hypervisor: 0.804 graphic: 0.726 vnc: 0.687 register: 0.679 TCG: 0.678 virtual: 0.670 x86: 0.661 KVM: 0.632 risc-v: 0.630 VMM: 0.629 peripherals: 0.626 user-level: 0.604 device: 0.581 mistranslation: 0.569 arm: 0.568 i386: 0.549 ppc: 0.541 performance: 0.536 semantic: 0.524 debug: 0.513 permissions: 0.482 assembly: 0.478 architecture: 0.471 network: 0.465 files: 0.463 boot: 0.461 PID: 0.455 socket: 0.452 kernel: 0.413 xhci_find_stream: Assertion `streamid != 0' failed. To reproduce run the QEMU with the following command line: ``` qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio ``` QEMU Version: ``` # qemu-5.0.0 $ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make $ x86_64-softmmu/qemu-system-x86_64 --version QEMU emulator version 5.0.0 Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers ``` Attaching a QTest reproducer. ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci -trace usb\* \ -device usb-audio -device usb-storage,drive=mydrive \ -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \ -nodefaults -nographic -qtest stdio < repro Close to the crash: 21000@1597111713.503068:usb_xhci_slot_configure slotid 58 21000@1597111713.503074:usb_xhci_ep_disable slotid 58, epid 2 21000@1597111713.503077:usb_xhci_ep_enable slotid 58, epid 2 21000@1597111713.503085:usb_xhci_ep_disable slotid 58, epid 6 21000@1597111713.503088:usb_xhci_ep_enable slotid 58, epid 6 21000@1597111713.503092:usb_xhci_ep_disable slotid 58, epid 24 21000@1597111713.503095:usb_xhci_ep_enable slotid 58, epid 24 21000@1597111713.503099:usb_xhci_ep_disable slotid 58, epid 25 21000@1597111713.503102:usb_xhci_ep_enable slotid 58, epid 25 21000@1597111713.503106:usb_xhci_ep_disable slotid 58, epid 29 21000@1597111713.503109:usb_xhci_ep_enable slotid 58, epid 29 21000@1597111713.503113:usb_xhci_ep_disable slotid 58, epid 30 
21000@1597111713.503116:usb_xhci_ep_enable slotid 58, epid 30 21000@1597111713.503121:usb_xhci_fetch_trb addr 0x0000000000000b20, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700 21000@1597111713.503127:usb_xhci_slot_enable slotid 59 21000@1597111713.503130:usb_xhci_fetch_trb addr 0x0000000000000b30, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x00004300 21000@1597111713.503135:usb_xhci_fetch_trb addr 0x0000000000000b40, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700 21000@1597111713.503140:usb_xhci_slot_enable slotid 60 21000@1597111713.503143:usb_xhci_fetch_trb addr 0x0000000000000b50, CR_EVALUATE_CONTEXT, p 0x0000000000000000, s 0x00000000, c 0x00003600 21000@1597111713.503149:usb_xhci_fetch_trb addr 0x0000000000000b60, CR_STOP_ENDPOINT, p 0x0000000000000000, s 0x00000000, c 0x3afd3c00 21000@1597111713.503154:usb_xhci_ep_stop slotid 58, epid 29 21000@1597111713.503159:usb_xhci_ep_state slotid 58, epid 29, running -> stopped 21000@1597111713.503163:usb_xhci_fetch_trb addr 0x0000000000000b70, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700 21000@1597111713.503168:usb_xhci_slot_enable slotid 61 21000@1597111713.503171:usb_xhci_fetch_trb addr 0x0000000000000b80, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x3afd4300 21000@1597111713.503177:usb_xhci_ep_set_dequeue slotid 58, epid 29, streamid 0, ptr 0x0000000000000000 qemu-system-i386: hw/usb/hcd-xhci.c:1016: XHCIStreamContext *xhci_find_stream(XHCIEPContext *, unsigned int, uint32_t *): Assertion `streamid != 0' failed. Aborted Can you still reproduce this assertion with the latest version 6.0 of QEMU? ... I cannot trigger it here, so I assume this issue has been fixed? I don't think it is fixed yet.. 
