I have tried to repeat this bug on the latest snapshot of kvm, and kvm falls in the same places. I talked with Jan Kiszka.

bt command output from three experiments under the same conditions:

-------------------------------------------------
(gdb) bt
#0  0xb7412500 in main_arena () from /lib/tls/i686/cmov/libc.so.6
#1  0x080b1a36 in scsi_write_complete (opaque=0x9f4bef0, ret=0) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/hw/scsi-disk.c:231
#2  0x08095281 in qcow_aio_write_cb (opaque=0x9fef530, ret=0) at block/qcow2.c:640
#3  0x080849bf in posix_aio_process_queue (opaque=0x9ddb798) at posix-aio-compat.c:460
#4  0x08084a77 in posix_aio_read (opaque=0x9ddb798) at posix-aio-compat.c:501
#5  0x0805e3d8 in main_loop_wait (nonblocking=0) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:1300
#6  0x0806ea84 in kvm_main_loop () at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/qemu-kvm.c:1710
#7  0x08060a73 in main_loop (argc=14, argv=0xbf959ef4, envp=0xbf959f30) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:1340
#8  main (argc=14, argv=0xbf959ef4, envp=0xbf959f30) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:3069
-------------------------------------------------
(gdb) bt
#0  0xb7778430 in __kernel_vsyscall ()
#1  0xb7309651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb730ca82 in *__GI_abort () at abort.c:92
#3  0xb734049d in __libc_message (do_abort=2, fmt=0xb7414f98 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4  0xb734a591 in malloc_printerr (action=, str=0x6, ptr=0x9aca398) at malloc.c:6264
#5  0xb734bde8 in _int_free (av=, p=) at malloc.c:4792
#6  0xb734eecd in *__GI___libc_free (mem=0x9aca398) at malloc.c:3738
#7  0x080b186c in scsi_remove_request (r=0x9aca398) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/hw/scsi-disk.c:86
#8  0x08095281 in qcow_aio_write_cb (opaque=0x9abee58, ret=0) at block/qcow2.c:640
#9  0x080849bf in posix_aio_process_queue (opaque=0x994e798) at posix-aio-compat.c:460
#10 0x08084a77 in posix_aio_read (opaque=0x994e798) at posix-aio-compat.c:501
#11 0x0805e3d8 in main_loop_wait (nonblocking=0) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:1300
#12 0x0806ea84 in kvm_main_loop () at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/qemu-kvm.c:1710
#13 0x08060a73 in main_loop (argc=14, argv=0xbffb66e4, envp=0xbffb6720) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:1340
#14 main (argc=14, argv=0xbffb66e4, envp=0xbffb6720) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:3069
--------------------------------------------------------
#0  0x08d134f0 in ?? ()
#1  0x080b1936 in scsi_command_complete (r=0x8d083f0, status=, sense=) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/hw/scsi-disk.c:106
#2  0x08095281 in qcow_aio_write_cb (opaque=0x8dab488, ret=0) at block/qcow2.c:640
#3  0x080849bf in posix_aio_process_queue (opaque=0x8b97798) at posix-aio-compat.c:460
#4  0x08084a77 in posix_aio_read (opaque=0x8b97798) at posix-aio-compat.c:501
#5  0x0805e3d8 in main_loop_wait (nonblocking=0) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:1300
#6  0x0806ea84 in kvm_main_loop () at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/qemu-kvm.c:1710
#7  0x08060a73 in main_loop (argc=14, argv=0xbffa54e4, envp=0xbffa5520) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:1340
#8  main (argc=14, argv=0xbffa54e4, envp=0xbffa5520) at /home/mmarkk/src/KVM/Latest/qemu-kvm-d4adede/vl.c:3069
-------------------------------------------------