The PowerPC specification says (section 8.1 of PEM):
"Some instruction fields are reserved or must contain a predefined
value as shown in the individual instruction layouts. If a reserved
field does not have all bits cleared, or if a field that must contain a
particular value does not contain that value, the instruction form is
invalid ..."
In section 4.1.3.2:
"Invalid forms result when a bit or operand is coded incorrectly, for
example, or when a reserved bit (shown as '0') is coded as '1'."
and
"an attempt to execute an invalid form of an instruction either invokes
the illegal instruction error handler (or program exception) or yields
boundedly-undefined results."
In the case of mtcrf, the PowerPC specification says the bits 11, 21
and 31 (IBM notation) _must_ be zero.
This is what is described in the 32-bit PEM as well as the 64-bit PEM
(including the latest revision dated 31/03/2005) and the 740/750
PowerPC user manual (which is the one currently emulated by Qemu).
It would be acceptable to relax the check if it would make MacOS X 10.4
boot.
But in this case, only bit 11 (which causes the problem here) should
be relaxed.
Then, the bit mask becomes 0x00000801 (not 0x00000000).
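
An added example, not part of the original message and not Qemu's own code: a reserved-bit check for mtcrf that can be run strict or with only IBM bit 11 relaxed, so a decoder still rejects the other invalid forms. The function and macro names are hypothetical and the instruction words are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* IBM notation numbers bits from the most significant end: bit 0 is the MSB. */
#define IBM_BIT(n) (UINT32_C(1) << (31 - (n)))

/* Relaxed mask as given in the message above; strict puts IBM bit 11 back. */
#define MTCRF_INVAL_RELAXED UINT32_C(0x00000801)
#define MTCRF_INVAL_STRICT  (MTCRF_INVAL_RELAXED | IBM_BIT(11))

/* mtcrf is primary opcode 31 with extended opcode 144 (10-bit field above the low bit). */
static int is_mtcrf(uint32_t insn)
{
    return (insn >> 26) == 31 && ((insn >> 1) & 0x3FF) == 144;
}

/* Returns the must-be-zero bits that are set; 0 means the form is valid.
 * relax_bit11 != 0 tolerates IBM bit 11 only, never the whole mask. */
static uint32_t mtcrf_invalid_bits(uint32_t insn, int relax_bit11)
{
    uint32_t mask = relax_bit11 ? MTCRF_INVAL_RELAXED : MTCRF_INVAL_STRICT;
    return insn & mask;
}

int main(void)
{
    /* Constructed sample words, not taken from any real binary. */
    static const uint32_t samples[] = {
        UINT32_C(0x7C0FF120), /* mtcrf 0xFF,r0 with every reserved bit clear */
        UINT32_C(0x7C1FF120), /* same word with IBM bit 11 set */
        UINT32_C(0x7C0FF121), /* same word with IBM bit 31 set */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t w = samples[i];
        if (!is_mtcrf(w))
            continue;
        printf("%08X strict=%08X relaxed=%08X\n", (unsigned)w,
               (unsigned)mtcrf_invalid_bits(w, 0),
               (unsigned)mtcrf_invalid_bits(w, 1));
    }
    return 0;
}
```

A non-zero result is where an emulator would raise the program exception for an invalid form; a mask of 0x00000000 would make every sample pass, including the one with IBM bit 31 set.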