CD-X 1

home *** CD-ROM | disk | FTP | other *** search

/ CD-X 1 / cdx_01.iso / demodisc / tyrant / docs / 386code / instruct.386 < prev next >

Wrap

Text File | 1994-01-20 | 241.4 KB | 7,213 lines

AAA ── ASCII Adjust after Addition Opcode Instruction Clocks Description 37 AAA 4 ASCII adjust AL after addition Operation IF ((AL AND 0FH) > 9) OR (AF = 1) THEN AL (AL + 6) AND 0FH; AH AH + 1; AF 1; CF 1; ELSE CF 0; AF 0; FI; Description Execute AAA only following an ADD instruction that leaves a byte result in the AL register. The lower nibbles of the operands of the ADD instruction should be in the range 0 through 9 (BCD digits). In this case, AAA adjusts AL to contain the correct decimal digit result. If the addition produced a decimal carry, the AH register is incremented, and the carry and auxiliary carry flags are set to 1. If there was no decimal carry, the carry and auxiliary flags are set to 0 and AH is unchanged. In either case, AL is left with its top nibble set to 0. To convert AL to an ASCII result, follow the AAA instruction with OR AL, 30H. Flags Affected AF and CF as described above; OF, SF, ZF, and PF are undefined Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None AAD ── ASCII Adjust AX before Division Opcode Instruction Clocks Description D5 0A AAD 19 ASCII adjust AX before division Operation AL AH * 10 + AL; AH 0; Description AAD is used to prepare two unpacked BCD digits (the least-significant digit in AL, the most-significant digit in AH) for a division operation that will yield an unpacked result. This is accomplished by setting AL to AL + (10 * AH), and then setting AH to 0. AX is then equal to the binary equivalent of the original unpacked two-digit number. Flags Affected SF, ZF, and PF as described in Appendix C; OF, AF, and CF are undefined Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None AAM ── ASCII Adjust AX after Multiply Opcode Instruction Clocks Description D4 0A AAM 17 ASCII adjust AX after multiply Operation AH AL / 10; AL AL MOD 10; Description Execute AAM only after executing a MUL instruction between two unpacked BCD digits that leaves the result in the AX register. Because the result is less than 100, it is contained entirely in the AL register. AAM unpacks the AL result by dividing AL by 10, leaving the quotient (most-significant digit) in AH and the remainder (least-significant digit) in AL. Flags Affected SF, ZF, and PF as described in Appendix C; OF, AF, and CF are undefined Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None AAS ── ASCII Adjust AL after Subtraction Opcode Instruction Clocks Description 3F AAS 4 ASCII adjust AL after subtraction Operation IF (AL AND 0FH) > 9 OR AF = 1 THEN AL AL - 6; AL AL AND 0FH; AH AH - 1; AF 1; CF 1; ELSE CF 0; AF 0; FI; Description Execute AAS only after a SUB instruction that leaves the byte result in the AL register. The lower nibbles of the operands of the SUB instruction must have been in the range 0 through 9 (BCD digits). In this case, AAS adjusts AL so it contains the correct decimal digit result. If the subtraction produced a decimal carry, the AH register is decremented, and the carry and auxiliary carry flags are set to 1. If no decimal carry occurred, the carry and auxiliary carry flags are set to 0, and AH is unchanged. In either case, AL is left with its top nibble set to 0. To convert AL to an ASCII result, follow the AAS with OR AL, 30H. Flags Affected AF and CF as described above; OF, SF, ZF, and PF are undefined Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None ADC ── Add with Carry Opcode Instruction Clocks Description 14 ib ADC AL,imm8 2 Add with carry immediate byte to AL 15 iw ADC AX,imm16 2 Add with carry immediate word to AX 15 id ADC EAX,imm32 2 Add with carry immediate dword to EAX 80 /2 ib ADC r/m8,imm8 2/7 Add with carry immediate byte to r/m byte 81 /2 iw ADC r/m16,imm16 2/7 Add with carry immediate word to r/m word 81 /2 id ADC r/m32,imm32 2/7 Add with CF immediate dword to r/m dword 83 /2 ib ADC r/m16,imm8 2/7 Add with CF sign-extended immediate byte to r/m word 83 /2 ib ADC r/m32,imm8 2/7 Add with CF sign-extended immediate byte into r/m dword 10 /r ADC r/m8,r8 2/7 Add with carry byte register to r/m byte 11 /r ADC r/m16,r16 2/7 Add with carry word register to r/m word 11 /r ADC r/m32,r32 2/7 Add with CF dword register to r/m dword 12 /r ADC r8,r/m8 2/6 Add with carry r/m byte to byte register 13 /r ADC r16,r/m16 2/6 Add with carry r/m word to word register 13 /r ADC r32,r/m32 2/6 Add with CF r/m dword to dword register Operation DEST DEST + SRC + CF; Description ADC performs an integer addition of the two operands DEST and SRC and the carry flag, CF. The result of the addition is assigned to the first operand (DEST), and the flags are set accordingly. ADC is usually executed as part of a multi-byte or multi-word addition operation. When an immediate byte value is added to a word or doubleword operand, the immediate value is first sign-extended to the size of the word or doubleword operand. Flags Affected OF, SF, ZF, AF, CF, and PF as described in Appendix C Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) if page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault ADD ── Add Opcode Instruction Clocks Description 04 ib ADD AL,imm8 2 Add immediate byte to AL 05 iw ADD AX,imm16 2 Add immediate word to AX 05 id ADD EAX,imm32 2 Add immediate dword to EAX 80 /0 ib ADD r/m8,imm8 2/7 Add immediate byte to r/m byte 81 /0 iw ADD r/m16,imm16 2/7 Add immediate word to r/m word 81 /0 id ADD r/m32,imm32 2/7 Add immediate dword to r/m dword 83 /0 ib ADD r/m16,imm8 2/7 Add sign-extended immediate byte to r/m word 83 /0 ib ADD r/m32,imm8 2/7 Add sign-extended immediate byte to r/m dword 00 /r ADD r/m8,r8 2/7 Add byte register to r/m byte 01 /r ADD r/m16,r16 2/7 Add word register to r/m word 01 /r ADD r/m32,r32 2/7 Add dword register to r/m dword 02 /r ADD r8,r/m8 2/6 Add r/m byte to byte register 03 /r ADD r16,r/m16 2/6 Add r/m word to word register 03 /r ADD r32,r/m32 2/6 Add r/m dword to dword register Operation DEST DEST + SRC; Description ADD performs an integer addition of the two operands (DEST and SRC). The result of the addition is assigned to the first operand (DEST), and the flags are set accordingly. When an immediate byte is added to a word or doubleword operand, the immediate value is sign-extended to the size of the word or doubleword operand. Flags Affected OF, SF, ZF, AF, CF, and PF as described in Appendix C Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault AND ── Logical AND Opcode Instruction Clocks Description 24 ib AND AL,imm8 2 AND immediate byte to AL 25 iw AND AX,imm16 2 AND immediate word to AX 25 id AND EAX,imm32 2 AND immediate dword to EAX 80 /4 ib AND r/m8,imm8 2/7 AND immediate byte to r/m byte 81 /4 iw AND r/m16,imm16 2/7 AND immediate word to r/m word 81 /4 id AND r/m32,imm32 2/7 AND immediate dword to r/m dword 83 /4 ib AND r/m16,imm8 2/7 AND sign-extended immediate byte with r/m word 83 /4 ib AND r/m32,imm8 2/7 AND sign-extended immediate byte with r/m dword 20 /r AND r/m8,r8 2/7 AND byte register to r/m byte 21 /r AND r/m16,r16 2/7 AND word register to r/m word 21 /r AND r/m32,r32 2/7 AND dword register to r/m dword 22 /r AND r8,r/m8 2/6 AND r/m byte to byte register 23 /r AND r16,r/m16 2/6 AND r/m word to word register 23 /r AND r32,r/m32 2/6 AND r/m dword to dword register Operation DEST DEST AND SRC; CF 0; OF 0; Description Each bit of the result of the AND instruction is a 1 if both corresponding bits of the operands are 1; otherwise, it becomes a 0. Flags Affected CF = 0, OF = 0; PF, SF, and ZF as described in Appendix C Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault ARPL ── Adjust RPL Field of Selector Opcode Instruction Clocks Description 63 /r ARPL r/m16,r16 pm=20/21 Adjust RPL of r/m16 to not less than RPL of r16 Operation IF RPL bits(0,1) of DEST < RPL bits(0,1) of SRC THEN ZF 1; RPL bits(0,1) of DEST RPL bits(0,1) of SRC; ELSE ZF 0; FI; Description The ARPL instruction has two operands. The first operand is a 16-bit memory variable or word register that contains the value of a selector. The second operand is a word register. If the RPL field ("requested privilege level"──bottom two bits) of the first operand is less than the RPL field of the second operand, the zero flag is set to 1 and the RPL field of the first operand is increased to match the second operand. Otherwise, the zero flag is set to 0 and no change is made to the first operand. ARPL appears in operating system software, not in application programs. It is used to guarantee that a selector parameter to a subroutine does not request more privilege than the caller is allowed. The second operand of ARPL is normally a register that contains the CS selector value of the caller. Flags Affected ZF as described above Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6; ARPL is not recognized in Real Address Mode Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault BOUND ── Check Array