How about using a helper function (not sure what the best name is though) for the simple case where it just depends on an extension being enabled?

existsIfEnabled(Ext_S) or accessibleIfEnabled(Ext_S)?

Either of these sound good to me. I think it might also make sense to have a variant for the *h CSRs to avoid complicated if then else

So currently these have exactly the same effect? What will the difference be in future? I think we need a comment for that.

CSRNotExist at least doesn't feel like the right name here, even if it is the right behaviour. The CSR can still exist, but just be temporarily inaccessible if supervisor mode is disabled for example.

I guess you could say it effectively doesn't exist at that time... maybe we can think of a better name. Probably the names should refer to the actual effect that returning them has, but as it is the same at the moment I don't know what to suggest.

then we use CSRNotEffective and CSREffectiveIfEnabled(Ext_S)? And only use CSRNotExist in fallback.

How is this different from CSRAccessIllegal? I think those two cases could be merged?

I am just thinking out loud here but CSRAccessIllegal could mean in the current context that U-mode is accessing an M-mode CSR or that the CSR does not exist, or writing into a read-only CSR. CSRNotEnabled would apply if FP or vector CSRs are currently disabled, so the CSR exists but access is not permitted at the moment. But my thoughts do not match the comments in the code above.

I guess both of those are just a special case of the "illegal" case. Do we need to distinguish this for anything other than improved logging? Looking at the current diff, handling those specializations adds significant extra logic that could be simpler otherwise:

function clause is_CSR_accessible(0xC02, priv, _) = if currentlyEnabled(Ext_Zicntr) then
                                                        if currentlyEnabled(Ext_Zicntr) & counter_enabled(2, priv) then CSRAccessSuccess else CSRAccessIllegal
                                                    else CSRNotEnabled // instret

Could just be

function clause is_CSR_accessible(0xC02, priv, _) = CSREnabledIf(Ext_Zicntr, counter_enabled(2, priv)) // instret

I do think it's valuable to differentiate CSRAccessIllegal and CSRNotDefined, since the trace can then show "access to unknown CSR" and for CSRAccessIllegal "access constraints not met" or similar.

Another reason for the distinction is that there are a few CSRs that are explicitly defined to throw illegal instruction exceptions, but the general case of accessing an undefined CSR is implementation dependent. Right now the model throws an illegal instruction exception, but it is equally legal to not take a trap and just continue execution.

I agree this is confusing and I'm not sure it makes sense to distinguish these cases until we actually do do something different with them (e.g. log them differently or abort on reserved behaviour).

Alternatively perhaps the behavioural and non-behavioural information could be split by turning it into an enum where the Illegal variant has a reason enum, or something like that.

I initially assumed that an external debugger would differentiate between these cases (see riscv/riscv-debug-spec#1140), but that does not seem to be the case (even though we could propagate this kind of information to an external debugger that certain CSR's are currently disabled if openocd plays along). Currently, we do not distinguish at all between not enabled and not implemented. I believe it would be beneficial to differentiate them for potential future use cases, logging as you described (or cases like the one @jordancarlin described).

I'm just a bit worried that because RISC-V itself doesn't make any distinction between them, and if we also don't make use of the distinction, then it's going to be really hard to tell what it actually means.

Adding a reason string would be a great solution. I've debugged issues in. Qemu in the past where a csr was incorrectly marked as inaccessible and if I'd had a trace telling me why I'm getting the illegal instruction fault that would have been so much easier to diagnose.

I'm just a bit worried that because RISC-V itself doesn't make any distinction between them, and if we also don't make use of the distinction, then it's going to be really hard to tell what it actually means.

Yeah I agree it could get messy pretty quickly.

I like your idea of passing the reason as an enum we could use internally/logging, without tying it to the spec itself.

For consistency with the other functions?

Maybe it's just me but I dont think we should check whether we access a read-only CSR (while performing a write, etc.) in check_CSR_priv(). This functions (according to the name) should only check whether we have the sufficient privileges. It might make sense to define a new function to check that?

I am curious what others think, but I feel it might be a bit unfortunate that we have two functions with the same signature, one overloaded and the other not. I understand the reasoning behind it, but I am not sure it would be immediately obvious to someone new contributing to the project.

They might have to dive deep into the code to notice the difference.

But to be honest, I dont have an alternative for now :D