Preface

This post records my QEMU upstream work on the mailing lists. I use the name Chao Liu there. The public archives contain a few email aliases over time, including chao.liu@yeah.net, lc00631@tecorigin.com, chao.liu@zevorn.cn, and chao.liu.zevorn@gmail.com.

You can use the mailing-list archive query here: all QEMU mails matching “Chao Liu”.

The notes below are arranged roughly in reverse chronological order. I separate merged work from RFC or under-review work where the public thread makes that status clear.

Summary by Area

| Area | What I worked on | Representative thread / record |
| --- | --- | --- |
| RISC-V Debug Module | Modeled a board-visible RISC-V Debug Module, wired it into virt, and added qtests for DMI, run-control, abstract commands, SBA, stepping, and triggers. | RISC-V Debug Module support |
| RISC-V Debug Specification / Sdext | Added the CPU-side Debug Mode foundation: DCSR/DPC/DSCRATCH, DRET, EBREAK entry, single-step, and trigger action into Debug Mode. | Sdext v6 series |
| RISC-V TCG CPU review | Added myself as reviewer for RISC-V TCG CPU code; Alistair applied it to riscv-to-apply.next. | MAINTAINERS patch, applied reply |
| RISC-V IOMMU testing | Added libqos helpers and a bare-metal qtest for RISC-V IOMMU address translation without a full guest boot. | IOMMU qtest v2, merged commits |
| K230 board | Added T-Head C908 CPU support, a K230 machine model, K230 watchdog, qtest coverage, and docs. | K230 v6 series |
| RISC-V vector performance | Reworked strided vector load/store generation to use TCG nodes and added a vlsseg8e32 TCG test. | strided vector v7 |
| QEMU monitor usability | Improved the info mtree output into a clearer ASCII tree hierarchy. | info mtree v5 |
| RISC-V vector correctness | Tightened vstart >= vl handling and refactored VSTART_CHECK_EARLY_EXIT(). | VSTART/VL v3 |
| RISC-V TCG debug ergonomics | Proposed helper_print helpers for printing intermediate IR values while developing complex RISC-V instruction models. | helper_print RFC |
| ARM Zynq board cleanup | Worked on removing ignore_memory_transaction_failures from xilinx_zynq by adding missing unimplemented-device placeholders and improving test evidence. | Zynq v4 series, merged placeholder patch |

RISC-V Debug Module Support

The largest current thread is the RISC-V Debug Module model. The series adds a QOM Debug Module device under hw/riscv, wires it into the virt machine, and adds qtest coverage for both register-level protocol behavior and TCG-backed execution paths.

The core design follows the execution-based Debug Module flow from the RISC-V Debug Specification: a hart enters Debug Mode, runs from a Debug Module ROM park loop, and the Debug Module coordinates halt/resume, abstract commands, system bus access, and debug causes through explicit machine-visible state.

The series is split into three layers:

  1. target/riscv support for pending halt requests, Debug Mode ROM flow, ebreak, single-step completion, trigger causes, and itrigger behavior;
  2. hw/riscv Debug Module device modeling: DMI-style MMIO window, per-hart state, run-control, abstract register access, system bus access, and virt wiring;
  3. qtest coverage for DMI registers, halt/resume, abstract commands, register access, single-step, and triggers.

The public v1 series is 28 patches and adds hw/riscv/dm.c, include/hw/riscv/dm.h, and tests/qtest/riscv-dm-test.c.

RISC-V Sdext / Debug Mode Foundation

Before the Debug Module itself, I worked on the CPU-side Sdext foundation. The v6 series introduces the sdext / sdtrig configuration bits and models the key architectural state and transitions needed for RISC-V Debug Mode:

  • DCSR, DPC, and DSCRATCH state;
  • Debug Mode enter/leave helpers;
  • the DRET instruction;
  • entering Debug Mode from EBREAK when the relevant DCSR bits are set;
  • single-step support via TB flags and one-instruction TBs;
  • the trigger action that enters Debug Mode, for mcontrol/mcontrol6.

This series deliberately excludes the Debug Module, DMI, halt/resume, debug ROM, program buffer, abstract commands, and SBA. Those are handled by the later Debug Module series.

RISC-V TCG CPU Reviewer

I also sent a MAINTAINERS patch to add myself as a reviewer for RISC-V TCG CPU-related code. Alistair replied that it was applied to riscv-to-apply.next.

This matters because it changes the contribution mode from only sending patches to also helping review other RISC-V TCG work.

RISC-V IOMMU Bare-Metal qtest

The RISC-V IOMMU qtest work adds coverage that does not require a full guest OS boot. The series adds a libqos helper for RISC-V IOMMU setup and a bare-metal qtest that uses iommu-testdev to exercise real address-translation paths.

The tests cover:

  • device context setup;
  • command queue, fault queue, and DDTP programming;
  • bare translation;
  • S-stage SV39 page-table walks;
  • G-stage SV39x4 page-table walks;
  • nested translation;
  • FCTL constraints;
  • end-to-end DMA verification.

The corresponding QEMU commits were merged into the QEMU master branch as:

  • tests/qtest/libqos: Add RISC-V IOMMU helper library;
  • tests/qtest: Add RISC-V IOMMU bare-metal test.

K230 Board and T-Head C908 CPU Support

The K230 series adds enough machine support to boot U-Boot + OpenSBI + a standard Linux kernel with -M k230.

The v6 series contains five patches:

  1. target/riscv: add thead-c908 cpu support;
  2. hw/riscv: add k230 board initial support;
  3. hw/watchdog: add k230 watchdog initial support;
  4. tests/qtest: add test for K230 watchdog;
  5. docs/system/riscv: add documentation for k230 machine.

The series also includes qtest coverage for the watchdog and documentation for the new machine. The v6 revision was rebased onto Alistair’s riscv-to-apply.next branch and picked up Fabiano’s Acked-by on the watchdog test patch.

RISC-V Vector Strided LD/ST TCG Optimization

The strided vector load/store series came from a reverted performance optimization idea. I picked it up, fixed correctness issues, reshaped the implementation for review, and added a TCG test.

The v7 series contains:

  1. target/riscv: Use tcg nodes for strided vector ld/st generation;
  2. tests/tcg/riscv64: Add test for vlsseg8e32 instruction.

The implementation moves more work into TCG nodes instead of helper calls and adds an assembly-level test for vlsseg8e32.

Related blog note: Optimizing QEMU RISC-V Vector Strided LD/ST for a 25× Speedup in Simulation.

info mtree Output Formatting

The info mtree thread is a QEMU monitor usability cleanup. The goal is to make memory-tree output easier to read by printing hierarchy with a concise ASCII tree format.

The patch changes system/memory.c and refines the output across several review rounds. The public v5 cover letter records feedback from Markus, BALATON, and Philippe and shows the intended output style for nested memory regions.

Enhanced VSTART and VL Checks for Vector Instructions

This RISC-V vector correctness series improves handling of instructions where vstart >= vl. The v3 series has two patches:

  1. refactor VSTART_CHECK_EARLY_EXIT() to accept vl as a parameter;
  2. fix NOP handling for vstart >= vl in some vector instructions.

The point is to make vector helper behavior match the architectural expectation more closely and make the check site more explicit.
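A toy model of the behaviour this series targets, added here as an illustration and not taken from the QEMU patches: when vstart >= vl, a vector instruction must update no destination element, tail included, and only clear vstart. ToyVecEnv, the TOY_ macro and the toy_ function names are hypothetical, and filling an agnostic tail with all ones is this model's assumption.

```c
#include <stdint.h>
#include <string.h>

#define VLMAX 8  /* constructed: elements per toy register; vl <= VLMAX */

/* Toy stand-in for the vector CSR state; not QEMU's CPURISCVState. */
typedef struct { uint32_t vstart, vl; int vta; } ToyVecEnv;

/* Early exit with the length passed in, so a caller whose effective
 * length differs from env->vl could pass that instead (assumption). */
#define TOY_VSTART_CHECK_EARLY_EXIT(env, len) do { \
        if ((env)->vstart >= (len)) {              \
            (env)->vstart = 0;                     \
            return;                                \
        }                                          \
    } while (0)

/* Body loop plus tail handling shared by both variants. */
static void toy_body(ToyVecEnv *env, uint8_t *vd,
                     const uint8_t *a, const uint8_t *b)
{
    for (uint32_t i = env->vstart; i < env->vl; i++) {
        vd[i] = (uint8_t)(a[i] + b[i]);
    }
    if (env->vta) {  /* tail-agnostic: this model writes all ones past vl */
        memset(vd + env->vl, 0xff, VLMAX - env->vl);
    }
    env->vstart = 0;
}

/* Without the check: vl == 0 makes every element "tail" and clobbers vd. */
void toy_vadd_unchecked(ToyVecEnv *env, uint8_t *vd,
                        const uint8_t *a, const uint8_t *b)
{ toy_body(env, vd, a, b); }

/* With the check: vstart >= vl is a no-op that only clears vstart. */
void toy_vadd_checked(ToyVecEnv *env, uint8_t *vd,
                      const uint8_t *a, const uint8_t *b)
{ TOY_VSTART_CHECK_EARLY_EXIT(env, env->vl); toy_body(env, vd, a, b); }

/* Returns how many bytes of a zeroed vd changed (vta = 1 throughout). */
int toy_changed(int use_check, uint32_t vstart, uint32_t vl)
{
    ToyVecEnv env = { .vstart = vstart, .vl = vl, .vta = 1 };
    uint8_t a[VLMAX] = {1, 2, 3, 4, 5, 6, 7, 8}, b[VLMAX] = {1, 1, 1, 1, 1, 1, 1, 1};
    uint8_t vd[VLMAX] = {0};
    int n = 0;
    (use_check ? toy_vadd_checked : toy_vadd_unchecked)(&env, vd, a, b);
    for (int i = 0; i < VLMAX; i++) { n += vd[i] != 0; }
    return n;
}
```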

helper_print RFC for RISC-V TCG Debugging

The helper_print RFC was not intended as a final product patch. It was a proposal for a debugging workflow: when implementing complex RISC-V instructions in QEMU TCG, especially AI-chip-style extended instructions, it can be useful to print intermediate IR/runtime values.

The RFC wrapped printf in helper functions because direct calls from generated code can run into address-space and calling-convention constraints, and QEMU helpers do not support variadic arguments. The thread served as a discussion starter for a cleaner cross-target debugging interface.

Zynq ignore_memory_transaction_failures Cleanup

My first QEMU upstream contribution thread started with the Tinylab RISC-V Linux kernel analysis project. I worked on deprecating ignore_memory_transaction_failures for QEMU’s xilinx_zynq board.

The core problem was that simply clearing the legacy flag was risky: missing unimplemented devices could break existing guest software. Peter Maydell pointed out that removing the flag required stronger evidence than “Linux still boots”. The patch series therefore moved toward two concrete requirements:

  1. add specific unimplemented-device placeholders according to the Zynq memory map and board documentation;
  2. test more than one guest image / board flow to reduce the risk of compatibility regressions.

During the review process, one patch was accepted: hw/arm/xilinx_zynq: Add various missing unimplemented devices. The full flag-removal work required more careful modeling and validation.

Related archived article: Deprecating QEMU xilinx_zynq Board Support for ignore_memory_transaction_failures.

References