This is https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28571#c4 Bash Reproducer: ./qemu-system-i386 -display none -machine accel=qtest, -m 512M \ -machine q35 -nodefaults -drive \ file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci \ -device usb-tablet,bus=xhci.0 -device usb-bot -device \ usb-storage,drive=disk0 -chardev null,id=cd0 -chardev null,id=cd1 \ -device usb-braille,chardev=cd0 -device usb-ccid -device usb-ccid \ -device usb-kbd -device usb-mouse -device usb-serial,chardev=cd1 -device\ usb-tablet -device usb-wacom-tablet -device usb-audio -qtest /dev/null \ -qtest stdio < attachment Testcase: /* * Autogenerated Fuzzer Test Case * * Copyright (c) 2021 * * This work is licensed under the terms of the GNU GPL, version 2 or later. * See the COPYING file in the top-level directory. */ #include "qemu/osdep.h" #include "libqos/libqtest.h" static void test_fuzz(void) { QTestState *s = qtest_init( "-display none , -m 512M -machine q35 -nodefaults -drive " "file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci -device " "usb-tablet,bus=xhci.0 -device usb-bot -device usb-storage,drive=disk0 -chardev " "null,id=cd0 -chardev null,id=cd1 -device usb-braille,chardev=cd0 -device " "usb-ccid -device usb-ccid -device usb-kbd -device usb-mouse -device " "usb-serial,chardev=cd1 -device usb-tablet -device usb-wacom-tablet -device " "usb-audio -qtest /dev/null"); qtest_outl(s, 0xcf8, 0x80000816); qtest_outl(s, 0xcfc, 0xffff); qtest_outl(s, 0xcf8, 0x80000803); qtest_outl(s, 0xcfc, 0x0600); qtest_outl(s, 0xcf8, 0x80000810); qtest_outl(s, 0xcfc, 0x2e654000); qtest_writel(s, 0xffff00002e654040, 0xffffff05); qtest_bufwrite(s, 0x4d, "\x04", 0x1); qtest_bufwrite(s, 0x5d, "\x04", 0x1); qtest_bufwrite(s, 0x6d, "\x04", 0x1); qtest_bufwrite(s, 0x7d, "\x04", 0x1); qtest_bufwrite(s, 0x8d, "\x04", 0x1); qtest_bufwrite(s, 0x9d, "\x04", 0x1); qtest_bufwrite(s, 0xad, "\x04", 0x1); qtest_bufwrite(s, 0xbd, "\x04", 0x1); qtest_bufwrite(s, 0xcd, "\x04", 
0x1); qtest_bufwrite(s, 0xdd, "\x04", 0x1); qtest_bufwrite(s, 0xed, "\x04", 0x1); qtest_bufwrite(s, 0xfd, "\x04", 0x1); qtest_bufwrite(s, 0x10d, "\x04", 0x1); qtest_bufwrite(s, 0x11d, "\x04", 0x1); qtest_bufwrite(s, 0x12d, "\x04", 0x1); qtest_bufwrite(s, 0x13d, "\x04", 0x1); qtest_bufwrite(s, 0x14d, "\x04", 0x1); qtest_bufwrite(s, 0x15d, "\x04", 0x1); qtest_bufwrite(s, 0x16d, "\x04", 0x1); qtest_bufwrite(s, 0x17d, "\x04", 0x1); qtest_bufwrite(s, 0x18d, "\x04", 0x1); qtest_bufwrite(s, 0x19d, "\x04", 0x1); qtest_bufwrite(s, 0x1ad, "\x04", 0x1); qtest_bufwrite(s, 0x1bd, "\x04", 0x1); qtest_bufwrite(s, 