP → SEIP → SSIP → STIP — first match wins. MIP bit is cleared after handling.

TVEC modes

TVEC[1:0] == 0 → Direct: all traps jump to base.
TVEC[1:0] != 0 → Vectored: jump to base + 4 × cause. Vectored mode lets the hardware jump directly to per-interrupt handlers without a dispatch table in software.

MSTATUS update

MIE → saved to MPIE, then MIE = 0 (disable further IRQs).
Current privilege → saved to MPP.
Privilege → new_privilege.
mret reverses this: MPIE→MIE, MPP→privilege.

Memory-mapped registers

• 0x02000000 — MSIP (software IRQ)
• 0x02004000 — MTIMECMP lo
• 0x02004004 — MTIMECMP hi
• 0x0200BFF8 — MTIME lo
• 0x0200BFFC — MTIME hi

Timer interrupt flow

1. OS writes MTIMECMP = MTIME + period
2. Hardware increments MTIME each cycle (via clint_state)
3. When MTIME >= MTIMECMP: MIP.MTIP = 1
4. handleIrqAndTrap() detects MIP_MTIP & MIE.MTIE
5. Trap to MTVEC with cause = trap_MachineTimerInterrupt

Byte-level access

memGetByte / memSetByte have case-per-byte entries for all 8 CLINT registers. Little-endian: byte 0 at base, byte 3 at base+3. 64-bit time split across two 32-bit registers.

Packed registers

Two u32s hold 8 UART registers, each accessed via UART_GET1/2 + shift macros.
rbr_thr_ier_iir: RBR·THR·IER·IIR
lcr_mcr_lsr_scr: LCR·MCR·LSR·SCR

IIR update rule

RBR != 0 && IER.RXINT → IIR_RD_AVAILABLE (4)
THR == 0 && IER.THRE → IIR_THR_EMPTY (2)
Otherwise → IIR_NO_INTERRUPT (7)

SEIP path

uart.interrupting = true → emu.cpp sets MIP.SEIP → handleIrqAndTrap fires trap_SupervisorExternalInterrupt.

Steps

1. Read Elf32_Ehdr (52 bytes)
2. Verify ELFMAG magic
3. Reject ELF64 (not supported)
4. Read all e_shnum section headers
5. Filter SHT_PROGBITS sections
6. Copy each section to data[sh_addr & 0x7FFFFFFF]

Address stripping

ELF virtual addresses start at 0x80000000. Masking with 0x7FFFFFFF gives the physical offset into the 128 MiB flat buffer — byte 0 of RAM.

Bit-31 fast path

memGetByte first asserts addr & 0x80000000. After the MMIO switch table falls through, the final check is return mem[addr & 0x7FFFFFFF] — no branches for the hot path.

DTB access

Device Tree Blob is read from a separate pointer (cpu.dtb), mapped at 0x1020. x11 is pre-set to this address on reset following the Linux boot protocol.

Write path

memSetByte mirrors the structure: same MMIO addresses in a switch. UART writes to THR trigger uartUpdateIir() immediately. CLINT writes update the packed 32-bit fields byte-by-byte.

Emulated peripherals

No DMA, no PCI, no GPU. Just CLINT (timer + software IRQ) and UART 16550-compatible serial port — enough to boot Linux with a console.

make all

Compiles src/*.cpp + ImGui + ImPlot + disassembler. Flags: g++ -std=c++17 -O2 -Wall. Links SDL2 + OpenGL + Cocoa/IOKit (macOS) or libGL + SDL2 (Linux). Output: build/rve.

make run

Builds then launches ./build/rve with no extra flags — GUI mode (SDL2 + ImGui). Emulator paused on start. Load a binary from the UI or pass -e <elf> / -b <bin>.

make isas

Runs all 60 ISA compliance tests: ./build/rve -re <test> per binary. -r = auto-start (emu.running=true), -e <file> = load ELF. All 60 tests must exit cleanly.

make linuxn

Downloads linux-6.1.14-rv32nommu image, then: ./build/rve -n -b Image. Flag -n = headless — no SDL window, pure terminal I/O. stdin set to raw mode so keystrokes go directly to guest UART.

make linux

Same image download, then: ./build/rve -r -b Image. Opens GUI window and auto-starts emulator (-r sets emu.running=true). Linux UART output visible in the ImGui console panel.

Entry point split

main.cpp: if -n → runHeadless() tight loop (while (emu.running) emu.emulate()). Otherwise → App SDL2 window + ImGui render loop calling emu.emulate() each frame.