Index Against Bounds Opcode Instruction Clocks Description 62 /r BOUND r16,m16&16 10 Check if r16 is within bounds (passes test) 62 /r BOUND r32,m32&32 10 Check if r32 is within bounds (passes test) Operation IF (LeftSRC < [RightSRC] OR LeftSRC > [RightSRC + OperandSize/8]) (* Under lower bound or over upper bound *) THEN Interrupt 5; FI; Description BOUND ensures that a signed array index is within the limits specified by a block of memory consisting of an upper and a lower bound. Each bound uses one word for an operand-size attribute of 16 bits and a doubleword for an operand-size attribute of 32 bits. The first operand (a register) must be greater than or equal to the first bound in memory (lower bound), and less than or equal to the second bound in memory (upper bound). If the register is not within bounds, an Interrupt 5 occurs; the return EIP points to the BOUND instruction. The bounds limit data structure is usually placed just before the array itself, making the limits addressable via a constant offset from the beginning of the array. Flags Affected None Protected Mode Exceptions Interrupt 5 if the bounds test fails, as described above; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault The second operand must be a memory operand, not a register. If BOUND is executed with a ModRM byte representing a register as the second operand, #UD occurs. Real Address Mode Exceptions Interrupt 5 if the bounds test fails; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH; Interrupt 6 if the second operand is a register Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault BSF ── Bit Scan Forward Opcode Instruction Clocks Description 0F BC BSF r16,r/m16 10+3n Bit scan forward on r/m word 0F BC BSF r32,r/m32 10+3n Bit scan forward on r/m dword Notes is the number of leading zero bits. Operation IF r/m = 0 THEN ZF 1; register UNDEFINED; ELSE temp 0; ZF 0; WHILE BIT[r/m, temp = 0] DO temp temp + 1; register temp; OD; FI; Description BSF scans the bits in the second word or doubleword operand starting with bit 0. The ZF flag is cleared if the bits are all 0; otherwise, the ZF flag is set and the destination register is loaded with the bit index of the first set bit. Flags Affected ZF as described above Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault BSR ── Bit Scan Reverse Opcode Instruction Clocks Description 0F BD BSR r16,r/m16 10+3n Bit scan reverse on r/m word 0F BD BSR r32,r/m32 10+3n Bit scan reverse on r/m dword Operation IF r/m = 0 THEN ZF 1; register UNDEFINED; ELSE temp OperandSize - 1; ZF 0; WHILE BIT[r/m, temp] = 0 DO temp temp - 1; register temp; OD; FI; Description BSR scans the bits in the second word or doubleword operand from the most significant bit to the least significant bit. The ZF flag is cleared if the bits are all 0; otherwise, ZF is set and the destination register is loaded with the bit index of the first set bit found when scanning in the reverse direction. Flags Affected ZF as described above Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault BT ── Bit Test Opcode Instruction Clocks Description 0F A3 BT r/m16,r16 3/12 Save bit in carry flag 0F A3 BT r/m32,r32 3/12 Save bit in carry flag 0F BA /4 ib BT r/m16,imm8 3/6 Save bit in carry flag 0F BA /4 ib BT r/m32,imm8 3/6 Save bit in carry flag Operation CF BIT[LeftSRC, RightSRC]; Description BT saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the carry flag. Flags Affected CF as described above Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Notes The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by using the immediate bit offset field in combination with the displacement field of the memory operand. The low-order 3 to 5 bits of the immediate bit offset are stored in the immediate bit offset field, and the high-order 27 to 29 bits are shifted and combined with the byte displacement in the addressing mode. When accessing a bit in memory, the 80386 may access four bytes starting from the memory address given by: Effective Address + (4 * (BitOffset DIV 32)) for a 32-bit operand size, or two bytes starting from the memory address given by: Effective Address + (2 * (BitOffset DIV 16)) for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. You must therefore avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data. BTC ── Bit Test and Complement Opcode Instruction Clocks Description 0F BB BTC r/m16,r16 6/13 Save bit in carry flag and complement 0F BB BTC r/m32,r32 6/13 Save bit in carry flag and complement 0F BA /7 ib BTC r/m16,imm8 6/8 Save bit in carry flag and complement 0F BA /7 ib BTC r/m32,imm8 6/8 Save bit in carry flag and complement Operation CF BIT[LeftSRC, RightSRC]; BIT[LeftSRC, RightSRC] NOT BIT[LeftSRC, RightSRC]; Description BTC saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the carry flag and then complements the bit. Flags Affected CF as described above Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Notes The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by using the immediate bit offset field in combination with the displacement field of the memory operand. The low-order 3 to 5 bits of the immediate bit offset are stored in the immediate bit offset field, and the high-order 27 to 29 bits are shifted and combined with the byte displacement in the addressing mode. When accessing a bit in memory, the 80386 may access four bytes starting from the memory address given by: Effective Address + (4 * (BitOffset DIV 32)) for a 32-bit operand size, or two bytes starting from the memory address given by: Effective Address + (2 * (BitOffset DIV 16)) for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. You must therefore avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data. BTR ── Bit Test and Reset Opcode Instruction Clocks Description 0F B3 BTR r/m16,r16 6/13 Save bit in carry flag and reset 0F B3 BTR r/m32,r32 6/13 Save bit in carry flag and reset 0F BA /6 ib BTR r/m16,imm8 6/8 Save bit in carry flag and reset 0F BA /6 ib BTR r/m32,imm8 6/8 Save bit in carry flag and reset Operation CF BIT[LeftSRC, RightSRC]; BIT[LeftSRC, RightSRC] 0; Description BTR saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the carry flag and then stores 0 in the bit. Flags Affected CF as described above Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Notes The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 (or 15) are supported by using the immediate bit offset field in combination with the displacement field of the memory operand. The low-order 3 to 5 bits of the immediate bit offset are stored in the immediate bit offset field, and the high-order 27 to 29 bits are shifted and combined with the byte displacement in the addressing mode. When accessing a bit in memory, the 80386 may access four bytes starting from the memory address given by: Effective Address + 4 * (BitOffset DIV 32) for a 32-bit operand size, or two bytes starting from the memory address given by: Effective Address + 2 * (BitOffset DIV 16) for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. You must therefore avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data. BTS ── Bit Test and Set Opcode Instruction Clocks Description 0F AB BTS r/m16,r16 6/13 Save bit in carry flag and set 0F AB BTS r/m32,r32 6/13 Save bit in carry flag and set 0F BA /5 ib BTS r/m16,imm8 6/8 Save bit in carry flag and set 0F BA /5 ib BTS r/m32,imm8 6/8 Save bit in carry flag and set Operation CF BIT[LeftSRC, RightSRC]; BIT[LeftSRC, RightSRC] 1; Description BTS saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the carry flag and then stores 1 in the bit. Flags Affected CF as described above Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Notes The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by using the immediate bit offset field in combination with the displacement field of the memory operand. The low-order 3 to 5 bits of the immediate bit offset are stored in the immediate bit offset field, and the high order 27 to 29 bits are shifted and combined with the byte displacement in the addressing mode. