segfault in thread-pool.c:246:5:

Building qemu-2.5.0 with -fsanitize=undefined shows, e.g.:

markus@x4 linux % qemu-system-x86_64 -s -enable-kvm -net nic,vlan=0,model=virtio -net user -fsdev local,security_model=none,id=root,path=/ -device virtio-9p-pci,id=root,fsdev
=root,mount_tag=/dev/root -m 512 -smp 2 -kernel /usr/src/linux/arch/x86/boot/bzImage -nographic -append "init=/bin/zsh root=/dev/root console=ttyS0 kgdboc=ttyS0 rootflags=rw,
trans=virtio rootfstype=9p ip=dhcp earlyprintk=ttyS0"
/var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/exec.c:307:5: runtime error: variable length array bound evaluates to non-positive value 0
/var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/hw/i386/kvm/apic.c:37:47: runtime error: left shift of 15 by 28 places cannot be represented in type 'int'
/var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/include/qemu/rcu.h:85:21: runtime error: member access within null pointer of type 'struct rcu_reader_data'
/var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/include/qemu/rcu.h:101:5: runtime error: member access within null pointer of type 'struct rcu_reader_data'
/var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/include/qemu/rcu.h:102:8: runtime error: member access within null pointer of type 'struct rcu_reader_data'
...
ALSA device list:
  No soundcards found.
/var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/thread-pool.c:246:5: runtime error: member access within null pointer of type 'struct ThreadPool'
[1]    9295 segmentation fault  qemu-system-x86_64 -s -enable-kvm -net nic,vlan=0,model=virtio -net user  

As you can see it segfaults when build with upcoming gcc-6, that is more aggressive when it comes to undefined behavior.
The compiler just assumes that "this" can never be NULL and optimizes accordingly.

It also segfaults when build with gcc-4.9.4 or gcc-5.3.

Program received signal SIGSEGV, Segmentation fault.
thread_pool_submit_aio (pool=0x0, func=0x555555820bc0 <coroutine_enter_func>, arg=0x5555579db430, cb=<optimized out>, opaque=<optimized out>)
    at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/thread-pool.c:246
246         QLIST_INSERT_HEAD(&pool->head, req, all);
(gdb) bt
#0  thread_pool_submit_aio (pool=0x0, func=0x555555820bc0 <coroutine_enter_func>, arg=0x5555579db430, cb=<optimized out>, opaque=<optimized out>)
    at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/thread-pool.c:246
#1  0x00005555559451cd in aio_bh_call (bh=<optimized out>) at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/async.c:64
#2  aio_bh_poll (ctx=ctx@entry=0x5555561c1da0) at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/async.c:92
#3  0x00005555559524f0 in aio_dispatch (ctx=0x5555561c1da0) at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/aio-posix.c:305
#4  0x0000555555944f4e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/async.c:231
#5  0x00007ffff726ce2e in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#6  0x0000555555950baa in glib_pollfds_poll () at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/main-loop.c:211
#7  os_host_main_loop_wait (timeout=<optimized out>) at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/main-loop.c:256
#8  main_loop_wait (nonblocking=<optimized out>) at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/main-loop.c:504
#9  0x00005555556ddf46 in main_loop () at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/vl.c:1923
#10 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /var/tmp/portage/app-emulation/qemu-2.5.0/work/qemu-2.5.0/vl.c:4684
(gdb) p pool
$1 = (ThreadPool *) 0x0


This issue was fixed with the following upstream commit:

http://git.qemu.org/?p=qemu.git;a=commit;h=4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6

Shipped in QEMU 2.5.1 and 2.6.