Prevalence of modifying PMP registers via CSR clear instructions in Ibex software

Ascertain how frequently RISC-V software targeting the Ibex core modifies Physical Memory Protection (PMP) registers using CSR clear instructions (e.g., CSRRC/CSRRCI) in practice, to clarify how often the discovered pipeline-flush hazard could be encountered in real code paths.

Background

In the discussion of bugs uncovered during verification, the authors describe a vanilla Ibex issue affecting instruction-fetch PMP checks: if PMP registers are mutated using a CSR clear instruction, the pipeline is not flushed, so the fetch check for the next instruction can be performed against stale PMP settings. Although they provide a mitigation (compilers must flush, or otherwise ensure the PMP change has taken effect, before the affected regions are accessed), they note uncertainty about how often software actually uses CSR clear instructions to modify PMP registers.

This uncertainty about real-world usage patterns directly affects the practical risk of the issue: if modifying PMP via CSR clear is common in toolchains or firmware targeting Ibex, the bug’s impact could be more significant; if it is rare, the risk may be limited. The authors explicitly state that the likelihood of this pattern is unclear, leaving an unresolved question about its prevalence in practice.
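One way to start answering the prevalence question is to audit binaries directly: scan objdump-style disassembly for CSR instructions whose target is a PMP CSR and separate the clear-form writes (csrrc/csrrci and their csrc/csrci aliases) from other writes and from reads. The script below is an added example, not code from the paper or the Ibex project. It assumes the operand layout objdump uses for RISC-V (CSR second in full forms, first in write-only aliases), treats csrrs/csrrc with a zero source and csrrsi/csrrci with a zero immediate as reads (per the RISC-V CSR rules, those forms do not write), and runs over a constructed disassembly fragment whose instruction encodings the parser never decodes.

```python
import re
from collections import Counter

# PMP CSR numbers from the RISC-V privileged spec: pmpcfg0-3 (0x3A0-0x3A3)
# and pmpaddr0-15 (0x3B0-0x3BF). Ibex implements up to 16 regions.
PMP_CSR_RANGES = ((0x3A0, 0x3A3), (0x3B0, 0x3BF))
PMP_CSR_NAMES = {f"pmpcfg{i}": 0x3A0 + i for i in range(4)}
PMP_CSR_NAMES.update({f"pmpaddr{i}": 0x3B0 + i for i in range(16)})
CSR_NAME_OF = {num: name for name, num in PMP_CSR_NAMES.items()}

# Full forms carry rd first, so the CSR is operand index 1; the write-only
# aliases (csrw/csrs/csrc/...) put the CSR first.
FULL_FORMS = {"csrrw", "csrrs", "csrrc", "csrrwi", "csrrsi", "csrrci", "csrr"}
ALIAS_FORMS = {"csrw", "csrs", "csrc", "csrwi", "csrsi", "csrci"}
CLEAR_FORMS = {"csrrc", "csrrci", "csrc", "csrci"}
SET_CLEAR_REG = {"csrrs", "csrrc", "csrs", "csrc"}
SET_CLEAR_IMM = {"csrrsi", "csrrci", "csrsi", "csrci"}

# "<addr>:<tab><encoding><tab><mnemonic> <operands>" as printed by objdump -d.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+):\s+[0-9a-fA-F]+\s+(\S+)\s*(.*?)\s*$")


def csr_number(token):
    """Resolve a CSR operand (pmp* name or 0x hex literal) to its number, else None."""
    tok = token.strip().lower()
    if tok in PMP_CSR_NAMES:
        return PMP_CSR_NAMES[tok]
    if tok.startswith("0x"):
        try:
            return int(tok, 16)
        except ValueError:
            return None
    return None  # other named CSRs (mstatus, ...) are not PMP registers


def is_pmp_csr(num):
    return num is not None and any(lo <= num <= hi for lo, hi in PMP_CSR_RANGES)


def parse_disassembly(text):
    """Return one record per CSR instruction that touches a PMP CSR."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # symbol labels, blank lines, section headers
        addr, mnem, operands = m.group(1), m.group(2).lower(), m.group(3)
        if mnem not in FULL_FORMS and mnem not in ALIAS_FORMS:
            continue
        ops = [o.strip() for o in operands.split(",")]
        csr_idx = 1 if mnem in FULL_FORMS else 0
        if len(ops) <= csr_idx:
            continue
        num = csr_number(ops[csr_idx])
        if not is_pmp_csr(num):
            continue
        src = ops[csr_idx + 1] if len(ops) > csr_idx + 1 else None
        # Forms that never write the CSR: csrr, and set/clear with a zero source.
        no_write = (
            mnem == "csrr"
            or (mnem in SET_CLEAR_REG and src in ("zero", "x0"))
            or (mnem in SET_CLEAR_IMM and src == "0")
        )
        kind = "read" if no_write else ("clear" if mnem in CLEAR_FORMS else "write")
        records.append({"addr": addr, "mnemonic": mnem, "csr": num, "kind": kind})
    return records


def summarize(records):
    """Count PMP CSR operations by kind and list every clear-form write site."""
    kinds = Counter(r["kind"] for r in records)
    return {
        "pmp_csr_ops": len(records),
        "clear_writes": kinds["clear"],
        "other_writes": kinds["write"],
        "reads": kinds["read"],
        "clear_sites": [
            (r["addr"], r["mnemonic"], CSR_NAME_OF.get(r["csr"], hex(r["csr"])))
            for r in records if r["kind"] == "clear"
        ],
    }


# Constructed sample in objdump -d layout (not from any real Ibex firmware).
# Encodings are illustrative only; the parser keys on mnemonics and operands.
SAMPLE_DISASM = """\
00000100 <pmp_setup>:
     100:	3b051073          	csrw	pmpaddr0,a0
     104:	3a032073          	csrs	pmpcfg0,t1
     108:	3a02b073          	csrc	pmpcfg0,t0
     10c:	3a1635f3          	csrrc	a1,pmpcfg1,a2
     110:	3a227073          	csrci	0x3a2,4
     114:	3a002573          	csrr	a0,pmpcfg0
     118:	3a303573          	csrrc	a0,pmpcfg3,zero
     11c:	3002b073          	csrc	mstatus,t0
     120:	0000100f          	fence.i
     124:	00008067          	ret
"""

if __name__ == "__main__":
    summary = summarize(parse_disassembly(SAMPLE_DISASM))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Pointing the script at `riscv32-unknown-elf-objdump -d firmware.elf` output gives a per-binary count of clear-form PMP writes, which is the figure the open question asks for; the `clear_sites` list is the set of locations a reviewer would check for an intervening flush. Note that the line at `110` uses a numeric CSR (some toolchains print unnamed CSRs that way) and is still classified, while the `csrrc a0,pmpcfg3,zero` at `118` is correctly counted as a read rather than a hazardous write.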

References

It is unclear how likely changing PMP registers with CSR clear instructions is.

Comprehensive Formal Verification of Observational Correctness for the CHERIoT-Ibex Processor (2502.04738 - Ploix et al., 7 Feb 2025) in Section: Design Bugs Revealed (vanilla Ibex PMP bug)