Skip to content

CPU Specifications

CPU

CPU Registers
CPU Opcode Encoding
CPU Load/Store Opcodes
CPU ALU Opcodes
CPU Jump Opcodes
CPU Coprocessor Opcodes
CPU Pseudo Opcodes

System Control Coprocessor (COP0)

COP0 - Register Summary
COP0 - Exception Handling
COP0 - Misc
COP0 - Debug Registers

CPU Registers

All registers are 32bit wide.

  Name       Alias    Common Usage
  R0         zero     Constant (always 0)
  R1         at       Assembler temporary (destroyed by some assembler pseudoinstructions!)
  R2-R3      v0-v1    Subroutine return values, may be changed by subroutines
  R4-R7      a0-a3    Subroutine arguments, may be changed by subroutines
  R8-R15     t0-t7    Temporaries, may be changed by subroutines
  R16-R23    s0-s7    Static variables, must be saved by subs
  R24-R25    t8-t9    Temporaries, may be changed by subroutines
  R26-R27    k0-k1    Reserved for kernel (destroyed by some IRQ handlers!)
  R28        gp       Global pointer (rarely used)
  R29        sp       Stack pointer
  R30        fp(s8)   Frame Pointer, or 9th Static variable, must be saved
  R31        ra       Return address (used so by JAL,BLTZAL,BGEZAL opcodes)
  -          pc       Program counter
  -          hi,lo    Multiply/divide results, may be changed by subroutines
R0 is always zero.
R31 can be used as general purpose register, however, some opcodes are using it to store the return address: JAL, BLTZAL, BGEZAL. (Note: JALR can optionally store the return address in R31, or in R1..R30. Exceptions store the return address in cop0r14 - EPC).

R29 (SP) - Full Decrementing Wasted Stack Pointer

The CPU doesn't explicitly have stack-related registers or opcodes, however, conventionally, R29 is used as stack pointer (SP). The stack can be accessed with normal load/store opcodes, which do not automatically increase/decrease SP, so the SP register must be manually modified to (de-)allocate data.
The PSX BIOS is using "Full Decrementing Wasted Stack".
Decrementing means that SP gets decremented when allocating data (that's common for most CPUs) - Full means that SP points to the first ALLOCATED word on the stack, so the allocated memory is at SP+0 and above, free memory at SP-1 and below, Wasted means that when calling a sub-function with N parameters, then the caller must pre-allocate N works on stack, and the sub-function may freely use and destroy these words; at [SP+0..N*4-1].

For example, "push ra,r16,r17" would be implemented as:

  sub  sp,20h
  mov  [sp+14h],ra
  mov  [sp+18h],r16
  mov  [sp+1Ch],r17
where the allocated 20h bytes have the following purpose:
  [sp+00h..0Fh]  wasted stack (may, or may not, be used by sub-functions)
  [sp+10h..13h]  8-byte alignment padding (not used)
  [sp+14h..1Fh]  pushed registers

CPU Opcode Encoding

Primary opcode field (Bit 26..31)

  00h=SPECIAL 08h=ADDI  10h=COP0 18h=N/A   20h=LB   28h=SB   30h=LWC0 38h=SWC0
  01h=BcondZ  09h=ADDIU 11h=COP1 19h=N/A   21h=LH   29h=SH   31h=LWC1 39h=SWC1
  02h=J       0Ah=SLTI  12h=COP2 1Ah=N/A   22h=LWL  2Ah=SWL  32h=LWC2 3Ah=SWC2
  03h=JAL     0Bh=SLTIU 13h=COP3 1Bh=N/A   23h=LW   2Bh=SW   33h=LWC3 3Bh=SWC3
  04h=BEQ     0Ch=ANDI  14h=N/A  1Ch=N/A   24h=LBU  2Ch=N/A  34h=N/A  3Ch=N/A
  05h=BNE     0Dh=ORI   15h=N/A  1Dh=N/A   25h=LHU  2Dh=N/A  35h=N/A  3Dh=N/A
  06h=BLEZ    0Eh=XORI  16h=N/A  1Eh=N/A   26h=LWR  2Eh=SWR  36h=N/A  3Eh=N/A
  07h=BGTZ    0Fh=LUI   17h=N/A  1Fh=N/A   27h=N/A  2Fh=N/A  37h=N/A  3Fh=N/A

Secondary opcode field (Bit 0..5) (when Primary opcode = 00h)

  00h=SLL   08h=JR      10h=MFHI 18h=MULT  20h=ADD  28h=N/A  30h=N/A  38h=N/A
  01h=N/A   09h=JALR    11h=MTHI 19h=MULTU 21h=ADDU 29h=N/A  31h=N/A  39h=N/A
  02h=SRL   0Ah=N/A     12h=MFLO 1Ah=DIV   22h=SUB  2Ah=SLT  32h=N/A  3Ah=N/A
  03h=SRA   0Bh=N/A     13h=MTLO 1Bh=DIVU  23h=SUBU 2Bh=SLTU 33h=N/A  3Bh=N/A
  04h=SLLV  0Ch=SYSCALL 14h=N/A  1Ch=N/A   24h=AND  2Ch=N/A  34h=N/A  3Ch=N/A
  05h=N/A   0Dh=BREAK   15h=N/A  1Dh=N/A   25h=OR   2Dh=N/A  35h=N/A  3Dh=N/A
  06h=SRLV  0Eh=N/A     16h=N/A  1Eh=N/A   26h=XOR  2Eh=N/A  36h=N/A  3Eh=N/A
  07h=SRAV  0Fh=N/A     17h=N/A  1Fh=N/A   27h=NOR  2Fh=N/A  37h=N/A  3Fh=N/A