0x1cd, "\x04", 0x1); qtest_bufwrite(s, 0x1dd, "\x04", 0x1); qtest_bufwrite(s, 0x1ed, "\x04", 0x1); qtest_bufwrite(s, 0x1fd, "\x04", 0x1); qtest_bufwrite(s, 0x20d, "\x04", 0x1); qtest_bufwrite(s, 0x21d, "\x04", 0x1); qtest_bufwrite(s, 0x22d, "\x04", 0x1); qtest_bufwrite(s, 0x23d, "\x04", 0x1); qtest_bufwrite(s, 0x24d, "\x04", 0x1); qtest_bufwrite(s, 0x25d, "\x04", 0x1); qtest_bufwrite(s, 0x26d, "\x04", 0x1); qtest_bufwrite(s, 0x27d, "\x04", 0x1); qtest_bufwrite(s, 0x28d, "\x04", 0x1); qtest_bufwrite(s, 0x29d, "\x04", 0x1); qtest_bufwrite(s, 0x2ad, "\x04", 0x1); qtest_bufwrite(s, 0x2bd, "\x04", 0x1); qtest_bufwrite(s, 0x2cd, "\x04", 0x1); qtest_bufwrite(s, 0x2dd, "\x04", 0x1); qtest_bufwrite(s, 0x2ed, "\x04", 0x1); qtest_bufwrite(s, 0x2fd, "\x04", 0x1); qtest_bufwrite(s, 0x30d, "\x04", 0x1); qtest_bufwrite(s, 0x31d, "\x04", 0x1); qtest_bufwrite(s, 0x32d, "\x04", 0x1); qtest_bufwrite(s, 0x33d, "\x04", 0x1); qtest_bufwrite(s, 0x34d, "\x04", 0x1); qtest_bufwrite(s, 0x35d, "\x04", 0x1); qtest_bufwrite(s, 0x36d, "\x04", 0x1); qtest_bufwrite(s, 0x37d, "\x04", 0x1); qtest_bufwrite(s, 0x38d, "\x04", 0x1); qtest_bufwrite(s, 0x39d, "\x04", 0x1); qtest_bufwrite(s, 0x3ad, "\x04", 0x1); qtest_bufwrite(s, 0x3bd, "\x04", 0x1); qtest_bufwrite(s, 0x3cd, "\x04", 0x1); qtest_bufwrite(s, 0x3dd, "\x04", 0x1); qtest_bufwrite(s, 0x3ed, "\x04", 0x1); qtest_bufwrite(s, 0x3fd, "\x04", 0x1); 
qtest_bufwrite(s, 0x40d, "\x04", 0x1); qtest_bufwrite(s, 0x41d, "\x04", 0x1); qtest_bufwrite(s, 0x42d, "\x04", 0x1); qtest_bufwrite(s, 0x43d, "\x04", 0x1); qtest_bufwrite(s, 0x44d, "\x04", 0x1); qtest_bufwrite(s, 0x45d, "\x04", 0x1); qtest_bufwrite(s, 0x46d, "\x04", 0x1); qtest_bufwrite(s, 0x47d, "\x04", 0x1); qtest_bufwrite(s, 0x48d, "\x04", 0x1); qtest_bufwrite(s, 0x49d, "\x04", 0x1); qtest_bufwrite(s, 0x4ad, "\x04", 0x1); qtest_bufwrite(s, 0x4bd, "\x04", 0x1); qtest_bufwrite(s, 0x4cd, "\x04", 0x1); qtest_bufwrite(s, 0x4dd, "\x04", 0x1); qtest_bufwrite(s, 0x4ed, "\x04", 0x1); qtest_bufwrite(s, 0x4fd, "\x04", 0x1); qtest_bufwrite(s, 0x50d, "\x04", 0x1); qtest_bufwrite(s, 0x51d, "\x04", 0x1); qtest_bufwrite(s, 0x52d, "\x04", 0x1); qtest_bufwrite(s, 0x53d, "\x04", 0x1); qtest_bufwrite(s, 0x54d, "\x04", 0x1); qtest_bufwrite(s, 0x55d, "\x04", 0x1); qtest_bufwrite(s, 0x56d, "\x04", 0x1); qtest_bufwrite(s, 0x57d, "\x04", 0x1); qtest_bufwrite(s, 0x58d, "\x04", 0x1); qtest_bufwrite(s, 0x59d, "\x04", 0x1); qtest_bufwrite(s, 0x5ad, "\x04", 0x1); qtest_bufwrite(s, 0x5bd, "\x04", 0x1); qtest_bufwrite(s, 0x5cd, "\x04", 0x1); qtest_bufwrite(s, 0x5dd, "\x04", 0x1); qtest_bufwrite(s, 