Index: /trunk/src/VBox/VMM/TM.cpp
===================================================================
--- /trunk/src/VBox/VMM/TM.cpp	(revision 20120)
+++ /trunk/src/VBox/VMM/TM.cpp	(revision 20121)
@@ -2228,4 +2228,11 @@
 
 
+/** @name Saved state values
+ * @{ */
+#define TMTIMERSTATE_SAVED_PENDING_STOP         4
+#define TMTIMERSTATE_SAVED_PENDING_SCHEDULE     7
+/** @}  */
+
+
 /**
  * Saves the state of a timer to a saved state.
@@ -2243,5 +2250,5 @@
         case TMTIMERSTATE_PENDING_STOP:
         case TMTIMERSTATE_PENDING_STOP_SCHEDULE:
-            return SSMR3PutU8(pSSM, (uint8_t)TMTIMERSTATE_PENDING_STOP);
+            return SSMR3PutU8(pSSM, TMTIMERSTATE_SAVED_PENDING_STOP);
 
         case TMTIMERSTATE_PENDING_SCHEDULE_SET_EXPIRE:
@@ -2254,5 +2261,5 @@
         case TMTIMERSTATE_PENDING_SCHEDULE:
         case TMTIMERSTATE_PENDING_RESCHEDULE:
-            SSMR3PutU8(pSSM, (uint8_t)TMTIMERSTATE_PENDING_SCHEDULE);
+            SSMR3PutU8(pSSM, TMTIMERSTATE_SAVED_PENDING_SCHEDULE);
             return SSMR3PutU64(pSSM, pTimer->u64Expire);
 
@@ -2289,14 +2296,22 @@
     if (RT_FAILURE(rc))
         return rc;
-    TMTIMERSTATE enmState = (TMTIMERSTATE)u8State;
-    if (    enmState != TMTIMERSTATE_PENDING_STOP
-        &&  enmState != TMTIMERSTATE_PENDING_SCHEDULE
-        &&  enmState != TMTIMERSTATE_PENDING_STOP_SCHEDULE)
-    {
-        AssertMsgFailed(("enmState=%d %s\n", enmState, tmTimerState(enmState)));
+#if 1 /* Workaround for accidental state shift in r47786 (2009-05-26 19:12:12). */  /** @todo remove this in a few weeks! */
+    if (    u8State == TMTIMERSTATE_SAVED_PENDING_STOP + 1
+        ||  u8State == TMTIMERSTATE_SAVED_PENDING_SCHEDULE + 1)
+        u8State--;
+#endif
+    if (    u8State != TMTIMERSTATE_SAVED_PENDING_STOP
+        &&  u8State != TMTIMERSTATE_SAVED_PENDING_SCHEDULE)
+    {
+        AssertLogRelMsgFailed(("u8State=%d\n", u8State));
         return SSMR3HandleSetStatus(pSSM, VERR_TM_LOAD_STATE);
     }
 
-    if (enmState == TMTIMERSTATE_PENDING_SCHEDULE)
+    /* Enter the critical section to make TMTimerSet/Stop happy. */
+    PPDMCRITSECT pCritSect = pTimer->pCritSect;
+    if (pCritSect)
+        PDMCritSectEnter(pCritSect, VERR_INTERNAL_ERROR);
+
+    if (u8State == TMTIMERSTATE_SAVED_PENDING_SCHEDULE)
     {
         /*
@@ -2311,5 +2326,5 @@
          * Set it.
          */
-        Log(("enmState=%d %s u64Expire=%llu\n", enmState, tmTimerState(enmState), u64Expire));
+        Log(("u8State=%d u64Expire=%llu\n", u8State, u64Expire));
         rc = TMTimerSet(pTimer, u64Expire);
     }
@@ -2319,7 +2334,10 @@
          * Stop it.
          */
-        Log(("enmState=%d %s\n", enmState, tmTimerState(enmState)));
+        Log(("u8State=%d\n", u8State));
         rc = TMTimerStop(pTimer);
     }
+
+    if (pCritSect)
+        PDMCritSectLeave(pCritSect);
 
     /*