Opcode/Parameter Encoding

  31..26 |25..21|20..16|15..11|10..6 |  5..0  |
   6bit  | 5bit | 5bit | 5bit | 5bit |  6bit  |
  -------+------+------+------+------+--------+------------
  000000 | N/A  | rt   | rd   | imm5 | 0000xx | shift-imm
  000000 | rs   | rt   | rd   | N/A  | 0001xx | shift-reg
  000000 | rs   | N/A  | N/A  | N/A  | 001000 | jr
  000000 | rs   | N/A  | rd   | N/A  | 001001 | jalr
  000000 | <-----comment20bit------> | 00110x | sys/brk
  000000 | N/A  | N/A  | rd   | N/A  | 0100x0 | mfhi/mflo
  000000 | rs   | N/A  | N/A  | N/A  | 0100x1 | mthi/mtlo
  000000 | rs   | rt   | N/A  | N/A  | 0110xx | mul/div
  000000 | rs   | rt   | rd   | N/A  | 10xxxx | alu-reg
  000001 | rs   | 00000| <--immediate16bit--> | bltz
  000001 | rs   | 00001| <--immediate16bit--> | bgez
  000001 | rs   | 10000| <--immediate16bit--> | bltzal
  000001 | rs   | 10001| <--immediate16bit--> | bgezal
  00001x | <---------immediate26bit---------> | j/jal
  00010x | rs   | rt   | <--immediate16bit--> | beq/bne
  00011x | rs   | N/A  | <--immediate16bit--> | blez/bgtz
  001xxx | rs   | rt   | <--immediate16bit--> | alu-imm
  001111 | N/A  | rt   | <--immediate16bit--> | lui-imm
  100xxx | rs   | rt   | <--immediate16bit--> | load rt,[rs+imm]
  101xxx | rs   | rt   | <--immediate16bit--> | store rt,[rs+imm]
  x1xxxx | <------coprocessor specific------> | coprocessor (see below)

Coprocessor Opcode/Parameter Encoding

  31..26 |25..21|20..16|15..11|10..6 |  5..0  |
   6bit  | 5bit | 5bit | 5bit | 5bit |  6bit  |
  -------+------+------+------+------+--------+------------
  0100nn |0|0000| rt   | rd   | N/A  | 000000 | MFCn rt,rd_dat  ;rt = dat
  0100nn |0|0010| rt   | rd   | N/A  | 000000 | CFCn rt,rd_cnt  ;rt = cnt
  0100nn |0|0100| rt   | rd   | N/A  | 000000 | MTCn rt,rd_dat  ;dat = rt
  0100nn |0|0110| rt   | rd   | N/A  | 000000 | CTCn rt,rd_cnt  ;cnt = rt
  0100nn |0|1000|00000 | <--immediate16bit--> | BCnF target ;jump if false
  0100nn |0|1000|00001 | <--immediate16bit--> | BCnT target ;jump if true
  0100nn |1| <--------immediate25bit--------> | COPn imm25
  010000 |1|0000| N/A  | N/A  | N/A  | 000001 | COP0 01h  ;=TLBR, unused on PS1
  010000 |1|0000| N/A  | N/A  | N/A  | 000010 | COP0 02h  ;=TLBWI, unused on PS1
  010000 |1|0000| N/A  | N/A  | N/A  | 000110 | COP0 06h  ;=TLBWR, unused on PS1
  010000 |1|0000| N/A  | N/A  | N/A  | 001000 | COP0 08h  ;=TLBP, unused on PS1
  010000 |1|0000| N/A  | N/A  | N/A  | 010000 | COP0 10h  ;=RFE
  1100nn | rs   | rt   | <--immediate16bit--> | LWCn rt_dat,[rs+imm]
  1110nn | rs   | rt   | <--immediate16bit--> | SWCn rt_dat,[rs+imm]

Illegal Opcodes

All opcodes that are marked as "N/A" in the Primary and Secondary opcode tables are causing a Reserved Instruction Exception (excode=0Ah).
The unused operand bits (eg. Bit21-25 for LUI opcode) should be usually zero, but do not necessarily trigger exceptions if set to nonzero values.

CPU Load/Store Opcodes

Load instructions

  lb  rt,imm(rs)    rt=[imm+rs]  ;byte sign-extended
  lbu rt,imm(rs)    rt=[imm+rs]  ;byte zero-extended
  lh  rt,imm(rs)    rt=[imm+rs]  ;halfword sign-extended
  lhu rt,imm(rs)    rt=[imm+rs]  ;halfword zero-extended
  lw  rt,imm(rs)    rt=[imm+rs]  ;word
Load instructions can read from the data cache (if the data is not in the cache, or if the memory region is uncached, then the CPU gets halted until it has read the data) (however, the PSX doesn't have a data cache).
Load and store instructions can generate address error exceptions if the memory address is not properly aligned (To a halfword boundary for lh/lhu/sh or a word boundary for lw/sw. lwl/lwr/swl/swr can't access misaligned address as they force align the memory address). Additionally, accessing certain invalid memory locations will cause a bus error exception. If an exception occurs during a load instruction, the rt register is left untouched.

Caution - Load Delay

The loaded data is NOT available to the next opcode, ie. the target register isn't updated until the next opcode has completed. So, if the next opcode tries to read from the load destination register, then it would (usually) receive the OLD value of that register (unless an IRQ occurs between the load and next opcode, in that case the load would complete during IRQ handling, and so, the next opcode would receive the NEW value).
MFC2/CFC2 also have a 1-instruction delay until the target register is loaded with its new value (more info in the GTE section).

Store instructions

  sb  rt,imm(rs)    [imm+rs]=(rt AND FFh)   ;store 8bit
  sh  rt,imm(rs)    [imm+rs]=(rt AND FFFFh) ;store 16bit
  sw  rt,imm(rs)    [imm+rs]=rt             ;store 32bit
Store operations are passed to the write-queue, so they can execute within a single clock cycle (unless the write-queue was full, in that case the CPU gets halted until there's room in the queue). For more information on the write-queue, visit this page.