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by: Effective Address + (4 * (BitOffset DIV 32)) for a 32-bit operand size, or two bytes starting from the memory address given by: Effective Address + (2 * (BitOffset DIV 16)) for a 16-bit operand size. It may do this even when only a single byte needs to be accessed in order to get at the given bit. Thus the programmer must be careful to avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data. CALL ── Call Procedure Opcode Instruction Clocks Values of ts are given by the following table: New Task 386 TSS 386 TSS 286 TSS Old VM = 0 VM = 1 Task Via Task Gate? N Y N Y N Y 386 300 309 217 226 273 282 TSS VM=0 286 298 307 217 226 273 282 TSS Description E8 cw CALL rel16 7+m Call near, displacement relative to next instruction FF /2 CALL r/m16 7+m/10+m Call near, register indirect/memory indirect 9A cd CALL ptr16:16 17+m,pm=34+m Call intersegment, to full pointer given 9A cd CALL ptr16:16 pm=52+m Call gate, same privilege 9A cd CALL ptr16:16 pm=86+m Call gate, more privilege, no parameters 9A cd CALL ptr16:16 pm=94+4x+m Call gate, more privilege, x parameters 9A cd CALL ptr16:16 ts Call to task FF /3 CALL m16:16 22+m,pm=38+m Call intersegment, address at r/m dword FF /3 CALL m16:16 pm=56+m Call gate, same privilege FF /3 CALL m16:16 pm=90+m Call gate, more privilege, no parameters FF /3 CALL m16:16 pm=98+4x+m Call gate, more privilege, x parameters FF /3 CALL m16:16 5 + ts Call to task E8 cd CALL rel32 7+m Call near, displacement relative to next instruction FF /2 CALL r/m32 7+m/10+m Call near, indirect 9A cp CALL ptr16:32 17+m,pm=34+m Call intersegment, to full pointer given 9A cp CALL ptr16:32 pm=52+m Call gate, same privilege 9A cp CALL ptr16:32 pm=86+m Call gate, more privilege, no parameters 9A cp CALL ptr32:32 pm=94+4x+m Call gate, more privilege, x parameters 9A cp CALL ptr16:32 ts Call to task FF /3 CALL m16:32 22+m,pm=38+m Call intersegment, address at r/m dword FF /3 CALL m16:32 pm=56+m Call gate, same privilege FF /3 CALL m16:32 pm=90+m Call gate, more privilege, no parameters FF /3 CALL m16:32 pm=98+4x+m Call gate, more privilege, x parameters FF /3 CALL m16:32 5 + ts Call to task ─────────────────────────────────────────────────────────────────────────── NOTE: Values of ts are given by the following table: New Task 386 TSS 386 TSS 286 TSS Old VM = 0 VM = 1 Task Via Task Gate? N Y N Y N Y 386 300 309 217 226 273 282 TSS VM=0 286 298 307 217 226 273 282 TSS ─────────────────────────────────────────────────────────────────────────── Operation IF rel16 or rel32 type of call THEN (* near relative call *) IF OperandSize = 16 THEN Push(IP); EIP (EIP + rel16) AND 0000FFFFH; ELSE (* OperandSize = 32 *) Push(EIP); EIP EIP + rel32; FI; FI; IF r/m16 or r/m32 type of call THEN (* near absolute call *) IF OperandSize = 16 THEN Push(IP); EIP [r/m16] AND 0000FFFFH; ELSE (* OperandSize = 32 *) Push(EIP); EIP [r/m32]; FI; FI; IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or virtual 8086 mode *) AND instruction = far CALL (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *) THEN IF OperandSize = 16 THEN Push(CS); Push(IP); (* address of next instruction; 16 bits *) ELSE Push(CS); (* padded with 16 high-order bits *) Push(EIP); (* address of next instruction; 32 bits *) FI; IF operand type is m16:16 or m16:32 THEN (* indirect far call *) IF OperandSize = 16 THEN CS:IP [m16:16]; EIP EIP AND 0000FFFFH; (* clear upper 16 bits *) ELSE (* OperandSize = 32 *) CS:EIP [m16:32]; FI; FI; IF operand type is ptr16:16 or ptr16:32 THEN (* direct far call *) IF OperandSize = 16 THEN CS:IP ptr16:16; EIP EIP AND 0000FFFFH; (* clear upper 16 bits *) ELSE (* OperandSize = 32 *) CS:EIP ptr16:32; FI; FI; FI; IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) AND instruction = far CALL THEN If indirect, then check access of EA doubleword; #GP(0) if limit violation; New CS selector must not be null else #GP(0); Check that new CS selector index is within its descriptor table limits; else #GP(new CS selector); Examine AR byte of selected descriptor for various legal values; depending on value: go to CONFORMING-CODE-SEGMENT; go to NONCONFORMING-CODE-SEGMENT; go to CALL-GATE; go to TASK-GATE; go to TASK-STATE-SEGMENT; ELSE #GP(code segment selector); FI; CONFORMING-CODE-SEGMENT: DPL must be ≤ CPL ELSE #GP(code segment selector); Segment must be present ELSE #NP(code segment selector); Stack must be big enough for return address ELSE #SS(0); Instruction pointer must be in code segment limit ELSE #GP(0); Load code segment descriptor into CS register; Load CS with new code segment selector; Load EIP with zero-extend(new offset); IF OperandSize=16 THEN EIP EIP AND 0000FFFFH; FI; NONCONFORMING-CODE-SEGMENT: RPL must be ≤ CPL ELSE #GP(code segment selector) DPL must be = CPL ELSE #GP(code segment selector) Segment must be present ELSE #NP(code segment selector) Stack must be big enough for return address ELSE #SS(0) Instruction pointer must be in code segment limit ELSE #GP(0) Load code segment descriptor into CS register Load CS with new code segment selector Set RPL of CS to CPL Load EIP with zero-extend(new offset); IF OperandSize=16 THEN EIP EIP AND 0000FFFFH; FI; CALL-GATE: Call gate DPL must be ≥ CPL ELSE #GP(call gate selector) Call gate DPL must be ≥ RPL ELSE #GP(call gate selector) Call gate must be present ELSE #NP(call gate selector) Examine code segment selector in call gate descriptor: Selector must not be null ELSE #GP(0) Selector must be within its descriptor table limits ELSE #GP(code segment selector) AR byte of selected descriptor must indicate code segment ELSE #GP(code segment selector) DPL of selected descriptor must be ≤ CPL ELSE #GP(code segment selector) IF non-conforming code segment AND DPL < CPL THEN go to MORE-PRIVILEGE ELSE go to SAME-PRIVILEGE FI; MORE-PRIVILEGE: Get new SS selector for new privilege level from TSS Check selector and descriptor for new SS: Selector must not be null ELSE #TS(0) Selector index must be within its descriptor table limits ELSE #TS(SS selector) Selector's RPL must equal DPL of code segment ELSE #TS(SS selector) Stack segment DPL must equal DPL of code segment ELSE #TS(SS selector) Descriptor must indicate writable data segment ELSE #TS(SS selector) Segment present ELSE #SS(SS selector) IF OperandSize=32 THEN New stack must have room for parameters plus 16 bytes ELSE #SS(0) EIP must be in code segment limit ELSE #GP(0) Load new SS:eSP value from TSS Load new CS:EIP value from gate ELSE New stack must have room for parameters plus 8 bytes ELSE #SS(0) IP must be in code segment limit ELSE #GP(0) Load new SS:eSP value from TSS Load new CS:IP value from gate FI; Load CS descriptor Load SS descriptor Push long pointer of old stack onto new stack Get word count from call gate, mask to 5 bits Copy parameters from old stack onto new stack Push return address onto new stack Set CPL to stack segment DPL Set RPL of CS to CPL SAME-PRIVILEGE: IF OperandSize=32 THEN Stack must have room for 6-byte return address (padded to 8 bytes) ELSE #SS(0) EIP must be within code segment limit ELSE #GP(0) Load CS:EIP from gate ELSE Stack must have room for 4-byte return address ELSE #SS(0) IP must be within code segment limit ELSE #GP(0) Load CS:IP from gate FI; Push return address onto stack Load code segment descriptor into CS register Set RPL of CS to CPL TASK-GATE: Task gate DPL must be ≥ CPL ELSE #TS(gate selector) Task gate DPL must be ≥ RPL ELSE #TS(gate selector) Task Gate must be present ELSE #NP(gate selector) Examine selector to TSS, given in Task Gate descriptor: Must specify global in the local/global bit ELSE #TS(TSS selector) Index must be within GDT limits ELSE #TS(TSS selector) TSS descriptor AR byte must specify nonbusy TSS ELSE #TS(TSS selector) Task State Segment must be present ELSE #NP(TSS selector) SWITCH-TASKS (with nesting) to TSS IP must be in code segment limit ELSE #TS(0) TASK-STATE-SEGMENT: TSS DPL must be ≥ CPL else #TS(TSS selector) TSS DPL must be ≥ RPL ELSE #TS(TSS selector) TSS descriptor AR byte must specify available TSS ELSE #TS(TSS selector) Task State Segment must be present ELSE #NP(TSS selector) SWITCH-TASKS (with nesting) to TSS IP must be in code segment limit ELSE #TS(0) Description The CALL instruction causes the procedure named in the operand to be executed. When the procedure is complete (a return instruction is executed within the procedure), execution continues at the instruction that follows the CALL instruction. The action of the different forms of the instruction are described below. Near calls are those with destinations of type r/m16, r/m32, rel16, rel32; changing or saving the segment register value is not necessary. The CALL rel16 and CALL rel32 forms add a signed offset to the address of the instruction following CALL to determine the destination. The rel16 form is used when the instruction's operand-size attribute is 16 bits; rel32 is used when the operand-size attribute is 32 bits. The result is stored in the 32-bit EIP register. With rel16, the upper 16 bits of EIP are cleared, resulting in an offset whose value does not exceed 16 bits. CALL r/m16 and CALL r/m32 specify a register or memory location from which the absolute segment offset is fetched. The offset fetched from r/m is 32 bits for an operand-size attribute of 32 (r/m32), or 16 bits for an operand-size of 16 (r/m16). The offset of the instruction following CALL is pushed onto the stack. It will be popped by a near RET instruction within the procedure. The CS register is not changed by this form of CALL. The far calls, CALL ptr16:16 and CALL ptr16:32, use a four-byte or six-byte operand as a long pointer to the procedure called. The CALL m16:16 and m16:32 forms fetch the long pointer from the memory location specified (indirection). In Real Address Mode or Virtual 8086 Mode, the long pointer provides 16 bits for the CS register and 16 or 32 bits for the EIP register (depending on the operand-size