add gitlab issues in toml format

22 files changed, 871 insertions, 0 deletions

diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1022.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1022.toml
new file mode 100644
index 00000000..e198d853
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1022.toml
@@ -0,0 +1,41 @@
+id = 1022
+title = "RISC-V: Simulation terminated with seg fault when encountering `vsra.vx`"
+state = "closed"
+created_at = "2022-05-12T05:58:09.692Z"
+closed_at = "2022-06-02T16:41:37.713Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1022"
+host-os = "Red Hat Enterprise Linux"
+host-arch = "x86"
+qemu-version = "qemu-riscv64 version 7.0.50 (v7.0.0-935-gec11dc41ee)"
+guest-os = "- OS/kernel version:"
+guest-arch = "RISC-V 64"
+description = """QEMU simulation terminated with segmentation fault. Here is the backtrace of the simulation
+
+```
+(gdb) r
+Starting program: qemu/build/qemu-riscv64 -cpu rv64,vext_spec=v1.0,v=true,Zfh=true,Zve32f=true,Zve64f=true,vlen=128 -B 0x100000 a.out
+Missing separate debuginfos, use: yum debuginfo-install glibc-2.28-164.el8_5.3.x86_64
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+[New Thread 0x7ffff4edd700 (LWP 3239772)]
+
+Thread 1 "qemu-riscv64" received signal SIGSEGV, Segmentation fault.
+0x00007fffe8004fad in code_gen_buffer ()
+Missing separate debuginfos, use: yum debuginfo-install glib2-2.56.4-156.el8.x86_64 gmp-6.1.2-10.el8.x86_64 gnutls-3.6.16-4.el8.x86_64 libffi-3.1-22.el8.x86_64 libidn2-2.2.0-1.el8.x86_64 libtasn1-4.13-3.el8.x86_64 libunistring-0.9.9-3.el8.x86_64 p11-kit-0.23.22-1.el8.x86_64 pcre-8.42-6.el8.x86_64
+(gdb) bt
+#0  0x00007fffe8004fad in code_gen_buffer ()
+#1  0x00005555556a0b9b in cpu_tb_exec (tb_exit=<synthetic pointer>, itb=<optimized out>, cpu=0x7fffe8005000 <code_gen_buffer+20435>) at ../accel/tcg/cpu-exec.c:358
+#2  cpu_loop_exec_tb (tb_exit=<synthetic pointer>, last_tb=<synthetic pointer>, tb=<optimized out>, cpu=0x7fffe8005000 <code_gen_buffer+20435>) at ../accel/tcg/cpu-exec.c:848
+#3  cpu_exec (cpu=cpu@entry=0x555555eed3d0) at ../accel/tcg/cpu-exec.c:1007
+#4  0x00005555555e6d30 in cpu_loop (env=0x555555ef56f0) at ../linux-user/riscv/cpu_loop.c:37
+#5  0x00005555555df9f7 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ../linux-user/main.c:909
+```"""
+reproduce = """1. Checkout to QEMU's latest master (`ec11dc41eec5142b4776db1296972c6323ba5847`)
+2. `mkdir build ; cd build ; ../configure ; make -j24`
+3. `qemu-riscv64 -cpu rv64,vext_spec=v1.0,v=true,Zfh=true,Zve32f=true,Zve64f=true,vlen=128 -B 0x100000 ./a.out`"""
+additional = """Attaching code (output.c) and binary (a.out)
+
+[a.out](/uploads/0ecfb436a439619527ef645bdc781a48/a.out)
+
+[output.c](/uploads/cd492b4c9468f0b48412e76e7f6fcf91/output.c)"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1028.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1028.toml
new file mode 100644
index 00000000..c3cb8fd6
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1028.toml
@@ -0,0 +1,42 @@
+id = 1028
+title = "Assert fail for RISC-V RVV vmv.v.x for e64, vl == vl_max on RV32 guest"
+state = "closed"
+created_at = "2022-05-17T10:13:33.837Z"
+closed_at = "2022-06-09T01:27:05.150Z"
+labels = ["accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1028"
+host-os = "(CentOS-8.5.2111)"
+host-arch = "(x86)"
+qemu-version = "(7.0.0)"
+guest-os = "(baremetal)"
+guest-arch = "(RV32)"
+description = """assert message:
+qemu/tcg/tcg-op-gvec.c:1714: tcg_gen_gvec_dup_i32: Assertion `vece <= MO_32' failed.
+
+For a e64 vmv.v.x, in the file trans_rvv.c.inc, function "trans_vmv_v_x", when s->vl_eq_vlmax is true, then "tcg_gen_gvec_dup_tl" (it's defined to tcg_gen_gvec_dup_i32 for RV32) is called. In "tcg_gen_gvec_dup_i32" the assert "tcg_debug_assert(vece <= MO_32) will be triggered, since vece == MO_64 for e64."""
+reproduce = """1.enable cfg.Zve64f
+
+2.Prepare a problem as set e64, vl == vl_max and use vmv.v.x, maybe as below
+```
+  li t0, -1,
+  vsetvli x0, t0, e64,m1,tu,mu
+  li t1, -1
+  vmv.v.x v0, t1
+```"""
+additional = """Below is a possible solution if it's appropriate.
+```
+#if TARGET_LONG_BITS == 32
+            if (s->sew == 3) {
+                TCGv_i64 s1_i64 = tcg_temp_new_i64();
+                tcg_gen_ext_tl_i64(s1_i64, s1);
+                tcg_gen_gvec_dup_i64(s->sew, vreg_ofs(s, a->rd),
+                                     MAXSZ(s), MAXSZ(s), s1_i64);
+                tcg_temp_free_i64(s1_i64);
+            } else {
+#endif
+            tcg_gen_gvec_dup_tl(s->sew, vreg_ofs(s, a->rd),
+                                MAXSZ(s), MAXSZ(s), s1);
+#if TARGET_LONG_BITS == 32
+            }
+#endif
+```"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1053.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1053.toml
new file mode 100644
index 00000000..25ea9481
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1053.toml
@@ -0,0 +1,19 @@
+id = 1053
+title = "Executable PMP regions of size less than 4K always trigger an instruction access fault"
+state = "closed"
+created_at = "2022-06-01T12:51:14.201Z"
+closed_at = "2022-11-06T19:28:00.544Z"
+labels = ["accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1053"
+host-os = "Bare-metal"
+host-arch = "RISC-V"
+qemu-version = "master"
+guest-os = "Bare-metal"
+guest-arch = "RISC-V"
+description = """When configuring a PMP region that is less than 4K in size (Page size), and then trying to execute instructions inside said region, TCG always throws a PMP exception, even though the area allows code execution."""
