
macOS arm64: QEMU 10.* aborts on SPICE client connect (bql_lock_impl assert via reds_handle_channel_event)

Host environment

  • Operating system:

    macOS 15.4.1

  • OS/kernel version:

    Darwin MacBookPro.fritz.box 24.4.0 Darwin Kernel Version 24.4.0: Fri Apr 11 18:33:47 PDT 2025; root:xnu-11417.101.15~117/RELEASE_ARM64_T6000 arm64

  • Architecture:

    ARM

  • QEMU flavor:

    qemu-system-aarch64

  • QEMU version:

    QEMU emulator version 10.0.3

  • QEMU command line:

    qemu-system-aarch64 -machine virt -m 1024 \
      -drive if=pflash,format=raw,unit=0,readonly=on,file=/Users/Shared/qemu/uefi/c0c78f7443cce15bcc91a8b6966e759c/edk2-aarch64-code.fd \
      -drive if=pflash,format=raw,unit=1,file=./myvm.vars.fd \
      -drive file=./myvm.qcow2,if=virtio,format=qcow2 \
      -device virtio-gpu-pci \
      -spice addr=127.0.0.1,port=5900 \
      -display none

Emulated/Virtualized environment

  • Operating system:

    Debian 12.11

  • OS/kernel version:

    Linux debianvm 6.1.0-37-arm64 #1 SMP Debian 6.1.140-1 (2025-05-22) aarch64 GNU/Linux

  • Architecture:

    ARM

Description of problem

qemu-system-aarch64 crashes immediately after a client tries to connect with remote-viewer spice://127.0.0.1:5900. This happens with both -accel hvf and -accel tcg (so it's not the accelerator).

Upon crashing, qemu-system-aarch64 outputs

**

ERROR:../qemu-10.0.3/system/cpus.c:556:bql_lock_impl: assertion failed: (!bql_locked())

Bail out! ERROR:../qemu-10.0.3/system/cpus.c:556:bql_lock_impl: assertion failed: (!bql_locked())

Abort trap: 6

Steps to reproduce

  1. Run the qemu-system-aarch64 command to start the VM
  2. Run remote-viewer spice://127.0.0.1:5900 from the host OS (macOS)
  3. Observe the crash of the qemu-system-aarch64 process

Additional information

Here is an excerpt from a crash report (part of the Translated Report):

qemu crash report excerpt.txt

Analysis

The crash is triggered as soon as a SPICE client connects. The abort comes from QEMU’s BQL assert:

    bql_lock_impl                          # assert: !bql_locked()
      channel_event
      → reds_handle_channel_event
      → DispatcherPrivate::handle_single_read …
      → aio_dispatch_handler
      → main_loop_wait

This suggests a re-entrancy/locking issue in the SPICE channel event path under macOS/arm64 with QEMU 10’s stricter BQL checks. It reproduces with both TCG and HVF, and does not occur when using VNC or the Cocoa display, so it appears SPICE-specific. Workaround: use -vnc or -display cocoa instead of -spice.
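To make the assertion concrete, here is an added example (not QEMU's code and not a fix from the QEMU project): a small C model of a non-recursive "big lock" whose lock function, like QEMU's bql_lock_impl, requires that the caller does not already hold it. The function names bql_lock, bql_locked and bql_unlock mirror QEMU's but the bodies are constructed for this model; a violated precondition is counted instead of aborting so the model can be run. The guarded handler shows the general idiom of acquiring a non-reentrant lock only when it is not already held, which is one defensive shape for a callback that may run under the main loop, not the change QEMU adopted for this issue.

```c
/* Added example, not QEMU code: a model of the Big QEMU Lock (BQL) re-entry
 * check.  In QEMU, bql_lock_impl() asserts !bql_locked(): the lock is not
 * recursive, so a callback dispatched by the main loop (which already holds
 * the BQL) that calls bql_lock() again trips the assertion quoted above.
 * Real QEMU aborts; this model counts the violation so it can be executed. */
#include <stdbool.h>
#include <stdio.h>

static bool bql_held;        /* constructed state: whether the lock is held */
static int assert_failures;  /* each one would be an abort() in real QEMU */

static bool bql_locked(void) { return bql_held; }

/* Model of bql_lock_impl(): precondition is that the caller does not hold
 * the lock.  Returns false (and records the violation) when it already does. */
static bool bql_lock(void) {
    if (bql_locked()) {
        assert_failures++;   /* "assertion failed: (!bql_locked())" */
        return false;
    }
    bql_held = true;
    return true;
}

static void bql_unlock(void) { bql_held = false; }

/* Handler A: takes the lock unconditionally, as if it could only ever be
 * entered from a thread that does not hold the BQL. */
static void handler_unconditional(void) {
    if (bql_lock()) {
        /* ... touch device/guest state under the lock ... */
        bql_unlock();
    }
}

/* Handler B: re-entrancy-safe shape for a non-recursive lock - acquire only
 * if this frame does not already hold it, and release only what it acquired. */
static void handler_guarded(void) {
    bool acquired = !bql_locked();
    if (acquired) {
        bql_lock();
    }
    /* ... touch device/guest state under the lock ... */
    if (acquired) {
        bql_unlock();
    }
}

/* Model of aio_dispatch_handler() reached from main_loop_wait(): the main
 * loop runs fd handlers with the BQL already held.  Returns the number of
 * assertion violations the handler caused (0 means it would not abort). */
static int dispatch_under_bql(void (*handler)(void)) {
    int before = assert_failures;
    bql_lock();      /* the main loop owns the BQL here */
    handler();       /* e.g. the SPICE channel_event callback */
    bql_unlock();
    return assert_failures - before;
}

/* Same handler invoked from a context that does not hold the BQL. */
static int dispatch_without_bql(void (*handler)(void)) {
    int before = assert_failures;
    handler();
    return assert_failures - before;
}

int main(void) {
    printf("unconditional handler under BQL: %d violation(s)\n",
           dispatch_under_bql(handler_unconditional));   /* 1 */
    printf("guarded handler under BQL:       %d violation(s)\n",
           dispatch_under_bql(handler_guarded));         /* 0 */
    printf("unconditional handler, no BQL:   %d violation(s)\n",
           dispatch_without_bql(handler_unconditional)); /* 0 */
    return 0;
}
```

The first case is the shape of the trace above: main_loop_wait already holds the BQL when aio_dispatch_handler runs the channel event callback, so an unconditional lock in that path fails the !bql_locked() precondition. The same handler is fine when entered from a context that does not hold the lock, which is why such a bug depends on which thread the SPICE event is delivered from.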

Edited by Jacob Akkerboom