tcg/arm emits UNPREDICTABLE LDRD insn
We have a report on IRC that qemu (any guest arch) system mode crashes with a SIGILL on a Cortex-A7 host.
Thread 2 "qemu-system-x86" received signal SIGILL, Illegal instruction.
[Switching to Thread 326.329]
0xb3dc04c0 in code_gen_buffer ()
(gdb) bt
#0 0xb3dc04c0 in code_gen_buffer ()
#1 0x00b44fec in cpu_tb_exec ()
#2 0x00b4627c in cpu_loop_exec_tb ()
#3 0x00b46718 in cpu_exec ()
#4 0x00b6c550 in tcg_cpus_exec ()
#5 0x00b6dca8 in rr_cpu_thread_fn ()
#6 0x00d49b60 in qemu_thread_start ()
#7 0xb6824a04 in start_thread (arg=0xab9ff020) at pthread_create.c:442
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) display/i $pc
1: x/i $pc
=> 0xb3dc04c0 <code_gen_buffer+1840292>: ldrd r0, [r4, r1]
(gdb) x/w $pc
=> 0xb3dc04c0 <code_gen_buffer+1840292>: 0xe18400d1
This is bogus, because it hits one of the UNPREDICTABLE cases of the LDRD (register) encoding: Rt is 0 and Rm is 1, and m == t + 1 (Rm equal to Rt2) is UNPREDICTABLE. (That is, the insn loads to r0 and r1, but r1 is also involved in the address calculation.) It looks like the Cortex-A7 chooses to UNDEF for this.