sparc64 emulation crashes with opcode lduba [ %g5 + %l6 ] (146), %l6

Running stress-ng's random opcode fuzzer, I was able to break QEMU as follows inside a QEMU sparc64 Debian instance:

git clone https://github.com/ColinIanKing/stress-ng
cd stress-ng
make clean
make
./stress-ng --opcode 1 --opcode-method random

I was able to narrow this down to the execution of the opcode 0xec895256. A C reproducer is as follows:

The following C program causes qemu-system-sparc64 10.0.6 (Debian 1:10.0.6+ds-0+deb13u2) to crash when running Debian sid:

int main(void)
{
	/* lduba [ %g5 + %l6 ] (146), %l6, the word emitted by the fuzzer */
	asm volatile(".byte 0xec, 0x89, 0x52, 0x56;\n");
	return 0;
}

gcc crash.c
./a.out

QEMU crashes!

The object code for main is as follows:

0000000000000768 <main>:
 768:	9d e3 bf 50 	save  %sp, -176, %sp
 76c:	ec 89 52 56 	lduba  [ %g5 + %l6 ] (146), %l6
 770:	82 10 20 00 	clr  %g1
 774:	83 38 60 00 	sra  %g1, 0, %g1
 778:	b0 10 00 01 	mov  %g1, %i0
 77c:	81 cf e0 08 	return  %i7 + 8
 780:	01 00 00 00 	nop
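To see how the fuzzed word maps onto the disassembly above, here is an added decoder for SPARC V9 format 3 load/store instructions; it is example code written for this page, not part of the bug report, stress-ng or QEMU. It splits the 32-bit word into op, rd, op3, rs1, i, asi and rs2, renders the alternate-space loads in objdump's style, and flags whether the ASI is one of the restricted (privileged) ones. The point worth noting is that ASI 146 (0x92) has bit 7 set, so under the V9 rules it is unrestricted: user code can select it without a privileged_action trap, and the emulator has to handle every value in that upper range. The mnemonic table and the `asi_is_restricted` helper are my own names, not QEMU's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a SPARC V9 format 3 load/store instruction (op == 3). */
struct sparc_ldst {
    unsigned op, rd, op3, rs1, i, asi, rs2;
    int simm13;                     /* sign-extended, used when i == 1 */
};

static struct sparc_ldst decode_ldst(uint32_t insn)
{
    struct sparc_ldst d;
    uint32_t raw13 = insn & 0x1fff;

    d.op  = (insn >> 30) & 0x3;     /* 3 for every load/store */
    d.rd  = (insn >> 25) & 0x1f;    /* destination register */
    d.op3 = (insn >> 19) & 0x3f;    /* load/store kind; 0x11 is lduba */
    d.rs1 = (insn >> 14) & 0x1f;    /* base register */
    d.i   = (insn >> 13) & 0x1;     /* 0: rs1 + rs2, 1: rs1 + simm13 */
    d.asi = (insn >> 5)  & 0xff;    /* explicit ASI, meaningful when i == 0 */
    d.rs2 = insn & 0x1f;            /* index register */
    d.simm13 = (raw13 & 0x1000) ? (int)raw13 - 0x2000 : (int)raw13;
    return d;
}

/* Big-endian word, as written by the .byte directive in the reproducer. */
static uint32_t word_from_bytes(const uint8_t b[4])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | b[3];
}

/* Integer registers in window order: %g0-7, %o0-7, %l0-7, %i0-7. */
static const char *const regnames[32] = {
    "%g0", "%g1", "%g2", "%g3", "%g4", "%g5", "%g6", "%g7",
    "%o0", "%o1", "%o2", "%o3", "%o4", "%o5", "%o6", "%o7",
    "%l0", "%l1", "%l2", "%l3", "%l4", "%l5", "%l6", "%l7",
    "%i0", "%i1", "%i2", "%i3", "%i4", "%i5", "%i6", "%i7",
};

/* Mnemonics for the alternate-space loads (op3 0x10..0x1b only). */
static const char *lda_mnemonic(unsigned op3)
{
    switch (op3) {
    case 0x10: return "lduwa"; case 0x11: return "lduba";
    case 0x12: return "lduha"; case 0x13: return "ldda";
    case 0x18: return "ldswa"; case 0x19: return "ldsba";
    case 0x1a: return "ldsha"; case 0x1b: return "ldxa";
    default:   return NULL;   /* not an alternate-space load */
    }
}

/* SPARC V9: ASIs 0x00-0x7f are restricted to privileged code, 0x80-0xff
 * may be used from user mode, so 146 (0x92) is reachable by any process. */
static int asi_is_restricted(unsigned asi)
{
    return (asi & 0x80) == 0;
}

/* Render in objdump's style, e.g. "lduba [ %g5 + %l6 ] (146), %l6".
 * Returns 0 (and an empty buf) if insn is not an alternate-space load. */
static int format_lda(uint32_t insn, char *buf, size_t n)
{
    struct sparc_ldst d = decode_ldst(insn);
    const char *m = d.op == 3 ? lda_mnemonic(d.op3) : NULL;

    if (!m) { if (n) buf[0] = '\0'; return 0; }
    if (d.i)   /* immediate form takes the ASI from the %asi register */
        snprintf(buf, n, "%s [ %s + %d ] %%asi, %s",
                 m, regnames[d.rs1], d.simm13, regnames[d.rd]);
    else
        snprintf(buf, n, "%s [ %s + %s ] (%u), %s",
                 m, regnames[d.rs1], regnames[d.rs2], d.asi, regnames[d.rd]);
    return 1;
}

/* Convenience check: does insn render exactly as expected? */
static int format_matches(uint32_t insn, const char *expected)
{
    char buf[64];
    return format_lda(insn, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The word from the report, rebuilt from its .byte form (constructed input). */
    const uint8_t bytes[4] = { 0xec, 0x89, 0x52, 0x56 };
    uint32_t insn = word_from_bytes(bytes);
    char text[64];

    if (format_lda(insn, text, sizeof text))
        printf("0x%08x  %s  (ASI %s from user mode)\n", insn, text,
               asi_is_restricted(decode_ldst(insn).asi) ? "restricted" : "unrestricted");
    else
        printf("0x%08x  not an alternate-space load\n", insn);
    return 0;
}
```

Compile with `gcc -std=c99 -Wall decode.c` on any host; nothing here depends on running on sparc64. Feeding it other words from the fuzzer quickly separates "interesting" ASIs from ordinary loads before you go looking for a crash.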

The QEMU crash report is as follows:

QEMU 10.0.6 monitor - type 'help' for more information
char device redirected to /dev/pts/3 (label serial0)
(qemu) qemu: fatal: Trap 0x0032 while trap level (5) >= MAXTL (5), Error state
pc: 0000000000405618  npc: 000000000040561c
%g0-3: 0000000000000000 0000000000000200 fffff800043544c0 0000000000000200
%g4-7: fac0046400000000 0000000000000000 fffff80004354000 fac0000000000000
%o0-3: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%o4-7: 0000000000000000 0000000000000000 000007feffc04ea1 0000000000000000
%l0-3: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%l4-7: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%i0-3: 0000000000000001 000007feffc05bb8 000007feffc05bc8 0000000000000000
%i4-7: fffff8010032ea30 fffff80100600f40 000007feffc04f51 fffff8010032f080
%f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%f08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%f16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%f24: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%f32: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%f48: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
%f56: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
pstate: 00000015 ccr: 00 (icc: ---- xcc: ----) asi: 82 tl: 5 pil: 0 gl: 2
tbr: 0000000000420000 hpstate: 0000000000000000 htba: 0000000000000000
cansave: 5 canrestore: 1 otherwin: 0 wstate: 1 cleanwin: 1 cwp: 6
fsr: 0000000000000000 y: 0000000000000000 fprs: 0000000000000005

./debian-sparc64.sh: line 15: 10184 Aborted LC_ALL=C QEMU_AUDIO_DRV=none PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /usr/bin/qemu-system-sparc64 -machine sun4u,accel=tcg,usb=off -m 4096M -kernel /srv/virt/vmlinux-5.16.0-5-sparc64 -append 'root=/dev/sda2' -initrd /srv/virt/initrd.img-5.16.0-5-sparc64 -rtc base=utc -no-reboot -no-shutdown -drive file=/srv/virt/debian10-sparc64.qcow2,if=none,id=drive-ide0-0-1,format=qcow2,cache=none,aio=native -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-1,id=ide0-0-1 -msg timestamp=on -serial pty -nographic