Re: [PATCH v3 1/3] target/riscv: Fix IALIGN check in misa write

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Nicholas Piggin <npiggin@gmail.com>
To: Chao Liu <chao.liu.zevorn@gmail.com>
Cc: Alistair Francis <alistair23@gmail.com>,
	qemu-riscv@nongnu.org,  Laurent Vivier <laurent@vivier.eu>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	 Alistair Francis <alistair.francis@wdc.com>,
	Weiwei Li <liwei1518@gmail.com>,
	 Daniel Henrique Barboza <dbarboza@ventanamicro.com>,
	Liu Zhiwei <zhiwei_liu@linux.alibaba.com>,
	qemu-devel@nongnu.org,  Joel Stanley <joel@jms.id.au>,
	Nicholas Joaquin <njoaquin@tenstorrent.com>,
	 Ganesh Valliappan <gvalliappan@tenstorrent.com>
Subject: Re: [PATCH v3 1/3] target/riscv: Fix IALIGN check in misa write
Date: Thu, 26 Mar 2026 16:29:22 +1000	[thread overview]
Message-ID: <acTSDKzeEb3bbv08@lima-default> (raw)
In-Reply-To: <acNYexbXVoMmUMPo@ZEVORN-PC.localdomain>

On Wed, Mar 25, 2026 at 11:40:18AM +0800, Chao Liu wrote:
> On Wed, Mar 25, 2026 at 01:26:56PM +1000, Alistair Francis wrote:
> > On Wed, Mar 25, 2026 at 1:09 PM Chao Liu <chao.liu.zevorn@gmail.com> wrote:
> > >
> > > On Sun, Mar 22, 2026 at 12:45:52AM +1000, Nicholas Piggin wrote:
> > > > The instruction alignment check for the C extension was inverted.
> > > > The new value should be checked for C bit clear (thus increasing
> > > > IALIGN). If IALIGN is incompatible, then the write to misa should
> > > > be suppressed, not just ignoring the update to the C bit.
> > > >
> > > > From the ISA:
> > > >
> > > >   Writing misa may increase IALIGN, e.g., by disabling the "C"
> > > >   extension. If an instruction that would write misa increases IALIGN,
> > > >   and the subsequent instruction’s address is not IALIGN-bit aligned,
> > > >   the write to misa is suppressed, leaving misa unchanged.
> > > >
> > > > This was found with a verification test generator based on RiESCUE.
> > > >
> > > > Reported-by: Nicholas Joaquin <njoaquin@tenstorrent.com>
> > > > Reported-by: Ganesh Valliappan <gvalliappan@tenstorrent.com>
> > > > Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> > > > ---
> > > >  target/riscv/csr.c                        | 16 ++++-
> > > >  tests/tcg/riscv64/Makefile.softmmu-target |  5 ++
> > > >  tests/tcg/riscv64/misa-ialign.S           | 88 +++++++++++++++++++++++
> > > >  3 files changed, 106 insertions(+), 3 deletions(-)
> > > >  create mode 100644 tests/tcg/riscv64/misa-ialign.S
> > > >
> > > > diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> > > > index 5064483917..91421a2dd8 100644
> > > > --- a/target/riscv/csr.c
> > > > +++ b/target/riscv/csr.c
> > > > @@ -2129,9 +2129,19 @@ static RISCVException write_misa(CPURISCVState *env, int csrno,
> > > >      /* Mask extensions that are not supported by this hart */
> > > >      val &= env->misa_ext_mask;
> > > >
> > > > -    /* Suppress 'C' if next instruction is not aligned. */
> > > > -    if ((val & RVC) && (get_next_pc(env, ra) & 3) != 0) {
> > > > -        val &= ~RVC;
> > > > +    /*
> > > > +     * misa writes that increase IALIGN beyond alignment of the next
> > > > +     * instruction cause the write to misa to be suppressed. Clearing
> > > > +     * "C" extension increases IALIGN.
> > > > +     */
> > > > +    if (!(val & RVC) && (get_next_pc(env, ra) & 3) != 0) {
> > > > +        /*
> > > > +         * If the next instruction is unaligned mod 4 then "C" must be
> > > > +         * set or this instruction could not be executing, so we know
> > > > +         * this is is clearing "C" (and not just keeping it clear).
> > > "this is is clearing" — double "is"
> > >
> > > > +         */
> > > > +        g_assert(env->misa_ext & RVC);
> > > > +        return RISCV_EXCP_NONE;
> > > write_misa() is also reachable via riscv_csrrw_debug()
> > > with ra=0, where get_next_pc() falls back to env->pc.
> > 
> > Ah good catch
> > 
> > > A debugger can set PC to a 2-byte-aligned address while C is
> > > already disabled, then write misa keeping C=0. This hits
> > > the condition and fires the g_assert.
> > 
> > I'm not convinced that that's necessarily bad, as that's an odd and
> > invalid thing to be writing. But we probably shouldn't assert
> > 
> > >
> > > The ISA spec language:
> > >
> > >     "if an instruction that would write misa..."
> > >
> > > does not cover debug writes, so the IALIGN suppression
> > > arguably should not apply in that case at all.
> > >
> > > We can:
> > >
> > >     if (ra && !(val & RVC)
> > >         && (get_next_pc(env, ra) & 3) != 0) {
> > >         g_assert(env->misa_ext & RVC);
> > >         return RISCV_EXCP_NONE;
> > >     }
> > 
> > Maybe it's best to change the `g_assert()` to a log GUEST_ERROR
> > instead. That way we flag that something fishy is going on, but don't
> > exit QEMU
> > 
> Agreed!
> 
> Replacing the g_assert() with qemu_log_mask(LOG_GUEST_ERROR, ...)
> sounds like the right balance — it still surfaces the anomaly for
> anyone debugging, without taking down QEMU over what is ultimately
> a debugger-induced corner case.
> 
> The IALIGN suppression logic itself is still correct for the normal
> execution path, so there's no reason to skip it entirely; just don't
> crash on the weird one.

