On Tue, Jun 16, 2026 at 1:11 AM ZhengXiang Qin
<[email protected]> wrote:
>
> TCG plugins may read registers from the vcpu_init_cb() callback. For
> vtype, this reaches read_vtype() before env->xl has been initialized.
>
> In that case read_vtype() currently hits g_assert_not_reached() because
> env->xl is zero. Fall back to the CPU's maximum XLEN only for this
> early-init case.
>
> Fixes: 638181a180bd ("core/cpu-common: initialise plugin state before thread
> creation")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3545
> Signed-off-by: ZhengXiang Qin <[email protected]>
Thanks!
Applied to riscv-to-apply.next
Alistair
> ---
> target/riscv/csr.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index 5514e0f455..6ade7ccb0b 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -936,7 +936,16 @@ static RISCVException read_vtype(CPURISCVState *env, int
> csrno,
> target_ulong *val)
> {
> uint64_t vill;
> - switch (env->xl) {
> + int xl = env->xl;
> + /*
> + * TCG plugins can read registers before env->xl is initialized.
> + * Fall back to the CPU's maximum XLEN in that early-init case.
> + */
> + if (xl == 0) {
> + xl = riscv_cpu_mxl(env);
> + }
> +
> + switch (xl) {
> case MXL_RV32:
> vill = (uint32_t)env->vill << 31;
> break;
> --
> 2.43.0
>
>