+reproduce = "n/a"
+additional = """I've debugged the issue already, and it's happening because of the following optimization in TCG:
+
+TCG uses `get_page_addr_code_hostp` in order to try and get the translation cached for a whole page of instructions; if this function is unable to translate a whole page, it's supposed to simply return `-1`, and then the caller is supposed to translate and execute on a per-instruction basis. In this case `get_page_addr_code_hostp` calls `tlb_fill`, which then calls `riscv_cpu_tlb_fill`, which then calls `get_physical_address_pmp` to perform the PMP access checks. When said instructions are covered by a PMP region which is smaller than a page, this check then fails, since PMP regions must cover the whole access in order to allow it. At this point `riscv_cpu_tlb_fill` will see that a PMP fault happened, and since `probe` is set to false by `get_page_addr_code_hostp`, it will throw a RISC-V access fault exception instead of just returning a failure that `get_page_addr_code_hostp` can handle (by only accessing the memory of the specific instruction instead, which will be fully covered by the PMP region).
+
+I haven't tried to fix it myself (my first idea is to simply make `get_page_addr_code_hostp` set the probe flag), since I'm not sure if changing that part of TCG will affect other architectures that I'm not aware of."""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1060.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1060.toml
new file mode 100644
index 00000000..d1603567
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1060.toml
@@ -0,0 +1,41 @@
+id = 1060
+title = "RISC-V: mtval/stval is not correctly set to the instruction itself on illegal instructions"
+state = "closed"
+created_at = "2022-06-03T19:27:05.176Z"
+closed_at = "2022-07-03T04:38:37.975Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1060"
+host-os = "NixOS unstable, git commit 692517bf851f2d8d999f0ad50f53fa1d2dd5c8f9"
+host-arch = "x86-64"
+qemu-version = "7.0.0"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """QEMU 7.0 claims to support `stval`/`mtval` for illegal instructions, but `mtval`/`stval` is actually set to `0`"""
+reproduce = """1. Assemble and link `mtval-illegal.elf`. The code simply sets up a trap handler and generates an illegal instruction exception
+
+2. Start QEMU with:
+
+  ```
+  qemu-system-riscv64 -cpu rv64,h=off -bios mtval-illegal.elf -nographic -icount shift=0 -s -S
+  ```
+
+3. Attach with GDB:
+
+  ```
+  gdb mtval-illegal.elf
+
+  # Within GDB
+  target extended-remote :1234
+  break trap
+  disp $mtval
+
+  # Keep single stepping until breakpoint
+  stepi
+  ```
+
+4. When control flow reaches `trap`, `mtval` is written with `0` instead of the encoding of `csrw time, x0` (`0xc0101073`)"""
+additional = """Writing `0` to `mtval` on a illegal instruction trap is allowed by the specs, but since the [changelog of QEMU 7.0][changelog] says it should be supported, I would consider it a bug.
+
+[changelog]: https://wiki.qemu.org/ChangeLog/7.0#RISC-V
+
+I encountered this when trying to figure out why my program worked with QEMU 6 but breaks with QEMU 7. It's more complicated, but in that case I managed to get `mtval` written with neither `0` nor the actual illegal instruction, but a different illegal instruction. I will try gathering up all the dependencies and write down the steps to reproduce if needed and if I find the time."""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1155.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1155.toml
new file mode 100644
index 00000000..fe576219
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1155.toml
@@ -0,0 +1,35 @@
+id = 1155
+title = "RISC-V: Instruction fetch exceptions can have invalid tval/epc combination"
+state = "closed"
+created_at = "2022-08-13T16:28:02.519Z"
+closed_at = "2022-09-06T11:32:04.595Z"
+labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1155"
+host-os = "NixOS (unstable)"
+host-arch = "x86_64"
+qemu-version = "7.0.0 or master (a6b1c53e79d08a99a28cc3e67a3e1a7c34102d6b)"
+guest-os = "Linux 5.19"
+guest-arch = "riscv64"
+description = """Instruction page fault / guest-page fault / access fault exceptions can have invalid `epc`/`tval` combinations, for example as shown in the debug log:
+
+```
+riscv_cpu_do_interrupt: hart:0, async:0, cause:0000000000000014, epc:0xffffffff802fec76, tval:0xffffffff802ff000, desc=guest_exec_page_fault
+riscv_cpu_do_interrupt: hart:0, async:0, cause:0000000000000014, epc:0xffffffff80243fe6, tval:0xffffffff80244000, desc=guest_exec_page_fault
+```
+
+From the privileged spec:
+
+> If `mtval` is written with a nonzero value when an instruction access-fault or page-fault exception occurs on a system with variable-length instructions, then `mtval` will contain the virtual address of the portion of the instruction that caused the fault, while `mepc` will point to the beginning of the instruction.
+
+Currently RISC-V only has 32-bit and 16-bit instructions, so the difference `tval - epc` should be either `0` or `2`. In the examples above the differences are `906` and `26` respectively.
+
+Possibly notable: all occurrences of these invalid combinations to have `tval` aligned to a page-boundary."""
+reproduce = """This one only gives invalid `tval`/`epc` combinations with instruction guest-page faults, but I've found it to be the easiest reproducer to describe, since presumably running KVM in RISC-V QEMU is a standard setup. I have not otherwise been able to find a more minimal case.
+
+1. Start a QEMU-based `riscv64` machine
+2. Start a KVM-based virtual machine with QEMU inside it
+3. Do some stuff in the KVM-based virtual machine to increase the chance of page faults
+4. Look in the debug log of the outer QEMU for `guest_exec_page_fault` exceptions with `tval` ending in `000`, but `epc` ending in neither `000` nor `ffe`
+
+Everything in both layers of guests should otherwise work without issue, but other/future software that relies on the spec-mandated relationship of `epc`/`tval` may break."""
+additional = """"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1224.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1224.toml
new file mode 100644
index 00000000..2ce5c165
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1224.toml
@@ -0,0 +1,22 @@
+id = 1224
+title = "QEMU crashes with failed assertion when executing compressed instructions with C extension support disabled"
+state = "closed"
+created_at = "2022-09-21T15:26:47.231Z"
+closed_at = "2023-01-07T13:07:39.908Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1224"
+host-os = "n/a"
+host-arch = "riscv64"
+qemu-version = "master"
+guest-os = "n/a"
+guest-arch = "riscv64"
+description = """When executing compressed instructions with compressed instruction support disabled (c=off), the tcg riscv translations fails an assertion.
