AArch64 CRASH from some stolen register handling bug

On a proprietary app we are seeing a crash where the app reads from the address 0x100. The bug goes away with -steal_reg 29 and seems to be some kind of stolen register mangling bug.

The problematic code involves reading from the thread reg into x28:

   0xaaaab55ec634 +116:    mrs     x28, tpidr_el0
   0xaaaab55ec638 +120:    mov     w8, #0x1                        // #1
   0xaaaab55ec63c +124:    ldr     w10, [x20]
   0xaaaab55ec640 +128:    cbz     w10, 0xaaaab55ec660 +160
   0xaaaab55ec644 +132:    mov     w9, w10
   0xaaaab55ec648 +136:    sub     w11, w10, #0x1
   0xaaaab55ec64c +140:    casa    w9, w11, [x20]
   0xaaaab55ec650 +144:    cmp     w9, w10
   0xaaaab55ec654 +148:    b.eq    0xaaaab55ec730 +368  // b.none
   0xaaaab55ec658 +152:    mov     w10, w9
   0xaaaab55ec65c +156:    cbnz    w9, 0xaaaab55ec648 +136
   0xaaaab55ec660 +160:    tbnz    w8, #0, 0xaaaab55ec68c +204

This is DR linked statically into the app, so the thread reg holds the app value. It looks like DR mangles the thread reg when static, which it shouldn't (filed #4459 (closed)) but fixing that doesn't eliminate the problem here.

I don't know where the mangling bug is: I'm using the workaround to work around it.