There seems to be an issue when trying to keep a pointer in bottom 32-bits
of a 64-bit floating point register. Load and store instructions accessing
this address for some reason use the whole 64-bit content of floating point
register rather than truncated 32-bit value. The following load uses
incorrect address which leads to a crash if upper 32 bits of $f0 isn't 0:
0x00400c60: mfc1 t8,$f0
0x00400c64: lw t9,0(t8)
It can be reproduced with the following linux userland program when running
on a MIPS32 with CP0.Status.FR=1 (by default mips32r5-generic and
mips32r6-generic CPUs have this bit set in linux-user).
int main(int argc, char *argv[])
{
int tmp = 0x11111111;
/* Set f0 */
__asm__ ("mtc1 %0, $f0\n"
"mthc1 %1, $f0\n"
: : "r" (&tmp), "r" (tmp));
/* At this point $f0: w:76fff040 d:1111111176fff040 */
__asm__ ("mfc1 $t8, $f0\n"
"lw $t9, 0($t8)\n"); /* <--- crash! */
return 0;
}