0x5ed, "\x04", 0x1); qtest_bufwrite(s, 0x5fd, "\x04", 0x1); qtest_bufwrite(s, 0x60d, "\x04", 0x1); qtest_bufwrite(s, 0x61d, "\x04", 0x1); qtest_bufwrite(s, 0x62d, "\x04", 0x1); qtest_bufwrite(s, 0x63d, "\x04", 0x1); qtest_bufwrite(s, 0x64d, "\x04", 0x1); qtest_bufwrite(s, 0x65d, "\x04", 0x1); qtest_bufwrite(s, 0x66d, "\x04", 0x1); qtest_bufwrite(s, 0x67d, "\x04", 0x1); qtest_bufwrite(s, 0x68d, "\x04", 0x1); qtest_bufwrite(s, 0x69d, "\x04", 0x1); qtest_bufwrite(s, 0x6ad, "\x04", 0x1); qtest_bufwrite(s, 0x6bd, "\x04", 0x1); qtest_bufwrite(s, 0x6cd, "\x04", 0x1); qtest_bufwrite(s, 0x6dd, "\x04", 0x1); qtest_bufwrite(s, 0x6ed, "\x04", 0x1); qtest_bufwrite(s, 0x6fd, "\x04", 0x1); qtest_bufwrite(s, 0x70d, "\x04", 0x1); qtest_bufwrite(s, 0x71d, "\x04", 0x1); qtest_bufwrite(s, 0x72d, "\x04", 0x1); 
qtest_bufwrite(s, 0x73d, "\x04", 0x1); qtest_bufwrite(s, 0x74d, "\x04", 0x1); qtest_bufwrite(s, 0x75d, "\x04", 0x1); qtest_bufwrite(s, 0x76d, "\x04", 0x1); qtest_bufwrite(s, 0x77d, "\x04", 0x1); qtest_bufwrite(s, 0x78d, "\x04", 0x1); qtest_bufwrite(s, 0x79d, "\x04", 0x1); qtest_bufwrite(s, 0x7ad, "\x04", 0x1); qtest_bufwrite(s, 0x7bd, "\x04", 0x1); qtest_bufwrite(s, 0x7cd, "\x04", 0x1); qtest_bufwrite(s, 0x7dd, "\x04", 0x1); qtest_bufwrite(s, 0x7ed, "\x04", 0x1); qtest_bufwrite(s, 0x7fd, "\x04", 0x1); qtest_bufwrite(s, 0x80d, "\x04", 0x1); qtest_bufwrite(s, 0x81d, "\x04", 0x1); qtest_bufwrite(s, 0x82d, "\x04", 0x1); qtest_bufwrite(s, 0x83d, "\x04", 0x1); qtest_bufwrite(s, 0x84d, "\x04", 0x1); qtest_bufwrite(s, 0x85d, "\x04", 0x1); qtest_bufwrite(s, 0x86d, "\x04", 0x1); qtest_bufwrite(s, 0x87d, "\x04", 0x1); qtest_bufwrite(s, 0x88d, "\x04", 0x1); qtest_bufwrite(s, 0x89d, "\x04", 0x1); qtest_bufwrite(s, 0x8ad, "\x04", 0x1); qtest_bufwrite(s, 0x8bd, "\x04", 0x1); qtest_bufwrite(s, 0x8cd, "\x04", 0x1); qtest_bufwrite(s, 0x8dd, "\x04", 0x1); qtest_bufwrite(s, 0x8ed, "\x04", 0x1); qtest_bufwrite(s, 0x8fd, "\x04", 0x1); qtest_bufwrite(s, 0x90d, "\x04", 0x1); qtest_bufwrite(s, 0x91d, "\x04", 0x1); qtest_bufwrite(s, 0x92d, "\x04", 0x1); qtest_bufwrite(s, 0x93d, "\x04", 0x1); qtest_bufwrite(s, 0x94d, "\x04", 0x1); qtest_bufwrite(s, 0x95d, "\x04", 0x1); qtest_bufwrite(s, 0x96d, "\x04", 0x1); qtest_bufwrite(s, 0x97d, "\x04", 0x1); qtest_bufwrite(s, 0x98d, "\x04", 0x1); qtest_bufwrite(s, 0x99d, "\x04", 0x1); qtest_bufwrite(s, 0x9ad, "\x04", 0x1); qtest_bufwrite(s, 0x9bd, "\x04", 0x1); qtest_bufwrite(s, 0x9cd, "\x04", 0x1); qtest_bufwrite(s, 0x9dd, "\x04", 0x1); qtest_bufwrite(s, 0x9ed, "\x04", 0x1); qtest_bufwrite(s, 0x9fd, "\x04", 0x1); qtest_bufwrite(s, 0xa0d, "\x04", 0x1); qtest_bufwrite(s, 0xa1d, "\x04", 0x1); qtest_bufwrite(s, 0xa2d, "\x04", 0x1); qtest_bufwrite(s, 0xa3d, "\x04", 0x1); qtest_bufwrite(s, 0xa4d, "\x04", 0x1); qtest_bufwrite(s, 0xa5d, "\x04", 0x1); 
