Abort in ohci_frame_boundary
This was originally reported at: https://bugs.launchpad.net/qemu/+bug/1911216
Hello,
Reproducer
cat << EOF | ./qemu-system-i386 -machine q35 -machine accel=qtest, -m \
512M -nodefaults -device pci-ohci -display none -qtest stdio
outl 0xcf8 0x80000801
outl 0xcfc 0x16000000
outl 0xcf8 0x80000813
outl 0xcfc 0x23
clock_step
write 0x23000004 0x1 0x84
clock_step
write 0x0 0x1 0x7e
write 0x1 0x1 0xaa
write 0x3 0x1 0x16
write 0x1600aa8a 0x1 0xa0
write 0xa1 0x1 0x80
write 0xa4 0x1 0x20
clock_step
EOF
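To make the qtest script above easier to triage, here is an added example (not part of the bug report or of QEMU) that replays the reproducer offline and annotates each command: which PCI config bytes the two `outl 0xcfc` writes touch, where BAR0 ends up, and which of the later `write` commands land on OHCI operational registers rather than in guest RAM. It assumes the q35 0xcf8/0xcfc mechanism where the data port writes bytes starting at the (possibly unaligned) offset in the low byte of CONFIG_ADDRESS, that pci-ohci sits at 00:01.0, and that its BAR0 is a 256-byte 32-bit memory BAR; the OHCI register names come from the OpenHCI 1.0a register map.

```python
"""Annotate the qtest reproducer: PCI config decoding, BAR0 placement, and
OHCI register hits. Added example; assumptions are marked in comments."""

CONFIG_ADDR = 0xCF8
CONFIG_DATA = 0xCFC
PCI_COMMAND = 0x04
PCI_BAR0 = 0x10
PCI_COMMAND_MEMORY = 0x2
BAR0_SIZE = 256  # assumption: OHCI MMIO window is 256 bytes

# OHCI operational registers by offset (OpenHCI 1.0a).
OHCI_REGS = {0x00: "HcRevision", 0x04: "HcControl", 0x08: "HcCommandStatus",
             0x0C: "HcInterruptStatus", 0x10: "HcInterruptEnable",
             0x14: "HcInterruptDisable", 0x18: "HcHCCA", 0x1C: "HcPeriodCurrentED",
             0x20: "HcControlHeadED", 0x24: "HcControlCurrentED",
             0x28: "HcBulkHeadED", 0x2C: "HcBulkCurrentED", 0x30: "HcDoneHead",
             0x34: "HcFmInterval", 0x38: "HcFmRemaining", 0x3C: "HcFmNumber",
             0x40: "HcPeriodicStart", 0x44: "HcLSThreshold",
             0x48: "HcRhDescriptorA", 0x4C: "HcRhDescriptorB", 0x50: "HcRhStatus"}
HCFS_NAMES = {0: "UsbReset", 1: "UsbResume", 2: "UsbOperational", 3: "UsbSuspend"}

# The reproducer from the report, embedded so this runs without QEMU.
REPRO = """\
outl 0xcf8 0x80000801
outl 0xcfc 0x16000000
outl 0xcf8 0x80000813
outl 0xcfc 0x23
clock_step
write 0x23000004 0x1 0x84
clock_step
write 0x0 0x1 0x7e
write 0x1 0x1 0xaa
write 0x3 0x1 0x16
write 0x1600aa8a 0x1 0xa0
write 0xa1 0x1 0x80
write 0xa4 0x1 0x20
clock_step
"""


def decode_config_addr(v):
    """Split CONFIG_ADDRESS into (enable, bus, device, function, offset)."""
    return ((v >> 31) & 1, (v >> 16) & 0xFF, (v >> 11) & 0x1F, (v >> 8) & 7, v & 0xFF)


class PciState:
    """Minimal model of the config space of the single pci-ohci device (00:01.0)."""

    def __init__(self):
        self.config_reg = 0
        self.config = bytearray(256)
        self.log = []

    def config_data_write(self, value, length):
        en, bus, dev, fn, off = decode_config_addr(self.config_reg)
        if not en:
            return
        # Byte-wise write at the unaligned offset named by CONFIG_ADDRESS.
        # (A real device applies a write mask; here only the bytes that end
        # up in PCI_COMMAND and BAR0 matter for the analysis.)
        for i in range(length):
            self.config[off + i] = (value >> (8 * i)) & 0xFF
        self.log.append(f"cfg {bus:02x}:{dev:02x}.{fn} bytes {off:#04x}-{off + length - 1:#04x}")

    @property
    def bar0(self):
        # Low bits of a 256-byte memory BAR are size/type bits; mask them off.
        return int.from_bytes(self.config[PCI_BAR0:PCI_BAR0 + 4], "little") & ~(BAR0_SIZE - 1)

    @property
    def memory_enabled(self):
        return bool(self.config[PCI_COMMAND] & PCI_COMMAND_MEMORY)


def annotate(script):
    """Replay the qtest lines; return (final PciState, one annotation per line)."""
    pci, notes = PciState(), []
    for line in script.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "outl":
            port, val = int(parts[1], 16), int(parts[2], 16)
            if port == CONFIG_ADDR:
                pci.config_reg = val
                en, bus, dev, fn, off = decode_config_addr(val)
                notes.append(f"{line}: select {bus:02x}:{dev:02x}.{fn} offset {off:#04x}")
            elif port == CONFIG_DATA:
                pci.config_data_write(val, 4)
                notes.append(f"{line}: {pci.log[-1]}; BAR0={pci.bar0:#x} "
                             f"mem_enable={pci.memory_enabled}")
        elif parts[0] == "write":  # qtest: write <addr> <size> <value>
            addr, length, val = (int(x, 16) for x in parts[1:4])
            base = pci.bar0
            if pci.memory_enabled and base <= addr < base + BAR0_SIZE:
                reg = addr - base
                name = OHCI_REGS.get(reg & ~3, f"reg {reg:#x}")
                extra = ""
                if (reg & ~3) == 0x04 and (reg & 3) == 0:  # HcControl low byte: HCFS bits 7:6
                    extra = f" HCFS={HCFS_NAMES[(val >> 6) & 3]}"
                notes.append(f"{line}: OHCI MMIO {name}+{reg & 3}{extra}")
            else:
                notes.append(f"{line}: guest RAM at {addr:#x}")
        elif parts[0] == "clock_step":
            notes.append(f"{line}: advance the VM clock so pending timers (ohci_frame_boundary) fire")
    return pci, notes


if __name__ == "__main__":
    for note in annotate(REPRO)[1]:
        print(note)
```

The annotated output shows the shape of the reproducer: the first config write lands a byte in PCI_COMMAND that enables memory decoding, the second places BAR0 at 0x23000000, the single MMIO write flips HcControl's HCFS field to UsbOperational, and every remaining write is plain guest memory that the controller will walk once the final `clock_step` runs the frame timer.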
Stack-Trace
Aborted
#1 0x00007ffff620f537 in __GI_abort at abort.c:79
#2 0x000055555685612e in ohci_frame_boundary at ../hw/usb/hcd-ohci.c:1297
#3 0x0000555557998cf6 in timerlist_run_timers at ../util/qemu-timer.c:573
#4 0x000055555799915b in qemu_clock_run_timers at ../util/qemu-timer.c:587
#5 0x000055555739eccd in qtest_clock_warp at ../softmmu/qtest.c:372
#6 0x000055555739c368 in qtest_process_command at ../softmmu/qtest.c:768
#7 0x000055555739a83a in qtest_process_inbuf at ../softmmu/qtest.c:813
#8 0x000055555768d9f9 in fd_chr_read at ../chardev/char-fd.c:73
#9 0x00007ffff7884d6f in g_main_context_dispatch at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00005555579b1cf5 in glib_pollfds_poll at ../util/main-loop.c:232
#11 os_host_main_loop_wait at ../util/main-loop.c:255
#12 main_loop_wait at ../util/main-loop.c:531
#13 0x0000555557279fb7 in qemu_main_loop at ../softmmu/runstate.c:726
#14 0x00005555567997cb in main at ../softmmu/main.c:50
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29176
libqtest Reproducer: 1911216.c
Thank you