Fix T2C memory visibility race

The T2C compilation thread could set hot2 flag before compiled code was
fully visible to the main thread, causing execution of invalid function
pointers. This resulted in incorrect calculation results in the pi test.

Problem:
- volatile alone doesn't provide memory ordering guarantees
- CPU could reorder operations, making hot2=true visible before block->func
- Led to executing stale or partially written function pointers

Solution:
- Use __atomic_store_n with __ATOMIC_RELEASE when setting hot2
- Use __atomic_load_n with __ATOMIC_ACQUIRE when reading hot2
- Release-Acquire synchronization ensures proper ordering

This creates a happens-before relationship: when the main thread
observes hot2=true via acquire, it is guaranteed to see all writes
(including block->func) that happened before the release.

Author: jserv

src/emulate.c

@@ -278,12 +278,12 @@ static block_t *block_alloc(riscv_t *rv)
 #if RV32_HAS(JIT)
     block->translatable = true;
     block->hot = false;
-    block->hot2 = false;
+    __atomic_store_n(&block->hot2, false, __ATOMIC_RELAXED);
     block->has_loops = false;
     block->n_invoke = 0;
     INIT_LIST_HEAD(&block->list);
 #if RV32_HAS(T2C)
-    block->compiled = false;
+    __atomic_store_n(&block->compiled, false, __ATOMIC_RELAXED);
 #endif
 #endif
     return block;
@@ -918,6 +918,36 @@ static block_t *block_find_or_translate(riscv_t *rv)
         return next_blk;
     }
 
+#if RV32_HAS(T2C)
+    /* Never evict blocks with hot2 set - they may be executing in another
+     * thread
+     */
+    if (__atomic_load_n(&replaced_blk->hot2, __ATOMIC_ACQUIRE)) {
+        /* This block has compiled T2C code - do not evict it.
+         * Try to find the block we actually need in the cache.
+         */
+        block_t *found = cache_get(rv->block_cache, rv->PC, false);
+        pthread_mutex_unlock(&rv->cache_lock);
+
+        if (found) {
+            /* Found the block we need - free the newly allocated one */
+            for (rv_insn_t *ir = next_blk->ir_head, *next_ir; ir; ir = next_ir) {
+                next_ir = ir->next;
+                free(ir->fuse);
+                mpool_free(rv->block_ir_mp, ir);
+            }
+            list_del_init(&next_blk->list);
+            mpool_free(rv->block_mp, next_blk);
+            return found;
+        }
+
+        /* If not found and cache is full of hot2 blocks, return the new block
+         * even though it won't be cached. This prevents deadlock.
+         */
+        return next_blk;
+    }
+#endif
+
     if (prev == replaced_blk)
         prev = NULL;
 
@@ -930,32 +960,25 @@ static block_t *block_find_or_translate(riscv_t *rv)
         rv_insn_t *taken = entry->ir_tail->branch_taken,
                   *untaken = entry->ir_tail->branch_untaken;
 
-        if (taken == replaced_blk_entry) {
+        if (taken == replaced_blk_entry)
             entry->ir_tail->branch_taken = NULL;
-        }
-        if (untaken == replaced_blk_entry) {
+        if (untaken == replaced_blk_entry)
             entry->ir_tail->branch_untaken = NULL;
-        }
 
         /* upadte JALR LUT */
-        if (!entry->ir_tail->branch_table) {
+        if (!entry->ir_tail->branch_table)
             continue;
-        }
 
-        /**
-         * TODO: upadate all JALR instructions which references to this
-         * basic block as the destination.
+        /* TODO: upadate all JALR instructions which references to this basic
+         * block as the destination.
          */
     }
 
     /* free IRs in replaced block */
-    for (rv_insn_t *ir = replaced_blk->ir_head, *next_ir; ir != NULL;
+    for (rv_insn_t *ir = replaced_blk->ir_head, *next_ir; ir;
          ir = next_ir) {
         next_ir = ir->next;
-
-        if (ir->fuse)
-            free(ir->fuse);
-
+        free(ir->fuse);
         mpool_free(rv->block_ir_mp, ir);
     }
 
@@ -1121,15 +1144,20 @@ void rv_step(void *arg)
 #if RV32_HAS(JIT)
 #if RV32_HAS(T2C)
         /* executed through the tier-2 JIT compiler */
-        if (block->hot2) {
-            /* hot2 is volatile, ensuring visibility across threads */
-            ((exec_t2c_func_t) block->func)(rv);
+        if (__atomic_load_n(&block->hot2, __ATOMIC_ACQUIRE)) {
+            /* Lock to ensure block remains valid during execution */
+            pthread_mutex_lock(&rv->cache_lock);
+            /* Re-verify the block is still hot2 after acquiring lock */
+            if (__atomic_load_n(&block->hot2, __ATOMIC_ACQUIRE))
+                ((exec_t2c_func_t) block->func)(rv);
+            pthread_mutex_unlock(&rv->cache_lock);
             prev = NULL;
             continue;
         } /* check if invoking times of t1 generated code exceed threshold */
-        else if (!block->compiled && block->n_invoke >= THRESHOLD) {
+        else if (!__atomic_load_n(&block->compiled, __ATOMIC_ACQUIRE) &&
+                 block->n_invoke >= THRESHOLD) {
             /* Mark block as queued for compilation to avoid re-queueing */
-            block->compiled = true;
+            __atomic_store_n(&block->compiled, true, __ATOMIC_RELEASE);
             queue_entry_t *entry = malloc(sizeof(queue_entry_t));
             entry->block = block;
             pthread_mutex_lock(&rv->wait_queue_lock);

src/riscv_private.h

@@ -85,8 +85,8 @@ typedef struct block {
 
     rv_insn_t *ir_head, *ir_tail; /**< the first and last ir for this block */
 #if RV32_HAS(JIT)
-    bool hot;           /**< Determine the block is potential hotspot or not */
-    volatile bool hot2; /**< Determine the block is strong hotspot or not */
+    bool hot;  /**< Determine the block is potential hotspot or not */
+    bool hot2; /**< Determine the block is strong hotspot or not */
     bool
         translatable; /**< Determine the block has RV32AF insturctions or not */
     bool has_loops;   /**< Determine the block has loop or not */

src/t2c.c

@@ -336,18 +336,26 @@ void t2c_compile(riscv_t *rv, block_t *block)
     }
 
     /* Return the function pointer of T2C generated machine code */
-    block->func = (exec_t2c_func_t) LLVMGetPointerToGlobal(engine, start);
+    exec_t2c_func_t func =
+        (exec_t2c_func_t) LLVMGetPointerToGlobal(engine, start);
 
 #if RV32_HAS(SYSTEM)
     uint64_t key = (uint64_t) block->pc_start | ((uint64_t) block->satp << 32);
 #else
     uint64_t key = (uint64_t) block->pc_start;
 #endif
 
-    jit_cache_update(rv->jit_cache, key, block->func);
+    jit_cache_update(rv->jit_cache, key, func);
 
-    /* hot2 is declared volatile, ensuring visibility across threads */
-    block->hot2 = true;
+    /* Store function pointer - the release barrier below ensures visibility */
+    /* Store function pointer first */
+    block->func = func;
+
+    /* Memory barrier ensures func is visible before hot2 */
+    __atomic_thread_fence(__ATOMIC_RELEASE);
+
+    /* Set hot2 flag to indicate compilation is complete */
+    __atomic_store_n(&block->hot2, true, __ATOMIC_RELEASE);
 }
 
 struct jit_cache *jit_cache_init()