Caution - 8/16-bit writes to certain IO registers

During an 8-bit or 16-bit store, all 32 bits of the GPR are placed on the bus. As such, when writing to certain 32-bit IO registers with an 8 or 16-bit store, it will behave like a 32-bit store, using the register's full value. The soundscope on some shells is known to rely on this, as it uses sh to write to certain DMA registers. If this is not properly emulated, the soundscope will hang, waiting for an interrupt that will never be fired.

Load/Store Alignment

Halfword addresses must be aligned by 2, word addresses must be aligned by 4, trying to access mis-aligned addresses will cause an exception. There's no alignment restriction for bytes.

Unaligned Load/Store

  lwr   rt,imm(rs)     load right bits of rt from memory (usually imm+0)
  lwl   rt,imm(rs)     load left  bits of rt from memory (usually imm+3)
  swr   rt,imm(rs)     store right bits of rt to memory (usually imm+0)
  swl   rt,imm(rs)     store left  bits of rt to memory (usually imm+3)
There's no delay required between lwl and lwr, so you can use them directly following eachother, eg. to load a word anywhere in memory without regard to alignment:
  lwl   r2,$0003(t0)   ;\no delay required between these
  lwr   r2,$0000(t0)   ;/(although both access r2)
  nop                  ;-requires load delay HERE (before reading from r2)
  and   r2,r2,0ffffh   ;-access r2 (eg. reducing it to unaligned 16bit data)

Unaligned Load/Store (Details)

LWR/SWR transfers the right (=lower) bits of Rt, up-to 32bit memory boundary:

  lwr/swr [N*4+0]     transfer whole 32bit of Rt to/from [N*4+0..3]
  lwr/swr [N*4+1]     transfer lower 24bit of Rt to/from [N*4+1..3]
  lwr/swr [N*4+2]     transfer lower 16bit of Rt to/from [N*4+2..3]
  lwr/swr [N*4+3]     transfer lower  8bit of Rt to/from [N*4+3]
LWL/SWL transfers the left (=upper) bits of Rt, down-to 32bit memory boundary:
  lwl/swl [N*4+0]     transfer upper  8bit of Rt to/from [N*4+0]
  lwl/swl [N*4+1]     transfer upper 16bit of Rt to/from [N*4+0..1]
  lwl/swl [N*4+2]     transfer upper 24bit of Rt to/from [N*4+0..2]
  lwl/swl [N*4+3]     transfer whole 32bit of Rt to/from [N*4+0..3]
The CPU has four separate byte-access signals, so, within a 32bit location, it can transfer all fragments of Rt at once (including for odd 24bit amounts). The transferred data is not zero- or sign-expanded, eg. when transferring 8bit data, the other 24bit of Rt and [mem] will remain intact.

Note: The aligned variant can also misused for blocking memory access on aligned addresses (in that case, if the address is known to be aligned, only one of the opcodes are needed, either LWL or LWR).... Uhhhhhhhm, OR is that NOT allowed... more PROBABLY that doesn't work?

CPU ALU Opcodes

arithmetic instructions

  add   rd,rs,rt         rd=rs+rt (with overflow trap)
  addu  rd,rs,rt         rd=rs+rt
  sub   rd,rs,rt         rd=rs-rt (with overflow trap)
  subu  rd,rs,rt         rd=rs-rt
  addi  rt,rs,imm        rt=rs+(-8000h..+7FFFh) (with ov.trap)
  addiu rt,rs,imm        rt=rs+(-8000h..+7FFFh)
The opcodes "with overflow trap" do trigger an exception (and leave rd unchanged) in case of overflows.

comparison instructions

  slt   rd,rs,rt  if rs<rt (signed comparison) then rd=1 else rd=0
  sltu  rd,rs,rt  if rs<rt (unsigned comparison) then rd=1 else rd=0
  slti  rt,rs,imm if rs<(sign-extended immediate in range [-8000h..+7FFFh], signed comparison) then rt=1 else rt=0
  sltiu rt,rs,imm if rs<(sign-extended immediate in range [0..7FFFh] U [FFFF8000h..FFFFFFFFh], unsigned comparison) then rt=1 else rt=0

logical instructions

  and  rd,rs,rt         rd = rs AND rt
  or   rd,rs,rt         rd = rs OR  rt
  xor  rd,rs,rt         rd = rs XOR rt
  nor  rd,rs,rt         rd = FFFFFFFFh XOR (rs OR rt)
  andi rt,rs,imm        rt = rs AND (0000h..FFFFh)
  ori  rt,rs,imm        rt = rs OR  (0000h..FFFFh)
  xori rt,rs,imm        rt = rs XOR (0000h..FFFFh)

shifting instructions

  sllv rd,rt,rs          rd = rt SHL (rs AND 1Fh)
  srlv rd,rt,rs          rd = rt SHR (rs AND 1Fh)
  srav rd,rt,rs          rd = rt SAR (rs AND 1Fh)
  sll  rd,rt,imm         rd = rt SHL (00h..1Fh)
  srl  rd,rt,imm         rd = rt SHR (00h..1Fh)
  sra  rd,rt,imm         rd = rt SAR (00h..1Fh)
  lui  rt,imm            rt = (0000h..FFFFh) SHL 16
Unlike many other opcodes, shifts use 'rt' as second (not third) operand.
The hardware does NOT generate exceptions on SHL overflows.