qtest_bufwrite(s, 0xa6d, "\x04", 0x1); qtest_bufwrite(s, 0xa7d, "\x04", 0x1); qtest_bufwrite(s, 0xa8d, "\x04", 0x1); qtest_bufwrite(s, 0xa9d, "\x04", 0x1); qtest_bufwrite(s, 0xaad, "\x04", 0x1); qtest_bufwrite(s, 0xabd, "\x04", 0x1); qtest_bufwrite(s, 0xacd, "\x04", 0x1); qtest_bufwrite(s, 0xadd, "\x04", 0x1); qtest_bufwrite(s, 0xaed, "\x04", 0x1); qtest_bufwrite(s, 0xafd, "\x04", 0x1); qtest_bufwrite(s, 0xb0d, "\x04", 0x1); qtest_bufwrite(s, 0xb1d, "\x04", 0x1); qtest_bufwrite(s, 0xb2d, "\x04", 0x1); qtest_bufwrite(s, 0xb3d, "\x04", 0x1); qtest_bufwrite(s, 0xb4d, "\x04", 0x1); qtest_bufwrite(s, 0xb5d, "\x04", 0x1); qtest_bufwrite(s, 0xb6d, "\x04", 0x1); qtest_bufwrite(s, 0xb7d, "\x04", 0x1); qtest_bufwrite(s, 0xb8d, "\x04", 0x1); qtest_bufwrite(s, 0xb9d, "\x04", 0x1); qtest_bufwrite(s, 0xbad, "\x04", 0x1); qtest_bufwrite(s, 0xbbd, "\x04", 0x1); qtest_bufwrite(s, 0xbcd, "\x04", 0x1); qtest_bufwrite(s, 0xbdd, "\x04", 0x1); qtest_bufwrite(s, 0xbed, "\x04", 0x1); qtest_bufwrite(s, 0xbfd, "\x04", 0x1); qtest_bufwrite(s, 0xc0d, "\x04", 0x1); qtest_bufwrite(s, 0xc1d, "\x04", 0x1); qtest_bufwrite(s, 0xc2d, "\x04", 0x1); qtest_bufwrite(s, 0xc3d, "\x04", 0x1); qtest_bufwrite(s, 0xc4d, "\x04", 0x1); qtest_bufwrite(s, 0xc5d, "\x04", 0x1); qtest_bufwrite(s, 0xc6d, "\x04", 0x1); qtest_bufwrite(s, 0xc7d, "\x04", 0x1); qtest_bufwrite(s, 0xc8d, "\x04", 0x1); qtest_bufwrite(s, 0xc9d, "\x04", 0x1); qtest_bufwrite(s, 0xcad, "\x04", 0x1); qtest_bufwrite(s, 0xcbd, "\x04", 0x1); qtest_bufwrite(s, 0xccd, "\x04", 0x1); qtest_bufwrite(s, 0xcdd, "\x04", 0x1); qtest_bufwrite(s, 0xced, "\x04", 0x1); qtest_bufwrite(s, 0xcfd, "\x04", 0x1); qtest_bufwrite(s, 0xd0d, "\x04", 0x1); qtest_bufwrite(s, 0xd1d, "\x04", 0x1); qtest_bufwrite(s, 0xd2d, "\x04", 0x1); qtest_bufwrite(s, 0xd3d, "\x04", 0x1); qtest_bufwrite(s, 0xd4d, "\x04", 0x1); qtest_bufwrite(s, 0xd5d, "\x04", 0x1); qtest_bufwrite(s, 0xd6d, "\x04", 0x1); qtest_bufwrite(s, 0xd7d, "\x04", 0x1); qtest_bufwrite(s, 0xd8d, "\x04", 0x1); 