+```
+qemu-system-riscv64: qemu/accel/tcg/translate-all.c:1449: tb_gen_code: Assertion `tb->size != 0' failed.
+```
+
+I believe that the issue is caused due to the fact that the compressed instruction without RVC support branch of the `decode_opc` function does not update `ctx->pc_succ_insn`, which causes `ctx->base.pc_next` to not be updated in `riscv_tr_translate_insn`, which then finally triggers the assertion once the tcg generation returns to `tb_gen_code`.
+
+Side note, it also seems like the `gen_exception_illegal` call in the same if case is not needed, since we also call it again at the end of the function."""
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1339.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1339.toml
new file mode 100644
index 00000000..0359cea2
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1339.toml
@@ -0,0 +1,24 @@
+id = 1339
+title = "RVV vfncvt.rtz.x.f.w Assertion failed"
+state = "closed"
+created_at = "2022-11-25T06:14:02.568Z"
+closed_at = "2023-01-18T04:33:24.825Z"
+labels = ["accel: TCG", "target: riscv", "workflow::Patch available"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1339"
+host-os = "Ubuntu 22.04"
+host-arch = "x86"
+qemu-version = "7.0.50"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """when execute 
+``` 
+vsetvli        t0,       x0,         e16,      m1
+vfncvt.rtz.x.f.w v0, v4
+```
+report error:
+
+qemu-riscv64: ../target/riscv/translate.c:212: decode_save_opc: Assertion \\`ctx->insn_start != NULL' failed. Segmentation fault (core dumped)"""
+reproduce = """1. write the code
+2. compile
+3. excute"""
+additional = """"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1353.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1353.toml
new file mode 100644
index 00000000..22eccbba
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1353.toml
@@ -0,0 +1,183 @@
+id = 1353
+title = "QEMU crashes when executing a RISC-V compressed instruction with C extension disabled."
+state = "closed"
+created_at = "2022-12-01T23:15:15.201Z"
+closed_at = "2022-12-03T17:55:51.273Z"
+labels = ["Closed::Duplicate", "accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1353"
+host-os = "Debian 11"
+host-arch = "x86_64"
+qemu-version = "v7.2.0-rc3 (c4ffd91aba1c3d878e99a3e7ba8aad4826728ece) - I was also able to reproduce this as far back as v6.2.0"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """When binaries are built with compressed instructions, but QEMU is launched with C extension disabled we get a crash instead of a trap that can be handled by the fault handler. It is quite possible that this only asserts if the compressed instruction is the first instruction after a new translation block due to the unconditional trap generated by:
+```
+         if (!has_ext(ctx, RVC)) {
+            gen_exception_illegal(ctx);
+        } else {
+```
+Although I would not expect the TB to be empty. Unfortunately it appears to crash before `-d op` prints any output."""
+reproduce = """1. Compile the following assembly code to an ELF32 binary: `clang --target=riscv32-none-elf -nostdlib -o crash.elf ./crash.S -Wl,--section-start=.text=0x80000000`
+```asm
+.text
+.global _start
+.type _start,@function
+_start:
+       # .4byte 0x300022f3  # csrr    t0,mstatus
+       # NB: compressed instruction, if we start qemu with c=false,
+       # this results in the following error:
+       # qemu-system-riscv32: ../../upstream-qemu/accel/tcg/translate-all.c:762: int setjmp_gen_code(CPUArchState *, TranslationBlock *, target_ulong, void *, int *, int64_t *): Assertion `tb->size != 0' failed.
+       bne t0, t1, .Lfoo  # This instruction is not strictly necessary, but it makes the debug output a bit more useful
+.Lfoo:
+       .2byte 0x6309      # lui     t1,0x2
+       j _start
+```
+2. `qemu-system-riscv32 -monitor none -serial none -machine virt,accel=tcg -cpu rv32,i=true,c=false -kernel crash.elf -nographic -bios none -d in_asm,op,op_opt,unimp`
+3. Assertion failure: `qemu-system-riscv32: ../../upstream-qemu/accel/tcg/translate-all.c:762: int setjmp_gen_code(CPUArchState *, TranslationBlock *, target_ulong, void *, int *, int64_t *): Assertion `tb->size != 0' failed.`"""
+additional = """Here is the output of `-d in_asm,op,op_opt,unimp,nochain`:
+```
+----------------
+IN: 
+Priv: 3; Virt: 0
+0x00001000:  00000297          auipc                   t0,0                    # 0x1000
+0x00001004:  02828613          addi                    a2,t0,40
+0x00001008:  f1402573          csrrs                   a0,mhartid,zero
+
+OP:
+ ld_i32 tmp1,env,$0xfffffffffffffff0
+ brcond_i32 tmp1,$0x0,lt,$L0
+
+ ---- 00001000 00000000
+ mov_i32 x5/t0,$0x1000
+
+ ---- 00001004 00000000
+ add_i32 x12/a2,x5/t0,$0x28
+
+ ---- 00001008 f1402573
+ call csrr,$0x0,$1,x10/a0,env,$0xf14
+ mov_i32 pc,$0x100c
+ exit_tb $0x0
+ set_label $L0
+ exit_tb $0x7f5824000043
+
+OP after optimization and liveness analysis:
+ ld_i32 tmp1,env,$0xfffffffffffffff0      pref=0xffff
+ brcond_i32 tmp1,$0x0,lt,$L0              dead: 0 1
+
+ ---- 00001000 00000000                
+ mov_i32 x5/t0,$0x1000                    sync: 0  dead: 0 1  pref=0xffff
+
+ ---- 00001004 00000000                
+ mov_i32 x12/a2,$0x1028                   sync: 0  dead: 0 1  pref=0xffff
+
+ ---- 00001008 f1402573                
+ call csrr,$0x0,$1,x10/a0,env,$0xf14      sync: 0  dead: 0 1 2  pref=none
+ mov_i32 pc,$0x100c                       sync: 0  dead: 0 1  pref=0xffff
