Add 4-byte alignment check on pc in branching instructions

rvgo/fast/vm.go

@@ -631,6 +631,11 @@ func (inst *InstrumentedState) riscvStep() (outErr error) {
 			// So it's really 13 bits with a hardcoded 0 bit.
 			pc = add64(pc, imm)
 		}
+
+		if pc&3 != 0 { // quick target alignment check
+			revertWithCode(riscv.ErrNotAlignedAddr, fmt.Errorf("pc %d not aligned with 4 bytes", pc))
+		}
+
 		// not like the other opcodes: nothing to write to rd register, and PC has already changed
 		setPC(pc)
 	case 0x13: // 001_0011: immediate arithmetic and logic

rvgo/slow/vm.go

@@ -804,6 +804,11 @@ func Step(calldata []byte, po PreimageOracle) (stateHash common.Hash, outErr err
 			// So it's really 13 bits with a hardcoded 0 bit.
 			pc = add64(pc, imm)
 		}
+
+		if and64(pc, toU64(3)) != (U64{}) { // quick target alignment check
+			revertWithCode(riscv.ErrNotAlignedAddr, fmt.Errorf("pc %d not aligned with 4 bytes", pc))
+		}
+
 		// not like the other opcodes: nothing to write to rd register, and PC has already changed
 		setPC(pc)
 	case 0x13: // 001_0011: immediate arithmetic and logic

rvsol/src/RISCV.sol

@@ -1206,6 +1206,12 @@ contract RISCV is IBigStepper {
                     // So it's really 13 bits with a hardcoded 0 bit.
                     _pc := add64(_pc, imm)
                 }
+
+                if and64(_pc, toU64(3)) {
+                    // quick target alignment check
+                    revertWithCode(0xbad10ad0) // target not aligned with 4 bytes
+                }
+
                 // not like the other opcodes: nothing to write to rd register, and PC has already changed
                 setPC(_pc)
             }

rvsol/test/RISCV.t.sol

@@ -2034,7 +2034,7 @@ contract RISCV_Test is CommonTest {
     function test_beq_succeeds() public {
         uint16 imm = 0x19cd;
         uint32 insn = encodeBType(0x63, 0, 23, 20, imm); // beq x23, x20, offset
-        (State memory state, bytes memory proof) = constructRISCVState(0x139a, insn);
+        (State memory state, bytes memory proof) = constructRISCVState(0x139c, insn);
         state.registers[23] = 0x2152;
         state.registers[20] = 0x2152;
         bytes memory encodedState = encodeState(state);
@@ -2060,7 +2060,7 @@ contract RISCV_Test is CommonTest {
     }
 
     function test_bne_succeeds() public {
-        uint16 imm = 0x1d7e;
+        uint16 imm = 0x1d7c;
         uint32 insn = encodeBType(0x63, 1, 20, 26, imm); // bne x20, x26, offset
         (State memory state, bytes memory proof) = constructRISCVState(0x1afc, insn);
         state.registers[20] = 0x14b6;
@@ -2144,9 +2144,9 @@ contract RISCV_Test is CommonTest {
     }
 
     function test_bltu_succeeds() public {
-        uint16 imm = 0x171d;
+        uint16 imm = 0x171c;
         uint32 insn = encodeBType(0x63, 6, 13, 22, imm); // bltu x13, x22, offset
-        (State memory state, bytes memory proof) = constructRISCVState(0x2e3a, insn);
+        (State memory state, bytes memory proof) = constructRISCVState(0x2e3c, insn);
         state.registers[13] = 0xa0cc;
         state.registers[22] = 0xffffffff_ffff795c;
         bytes memory encodedState = encodeState(state);
@@ -2174,7 +2174,7 @@ contract RISCV_Test is CommonTest {
     function test_bgeu_succeeds() public {
         uint16 imm = 0x14b5;
         uint32 insn = encodeBType(0x63, 7, 7, 16, imm); // bgeu x7, x16, offset
-        (State memory state, bytes memory proof) = constructRISCVState(0x296a, insn);
+        (State memory state, bytes memory proof) = constructRISCVState(0x296c, insn);
         state.registers[7] = 0xffffffff_ffff35e5;
         state.registers[16] = 0x7c3c;
         bytes memory encodedState = encodeState(state);