Not sure this is a bug in QEMU usermode, but I've tracked a crash that happens when running ARM guest code linked against bionic (from Android). More specifically when a detached thread exits.
In bionic, threads are created with the flag CLONE_CHILD_CLEARTID [1]. When a detached thread exits normally, bionic calls set_tid_address with nullptr to reset the address, before unmapping the thread memory [2] and exiting. The problem seems to be that the handling of TARGET_NR_set_tid_address does not reset TaskState->child_tidptr, and this leads to a SIGSEGV during handling of TARGET_NR_exit [3].

[1] https://github.com/aosp-mirror/platform_bionic/blob/android-10.0.0_r33/libc/bionic/pthread_create.cpp#L390
[2] https://github.com/aosp-mirror/platform_bionic/blob/android-10.0.0_r33/libc/bionic/pthread_exit.cpp#L123
[3] https://github.com/qemu/qemu/blob/master/linux-user/syscall.c#L7650
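The failure sequence described above, as an added self-contained model (not QEMU's or bionic's code): a thread is created with CLONE_CHILD_CLEARTID, disarms the clear with set_tid_address(NULL), unmaps its own memory, then exits. The emulated exit path stores 0 through the recorded address, so a set_tid_address handler that forwards the syscall but leaves the QEMU-side copy of the pointer untouched ends up writing into memory the guest already unmapped. The names TaskState and child_tidptr are taken from the report; the handler and helper functions, and the "mapped" flag standing in for a real SIGSEGV, are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal model (added example, not QEMU code) of the per-thread state that
 * the emulator must keep: the address the emulated kernel zeroes when the
 * thread exits, armed by CLONE_CHILD_CLEARTID or a later set_tid_address(). */
typedef struct {
    int *child_tidptr;
} TaskState;

/* Model of the guest thread's own memory: a tid slot plus a "mapped" flag so
 * the example can report a store to unmapped memory instead of crashing. */
typedef struct {
    int tid;
    bool mapped;
} GuestThreadMem;

/* What the kernel itself does for set_tid_address(): replace the stored
 * pointer; NULL is permitted and disarms the clear-on-exit. */
static void set_tid_address_fixed(TaskState *ts, int *tidptr)
{
    ts->child_tidptr = tidptr;
}

/* The behaviour the report describes: the syscall is forwarded, but the
 * emulator's own copy of the pointer is never updated. */
static void set_tid_address_buggy(TaskState *ts, int *tidptr)
{
    (void)ts;
    (void)tidptr;
}

/* Model of the exit path: if child_tidptr is still armed, store 0 through it.
 * Returns true when that store would hit unmapped guest memory. */
static bool do_exit(TaskState *ts, GuestThreadMem *mem)
{
    if (ts->child_tidptr == NULL) {
        return false;                 /* nothing armed, nothing to clear */
    }
    if (!mem->mapped) {
        return true;                  /* stale pointer into unmapped memory */
    }
    *ts->child_tidptr = 0;
    return false;
}

/* Replays the detached-thread exit sequence against one handler:
 * create with CLONE_CHILD_CLEARTID, set_tid_address(NULL), munmap, exit. */
static bool run_sequence(void (*set_tid_address)(TaskState *, int *))
{
    GuestThreadMem mem = { .tid = 1234, .mapped = true };   /* constructed */
    TaskState ts = { .child_tidptr = &mem.tid };            /* CLONE_CHILD_CLEARTID */

    set_tid_address(&ts, NULL);   /* guest disarms the clear before unmapping */
    mem.mapped = false;           /* guest unmaps its thread stack/TLS */
    return do_exit(&ts, &mem);    /* true means the exit-time store faults */
}

bool buggy_handler_faults(void) { return run_sequence(set_tid_address_buggy); }
bool fixed_handler_faults(void) { return run_sequence(set_tid_address_fixed); }

int main(void)
{
    printf("buggy set_tid_address handler faults on exit: %s\n",
           buggy_handler_faults() ? "yes" : "no");
    printf("fixed set_tid_address handler faults on exit: %s\n",
           fixed_handler_faults() ? "yes" : "no");
    return 0;
}
```

The point the model isolates is that the emulator, not the host kernel, performs the clear-on-exit store for the guest, so its copy of the pointer has to track every set_tid_address call exactly as the kernel would; keeping the stale address is the only difference between the two handlers above.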