qtest_bufwrite(s, 0xd9d, "\x04", 0x1); qtest_bufwrite(s, 0xdad, "\x04", 0x1); qtest_bufwrite(s, 0xdbd, "\x04", 0x1); qtest_bufwrite(s, 0xdcd, "\x04", 0x1); qtest_bufwrite(s, 0xddd, "\x04", 0x1); qtest_bufwrite(s, 0xded, "\x04", 0x1); qtest_bufwrite(s, 0xdfd, "\x04", 0x1); qtest_bufwrite(s, 0xe0d, "\x04", 0x1); qtest_bufwrite(s, 0xe1d, "\x04", 0x1); qtest_bufwrite(s, 0xe2d, "\x04", 0x1); qtest_bufwrite(s, 0xe3d, "\x04", 0x1); qtest_bufwrite(s, 0xe4d, "\x04", 0x1); qtest_bufwrite(s, 0xe5d, "\x04", 0x1); qtest_bufwrite(s, 0xe6d, "\x04", 0x1); qtest_bufwrite(s, 0xe7d, "\x04", 0x1); qtest_bufwrite(s, 0xe8d, "\x04", 0x1); qtest_bufwrite(s, 0xe9d, "\x04", 0x1); qtest_bufwrite(s, 0xead, "\x04", 0x1); qtest_bufwrite(s, 0xebd, "\x04", 0x1); qtest_bufwrite(s, 0xecd, "\x04", 0x1); qtest_bufwrite(s, 0xedd, "\x04", 0x1); qtest_bufwrite(s, 0xeed, "\x04", 0x1); qtest_bufwrite(s, 0xefd, "\x04", 0x1); qtest_bufwrite(s, 0xf0d, "\x04", 0x1); qtest_bufwrite(s, 0xf1d, "\x04", 0x1); qtest_bufwrite(s, 0xf2d, "\x04", 0x1); qtest_bufwrite(s, 0xf3d, "\x04", 0x1); qtest_bufwrite(s, 0xf4d, "\x04", 0x1); qtest_bufwrite(s, 0xf5d, "\x04", 0x1); qtest_bufwrite(s, 0xf6d, "\x04", 0x1); qtest_bufwrite(s, 0xf7d, "\x04", 0x1); qtest_bufwrite(s, 0xf8d, "\x04", 0x1); qtest_bufwrite(s, 0xf9d, "\x04", 0x1); qtest_bufwrite(s, 0xfad, "\x04", 0x1); qtest_bufwrite(s, 0xfbd, "\x04", 0x1); qtest_bufwrite(s, 0xfcd, "\x04", 0x1); qtest_bufwrite(s, 0xfdd, "\x04", 0x1); qtest_bufwrite(s, 0xfed, "\x24", 0x1); qtest_bufwrite(s, 0xffd, "\x24", 0x1); qtest_bufwrite(s, 0x100d, "\x24", 0x1); qtest_bufwrite(s, 0x101d, "\x24", 0x1); qtest_bufwrite(s, 0x102d, "\x24", 0x1); qtest_bufwrite(s, 0x1041, "\x6d", 0x1); qtest_bufwrite(s, 0x104d, "\x2c", 0x1); qtest_bufwrite(s, 0x104f, "\x05", 0x1); qtest_writel(s, 0xffff00002e656000, 0x0); qtest_writel(s, 0xffff00002e656000, 0x0); qtest_writel(s, 0xffff00002e656000, 0x0); qtest_writel(s, 0xffff00002e656000, 0x0); qtest_bufwrite(s, 0x6d04, "\x03", 0x1); qtest_bufwrite(s, 0x6d26, 
"\x04", 0x1); qtest_bufwrite(s, 0x6d41, "\x04", 0x1); qtest_writel(s, 0xffff00002e656000, 0x0); qtest_writel(s, 0xffff00002e656000, 0x0); qtest_bufwrite(s, 0xffff00002e656014, "\x01\x00\x00\x00", 0x4); qtest_quit(s); } int main(int argc, char **argv) { const char *arch = qtest_get_arch(); g_test_init(&argc, &argv, NULL); if (strcmp(arch, "i386") == 0) { qtest_add_func("fuzz/test_fuzz", test_fuzz); } return g_test_run(); } Ok, with the new attachment from comment #5, I can also reproduce the bug again. It does not reproduce with the attachments from comment #1 or #2 anymore, so this now seems to be a different way to run into this assert. Anyway, setting the status back to Confirmed since it is reproducible again. This is an automated cleanup. This bug report has been moved to QEMU's new bug tracker on gitlab.com and thus gets marked as 'expired' now. Please continue with the discussion here: https://gitlab.com/qemu-project/qemu/-/issues/273