For a prefetch abort, the return address is: R14_abt = address of the aborted instruction + 4
and for a data abort, the return address is: R14_abt = address of the aborted instruction + 8
These offsets are due to the processor's pipelining and the fetch/decode/execute stages.
The processor's program counter (PC) is updated at specific points during execution. Exceptions can occur during different phases of fetching/decoding/execution.
In the case of the prefetch abort, the instruction cannot be (has not been) executed; the exception occurs only when the processor actually attempts to execute the instruction (some prefetched instructions may not be executed).
In the case of the data abort, the instruction is being executed, and the instruction's execution causes the exception.
From the ARM documentation:
Regarding prefetch abort:
[The prefetch abort exception] Occurs when the processor attempts to execute an instruction that has been prefetched from an illegal address, that is, an address that the memory management subsystem has determined is inaccessible to the processor in its current mode.
... Instructions already in the pipeline continue to execute until the invalid instruction is reached, at which point a prefetch abort is generated.
... because the program counter is not updated at the time the prefetch abort is issued, lr_ABT points to the instruction following the one that caused the exception. The handler must return to lr_ABT – 4.
And regarding the data abort:
[The Data Abort exception] Occurs when a data transfer instruction attempts to load or store data at an illegal address.
When a load or store instruction tries to access memory, the program counter has been updated. A stored value of (pc – 4) in lr_ABT points to the second instruction beyond the address where the exception was generated. When the MMU has loaded the appropriate address into physical memory, the handler should return to the original, aborted instruction so that a second attempt can be made to execute it. The return address is therefore two words (eight bytes) less than that in lr_ABT.
So in other words, for the data abort, the handler must return to lr_ABT – 8 (two words/instructions previous)
I don't remember seeing an official explanation, but if you think about it, it's pretty logical.
Let's consider this example:
00000 INSN1 [PC = 08]
00004 INSN2 [PC = 0C]
00008 INSN3 [PC = 10]
If the processor can't fetch INSN3, the abort happens before executing it, so the PC value is still the one of INSN2, i.e. 0C.
If a data abort happens during execution of INSN3, the PC value is already updated to 10.
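The three-instruction example above, run through a small constructed model of the ARM 3-stage pipeline. This is an added illustration, not code from either answer or from ARM: the struct names, the `pipeline_run` / `abort_return_address` functions and the toy MMU window are all inventions for this example. It encodes only what the quoted documentation states (PC reads addr + 8 in execute, LR_abt = pc – 4, PC not yet advanced for a prefetch abort, advanced one word further for a data abort) and shows that the handler's `SUBS PC, LR, #4` / `SUBS PC, LR, #8` both land back on the aborted instruction.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed model of a 3-stage ARM pipeline (fetch/decode/execute).
 * Not real hardware or vendor code; every name here is an invention
 * for this illustration. ARM state, 4-byte instructions. */

enum insn_kind { INSN_ALU, INSN_LOAD, INSN_STORE };

struct insn {
    uint32_t addr;          /* address of the instruction itself */
    enum insn_kind kind;
    uint32_t data_addr;     /* only meaningful for loads/stores */
};

enum abort_kind { ABORT_NONE, ABORT_PREFETCH, ABORT_DATA };

struct abort_info {
    enum abort_kind kind;
    uint32_t faulting_insn; /* address of the instruction that aborted */
    uint32_t lr_abt;        /* what the core leaves in R14_abt */
    size_t   executed;      /* instructions completed before the abort */
};

/* Toy MMU: one address range [bad_lo, bad_hi) is inaccessible. */
struct mmu { uint32_t bad_lo, bad_hi; };

static int mmu_inaccessible(const struct mmu *m, uint32_t a)
{
    return a >= m->bad_lo && a < m->bad_hi;
}

/* Run the program until it finishes or an abort is taken. In the execute
 * stage the PC register reads addr + 8 (two more words already fetched). */
static struct abort_info pipeline_run(const struct insn *prog, size_t n,
                                      const struct mmu *m)
{
    struct abort_info r = { ABORT_NONE, 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        uint32_t pc_execute = in->addr + 8;

        /* Prefetch abort: the bad fetch was flagged earlier, but the abort
         * is only raised when the instruction reaches execute, so every
         * earlier instruction has completed. The PC has not advanced past
         * this instruction: LR = pc - 4 = addr + 4. */
        if (mmu_inaccessible(m, in->addr)) {
            r.kind = ABORT_PREFETCH;
            r.faulting_insn = in->addr;
            r.lr_abt = pc_execute - 4;
            return r;
        }

        /* Data abort: the instruction is executing and its data access
         * fails. The PC has already moved on one word (to addr + 12), so
         * LR = pc - 4 = addr + 8, two words past the instruction. */
        if ((in->kind == INSN_LOAD || in->kind == INSN_STORE) &&
            mmu_inaccessible(m, in->data_addr)) {
            r.kind = ABORT_DATA;
            r.faulting_insn = in->addr;
            r.lr_abt = (pc_execute + 4) - 4;
            return r;
        }
        r.executed++;
    }
    return r;
}

/* What the handler's last instruction does: SUBS PC, LR, #4 for a prefetch
 * abort, SUBS PC, LR, #8 for a data abort. Both retry the aborted insn. */
static uint32_t abort_return_address(enum abort_kind k, uint32_t lr_abt)
{
    return k == ABORT_PREFETCH ? lr_abt - 4 : lr_abt - 8;
}

/* The three-instruction program from the example above (constructed). */
static const struct insn example_prog[] = {
    { 0x00, INSN_ALU,  0 },       /* INSN1, PC reads 0x08 in execute */
    { 0x04, INSN_ALU,  0 },       /* INSN2, PC reads 0x0C */
    { 0x08, INSN_LOAD, 0x2000 },  /* INSN3, PC reads 0x10 */
};

struct abort_info example_prefetch_abort(void)
{
    struct mmu m = { 0x08, 0x0C };      /* INSN3's own word is unmapped */
    return pipeline_run(example_prog, 3, &m);
}

struct abort_info example_data_abort(void)
{
    struct mmu m = { 0x2000, 0x3000 };  /* INSN3's load target is unmapped */
    return pipeline_run(example_prog, 3, &m);
}

uint32_t handler_return(struct abort_info a) { return abort_return_address(a.kind, a.lr_abt); }

int main(void)
{
    struct abort_info p = example_prefetch_abort();
    struct abort_info d = example_data_abort();
    printf("prefetch abort: lr_abt=0x%02X return=0x%02X (%zu executed)\n",
           p.lr_abt, handler_return(p), p.executed);
    printf("data abort:     lr_abt=0x%02X return=0x%02X (%zu executed)\n",
           d.lr_abt, handler_return(d), d.executed);
    return 0;
}
```

Running it prints lr_abt=0x0C for the prefetch abort and lr_abt=0x10 for the data abort, with both handler returns landing on 0x08 (INSN3) and INSN1/INSN2 having completed in both cases, matching the two answers.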