+ exit_tb $0x0                           
+ set_label $L0                          
+ exit_tb $0x7f5824000043                
+
+----------------
+IN: 
+Priv: 3; Virt: 0
+0x0000100c:  0202a583          lw                      a1,32(t0)
+0x00001010:  0182a283          lw                      t0,24(t0)
+0x00001014:  00028067          jr                      t0
+
+OP:
+ ld_i32 tmp1,env,$0xfffffffffffffff0
+ brcond_i32 tmp1,$0x0,lt,$L0
+
+ ---- 0000100c 00000000
+ add_i32 tmp1,x5/t0,$0x20
+ qemu_ld_i32 x11/a1,tmp1,leul,3
+
+ ---- 00001010 00000000
+ add_i32 tmp1,x5/t0,$0x18
+ qemu_ld_i32 x5/t0,tmp1,leul,3
+
+ ---- 00001014 00000000
+ mov_i32 pc,x5/t0
+ and_i32 pc,pc,$0xfffffffe
+ and_i32 tmp1,pc,$0x2
+ brcond_i32 tmp1,$0x0,ne,$L1
+ call lookup_tb_ptr,$0x6,$1,tmp6,env
+ goto_ptr tmp6
+ set_label $L1
+ st_i32 pc,env,$0x1228
+ mov_i32 pc,$0x1014
+ call raise_exception,$0x8,$0,env,$0x0
+ set_label $L0
+ exit_tb $0x7f5824000183
+
+OP after optimization and liveness analysis:
+ ld_i32 tmp1,env,$0xfffffffffffffff0      pref=0xffff
+ brcond_i32 tmp1,$0x0,lt,$L0              dead: 0
+
+ ---- 0000100c 00000000                
+ add_i32 tmp1,x5/t0,$0x20                 dead: 2  pref=0xff3f
+ qemu_ld_i32 x11/a1,tmp1,leul,3           sync: 0  dead: 0 1  pref=0xffff
+
+ ---- 00001010 00000000                
+ add_i32 tmp1,x5/t0,$0x18                 dead: 1 2  pref=0xff3f
+ qemu_ld_i32 x5/t0,tmp1,leul,3            sync: 0  dead: 1  pref=0xffff
+
+ ---- 00001014 00000000                
+ mov_i32 pc,x5/t0                         dead: 1  pref=0xffff
+ and_i32 pc,pc,$0xfffffffe                sync: 0  dead: 1 2  pref=0xffff
+ and_i32 tmp1,pc,$0x2                     dead: 1 2  pref=0xffff
+ brcond_i32 tmp1,$0x0,ne,$L1              dead: 0 1
+ call lookup_tb_ptr,$0x6,$1,tmp6,env      dead: 1  pref=none
+ goto_ptr tmp6                            dead: 0
+ set_label $L1                          
+ st_i32 pc,env,$0x1228                    dead: 0
+ mov_i32 pc,$0x1014                       sync: 0  dead: 0 1  pref=0xffff
+ call raise_exception,$0x8,$0,env,$0x0    dead: 0 1
+ set_label $L0                          
+ exit_tb $0x7f5824000183                
+
+----------------
+IN: 
+Priv: 3; Virt: 0
+0x80000000:  00629263          bne                     t0,t1,4                 # 0x80000004
+
+OP:
+ ld_i32 tmp1,env,$0xfffffffffffffff0
+ brcond_i32 tmp1,$0x0,lt,$L0
+
+ ---- 80000000 00000000
+ mov_i32 tmp1,x5/t0
+ mov_i32 tmp2,x6/t1
+ brcond_i32 tmp1,tmp2,ne,$L1
+ mov_i32 pc,$0x80000004
+ call lookup_tb_ptr,$0x6,$1,tmp4,env
+ goto_ptr tmp4
+ set_label $L1
+ mov_i32 pc,$0x80000004
+ call lookup_tb_ptr,$0x6,$1,tmp4,env
+ goto_ptr tmp4
+ set_label $L0
+ exit_tb $0x7f5824000383
+
+OP after optimization and liveness analysis:
+ ld_i32 tmp1,env,$0xfffffffffffffff0      pref=0xffff
+ brcond_i32 tmp1,$0x0,lt,$L0              dead: 0 1
+
+ ---- 80000000 00000000                
+ brcond_i32 x5/t0,x6/t1,ne,$L1            dead: 0 1
+ mov_i32 pc,$0x80000004                   sync: 0  dead: 0 1  pref=0xffff
+ call lookup_tb_ptr,$0x6,$1,tmp4,env      dead: 1  pref=none
+ goto_ptr tmp4                            dead: 0
+ set_label $L1                          
+ mov_i32 pc,$0x80000004                   sync: 0  dead: 0 1  pref=0xffff
+ call lookup_tb_ptr,$0x6,$1,tmp4,env      dead: 1  pref=none
+ goto_ptr tmp4                            dead: 0
+ set_label $L0                          
+ exit_tb $0x7f5824000383                
+
+----------------
+IN: 
+Priv: 3; Virt: 0
+
+qemu-system-riscv32: ../../upstream-qemu/accel/tcg/translate-all.c:762: int setjmp_gen_code(CPUArchState *, TranslationBlock *, target_ulong, void *, int *, int64_t *): Assertion `tb->size != 0' failed.
+```"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1441.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1441.toml
new file mode 100644
index 00000000..e42225ce
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1441.toml
@@ -0,0 +1,42 @@
+id = 1441
+title = "Assertion failure when executing RISC-V vfncvt.rtz.x.f.w instruction"
+state = "closed"
+created_at = "2023-01-13T22:10:02.691Z"
+closed_at = "2023-01-17T17:39:50.962Z"
+labels = ["Closed::Duplicate", "accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1441"
+host-os = "RHEL 8.6"
+host-arch = "x86"
+qemu-version = "7.2.50"
+guest-os = "n/a"
+guest-arch = "RISC-V"
+description = """When emulating the `vfncvt.rtz.x.f.w` instruction, QEMU crashes with an assertion failure at `target/riscv/translate.c:211`, complaining that ```decode_save_opc: Assertion `ctx->insn_start != NULL' failed.```
+
+It appears this problem first emerged with https://gitlab.com/qemu-project/qemu/-/commit/a9814e3e08d2aacbd9018c36c77c2fb652537848"""
+reproduce = """The following C program triggers the assertion failure when built a sufficiently recent version of the Clang cross compiler (in my case 15.0.6):
+```
+/* test.c */
+#include <riscv_vector.h>
+
+#define LEN 4
+
+int main(int argc, char *argv[]) {
+  double in[LEN];
+  int out[LEN];
+
+  vfloat64m1_t vf = vle64_v_f64m1(in, LEN);
+  vint32mf2_t vi = vfncvt_rtz_x_f_w_i32mf2(vf, LEN);
+  vse32_v_i32mf2(out, vi, LEN);
+
+  return 0;
+}
+```
+
+The above `test.c` can be compiled and run as follows:
+```
+clang -O3 -march=rv64gcv -static test.c
+qemu-riscv64 -cpu "rv64,zba=true,zbb=true,zbc=true,zbs=true,v=true,vlen=512,elen=64,vext_spec=v1.0" a.out
+qemu-riscv64: ../target/riscv/translate.c:211: decode_save_opc: Assertion `ctx->insn_start != NULL' failed.