Multiply/divide

  mult   rs,rt           hi:lo = rs*rt (signed)
  multu  rs,rt           hi:lo = rs*rt (unsigned)
  div    rs,rt           lo = rs/rt, hi=rs mod rt (signed)
  divu   rs,rt           lo = rs/rt, hi=rs mod rt (unsigned)
  mfhi   rd              rd=hi  ;move from hi
  mflo   rd              rd=lo  ;move from lo
  mthi   rs              hi=rs  ;move to hi
  mtlo   rs              lo=rs  ;move to lo
The mul/div opcodes are starting the multiply/divide operation, starting takes only a single clock cycle, however, trying to read the result from the hi/lo registers while the mul/div operation is busy will halt the CPU until the mul/div has completed. For multiply, the execution time depends on rs (ie. "small*large" can be much faster than "large*small").
  __multu_execution_time_____________________________________________________
  Fast  (6 cycles)   rs = 00000000h..000007FFh
  Med   (9 cycles)   rs = 00000800h..000FFFFFh
  Slow  (13 cycles)  rs = 00100000h..FFFFFFFFh
  __mult_execution_time_____________________________________________________
  Fast  (6 cycles)   rs = 00000000h..000007FFh, or rs = FFFFF800h..FFFFFFFFh
  Med   (9 cycles)   rs = 00000800h..000FFFFFh, or rs = FFF00000h..FFFFF801h
  Slow  (13 cycles)  rs = 00100000h..7FFFFFFFh, or rs = 80000000h..FFF00001h
  __divu/div_execution_time________________________________________________
  Fixed (36 cycles)  no matter of rs and rt values
For example, when executing "multu 123h,12345678h" and "mflo r1", one can insert up to six (cached) ALU opcodes, or read one value from PSX Main RAM (which has 6 cycle access time) between the "multu" and "mflo" opcodes without additional slowdown.
The hardware does NOT generate exceptions on divide overflows, instead, divide errors are returning the following values:
  Opcode  Rs              Rt       Hi/Remainder  Lo/Result
  divu    0..FFFFFFFFh    0   -->  Rs            FFFFFFFFh
  div     0..+7FFFFFFFh   0   -->  Rs            -1
  div     -80000000h..-1  0   -->  Rs            +1
  div     -80000000h      -1  -->  0             -80000000h
For divu, the result is more or less correct (as close to infinite as possible). For div, the results are total garbage (about furthest away from the desired result as possible).
Note: After accessing the lo/hi registers, there seems to be a strange rule that one should not touch the lo/hi registers in the next 2 cycles or so... not yet understood if/when/how that rule applies...?

CPU Jump Opcodes

jumps and branches

Note that the instruction following the branch will always be executed.

  j      dest        pc=(pc and F0000000h)+(imm26bit*4)
  jal    dest        pc=(pc and F0000000h)+(imm26bit*4),ra=$+8
  jr     rs          pc=rs
  jalr (rd,)rs(,rd)  pc=rs, rd=$+8 ;see caution
  beq    rs,rt,dest  if rs=rt  then pc=$+4+(-8000h..+7FFFh)*4
  bne    rs,rt,dest  if rs<>rt then pc=$+4+(-8000h..+7FFFh)*4
  bltz   rs,dest     if rs<0   then pc=$+4+(-8000h..+7FFFh)*4
  bgez   rs,dest     if rs>=0  then pc=$+4+(-8000h..+7FFFh)*4
  bgtz   rs,dest     if rs>0   then pc=$+4+(-8000h..+7FFFh)*4
  blez   rs,dest     if rs<=0  then pc=$+4+(-8000h..+7FFFh)*4
  bltzal rs,dest     if rs<0   then pc=$+4+(..)*4; ra=$+8; 
  bgezal rs,dest     if rs>=0  then pc=$+4+(..)*4; ra=$+8;

jr/jalr can be used to jump to an unaligned address, in which case an address error (AdEL) exception will be raised on the next instruction fetch.
Additionally, bltzal/bgezal will always place the return address in $ra, whether or not the branch is taken. Additionally, if rs is $ra, then the value used for the comparison is $ra's value before linking.

JALR cautions

Caution: The JALR source code syntax varies (IDT79R3041 specs say "jalr rs,rd", but MIPS32 specs say "jalr rd,rs"). Moreover, JALR may not use the same register for both operands (eg. "jalr r31,r31") (doing so would destroy the target address; which is normally no problem, but it can be a problem if an IRQ occurs between the JALR opcode and the following branch delay opcode; in that case BD gets set, and EPC points "back" to the JALR opcode, so JALR is executed twice, with destroyed target address in second execution).

exception opcodes

Unlike for jump/branch opcodes, exception opcodes are immediately executed (ie. without executing the following opcode).

  syscall  imm20        generates a system call exception
  break    imm20        generates a breakpoint exception
The 20bit immediate doesn't affect the CPU (however, the exception handler may interprete it by software; by examing the opcode bits at [epc-4]).

CPU Coprocessor Opcodes

Coprocessor Instructions (COP0..COP3)

  mfc# rt,rd       ;rt = cop#datRd ;data regs
  cfc# rt,rd       ;rt = cop#cntRd ;control regs
  mtc# rt,rd       ;cop#datRd = rt ;data regs
  ctc# rt,rd       ;cop#cntRd = rt ;control regs
  cop# imm25       ;exec cop# command 0..1FFFFFFh
  lwc# rt,imm(rs)  ;cop#dat_rt = [rs+imm]  ;word
  swc# rt,imm(rs)  ;[rs+imm] = cop#dat_rt  ;word
  bc#f dest        ;if cop#flg=false then pc=$+disp
  bc#t dest        ;if cop#flg=true  then pc=$+disp
  rfe              ;return from exception (COP0)
  tlb<xx>          ;virtual memory related (COP0), unused in the PS1
Unknown if any tlb-opcodes (tlbr,tlbwi,tlbwr,tlbp) are implemented in the psx hardware?

Caution - Load Delay

When reading from a coprocessor register, the next opcode cannot use the destination register as operand (much the same as the Load Delays that occur when reading from memory; see there for details).
Reportedly, the Load Delay applies for the next TWO opcodes after coprocessor reads, but, that seems to be nonsense (the PSX does finish both COP0 and COP2 reads after ONE opcode).

