Move gen_update_pc call before conditional logic to ensure consistent PC state regardless of execution path.
Previously, the host instructions generated to update the cpu_pc were only executed in the failure path when shadow stack validation failed. This created inconsistent PC synchronization. This inconsistency caused issues in CF_PCREL mode where subsequent instructions calculated wrong relative offsets from stale pc_save values, and could lead to incorrect exception return addresses. This fix ensures PC is always synchronized before any helper that might raise an exception, maintaining consistent translator state across all execution paths. Signed-off-by: Max Chou <[email protected]> --- target/riscv/insn_trans/trans_rvzicfiss.c.inc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/target/riscv/insn_trans/trans_rvzicfiss.c.inc b/target/riscv/insn_trans/trans_rvzicfiss.c.inc index 0b6ad57965c..f76697b8a11 100644 --- a/target/riscv/insn_trans/trans_rvzicfiss.c.inc +++ b/target/riscv/insn_trans/trans_rvzicfiss.c.inc @@ -32,6 +32,9 @@ static bool trans_sspopchk(DisasContext *ctx, arg_sspopchk *a) TCGLabel *skip = gen_new_label(); uint32_t tmp = (get_xl(ctx) == MXL_RV64) ? 8 : 4; TCGv data = tcg_temp_new(); + + gen_update_pc(ctx, 0); + tcg_gen_ld_tl(addr, tcg_env, offsetof(CPURISCVState, ssp)); decode_save_opc(ctx, RISCV_UW2_ALWAYS_STORE_AMO); tcg_gen_qemu_ld_tl(data, addr, SS_MMU_INDEX(ctx), @@ -40,7 +43,6 @@ static bool trans_sspopchk(DisasContext *ctx, arg_sspopchk *a) tcg_gen_brcond_tl(TCG_COND_EQ, data, rs1, skip); tcg_gen_st_tl(tcg_constant_tl(RISCV_EXCP_SW_CHECK_BCFI_TVAL), tcg_env, offsetof(CPURISCVState, sw_check_code)); - gen_update_pc(ctx, 0); gen_helper_raise_exception(tcg_env, tcg_constant_i32(RISCV_EXCP_SW_CHECK)); gen_set_label(skip); -- 2.43.0