+Segmentation fault (core dumped)
+```"""
+additional = """"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1555.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1555.toml
new file mode 100644
index 00000000..92bc503c
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1555.toml
@@ -0,0 +1,40 @@
+id = 1555
+title = "virt platform mrom"
+state = "closed"
+created_at = "2023-03-24T03:47:07.313Z"
+closed_at = "2023-05-17T05:00:04.128Z"
+labels = ["accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1555"
+host-os = "ubuntu22.04"
+host-arch = "x86"
+qemu-version = "7.2.0"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """qemu-system-riscv32 to emulated the lowrisc ibex simple system hello, when debug with riscv32-unknown-elf-gdb, there kept logging "Invalid read at addr 0x0, size 2, region '(null)', reason: rejected".  
+I saw qemu virt platform codes related to this error, it load reset_vec to 0x1000 called VIRT_MROM. I still not understand why this error happens."""
+reproduce = """1.git clone https://github.com/lowRISC/ibex.git  
+2.cd ibex  
+3.make -C examples/sw/simple_system/hello_test  
+4.using the qemu command line above  
+5.`riscv32-unknown-elf-gdb -ex target remote localhost:1234 examples/sw/simple_system/hello_test` in another terminal, type bt, the error happens."""
+additional = """```gdb
+(gdb) x/16i $pc 
+=> 0x1000:\tauipc\tt0,0x0
+   0x1004:\taddi\ta2,t0,40
+   0x1008:\tcsrr\ta0,mhartid
+   0x100c:\tlw\ta1,32(t0)
+   0x1010:\tlw\tt0,24(t0)
+   0x1014:\tjr\tt0
+   0x1018:\tunimp
+   0x101a:\t.2byte\t0x8000
+   0x101c:\tunimp
+   0x101e:\tunimp
+   0x1020:\tunimp
+   0x1022:\t.2byte\t0x7fe0
+   0x1024:\tunimp
+   0x1026:\tunimp
+   0x1028:\t.4byte\t0x4942534f
+   0x102c:\tc.slli64\tzero
+(gdb) bt
+#0  0x00001000 in ?? ()
+```"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1587.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1587.toml
new file mode 100644
index 00000000..96766678
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1587.toml
@@ -0,0 +1,33 @@
+id = 1587
+title = "Invalid memory access allowed (possibly due to TLB bypassing PMP after mret)"
+state = "closed"
+created_at = "2023-04-08T20:36:34.624Z"
+closed_at = "2023-05-17T05:06:35.011Z"
+labels = ["accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1587"
+host-os = "Fedora 37"
+host-arch = "Host: x86-64, Guest: RISCV64"
+qemu-version = "QEMU emulator version 7.2.93 (v8.0.0-rc3-dirty)"
+guest-os = "Bare metal"
+guest-arch = "RISC-V 64"
+description = """A load instruction that should be blocked by PMP due to MPRV changing the effective privilege mode to U is allowed.  The sequence that I observed was:
+
+
+1. Be in machine mode.
+2. Set MPP to U (0).
+3. Set MPRV to 1.
+4. Enter an ISR, setting MPP to M (3).
+5. Load from address xxxx (populating the QEMU TLB).
+6. Execute mret, setting MPP back to U (0).
+7. Load from address xxxx, which should fail but succeeds without any TLB fill."""
+reproduce = """```
+git clone https://github.com/dreiss/qemu_pmp_repro
+cd qemu_pmp_repro
+./build_and_run.sh
+```
+The `build_and_run.sh` script expects `riscv-none-elf-gcc` and `qemu-system-riscv64` on PATH.  It will also attempt to run the reproducer with `spike`, the reference RISC-V emulator, which succeeds."""
+additional = """Adding a call to `tlb_flush` to `helper_mret` causes this test to pass in QEMU, but I don't know if that's a valid fix.
+
+Output from `build_and_run.sh`:
+
+[output.txt](/uploads/108547bcb160a8f0bfffe72ea77b215f/output.txt)"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1724.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1724.toml
new file mode 100644
index 00000000..907aa171
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1724.toml
@@ -0,0 +1,53 @@
+id = 1724
+title = "qemu-system-riscv64 can't break by gdb"
+state = "opened"
+created_at = "2023-06-23T10:32:51.184Z"
+closed_at = "n/a"
+labels = ["GDB", "accel: TCG", "target: riscv", "workflow::Needs Info"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1724"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """The qemu-system-riscv64 can't break by gdb.  
+( => The target is not responding to interrupt requests.  
+Stop debugging it? (y or n) Quit)  
+
+I using old qemu-system-risc64(7.2) don't has this issue.  
+
+This test case running simple OS(riscv-xv6)."""
+reproduce = """1.qemu-system-riscv64 -machine virt -bios none -kernel kernel/kernel -m 128M -smp 3 -nographic -global   virtio-mmio.force-legacy=false -drive file=fs.img,if=none,format=raw,id=x0 -device virtio-blk-  device,drive=x0,bus=virtio-mmio-bus.0 -S -gdb tcp::26000  
+  
+  
+2.test@test-VirtualBox:~$ riscv64-unknown-linux-gnu-gdb -q                                                                                                                                                 
+(gdb) target remote :26000  
+Remote debugging using :26000  
+warning: No executable has been specified and target does not support  
+determining executable automatically.  Try using the "file" command.  
+0x0000000000001000 in ?? ()  
+(gdb) c  
+Continuing.  
+
+3.check xv6 is running.  
+xv6 kernel is booting  
+
+hart 2 starting  
+hart 1 starting  
+init: starting sh  
+$  
+
+4.Can't stop by GDB.  
