RISC-V: Hypervisor extension - Incorrect handling of lr/sc reservation stations
Host environment
- Operating system: Ubuntu 22.04.5 LTS
- OS/kernel version: 6.8.0-79-generic
- Architecture: x86
- QEMU flavor: qemu-system-riscv64
- QEMU version: 10.1.0 (commit f8b2f64e)
- QEMU command line:
./qemu-system-riscv64 -nographic \
  -machine virt \
  -cpu rv64,g=on,c=on,h=on \
  -m 512M \
  -bios none \
  -kernel "build/qemu/rvh_test.bin"
Emulated/Virtualized environment
- Operating system: - (baremetal)
- OS/kernel version: - (baremetal)
- Architecture: RISC-V (riscv64-softmmu)
Description of problem
I am executing tests for the riscv hypervisor extension from https://github.com/josecm/riscv-hyp-tests.
In particular, the test "correct tinst when executing a sc.w which results in a spf" in the tinst_tests category fails.
Following is the analysis of what the test is checking, what the test expects and what QEMU does.
What the test checks
Together with the previous test, "correct tinst when executing a lr.w which results in a lpf", this test checks the correctness of the execution of LR/SC pairs, which must provide atomicity across the entire address space regardless of the addresses involved. To check that an LR and an SC instruction are paired, a reservation station is used. This reservation station is a register in which the LR instruction stores the accessed address. Later, the SC instruction checks whether its address matches the one in the reservation station. If the addresses are not equal, the SC instruction fails, returning an error in its rd register.
What the test expects
When executing a lr.w instruction, even if the accessed address faults, the reservation station is updated with that address. A following sc.w instruction to the same address, after checking that the address matches the one in the reservation station, should raise an spf exception when accessing the faulting address.
What QEMU does
When QEMU executes the translated block (TB) created for the lr.w instruction and detects the lpf exception, the state of the emulator is rolled back to the beginning of that TB, also losing the modification of the reservation station (the faulting address that was emitted). When the TB corresponding to the sc.w instruction is executed, the TB first checks whether the address of the sc.w and that of the reservation station match. Since this check fails, QEMU returns an error in the rd register of sc.w instead of raising an spf exception.
Comments
QEMU should not modify the value stored in the reservation station in the lr.w TB under an exception.
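To make the two behaviours concrete, here is an added C model of the reservation-station semantics described above (it is not code from the bug report, QEMU or riscv-hyp-tests). The page table, the addresses and the rollback_on_fault switch are constructed for the example; the model follows the ordering the report describes, where the sc.w reservation check happens before the store is translated.

```c
/* Added example: a minimal model of lr.w/sc.w reservation handling,
 * contrasting the behaviour the test expects with the reported QEMU
 * behaviour where a faulting lr.w TB is rolled back. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum result { OK, SC_FAILED, LOAD_PAGE_FAULT, STORE_PAGE_FAULT };

struct hart {
    uint64_t reservation;      /* address held by the reservation station */
    bool     reserved;         /* reservation station holds a valid address */
    bool     rollback_on_fault;/* constructed switch: discard TB side effects on a fault */
};

/* Constructed page table: only addresses below 0x1000 are mapped. */
static bool mapped(uint64_t addr) { return addr < 0x1000; }

static enum result lr_w(struct hart *h, uint64_t addr) {
    uint64_t saved_res = h->reservation;
    bool     saved_flag = h->reserved;
    /* The reservation is registered as part of executing lr.w. */
    h->reservation = addr;
    h->reserved = true;
    if (!mapped(addr)) {
        /* Reported QEMU behaviour: the whole TB is rolled back, so the
         * reservation update is lost together with the faulting load. */
        if (h->rollback_on_fault) { h->reservation = saved_res; h->reserved = saved_flag; }
        return LOAD_PAGE_FAULT;
    }
    return OK;
}

static enum result sc_w(struct hart *h, uint64_t addr) {
    /* Reservation check first; only then is the store translated. */
    if (!h->reserved || h->reservation != addr) return SC_FAILED;
    h->reserved = false;
    if (!mapped(addr)) return STORE_PAGE_FAULT;
    return OK;
}

/* The report's scenario: lr.w then sc.w on the same address. */
enum result run_pair(bool rollback_on_fault, uint64_t addr) {
    struct hart h = { 0, false, rollback_on_fault };
    lr_w(&h, addr);                 /* lpf when addr is unmapped */
    return sc_w(&h, addr);
}

int main(void) {
    printf("expected:         %d (STORE_PAGE_FAULT=%d)\n", run_pair(false, 0x2000), STORE_PAGE_FAULT);
    printf("QEMU as reported: %d (SC_FAILED=%d)\n", run_pair(true, 0x2000), SC_FAILED);
    return 0;
}
```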
Steps to reproduce
Assuming a riscv64-unknown-elf- cross compiler is installed on the machine:
git clone https://github.com/josecm/riscv-hyp-tests.git
cd riscv-hyp-tests
LOG_LEVEL=LOG_VERBOSE PLAT=qemu make
- Execute the QEMU command line given above under "Host environment".