diff --git a/exec.c b/exec.c
index 6b92198..0c48222 100644
--- a/exec.c
+++ b/exec.c
@@ -1356,6 +1356,7 @@ static inline void tb_reset_jump_recursive2(TranslationBlock *tb, int n)
             tb1 = (TranslationBlock *)((long)tb1 & ~3);
             if (n1 == 2)
                 break;
+            assert(tb1);
             tb1 = tb1->jmp_next[n1];
         }
         /* we are now sure now that tb jumps to tb1 */
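Review bot: The added `assert(tb1)` only reports the torn chain in builds where NDEBUG is not defined; with NDEBUG the dereference `tb1->jmp_next[n1]` on the next line still runs on a NULL pointer, so this is a diagnostic, not a guard. A short comment would keep the next reader from mistaking it for the fix, e.g. `/* diagnostic: tb1 == NULL here means the jmp chain changed underneath us (concurrent reset/add) */`. The condition itself is sound, since masking a null `tb1` with `~3` still yields zero. The enclosing loop and tb_reset_jump_recursive2 both start outside the hunk.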


So how do I know it's a race in the chaining code? Well, it only happens with threaded code, and it only happens when chaining is actually performed. The following patch makes the test case work:

diff --git a/exec-all.h b/exec-all.h
index c211242..c8124e9 100644
--- a/exec-all.h
+++ b/exec-all.h
@@ -259,6 +259,7 @@ static inline void tb_set_jmp_target(TranslationBlock *tb,
 static inline void tb_add_jump(TranslationBlock *tb, int n,
                                TranslationBlock *tb_next)
 {
+    if(1) return;
     /* NOTE: this test is only needed for thread safety */
     if (!tb->jmp_next[n]) {
         /* patch the native jump address */
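Review bot: `if(1) return;` at the top of tb_add_jump disables chaining for every caller, so it hides the race rather than narrowing it, and it turns the whole function body into dead code that compilers flag as unreachable. If this is meant to be applied even briefly, `#if 0` around the body or a comment such as `/* DEBUG: chaining disabled while diagnosing the jmp_next race */` states the intent, and `if (1)` would match the file's existing `if (` spacing. The existing `if (!tb->jmp_next[n])` test on the following lines is an unsynchronized check-then-act, which is presumably the window in which another thread resets the chain; that, not the early return, is where a fix belongs, though whatever lock the chain expects is not visible in this hunk. tb_add_jump's body continues outside the hunk.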