+(gdb) c  
+Continuing.  
+^C^CThe target is not responding to interrupt requests.  
+Stop debugging it? (y or n) Quit  
+(gdb)"""
+additional = """Test on new QEMU.  
+
+```
+commit cab35c73be9d579db105ef73fa8a60728a890098 (HEAD -> master, origin/staging, origin/master, origin/HEAD)
+Merge: 48ab886d3d d7ee93e243
+Author: Richard Henderson <richard.henderson@linaro.org>
+Date:   Tue Jun 20 10:26:53 2023 +0200
+```"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1823.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1823.toml
new file mode 100644
index 00000000..0153d32b
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1823.toml
@@ -0,0 +1,19 @@
+id = 1823
+title = "qemu-system-riscv64 Property 'virt-machine.aclint' not found"
+state = "closed"
+created_at = "2023-08-10T00:45:36.097Z"
+closed_at = "2023-08-12T01:15:41.283Z"
+labels = ["Regression", "accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1823"
+host-os = "NA"
+host-arch = "x86_64"
+qemu-version = "v8.1.0-rc2"
+guest-os = "NA"
+guest-arch = "riscv64"
+description = """"""
+reproduce = """1.  run ./qemu-system-riscv64 -M virt,aclint=on
+2. command output: 
+```
+qemu-system-riscv64: Property 'virt-machine.aclint' not found
+```"""
+additional = """The aclint property is registered in the virt_machine_class_init function and depends on the condition tcg_enabled(), but the initialization of tcg_enabled() is later than the call of virt_machine_class_init. This caused the aclint property to never be registered."""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1961.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1961.toml
new file mode 100644
index 00000000..f0e2c952
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1961.toml
@@ -0,0 +1,15 @@
+id = 1961
+title = "Commit accel/tcg: Always require can_do_io breaks riscv64 bare metal firmware"
+state = "closed"
+created_at = "2023-10-26T08:47:11.094Z"
+closed_at = "2023-11-15T18:27:36.138Z"
+labels = ["Closed::Fixed", "accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1961"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/1976.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/1976.toml
new file mode 100644
index 00000000..357a0e89
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/1976.toml
@@ -0,0 +1,59 @@
+id = 1976
+title = "SIGILL (ILL_OPC) on RISC-V Vector Operations, Bad MSTATUS_VS register"
+state = "closed"
+created_at = "2023-11-09T18:29:26.854Z"
+closed_at = "2024-03-22T12:58:06.802Z"
+labels = ["accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1976"
+host-os = "Debian"
+host-arch = "x86_64"
+qemu-version = "v8.1.0-3111-gad6ef0a42e-dirty"
+guest-os = "Android (AOSP)"
+guest-arch = "riscv64"
+description = """When building AOSP Android and launching the public Cuttlefish RISC-V image, various binaries on the system will crash on boot with SIGILL, ILL_OPC. The crashes are random - binaries will crash largely at boot and then only crash infrequently after that. It is not always the case that the same binary will crash first, but if a binary crashes, it will always crash at the same location, usually the first vector instruction. At the time of writing, this is often the 'vsetvli' or 'vfirst.m' instruction.
+
+After building QEMU at head and intentionally triggering a SIGABRT prior to the ILL_OPC exception, I caught the following backtrace in gdb:
+
+```
+(gdb) bt
+#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
+#1  0x00007f8e570bb15f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
+#2  0x00007f8e5706d472 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
+#3  0x00007f8e570574b2 in __GI_abort () at ./stdlib/abort.c:79
+#4  0x0000565536e817d7 in vs (env=<optimized out>, csrno=<optimized out>) at ../target/riscv/csr.c:101
+#5  vs (env=<optimized out>, csrno=<optimized out>) at ../target/riscv/csr.c:95
+#6  0x0000565536e83d5b in riscv_csrrw_check (write_mask=false, csrno=3106, env=0x7f8e4e2b0ed0) at ../target/riscv/csr.c:4286
+#7  riscv_csrrw (env=env@entry=0x7f8e4e2b0ed0, csrno=3106, ret_value=ret_value@entry=0x7f8bdedfbee0, new_value=new_value@entry=0, write_mask=write_mask@entry=0)
+    at ../target/riscv/csr.c:4366
+#8  0x0000565536e86b52 in helper_csrr (env=0x7f8e4e2b0ed0, csr=<optimized out>) at ../target/riscv/op_helper.c:54
+#9  0x00007f8de9f1af73 in code_gen_buffer ()
+#10 0x0000565536fa39cb in cpu_tb_exec (cpu=cpu@entry=0x7f8e4e2ae710, itb=itb@entry=0x7f8de9f1ab40 <code_gen_buffer+99724051>, tb_exit=tb_exit@entry=0x7f8bdedfc444)
+    at ../accel/tcg/cpu-exec.c:458
+#11 0x0000565536fa3ea1 in cpu_loop_exec_tb
+    (tb_exit=0x7f8bdedfc444, last_tb=<synthetic pointer>, pc=<optimized out>, tb=0x7f8de9f1ab40 <code_gen_buffer+99724051>, cpu=<optimized out>)
+    at ../accel/tcg/cpu-exec.c:920
+#12 cpu_exec_loop (cpu=cpu@entry=0x7f8e4e2ae710, sc=sc@entry=0x7f8bdedfc4f0) at ../accel/tcg/cpu-exec.c:1041
+#13 0x0000565536fa469d in cpu_exec_setjmp (cpu=cpu@entry=0x7f8e4e2ae710, sc=sc@entry=0x7f8bdedfc4f0) at ../accel/tcg/cpu-exec.c:1058
+#14 0x0000565536fa4c6b in cpu_exec (cpu=cpu@entry=0x7f8e4e2ae710) at ../accel/tcg/cpu-exec.c:1084
+#15 0x0000565536fbfedf in tcg_cpus_exec (cpu=cpu@entry=0x7f8e4e2ae710) at ../accel/tcg/tcg-accel-ops.c:76
+#16 0x0000565536fc0023 in mttcg_cpu_thread_fn (arg=arg@entry=0x7f8e4e2ae710) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
+#17 0x0000565537144288 in qemu_thread_start (args=0x565538c01840) at ../util/qemu-thread-posix.c:541
+#18 0x00007f8e570b93ec in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:444
+#19 0x00007f8e57139a4c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
+```
+
+Debugging in this path, it appears that the reason we're experiencing a SIGILL here is that when building a qemu-system-riscv64 binary (and thus !CONFIG_USER_ONLY), we check to see if 'riscv_cpu_vector_enabled(env)', which checks if `env->mstatus & MSTATUS_VS`.
