qemu 2.12.0 qemu-system-ppc illegal instruction on ppc64le, crashes emulator % uname -a Linux tim.floodgap.com 4.16.14-300.fc28.ppc64le #1 SMP Tue Jun 5 15:59:48 UTC 2018 ppc64le ppc64le ppc64le GNU/Linux STR: Start QEMU and boot Mac OS X 10.4.11. Download the current version of TenFourFox (I used G3 so that AltiVec was not a confounder). Try to start TenFourFox in safe mode (hold down Option as you double-click while the icon bounces in the Dock). Expected: TenFourFox starts. Actual: The entire emulator exits with an illegal instruction error. Trace of session (including some disassembly so you can see where TCG went wrong): tim:/home/spectre/src/qemu-2.12.0/ppc-softmmu/% gdb --args ./qemu-system-ppc -M mac99,accel=tcg -m 2048 -prom-env boot-args=-v -boot c -drive file=tigerhd.img,format=raw,cache=none -netdev user,id=mynet0 -device usb-net,netdev=mynet0 -usb -device usb-tablet GNU gdb (GDB) Fedora 8.1-15.fc28 [...] Reading symbols from ./qemu-system-ppc...done. (gdb) run [...] Thread 6 "qemu-system-ppc" received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ffff242ea30 (LWP 7017)] 0xfffffffffffffffc in ?? () #0 0xfffffffffffffffc in () #1 0x00007fffd4edec00 in code_gen_buffer () #2 0x00000000100c9e20 in cpu_tb_exec (itb=, cpu=) at /home/spectre/src/qemu-2.12.0/accel/tcg/cpu-exec.c:169 #3 0x00000000100c9e20 in cpu_loop_exec_tb (tb_exit=, last_tb=, tb=, cpu=) at /home/spectre/src/qemu-2.12.0/accel/tcg/cpu-exec.c:626 #4 0x00000000100c9e20 in cpu_exec (cpu=) at /home/spectre/src/qemu-2.12.0/accel/tcg/cpu-exec.c:734 #5 0x000000001007decc in tcg_cpu_exec (cpu=0x11774e10) at /home/spectre/src/qemu-2.12.0/cpus.c:1362 (gdb) disas 0x00007fffd4edebf0, 0x00007fffd4edec10 Dump of assembler code from 0x7fffd4edebf0 to 0x7fffd4edec10: 0x00007fffd4edebf0 : addi r0,r4,3 0x00007fffd4edebf4 : rlwinm r0,r0,0,0,19 0x00007fffd4edebf8 : cmplw cr7,r0,r12 0x00007fffd4edebfc : bnel cr7,0x7fffd4ed8b64 0x00007fffd4edec00 : lwbrx r14,r3,r4 0x00007fffd4edec04 : stw r14,40(r27) 0x00007fffd4edec08 : clrldi r4,r14,32 0x00007fffd4edec0c : rlwinm r3,r4,25,19,26 End of assembler dump. (gdb) disas 0x7fffd4ed8b60, 0x7fffd4ed8b70 Dump of assembler code from 0x7fffd4ed8b60 to 0x7fffd4ed8b70: 0x00007fffd4ed8b60 : bctrl 0x00007fffd4ed8b64 : mtctr r3 0x00007fffd4ed8b68 : mr r31,r3 0x00007fffd4ed8b6c : li r3,0 End of assembler dump. (gdb) i reg ctr ctr 0xffffffffffffffff 18446744073709551615 It appears that the branch at 0x00007fffd4edebfc caused a jump back (a return?) through CTR, but CTR has -1 in it, hence setting PC to 0xfffffffffffffffc. I am not sure how to debug this further.