QMP (32 bit only) segfaults in query-tpm-types when compiled with --enable-tpm

NB: This bug ONLY happens on i686. When qemu is compiled for x86-64, the bug does NOT happen.

$ ./configure --enable-tpm
$ make
$ (sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm-types"}\n') | ./i386-softmmu/qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 50, "minor": 6, "major": 1}, "package": ""}, "capabilities": []}}
{"return": {}}
Segmentation fault (core dumped)

The stack trace is:

#0 output_type_enum (v=0xb9938228, obj=0x5,
    strings=0xb77f0320 <TpmType_lookup>, kind=0xb767f1d4 "TpmType", name=0x0,
    errp=0xbfec4628) at qapi/qapi-visit-core.c:306
#1 0xb762b3b5 in visit_type_enum (v=v@entry=0xb9938228, obj=0x5,
    strings=0xb77f0320 <TpmType_lookup>, kind=kind@entry=0xb767f1d4 "TpmType",
    name=name@entry=0x0, errp=errp@entry=0xbfec4628)
    at qapi/qapi-visit-core.c:114
#2 0xb74a9ef4 in visit_type_TpmType (errp=0xbfec4628, name=0x0,
    obj=<optimized out>, m=0xb9938228) at qapi-visit.c:5220
#3 visit_type_TpmTypeList (m=0xb9938228, obj=obj@entry=0xbfec4678,
    name=name@entry=0xb76545a6 "unused", errp=errp@entry=0xbfec4674)
    at qapi-visit.c:5206
#4 0xb74c403e in qmp_marshal_output_query_tpm_types (errp=0xbfec4674,
    ret_out=0xbfec46d8, ret_in=0xb993f490) at qmp-marshal.c:3795
#5 qmp_marshal_input_query_tpm_types (mon=0xb9937098, qdict=0xb99379a0,
    ret=0xbfec46d8) at qmp-marshal.c:3817
#6 0xb7581d7a in qmp_call_cmd (cmd=<optimized out>, params=0xb99379a0,
    mon=0xb9937098) at /home/rjones/d/qemu/monitor.c:4644
#7 handle_qmp_command (parser=0xb99370ec, tokens=0xb9941438)
    at /home/rjones/d/qemu/monitor.c:4710
#8 0xb7631d8f in json_message_process_token (lexer=0xb99370f0,
    token=0xb993f3a8, type=JSON_OPERATOR, x=29, y=1)
    at qobject/json-streamer.c:87
#9 0xb764579b in json_lexer_feed_char (lexer=lexer@entry=0xb99370f0,
    ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
#10 0xb76458c8 in json_lexer_feed (lexer=lexer@entry=0xb99370f0,
    buffer=buffer@entry=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=size@entry=1)
    at qobject/json-lexer.c:356
#11 0xb7631fab in json_message_parser_feed (parser=0xb99370ec,
    buffer=buffer@entry=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=size@entry=1)
    at qobject/json-streamer.c:110
#12 0xb75803eb in monitor_control_read (opaque=0xb9937098,
    buf=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=1) at /home/rjones/d/qemu/monitor.c:4731
#13 0xb74b191e in qemu_chr_be_write (len=<optimized out>,
    buf=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", s=0xb9935800) at qemu-char.c:165
#14 fd_chr_read (chan=0xb9935870, cond=(G_IO_IN | G_IO_HUP), opaque=0xb9935800)
    at qemu-char.c:841
#15 0xb71f6876 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb71b0286 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb747a13e in glib_pollfds_poll () at main-loop.c:189
#18 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:234
#19 main_loop_wait (nonblocking=1) at main-loop.c:484
#20 0xb7309f11 in main_loop () at vl.c:2090
#21 main (argc=8, argv=0xbfec5c14, envp=0xbfec5c38) at vl.c:4435