+
+Interestingly, logging in this path confirms that the CPU environment of this thread does think the RVV extension is enabled (verified with `riscv_has_ext(env, RVV)`. My rough guess as to what's happening:
+
+1. We're not setting the MSTATUS_VS flag on initialization of the CPU, nor are we setting the mstatus_vs state to INITIALIZED. Without this, when a new thread is spawned for a vCPU, it's incorrectly determining that it can't handle vector instructions.
+2. It's working sometimes because in some of the 'write_*' calls in `riscv/csr.c`, we flip the MSTATUS_VS flag on, so if one of those calls occurs first, all subsequent vector operations work too. (To be honest, I'm not quite following why we make the decision to set MSTATUS in these calls, shouldn't this be configured at CPU initialization?)"""
+reproduce = """Please forgive the poor reproduction case, I'm still trying to wrap my head around what's going on, so haven't been able to harden a smaller example yet that would reproduce. In theory, tip-of-tree QEMU + a stock Linux system with a program that triggers a call to QEMU's vlenb instruction ahead of all other vector instructions would be the ideal case, but I'm still figuring out how to go about doing that.
+
+My current reproduction case is as follows:
+
+1. Introduce a small hack in `target/riscv/csr.c`'s `vs` function - add an `abort` call here: https://github.com/qemu/qemu/blob/master/target/riscv/csr.c#L99
+2. Build tip-of-tree QEMU for qemu-system-riscv64.
+3. Use https://github.com/google/android-riscv64#can-i-try-it to build the Android RISC-V emulator. When launching the emulator, use the '-qemu_binary_dir' option to point to the directory containing the QEMU built in the previous step.
+4. In a few moments, the emulator will attempt to start but abort fairly quickly (I've got a 128-core machine, and it fails consistently in about 5 seconds)."""
+additional = "n/a"
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/2166.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/2166.toml
new file mode 100644
index 00000000..c14d10b5
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/2166.toml
@@ -0,0 +1,15 @@
+id = 2166
+title = "RISC-V qemu has bug on the return value of function qemu_plugin_mem_size_shift()"
+state = "opened"
+created_at = "2024-02-14T19:37:59.722Z"
+closed_at = "n/a"
+labels = ["TCG plugins", "accel: TCG", "target: riscv", "workflow::Triaged"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2166"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/2259.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/2259.toml
new file mode 100644
index 00000000..86680fb2
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/2259.toml
@@ -0,0 +1,22 @@
+id = 2259
+title = "The cause code of a trap changes when qemu is nested in another qemu"
+state = "opened"
+created_at = "2024-04-01T12:11:11.116Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2259"
+host-os = "Ubuntu"
+host-arch = "x86"
+qemu-version = "7.2"
+guest-os = "Ubuntu"
+guest-arch = "RiscV64"
+description = """I am studying the feasibility of doing some practical work on RISCV plates. Since I don't have these boards yet, I'm emulating it with qemu. The practice in turn consists of launching with qemu a very small operating system with two tasks that make a series of system calls.
+
+When I run this practice on my host it works correctly, but when I run it on an Ubuntu emulated in riscv with qemu, the cause code for the trap changes (the first bit of the code).
+
+The demo can be found in this repository: https://github.com/Sft570/qemu-bug-report"""
+reproduce = """1. Clone the repository on the host and run the demo with "make qemu"
+2. Emulate with qemu ubuntu in riscv, clone the repository and run the demo with "make qemu".
+
+The error displayed shows the change of the cause code bit. You can analyze its behavior in the trap.c file in the src folder."""
+additional = """"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/2371.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/2371.toml
new file mode 100644
index 00000000..0b6a10c6
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/2371.toml
@@ -0,0 +1,60 @@
+id = 2371
+title = "A bug in RISC-V froundnx.h instruction"
+state = "closed"
+created_at = "2024-06-02T05:26:42.308Z"
+closed_at = "2024-08-01T08:38:08.083Z"
+labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2371"
+host-os = "Ubuntu 22.04"
+host-arch = "x86-64"
+qemu-version = "qemu-riscv64 version 9.0.50 (v9.0.0-1123-g74abb45dac)"
+guest-os = "N/A (qemu-user)"
+guest-arch = "riscv64"
+description = """According to the RISCV ISA manual, the froundnx.h instruction rounds a half-precision floating-point number in the source register to an integer and writes the integer, represented as a half-precision floating-point number, to the destination register. Because the values are stored in 64-bit width registers, they must be NaN-unboxed/boxed before/after the operation. When an input value lacks the proper form of NaN-boxing, it should be treated as a canonical NaN.
+However, when an incorrectly NaN-boxed value is passed to froundnx.h, QEMU produces 0 instead of the canonical NaN. This is because there is a typo in the definition of helper_froundnx_h:
+```
+// target/riscv/fpu_helper.c
+uint64_t helper_froundnx_h(CPURISCVState *env, uint64_t rs1)
+{
+    float16 frs1 = check_nanbox_s(env, rs1); // This should be check_nanbox_h.
+    frs1 = float16_round_to_int(frs1, &env->fp_status);
+    return nanbox_h(env, frs1);
+}
+```"""
+reproduce = """1. Write `test.c`.
+```
+#include <stdio.h>
+
+char i_F6[8] = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 };
+char o_F5[8];
+
+void __attribute__ ((noinline)) show_state() {
+    for (int i = 0; i < 8; i++) {
+        printf("%02x ", o_F5[i]);
+    }
+    printf("\\n");
+}
+
+void __attribute__ ((noinline)) run() {
+    __asm__ (
+        "lui t5, %hi(i_F6)\\n"
+        "addi t5, t5, %lo(i_F6)\\n"
+        "fld ft6, 0(t5)\\n"
+        ".insn 0x445372d3\\n" // froundnx.h ft5, ft6
+        "lui t5, %hi(o_F5)\\n"
+        "addi t5, t5, %lo(o_F5)\\n"
+        "fsd ft5, 0(t5)\\n"
+    );
+}
+
+int main(int argc, char **argv) {
+    run();
+    show_state();
+
+    return 0;
+}
+```
+2. Compile `test.bin` using this command: `riscv64-linux-gnu-gcc-12 -O2 -no-pie -march=rv64iv ./test.c -o ./test.bin`.
