
Possible incorrect exception order in RISC-V

Dear all, I have a question about exception priority order in QEMU.

According to the RISC-V privileged spec [1], section 3.1.15, the "Load/store/AMO address breakpoint" exception has higher priority than any of:

  • First encountered page fault or access fault (during address translation for an explicit memory access)
  • Load/store/AMO access fault (with physical address for an explicit memory access)
  • Load/store/AMO address misaligned

I have made a simple test, which sets a breakpoint on a particular memory address and then tries to load data from the address. I expect that I should always get a load address breakpoint exception. But in fact that is not the case. In my test I populate the page table, so the data load does not trigger a page fault. But if I omit this step, I get a load page fault. I think this contradicts the specification.

I think the reason for such behavior is how the mmu_lookup() function from accel/tcg/cputlb.c works. But first I'd like to make sure that my expectation is correct. Can somebody please take a look at my tests and provide comments?

[1]: The RISC-V Instruction Set Manual: Volume II: Privileged Architecture

excp-order-test.tar.xz

Reproducer:

  1. Download the archive and extract from it a test, a linker file and a Makefile.
  2. make run-bad - run a test without page table initialisation.
  3. Exit from QEMU with Ctrl + a + x.
  4. head run-bad.log - here we wait to see a breakpoint exception but see a load_page_fault exception.
  5. make run-good
  6. Exit from QEMU with Ctrl + a + x.
  7. head run-good.log - here a page table is initialised and we get a breakpoint exception.
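
The following is an added example, not part of the original report and not QEMU code or the attached test. It models a load on a toy hart to show why check ordering decides which exception is reported: the spec order from the list above against a translate-first order that reproduces the run-bad symptom. `struct toy_cpu`, the function names, the exact-match breakpoint and all addresses are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* mcause values for the exceptions named in the report. */
enum { EXC_NONE = -1, EXC_BREAKPOINT = 3, EXC_LOAD_MISALIGNED = 4,
       EXC_LOAD_ACCESS_FAULT = 5, EXC_LOAD_PAGE_FAULT = 13 };

/* Hypothetical toy hart: one data breakpoint, one 4 KiB mapping, one RAM window. */
struct toy_cpu {
    bool bp_enabled;  uint64_t bp_vaddr;           /* exact-match trigger assumed */
    bool page_mapped; uint64_t page_va, page_pa;
    uint64_t ram_base, ram_size;
};

static bool translate(const struct toy_cpu *c, uint64_t va, uint64_t *pa) {
    if (!c->page_mapped || (va & ~0xfffULL) != c->page_va) return false;
    *pa = c->page_pa | (va & 0xfffULL);
    return true;
}

/* Checks made once a physical address exists: access fault, then misaligned. */
static int post_translate(const struct toy_cpu *c, uint64_t va, uint64_t pa, unsigned size) {
    if (pa < c->ram_base || pa + size > c->ram_base + c->ram_size) return EXC_LOAD_ACCESS_FAULT;
    return (va & (size - 1)) ? EXC_LOAD_MISALIGNED : EXC_NONE;
}

/* Order from the list above: the breakpoint is matched on the virtual address first. */
static int load_exc_spec_order(const struct toy_cpu *c, uint64_t va, unsigned size) {
    uint64_t pa;
    if (c->bp_enabled && va == c->bp_vaddr) return EXC_BREAKPOINT;
    if (!translate(c, va, &pa)) return EXC_LOAD_PAGE_FAULT;
    return post_translate(c, va, pa, size);
}

/* Translate-first model: a failed page walk hides the breakpoint (the run-bad symptom). */
static int load_exc_translate_first(const struct toy_cpu *c, uint64_t va, unsigned size) {
    uint64_t pa;
    if (!translate(c, va, &pa)) return EXC_LOAD_PAGE_FAULT;
    if (c->bp_enabled && va == c->bp_vaddr) return EXC_BREAKPOINT;
    return post_translate(c, va, pa, size);
}

int main(void) {
    /* Constructed state: breakpoint set, page table left empty, as in run-bad. */
    struct toy_cpu bad = { true, 0x40000000ULL, false, 0, 0, 0x80000000ULL, 0x08000000ULL };
    printf("unmapped page: spec order -> %d, translate first -> %d\n",
           load_exc_spec_order(&bad, 0x40000000ULL, 4), load_exc_translate_first(&bad, 0x40000000ULL, 4));
    return 0;
}
```

With the page mapped, both orderings report the breakpoint, which is why only the run without page table initialisation exposes the difference.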