Caution - Store Delay

In some cases, a similar delay occurs when writing to a coprocessor register. COP0 is more or less free of store delays (eg. one can read from a cop0 register immediately after writing to it), the only known exception is the cop2 enable bit in cop0r12.bit30 (setting that cop0 bit acts delayed, and cop2 isn't actually enabled until after 2 clock cycles or so).
Writing to cop2 registers has a delay of 2..3 clock cycles. In most cases, that is probably (?) only 2 cycles, but special cases like writing to IRGB (which does additionally affect IR1,IR2,IR3) take 3 cycles until the result arrives in all registers).
Note that Store Delays are counted in numbers of clock cycles (not in numbers of opcodes). For 3 cycle delay, one must usually insert 3 cached opcodes (or one uncached opcode).

CPU Pseudo Opcodes

Pseudo instructions (native/spasm)

  nop                  ;alias for sll r0,r0,0
  move rd,rs           ;alias for addu rd,rs,r0
  la   rx,imm32        ;load address   (alias for lui rx / addiu rx)
  li   rx,imm32        ;load immediate (alias for lui rx / ori   rx)
  li   rx,imm16        ;load immediate (alias for ori, range 0..FFFFh)
  li   rx,-imm15       ;load immediate (alias for addiu, range -1..-8000h)
  li   rx,imm16*10000h ;load immediate (alias for lui)
  lw   rx,imm32        ;load from address (lui rx / lw rx,rx)
  sw   rx,imm32        ;store to address  (lui r1 / sw rx,r1) (destroys r1!)
  lb,lh,lwl,lwr,lbu,lhu;as above pseudo lw
  sb,sh,swl,swr        ;as above pseudo sw (ie. also destroys r1!)
  alu  rx,op           ;alias for alu  rx,rx,op
  alu(u) rx,rx,imm     ;alias for alui(u) rx,rx,imm
  jalr  rx             ;alias for jalr (RA,)rx(,RA)
  subi(u) rt,rs,imm    ;alias for addi(u) rt,rs,-imm
  beqz rx,dest         ;alias for beq rx,r0,dest
  bnez rx,dest         ;alias for bne rx,r0,dest
  b   dest             ;alias for beq r0,r0,dest (jump relative/spasm)
  bra dest             ;alias for bgez r0, r0, dest
  bal dest             ;alias for bgezal r0, r0, dest

Pseudo instructions (nocash/a22i, not present on most other assemblers)

  mov  rx,NNNN0000h    ;alias for lui  rx,NNNNh
  mov  rx,0000NNNNh    ;alias for or   rx,r0,NNNNh  ;max +FFFFh
  mov  rx,-imm15       ;alias for add  rx,r0,-NNNNh ;min -8000h
  mov  rx,ry           ;alias for or   rx,ry,0  (or "addiu")
  jrel dest            ;alias for blez R0,dest   ;relative jump
  crel dest            ;alias for callns R0,dest ;relative call
  jz   rx,dest         ;alias for je   rx,R0,dest
  jnz  rx,dest         ;alias for jne  rx,R0,dest
  call rx              ;alias for call rx,ret=RA
  ret                  ;alias for jmp  ra
  subt rt,rs,imm       ;alias for addt rt,rs,-imm
  sub  rt,rs,imm       ;alias for add  rt,rs,-imm
  alu  rx,op           ;alias for alu  rx,rx,op
  neg(t) rx,ry         ;alias for sub(t) rx,R0,ry
  not    rx,ry         ;alias for nor    rx,R0,ry
  neg(t)/not rx        ;alias for neg(t)/not rx,rx
  setz rx,ry           ;alias for setb rx,ry,1   (set if zero)
  setnz rx,ry          ;alias for setb rx,R0,ry  (set if nonzero)
  syscall/break        ;alias for syscall/break 000000h
Below are pseudo instructions combined of two 32bit opcodes...
  movp rx,imm32        ;alias for lui  rx,imm16 -plus- or rx,rx,imm16)
  mov(bhs)p rx,[imm32] ;load from address (lui rx,imm16 / mov rx,[rx+imm16])
  movu [rs+imm]        ;alias for lwr/swr [rs+imm] plus lwl/swl [rs+imm+3]
  reti                 ;alias for jmp k0 plus rfe
Below are pseudo instructions combined of two or more 32bit opcodes...
  push rlist           ;alias for sub sp,n*4 -- mov [sp+(1..n)*4],r1..rn
  pop  rlist           ;alias for mov r1..rn,[sp+(1..n)*4] -- add sp,n*4
  pop  pc,rlist        ;alias for pop ra,rlist -- jmp ra

Directives (nocash)

  .mips          ;select MIPS instruction set (alternately .hc05 for MC68HC05)
  .bios          ;create a .ROM file (instead of .EXE)
  .auto_nop      ;append NOPs to jumps ;unless next opcode starts with a +
  org imm        ;assume following code to be originated at address "imm"
  db n(,n(..)))  ;define 8bit data values(s) or quoted ASCII strings
  dw n(,n(..)))  ;define 16bit data values(s) (not 32bit data!)
  dd n(,n(..)))  ;define 32bit data values(s)
  .align imm
  0              ;alias for immediate 0 and register R0 (whichever fits)

Directives (native)

  org imm        ;self-explaining (but, default=$80010000 for spasm!)
  align imm      ;self-explaining (probably zeropadded?)
  db n(,n(..)))  ;define 8bit data values(s) or quoted ASCII strings
  dh n(,n(..)))  ;define 16bit data values(s)
  dw n(,n(..)))  ;define 32bit data values(s) (not 16bit data!)
  dcb len,value  ;fill <len> bytes by <value> (different as DCB on ARM CPUs)
  xyz            ;define label "xyz" at current address (without colon)
  xyz equ n      ;assign value n to xyz
  xyz = n        ;probably same/sililar as "equ"
  ;xyz           ;comments invoked with semicolon (spasm)
  incbin file.bin       ;import binary file
  include file.asm      ;import asm file
  zero           ;alias for r0
  >imm32         ;alias for (i-(i AND 8000h))/10000h,  and/or i/10000h ?
  <imm32         ;alias for (i AND 0FFFFh), used for SW(+/-) and ORI(+)?
  end       ;N/A ;no "end" or ".end" directive needed/used by spasm
  r1 aka at ;N/A ;some assemblers may (optionally) reject to use r1/at

Syntax for unknown assembler (for pad.s)

It uses "0x" for HEX values (but doesn't use "$" for registers).
It uses "#" instead of ";" for comments.
It uses ":" for labels (fortunately).
The assembler has at least one directive: ".byte" (equivalent to "db" on other assemblers).
I've no clue which assembler is used for that syntax... could that be the Psy-Q assembler?