attribute). These forms of the instruction push both CS and IP or EIP as a return address. In Protected Mode, both long pointer forms consult the AR byte in the descriptor indexed by the selector part of the long pointer. Depending on the value of the AR byte, the call will perform one of the following types of control transfers: ■ A far call to the same protection level ■ An inter-protection level far call ■ A task switch For more information on Protected Mode control transfers, refer to Chapter 6 and Chapter 7. Flags Affected All flags are affected if a task switch occurs; no flags are affected if a task switch does not occur Protected Mode Exceptions For far calls: #GP, #NP, #SS, and #TS, as indicated in the list above For near direct calls: #GP(0) if procedure location is beyond the code segment limits; #SS(0) if pushing the return address exceeds the bounds of the stack segment; #PF (fault-code) for a page fault For a near indirect call: #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #GP(0) if the indirect offset obtained is beyond the code segment limits; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Notes Any far call from a 32-bit code segment to 16-bit code segments should be made from the first 64K bytes of the 32-bit code segment, since the operand-size attribute of the instruction is set to 16, thus allowing only a 16-bit return address offset to be saved. CBW/CWDE ── Convert Byte to Word/Convert Word to Doubleword Opcode Instruction Clocks Description 98 CBW 3 AX sign-extend of AL 98 CWDE 3 EAX sign-extend of AX Operation IF OperandSize = 16 (* instruction = CBW *) THEN AX SignExtend(AL); ELSE (* OperandSize = 32, instruction = CWDE *) EAX SignExtend(AX); FI; Description CBW converts the signed byte in AL to a signed word in AX by extending the most significant bit of AL (the sign bit) into all of the bits of AH. CWDE converts the signed word in AX to a doubleword in EAX by extending the most significant bit of AX into the two most significant bytes of EAX. Note that CWDE is different from CWD. CWD uses DX:AX rather than EAX as a destination. Flags Affected None Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None CLC ── Clear Carry Flag Opcode Instruction Clocks Description F8 CLC 2 Clear carry flag Operation CF 0; Description CLC sets the carry flag to zero. It does not affect other flags or registers. Flags Affected CF = 0 Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None CLD ── Clear Direction Flag Opcode Instruction Clocks Description FC CLD 2 Clear direction flag; SI and DI will increment during string instructions Operation DF 0; Description CLD clears the direction flag. No other flags or registers are affected. After CLD is executed, string operations will increment the index registers (SI and/or DI) that they use. Flags Affected DF = 0 Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None CLI ── Clear Interrupt Flag Opcode Instruction Clocks Description FA CLI 3 Clear interrupt flag; interrupts disabled Operation IF 0; Description CLI clears the interrupt flag if the current privilege level is at least as privileged as IOPL. No other flags are affected. External interrupts are not recognized at the end of the CLI instruction or from that point on until the interrupt flag is set. Flags Affected IF = 0 Protected Mode Exceptions #GP(0) if the current privilege level is greater (has less privilege) than the IOPL in the flags register. IOPL specifies the least privileged level at which I/O can be performed. Real Address Mode Exceptions None Virtual 8086 Mode Exceptions #GP(0) as for Protected Mode CLTS ── Clear Task-Switched Flag in CR0 Opcode Instruction Clocks Description OF 06 CLTS 5 Clear task-switched flag Operation TS Flag in CR0 0; Description CLTS clears the task-switched (TS) flag in register CR0. This flag is set by the 80386 every time a task switch occurs. The TS flag is used to manage processor extensions as follows: ■ Every execution of an ESC instruction is trapped if the TS flag is set. ■ Execution of a WAIT instruction is trapped if the MP flag and the TS flag are both set. Thus, if a task switch was made after an ESC instruction was begun, the processor extension's context may need to be saved before a new ESC instruction can be issued. The fault handler saves the context and resets the TS flag. CLTS appears in operating system software, not in application programs. It is a privileged instruction that can only be executed at privilege level 0. Flags Affected TS = 0 (TS is in CR0, not the flag register) Protected Mode Exceptions #GP(0) if CLTS is executed with a current privilege level other than 0 Real Address Mode Exceptions None (valid in Real Address Mode to allow initialization for Protected Mode) Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode CMC ── Complement Carry Flag Opcode Instruction Clocks Description F5 CMC 2 Complement carry flag Operation CF NOT CF; Description CMC reverses the setting of the carry flag. No other flags are affected. Flags Affected CF as described above Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None CMP ── Compare Two Operands Opcode Instruction Clocks Description 3C ib CMP AL,imm8 2 Compare immediate byte to AL 3D iw CMP AX,imm16 2 Compare immediate word to AX 3D id CMP EAX,imm32 2 Compare immediate dword to EAX 80 /7 ib CMP r/m8,imm8 2/5 Compare immediate byte to r/m byte 81 /7 iw CMP r/m16,imm16 2/5 Compare immediate word to r/m word 81 /7 id CMP r/m32,imm32 2/5 Compare immediate dword to r/m dword 83 /7 ib CMP r/m16,imm8 2/5 Compare sign extended immediate byte to r/m word 83 /7 ib CMP r/m32,imm8 2/5 Compare sign extended immediate byte to r/m dword 38 /r CMP r/m8,r8 2/5 Compare byte register to r/m byte 39 /r CMP r/m16,r16 2/5 Compare word register to r/m word 39 /r CMP r/m32,r32 2/5 Compare dword register to r/m dword 3A /r CMP r8,r/m8 2/6 Compare r/m byte to byte register 3B /r CMP r16,r/m16 2/6 Compare r/m word to word register 3B /r CMP r32,r/m32 2/6 Compare r/m dword to dword register Operation LeftSRC - SignExtend(RightSRC); (* CMP does not store a result; its purpose is to set the flags *) Description CMP subtracts the second operand from the first but, unlike the SUB instruction, does not store the result; only the flags are changed. CMP is typically used in conjunction with conditional jumps and the SETcc instruction. (Refer to Appendix D for the list of signed and unsigned flag tests provided.) If an operand greater than one byte is compared to an immediate byte, the byte value is first sign-extended. Flags Affected OF, SF, ZF, AF, PF, and CF as described in Appendix C Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault CMPS/CMPSB/CMPSW/CMPSD ── Compare String Operands Opcode Instruction Clocks Description A6 CMPS m8,m8 10 Compare bytes ES:[(E)DI] (second operand) with [(E)SI] (first operand) A7 CMPS m16,m16 10 Compare words ES:[(E)DI] (second operand) with [(E)SI] (first operand) A7 CMPS m32,m32 10 Compare dwords ES:[(E)DI] (second operand) with [(E)SI] (first operand) A6 CMPSB 10 Compare bytes ES:[(E)DI] with DS:[SI] A7 CMPSW 10 Compare words ES:[(E)DI] with DS:[SI] A7 CMPSD 10 Compare dwords ES:[(E)DI] with DS:[SI] Operation IF (instruction = CMPSD) OR (instruction has operands of type DWORD) THEN OperandSize 32; ELSE OperandSize 16; FI; IF AddressSize = 16 THEN use SI for source-index and DI for destination-index ELSE (* AddressSize = 32 *) use ESI for source-index and EDI for destination-index; FI; IF byte type of instruction THEN [source-index] - [destination-index]; (* byte comparison *) IF DF = 0 THEN IncDec 1 ELSE IncDec -1; FI; ELSE IF OperandSize = 16 THEN [source-index] - [destination-index]; (* word comparison *) IF DF = 0 THEN IncDec 2 ELSE IncDec -2; FI; ELSE (* OperandSize = 32 *) [source-index] - [destination-index]; (* dword comparison *) IF DF = 0 THEN IncDec 4 ELSE IncDec -4; FI; FI; FI; source-index = source-index + IncDec; destination-index = destination-index + IncDec; Description CMPS compares the byte, word, or doubleword pointed to by the source-index register with the byte, word, or doubleword pointed to by the destination-index register. If the address-size attribute of this instruction is 16 bits, SI and DI will be used for source- and destination-index registers; otherwise ESI and EDI will be used. Load the correct index values into SI and DI (or ESI and EDI) before executing CMPS. The comparison is done by subtracting the operand indexed by the destination-index register from the operand indexed by the source-index register. Note that the direction of subtraction for CMPS is [SI] - [DI] or [ESI] - [EDI]. The left operand (SI or ESI) is the source and the right operand (DI or EDI) is the destination. This is the reverse of the usual Intel convention in which the left operand is the destination and the right operand is the source. The result of the subtraction is not stored; only the flags reflect the change. The types of the operands determine whether bytes, words, or