Fix T2C memory visibility race

jserv · jserv · commit 97314af10e31 · 2025-09-22T09:02:41.000+08:00
The T2C compilation thread could set hot2 flag before compiled code was
fully visible to the main thread, causing execution of invalid function
pointers. This resulted in incorrect calculation results in the pi test.

Problem:
- volatile alone doesn't provide memory ordering guarantees
- CPU could reorder operations, making hot2=true visible before block-&gt;func
- Led to executing stale or partially written function pointers

Solution:
- Use __atomic_store_n with __ATOMIC_RELEASE when setting hot2
- Use __atomic_load_n with __ATOMIC_ACQUIRE when reading hot2
- Release-Acquire synchronization ensures proper ordering

This creates a happens-before relationship: when the main thread
observes hot2=true via acquire, it is guaranteed to see all writes
(including block-&gt;func) that happened before the release.
diff --git a/src/emulate.c b/src/emulate.c
@@ -278,7 +278,7 @@ static block_t *block_alloc(riscv_t *rv)
 #if RV32_HAS(JIT)
     block->translatable = true;
     block->hot = false;
-    block->hot2 = false;
+    __atomic_store_n(&block->hot2, false, __ATOMIC_RELAXED);
     block->has_loops = false;
     block->n_invoke = 0;
     INIT_LIST_HEAD(&block->list);
@@ -1121,8 +1121,8 @@ void rv_step(void *arg)
 #if RV32_HAS(JIT)
 #if RV32_HAS(T2C)
         /* executed through the tier-2 JIT compiler */
-        if (block->hot2) {
-            /* hot2 is volatile, ensuring visibility across threads */
+        if (__atomic_load_n(&block->hot2, __ATOMIC_ACQUIRE)) {
+            /* Acquire ensures we see all writes from before hot2 was set */
             ((exec_t2c_func_t) block->func)(rv);
             prev = NULL;
             continue;
diff --git a/src/riscv_private.h b/src/riscv_private.h
@@ -85,8 +85,8 @@ typedef struct block {
 
     rv_insn_t *ir_head, *ir_tail; /**< the first and last ir for this block */
 #if RV32_HAS(JIT)
-    bool hot;           /**< Determine the block is potential hotspot or not */
-    volatile bool hot2; /**< Determine the block is strong hotspot or not */
+    bool hot;  /**< Determine the block is potential hotspot or not */
+    bool hot2; /**< Determine the block is strong hotspot or not */
     bool
         translatable; /**< Determine the block has RV32AF insturctions or not */
     bool has_loops;   /**< Determine the block has loop or not */
diff --git a/src/t2c.c b/src/t2c.c
@@ -346,8 +346,8 @@ void t2c_compile(riscv_t *rv, block_t *block)
 
     jit_cache_update(rv->jit_cache, key, block->func);
 
-    /* hot2 is declared volatile, ensuring visibility across threads */
-    block->hot2 = true;
+    /* Ensure all previous writes are visible before setting hot2 */
+    __atomic_store_n(&block->hot2, true, __ATOMIC_RELEASE);
 }
 
 struct jit_cache *jit_cache_init()

Original file line number	Diff line number	Diff line change
`@@ -346,8 +346,8 @@ void t2c_compile(riscv_t rv, block_t block)`
`346`	`346`
`347`	`347`	`jit_cache_update(rv->jit_cache, key, block->func);`
`348`	`348`
`349`		`- /* hot2 is declared volatile, ensuring visibility across threads */`
`350`		`- block->hot2 = true;`
	`349`	`+ /* Ensure all previous writes are visible before setting hot2 */`
	`350`	`+ __atomic_store_n(&block->hot2, true, __ATOMIC_RELEASE);`
`351`	`351`	`}`
`352`	`352`
`353`	`353`	`struct jit_cache *jit_cache_init()`