COP0 - Register Summary

COP0 Register Summary

  cop0r0-r2   - N/A
  cop0r3      - BPC - Breakpoint on execute (R/W)
  cop0r4      - N/A
  cop0r5      - BDA - Breakpoint on data access (R/W)
  cop0r6      - JUMPDEST - Randomly memorized jump address (R)
  cop0r7      - DCIC - Breakpoint control (R/W)
  cop0r8      - BadVaddr - Bad Virtual Address (R)
  cop0r9      - BDAM - Data Access breakpoint mask (R/W)
  cop0r10     - N/A
  cop0r11     - BPCM - Execute breakpoint mask (R/W)
  cop0r12     - SR - System status register (R/W)
  cop0r13     - CAUSE - Describes the most recently recognised exception (R)
  cop0r14     - EPC - Return Address from Trap (R)
  cop0r15     - PRID - Processor ID (R)
  cop0r16-r31 - Garbage
  cop0r32-r63 - N/A - None such (Control regs)

COP0 - Exception Handling

cop0r13 - CAUSE - (Read-only, except, Bit8-9 are R/W)

Describes the most recently recognised exception

  0-1   -      Not used (zero)
  2-6   Excode Describes what kind of exception occured:
                 00h INT     Interrupt
                 01h MOD     Tlb modification (none such in PSX)
                 02h TLBL    Tlb load         (none such in PSX)
                 03h TLBS    Tlb store        (none such in PSX)
                 04h AdEL    Address error, Data load or Instruction fetch
                 05h AdES    Address error, Data store
                             The address errors occur when attempting to read
                             outside of KUseg in user mode and when the address
                             is misaligned. (See also: BadVaddr register)
                 06h IBE     Bus error on Instruction fetch
                 07h DBE     Bus error on Data load/store
                 08h Syscall Generated unconditionally by syscall instruction
                 09h BP      Breakpoint - break instruction
                 0Ah RI      Reserved instruction
                 0Bh CpU     Coprocessor unusable
                 0Ch Ov      Arithmetic overflow
                 0Dh-1Fh     Not used
  7     -      Not used (zero)
  8-15  Ip     Interrupt pending field. Bit 8 and 9 are R/W, and
               contain the last value written to them. As long
               as any of the bits are set they will cause an
               interrupt if the corresponding bit is set in IM.
  16-27 -      Not used (zero)
  28-29 CE     Contains the coprocessor number if the exception
               occurred because of a coprocessor instuction for
               a coprocessor which wasn't enabled in SR.
  30    -      Not used (zero)
  31    BD     Is set when last exception points to the
               branch instuction instead of the instruction
               in the branch delay slot, where the exception
               occurred.

cop0r12 - SR - System status register (R/W)

  0     IEc Current Interrupt Enable  (0=Disable, 1=Enable) ;rfe pops IUp here
  1     KUc Current Kernel/User Mode  (0=Kernel, 1=User)    ;rfe pops KUp here
  2     IEp Previous Interrupt Enable                       ;rfe pops IUo here
  3     KUp Previous Kernel/User Mode                       ;rfe pops KUo here
  4     IEo Old Interrupt Enable                        ;left unchanged by rfe
  5     KUo Old Kernel/User Mode                        ;left unchanged by rfe
  6-7   -   Not used (zero)
  8-15  Im  8 bit interrupt mask fields. When set the corresponding
            interrupts are allowed to cause an exception.
  16    Isc Isolate Cache (0=No, 1=Isolate)
              When isolated, all load and store operations are targetted
              to the Data cache, and never the main memory.
              (Used by PSX Kernel, in combination with Port FFFE0130h)
  17    Swc Swapped cache mode (0=Normal, 1=Swapped)
              Instruction cache will act as Data cache and vice versa.
              Use only with Isc to access & invalidate Instr. cache entries.
              (Not used by PSX Kernel)
  18    PZ  When set cache parity bits are written as 0.
  19    CM  Shows the result of the last load operation with the D-cache
            isolated. It gets set if the cache really contained data
            for the addressed memory location.
  20    PE  Cache parity error (Does not cause exception)
  21    TS  TLB shutdown. Gets set if a programm address simultaneously
            matches 2 TLB entries.
            (initial value on reset allows to detect extended CPU version?)
  22    BEV Boot exception vectors in RAM/ROM (0=RAM/KSEG0, 1=ROM/KSEG1)
  23-24 -   Not used (zero)
  25    RE  Reverse endianness   (0=Normal endianness, 1=Reverse endianness)
              Reverses the byte order in which data is stored in
              memory. (lo-hi -> hi-lo)
              (Affects only user mode, not kernel mode) (?)
              (The bit doesn't exist in PSX ?)
  26-27 -   Not used (zero)
  28    CU0 COP0 Enable (0=Enable only in Kernel Mode, 1=Kernel and User Mode)
  29    CU1 COP1 Enable (0=Disable, 1=Enable) (none in PSX)
  30    CU2 COP2 Enable (0=Disable, 1=Enable) (GTE in PSX)
  31    CU3 COP3 Enable (0=Disable, 1=Enable) (none in PSX)

cop0r14 - EPC - Return Address from Trap (R)

  0-31  Return Address from Exception
This register points to the address at which an exception occured, unless BD in CAUSE is set, in which case EPC is set to the address of the exception - 4.
Interrupts should always return to EPC+0, no matter of the BD flag. That way, if BD=1, the branch gets executed again, that's required because EPC stores only the current program counter, but not additionally the branch destination address.
Other exceptions may require to handle BD. In simple cases, when BD=0, the exception handler may return to EPC+0 (retry execution of the opcode), or to EPC+4 (skip the opcode that caused the exception). Note that jumps to faulty memory locations are executed without exception, but will trigger address errors and bus errors at the target location, ie. EPC (and BadVAddr, in case of address errors) point to the faulty address, not to the opcode that has jumped to that address).