Test suites — 60 total

• rv32ui-p-* — RV32I integer (43): add/sub/load/store/branch/jump/lui/auipc…
• rv32um-p-* — RV32M multiply/divide (8): mul/mulh/div/rem…
• rv32ua-p-* — RV32A atomics (9): amoswap/amoadd/amoand/lrsc…
• rv32mi/si-p-* — Machine/Supervisor CSR tests

Binary format

Each is a bare-metal ELF32 loaded at 0x80000000. No OS, no MMU (-p- = physical-only mode). Test runs in M-mode with no trap delegation. Exercises raw instruction semantics.

Pass / fail mechanism

Pass: test writes 0x55 to SYSCON at 0x11100000 → syscon_cmd = 0x5555 → emulator prints SYSCON POWEROFF and halts. Fail: any illegal instruction trap or loop timeout before SYSCON write.

Dump files

Each test ships with a *.dump disassembly, excluded from the run by filter-out %.dump. Cross-reference the dump with a failing PC to locate the broken instruction.

Image format

Not an ELF — a flat binary: Linux 6.1.14 rv32nommu kernel + BusyBox initramfs. Load address is 0x80000000; loading at buffer offset 0 is identical since 0x80000000 & 0x7FFFFFFF = 0.

Device Tree Blob (DTB)

A compiled .dtb mapped at mem[0x1020] via a separate cpu.dtb pointer. Describes the machine: 1 hart at 100 MHz, RAM at 0x80000000 (128 MiB), UART at 0x10000000, CLINT at 0x02000000.

RISC-V Linux boot ABI

Standard convention: a0 = hart ID, a1 = physical DTB address. Kernel entry reads DTB immediately to discover memory map, configure UART and CLINT drivers, then starts the scheduler. No firmware (BBL/OpenSBI) layer needed — kernel boots directly in M-mode.

4 KiB page PA

PPN[1]<<22 | PPN[0]<<12 | offset[11:0]

4 MiB superpage

Leaf at level 0; PPN[0] must be 0 (else fault).
PPN[1]<<22 | VPN[0]<<12 | offset[11:0]

Page fault types

• InstructionPageFault (12) — fetch failed
• LoadPageFault (13) — data read failed
• StorePageFault (15) — data write failed

All set ret.trap.en and propagate through handleIrqAndTrap(). Delegated to S-mode if MEDELEG bit is set — kernel's page fault handler runs.

A & D bit requirement

Hardware does not auto-set A or D bits — the OS must set them before a page is accessed. Any access to A=0, or write to D=0, faults identically to a permission failure and must be handled by the kernel.

nommu Linux — zero MMU cost

rv32nommu kernel never executes csrw satp. mmu.mode stays MMU_MODE_OFF = 0 for the entire run. Every memory access hits the first branch and returns the physical address immediately — the full Sv32 walk code is compiled in but never reached at runtime.

FCSR — Control & Status Register

Bits [7:5]: frm — rounding mode (RNE · RTZ · RDN · RUP · RMM)
Bits [4:0]: fflags — exception flags (NV · DZ · OF · UF · NX)
Accessible as CSR_FFLAGS (0x001), CSR_FRM (0x002), CSR_FCSR (0x003)

RV32F — Single Precision

• FADD/FSUB/FMUL/FDIV/FSQRT — arithmetic
• FMADD/FMSUB/FNMADD/FNMSUB — fused multiply-add
• FSGNJ/FSGNJN/FSGNJX — sign injection
• FMIN/FMAX — IEEE 754-2008 minNum/maxNum
• FEQ/FLT/FLE — compare → integer result
• FCVT.W.S / FCVT.S.W — int ↔ float convert

RV32D — Double Precision

• Same arithmetic & FMA ops as F on 64-bit doubles
• FCVT.D.S / FCVT.S.D — widen / narrow
• FCVT.W.D / FCVT.D.W — int ↔ double convert
• Shares freg[32] — no extra register file

ISA Tests

All rv32{f,d} ISA tests pass. hello_linux printf of floats runs natively — musl libc soft-float helpers (__adddf3, __floatsidf) execute correctly via the F/D extensions.

10 Render Patterns

• SMPTE bars — broadcast colour reference
• HSV gradient / colour wheel — float hsv2rgb()
• Mandelbrot / Julia set — fixed-point 4.12 (int64 mul)
• Plasma — sin lookup table + interference
• 3-D wireframe cube — float rotation & perspective
• Sierpinski / Rings / Lissajous

Why it works

RVE's Linux kernel exposes /dev/fb0 via MMIO. The program uses standard POSIX calls (open / ioctl / write) — no special emulator hooks needed. The entire graphics stack runs as normal Linux userspace.

Float in action

hsv2rgb() uses fmodf / fabsf. The 3-D cube uses cosf / sinf for rotation and float perspective divide — all running as native RV32F instructions through the emulator's F-extension.