id = 2371
title = "A bug in RISC-V froundnx.h instruction"
state = "closed"
created_at = "2024-06-02T05:26:42.308Z"
closed_at = "2024-08-01T08:38:08.083Z"
labels = ["Closed::Fixed", "accel: TCG", "kind::Bug", "target: riscv"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/2371"
host-os = "Ubuntu 22.04"
host-arch = "x86-64"
qemu-version = "qemu-riscv64 version 9.0.50 (v9.0.0-1123-g74abb45dac)"
guest-os = "N/A (qemu-user)"
guest-arch = "riscv64"
description = """According to the RISCV ISA manual, the froundnx.h instruction rounds a half-precision floating-point number in the source register to an integer and writes the integer, represented as a half-precision floating-point number, to the destination register. Because the values are stored in 64-bit width registers, they must be NaN-unboxed/boxed before/after the operation. When an input value lacks the proper form of NaN-boxing, it should be treated as a canonical NaN.
However, when an incorrectly NaN-boxed value is passed to froundnx.h, QEMU produces 0 instead of the canonical NaN. This is because there is a typo in the definition of helper_froundnx_h:
```
// target/riscv/fpu_helper.c
uint64_t helper_froundnx_h(CPURISCVState *env, uint64_t rs1)
{
    float16 frs1 = check_nanbox_s(env, rs1); // This should be check_nanbox_h.
    frs1 = float16_round_to_int(frs1, &env->fp_status);
    return nanbox_h(env, frs1);
}
```"""
reproduce = """1. Write `test.c`.
```
#include <stdio.h>

char i_F6[8] = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 };
char o_F5[8];

void __attribute__ ((noinline)) show_state() {
    for (int i = 0; i < 8; i++) {
        printf("%02x ", o_F5[i]);
    }
    printf("\\n");
}

void __attribute__ ((noinline)) run() {
    __asm__ (
        "lui t5, %hi(i_F6)\\n"
        "addi t5, t5, %lo(i_F6)\\n"
        "fld ft6, 0(t5)\\n"
        ".insn 0x445372d3\\n" // froundnx.h ft5, ft6
        "lui t5, %hi(o_F5)\\n"
        "addi t5, t5, %lo(o_F5)\\n"
        "fsd ft5, 0(t5)\\n"
    );
}

int main(int argc, char **argv) {
    run();
    show_state();

    return 0;
}
```
2. Compile `test.bin` using this command: `riscv64-linux-gnu-gcc-12 -O2 -no-pie -march=rv64iv ./test.c -o ./test.bin`.
3. Run QEMU using this command: `qemu-riscv64 -L /usr/riscv64-linux-gnu/ ./test.bin`.
4. The program, runs on top of the buggy QEMU, prints `00 00 ff ff ff ff ff ff`. It should print `00 7e ff ff ff ff ff ff` after the bug is fixed."""
additional = """"""