+3. Run QEMU using this command: `qemu-riscv64 -L /usr/riscv64-linux-gnu/ ./test.bin`.
+4. The program, runs on top of the buggy QEMU, prints `00 00 ff ff ff ff ff ff`. It should print `00 7e ff ff ff ff ff ff` after the bug is fixed."""
+additional = """"""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/2820.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/2820.toml
new file mode 100644
index 00000000..b6952620
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/2820.toml
@@ -0,0 +1,39 @@
+id = 2820
+title = "STOPI CSR Incorrect Value for Virtual Supervisor External Interrupt in QEMU (AIA Extension)"
+state = "opened"
+created_at = "2025-02-18T18:30:17.361Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2820"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """We are developing a RISC-V core and have implemented tests for the AIA extension. One of these tests reveals a bug when running in QEMU in a bare-metal environment. The issue relates to the value of the STOPI CSR. Although the CSR behaves correctly in most cases, when a virtual supervisor external interrupt is generated using the IMSIC (i.e., both hip.vseip and hie.vseip are set to 1) while executing in supervisor mode with hideleg.vseip set to 0, the STOPI CSR always returns the value 0. However, according to the specifications, it should return 10, which is the major identity number for the virtual supervisor external interrupt.
+
+According to the RISC-V specs:
+
+> The value of stopi is zero unless: (a) there is an interrupt that is both pending in sip and enabled in
+sie, or, if the hypervisor extension is implemented, both pending in hip and enabled in hie; and (b)
+the interrupt is not delegated to a lower privilege level (by hideleg, if the hypervisor extension is
+implemented). When there is a pending-and-enabled major interrupt for supervisor level, field IID is
+the major identity number of the highest-priority interrupt, and field IPRIO indicates its priority.
+
+Upon reviewing the QEMU AIA code, I found the following snippet in `qemu/target/riscv/cpu_helper.c` that might be causing the problem:
+```
+int riscv_cpu_sirq_pending(CPURISCVState *env)
+{
+    uint64_t irqs = riscv_cpu_all_pending(env) & env->mideleg &
+                    ~(MIP_VSSIP | MIP_VSTIP | MIP_VSEIP);
+    uint64_t irqs_f = env->mvip & env->mvien & ~env->mideleg & env->sie;
+
+    return riscv_cpu_pending_to_irq(env, IRQ_S_EXT, IPRIO_DEFAULT_S,
+                                    irqs | irqs_f, env->siprio);
+}
+```
+It appears that virtual supervisor (VS) interrupts are being masked (via the `~(MIP_VSSIP | MIP_VSTIP | MIP_VSEIP)` operation) when they likely should not be, which could explain why the STOPI CSR does not reflect the correct value.
+
+Thank you for your time, and please let me know if any details require further clarification or if my interpretation is incorrect."""
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/285.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/285.toml
new file mode 100644
index 00000000..6fdcac4a
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/285.toml
@@ -0,0 +1,15 @@
+id = 285
+title = "qemu-user child process hangs when forking due to glib allocation"
+state = "closed"
+created_at = "2021-05-13T13:44:05.881Z"
+closed_at = "2023-03-29T13:01:28.954Z"
+labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "linux-user", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/285"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/2855.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/2855.toml
new file mode 100644
index 00000000..a558f36f
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/2855.toml
@@ -0,0 +1,37 @@
+id = 2855
+title = "masking mode field in mepc before mret"
+state = "opened"
+created_at = "2025-03-06T09:38:42.439Z"
+closed_at = "n/a"
+labels = ["accel: TCG", "kind::Bug", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2855"
+host-os = "all"
+host-arch = "riscv"
+qemu-version = "QEMU emulator version 9.2.0 (v9.2.0)"
+guest-os = "qemu-system-riscv64"
+guest-arch = "riscv"
+description = """I thought I found a bug in OpenSBI (https://github.com/riscv-software-src/opensbi/issues/391) but it actually is a QEMU bug.
+It is described here: https://lists.infradead.org/pipermail/opensbi/2025-March/008166.html"""
+reproduce = """1. use an application with vectored mode enabled (The RISC-V Instruction Set Manual: Volume II: Privileged Architecture / chapter 10.1.2) in QEMU 
+2. trigger an illegal instruction interrupt (handle it in machine mode - not by medeleg)
+3. in a machine mode trap: Store STVEC in MEPC.
+4. do a mret 
+5. the first bits of mepc are not masked so the address in mepc (comming from (v)stvec) will be false after mret"""
+additional = """My guess is that the instructions from the following quote (masking of lower bits in mepc) from the official spec must be implemented here:
+https://gitlab.com/qemu-project/qemu/-/blob/master/target/riscv/op_helper.c?ref_type=heads#L387
+Maybe also somewhere else. 
+
+> 3.1.14. Machine Exception Program Counter (mepc)
+> 
+> mepc is an MXLEN-bit read/write register formatted as shown in Figure 21. The low bit of mepc
+> (mepc[0]) is always zero. On implementations that support only IALIGN=32, the two low bits
+> (mepc[1:0]) are always zero.
+> 
+> If an implementation allows IALIGN to be either 16 or 32 (by changing CSR misa, for example), then,
+> whenever IALIGN=32, bit mepc[1] is masked on reads so that it appears to be 0. This masking occurs
+> also for the implicit read by the MRET instruction. Though masked, mepc[1] remains writable when
+> IALIGN=32.
+> 
+> mepc is a WARL register that must be able to hold all valid virtual addresses. It need not be capable of
+> holding all possible invalid addresses. Prior to writing mepc, implementations may convert an invalid
+> address into some other invalid address that mepc is capable of holding."""
diff --git a/gitlab/issues/target_riscv/host_missing/accel_TCG/594.toml b/gitlab/issues/target_riscv/host_missing/accel_TCG/594.toml
new file mode 100644
index 00000000..a4ae8353
--- /dev/null
+++ b/gitlab/issues/target_riscv/host_missing/accel_TCG/594.toml
@@ -0,0 +1,15 @@
+id = 594
+title = "faults due to a amo instruction result in load faults instead of store/amo faults"
+state = "closed"
+created_at = "2021-09-02T19:18:52.486Z"
+closed_at = "2024-11-01T09:58:28.367Z"
+labels = ["accel: TCG", "target: riscv"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/594"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = "n/a"
+reproduce = "n/a"
+additional = "n/a"