On 6/15/2026 10:24 AM, ZhengXiang Qin wrote:
TCG plugins may read registers from the vcpu_init_cb() callback. For
vtype, this reaches read_vtype() before env->xl has been initialized.
In that case read_vtype() currently hits g_assert_not_reached() because
env->xl is zero. Fall back to the CPU's maximum XLEN only for this
early-init case.
Fixes: 638181a180bd ("core/cpu-common: initialise plugin state before thread
creation")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3545
Signed-off-by: ZhengXiang Qin <[email protected]>
---
Reviewed-by: Daniel Henrique Barboza <[email protected]>
target/riscv/csr.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index 5514e0f455..6ade7ccb0b 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -936,7 +936,16 @@ static RISCVException read_vtype(CPURISCVState *env, int
csrno,
target_ulong *val)
{
uint64_t vill;
- switch (env->xl) {
+ int xl = env->xl;
+ /*
+ * TCG plugins can read registers before env->xl is initialized.
+ * Fall back to the CPU's maximum XLEN in that early-init case.
+ */
+ if (xl == 0) {
+ xl = riscv_cpu_mxl(env);
+ }
+
+ switch (xl) {
case MXL_RV32:
vill = (uint32_t)env->vill << 31;
break;