Interrupts vs GTE Commands

If an interrupt occurs "on" a GTE command (cop2cmd), then the GTE command is executed, but nethertheless, the return address in EPC points to the GTE command. So, if the exeception handler would return to EPC as usually, then the GTE command would be executed twice. In best case, this would be a waste of clock cycles, in worst case it may lead to faulty result (if the results from the 1st execution are re-used as incoming parameters in the 2nd execution). To fix the problem, the exception handler must do:

  if (cause AND 7Ch)=00h                ;if excode=interrupt
   if ([epc] AND FE000000h)=4A000000h   ;and opcode=cop2cmd
    epc=epc+4                           ;then skip that opcode
Note: The above exception handling is working only in newer PSX BIOSes, but in very old PSX BIOSes, it is only incompletely implemented (see "BIOS Patches" chapter for common workarounds; or write your own exception handler without using the BIOS).
Of course, the above exeption handling won't work in branch delays (where BD gets set to indicate that EPC was modified) (best workaround is not to use GTE commands in branch delays).
Several games are known to rely on this, notably including the Crash Bandicoot trilogy, Jinx and Spyro the Dragon, all of which will render broken geometry if running on an emulator which doesn't emulate this, or if the installed interrupt service routine doesn't account for it.

cop0cmd=10h - RFE opcode - Prepare Return from Exception

The RFE opcode moves some bits in cop0r12 (SR): bit2-3 are copied to bit0-1, and bit4-5 are copied to bit2-3, all other bits (including bit4-5) are left unchanged.
The RFE opcode does NOT automatically jump to EPC. Instead, the exception handler must copy EPC into a register (usually R26 aka K0), and then jump to that address. Because of branch delays, that would look like so:

  mov  k0,epc  ;get return address
  push k0      ;save epc in memory (if you expect nested exceptions)
  ...          ;whatever (ie. process CAUSE)
  pop  k0      ;restore from memory (if you expect nested exceptions)
  jmp  k0      ;jump to K0 (after executing the next opcode)
  +rfe         ;move SR bit4/5 --> bit2/3 --> bit0/1
If you expect exceptions to be nested deeply, also push/pop SR. Note that there's no way to leave all registers intact (ie. above code destroys K0).

cop0r8 - BadVaddr - Bad Virtual Address (R)

Contains the address whose reference caused an exception. Set on any MMU type of exceptions, on references outside of kuseg (in User mode) and on any misaligned reference. BadVaddr is updated ONLY by Address errors (Excode 04h and 05h), all other exceptions (including bus errors) leave BadVaddr unchanged.

Exception Vectors (depending on BEV bit in SR register)

  Exception     BEV=0         BEV=1
  Reset         BFC00000h     BFC00000h   (Reset)
  UTLB Miss     80000000h     BFC00100h   (Virtual memory, none such in PSX)
  COP0 Break    80000040h     BFC00140h   (Debug Break)
  General       80000080h     BFC00180h   (General Interrupts & Exceptions)
Note: Changing vectors at 800000xxh (kseg0) seems to be automatically reflected to the instruction cache without needing to flush cache (at least it worked SOMETIMES in my test proggy... but NOT always? ...anyways, it'd be highly recommended to flush cache when changing any opcodes), whilst changing mirrors at 000000xxh (kuseg) seems to require to flush cache.
The PSX uses only the BEV=0 vectors (aside from the reset vector, the PSX BIOS ROM doesn't contain any of the BEV=1 vectors).

Exception Priority

  Reset At any time (highest)            ;-reset
  AdEL Memory (Load instruction)         ;\
  AdES Memory (Store instruction)        ; memory (data load/store)
  DBE  Memory (Load or store)            ;/
  MOD  ALU (Data TLB)                    ;\
  TLBL ALU (DTLB Miss)                   ; none such
  TLBS ALU (DTLB Miss)                   ;/
  Ovf  ALU                               ;-overflow
  Int  ALU                               ;-interrupt
  Sys  RD (Instruction Decode)           ;\
  Bp   RD (Instruction Decode)           ;
  RI   RD (Instruction Decode)           ;
  CpU  RD (Instruction Decode)           ;/
  TLBL I-Fetch (ITLB Miss)               ;-none such
  AdEL IVA (Instruction Virtual Address) ;\memory (opcode fetch)
  IBE  RD (end of I-Fetch, lowest)       ;/

COP0 - Misc

cop0r15 - PRID - Processor ID (R)

  0-7   Revision
  8-15  Implementation
  16-31 Not used
For a Playstation with CXD8606CQ CPU, the PRID value is 00000002h.
Unknown if/which other Playstation CPU versions have other values...?

cop0r6 - JUMPDEST - Randomly memorized jump address (R)

The is a rather strange totally useless register. After certain exceptions, the CPU does memorize a jump destination address in the register. Once when it has memorized an address, the register becomes locked, and the memorized value won't change until it becomes unlocked by a new exception. Exceptions that do unlock the register are Reset and Interrupts (cause.bit10). Exceptions that do NOT unlock the register are syscall/break opcodes, and software generated interrupts (eg. cause.bit8).
In the unlocked state, the CPU does more or less randomly memorize one of the next some jump destinations - eg. the destination from the second jump after reset, or from a jump that occured immediately before executing the IRQ handler, or from a jump inside of the IRQ handler, or even from a later jump that occurs shortly after returning from the IRQ handler.
The register seems to be read-only (although the Kernel initialization code writes 0 to it for whatever reason).