doublewords are compared. For the first operand (SI or ESI), the DS register is used, unless a segment override byte is present. The second operand (DI or EDI) must be addressable from the ES register; no segment override is possible. After the comparison is made, both the source-index register and destination-index register are automatically advanced. If the direction flag is 0 (CLD was executed), the registers increment; if the direction flag is 1 (STD was executed), the registers decrement. The registers increment or decrement by 1 if a byte is compared, by 2 if a word is compared, or by 4 if a doubleword is compared. CMPSB, CMPSW and CMPSD are synonyms for the byte, word, and doubleword CMPS instructions, respectively. CMPS can be preceded by the REPE or REPNE prefix for block comparison of CX or ECX bytes, words, or doublewords. Refer to the description of the REP instruction for more information on this operation. Flags Affected OF, SF, ZF, AF, PF, and CF as described in Appendix C Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault CWD/CDQ ── Convert Word to Doubleword/Convert Doubleword to Quadword Opcode Instruction Clocks Description 99 CWD 2 DX:AX sign-extend of AX 99 CDQ 2 EDX:EAX sign-extend of EAX Operation IF OperandSize = 16 (* CWD instruction *) THEN IF AX < 0 THEN DX 0FFFFH; ELSE DX 0; FI; ELSE (* OperandSize = 32, CDQ instruction *) IF EAX < 0 THEN EDX 0FFFFFFFFH; ELSE EDX 0; FI; FI; Description CWD converts the signed word in AX to a signed doubleword in DX:AX by extending the most significant bit of AX into all the bits of DX. CDQ converts the signed doubleword in EAX to a signed 64-bit integer in the register pair EDX:EAX by extending the most significant bit of EAX (the sign bit) into all the bits of EDX. Note that CWD is different from CWDE. CWDE uses EAX as a destination, instead of DX:AX. Flags Affected None Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None DAA ── Decimal Adjust AL after Addition Opcode Instruction Clocks Description 27 DAA 4 Decimal adjust AL after addition Operation IF ((AL AND 0FH) > 9) OR (AF = 1) THEN AL AL + 6; AF 1; ELSE AF 0; FI; IF (AL > 9FH) OR (CF = 1) THEN AL AL + 60H; CF 1; ELSE CF 0; FI; Description Execute DAA only after executing an ADD instruction that leaves a two-BCD-digit byte result in the AL register. The ADD operands should consist of two packed BCD digits. The DAA instruction adjusts AL to contain the correct two-digit packed decimal result. Flags Affected AF and CF as described above; SF, ZF, PF, and CF as described in Appendix C. Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None DAS ── Decimal Adjust AL after Subtraction Opcode Instruction Clocks Description 2F DAS 4 Decimal adjust AL after subtraction Operation IF (AL AND 0FH) > 9 OR AF = 1 THEN AL AL - 6; AF 1; ELSE AF 0; FI; IF (AL > 9FH) OR (CF = 1) THEN AL AL - 60H; CF 1; ELSE CF 0; FI; Description Execute DAS only after a subtraction instruction that leaves a two-BCD-digit byte result in the AL register. The operands should consist of two packed BCD digits. DAS adjusts AL to contain the correct packed two-digit decimal result. Flags Affected AF and CF as described above; SF, ZF, and PF as described in Appendix C. Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None DEC ── Decrement by 1 Opcode Instruction Clocks Description FE /1 DEC r/m8 2/6 Decrement r/m byte by 1 FF /1 DEC r/m16 2/6 Decrement r/m word by 1 DEC r/m32 2/6 Decrement r/m dword by 1 48+rw DEC r16 2 Decrement word register by 1 48+rw DEC r32 2 Decrement dword register by 1 Operation DEST DEST - 1; Description DEC subtracts 1 from the operand. DEC does not change the carry flag. To affect the carry flag, use the SUB instruction with an immediate operand of 1. Flags Affected OF, SF, ZF, AF, and PF as described in Appendix C. Protected Mode Exceptions #GP(0) if the result is a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault DIV ── Unsigned Divide Opcode Instruction Clocks Description F6 /6 DIV AL,r/m8 14/17 Unsigned divide AX by r/m byte (AL=Quo, AH=Rem) F7 /6 DIV AX,r/m16 22/25 Unsigned divide DX:AX by r/m word (AX=Quo, DX=Rem) F7 /6 DIV EAX,r/m32 38/41 Unsigned divide EDX:EAX by r/m dword (EAX=Quo, EDX=Rem) Operation temp dividend / divisor; IF temp does not fit in quotient THEN Interrupt 0; ELSE quotient temp; remainder dividend MOD (r/m); FI; ─────────────────────────────────────────────────────────────────────────── Note: Divisions are unsigned. The divisor is given by the r/m operand. The dividend, quotient, and remainder use implicit registers. Refer to the table under "Description." ─────────────────────────────────────────────────────────────────────────── Description DIV performs an unsigned division. The dividend is implicit; only the divisor is given as an operand. The remainder is always less than the divisor. The type of the divisor determines which registers to use as follows: Size Dividend Divisor Quotient Remainder byte AX r/m8 AL AH word DX:AX r/m16 AX DX dword EDX:EAX r/m32 EAX EDX Flags Affected OF, SF, ZF, AR, PF, CF are undefined. Protected Mode Exceptions Interrupt 0 if the quotient is too large to fit in the designated register (AL, AX, or EAX), or if the divisor is 0; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 0 if the quotient is too big to fit in the designated register (AL, AX, or EAX), or if the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault ENTER ── Make Stack Frame for Procedure Parameters Opcode Instruction Clocks Description C8 iw 00 ENTER imm16,0 10 Make procedure stack frame C8 iw 01 ENTER imm16,1 12 Make stack frame for procedure parameters C8 iw ib ENTER imm16,imm8 15+4(n-1) Make stack frame for procedure parameters Operation level level MOD 32 IF OperandSize = 16 THEN Push(BP) ELSE Push (EBP) FI; (* Save stack pointer *) frame-ptr eSP IF level > 0 THEN (* level is rightmost parameter *) FOR i 1 TO level - 1 DO IF OperandSize = 16 THEN BP BP - 2; Push[BP] ELSE (* OperandSize = 32 *) EBP EBP - 4; Push[EBP]; FI; OD; Push(frame-ptr) FI; IF OperandSize = 16 THEN BP frame-ptr ELSE EBP frame-ptr; FI; IF StackAddrSize = 16 THEN SP SP - First operand; ELSE ESP ESP - ZeroExtend(First operand); FI; Description ENTER creates the stack frame required by most block-structured high-level languages. The first operand specifies the number of bytes of dynamic storage allocated on the stack for the routine being entered. The second operand gives the lexical nesting level (0 to 31) of the routine within the high-level language source code. It determines the number of stack frame pointers copied into the new stack frame from the preceding frame. BP (or EBP, if the operand-size attribute is 32 bits) is the current stack frame pointer. If the operand-size attribute is 16 bits, the processor uses BP as the frame pointer and SP as the stack pointer. If the operand-size attribute is 32 bits, the processor uses EBP for the frame pointer and ESP for the stack pointer. If the second operand is 0, ENTER pushes the frame pointer (BP or EBP) onto the stack; ENTER then subtracts the first operand from the stack pointer and sets the frame pointer to the current stack-pointer value. For example, a procedure with 12 bytes of local variables would have an ENTER 12,0 instruction at its entry point and a LEAVE instruction before every RET. The 12 local bytes would be addressed as negative offsets from the frame pointer. Flags Affected None Protected Mode Exceptions #SS(0) if SP or ESP would exceed the stack limit at any point during instruction execution; #PF(fault-code) for a page fault Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None HLT ── Halt Opcode Instruction Clocks Description F4 HLT 5 Halt Operation Enter Halt state; Description HALT stops instruction execution and places the 80386 in a HALT state. An enabled interrupt, NMI, or a reset will resume execution. If an interrupt (including NMI) is used to resume execution after HLT, the saved CS:IP (or CS:EIP) value points to the instruction following HLT. Flags Affected None Protected Mode Exceptions HLT is a privileged instruction; #GP(0) if the current privilege level is not 0 Real Address Mode Exceptions None Virtual 8086 Mode Exceptions #GP(0); HLT is a privileged instruction IDIV ── Signed Divide Opcode Instruction Clocks Description F6 /7 IDIV r/m8 19 Signed divide AX by r/m byte (AL=Quo, AH=Rem) F7 /7 IDIV AX,r/m16 27 Signed divide DX:AX by EA word (AX=Quo, DX=Rem) F7 /7 IDIV EAX,r/m32 43 Signed divide EDX:EAX by DWORD byte (EAX=Quo, EDX=Rem) Operation temp dividend / divisor; IF temp does not fit in quotient THEN Interrupt 0; ELSE quotient temp; remainder dividend MOD (r/m); FI; ─────────────────────────────────────────────────────────────────────────── Notes: Divisions are signed. The divisor is given by the r/m operand. The dividend, quotient, and remainder use implicit registers. Refer to the table under "Description." ─────────────────────────────────────────────────────────────────────────── Description IDIV performs a signed