Okay good feedback, thanks to you both. I agree, I'll make the changes
and resend.

Thanks,
Nick

next prev parent reply	other threads:[~2026-03-26  6:30 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-21 14:45 [PATCH v3 0/3] target/riscv: corner case fixes Nicholas Piggin
2026-03-21 14:45 ` [PATCH v3 1/3] target/riscv: Fix IALIGN check in misa write Nicholas Piggin
2026-03-25  1:35   ` Alistair Francis
2026-03-25  3:08   ` Chao Liu
2026-03-25  3:26     ` Alistair Francis
2026-03-25  3:40       ` Chao Liu
2026-03-26  6:29         ` Nicholas Piggin [this message]
2026-03-21 14:45 ` [PATCH v3 2/3] target/riscv: Fix vector whole ldst vstart check Nicholas Piggin
2026-03-25  1:57   ` Alistair Francis
2026-03-25  2:10   ` Chao Liu
2026-03-21 14:45 ` [PATCH v3 3/3] tests/tcg: Add riscv test for interrupted vector ops Nicholas Piggin
2026-03-25  2:08   ` Alistair Francis
2026-03-25  3:19   ` Chao Liu
2026-03-26  6:32     ` Nicholas Piggin
2026-03-25  2:20 ` [PATCH v3 0/3] target/riscv: corner case fixes Alistair Francis

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=acTSDKzeEb3bbv08@lima-default \
    --to=npiggin@gmail.com \
    --cc=alistair.francis@wdc.com \
    --cc=alistair23@gmail.com \
    --cc=chao.liu.zevorn@gmail.com \
    --cc=dbarboza@ventanamicro.com \
    --cc=gvalliappan@tenstorrent.com \
    --cc=joel@jms.id.au \
    --cc=laurent@vivier.eu \
    --cc=liwei1518@gmail.com \
    --cc=njoaquin@tenstorrent.com \
    --cc=palmer@dabbelt.com \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-riscv@nongnu.org \
    --cc=zhiwei_liu@linux.alibaba.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.