* [PATCH 0/5] target/riscv: A collection of bug fixes
@ 2026-04-07  4:36 alistair23
  2026-04-07  4:36 ` [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails alistair23
                   ` (4 more replies)
  0 siblings, 5 replies; 29+ messages in thread
From: alistair23 @ 2026-04-07  4:36 UTC (permalink / raw)
  To: palmer, liwei1518, daniel.barboza, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: alistair23, Alistair Francis

From: Alistair Francis <alistair.francis@wdc.com>

This is a collection of patches to fix a few of the open RISC-V bugs [1].

1: https://gitlab.com/qemu-project/qemu/-/work_items?first_page_size=20&label_name%5B%5D=target%3A%20riscv&sort=created_date&state=opened

Alistair Francis (5):
  target/riscv: Generate access fault if sc comparison fails
  linux-user/strace: Add a wrapper for read and write
  target/riscv: Don't OR mip.SEIP when mvien is one
  hw/timer: ibex_timer: Update IRQs after writing CTRL
  target/riscv: Use ELEN for Fractional LMUL check

 target/riscv/helper.h                   |  3 +++
 hw/timer/ibex_timer.c                   |  1 +
 linux-user/strace.c                     | 14 ++++++++++++++
 target/riscv/csr.c                      |  8 ++++++++
 target/riscv/op_helper.c                | 14 ++++++++++++++
 target/riscv/vector_helper.c            |  9 ++++-----
 target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
 linux-user/strace.list                  |  4 ++--
 8 files changed, 52 insertions(+), 7 deletions(-)

-- 
2.53.0




* [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-07  4:36 [PATCH 0/5] target/riscv: A collection of bug fixes alistair23
@ 2026-04-07  4:36 ` alistair23
  2026-04-07  9:38   ` Daniel Henrique Barboza
  2026-04-07 16:23   ` Chao Liu
  2026-04-07  4:36 ` [PATCH 2/5] linux-user/strace: Add a wrapper for read and write alistair23
                   ` (3 subsequent siblings)
  4 siblings, 2 replies; 29+ messages in thread
From: alistair23 @ 2026-04-07  4:36 UTC (permalink / raw)
  To: palmer, liwei1518, daniel.barboza, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: alistair23, Alistair Francis

From: Alistair Francis <alistair.francis@wdc.com>

The RISC-V spec states:

"For the purposes of memory protection, a failed SC.W may be treated
like a store."

So if the comparison in sc.w fails we should still check for alignment
and do a probe access to check permissions.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/helper.h                   |  3 +++
 target/riscv/op_helper.c                | 14 ++++++++++++++
 target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
 3 files changed, 23 insertions(+)

diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index b785456ee0..af6cfcfc27 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
 #ifndef CONFIG_USER_ONLY
 DEF_HELPER_1(ssamoswap_disabled, void, env)
 #endif
+
+/* Zalrsc" SC write probe */
+DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
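Review bot: The added comment `/* Zalrsc" SC write probe */` has a stray double quote after Zalrsc; remove it. Since the helper is only emitted on the failed-SC path in gen_sc, saying so in this comment would make the declaration self-explanatory.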
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index 6ccc127c30..b569366369 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env, target_ulong address)
     /* We don't emulate the cache-hierarchy, so we're done. */
 }
 
+void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
+                           target_ulong size)
+{
+    uintptr_t ra = GETPC();
+    int mmu_idx = riscv_env_mmu_index(env, false);
+
+    if (addr & (size - 1)) {
+        env->badaddr = addr;
+        riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra);
+    }
+
+    probe_write(env, addr, size, mmu_idx, ra);
+}
+
 #ifndef CONFIG_USER_ONLY
 
 target_ulong helper_sret(CPURISCVState *env)
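Review bot: In helper_sc_probe_write the MMU index is recomputed at run time with riscv_env_mmu_index(env, false) rather than being passed in from gen_sc; please confirm it always matches the index the successful store path uses, or pass the index as a helper argument so the probe checks exactly the access the store would have made. The `addr & (size - 1)` test also relies on size being a non-zero power of two, which holds for memop_size(mop) but deserves a one-line comment.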
diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_trans/trans_rva.c.inc
index a7a3278d24..62c0fe673d 100644
--- a/target/riscv/insn_trans/trans_rva.c.inc
+++ b/target/riscv/insn_trans/trans_rva.c.inc
@@ -90,6 +90,12 @@ static bool gen_sc(DisasContext *ctx, arg_atomic *a, MemOp mop)
      */
     TCGBar bar_strl = (ctx->ztso || a->rl) ? TCG_BAR_STRL : 0;
     tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + bar_strl);
+    /*
+     * "For the purposes of memory protection, a failed SC.W may be treated
+     * like a store." so let's check the write access permissions
+     */
+    gen_helper_sc_probe_write(tcg_env, src1,
+                              tcg_constant_tl(memop_size(mop)));
     gen_set_gpr(ctx, a->rd, tcg_constant_tl(1));
 
     gen_set_label(l2);
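Review bot: The new comment in gen_sc quotes the SC.W sentence, but the probe is sized with memop_size(mop) and so covers every SC width this function handles; word the comment for SC in general. The quoted text says a failed SC "may" be treated like a store, so the comment should also state that probing here is the behaviour chosen for this implementation rather than something the spec requires.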
-- 
2.53.0




* [PATCH 2/5] linux-user/strace: Add a wrapper for read and write
  2026-04-07  4:36 [PATCH 0/5] target/riscv: A collection of bug fixes alistair23
  2026-04-07  4:36 ` [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails alistair23
@ 2026-04-07  4:36 ` alistair23
  2026-04-07  9:38   ` Daniel Henrique Barboza
                     ` (2 more replies)
  2026-04-07  4:36 ` [PATCH 3/5] target/riscv: Don't OR mip.SEIP when mvien is one alistair23
                   ` (2 subsequent siblings)
  4 siblings, 3 replies; 29+ messages in thread
From: alistair23 @ 2026-04-07  4:36 UTC (permalink / raw)
  To: palmer, liwei1518, daniel.barboza, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: alistair23, Alistair Francis

From: Alistair Francis <alistair.francis@wdc.com>

The stack pointer is being truncated as 32-bits for qemu-riscv64, so
let's add a print_read_write helper that ensures all of the bits are
printed.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3238
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 linux-user/strace.c    | 14 ++++++++++++++
 linux-user/strace.list |  4 ++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/linux-user/strace.c b/linux-user/strace.c
index 2cbaf94c89..023173857b 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -4309,6 +4309,20 @@ print_tgkill(CPUArchState *cpu_env, const struct syscallname *name,
 }
 #endif
 
+#if defined(TARGET_NR_read) || defined(TARGET_NR_write)
+static void
+print_read_write(CPUArchState *cpu_env, const struct syscallname *name,
+        abi_long arg0, abi_long arg1, abi_long arg2,
+        abi_long arg3, abi_long arg4, abi_long arg5)
+{
+    print_syscall_prologue(name);
+    print_raw_param("%d", arg0, 0);
+    print_pointer(arg1, 0);
+    print_raw_param("%d", arg2, 1);
+    print_syscall_epilogue(name);
+}
+#endif
+
 #if defined(TARGET_NR_pread64) || defined(TARGET_NR_pwrite64)
 static void
 print_pread64(CPUArchState *cpu_env, const struct syscallname *name,
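Review bot: In print_read_write the byte count arg2 is an abi_long but is printed with "%d", so on a 64-bit target the count still gets int formatting while only the pointer in arg1 is widened by print_pointer. Use a format that matches abi_long for arg2 and keep "%d" for the file descriptor in arg0.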
diff --git a/linux-user/strace.list b/linux-user/strace.list
index 35f001fecd..239b9e18b4 100644
--- a/linux-user/strace.list
+++ b/linux-user/strace.list
@@ -1114,7 +1114,7 @@
 { TARGET_NR_quotactl, "quotactl" , NULL, NULL, NULL },
 #endif
 #ifdef TARGET_NR_read
-{ TARGET_NR_read, "read" , "%s(%d,%#x,%d)", NULL, NULL },
+{ TARGET_NR_read, "read" , NULL, print_read_write, NULL },
 #endif
 #ifdef TARGET_NR_readahead
 { TARGET_NR_readahead, "readahead" , NULL, NULL, NULL },
@@ -1674,7 +1674,7 @@
                      print_syscall_ret_waitpid },
 #endif
 #ifdef TARGET_NR_write
-{ TARGET_NR_write, "write" , "%s(%d,%#x,%d)", NULL, NULL },
+{ TARGET_NR_write, "write" , NULL, print_read_write, NULL },
 #endif
 #ifdef TARGET_NR_writev
 { TARGET_NR_writev, "writev" , "%s(%d,%p,%#x)", NULL, NULL },
-- 
2.53.0




* [PATCH 3/5] target/riscv: Don't OR mip.SEIP when mvien is one
  2026-04-07  4:36 [PATCH 0/5] target/riscv: A collection of bug fixes alistair23
  2026-04-07  4:36 ` [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails alistair23
  2026-04-07  4:36 ` [PATCH 2/5] linux-user/strace: Add a wrapper for read and write alistair23
@ 2026-04-07  4:36 ` alistair23
  2026-04-07  9:41   ` Daniel Henrique Barboza
  2026-04-08  2:49   ` Chao Liu
  2026-04-07  4:36 ` [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL alistair23
  2026-04-07  4:36 ` [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check alistair23
  4 siblings, 2 replies; 29+ messages in thread
From: alistair23 @ 2026-04-07  4:36 UTC (permalink / raw)
  To: palmer, liwei1518, daniel.barboza, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: alistair23, Alistair Francis

From: Alistair Francis <alistair.francis@wdc.com>

The RISC-V spec states that

"""
But when bit 9 of mvien is one, bit SEIP in mip is read-only and does
not include the value of bit 9 of mvip. Rather, the value of mip.SEIP
is simply the supervisor external interrupt signal from the hart’s
external interrupt controller (APLIC or IMSIC).
"""

From my understanding this means we should remove MIP_SEIP from the
alias mask.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2828
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/csr.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index a75281539b..2a2f9497db 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -3796,6 +3796,14 @@ static RISCVException rmw_mvip64(CPURISCVState *env, int csrno,
         /* Remove bits that are zero in both mideleg and mvien. */
         alias_mask &= (env->mideleg | env->mvien);
         nalias_mask &= (env->mideleg | env->mvien);
+    } else {
+        if (env->mvien & MIP_SEIP) {
+            /*
+             * Bit SEIP in mip is read-only and does not
+             * include the value of bit 9 of mvip
+             */
+            alias_mask &= ~MIP_SEIP;
+        }
     }
 
     /*
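Review bot: The new else branch in rmw_mvip64 clears MIP_SEIP from alias_mask only, whereas the branch above it updates alias_mask and nalias_mask together; extend the comment to say where bit 9 is handled once it leaves alias_mask, or why nalias_mask needs no change, so the read-only claim can be checked against the code. The nested `} else { if (env->mvien & MIP_SEIP) {` can also be flattened to `} else if (env->mvien & MIP_SEIP) {`.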
-- 
2.53.0




* [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL
  2026-04-07  4:36 [PATCH 0/5] target/riscv: A collection of bug fixes alistair23
                   ` (2 preceding siblings ...)
  2026-04-07  4:36 ` [PATCH 3/5] target/riscv: Don't OR mip.SEIP when mvien is one alistair23
@ 2026-04-07  4:36 ` alistair23
  2026-04-07  9:42   ` Daniel Henrique Barboza
                     ` (3 more replies)
  2026-04-07  4:36 ` [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check alistair23
  4 siblings, 4 replies; 29+ messages in thread
From: alistair23 @ 2026-04-07  4:36 UTC (permalink / raw)
  To: palmer, liwei1518, daniel.barboza, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: alistair23, Alistair Francis

From: Alistair Francis <alistair.francis@wdc.com>

When writing to rv_timer.CTRL after setting the compare values the timer
doesn't fire as we don't update the interrupts. Ensure we update the
interrupts after a write to the rv_timer.CTRL register.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2796
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 hw/timer/ibex_timer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/timer/ibex_timer.c b/hw/timer/ibex_timer.c
index 0f12531934..571633803d 100644
--- a/hw/timer/ibex_timer.c
+++ b/hw/timer/ibex_timer.c
@@ -193,6 +193,7 @@ static void ibex_timer_write(void *opaque, hwaddr addr,
         break;
     case R_CTRL:
         s->timer_ctrl = val;
+        ibex_timer_update_irqs(s);
         break;
     case R_CFG0:
         qemu_log_mask(LOG_UNIMP, "Changing prescale or step not supported");
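Review bot: With the added call in the R_CTRL case, ibex_timer_update_irqs(s) now runs on every CTRL write, including writes whose val disables the timer; please confirm the function handles that direction as well, so no interrupt stays asserted after a disable. A short comment on the case noting that the IRQ state depends on timer_ctrl would explain why the call is needed.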
-- 
2.53.0




* [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check
  2026-04-07  4:36 [PATCH 0/5] target/riscv: A collection of bug fixes alistair23
                   ` (3 preceding siblings ...)
  2026-04-07  4:36 ` [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL alistair23
@ 2026-04-07  4:36 ` alistair23
  2026-04-07  9:31   ` Daniel Henrique Barboza
                     ` (2 more replies)
  4 siblings, 3 replies; 29+ messages in thread
From: alistair23 @ 2026-04-07  4:36 UTC (permalink / raw)
  To: palmer, liwei1518, daniel.barboza, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: alistair23, Alistair Francis

From: Alistair Francis <alistair.francis@wdc.com>

The RISC-V spec states that

"""
For a given supported fractional LMUL setting, implementations
must support SEW settings between SEWMIN and LMUL * ELEN, inclusive.
"""

We were previously checking VLEN, instead of ELEN, so let's update to
check ELEN instead of VLEN for fractional scaling.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/vector_helper.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c
index 83dd26314d..b4fc791eb7 100644
--- a/target/riscv/vector_helper.c
+++ b/target/riscv/vector_helper.c
@@ -47,18 +47,17 @@ target_ulong HELPER(vsetvl)(CPURISCVState *env, target_ulong s1,
     target_ulong reserved = s2 &
                             MAKE_64BIT_MASK(R_VTYPE_RESERVED_SHIFT,
                                             xlen - 1 - R_VTYPE_RESERVED_SHIFT);
-    uint16_t vlen = cpu->cfg.vlenb << 3;
     int8_t lmul;
 
     if (vlmul & 4) {
         /*
          * Fractional LMUL, check:
          *
-         * VLEN * LMUL >= SEW
-         * VLEN >> (8 - lmul) >= sew
-         * (vlenb << 3) >> (8 - lmul) >= sew
+         * ELEN * LMUL >= SEW
+         * ELEN >> (8 - vlmul) >= sew
          */
-        if (vlmul == 4 || (vlen >> (8 - vlmul)) < sew) {
+        if (vlmul == 4 ||
+            (cpu->cfg.elen >> (8 - vlmul)) < sew) {
             vill = true;
         }
     }
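Review bot: The fractional-LMUL test in vsetvl now sets vill whenever `cpu->cfg.elen >> (8 - vlmul)` is below sew, which rejects settings the removed VLEN-based test accepted on any configuration where VLEN is larger than ELEN; state this in the commit message or the comment, because guests that relied on the old behaviour will now see vill. The second comment line mixes the spec name ELEN with the variables vlmul and sew; writing it as `elen >> (8 - vlmul) >= sew` would match the code.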
-- 
2.53.0
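
The difference between the VLEN-based and ELEN-based checks discussed in this patch, as an added stand-alone C model (not QEMU code and not part of the posted patch). The function names, the sample VLEN/ELEN values and the treatment of sew as the element width in bits are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample set: the standard element widths, in bits. */
static const unsigned sew_bits[] = { 8, 16, 32, 64 };
#define N_SEW (sizeof(sew_bits) / sizeof(sew_bits[0]))

/*
 * Model of the fractional-LMUL legality test.
 *
 * limit_bits is VLEN for the rule being removed and ELEN for the rule
 * being added. vlmul is the 3-bit vtype.vlmul field, where 5, 6 and 7
 * encode LMUL = 1/8, 1/4 and 1/2 and 4 is reserved.
 * Returns true when vill would be set.
 */
static bool frac_lmul_vill(unsigned limit_bits, unsigned vlmul, unsigned sew)
{
    if (!(vlmul & 4)) {
        return false;   /* integer LMUL: this check does not apply */
    }
    if (vlmul == 4) {
        return true;    /* reserved encoding */
    }
    /* limit * LMUL >= SEW, with LMUL = 2^-(8 - vlmul) */
    return (limit_bits >> (8 - vlmul)) < sew;
}

/* Count (vlmul, sew) pairs accepted by the VLEN rule but rejected by ELEN. */
static int count_newly_illegal(unsigned vlen, unsigned elen)
{
    int n = 0;

    for (unsigned vlmul = 5; vlmul <= 7; vlmul++) {
        for (size_t i = 0; i < N_SEW; i++) {
            bool old_vill = frac_lmul_vill(vlen, vlmul, sew_bits[i]);
            bool new_vill = frac_lmul_vill(elen, vlmul, sew_bits[i]);

            if (!old_vill && new_vill) {
                n++;
            }
        }
    }
    return n;
}

int main(void)
{
    const unsigned vlen = 128, elen = 64;   /* constructed configuration */

    printf("VLEN=%u ELEN=%u\n", vlen, elen);
    printf("vlmul  sew  vill(VLEN rule)  vill(ELEN rule)\n");
    for (unsigned vlmul = 5; vlmul <= 7; vlmul++) {
        for (size_t i = 0; i < N_SEW; i++) {
            printf("%5u  %3u  %15d  %15d\n", vlmul, sew_bits[i],
                   frac_lmul_vill(vlen, vlmul, sew_bits[i]),
                   frac_lmul_vill(elen, vlmul, sew_bits[i]));
        }
    }
    printf("newly illegal settings: %d\n", count_newly_illegal(vlen, elen));
    return 0;
}
```

When VLEN equals ELEN the two rules agree; the gap opens only when VLEN is larger, which is the case the review replies discuss.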




* Re: [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check
  2026-04-07  4:36 ` [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check alistair23
@ 2026-04-07  9:31   ` Daniel Henrique Barboza
  2026-04-07 12:13   ` LIU Zhiwei
  2026-04-08  2:51   ` Chao Liu
  2 siblings, 0 replies; 29+ messages in thread
From: Daniel Henrique Barboza @ 2026-04-07  9:31 UTC (permalink / raw)
  To: alistair23, palmer, liwei1518, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: Alistair Francis



On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The RISC-V spec states that
> 
> """
> For a given supported fractional LMUL setting, implementations
> must support SEW settings between SEWMIN and LMUL * ELEN, inclusive.
> """
> 
> We were previously checking VLEN, instead of ELEN, so let's update to
> check ELEN instead of VLEN for fractional scaling.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>


>   target/riscv/vector_helper.c | 9 ++++-----
>   1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c
> index 83dd26314d..b4fc791eb7 100644
> --- a/target/riscv/vector_helper.c
> +++ b/target/riscv/vector_helper.c
> @@ -47,18 +47,17 @@ target_ulong HELPER(vsetvl)(CPURISCVState *env, target_ulong s1,
>       target_ulong reserved = s2 &
>                               MAKE_64BIT_MASK(R_VTYPE_RESERVED_SHIFT,
>                                               xlen - 1 - R_VTYPE_RESERVED_SHIFT);
> -    uint16_t vlen = cpu->cfg.vlenb << 3;
>       int8_t lmul;
>   
>       if (vlmul & 4) {
>           /*
>            * Fractional LMUL, check:
>            *
> -         * VLEN * LMUL >= SEW
> -         * VLEN >> (8 - lmul) >= sew
> -         * (vlenb << 3) >> (8 - lmul) >= sew
> +         * ELEN * LMUL >= SEW
> +         * ELEN >> (8 - vlmul) >= sew
>            */
> -        if (vlmul == 4 || (vlen >> (8 - vlmul)) < sew) {
> +        if (vlmul == 4 ||
> +            (cpu->cfg.elen >> (8 - vlmul)) < sew) {
>               vill = true;
>           }
>       }




* Re: [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-07  4:36 ` [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails alistair23
@ 2026-04-07  9:38   ` Daniel Henrique Barboza
  2026-04-08  8:48     ` Philippe Mathieu-Daudé
  2026-04-09  5:38     ` Alistair Francis
  2026-04-07 16:23   ` Chao Liu
  1 sibling, 2 replies; 29+ messages in thread
From: Daniel Henrique Barboza @ 2026-04-07  9:38 UTC (permalink / raw)
  To: alistair23, palmer, liwei1518, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: Alistair Francis



On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The RISC-V spec states:
> 
> "For the purposes of memory protection, a failed SC.W may be treated
> like a store."
> 
> So if the comparison in sc.w fails we should still check for alignment
> and do a probe access to check permissions.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
> Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136

Typo: "Resoves"


Also, IIRC the bug URL that automatically closes Gitlab issues when
merging the patch is in the format:

"Resolves: https://gitlab.com/qemu-project/qemu/-/issues/(number)"


Maybe this URL with "work_items" also works, but even with the regular
URL Gitlab fails to autoclose the bug sometimes.  I suggest changing the
"work_items" to "issues" in all those URLs to be safe.


That said,


Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>

> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
>   target/riscv/helper.h                   |  3 +++
>   target/riscv/op_helper.c                | 14 ++++++++++++++
>   target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
>   3 files changed, 23 insertions(+)
> 
> diff --git a/target/riscv/helper.h b/target/riscv/helper.h
> index b785456ee0..af6cfcfc27 100644
> --- a/target/riscv/helper.h
> +++ b/target/riscv/helper.h
> @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
>   #ifndef CONFIG_USER_ONLY
>   DEF_HELPER_1(ssamoswap_disabled, void, env)
>   #endif
> +
> +/* Zalrsc" SC write probe */
> +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
> diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
> index 6ccc127c30..b569366369 100644
> --- a/target/riscv/op_helper.c
> +++ b/target/riscv/op_helper.c
> @@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env, target_ulong address)
>       /* We don't emulate the cache-hierarchy, so we're done. */
>   }
>   
> +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
> +                           target_ulong size)
> +{
> +    uintptr_t ra = GETPC();
> +    int mmu_idx = riscv_env_mmu_index(env, false);
> +
> +    if (addr & (size - 1)) {
> +        env->badaddr = addr;
> +        riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra);
> +    }
> +
> +    probe_write(env, addr, size, mmu_idx, ra);
> +}
> +
>   #ifndef CONFIG_USER_ONLY
>   
>   target_ulong helper_sret(CPURISCVState *env)
> diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_trans/trans_rva.c.inc
> index a7a3278d24..62c0fe673d 100644
> --- a/target/riscv/insn_trans/trans_rva.c.inc
> +++ b/target/riscv/insn_trans/trans_rva.c.inc
> @@ -90,6 +90,12 @@ static bool gen_sc(DisasContext *ctx, arg_atomic *a, MemOp mop)
>        */
>       TCGBar bar_strl = (ctx->ztso || a->rl) ? TCG_BAR_STRL : 0;
>       tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + bar_strl);
> +    /*
> +     * "For the purposes of memory protection, a failed SC.W may be treated
> +     * like a store." so let's check the write access permissions
> +     */
> +    gen_helper_sc_probe_write(tcg_env, src1,
> +                              tcg_constant_tl(memop_size(mop)));
>       gen_set_gpr(ctx, a->rd, tcg_constant_tl(1));
>   
>       gen_set_label(l2);




* Re: [PATCH 2/5] linux-user/strace: Add a wrapper for read and write
  2026-04-07  4:36 ` [PATCH 2/5] linux-user/strace: Add a wrapper for read and write alistair23
@ 2026-04-07  9:38   ` Daniel Henrique Barboza
  2026-04-07 16:55   ` Chao Liu
  2026-04-08  1:40   ` Richard Henderson
  2 siblings, 0 replies; 29+ messages in thread
From: Daniel Henrique Barboza @ 2026-04-07  9:38 UTC (permalink / raw)
  To: alistair23, palmer, liwei1518, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: Alistair Francis



On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The stack pointer is being truncated as 32-bits for qemu-riscv64, so
> let's add a print_read_write helper that ensures all of the bits are
> printed.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3238
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---


Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>


>   linux-user/strace.c    | 14 ++++++++++++++
>   linux-user/strace.list |  4 ++--
>   2 files changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/linux-user/strace.c b/linux-user/strace.c
> index 2cbaf94c89..023173857b 100644
> --- a/linux-user/strace.c
> +++ b/linux-user/strace.c
> @@ -4309,6 +4309,20 @@ print_tgkill(CPUArchState *cpu_env, const struct syscallname *name,
>   }
>   #endif
>   
> +#if defined(TARGET_NR_read) || defined(TARGET_NR_write)
> +static void
> +print_read_write(CPUArchState *cpu_env, const struct syscallname *name,
> +        abi_long arg0, abi_long arg1, abi_long arg2,
> +        abi_long arg3, abi_long arg4, abi_long arg5)
> +{
> +    print_syscall_prologue(name);
> +    print_raw_param("%d", arg0, 0);
> +    print_pointer(arg1, 0);
> +    print_raw_param("%d", arg2, 1);
> +    print_syscall_epilogue(name);
> +}
> +#endif
> +
>   #if defined(TARGET_NR_pread64) || defined(TARGET_NR_pwrite64)
>   static void
>   print_pread64(CPUArchState *cpu_env, const struct syscallname *name,
> diff --git a/linux-user/strace.list b/linux-user/strace.list
> index 35f001fecd..239b9e18b4 100644
> --- a/linux-user/strace.list
> +++ b/linux-user/strace.list
> @@ -1114,7 +1114,7 @@
>   { TARGET_NR_quotactl, "quotactl" , NULL, NULL, NULL },
>   #endif
>   #ifdef TARGET_NR_read
> -{ TARGET_NR_read, "read" , "%s(%d,%#x,%d)", NULL, NULL },
> +{ TARGET_NR_read, "read" , NULL, print_read_write, NULL },
>   #endif
>   #ifdef TARGET_NR_readahead
>   { TARGET_NR_readahead, "readahead" , NULL, NULL, NULL },
> @@ -1674,7 +1674,7 @@
>                        print_syscall_ret_waitpid },
>   #endif
>   #ifdef TARGET_NR_write
> -{ TARGET_NR_write, "write" , "%s(%d,%#x,%d)", NULL, NULL },
> +{ TARGET_NR_write, "write" , NULL, print_read_write, NULL },
>   #endif
>   #ifdef TARGET_NR_writev
>   { TARGET_NR_writev, "writev" , "%s(%d,%p,%#x)", NULL, NULL },




* Re: [PATCH 3/5] target/riscv: Don't OR mip.SEIP when mvien is one
  2026-04-07  4:36 ` [PATCH 3/5] target/riscv: Don't OR mip.SEIP when mvien is one alistair23
@ 2026-04-07  9:41   ` Daniel Henrique Barboza
  2026-04-08  2:49   ` Chao Liu
  1 sibling, 0 replies; 29+ messages in thread
From: Daniel Henrique Barboza @ 2026-04-07  9:41 UTC (permalink / raw)
  To: alistair23, palmer, liwei1518, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: Alistair Francis



On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The RISC-V spec states that
> 
> """
> But when bit 9 of mvien is one, bit SEIP in mip is read-only and does
> not include the value of bit 9 of mvip. Rather, the value of mip.SEIP
> is simply the supervisor external interrupt signal from the hart’s
> external interrupt controller (APLIC or IMSIC).
> """
> 
> From my understanding this means we should remove MIP_SEIP from the
> alias mask.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2828
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---


Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>

>   target/riscv/csr.c | 8 ++++++++
>   1 file changed, 8 insertions(+)
> 
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index a75281539b..2a2f9497db 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -3796,6 +3796,14 @@ static RISCVException rmw_mvip64(CPURISCVState *env, int csrno,
>           /* Remove bits that are zero in both mideleg and mvien. */
>           alias_mask &= (env->mideleg | env->mvien);
>           nalias_mask &= (env->mideleg | env->mvien);
> +    } else {
> +        if (env->mvien & MIP_SEIP) {
> +            /*
> +             * Bit SEIP in mip is read-only and does not
> +             * include the value of bit 9 of mvip
> +             */
> +            alias_mask &= ~MIP_SEIP;
> +        }
>       }
>   
>       /*




* Re: [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL
  2026-04-07  4:36 ` [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL alistair23
@ 2026-04-07  9:42   ` Daniel Henrique Barboza
  2026-04-08  2:50   ` Chao Liu
                     ` (2 subsequent siblings)
  3 siblings, 0 replies; 29+ messages in thread
From: Daniel Henrique Barboza @ 2026-04-07  9:42 UTC (permalink / raw)
  To: alistair23, palmer, liwei1518, zhiwei_liu, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: Alistair Francis



On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> When writing to rv_timer.CTRL after setting the compare values the timer
> doesn't fire as we don't update the interrupts. Ensure we update the
> interrupts after a write to the rv_timer.CTRL register.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2796
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---


Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>

>   hw/timer/ibex_timer.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/hw/timer/ibex_timer.c b/hw/timer/ibex_timer.c
> index 0f12531934..571633803d 100644
> --- a/hw/timer/ibex_timer.c
> +++ b/hw/timer/ibex_timer.c
> @@ -193,6 +193,7 @@ static void ibex_timer_write(void *opaque, hwaddr addr,
>           break;
>       case R_CTRL:
>           s->timer_ctrl = val;
> +        ibex_timer_update_irqs(s);
>           break;
>       case R_CFG0:
>           qemu_log_mask(LOG_UNIMP, "Changing prescale or step not supported");




* Re: [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check
  2026-04-07  4:36 ` [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check alistair23
  2026-04-07  9:31   ` Daniel Henrique Barboza
@ 2026-04-07 12:13   ` LIU Zhiwei
  2026-04-09  5:32     ` Alistair Francis
  2026-04-08  2:51   ` Chao Liu
  2 siblings, 1 reply; 29+ messages in thread
From: LIU Zhiwei @ 2026-04-07 12:13 UTC (permalink / raw)
  To: alistair23, palmer, liwei1518, daniel.barboza, chao.liu.zevorn,
	qemu-riscv, qemu-devel
  Cc: Alistair Francis

Hi Alistair,

On 4/7/26 12:36 PM, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
>
> The RISC-V spec states that
>
> """
> For a given supported fractional LMUL setting, implementations
> must support SEW settings between SEWMIN and LMUL * ELEN, inclusive.
> """

I think the meaning of "must support" in the specification is "must at
least support" instead of "must only support".

Sail or Spike have the same check as this patch to prevent user programs
that can run on them but can't run on RTLs, as RTL implementations may
support SEW besides the SEWMIN and LMUL * ELEN range.

We can refer to the discussion here:
https://github.com/riscv-software-src/riscv-isa-sim/pull/620

In my opinion, we had better add an option such as "frac_sew_check" to
make the user set the right value for their RTL implementation.

Otherwise,
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>

Thanks,
Zhiwei

> We were previously checking VLEN, instead of ELEN, so let's update to
> check ELEN instead of VLEN for fractional scaling.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
>   target/riscv/vector_helper.c | 9 ++++-----
>   1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c
> index 83dd26314d..b4fc791eb7 100644
> --- a/target/riscv/vector_helper.c
> +++ b/target/riscv/vector_helper.c
> @@ -47,18 +47,17 @@ target_ulong HELPER(vsetvl)(CPURISCVState *env, target_ulong s1,
>       target_ulong reserved = s2 &
>                               MAKE_64BIT_MASK(R_VTYPE_RESERVED_SHIFT,
>                                               xlen - 1 - R_VTYPE_RESERVED_SHIFT);
> -    uint16_t vlen = cpu->cfg.vlenb << 3;
>       int8_t lmul;
>   
>       if (vlmul & 4) {
>           /*
>            * Fractional LMUL, check:
>            *
> -         * VLEN * LMUL >= SEW
> -         * VLEN >> (8 - lmul) >= sew
> -         * (vlenb << 3) >> (8 - lmul) >= sew
> +         * ELEN * LMUL >= SEW
> +         * ELEN >> (8 - vlmul) >= sew
>            */
> -        if (vlmul == 4 || (vlen >> (8 - vlmul)) < sew) {
> +        if (vlmul == 4 ||
> +            (cpu->cfg.elen >> (8 - vlmul)) < sew) {
>               vill = true;
>           }
>       }


* Re: [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-07  4:36 ` [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails alistair23
  2026-04-07  9:38   ` Daniel Henrique Barboza
@ 2026-04-07 16:23   ` Chao Liu
  1 sibling, 0 replies; 29+ messages in thread
From: Chao Liu @ 2026-04-07 16:23 UTC (permalink / raw)
  To: alistair23
  Cc: palmer, liwei1518, daniel.barboza, zhiwei_liu, qemu-riscv,
	qemu-devel, Alistair Francis

On Tue, Apr 07, 2026 at 02:36:10PM +1000, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The RISC-V spec states:
> 
> "For the purposes of memory protection, a failed SC.W may be treated
> like a store."
> 
> So if the comparison in sc.w fails we should still check for alignment
> and do a probe access to check permissions.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
> Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
>  target/riscv/helper.h                   |  3 +++
>  target/riscv/op_helper.c                | 14 ++++++++++++++
>  target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
>  3 files changed, 23 insertions(+)
> 
> diff --git a/target/riscv/helper.h b/target/riscv/helper.h
> index b785456ee0..af6cfcfc27 100644
> --- a/target/riscv/helper.h
> +++ b/target/riscv/helper.h
> @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
>  #ifndef CONFIG_USER_ONLY
>  DEF_HELPER_1(ssamoswap_disabled, void, env)
>  #endif
> +
> +/* Zalrsc" SC write probe */
stray `"` after Zalrsc.

other LGTM :)

Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>

Thanks,
Chao
> +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
> diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
> index 6ccc127c30..b569366369 100644
> --- a/target/riscv/op_helper.c
> +++ b/target/riscv/op_helper.c
> @@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env, target_ulong address)
>      /* We don't emulate the cache-hierarchy, so we're done. */
>  }
>  
> +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
> +                           target_ulong size)
> +{
> +    uintptr_t ra = GETPC();
> +    int mmu_idx = riscv_env_mmu_index(env, false);
> +
> +    if (addr & (size - 1)) {
> +        env->badaddr = addr;
> +        riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra);
> +    }
> +
> +    probe_write(env, addr, size, mmu_idx, ra);
> +}
> +
>  #ifndef CONFIG_USER_ONLY
>  
>  target_ulong helper_sret(CPURISCVState *env)
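Review bot: in helper_sc_probe_write, the alignment test `addr & (size - 1)` is only correct when size is a non-zero power of two, and nothing in the helper states or checks that. The only caller in this patch passes memop_size(mop), so an assertion or a one-line comment recording the assumption would be enough. The helper also has no comment saying that it can raise RISCV_EXCP_STORE_AMO_ADDR_MIS itself before probe_write() runs, which is worth stating because the name only mentions the probe.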
> diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_trans/trans_rva.c.inc
> index a7a3278d24..62c0fe673d 100644
> --- a/target/riscv/insn_trans/trans_rva.c.inc
> +++ b/target/riscv/insn_trans/trans_rva.c.inc
> @@ -90,6 +90,12 @@ static bool gen_sc(DisasContext *ctx, arg_atomic *a, MemOp mop)
>       */
>      TCGBar bar_strl = (ctx->ztso || a->rl) ? TCG_BAR_STRL : 0;
>      tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + bar_strl);
> +    /*
> +     * "For the purposes of memory protection, a failed SC.W may be treated
> +     * like a store." so let's check the write access permissions
> +     */
> +    gen_helper_sc_probe_write(tcg_env, src1,
> +                              tcg_constant_tl(memop_size(mop)));
>      gen_set_gpr(ctx, a->rd, tcg_constant_tl(1));
>  
>      gen_set_label(l2);
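Review bot: the new comment in gen_sc says the call checks "the write access permissions", but helper_sc_probe_write also raises the misaligned-address exception, so the comment understates what this path can now do. The quoted spec sentence names SC.W while the call passes memop_size(mop) and so covers every SC width; say that in the comment. It would also help to note that this is the branch taken when the comparison failed, since the line that follows sets rd to 1.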
> -- 
> 2.53.0
> 



* Re: [PATCH 2/5] linux-user/strace: Add a wrapper for read and write
  2026-04-07  4:36 ` [PATCH 2/5] linux-user/strace: Add a wrapper for read and write alistair23
  2026-04-07  9:38   ` Daniel Henrique Barboza
@ 2026-04-07 16:55   ` Chao Liu
  2026-04-08  8:37     ` Philippe Mathieu-Daudé
  2026-04-08  1:40   ` Richard Henderson
  2 siblings, 1 reply; 29+ messages in thread
From: Chao Liu @ 2026-04-07 16:55 UTC (permalink / raw)
  To: alistair23
  Cc: palmer, liwei1518, daniel.barboza, zhiwei_liu, qemu-riscv,
	qemu-devel, Alistair Francis

On Tue, Apr 07, 2026 at 02:36:11PM +1000, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The stack pointer is being truncated as 32-bits for qemu-riscv64, so
> let's add a print_read_write helper that ensures all of the bits are
> printed.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3238
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
>  linux-user/strace.c    | 14 ++++++++++++++
>  linux-user/strace.list |  4 ++--
>  2 files changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/linux-user/strace.c b/linux-user/strace.c
> index 2cbaf94c89..023173857b 100644
> --- a/linux-user/strace.c
> +++ b/linux-user/strace.c
> @@ -4309,6 +4309,20 @@ print_tgkill(CPUArchState *cpu_env, const struct syscallname *name,
>  }
>  #endif
>  
> +#if defined(TARGET_NR_read) || defined(TARGET_NR_write)
> +static void
> +print_read_write(CPUArchState *cpu_env, const struct syscallname *name,
> +        abi_long arg0, abi_long arg1, abi_long arg2,
> +        abi_long arg3, abi_long arg4, abi_long arg5)
> +{
> +    print_syscall_prologue(name);
> +    print_raw_param("%d", arg0, 0);
> +    print_pointer(arg1, 0);
> +    print_raw_param("%d", arg2, 1);
If TARGET_NR_read and TARGET_NR_write support 64-bit targets,
abi_long is int64_t, so %d will be truncated. We can use
TARGET_ABI_FMT_ld to replace it.

Otherwise LGTM.

Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>

Thanks,
Chao
> +    print_syscall_epilogue(name);
> +}
> +#endif
> +
>  #if defined(TARGET_NR_pread64) || defined(TARGET_NR_pwrite64)
>  static void
>  print_pread64(CPUArchState *cpu_env, const struct syscallname *name,
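Review bot: in print_read_write, arg2 is the byte count of read/write and is printed with a signed format, so apart from the width problem a large count would be shown as a negative number. Print it with an unsigned, abi_long-sized format. A short comment above the function saying that it exists so arg1 goes through print_pointer would also explain why these two syscalls no longer use a format string.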
> diff --git a/linux-user/strace.list b/linux-user/strace.list
> index 35f001fecd..239b9e18b4 100644
> --- a/linux-user/strace.list
> +++ b/linux-user/strace.list
> @@ -1114,7 +1114,7 @@
>  { TARGET_NR_quotactl, "quotactl" , NULL, NULL, NULL },
>  #endif
>  #ifdef TARGET_NR_read
> -{ TARGET_NR_read, "read" , "%s(%d,%#x,%d)", NULL, NULL },
> +{ TARGET_NR_read, "read" , NULL, print_read_write, NULL },
>  #endif
>  #ifdef TARGET_NR_readahead
>  { TARGET_NR_readahead, "readahead" , NULL, NULL, NULL },
> @@ -1674,7 +1674,7 @@
>                       print_syscall_ret_waitpid },
>  #endif
>  #ifdef TARGET_NR_write
> -{ TARGET_NR_write, "write" , "%s(%d,%#x,%d)", NULL, NULL },
> +{ TARGET_NR_write, "write" , NULL, print_read_write, NULL },
>  #endif
>  #ifdef TARGET_NR_writev
>  { TARGET_NR_writev, "writev" , "%s(%d,%p,%#x)", NULL, NULL },
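Review bot: the writev entry directly below the changed write entry still goes through the format-string path ("%s(%d,%p,%#x)"), the same mechanism this patch moves read and write away from. Check whether it shows the same truncation on 64-bit targets, and if the fix is deliberately limited to read and write, say so in the commit message.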
> -- 
> 2.53.0
> 



* Re: [PATCH 2/5] linux-user/strace: Add a wrapper for read and write
  2026-04-07  4:36 ` [PATCH 2/5] linux-user/strace: Add a wrapper for read and write alistair23
  2026-04-07  9:38   ` Daniel Henrique Barboza
  2026-04-07 16:55   ` Chao Liu
@ 2026-04-08  1:40   ` Richard Henderson
  2 siblings, 0 replies; 29+ messages in thread
From: Richard Henderson @ 2026-04-08  1:40 UTC (permalink / raw)
  To: qemu-devel

On 4/7/26 14:36, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The stack pointer is being truncated as 32-bits for qemu-riscv64, so
> let's add a print_read_write helper that ensures all of the bits are
> printed.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3238
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
>   linux-user/strace.c    | 14 ++++++++++++++
>   linux-user/strace.list |  4 ++--
>   2 files changed, 16 insertions(+), 2 deletions(-)

This is indicative of incorrect forwarding of values to system fprintf.
We really should be handling the format ourselves so abi_long etc are handled properly.

In particular,

> +print_read_write(CPUArchState *cpu_env, const struct syscallname *name,
> +        abi_long arg0, abi_long arg1, abi_long arg2,
> +        abi_long arg3, abi_long arg4, abi_long arg5)
> +{
> +    print_syscall_prologue(name);
> +    print_raw_param("%d", arg0, 0);
> +    print_pointer(arg1, 0);
> +    print_raw_param("%d", arg2, 1);
> +    print_syscall_epilogue(name);
> +}
> +#endif

This is more work than we should require for such simple syscalls.

>   #ifdef TARGET_NR_read
> -{ TARGET_NR_read, "read" , "%s(%d,%#x,%d)", NULL, NULL },
> +{ TARGET_NR_read, "read" , NULL, print_read_write, NULL },

Ideally, I think %p is the correct format to use for a syscall pointer argument. 
Interpreted, of course, in the context of abi_ptr.


r~



* Re: [PATCH 3/5] target/riscv: Don't OR mip.SEIP when mvien is one
  2026-04-07  4:36 ` [PATCH 3/5] target/riscv: Don't OR mip.SEIP when mvien is one alistair23
  2026-04-07  9:41   ` Daniel Henrique Barboza
@ 2026-04-08  2:49   ` Chao Liu
  1 sibling, 0 replies; 29+ messages in thread
From: Chao Liu @ 2026-04-08  2:49 UTC (permalink / raw)
  To: alistair23
  Cc: palmer, liwei1518, daniel.barboza, zhiwei_liu, qemu-riscv,
	qemu-devel, Alistair Francis

On Tue, Apr 07, 2026 at 02:36:12PM +1000, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The RISC-V spec states that
> 
> """
> But when bit 9 of mvien is one, bit SEIP in mip is read-only and does
> not include the value of bit 9 of mvip. Rather, the value of mip.SEIP
> is simply the supervisor external interrupt signal from the hart’s
> external interrupt controller (APLIC or IMSIC).
> """
> 
> From my understanding this means we should remove MIP_SEIP from the
> alias mask.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2828
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
>  target/riscv/csr.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index a75281539b..2a2f9497db 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -3796,6 +3796,14 @@ static RISCVException rmw_mvip64(CPURISCVState *env, int csrno,
>          /* Remove bits that are zero in both mideleg and mvien. */
>          alias_mask &= (env->mideleg | env->mvien);
>          nalias_mask &= (env->mideleg | env->mvien);
> +    } else {
> +        if (env->mvien & MIP_SEIP) {
> +            /*
> +             * Bit SEIP in mip is read-only and does not
> +             * include the value of bit 9 of mvip
> +             */
> +            alias_mask &= ~MIP_SEIP;
This needs some discussion. I did a simple derivation of the
alias_mask initial value for bit 9 across all four combinations:

  alias_mask = ((S_MODE_INTERRUPTS | LOCAL_INTERRUPTS) &
      (env->mideleg | ~env->mvien)) | MIP_STIP;

  mideleg[9] mvien[9] | ~mvien[9] mideleg|~mvien | alias[9] nalias[9]
  ---------- -------- + --------- -------------- + -------- ---------
       0        0     |     1           1        |    1        0
       0        1     |     0           0        |    0        1
       1        0     |     1           1        |    1        0
       1        1     |     0           1        |    1        0

Checking only mvien[9]=1 actually includes two cases:
 - combo 2: mideleg=0, mvien=1
 - combo 4: mideleg=1, mvien=1

Combo 2 already has alias_mask[9]=0, so the else branch is a
no-op there. The only effective case is combo 4, where
alias_mask[9] goes from 1 to 0. But nalias_mask[9] is also 0
for combo 4, so SEIP disappears from MVIP entirely.

Per the truth table in the function header:

  mideleg[i]=1, mvien[i]=X -> mvip[i] aliases mip[i]

Is there a special intent to break this alias for SEIP? Could
you clarify?

Per the AIA spec, I think the fix should be in rmw_mip64()
instead — make mip.SEIP read-only when mvien[9]=1, similar
to how sstc makes STIP read-only:

  static RISCVException rmw_mip64(CPURISCVState *env, int csrno,
                                  uint64_t *ret_val,
                                  uint64_t new_val, uint64_t wr_mask)
  {
      uint64_t old_mip, mask = wr_mask & delegable_ints;
      uint32_t gin;

  +   /*
  +    * When mvien[9]=1, mip.SEIP is read-only and reflects only
  +    * the external interrupt signal from the interrupt controller.
  +    */
  +   if (env->mvien & MIP_SEIP) {
  +       mask &= ~MIP_SEIP;
  +   }
  +
      if (mask & MIP_SEIP) {
          env->software_seip = new_val & MIP_SEIP;
          new_val |= env->external_seip * MIP_SEIP;
      }
      ...

Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>

Thanks,
Chao
> +        }
>      }
>  
>      /*
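Review bot: the new else branch in rmw_mvip64 clears MIP_SEIP from alias_mask only and leaves nalias_mask alone, and the comment does not say where mvip bit 9 is meant to live once it stops aliasing mip. State the intended handling of bit 9 in the comment, or update nalias_mask in the same branch if the bit is supposed to become a separately stored mvip bit. The comment also describes mip.SEIP being read-only, but the code changes the mvip alias mask and nothing in this hunk restricts writes to mip. The `else { if (...) { ... } }` nesting can be written as `else if`.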
> -- 
> 2.53.0
> 



* Re: [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL
  2026-04-07  4:36 ` [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL alistair23
  2026-04-07  9:42   ` Daniel Henrique Barboza
@ 2026-04-08  2:50   ` Chao Liu
  2026-04-08  8:38   ` Philippe Mathieu-Daudé
  2026-04-09  3:11   ` Nutty.Liu
  3 siblings, 0 replies; 29+ messages in thread
From: Chao Liu @ 2026-04-08  2:50 UTC (permalink / raw)
  To: alistair23
  Cc: palmer, liwei1518, daniel.barboza, zhiwei_liu, qemu-riscv,
	qemu-devel, Alistair Francis

On Tue, Apr 07, 2026 at 02:36:13PM +1000, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> When writing to rv_timer.CTRL after setting the compare values the timer
> doesn't fire as we don't update the interrupts. Ensure we update the
> interrupts after a write to the rv_timer.CTRL register.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2796
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>

Thanks,
Chao
> ---
>  hw/timer/ibex_timer.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/hw/timer/ibex_timer.c b/hw/timer/ibex_timer.c
> index 0f12531934..571633803d 100644
> --- a/hw/timer/ibex_timer.c
> +++ b/hw/timer/ibex_timer.c
> @@ -193,6 +193,7 @@ static void ibex_timer_write(void *opaque, hwaddr addr,
>          break;
>      case R_CTRL:
>          s->timer_ctrl = val;
> +        ibex_timer_update_irqs(s);
>          break;
>      case R_CFG0:
>          qemu_log_mask(LOG_UNIMP, "Changing prescale or step not supported");
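Review bot: in the R_CTRL case, ibex_timer_update_irqs(s) now runs on every CTRL write, including a write that disables the timer, and the hunk does not show whether the update function handles that case. If it does, one sentence in the commit message would settle it; if it does not, the call needs a guard on the new value of s->timer_ctrl. A test that programs the compare value first and CTRL second would keep the ordering from the bug report covered.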
> -- 
> 2.53.0
> 



* Re: [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check
  2026-04-07  4:36 ` [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check alistair23
  2026-04-07  9:31   ` Daniel Henrique Barboza
  2026-04-07 12:13   ` LIU Zhiwei
@ 2026-04-08  2:51   ` Chao Liu
  2 siblings, 0 replies; 29+ messages in thread
From: Chao Liu @ 2026-04-08  2:51 UTC (permalink / raw)
  To: alistair23
  Cc: palmer, liwei1518, daniel.barboza, zhiwei_liu, qemu-riscv,
	qemu-devel, Alistair Francis

On Tue, Apr 07, 2026 at 02:36:14PM +1000, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> The RISC-V spec states that
> 
> """
> For a given supported fractional LMUL setting, implementations
> must support SEW settings between SEWMIN and LMUL * ELEN, inclusive.
> """
> 
> We were previously checking VLEN, instead of ELEN, so let's update to
> check ELEN instead of VLEN for fractional scaling.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>

Thanks,
Chao
> ---
>  target/riscv/vector_helper.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c
> index 83dd26314d..b4fc791eb7 100644
> --- a/target/riscv/vector_helper.c
> +++ b/target/riscv/vector_helper.c
> @@ -47,18 +47,17 @@ target_ulong HELPER(vsetvl)(CPURISCVState *env, target_ulong s1,
>      target_ulong reserved = s2 &
>                              MAKE_64BIT_MASK(R_VTYPE_RESERVED_SHIFT,
>                                              xlen - 1 - R_VTYPE_RESERVED_SHIFT);
> -    uint16_t vlen = cpu->cfg.vlenb << 3;
>      int8_t lmul;
>  
>      if (vlmul & 4) {
>          /*
>           * Fractional LMUL, check:
>           *
> -         * VLEN * LMUL >= SEW
> -         * VLEN >> (8 - lmul) >= sew
> -         * (vlenb << 3) >> (8 - lmul) >= sew
> +         * ELEN * LMUL >= SEW
> +         * ELEN >> (8 - vlmul) >= sew
>           */
> -        if (vlmul == 4 || (vlen >> (8 - vlmul)) < sew) {
> +        if (vlmul == 4 ||
> +            (cpu->cfg.elen >> (8 - vlmul)) < sew) {
>              vill = true;
>          }
>      }
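Review bot: the rewritten comment in vsetvl states the condition `ELEN * LMUL >= SEW` without saying that marking anything above it as vill is a choice; the spec sentence quoted in the commit message describes what must be supported, not what must be rejected. Add a line to the comment recording that larger SEW values are treated as unsupported here, so the next reader does not have to reconstruct that from the thread.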
> -- 
> 2.53.0
> 



* Re: [PATCH 2/5] linux-user/strace: Add a wrapper for read and write
  2026-04-07 16:55   ` Chao Liu
@ 2026-04-08  8:37     ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 29+ messages in thread
From: Philippe Mathieu-Daudé @ 2026-04-08  8:37 UTC (permalink / raw)
  To: Chao Liu, alistair23
  Cc: palmer, liwei1518, daniel.barboza, zhiwei_liu, qemu-riscv,
	qemu-devel, Alistair Francis

On 7/4/26 18:55, Chao Liu wrote:
> On Tue, Apr 07, 2026 at 02:36:11PM +1000, alistair23@gmail.com wrote:
>> From: Alistair Francis <alistair.francis@wdc.com>
>>
>> The stack pointer is being truncated as 32-bits for qemu-riscv64, so
>> let's add a print_read_write helper that ensures all of the bits are
>> printed.
>>
>> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3238
>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
>> ---
>>   linux-user/strace.c    | 14 ++++++++++++++
>>   linux-user/strace.list |  4 ++--
>>   2 files changed, 16 insertions(+), 2 deletions(-)


>> +#if defined(TARGET_NR_read) || defined(TARGET_NR_write)
>> +static void
>> +print_read_write(CPUArchState *cpu_env, const struct syscallname *name,
>> +        abi_long arg0, abi_long arg1, abi_long arg2,
>> +        abi_long arg3, abi_long arg4, abi_long arg5)
>> +{
>> +    print_syscall_prologue(name);
>> +    print_raw_param("%d", arg0, 0);
>> +    print_pointer(arg1, 0);
>> +    print_raw_param("%d", arg2, 1);
> If TARGET_NR_read and TARGET_NR_write support 64-bit targets,
> abi_long is int64_t, so %d will be truncated. We can use
> TARGET_ABI_FMT_ld to replace it.

With the 2 "%d" replacements to TARGET_ABI_FMT_ld:
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

> 
> Otherwise LGTM.
> 
> Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
> 
> Thanks,
> Chao
>> +    print_syscall_epilogue(name);
>> +}
>> +#endif




* Re: [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL
  2026-04-07  4:36 ` [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL alistair23
  2026-04-07  9:42   ` Daniel Henrique Barboza
  2026-04-08  2:50   ` Chao Liu
@ 2026-04-08  8:38   ` Philippe Mathieu-Daudé
  2026-04-09  3:11   ` Nutty.Liu
  3 siblings, 0 replies; 29+ messages in thread
From: Philippe Mathieu-Daudé @ 2026-04-08  8:38 UTC (permalink / raw)
  To: alistair23, palmer, liwei1518, daniel.barboza, zhiwei_liu,
	chao.liu.zevorn, qemu-riscv, qemu-devel
  Cc: Alistair Francis

On 7/4/26 06:36, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
> 
> When writing to rv_timer.CTRL after setting the compare values the timer
> doesn't fire as we don't update the interrupts. Ensure we update the
> interrupts after a write to the rv_timer.CTRL register.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2796
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
>   hw/timer/ibex_timer.c | 1 +
>   1 file changed, 1 insertion(+)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>



* Re: [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-07  9:38   ` Daniel Henrique Barboza
@ 2026-04-08  8:48     ` Philippe Mathieu-Daudé
  2026-04-09  6:21       ` Alistair Francis
  2026-04-09  5:38     ` Alistair Francis
  1 sibling, 1 reply; 29+ messages in thread
From: Philippe Mathieu-Daudé @ 2026-04-08  8:48 UTC (permalink / raw)
  To: Daniel Henrique Barboza, alistair23, palmer, liwei1518,
	zhiwei_liu, chao.liu.zevorn, qemu-riscv, qemu-devel
  Cc: Alistair Francis

On 7/4/26 11:38, Daniel Henrique Barboza wrote:
> 
> 
> On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
>> From: Alistair Francis <alistair.francis@wdc.com>
>>
>> The RISC-V spec states:
>>
>> "For the purposes of memory protection, a failed SC.W may be treated
>> like a store."
>>
>> So if the comparison in sc.w fails we should still check for alignment
>> and do a probe access to check permissions.
>>
>> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
>> Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
> 
> Typo: "Resoves"
> 
> 
> Also, IIRC the bug URL that automatically closes Gitlab issues when
> merging the patch is on the format:
> 
> "Resolves: https://gitlab.com/qemu-project/qemu/-/issues/(number)"
> 
> 
> Maybe this URL with "work_items" also works, but even with the regular
> URL Gitlab fails to autoclose the bug sometimes.  I suggest changing the
> "work_items" to "issues" in all those URLs to be safe.

FWIW I concur :)

> 
> 
> That said,
> 
> 
> Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
> 
>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
>> ---
>>   target/riscv/helper.h                   |  3 +++
>>   target/riscv/op_helper.c                | 14 ++++++++++++++
>>   target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
>>   3 files changed, 23 insertions(+)
>>
>> diff --git a/target/riscv/helper.h b/target/riscv/helper.h
>> index b785456ee0..af6cfcfc27 100644
>> --- a/target/riscv/helper.h
>> +++ b/target/riscv/helper.h
>> @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
>>   #ifndef CONFIG_USER_ONLY
>>   DEF_HELPER_1(ssamoswap_disabled, void, env)
>>   #endif
>> +
>> +/* Zalrsc" SC write probe */
>> +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
>> diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
>> index 6ccc127c30..b569366369 100644
>> --- a/target/riscv/op_helper.c
>> +++ b/target/riscv/op_helper.c
>> @@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env, 
>> target_ulong address)
>>       /* We don't emulate the cache-hierarchy, so we're done. */
>>   }
>> +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
>> +                           target_ulong size)

We could directly use uint64_t for @size. Then after the release the
@addr argument will be converted to vaddr type [*]. We could do that
directly now:


DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, vaddr, i64)

void helper_sc_probe_write(CPURISCVState *env, vaddr addr,
                            uint64_t size)


[*] 
https://lore.kernel.org/qemu-devel/20260401143456.79843-1-philmd@linaro.org/

>> +{
>> +    uintptr_t ra = GETPC();
>> +    int mmu_idx = riscv_env_mmu_index(env, false);
>> +
>> +    if (addr & (size - 1)) {
>> +        env->badaddr = addr;
>> +        riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra);
>> +    }
>> +
>> +    probe_write(env, addr, size, mmu_idx, ra);
>> +}



* Re: [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL
  2026-04-07  4:36 ` [PATCH 4/5] hw/timer: ibex_timer: Update IRQs after writing CTRL alistair23
                     ` (2 preceding siblings ...)
  2026-04-08  8:38   ` Philippe Mathieu-Daudé
@ 2026-04-09  3:11   ` Nutty.Liu
  3 siblings, 0 replies; 29+ messages in thread
From: Nutty.Liu @ 2026-04-09  3:11 UTC (permalink / raw)
  To: alistair23, palmer, liwei1518, daniel.barboza, zhiwei_liu,
	chao.liu.zevorn, qemu-riscv, qemu-devel
  Cc: Alistair Francis


On 4/7/2026 12:36 PM, alistair23@gmail.com wrote:
> From: Alistair Francis <alistair.francis@wdc.com>
>
> When writing to rv_timer.CTRL after setting the compare values the timer
> doesn't fire as we don't update the interrupts. Ensure we update the
> interrupts after a write to the rv_timer.CTRL register.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2796
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>

Thanks,
Nutty
> ---
>   hw/timer/ibex_timer.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/hw/timer/ibex_timer.c b/hw/timer/ibex_timer.c
> index 0f12531934..571633803d 100644
> --- a/hw/timer/ibex_timer.c
> +++ b/hw/timer/ibex_timer.c
> @@ -193,6 +193,7 @@ static void ibex_timer_write(void *opaque, hwaddr addr,
>           break;
>       case R_CTRL:
>           s->timer_ctrl = val;
> +        ibex_timer_update_irqs(s);
>           break;
>       case R_CFG0:
>           qemu_log_mask(LOG_UNIMP, "Changing prescale or step not supported");



* Re: [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check
  2026-04-07 12:13   ` LIU Zhiwei
@ 2026-04-09  5:32     ` Alistair Francis
  2026-04-09  6:05       ` LIU Zhiwei
  0 siblings, 1 reply; 29+ messages in thread
From: Alistair Francis @ 2026-04-09  5:32 UTC (permalink / raw)
  To: LIU Zhiwei
  Cc: palmer, liwei1518, daniel.barboza, chao.liu.zevorn, qemu-riscv,
	qemu-devel, Alistair Francis

On Tue, Apr 7, 2026 at 10:13 PM LIU Zhiwei <zhiwei_liu@linux.alibaba.com> wrote:
>
> Hi Alistair,
>
> On 4/7/26 12:36 PM, alistair23@gmail.com wrote:
>
> From: Alistair Francis <alistair.francis@wdc.com>
>
> The RISC-V spec states that
>
> """
> For a given supported fractional LMUL setting, implementations
> must support SEW settings between SEWMIN and LMUL * ELEN, inclusive.
> """
>
> I think the meaning  of "must support"  in specification is "must at least support" instead of "must only support".

Good point, I didn't really think about that.

>
> Sail or Spike have the same check as this patch to prevent user program can run on them, but
> can't run on RTLs, as RTLs implementation may support SEW besides the  SEWMIN and LMUL * ELEN range.
>
> We can refer to discussion here: https://github.com/riscv-software-src/riscv-isa-sim/pull/620

I think this is still the right fix, as it seems like it's unlikely
there will be implementations that expect outside that minimum support
to work, see https://github.com/riscv/riscv-isa-manual/issues/2359#issuecomment-3458627615
for example.

>
> In my opinion, we had better add a option such as "frac_sew_check" to make user set right value for their RTL implementation.

In future if there are implementations that want extra support then we
can add a property. Right now I suspect there isn't any software that
expects it to work, so it probably isn't an issue and will help catch
faulty implementations.

Alistair

>
> Otherwise,
> Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
>
> Thanks,
> Zhiwei
>
> We were previously checking VLEN, instead of ELEN, so let's update to
> check ELEN instead of VLEN for fractional scaling.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
>  target/riscv/vector_helper.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c
> index 83dd26314d..b4fc791eb7 100644
> --- a/target/riscv/vector_helper.c
> +++ b/target/riscv/vector_helper.c
> @@ -47,18 +47,17 @@ target_ulong HELPER(vsetvl)(CPURISCVState *env, target_ulong s1,
>      target_ulong reserved = s2 &
>                              MAKE_64BIT_MASK(R_VTYPE_RESERVED_SHIFT,
>                                              xlen - 1 - R_VTYPE_RESERVED_SHIFT);
> -    uint16_t vlen = cpu->cfg.vlenb << 3;
>      int8_t lmul;
>
>      if (vlmul & 4) {
>          /*
>           * Fractional LMUL, check:
>           *
> -         * VLEN * LMUL >= SEW
> -         * VLEN >> (8 - lmul) >= sew
> -         * (vlenb << 3) >> (8 - lmul) >= sew
> +         * ELEN * LMUL >= SEW
> +         * ELEN >> (8 - vlmul) >= sew
>           */
> -        if (vlmul == 4 || (vlen >> (8 - vlmul)) < sew) {
> +        if (vlmul == 4 ||
> +            (cpu->cfg.elen >> (8 - vlmul)) < sew) {
>              vill = true;
>          }
>      }
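
Added example (not part of this thread and not QEMU's code): the fractional-LMUL test discussed in this message, evaluated once with VLEN and once with ELEN over every fractional vlmul and SEW, to show which vtype settings become vill. VLEN_BITS = 256 and ELEN_BITS = 64 are constructed values and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed configuration for illustration; not taken from the patch. */
#define VLEN_BITS 256u
#define ELEN_BITS 64u

/*
 * vlmul is the 3-bit vtype.vlmul field: 5 = 1/8, 6 = 1/4, 7 = 1/2,
 * and 4 is reserved. sew is the selected element width in bits.
 * The expression mirrors the one in the quoted hunk:
 *     vlmul == 4 || (width >> (8 - vlmul)) < sew
 */
static bool frac_lmul_vill(unsigned width_bits, unsigned vlmul, unsigned sew)
{
    if (!(vlmul & 4)) {
        return false;               /* integer LMUL, outside this check */
    }
    return vlmul == 4 || (width_bits >> (8 - vlmul)) < sew;
}

/* Check as it was before the patch: scale VLEN. */
static bool vill_with_vlen(unsigned vlmul, unsigned sew)
{
    return frac_lmul_vill(VLEN_BITS, vlmul, sew);
}

/* Check as proposed by the patch: scale ELEN. */
static bool vill_with_elen(unsigned vlmul, unsigned sew)
{
    return frac_lmul_vill(ELEN_BITS, vlmul, sew);
}

static const unsigned SEWS[] = { 8, 16, 32, 64 };
#define NUM_SEWS (sizeof(SEWS) / sizeof(SEWS[0]))

/* Number of (vlmul, sew) pairs accepted with VLEN but rejected with ELEN. */
static int count_newly_illegal(void)
{
    int n = 0;

    for (unsigned vlmul = 5; vlmul <= 7; vlmul++) {
        for (size_t i = 0; i < NUM_SEWS; i++) {
            if (!vill_with_vlen(vlmul, SEWS[i]) &&
                vill_with_elen(vlmul, SEWS[i])) {
                n++;
            }
        }
    }
    return n;
}

int main(void)
{
    printf("vlmul  LMUL  SEW  vill(VLEN=%u)  vill(ELEN=%u)\n",
           VLEN_BITS, ELEN_BITS);
    for (unsigned vlmul = 5; vlmul <= 7; vlmul++) {
        for (size_t i = 0; i < NUM_SEWS; i++) {
            printf("%5u  1/%-2u  %3u  %13d  %13d\n",
                   vlmul, 1u << (8 - vlmul), SEWS[i],
                   vill_with_vlen(vlmul, SEWS[i]),
                   vill_with_elen(vlmul, SEWS[i]));
        }
    }
    printf("settings that become vill: %d\n", count_newly_illegal());
    return 0;
}
```

With these values, LMUL = 1/2 and SEW = 64 is accepted by the VLEN form and rejected by the ELEN form, which is the kind of setting the two readings of "must support" disagree on.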



* Re: [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-07  9:38   ` Daniel Henrique Barboza
  2026-04-08  8:48     ` Philippe Mathieu-Daudé
@ 2026-04-09  5:38     ` Alistair Francis
  2026-04-09 10:02       ` Daniel Henrique Barboza
  1 sibling, 1 reply; 29+ messages in thread
From: Alistair Francis @ 2026-04-09  5:38 UTC (permalink / raw)
  To: Daniel Henrique Barboza
  Cc: palmer, liwei1518, zhiwei_liu, chao.liu.zevorn, qemu-riscv,
	qemu-devel, Alistair Francis

On Tue, Apr 7, 2026 at 7:38 PM Daniel Henrique Barboza
<daniel.barboza@oss.qualcomm.com> wrote:
>
>
>
> On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
> > From: Alistair Francis <alistair.francis@wdc.com>
> >
> > The RISC-V spec states:
> >
> > "For the purposes of memory protection, a failed SC.W may be treated
> > like a store."
> >
> > So if the comparison in sc.w fails we should still check for alignment
> > and do a probe access to check permissions.
> >
> > Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
> > Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
>
> Typo: "Resoves"
>
>
> Also, IIRC the bug URL that automatically closes Gitlab issues when
> merging the patch is on the format:
>
> "Resolves: https://gitlab.com/qemu-project/qemu/-/issues/(number)"

Interestingly trying to access

https://gitlab.com/qemu-project/qemu/-/issues/3196

takes me to

https://gitlab.com/qemu-project/qemu/-/work_items/3196

So I think Gitlab is changing from issues to work_items

>
>
> Maybe this URL with "work_items" also works, but even with the regular
> URL Gitlab fails to autoclose the bug sometimes.  I suggest changing the
> "work_items" to "issues" in all those URLs to be safe.

Maybe using "issues" is the problem?

I'm thinking of leaving these as-is, as issues seem to be replaced now.

I even see https://docs.gitlab.com/development/work_items/#migration-strategy
and https://gitlab.com/groups/gitlab-org/-/work_items/6033 with more
details on this

Alistair

>
>
> That said,
>
>
> Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
>
> > Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> > ---
> >   target/riscv/helper.h                   |  3 +++
> >   target/riscv/op_helper.c                | 14 ++++++++++++++
> >   target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
> >   3 files changed, 23 insertions(+)
> >
> > diff --git a/target/riscv/helper.h b/target/riscv/helper.h
> > index b785456ee0..af6cfcfc27 100644
> > --- a/target/riscv/helper.h
> > +++ b/target/riscv/helper.h
> > @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
> >   #ifndef CONFIG_USER_ONLY
> >   DEF_HELPER_1(ssamoswap_disabled, void, env)
> >   #endif
> > +
> > +/* Zalrsc" SC write probe */
> > +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
> > diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
> > index 6ccc127c30..b569366369 100644
> > --- a/target/riscv/op_helper.c
> > +++ b/target/riscv/op_helper.c
> > @@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env, target_ulong address)
> >       /* We don't emulate the cache-hierarchy, so we're done. */
> >   }
> >
> > +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
> > +                           target_ulong size)
> > +{
> > +    uintptr_t ra = GETPC();
> > +    int mmu_idx = riscv_env_mmu_index(env, false);
> > +
> > +    if (addr & (size - 1)) {
> > +        env->badaddr = addr;
> > +        riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra);
> > +    }
> > +
> > +    probe_write(env, addr, size, mmu_idx, ra);
> > +}
> > +
> >   #ifndef CONFIG_USER_ONLY
> >
> >   target_ulong helper_sret(CPURISCVState *env)
> > diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_trans/trans_rva.c.inc
> > index a7a3278d24..62c0fe673d 100644
> > --- a/target/riscv/insn_trans/trans_rva.c.inc
> > +++ b/target/riscv/insn_trans/trans_rva.c.inc
> > @@ -90,6 +90,12 @@ static bool gen_sc(DisasContext *ctx, arg_atomic *a, MemOp mop)
> >        */
> >       TCGBar bar_strl = (ctx->ztso || a->rl) ? TCG_BAR_STRL : 0;
> >       tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + bar_strl);
> > +    /*
> > +     * "For the purposes of memory protection, a failed SC.W may be treated
> > +     * like a store." so let's check the write access permissions
> > +     */
> > +    gen_helper_sc_probe_write(tcg_env, src1,
> > +                              tcg_constant_tl(memop_size(mop)));
> >       gen_set_gpr(ctx, a->rd, tcg_constant_tl(1));
> >
> >       gen_set_label(l2);
>



* Re: [PATCH 5/5] target/riscv: Use ELEN for Fractional LMUL check
  2026-04-09  5:32     ` Alistair Francis
@ 2026-04-09  6:05       ` LIU Zhiwei
  0 siblings, 0 replies; 29+ messages in thread
From: LIU Zhiwei @ 2026-04-09  6:05 UTC (permalink / raw)
  To: Alistair Francis
  Cc: palmer, liwei1518, daniel.barboza, chao.liu.zevorn, qemu-riscv,
	qemu-devel, Alistair Francis


On 4/9/26 1:32 PM, Alistair Francis wrote:
> On Tue, Apr 7, 2026 at 10:13 PM LIU Zhiwei <zhiwei_liu@linux.alibaba.com> wrote:
>> Hi Alistair,
>>
>> On 4/7/26 12:36 PM, alistair23@gmail.com wrote:
>>
>> From: Alistair Francis <alistair.francis@wdc.com>
>>
>> The RISC-V spec states that
>>
>> """
>> For a given supported fractional LMUL setting, implementations
>> must support SEW settings between SEWMIN and LMUL * ELEN, inclusive.
>> """
>>
>> I think the meaning  of "must support"  in specification is "must at least support" instead of "must only support".
> Good point, I didn't really think about that.
>
>> Sail or Spike have the same check as this patch to prevent user program can run on them, but
>> can't run on RTLs, as RTLs implementation may support SEW besides the  SEWMIN and LMUL * ELEN range.
>>
>> We can refer to discussion here: https://github.com/riscv-software-src/riscv-isa-sim/pull/620
> I think this is still the right fix, as it seems like it's unlikely
> there will be implementations that expect outside that minimum support
> to work, see https://github.com/riscv/riscv-isa-manual/issues/2359#issuecomment-3458627615
> for example.
Makes sense.
>
>> In my opinion, we had better add a option such as "frac_sew_check" to make user set right value for their RTL implementation.
> In future if there are implementations that want extra support that we
> can add a property.
Agree.
> Right now I suspect there isn't any software that
> expects it to work, so it probably isn't an issue and will help catch
> faulty implementations.

Some RTLs can issue more vector instructions in one cycle when lmul = 1/2
than when lmul = 1. It is useful for some workloads, such as H264, whose
typical calculation unit is 128 bits.
If vlen is 256 bits, software can set lmul to 1/2 (64-bit sew is allowed by
the specification, but forbidden by this patch) to issue more vector
instructions in one cycle for this type of workload.

Standard software should use this feature by vsetvl and vill detection.
So it should also work with this patch.

Thanks,
Zhiwei

>
> Alistair
>
>> Otherwise,
>> Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
>>
>> Thanks,
>> Zhiwei
>>
>> We were previously checking VLEN, instead of ELEN, so let's update to
>> check ELEN instead of VLEN for fractional scaling.
>>
>> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196
>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
>> ---
>>   target/riscv/vector_helper.c | 9 ++++-----
>>   1 file changed, 4 insertions(+), 5 deletions(-)
>>
>> diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c
>> index 83dd26314d..b4fc791eb7 100644
>> --- a/target/riscv/vector_helper.c
>> +++ b/target/riscv/vector_helper.c
>> @@ -47,18 +47,17 @@ target_ulong HELPER(vsetvl)(CPURISCVState *env, target_ulong s1,
>>       target_ulong reserved = s2 &
>>                               MAKE_64BIT_MASK(R_VTYPE_RESERVED_SHIFT,
>>                                               xlen - 1 - R_VTYPE_RESERVED_SHIFT);
>> -    uint16_t vlen = cpu->cfg.vlenb << 3;
>>       int8_t lmul;
>>
>>       if (vlmul & 4) {
>>           /*
>>            * Fractional LMUL, check:
>>            *
>> -         * VLEN * LMUL >= SEW
>> -         * VLEN >> (8 - lmul) >= sew
>> -         * (vlenb << 3) >> (8 - lmul) >= sew
>> +         * ELEN * LMUL >= SEW
>> +         * ELEN >> (8 - vlmul) >= sew
>>            */
>> -        if (vlmul == 4 || (vlen >> (8 - vlmul)) < sew) {
>> +        if (vlmul == 4 ||
>> +            (cpu->cfg.elen >> (8 - vlmul)) < sew) {
>>               vill = true;
>>           }
>>       }
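
Review bot: the rewritten comment in the fractional-LMUL branch mixes LMUL and vlmul between its two lines and no longer says why ELEN is the bound. Since the discussion above reads the spec text as the minimum SEW range an implementation must support, the comment should state that setting vill for SEW > LMUL * ELEN is QEMU enforcing that minimum, and spell out the mapping (vlmul 5, 6, 7 shift ELEN right by 3, 2, 1) so the `8 - vlmul` shift can be checked at a glance.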


^ permalink raw reply	[flat|nested] 29+ messages in thread
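
The case raised in the reply above (VLEN = 256, LMUL = 1/2, SEW = 64) can be reproduced with a standalone model of the old and patched checks. This is an added example, not QEMU code: the function names are hypothetical and ELEN = 64 is an assumed configuration.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Standalone model of the fractional-LMUL part of the vsetvl check.
 * vlmul is the 3-bit vtype.vlmul field: 5, 6, 7 encode LMUL = 1/8, 1/4, 1/2
 * and 4 is reserved. sew is the element width in bits.
 * bound_bits is VLEN for the old check and ELEN for the patched one.
 */
static bool frac_lmul_vill(unsigned bound_bits, unsigned vlmul, unsigned sew)
{
    if (!(vlmul & 4)) {
        return false;               /* integer LMUL: outside this check */
    }
    if (vlmul == 4) {
        return true;                /* reserved encoding */
    }
    return (bound_bits >> (8 - vlmul)) < sew;
}

/* Old behaviour: VLEN * LMUL >= SEW. */
static bool vill_with_vlen(unsigned vlen, unsigned vlmul, unsigned sew)
{
    return frac_lmul_vill(vlen, vlmul, sew);
}

/* Patched behaviour: ELEN * LMUL >= SEW. */
static bool vill_with_elen(unsigned elen, unsigned vlmul, unsigned sew)
{
    return frac_lmul_vill(elen, vlmul, sew);
}

/* Count the (vlmul, sew) pairs that were accepted before and now set vill. */
static int newly_rejected(unsigned vlen, unsigned elen)
{
    int count = 0;
    for (unsigned vlmul = 5; vlmul <= 7; vlmul++) {
        for (unsigned sew = 8; sew <= elen; sew <<= 1) {
            if (!vill_with_vlen(vlen, vlmul, sew) &&
                vill_with_elen(elen, vlmul, sew)) {
                count++;
            }
        }
    }
    return count;
}

int main(void)
{
    const unsigned vlen = 256, elen = 64;   /* constructed configuration */
    static const char *const lmul_name[] = { "1/8", "1/4", "1/2" };

    printf("LMUL  SEW  vill(VLEN check)  vill(ELEN check)\n");
    for (unsigned vlmul = 5; vlmul <= 7; vlmul++) {
        for (unsigned sew = 8; sew <= elen; sew <<= 1) {
            printf("%-4s  %3u  %-16d  %d\n", lmul_name[vlmul - 5], sew,
                   vill_with_vlen(vlen, vlmul, sew),
                   vill_with_elen(elen, vlmul, sew));
        }
    }
    printf("newly rejected: %d\n", newly_rejected(vlen, elen));
    return 0;
}
```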

* Re: [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-08  8:48     ` Philippe Mathieu-Daudé
@ 2026-04-09  6:21       ` Alistair Francis
  2026-04-09 10:00         ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 29+ messages in thread
From: Alistair Francis @ 2026-04-09  6:21 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: Daniel Henrique Barboza, palmer, liwei1518, zhiwei_liu,
	chao.liu.zevorn, qemu-riscv, qemu-devel, Alistair Francis

On Wed, Apr 8, 2026 at 6:48 PM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> On 7/4/26 11:38, Daniel Henrique Barboza wrote:
> >
> >
> > On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
> >> From: Alistair Francis <alistair.francis@wdc.com>
> >>
> >> The RISC-V spec states:
> >>
> >> "For the purposes of memory protection, a failed SC.W may be treated
> >> like a store."
> >>
> >> So if the comparison in sc.w fails we should still check for alignment
> >> and do a probe access to check permissions.
> >>
> >> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
> >> Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
> >
> > Typo: "Resoves"
> >
> >
> > Also, IIRC the bug URL that automatically closes Gitlab issues when
> > merging the patch is on the format:
> >
> > "Resolves: https://gitlab.com/qemu-project/qemu/-/issues/(number)"
> >
> >
> > Maybe this URL with "work_items" also works, but even with the regular
> > URL Gitlab fails to autoclose the bug sometimes.  I suggest changing the
> > "work_items" to "issues" in all those URLs to be safe.
>
> FWIW I concur :)
>
> >
> >
> > That said,
> >
> >
> > Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
> >
> >> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> >> ---
> >>   target/riscv/helper.h                   |  3 +++
> >>   target/riscv/op_helper.c                | 14 ++++++++++++++
> >>   target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
> >>   3 files changed, 23 insertions(+)
> >>
> >> diff --git a/target/riscv/helper.h b/target/riscv/helper.h
> >> index b785456ee0..af6cfcfc27 100644
> >> --- a/target/riscv/helper.h
> >> +++ b/target/riscv/helper.h
> >> @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
> >>   #ifndef CONFIG_USER_ONLY
> >>   DEF_HELPER_1(ssamoswap_disabled, void, env)
> >>   #endif
> >> +
> >> +/* Zalrsc" SC write probe */
> >> +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
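
Review bot: the new comment above DEF_HELPER_FLAGS_3 has a stray double quote, `/* Zalrsc" SC write probe */`. Drop the quote, and consider saying what the helper is for, e.g. that it performs the alignment and write-permission check for a failed SC.
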
> >> diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
> >> index 6ccc127c30..b569366369 100644
> >> --- a/target/riscv/op_helper.c
> >> +++ b/target/riscv/op_helper.c
> >> @@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env,
> >> target_ulong address)
> >>       /* We don't emulate the cache-hierarchy, so we're done. */
> >>   }
> >> +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
> >> +                           target_ulong size)
>
> We could directly use uint64_t for @size. Then after the release the
> @addr argument will be converted to vaddr type [*]. We could do that
> directly now:
>
>
> DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, vaddr, i64)
>
> void helper_sc_probe_write(CPURISCVState *env, vaddr addr,
>                             uint64_t size)

That fails for RV32 linux-user

../target/riscv/insn_trans/trans_rva.c.inc:97:40: error: passing
argument 2 of ‘gen_helper_sc_probe_write’ from incompatible pointer
type [-Wincompatible-pointer-types]
  97 |     gen_helper_sc_probe_write(tcg_env, src1,
     |                                        ^~~~
     |                                        |
     |                                        TCGv {aka struct TCGv_i32_d *}
In file included from
/var/mnt/scratch/alistair/software/qemu/include/qemu/osdep.h:53,
                from ../target/riscv/translate.c:19:
/var/mnt/scratch/alistair/software/qemu/include/exec/helper-head.h.inc:128:57:
note: expected ‘TCGv_i64’ {aka ‘struct TCGv_i64_d *’} but argument is
of type
‘TCGv’ {aka ‘struct TCGv_i32_d *’}
 128 | #define dh_arg_decl(t, n) glue(TCGv_, dh_alias(t)) glue(arg, n)
     |                                                         ^
/var/mnt/scratch/alistair/software/qemu/include/qemu/compiler.h:29:21:
note: in definition of macro ‘xglue’
  29 | #define xglue(x, y) x ## y
     |                     ^
/var/mnt/scratch/alistair/software/qemu/include/exec/helper-head.h.inc:128:52:
note: in expansion of macro ‘glue’
 128 | #define dh_arg_decl(t, n) glue(TCGv_, dh_alias(t)) glue(arg, n)
     |                                                    ^~~~
/var/mnt/scratch/alistair/software/qemu/include/exec/helper-gen.h.inc:44:25:
note: in expansion of macro ‘dh_arg_decl’
  44 |     dh_arg_decl(t1, 1), dh_arg_decl(t2, 2), dh_arg_decl(t3, 3))         \
     |                         ^~~~~~~~~~~
../target/riscv/helper.h:1294:1: note: in expansion of macro
‘DEF_HELPER_FLAGS_3’
1294 | DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, vaddr, i64)
     | ^~~~~~~~~~~~~~~~~~
In file included from
/var/mnt/scratch/alistair/software/qemu/include/tcg/tcg-op-common.h:11,
                from
/var/mnt/scratch/alistair/software/qemu/include/tcg/tcg-op.h:11,
                from ../target/riscv/translate.c:22:
/var/mnt/scratch/alistair/software/qemu/include/tcg/tcg.h:202:28:
note: ‘TCGv_i64’ declared here
 202 | typedef struct TCGv_i64_d *TCGv_i64;
     |                            ^~~~~~~~
/var/mnt/scratch/alistair/software/qemu/include/tcg/tcg-op.h:32:18:
note: ‘TCGv’ declared here
  32 | typedef TCGv_i32 TCGv;
     |                  ^~~~

Am I missing something?

Alistair

>
>
> [*]
> https://lore.kernel.org/qemu-devel/20260401143456.79843-1-philmd@linaro.org/
>
> >> +{
> >> +    uintptr_t ra = GETPC();
> >> +    int mmu_idx = riscv_env_mmu_index(env, false);
> >> +
> >> +    if (addr & (size - 1)) {
> >> +        env->badaddr = addr;
> >> +        riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra);
> >> +    }
> >> +
> >> +    probe_write(env, addr, size, mmu_idx, ra);
> >> +}
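
Review bot: `addr & (size - 1)` in helper_sc_probe_write() is only a valid alignment test when size is a non-zero power of two, and nothing in the helper enforces that. A size of 0 would turn the mask into all ones and raise the misaligned exception for every non-zero address. Add an assertion or a comment stating the precondition on size.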


^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-09  6:21       ` Alistair Francis
@ 2026-04-09 10:00         ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 29+ messages in thread
From: Philippe Mathieu-Daudé @ 2026-04-09 10:00 UTC (permalink / raw)
  To: Alistair Francis
  Cc: Daniel Henrique Barboza, palmer, liwei1518, zhiwei_liu,
	chao.liu.zevorn, qemu-riscv, qemu-devel, Alistair Francis

On 9/4/26 08:21, Alistair Francis wrote:
> On Wed, Apr 8, 2026 at 6:48 PM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>>
>> On 7/4/26 11:38, Daniel Henrique Barboza wrote:
>>>
>>>
>>> On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
>>>> From: Alistair Francis <alistair.francis@wdc.com>
>>>>
>>>> The RISC-V spec states:
>>>>
>>>> "For the purposes of memory protection, a failed SC.W may be treated
>>>> like a store."
>>>>
>>>> So if the comparison in sc.w fails we should still check for alignment
>>>> and do a probe access to check permissions.
>>>>
>>>> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
>>>> Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
>>>
>>> Typo: "Resoves"
>>>
>>>
>>> Also, IIRC the bug URL that automatically closes Gitlab issues when
>>> merging the patch is on the format:
>>>
>>> "Resolves: https://gitlab.com/qemu-project/qemu/-/issues/(number)"
>>>
>>>
>>> Maybe this URL with "work_items" also works, but even with the regular
>>> URL Gitlab fails to autoclose the bug sometimes.  I suggest changing the
>>> "work_items" to "issues" in all those URLs to be safe.
>>
>> FWIW I concur :)
>>
>>>
>>>
>>> That said,
>>>
>>>
>>> Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
>>>
>>>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
>>>> ---
>>>>    target/riscv/helper.h                   |  3 +++
>>>>    target/riscv/op_helper.c                | 14 ++++++++++++++
>>>>    target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
>>>>    3 files changed, 23 insertions(+)
>>>>
>>>> diff --git a/target/riscv/helper.h b/target/riscv/helper.h
>>>> index b785456ee0..af6cfcfc27 100644
>>>> --- a/target/riscv/helper.h
>>>> +++ b/target/riscv/helper.h
>>>> @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
>>>>    #ifndef CONFIG_USER_ONLY
>>>>    DEF_HELPER_1(ssamoswap_disabled, void, env)
>>>>    #endif
>>>> +
>>>> +/* Zalrsc" SC write probe */
>>>> +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
>>>> diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
>>>> index 6ccc127c30..b569366369 100644
>>>> --- a/target/riscv/op_helper.c
>>>> +++ b/target/riscv/op_helper.c
>>>> @@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env,
>>>> target_ulong address)
>>>>        /* We don't emulate the cache-hierarchy, so we're done. */
>>>>    }
>>>> +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
>>>> +                           target_ulong size)
>>
>> We could directly use uint64_t for @size. Then after the release the
>> @addr argument will be converted to vaddr type [*]. We could do that
>> directly now:
>>
>>
>> DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, vaddr, i64)
>>
>> void helper_sc_probe_write(CPURISCVState *env, vaddr addr,
>>                              uint64_t size)
> 
> That fails for RV32 linux-user
> 
> ../target/riscv/insn_trans/trans_rva.c.inc:97:40: error: passing
> argument 2 of ‘gen_helper_sc_probe_write’ from incompatible pointer
> type [-Wincompatible-pointer-types]
>    97 |     gen_helper_sc_probe_write(tcg_env, src1,
>       |                                        ^~~~
>       |                                        |
>       |                                        TCGv {aka struct TCGv_i32_d *}
> In file included from
> /var/mnt/scratch/alistair/software/qemu/include/qemu/osdep.h:53,
>                  from ../target/riscv/translate.c:19:
> /var/mnt/scratch/alistair/software/qemu/include/exec/helper-head.h.inc:128:57:
> note: expected ‘TCGv_i64’ {aka ‘struct TCGv_i64_d *’} but argument is
> of type
> ‘TCGv’ {aka ‘struct TCGv_i32_d *’}
>   128 | #define dh_arg_decl(t, n) glue(TCGv_, dh_alias(t)) glue(arg, n)
>       |                                                         ^
> /var/mnt/scratch/alistair/software/qemu/include/qemu/compiler.h:29:21:
> note: in definition of macro ‘xglue’
>    29 | #define xglue(x, y) x ## y
>       |                     ^
> /var/mnt/scratch/alistair/software/qemu/include/exec/helper-head.h.inc:128:52:
> note: in expansion of macro ‘glue’
>   128 | #define dh_arg_decl(t, n) glue(TCGv_, dh_alias(t)) glue(arg, n)
>       |                                                    ^~~~
> /var/mnt/scratch/alistair/software/qemu/include/exec/helper-gen.h.inc:44:25:
> note: in expansion of macro ‘dh_arg_decl’
>    44 |     dh_arg_decl(t1, 1), dh_arg_decl(t2, 2), dh_arg_decl(t3, 3))         \
>       |                         ^~~~~~~~~~~
> ../target/riscv/helper.h:1294:1: note: in expansion of macro
> ‘DEF_HELPER_FLAGS_3’
> 1294 | DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, vaddr, i64)
>       | ^~~~~~~~~~~~~~~~~~
> In file included from
> /var/mnt/scratch/alistair/software/qemu/include/tcg/tcg-op-common.h:11,
>                  from
> /var/mnt/scratch/alistair/software/qemu/include/tcg/tcg-op.h:11,
>                  from ../target/riscv/translate.c:22:
> /var/mnt/scratch/alistair/software/qemu/include/tcg/tcg.h:202:28:
> note: ‘TCGv_i64’ declared here
>   202 | typedef struct TCGv_i64_d *TCGv_i64;
>       |                            ^~~~~~~~
> /var/mnt/scratch/alistair/software/qemu/include/tcg/tcg-op.h:32:18:
> note: ‘TCGv’ declared here
>    32 | typedef TCGv_i32 TCGv;
>       |                  ^~~~
> 
> Am I missing something?

Oh, RISCV needs more work than :( Discard my suggestion then,
thanks for trying it and sorry for the delay.

Regards,

Phil.


^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-09  5:38     ` Alistair Francis
@ 2026-04-09 10:02       ` Daniel Henrique Barboza
  2026-04-09 23:29         ` Alistair Francis
  0 siblings, 1 reply; 29+ messages in thread
From: Daniel Henrique Barboza @ 2026-04-09 10:02 UTC (permalink / raw)
  To: Alistair Francis
  Cc: palmer, liwei1518, zhiwei_liu, chao.liu.zevorn, qemu-riscv,
	qemu-devel, Alistair Francis



On 4/9/2026 2:38 AM, Alistair Francis wrote:
> On Tue, Apr 7, 2026 at 7:38 PM Daniel Henrique Barboza
> <daniel.barboza@oss.qualcomm.com> wrote:
>>
>>
>>
>> On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
>>> From: Alistair Francis <alistair.francis@wdc.com>
>>>
>>> The RISC-V spec states:
>>>
>>> "For the purposes of memory protection, a failed SC.W may be treated
>>> like a store."
>>>
>>> So if the comparison in sc.w fails we should still check for alignment
>>> and do a probe access to check permissions.
>>>
>>> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
>>> Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
>>
>> Typo: "Resoves"
>>
>>
>> Also, IIRC the bug URL that automatically closes Gitlab issues when
>> merging the patch is on the format:
>>
>> "Resolves: https://gitlab.com/qemu-project/qemu/-/issues/(number)"
> 
> Interestingly trying to access
> 
> https://gitlab.com/qemu-project/qemu/-/issues/3196
> 
> takes me to
> 
> https://gitlab.com/qemu-project/qemu/-/work_items/3196
> 
> So I think Gitlab is changing from issues to work_items
> 
>>
>>
>> Maybe this URL with "work_items" also works, but even with the regular
>> URL Gitlab fails to autoclose the bug sometimes.  I suggest changing the
>> "work_items" to "issues" in all those URLs to be safe.
> 
> Maybe using "issues" is the problem?
> 
> I'm thinking of leaving these as-is, as issues seem to be replaced now.
> 
> I even see https://docs.gitlab.com/development/work_items/#migration-strategy
> and https://gitlab.com/groups/gitlab-org/-/work_items/6033 with more
> details on this

Seems like you're ahead of the curve then :D let's leave it as is and
see if the bug autocloses when the patches are merged.


Thanks,
Daniel

> 
> Alistair
> 
>>
>>
>> That said,
>>
>>
>> Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
>>
>>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
>>> ---
>>>    target/riscv/helper.h                   |  3 +++
>>>    target/riscv/op_helper.c                | 14 ++++++++++++++
>>>    target/riscv/insn_trans/trans_rva.c.inc |  6 ++++++
>>>    3 files changed, 23 insertions(+)
>>>
>>> diff --git a/target/riscv/helper.h b/target/riscv/helper.h
>>> index b785456ee0..af6cfcfc27 100644
>>> --- a/target/riscv/helper.h
>>> +++ b/target/riscv/helper.h
>>> @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
>>>    #ifndef CONFIG_USER_ONLY
>>>    DEF_HELPER_1(ssamoswap_disabled, void, env)
>>>    #endif
>>> +
>>> +/* Zalrsc" SC write probe */
>>> +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
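
Review bot: both helper arguments are declared `tl`, but the size argument is a translate-time constant built from memop_size(mop) at the call site, so it does not need to be target-width. Declaring it `i32` and passing tcg_constant_i32(memop_size(mop)) would keep that argument's type identical for RV32 and RV64 builds; if `tl` is kept deliberately, say so in the comment.
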
>>> diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
>>> index 6ccc127c30..b569366369 100644
>>> --- a/target/riscv/op_helper.c
>>> +++ b/target/riscv/op_helper.c
>>> @@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env, target_ulong address)
>>>        /* We don't emulate the cache-hierarchy, so we're done. */
>>>    }
>>>
>>> +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
>>> +                           target_ulong size)
>>> +{
>>> +    uintptr_t ra = GETPC();
>>> +    int mmu_idx = riscv_env_mmu_index(env, false);
>>> +
>>> +    if (addr & (size - 1)) {
>>> +        env->badaddr = addr;
>>> +        riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra);
>>> +    }
>>> +
>>> +    probe_write(env, addr, size, mmu_idx, ra);
>>> +}
>>> +
>>>    #ifndef CONFIG_USER_ONLY
>>>
>>>    target_ulong helper_sret(CPURISCVState *env)
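
Review bot: helper_sc_probe_write() falls through from the misalignment branch to probe_write() with no else, so it depends on riscv_raise_exception() not returning. A short function comment saying that, and that the helper exists for the failed-SC path so permission faults are reported even though no store is performed, would make the control flow obvious to the next reader.
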
>>> diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_trans/trans_rva.c.inc
>>> index a7a3278d24..62c0fe673d 100644
>>> --- a/target/riscv/insn_trans/trans_rva.c.inc
>>> +++ b/target/riscv/insn_trans/trans_rva.c.inc
>>> @@ -90,6 +90,12 @@ static bool gen_sc(DisasContext *ctx, arg_atomic *a, MemOp mop)
>>>         */
>>>        TCGBar bar_strl = (ctx->ztso || a->rl) ? TCG_BAR_STRL : 0;
>>>        tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + bar_strl);
>>> +    /*
>>> +     * "For the purposes of memory protection, a failed SC.W may be treated
>>> +     * like a store." so let's check the write access permissions
>>> +     */
>>> +    gen_helper_sc_probe_write(tcg_env, src1,
>>> +                              tcg_constant_tl(memop_size(mop)));
>>>        gen_set_gpr(ctx, a->rd, tcg_constant_tl(1));
>>>
>>>        gen_set_label(l2);
>>



^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 1/5] target/riscv: Generate access fault if sc comparison fails
  2026-04-09 10:02       ` Daniel Henrique Barboza
@ 2026-04-09 23:29         ` Alistair Francis
  0 siblings, 0 replies; 29+ messages in thread
From: Alistair Francis @ 2026-04-09 23:29 UTC (permalink / raw)
  To: Daniel Henrique Barboza
  Cc: palmer, liwei1518, zhiwei_liu, chao.liu.zevorn, qemu-riscv,
	qemu-devel, Alistair Francis

On Thu, Apr 9, 2026 at 8:02 PM Daniel Henrique Barboza
<daniel.barboza@oss.qualcomm.com> wrote:
>
>
>
> On 4/9/2026 2:38 AM, Alistair Francis wrote:
> > On Tue, Apr 7, 2026 at 7:38 PM Daniel Henrique Barboza
> > <daniel.barboza@oss.qualcomm.com> wrote:
> >>
> >>
> >>
> >> On 4/7/2026 1:36 AM, alistair23@gmail.com wrote:
> >>> From: Alistair Francis <alistair.francis@wdc.com>
> >>>
> >>> The RISC-V spec states:
> >>>
> >>> "For the purposes of memory protection, a failed SC.W may be treated
> >>> like a store."
> >>>
> >>> So if the comparison in sc.w fails we should still check for alignment
> >>> and do a probe access to check permissions.
> >>>
> >>> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
> >>> Resoves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
> >>
> >> Typo: "Resoves"
> >>
> >>
> >> Also, IIRC the bug URL that automatically closes Gitlab issues when
> >> merging the patch is on the format:
> >>
> >> "Resolves: https://gitlab.com/qemu-project/qemu/-/issues/(number)"
> >
> > Interestingly trying to access
> >
> > https://gitlab.com/qemu-project/qemu/-/issues/3196
> >
> > takes me to
> >
> > https://gitlab.com/qemu-project/qemu/-/work_items/3196
> >
> > So I think Gitlab is changing from issues to work_items
> >
> >>
> >>
> >> Maybe this URL with "work_items" also works, but even with the regular
> >> URL Gitlab fails to autoclose the bug sometimes.  I suggest changing the
> >> "work_items" to "issues" in all those URLs to be safe.
> >
> > Maybe using "issues" is the problem?
> >
> > I'm thinking of leaving these as-is, as issues seem to be replaced now.
> >
> > I even see https://docs.gitlab.com/development/work_items/#migration-strategy
> > and https://gitlab.com/groups/gitlab-org/-/work_items/6033 with more
> > details on this
>
> Seems like you're ahead of the curve then :D let's leave it as is and
> see if the bug autocloses when the patches are merged.

I didn't know that when I started, I just tried to open the issue link
and it went to work_items :)

Seems like it does work though:
https://gitlab.com/qemu-project/qemu/-/work_items/2796

Alistair


^ permalink raw reply	[flat|nested] 29+ messages in thread
