Fix T2C memory visibility race

jserv · jserv · commit 55f0d9c10a8e · 2025-09-22T10:35:36.000+08:00
The T2C compilation thread could set hot2 flag before compiled code was
fully visible to the main thread, causing execution of invalid function
pointers. This resulted in incorrect calculation results in the pi test.

Problem:
- volatile alone doesn't provide memory ordering guarantees
- CPU could reorder operations, making hot2=true visible before block-&gt;func
- Led to executing stale or partially written function pointers

Solution:
- Use __atomic_store_n with __ATOMIC_RELEASE when setting hot2
- Use __atomic_load_n with __ATOMIC_ACQUIRE when reading hot2
- Release-Acquire synchronization ensures proper ordering

This creates a happens-before relationship: when the main thread
observes hot2=true via acquire, it is guaranteed to see all writes
(including block-&gt;func) that happened before the release.
diff --git a/src/emulate.c b/src/emulate.c
@@ -278,12 +278,12 @@ static block_t *block_alloc(riscv_t *rv)
 #if RV32_HAS(JIT)
     block->translatable = true;
     block->hot = false;
-    block->hot2 = false;
+    __atomic_store_n(&block->hot2, false, __ATOMIC_RELAXED);
     block->has_loops = false;
     block->n_invoke = 0;
     INIT_LIST_HEAD(&block->list);
 #if RV32_HAS(T2C)
-    block->compiled = false;
+    __atomic_store_n(&block->compiled, false, __ATOMIC_RELAXED);
 #endif
 #endif
     return block;
@@ -1121,15 +1121,21 @@ void rv_step(void *arg)
 #if RV32_HAS(JIT)
 #if RV32_HAS(T2C)
         /* executed through the tier-2 JIT compiler */
-        if (block->hot2) {
-            /* hot2 is volatile, ensuring visibility across threads */
-            ((exec_t2c_func_t) block->func)(rv);
+        if (__atomic_load_n(&block->hot2, __ATOMIC_ACQUIRE)) {
+            /* Hold cache lock to prevent block from being freed while executing
+             */
+            pthread_mutex_lock(&rv->cache_lock);
+            /* Double-check hot2 under lock in case it changed */
+            if (__atomic_load_n(&block->hot2, __ATOMIC_ACQUIRE))
+                ((exec_t2c_func_t) block->func)(rv);
+            pthread_mutex_unlock(&rv->cache_lock);
             prev = NULL;
             continue;
         } /* check if invoking times of t1 generated code exceed threshold */
-        else if (!block->compiled && block->n_invoke >= THRESHOLD) {
+        else if (!__atomic_load_n(&block->compiled, __ATOMIC_ACQUIRE) &&
+                 block->n_invoke >= THRESHOLD) {
             /* Mark block as queued for compilation to avoid re-queueing */
-            block->compiled = true;
+            __atomic_store_n(&block->compiled, true, __ATOMIC_RELEASE);
             queue_entry_t *entry = malloc(sizeof(queue_entry_t));
             entry->block = block;
             pthread_mutex_lock(&rv->wait_queue_lock);
diff --git a/src/riscv_private.h b/src/riscv_private.h
@@ -85,8 +85,8 @@ typedef struct block {
 
     rv_insn_t *ir_head, *ir_tail; /**< the first and last ir for this block */
 #if RV32_HAS(JIT)
-    bool hot;           /**< Determine the block is potential hotspot or not */
-    volatile bool hot2; /**< Determine the block is strong hotspot or not */
+    bool hot;  /**< Determine the block is potential hotspot or not */
+    bool hot2; /**< Determine the block is strong hotspot or not */
     bool
         translatable; /**< Determine the block has RV32AF insturctions or not */
     bool has_loops;   /**< Determine the block has loop or not */
diff --git a/src/t2c.c b/src/t2c.c
@@ -336,18 +336,26 @@ void t2c_compile(riscv_t *rv, block_t *block)
     }
 
     /* Return the function pointer of T2C generated machine code */
-    block->func = (exec_t2c_func_t) LLVMGetPointerToGlobal(engine, start);
+    exec_t2c_func_t func =
+        (exec_t2c_func_t) LLVMGetPointerToGlobal(engine, start);
 
 #if RV32_HAS(SYSTEM)
     uint64_t key = (uint64_t) block->pc_start | ((uint64_t) block->satp << 32);
 #else
     uint64_t key = (uint64_t) block->pc_start;
 #endif
 
-    jit_cache_update(rv->jit_cache, key, block->func);
+    jit_cache_update(rv->jit_cache, key, func);
 
-    /* hot2 is declared volatile, ensuring visibility across threads */
-    block->hot2 = true;
+    /* Store function pointer - the release barrier below ensures visibility */
+    /* Store function pointer first */
+    block->func = func;
+
+    /* Memory barrier ensures func is visible before hot2 */
+    __atomic_thread_fence(__ATOMIC_RELEASE);
+
+    /* Set hot2 flag to indicate compilation is complete */
+    __atomic_store_n(&block->hot2, true, __ATOMIC_RELEASE);
 }
 
 struct jit_cache *jit_cache_init()
