graphic: 0.845
device: 0.754
performance: 0.732
files: 0.715
ppc: 0.683
PID: 0.665
register: 0.633
debug: 0.628
mistranslation: 0.624
i386: 0.608
peripherals: 0.531
architecture: 0.451
hypervisor: 0.416
arm: 0.403
user-level: 0.395
semantic: 0.379
VMM: 0.376
socket: 0.321
permissions: 0.309
boot: 0.281
risc-v: 0.238
vnc: 0.235
x86: 0.228
network: 0.209
kernel: 0.168
assembly: 0.160
TCG: 0.133
KVM: 0.098
virtual: 0.078

Regression in 8.2.90: cpu_physical_memory_snapshot_get_dirty: assertion failed
Description of problem:
On executing the image from QEMU advent calendar 2014, door 12 the following error is shown and QEMU exists.

On Debian (built on git-repo)
```
$ qemu-system-i386 oberon/oberon.qcow2
qemu-system-i386: ../system/physmem.c:948: cpu_physical_memory_snapshot_get_dirty: Zusicherung »start + length <= snap->end« nicht erfüllt.
Abgebrochen
```
On Windows (built on qemu-9.0.0-rc0.tar.xz)
```
$ qemu-system-i386 oberon/oberon.qcow2
ERROR:../qemu-9.0.0-rc0/system/physmem.c:946:cpu_physical_memory_snapshot_get_dirty: assertion failed: (start + length <= snap->end)
Bail out! ERROR:../qemu-9.0.0-rc0/system/physmem.c:946:cpu_physical_memory_snapshot_get_dirty: assertion failed: (start + length <= snap->end)
```
Steps to reproduce:
1. Retrieve oberon.tar.xz with `wget http://qemu-advent-calendar.org/2014/download/oberon.tar.xz`
2. Extract with `tar -xf oberon.tar.xz`
3. Execute with `qemu-system-i386 oberon/oberon.qcow2`
Additional information:
The same error is shown for QEMU advent calendar 2014, door 15 (Plan 9 from Bell Labs) soon after switch to graphical mode.

git bisect result:
```
973a724eb006f674301a0c45f34b3c08dee0fe49 is the first bad commit
commit 973a724eb006f674301a0c45f34b3c08dee0fe49
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Mon Dec 29 14:48:14 2014 +0100

    vga: implement horizontal pel panning in graphics modes
    
    This implements smooth scrolling, as used for example by Commander Keen
    and Second Reality.
    
    Unfortunately, this is not enough to avoid tearing in Commander Keen,
    because sometimes the wrong start address is used for a frame.
    On real EGA, the panning register is sampled on every line, while
    the display start is latched for the next frame at the start of the
    vertical retrace.  On real VGA, the panning register is also latched,
    but at the end of the vertical retrace.  It looks like Keen exploits
    this by only waiting for horizontal retrace when setting the display
    start, but implementing it breaks the 256-color Keen games...
    
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
```