Comment 12 for bug 947888

> we've confused it somehow

...it opens and parses /proc/self/maps the first time you use a %n in a format string. We used to not implement emulation of /maps in QEMU, which causes libc to disable its "is this read-only?" check, which is one reason this used not to be a problem. We now do have an emulated /maps but it's presumably not entirely correct.