cop0r0..r2, cop0r4, cop0r10, cop0r32..r63 - N/A

Registers 0,1,2,4,10 control virtual memory on some MIPS processors (but there's none such in the PSX), and Registers 32..63 (aka "control registers") aren't used in any MIPS processors. Trying to read any of these registers causes a Reserved Instruction Exception (excode=0Ah).

cop0cmd=01h,02h,06h,08h - TLBR,TLBWI,TLBWR,TLBP

The PSX supports only one cop0cmd (cop0cmd=10h aka RFE). Trying to execute the TLBxx opcodes causes a Reserved Instruction Exception (excode=0Ah).

jf/jt cop0flg,dest - conditional cop0 jumps

mov [mem],cop0reg / mov cop0reg,[mem] - coprocessor cop0 load/store

Not supported by the CPU. Trying to execute these opcodes causes a Coprocessor Unusable Exception (excode=0Bh, ie. unlike above, not 0Ah).

cop0r16-r31 - Garbage

Trying to read these registers returns garbage (but does not trigger an exception). When reading one of the garbage registers shortly after reading a valid cop0 register, the garbage value is usually the same as that of the valid register. When doing the read later on, the return value is usually 00000020h, or when reading much later it returns 00000040h, or even 00000100h. No idea what is causing that effect...?
Note: The garbage registers can be accessed (without causing an exception) even in "User mode with cop0 disabled" (SR.Bit1=1 and SR.Bit28=0); accessing any other existing cop0 registers (or executing the rfe opcode) in that state is causing Coprocessor Unusable Exceptions (excode=0Bh).

COP0 - Debug Registers

The COP0 debug registers seem to be PSX specific, normal R30xx CPUs like IDT's R3041 and R3051 don't have anything similar.

cop0r7 - DCIC - Breakpoint control (R/W)

  0      Automatically set by hardware upon Any break            (R/W)
  1      Automatically set by hardware upon BPC Code break       (R/W)
  2      Automatically set by hardware upon BDA Data break       (R/W)
  3      Automatically set by hardware upon BDA Data-Read break  (R/W)
  4      Automatically set by hardware upon BDA Data-Write break (R/W)
  5      Automatically set by hardware upon any-jump break       (R/W)
  6-11   Not used (always zero)
  12-13  Jump Redirection (0=Disable, 1..3=Enable) (see note)    (R/W)
  14-15  Unknown? (R/W)
  16-22  Not used (always zero)
  23     Super-Master Enable 1 for bit24-29
  24     Execution breakpoint     (0=Disabled, 1=Enabled) (see BPC, BPCM)
  25     Data access breakpoint   (0=Disabled, 1=Enabled) (see BDA, BDAM)
  26     Break on Data-Read       (0=No, 1=Break/when Bit25=1)
  27     Break on Data-Write      (0=No, 1=Break/when Bit25=1)
  28     Break on any-jump        (0=No, 1=Break on branch/jump/call/etc.)
  29     Master Enable for bit28 (..and/or exec-break at address>=80000000h?)
  30     Master Enable for bit24-27
  31     Super-Master Enable 2 for bit24-29
When a breakpoint address match occurs the PSX jumps to 80000040h (ie. unlike normal exceptions, not to 80000080h). The Excode value in the CAUSE register is set to 09h (same as BREAK opcode), and EPC contains the return address, as usually. One of the first things to be done in the exception handler is to disable breakpoints (eg. if the any-jump break is enabled, then it must be disabled BEFORE jumping from 80000040h to the actual exception handler).

cop0r7.bit12-13 - Jump Redirection Note

If one or both of these bits are nonzero, then the PSX seems to check for the following opcode sequence,

  mov rx,[mem]   ;load rx from memory
  ...            ;one or more opcodes that do not change rx
  jmp/call rx    ;jump or call to rx
if it does sense that sequence, then it sets PC=[00000000h], but does not store any useful information in any cop0 registers, namely it does not store the return address in EPC, so it's impossible to determine which opcode has caused the exception. For the jump target address, there are 31 registers, so one could only guess which of them contains the target value; for "POP PC" code it'd be usually R31, but for "JMP [vector]" code it may be any register. So far the feature seems to be more or less unusable...?

cop0r5 - BDA - Breakpoint on Data Access Address (R/W)

cop0r9 - BDAM - Breakpoint on Data Access Mask (R/W)

Break condition is "((addr XOR BDA) AND BDAM)=0".

cop0r3 - BPC - Breakpoint on Execute Address (R/W)

cop0r11 - BPCM - Breakpoint on Execute Mask (R/W)

Break condition is "((PC XOR BPC) AND BPCM)=0".

Note (BREAK Opcode)

Additionally, the BREAK opcode can be used to create further breakpoints by patching the executable code. The BREAK opcode uses the same Excode value (09h) in CAUSE register. However, the BREAK opcode jumps to the normal exception handler at 80000080h (not 80000040h).

Note (LibCrypt)

The debug registers are mis-used by "Legacy of Kain: Soul Reaver" (and maybe also other games) for storing libcrypt copy-protection related values (ie. just as a "hidden" location for storing data, not for actual debugging purposes).
CDROM Protection - LibCrypt

Note (Cheat Devices/Expansion ROMs)

The Expansion ROM header supports only Pre-Boot and Post-Boot vectors, but no Mid-Boot vector. Cheat Devices are often using COP0 breaks for Mid-Boot Hooks, either with BPC=BFC06xxxh (break address in ROM, used in older cheat firmwares), or with BPC=80030000h (break address in RAM aka relocated GUI entrypoint, used in later cheat firmwares). Moreover, aside from the Mid-Boot Hook, the Xplorer cheat device is also supporting a special cheat code that uses the COP0 break feature.

Note (Datasheet)

Note: COP0 debug registers are described in LSI's "L64360" datasheet, chapter 14. And in their LR33300/LR33310 datasheet, chapter 4.