division. The dividend, quotient, and remainder are implicitly allocated to fixed registers. Only the divisor is given as an explicit r/m operand. The type of the divisor determines which registers to use as follows: Size Divisor Quotient Remainder Dividend byte r/m8 AL AH AX word r/m16 AX DX DX:AX dword r/m32 EAX EDX EDX:EAX If the resulting quotient is too large to fit in the destination, or if the division is 0, an Interrupt 0 is generated. Nonintegral quotients are truncated toward 0. The remainder has the same sign as the dividend and the absolute value of the remainder is always less than the absolute value of the divisor. Flags Affected OF, SF, ZF, AR, PF, CF are undefined. Protected Mode Exceptions Interrupt 0 if the quotient is too large to fit in the designated register (AL or AX), or if the divisor is 0; #GP (0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 0 if the quotient is too large to fit in the designated register (AL or AX), or if the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault IMUL ── Signed Multiply Opcode Instruction Clocks Description F6 /5 IMUL r/m8 9-14/12-17 AX AL * r/m byte F7 /5 IMUL r/m16 9-22/12-25 DX:AX AX * r/m word F7 /5 IMUL r/m32 9-38/12-41 EDX:EAX EAX * r/m dword 0F AF /r IMUL r16,r/m16 9-22/12-25 word register word register * r/m word 0F AF /r IMUL r32,r/m32 9-38/12-41 dword register dword register * r/m dword 6B /r ib IMUL r16,r/m16,imm8 9-14/12-17 word register r/m16 * sign-extended immediate byte 6B /r ib IMUL r32,r/m32,imm8 9-14/12-17 dword register r/m32 * sign-extended immediate byte 6B /r ib IMUL r16,imm8 9-14/12-17 word register word register * sign-extended immediate byte 6B /r ib IMUL r32,imm8 9-14/12-17 dword register dword register * sign-extended immediate byte 69 /r iw IMUL r16,r/m16,imm16 9-22/12-25 word register r/m16 * immediate word 69 /r id IMUL r32,r/m32,imm32 9-38/12-41 dword register r/m32 * immediate dword 69 /r iw IMUL r16,imm16 9-22/12-25 word register r/m16 * immediate word 69 /r id IMUL r32,imm32 9-38/12-41 dword register r/m32 * immediate dword ─────────────────────────────────────────────────────────────────────────── NOTES: The 80386 uses an early-out multiply algorithm. The actual number of clocks depends on the position of the most significant bit in the optimizing multiplier, shown underlined above. The optimization occurs for positive and negative values. Because of the early-out algorithm, clock counts given are minimum to maximum. To calculate the actual clocks, use the following formula: ─────────────────────────────────────────────────────────────────────────── Actual clock = if m <> 0 then max(ceiling(log{2} │m│), 3) + 6 clocks Actual clock = if m = 0 then 9 clocks (where m is the multiplier) Add three clocks if the multiplier is a memory operand. Operation result multiplicand * multiplier; Description IMUL performs signed multiplication. Some forms of the instruction use implicit register operands. The operand combinations for all forms of the instruction are shown in the "Description" column above. IMUL clears the overflow and carry flags under the following conditions: Instruction Form Condition for Clearing CF and OF r/m8 AL = sign-extend of AL to 16 bits r/m16 AX = sign-extend of AX to 32 bits r/m32 EDX:EAX = sign-extend of EAX to 32 bits r16,r/m16 Result exactly fits within r16 r/32,r/m32 Result exactly fits within r32 r16,r/m16,imm16 Result exactly fits within r16 r32,r/m32,imm32 Result exactly fits within r32 Flags Affected OF and CF as described above; SF, ZF, AF, and PF are undefined Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exeptions as in Real Address Mode; #PF(fault-code) for a page fault Notes When using the accumulator forms (IMUL r/m8, IMUL r/m16, or IMUL r/m32), the result of the multiplication is available even if the overflow flag is set because the result is two times the size of the multiplicand and multiplier. This is large enough to handle any possible result. IN ── Input from Port Opcode Instruction Clocks Description E4 ib IN AL,imm8 12,pm=6*/26** Input byte from immediate port into AL E5 ib IN AX,imm8 12,pm=6*/26** Input word from immediate port into AX E5 ib IN EAX,imm8 12,pm=6*/26** Input dword from immediate port into EAX EC IN AL,DX 13,pm=7*/27** Input byte from port DX into AL ED IN AX,DX 13,pm=7*/27** Input word from port DX into AX ED IN EAX,DX 13,pm=7*/27** Input dword from port DX into EAX ─────────────────────────────────────────────────────────────────────────── NOTES: *If CPL ≤ IOPL **If CPL > IOPL or if in virtual 8086 mode ─────────────────────────────────────────────────────────────────────────── Operation IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) IF NOT I-O-Permission (SRC, width(SRC)) THEN #GP(0); FI; FI; DEST [SRC]; (* Reads from I/O address space *) Description IN transfers a data byte or data word from the port numbered by the second operand into the register (AL, AX, or EAX) specified by the first operand. Access any port from 0 to 65535 by placing the port number in the DX register and using an IN instruction with DX as the second parameter. These I/O instructions can be shortened by using an 8-bit port I/O in the instruction. The upper eight bits of the port address will be 0 when 8-bit port I/O is used. Flags Affected None Protected Mode Exceptions #GP(0) if the current privilege level is larger (has less privilege) than IOPL and any of the corresponding I/O permission bits in TSS equals 1 Real Address Mode Exceptions None Virtual 8086 Mode Exceptions #GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1 INC ── Increment by 1 Opcode Instruction Clocks Description FE /0 INC r/m8 Increment r/m byte by 1 FF /0 INC r/m16 Increment r/m word by 1 FF /6 INC r/m32 Increment r/m dword by 1 40 + rw INC r16 Increment word register by 1 40 + rd INC r32 Increment dword register by 1 Operation DEST DEST + 1; Description INC adds 1 to the operand. It does not change the carry flag. To affect the carry flag, use the ADD instruction with a second operand of 1. Flags Affected OF, SF, ZF, AF, and PF as described in Appendix C Protected Mode Exceptions #GP(0) if the operand is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault INS/INSB/INSW/INSD ── Input from Port to String Opcode Instruction Clocks Description 6C INS r/m8,DX 15,pm=9*/29** Input byte from port DX into ES:(E)DI 6D INS r/m16,DX 15,pm=9*/29** Input word from port DX into ES:(E)DI 6D INS r/m32,DX 15,pm=9*/29** Input dword from port DX into ES:(E)DI 6C INSB 15,pm=9*/29** Input byte from port DX into ES:(E)DI 6D INSW 15,pm=9*/29** Input word from port DX into ES:(E)DI 6D INSD 15,pm=9*/29** Input dword from port DX into ES:(E)DI ─────────────────────────────────────────────────────────────────────────── NOTES: *If CPL ≤ IOPL **If CPL > IOPL or if in virtual 8086 mode ─────────────────────────────────────────────────────────────────────────── Operation IF AddressSize = 16 THEN use DI for dest-index; ELSE (* AddressSize = 32 *) use EDI for dest-index; FI; IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) IF NOT I-O-Permission (SRC, width(SRC)) THEN #GP(0); FI; FI; IF byte type of instruction THEN ES:[dest-index] [DX]; (* Reads byte at DX from I/O address space *) IF DF = 0 THEN IncDec 1 ELSE IncDec -1; FI; FI; IF OperandSize = 16 THEN ES:[dest-index] [DX]; (* Reads word at DX from I/O address space *) IF DF = 0 THEN IncDec 2 ELSE IncDec -2; FI; FI; IF OperandSize = 32 THEN ES:[dest-index] [DX]; (* Reads dword at DX from I/O address space *) IF DF = 0 THEN IncDec 4 ELSE IncDec -4; FI; FI; dest-index dest-index + IncDec; Description INS transfers data from the input port numbered by the DX register to the memory byte or word at ES:dest-index. The memory operand must be addressable from ES; no segment override is possible. The destination register is DI if the address-size attribute of the instruction is 16 bits, or EDI if the address-size attribute is 32 bits. INS does not allow the specification of the port number as an immediate value. The port must be addressed through the DX register value. Load the correct value into DX before executing the INS instruction. The destination address is determined by the contents of the destination index register. Load the correct index into the destination index register before executing INS. After the transfer is made, DI or EDI advances automatically. If the direction flag is 0 (CLD was executed), DI or EDI increments; if the direction flag is 1 (STD was executed), DI or EDI decrements. DI increments or decrements by 1 if a byte is input, by 2 if a word is input, or by 4 if a doubleword is input. INSB, INSW and INSD are synonyms of the byte, word, and doubleword INS instructions. INS can be preceded by the REP prefix for block input of CX bytes or words. Refer to the REP instruction for details of this operation. Flags Affected None Protected Mode Exceptions #GP(0) if CPL is numerically greater than IOPL and any of the corresponding I/O permission bits in TSS equals 