risc-v: 0.995 register: 0.872 device: 0.835 performance: 0.823 architecture: 0.815 graphic: 0.776 hypervisor: 0.701 peripherals: 0.634 permissions: 0.566 ppc: 0.541 semantic: 0.515 mistranslation: 0.513 debug: 0.500 socket: 0.481 vnc: 0.472 network: 0.466 i386: 0.452 KVM: 0.450 VMM: 0.428 PID: 0.417 kernel: 0.404 arm: 0.399 x86: 0.358 user-level: 0.350 TCG: 0.340 files: 0.325 boot: 0.323 assembly: 0.322 virtual: 0.302 -------------------- risc-v: 0.981 register: 0.801 virtual: 0.670 debug: 0.167 peripherals: 0.150 hypervisor: 0.112 TCG: 0.089 assembly: 0.076 architecture: 0.052 kernel: 0.041 semantic: 0.039 device: 0.033 files: 0.030 performance: 0.015 socket: 0.011 PID: 0.010 vnc: 0.009 user-level: 0.008 VMM: 0.007 network: 0.006 permissions: 0.006 arm: 0.002 boot: 0.002 ppc: 0.002 KVM: 0.002 mistranslation: 0.001 graphic: 0.001 i386: 0.001 x86: 0.000 RISC-V APLIC emulation: interrupt pending state of direct-delivery level-triggered interrupts is wrong after masking Description of problem: According to the APLIC specification, the interrupt pending state of a level-triggered interrupt in direct delivery mode should always match the (rectified) input signal: > When an interrupt domain is in direct delivery mode, the pending bit for a level-sensitive source is always just a copy of the rectified input value. (From Section 4.7 "Precise effects on interrupt-pending bits" of the specification. See also the more detailed paragraph starting with "If the source mode is Level1 or Level0 and the interrupt domain is configured in direct delivery mode [...]".) However, **this is not true in Qemu's emulation**. In particular, in some situations, **a level-triggered interrupt in direct delivery mode can be raised even though the rectified input signal is off**. Steps to reproduce: 1. Set `-machine virt,acpi=off,aia=aplic` to use AIA without IMSIC. 2. Program APLIC to direct delivery. Program some level triggered interrupt (e.g., an interrupt of a PCIe ECAM controller). 4. Wait until the IRQ is raised by a device (i.e., `claimi` returns the IRQ). 5. Mask the interrupt by writing to `clrie`. 6. Clear the interrupt at the device level. 7. The state of Qemu's APLIC registers is now: ``` Rectified input = 0 (correct) Pending = 1 (incorrect) topi = 0 (correct) ``` Furthermore, if `setie` is written to unmask the IRQ in this situation, the IRQ is raised (in `topi` / `claimi`) despite the signal being off.