Qemu doesn't exit with the proper code when dieing from an uncaught signal. Exit codes for uncaught signals are -<signum>. Unfortunately the kernel filters values from exit() and _exit().
A solution is to actually die from an uncaught signal. This patch detects an uncaught signal, installs the default handler, and then sends itself the signal and waits for it. It depends on the previous 48_signal_xlate.patch that I sent.
Index: qemu/linux-user/signal.c =================================================================== --- qemu.orig/linux-user/signal.c 2007-12-12 11:17:26.000000000 -0700 +++ qemu/linux-user/signal.c 2007-12-12 11:26:42.000000000 -0700 @@ -330,20 +330,31 @@ { int host_sig; host_sig = target_to_host_signal(target_sig); + struct sigaction act; fprintf(stderr, "qemu: uncaught target signal %d (%s) - exiting\n", target_sig, strsignal(host_sig)); -#if 1 - _exit(-host_sig); -#else - { - struct sigaction act; - sigemptyset(&act.sa_mask); - act.sa_flags = SA_SIGINFO; - act.sa_sigaction = SIG_DFL; - sigaction(SIGABRT, &act, NULL); - abort(); - } -#endif + + /* The proper exit code for dieing from an uncaught signal is + * -<signal>. The kernel doesn't allow exit() or _exit() to pass + * a negative value. To get the proper exit code we need to + * actually die from an uncaught signal. Here the default signal + * handler is installed, we send ourself a signal and we wait for + * it to arrive. */ + sigfillset(&act.sa_mask); + act.sa_handler = SIG_DFL; + sigaction(host_sig, &act, NULL); + + /* For some reason raise(host_sig) doesn't send the signal when + * statically linked on x86-64. */ + kill(getpid(), host_sig); + + /* Make sure the signal isn't masked (just reuse the mask inside + of act) */ + sigdelset(&act.sa_mask, host_sig); + sigsuspend(&act.sa_mask); + + /* unreachable */ + assert(0); } /* queue a target signal so that it will be sent to the virtual CPU as