I found the exact same bug. Tested on several hosts and qemu releases. The newest one I tested was on FreeBSD 12.1 host and qemu-4.1.1_1 built from ports.
Instructions:

  4000d0: 0320f809  jalr t9
  4000d4: 45454545  0x45454545   # bc1any4t $fcc1,0x800101f8

I was running qemu-mips as:

  qemu-system-mipsel -s -m 1024 -M malta \
    -kernel vmlinux-3.16.0-6-4kc-malta -initrd initrd.img-3.16.0-6-4kc-malta \
    -device virtio-blk-pci,drive=hd0 -drive if=none,id=hd0,format=qcow2,file=debian_wheezy_mipsel_standard.qcow2 \
    -append "root=/dev/vda1" \
    -device virtio-net-pci,netdev=net0 \
    -netdev user,id=net0,hostfwd=tcp::1666-:22,ipv6=off \
    -curses

abort() was in target/mips/translate.c:12945, in gen_branch().

It doesn't really matter whether the instruction is supported on the given CPU; a user can crash qemu from within the guest.

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1663287

Title:
  Illegal delay slot code causes abort on mips64

Status in QEMU:
  New

Bug description:
  During some randomised testing of an experimental MIPS implementation I found an instruction sequence that also causes aborts on mainline qemu's MIPS support. The problem is triggered by an MSA branch instruction appearing in a delay slot when emulating a processor without MSA support.

  For example, with the current repository HEAD (f073cd3a2bf1054135271b837c58a7da650dd84b) configured for mips64-softmmu, if I run the attached binary using

    mips64-softmmu/qemu-system-mips64 -bios ../abort2.bin -machine mipssim -nographic

  it will report

    unknown branch 0x13000
    Aborted (core dumped)

  The binary contains the following two instructions:

    00200008  jr at
    47081e61  bz.b w8,0xffffffffbfc0798c

  The jr sets up a jump, and hflags is set accordingly in gen_compute_branch (in target/mips/translate.c). When processing the bz.b, check_insn generates an exception because the instruction isn't supported, but gen_msa_branch skips the usual delay slot check for the same reason, and sets more bits in hflags, leading to an abort in gen_branch because the hflags are now invalid.

  I suspect the best fix is to remove the instruction-set condition from the delay slot check in gen_msa_branch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1663287/+subscriptions
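As an added example, not part of the bug report and not QEMU's code, the following C program decodes the MIPS32 opcode fields of a word stream and flags the condition both messages describe: a control-transfer instruction sitting in the delay slot of another one. The field layouts (op = bits 31:26, rs = bits 25:21, funct = bits 5:0) and the COP1 rs values for the FPU condition branches (0x08-0x0a) and the MSA branches (BZ.V 0x0b, BNZ.V 0x0f, BZ.df/BNZ.df 0x18-0x1f) follow the MIPS32 and MSA instruction encodings. The input is constructed from the two instruction pairs quoted above; the eight-byte big-endian buffer stands in for the head of abort2.bin, and the base address 0xffffffffbfc00000 (the MIPS reset vector) is assumed from the bz.b target quoted in the report. The helper names are this example's own.

```c
/*
 * delay_slot_scan.c: flag a MIPS control-transfer instruction whose delay
 * slot holds another control-transfer instruction. Illustrative code, not
 * QEMU's; opcode fields per the MIPS32 and MSA encodings.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum insn_kind {
    KIND_OTHER = 0,
    KIND_JUMP_REG,    /* JR, JALR (SPECIAL, funct 0x08/0x09) */
    KIND_JUMP_IMM,    /* J, JAL */
    KIND_BRANCH,      /* BEQ/BNE/BLEZ/BGTZ, their -L forms, REGIMM branches */
    KIND_FPU_BRANCH,  /* BC1F/BC1T, BC1ANY2*, BC1ANY4* (COP1, rs 0x08-0x0a) */
    KIND_MSA_BRANCH   /* BZ.V/BNZ.V (rs 0x0b/0x0f), BZ.df/BNZ.df (rs 0x18-0x1f) */
};

static enum insn_kind classify(uint32_t insn)
{
    uint32_t op    = insn >> 26;
    uint32_t rs    = (insn >> 21) & 0x1f;
    uint32_t rt    = (insn >> 16) & 0x1f;
    uint32_t funct = insn & 0x3f;

    switch (op) {
    case 0x00:                                   /* SPECIAL */
        return (funct == 0x08 || funct == 0x09) ? KIND_JUMP_REG : KIND_OTHER;
    case 0x01:                                   /* REGIMM: BLTZ..BGEZL, BLTZAL..BGEZALL */
        return ((rt & 0x1c) == 0x00 || (rt & 0x1c) == 0x10) ? KIND_BRANCH : KIND_OTHER;
    case 0x02: case 0x03:                        /* J, JAL */
        return KIND_JUMP_IMM;
    case 0x04: case 0x05: case 0x06: case 0x07:  /* BEQ, BNE, BLEZ, BGTZ */
    case 0x14: case 0x15: case 0x16: case 0x17:  /* BEQL, BNEL, BLEZL, BGTZL */
        return KIND_BRANCH;
    case 0x11:                                   /* COP1 */
        if (rs >= 0x08 && rs <= 0x0a)
            return KIND_FPU_BRANCH;
        if (rs == 0x0b || rs == 0x0f || rs >= 0x18)
            return KIND_MSA_BRANCH;
        return KIND_OTHER;
    default:
        return KIND_OTHER;
    }
}

static const char *kind_name(enum insn_kind k)
{
    static const char *const names[] = { "other", "jump (register)", "jump (immediate)",
                                         "branch", "FPU condition branch", "MSA branch" };
    return names[k];
}

/* PC-relative target: pc + 4 + (sign-extended 16-bit offset << 2). */
static uint64_t branch_target(uint64_t pc, uint32_t insn)
{
    int64_t off = (int16_t)(insn & 0xffff);
    return pc + 4 + ((uint64_t)off << 2);
}

/* mips64 images are big-endian: assemble one instruction word from four bytes. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Index of the first control-transfer word found in the delay slot of another, or -1. */
static int find_branch_in_delay_slot(const uint32_t *words, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (classify(words[i - 1]) != KIND_OTHER && classify(words[i]) != KIND_OTHER)
            return (int)i;
    return -1;
}

static void report(const char *label, const uint32_t *words, size_t n, uint64_t base)
{
    int hit = find_branch_in_delay_slot(words, n);
    if (hit < 0) {
        printf("%s: no control-transfer instruction in a delay slot\n", label);
        return;
    }
    uint64_t pc = base + 4 * (uint64_t)hit;
    printf("%s: %016llx %08x is a %s in the delay slot of a %s\n", label,
           (unsigned long long)pc, words[hit],
           kind_name(classify(words[hit])), kind_name(classify(words[hit - 1])));
    if (classify(words[hit]) == KIND_MSA_BRANCH)
        printf("  MSA branch target: %016llx\n", (unsigned long long)branch_target(pc, words[hit]));
}

int main(void)
{
    /* Constructed: the two words of the original report, big-endian as in a mips64 image. */
    static const uint8_t abort2_head[] = { 0x00, 0x20, 0x00, 0x08, 0x47, 0x08, 0x1e, 0x61 };
    /* Constructed: the pair from the mipsel reply, already decoded to words. */
    static const uint32_t mipsel_pair[] = { 0x0320f809u, 0x45454545u };
    uint32_t words[2];

    for (size_t i = 0; i < 2; i++)
        words[i] = load_be32(abort2_head + 4 * i);

    report("abort2.bin", words, 2, 0xffffffffbfc00000ull);   /* assumed: reset vector */
    report("mipsel guest", mipsel_pair, 2, 0x4000d0ull);
    return 0;
}
```

Running it on the report's two words prints the bz.b as an MSA branch in the delay slot of a register jump, with target 0xffffffffbfc0798c, matching the disassembly quoted above; on the mipsel pair it classifies 0x45454545 as a COP1 condition branch following a jalr. Such a pre-scan only tells you that a binary contains the pattern; whether the emulator aborts still depends on the CPU model having or lacking the extension, as the report explains.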