1; #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions #GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault-code) for a page fault INT/INTO ── Call to Interrupt Procedure Opcode Instruction Clocks Description CC INT 3 33 Interrupt 3--trap to debugger CC INT 3 pm=59 Interrupt 3--Protected Mode, same privilege CC INT 3 pm=99 Interrupt 3--Protected Mode, more privilege CC INT 3 pm=119 Interrupt 3--from V86 mode to PL 0 CC INT 3 ts Interrupt 3--Protected Mode, via task gate CD ib INT imm8 37 Interrupt numbered by immediate byte CD ib INT imm8 pm=59 Interrupt--Protected Mode, same privilege CD ib INT imm8 pm=99 Interrupt--Protected Mode, more privilege CD ib INT imm8 pm=119 Interrupt--from V86 mode to PL 0 CD ib INT imm8 ts Interrupt--Protected Mode, via task gate CE INTO Fail:3,pm=3; Pass:35 Interrupt 4--if overflow flag is 1 CE INTO pm=59 Interrupt 4--Protected Mode, same privilege CE INTO pm=99 Interrupt 4--Protected Mode, more privilege CE INTO pm=119 Interrupt 4--from V86 mode to PL 0 CE INTO ts Interrupt 4--Protected Mode, via task gate ─────────────────────────────────────────────────────────────────────────── NOTE: Approximate values of ts are given by the following table: New Task Old Task 386 TSS 386 TSS 286 TSS VM = 0 VM = 1 386 TSS VM=0 309 226 282 386 TSS VM=1 314 231 287 286 TSS 307 224 280 ─────────────────────────────────────────────────────────────────────────── Operation ─────────────────────────────────────────────────────────────────────────── NOTE: The following operational description applies not only to the above instructions but also to external interrupts and exceptions. ─────────────────────────────────────────────────────────────────────────── IF PE = 0 THEN GOTO REAL-ADDRESS-MODE; ELSE GOTO PROTECTED-MODE; FI; REAL-ADDRESS-MODE: Push (FLAGS); IF 0; (* Clear interrupt flag *) TF 0; (* Clear trap flag *) Push(CS); Push(IP); (* No error codes are pushed *) CS IDT[Interrupt number * 4].selector; IP IDT[Interrupt number * 4].offset; PROTECTED-MODE: Interrupt vector must be within IDT table limits, else #GP(vector number * 8+2+EXT); Descriptor AR byte must indicate interrupt gate, trap gate, or task gate, else #GP(vector number * 8+2+EXT); IF software interrupt (* i.e. caused by INT n, INT 3, or INTO *) THEN IF gate descriptor DPL < CPL THEN #GP(vector number * 8+2+EXT); FI; FI; Gate must be present, else #NP(vector number * 8+2+EXT); IF trap gate OR interrupt gate THEN GOTO TRAP-GATE-OR-INTERRUPT-GATE; ELSE GOTO TASK-GATE; FI; TRAP-GATE-OR-INTERRUPT-GATE: Examine CS selector and descriptor given in the gate descriptor; Selector must be non-null, else #GP (EXT); Selector must be within its descriptor table limits ELSE #GP(selector+EXT); Descriptor AR byte must indicate code segment ELSE #GP(selector + EXT); Segment must be present, else #NP(selector+EXT); IF code segment is non-conforming AND DPL < CPL THEN GOTO INTERRUPT-TO-INNER-PRIVILEGE; ELSE IF code segment is conforming OR code segment DPL = CPL THEN GOTO INTERRUPT-TO-SAME-PRIVILEGE-LEVEL; ELSE #GP(CS selector + EXT); FI; FI; INTERRUPT-TO-INNER-PRIVILEGE: Check selector and descriptor for new stack in current TSS; Selector must be non-null, else #GP(EXT); Selector index must be within its descriptor table limits ELSE #TS(SS selector+EXT); Selector's RPL must equal DPL of code segment, else #TS(SS selector+EXT); Stack segment DPL must equal DPL of code segment, else #TS(SS selector+EXT); Descriptor must indicate writable data segment, else #TS(SS selector+EXT); Segment must be present, else #SS(SS selector+EXT); IF 32-bit gate THEN New stack must have room for 20 bytes else #SS(0) ELSE New stack must have room for 10 bytes else #SS(0) FI; Instruction pointer must be within CS segment boundaries else #GP(0); Load new SS and eSP value from TSS; IF 32-bit gate THEN CS:EIP selector:offset from gate; ELSE CS:IP selector:offset from gate; FI; Load CS descriptor into invisible portion of CS register; Load SS descriptor into invisible portion of SS register; IF 32-bit gate THEN Push (long pointer to old stack) (* 3 words padded to 4 *); Push (EFLAGS); Push (long pointer to return location) (* 3 words padded to 4*); ELSE Push (long pointer to old stack) (* 2 words *); Push (FLAGS); Push (long pointer to return location) (* 2 words *); FI; Set CPL to new code segment DPL; Set RPL of CS to CPL; IF interrupt gate THEN IF 0 (* interrupt flag to 0 (disabled) *); FI; TF 0; NT 0; INTERRUPT-FROM-V86-MODE: TempEFlags EFLAGS; VM 0; TF 0; IF service through Interrupt Gate THEN IF 0; TempSS SS; TempESP ESP; SS TSS.SS0; (* Change to level 0 stack segment *) ESP TSS.ESP0; (* Change to level 0 stack pointer *) Push(GS); (* padded to two words *) Push(FS); (* padded to two words *) Push(DS); (* padded to two words *) Push(ES); (* padded to two words *) GS 0; FS 0; DS 0; ES 0; Push(TempSS); (* padded to two words *) Push(TempESP); Push(TempEFlags); Push(CS); (* padded to two words *) Push(EIP); CS:EIP selector:offset from interrupt gate; (* Starts execution of new routine in 80386 Protected Mode *) INTERRUPT-TO-SAME-PRIVILEGE-LEVEL: IF 32-bit gate THEN Current stack limits must allow pushing 10 bytes, else #SS(0); ELSE Current stack limits must allow pushing 6 bytes, else #SS(0); FI; IF interrupt was caused by exception with error code THEN Stack limits must allow push of two more bytes; ELSE #SS(0); FI; Instruction pointer must be in CS limit, else #GP(0); IF 32-bit gate THEN Push (EFLAGS); Push (long pointer to return location); (* 3 words padded to 4 *) CS:EIP selector:offset from gate; ELSE (* 16-bit gate *) Push (FLAGS); Push (long pointer to return location); (* 2 words *) CS:IP selector:offset from gate; FI; Load CS descriptor into invisible portion of CS register; Set the RPL field of CS to CPL; Push (error code); (* if any *) IF interrupt gate THEN IF 0; FI; TF 0; NT 0; TASK-GATE: Examine selector to TSS, given in task gate descriptor; Must specify global in the local/global bit, else #TS(TSS selector); Index must be within GDT limits, else #TS(TSS selector); AR byte must specify available TSS (bottom bits 00001), else #TS(TSS selector; TSS must be present, else #NP(TSS selector); SWITCH-TASKS with nesting to TSS; IF interrupt was caused by fault with error code THEN Stack limits must allow push of two more bytes, else #SS(0); Push error code onto stack; FI; Instruction pointer must be in CS limit, else #GP(0); Description The INT instruction generates via software a call to an interrupt handler. The immediate operand, from 0 to 255, gives the index number into the Interrupt Descriptor Table (IDT) of the interrupt routine to be called. In Protected Mode, the IDT consists of an array of eight-byte descriptors; the descriptor for the interrupt invoked must indicate an interrupt, trap, or task gate. In Real Address Mode, the IDT is an array of four byte-long pointers. In Protected and Real Address Modes, the base linear address of the IDT is defined by the contents of the IDTR. The INTO conditional software instruction is identical to the INT interrupt instruction except that the interrupt number is implicitly 4, and the interrupt is made only if the 80386 overflow flag is set. The first 32 interrupts are reserved by Intel for system use. Some of these interrupts are use for internally generated exceptions. INT n generally behaves like a far call except that the flags register is pushed onto the stack before the return address. Interrupt procedures return via the IRET instruction, which pops the flags and return address from the stack. In Real Address Mode, INT n pushes the flags, CS, and the return IP onto the stack, in that order, then jumps to the long pointer indexed by the interrupt number. Flags Affected None Protected Mode Exceptions #GP, #NP, #SS, and #TS as indicated under "Operation" above Real Address Mode Exceptions None; if the SP or ESP = 1, 3, or 5 before executing INT or INTO, the 80386 will shut down due to insufficient stack space Virtual 8086 Mode Exceptions #GP(0) fault if IOPL is less than 3, for INT only, to permit emulation; Interrupt 3 (0CCH) generates Interrupt 3; INTO generates Interrupt 4 if the overflow flag equals 1 IRET/IRETD ── Interrupt Return Opcode Instruction Clocks Description CF IRET 22,pm=38 Interrupt return (far return and pop flags) CF IRET pm=82 Interrupt return to lesser privilege CF IRET ts Interrupt return, different task (NT = 1) CF IRETD 22,pm=38 Interrupt return (far return and pop flags) CF IRETD pm=82 Interrupt return to lesser privilege CF IRETD pm=60 Interrupt return to V86 mode CF IRETD ts Interrupt return, different task (NT = 1) ─────────────────────────────────────────────────────────────────────────── NOTE: Values of ts are given by the following table: New Task Old Task 386 TSS 386 TSS 286 TSS VM = 0 VM = 1 386 TSS VM=0 275 224 271 286 TSS 265 214 232 ─────────────────────────────────────────────────────────────────────────── Operation IF PE = 0 THEN (* Real-address mode *) IF OperandSize = 32 (* Instruction = IRETD *) THEN EIP Pop(); ELSE (* Instruction = IRET *) IP Pop(); FI; CS Pop(); IF OperandSize = 32 (* Instruction = IRETD *) THEN EFLAGS Pop(); ELSE (* Instruction = IRET *) FLAGS Pop(); FI; ELSE (* Protected mode *) IF VM = 1 THEN #GP(0); ELSE IF NT = 1 THEN GOTO TASK-RETURN; ELSE IF VM = 1 in flags image on stack THEN GO TO STACK-RETURN-TO-V86; ELSE GOTO STACK-RETURN; FI; FI; FI; FI;STACK-RETURN-TO-V86: (* Interrupted procedure was in V86 mode *) IF return CS selector RPL < > 3 THEN #GP(Return selector); FI; IF top 36 bytes of stack not within limits THEN #SS(0); FI; Examine return CS selector and associated descriptor: IF selector is null, THEN #GP(0); FI; IF selector index not within its descriptor table limits; THEN #GP(Return selector); FI; IF AR byte does not indicate code segment THEN #GP(Return selector); FI; IF code segment DPL not = 3; THEN #GP(Return selector); FI; IF code segment not present THEN #NP(Return selector); FI; Examine return SS selector and associated descriptor: IF selector is null THEN #GP(0); FI; IF selector index not within its descriptor table limits THEN #GP(SS selector); FI; IF selector RPL not = RPL of return CS selector THEN #GP(SS selector); FI; IF AR byte does not indicate a writable data segment THEN #GP(SS selector); FI; IF stack segment DPL not = RPL of return CS selector THEN #GP(SS selector); FI; IF SS not present THEN #NP(SS selector); FI; IF instruction pointer not within code segment limit THEN #GP(0); FI; EFLAGS SS:[eSP + 8]; (* Sets VM in interrupted routine *) EIP Pop(); CS Pop(); (* CS behaves as in 8086, due to VM = 1 *) throwaway Pop(); (* pop away EFLAGS already read *) ES Pop(); (* pop 2 words; throw away high-order word *) DS Pop(); (* pop 2 words; throw away high-order word *) FS Pop(); (* pop 2 words; throw away high-order word *) GS Pop(); (* pop 2 words; throw away high-order word *) IF CS.RPL > CPL THEN TempESP Pop(); TempSS Pop(); SS:ESP TempSS:TempESP; FI; (* Resume execution in Virtual 8086 mode *) TASK-RETURN: Examine Back Link Selector in TSS addressed by the current task register: Must specify global in the local/global bit, else #TS(new TSS selector); Index must be within GDT limits, else #TS(new TSS selector); AR byte must specify TSS, else #TS(new TSS selector); New TSS must be busy, else #TS(new TSS selector); TSS must be present, else #NP(new TSS selector); SWITCH-TASKS without nesting to TSS specified by back link selector; Mark the task just abandoned as NOT BUSY; Instruction pointer must be within code segment limit ELSE #GP(0); STACK-RETURN: IF OperandSize=32 THEN Third word on stack must be within stack limits, else #SS(0); ELSE Second word on stack must be within stack limits, else #SS(0); FI; Return CS selector RPL must be ≥ CPL, else #GP(Return selector); IF return selector RPL = CPL THEN GOTO RETURN-SAME-LEVEL; ELSE GOTO RETURN-OUTER-LEVEL; FI; RETURN-SAME-LEVEL: IF OperandSize=32 THEN Top 12 bytes on stack must be within limits, else #SS(0); Return CS selector (at eSP+4) must be non-null, else #GP(0); ELSE Top 6 bytes on stack must be within limits, else #SS(0); Return CS selector (at eSP+2) must be non-null, else #GP(0); FI; Selector index must be within its descriptor table limits, else #GP (Return selector); AR byte must indicate code segment, else #GP(Return selector); IF non-conforming THEN code segment DPL must = CPL; ELSE #GP(Return selector); FI; IF conforming THEN code segment DPL must be ≤ CPL, else #GP(Return selector); Segment must be present, else #NP(Return selector); Instruction pointer must be within code segment boundaries, else #GP(0); FI; IF OperandSize=32 THEN Load CS:EIP from stack; Load CS-register with new code segment descriptor; Load EFLAGS with third doubleword from stack; Increment eSP by 12; ELSE Load CS-register with new code segment descriptor; Load FLAGS with third word on stack; Increment eSP by 6; FI; RETURN-OUTER-LEVEL: IF OperandSize=32 THEN Top 20 bytes on stack must be within limits, else #SS(0); ELSE Top 10 bytes on stack must be within limits, else #SS(0); FI; Examine return CS selector and associated descriptor: Selector must be non-null, else #GP(0); Selector index must be within its descriptor table limits; ELSE #GP(Return selector); AR byte must indicate code segment, else #GP(Return selector); IF non-conforming THEN code segment DPL must = CS selector RPL; ELSE #GP(Return selector); FI; IF conforming THEN code segment DPL must be > CPL; ELSE #GP(Return selector); FI; Segment must be present, else #NP(Return selector); Examine return SS selector and associated descriptor: Selector must be non-null, else #GP(0); Selector index must be within its descriptor table limits ELSE #GP(SS selector); Selector RPL must equal the RPL of the return CS selector ELSE #GP(SS selector); AR byte must indicate a writable data segment, else #GP(SS selector); Stack segment DPL must equal the RPL of the return CS selector ELSE #GP(SS selector); SS must be present, else #NP(SS selector); Instruction pointer must be within code segment limit ELSE #GP(0); IF OperandSize=32 THEN Load CS:EIP from stack; Load EFLAGS with values at (eSP+8); ELSE Load CS:IP from stack; Load FLAGS with values at (eSP+4); FI; Load SS:eSP from stack; Set CPL to the RPL of the return CS selector; Load the CS register with the CS descriptor; Load the SS register with the SS descriptor; FOR each of ES, FS, GS, and DS DO; IF the current value of the register is not valid for the outer level; THEN zero the register and clear the valid flag; FI; To be valid, the register setting must satisfy the following properties: Selector index must be within descriptor table limits; AR byte must indicate data or readable code segment; IF segment is data or non-conforming code, THEN DPL must be ≥ CPL, or DPL must be ≥ RPL; OD; Description In Real Address Mode, IRET pops the instruction pointer, CS, and the flags register from the stack and resumes the interrupted routine. In Protected Mode, the action of IRET depends on the setting of the nested task flag (NT) bit in the flag register. When popping the new flag image from the stack, the IOPL bits in the flag register are changed only when CPL equals 0. If NT equals 0, IRET returns from an interrupt procedure without a task switch. The code returned to must be equally or less privileged than the interrupt routine (as indicated by the RPL bits of the CS selector popped from the stack). If the destination code is less privileged, IRET also pops the stack pointer and SS from the stack. If NT equals 1, IRET reverses the operation of a CALL or INT that caused a task switch. The updated state of the task executing IRET is saved in its task state segment. If the task is reentered later, the code that follows IRET is executed. Flags Affected All; the flags register is popped from stack Protected Mode Exceptions #GP, #NP, or #SS, as indicated under "Operation" above Real Address Mode Exceptions Interrupt 13 if any part of the operand being popped lies beyond address 0FFFFH Virtual 8086 Mode Exceptions #GP(0) fault if IOPL is less than 3, to permit emulation Jcc ── Jump if Condition is Met Opcode Instruction Clocks Description 77 cb JA rel8 7+m,3 Jump short if above (CF=0 and ZF=0) 73 cb JAE rel8 7+m,3 Jump short if above or equal (CF=0) 72 cb JB rel8 7+m,3 Jump short if below (CF=1) 76 cb JBE rel8 7+m,3 Jump short if below or equal (CF=1 or ZF=1) 72 cb JC rel8 7+m,3 Jump short if carry (CF=1) E3 cb JCXZ rel8 9+m,5 Jump short if CX register is 0 E3 cb JECXZ rel8 9+m,5 Jump short if ECX register is 0 74 cb JE rel8 7+m,3 Jump short if equal (ZF=1) 74 cb JZ rel8 7+m,3 Jump short if 0 (ZF=1) 7F cb JG rel8 7+m,3 Jump short if greater (ZF=0 and SF=OF) 7D cb JGE rel8 7+m,3 Jump short if greater or equal (SF=OF) 7C cb JL rel8 7+m,3 Jump short if less (SF<>OF) 7E cb JLE rel8 7+m,3 Jump short if less or equal (ZF=1 and SF<>OF) 76 cb JNA rel8 7+m,3 Jump short if not above (CF=1 or ZF=1) 72 cb JNAE rel8 7+m,3 Jump short if not above or equal (CF=1) 73 cb JNB rel8 7+m,3 Jump short if not below (CF=0) 77 cb JNBE rel8 7+m,3 Jump short if not below or equal (CF=0 and ZF=0) 73 cb JNC rel8 7+m,3 Jump short if not carry (CF=0) 75 cb JNE rel8 7+m,3 Jump short if not equal (ZF=0) 7E cb JNG rel8 7+m,3 Jump short if not greater (ZF=1 or SF<>OF) 7C cb JNGE rel8 7+m,3 Jump short if not greater or equal (SF<>OF) 7D cb JNL rel8 7+m,3 Jump short if not less (SF=OF) 7F cb JNLE rel8 7+m,3 Jump short if not less or equal (ZF=0 and SF=OF) 71 cb JNO rel8 7+m,3 Jump short if not overflow (OF=0) 7B cb JNP rel8 7+m,3 Jump short if not parity (PF=0) 79 cb JNS rel8 7+m,3 Jump short if not sign (SF=0) 75 cb JNZ rel8 7+m,3 Jump short if not zero (ZF=0) 70 cb JO rel8 7+m,3 Jump short if overflow (OF=1) 7A cb JP rel8 7+m,3 Jump short if parity (PF=1) 7A cb JPE rel8 7+m,3 Jump short if parity even (PF=1) 7B cb JPO rel8 7+m,3 Jump short if parity odd (PF=0) 78 cb JS rel8 7+m,3 Jump short if sign (SF=1) 74 cb JZ rel8 7+m,3 Jump short if zero (ZF = 1) 0F 87 cw/cd JA rel16/32 7+m,3 Jump near if above (CF=0 and ZF=0) 0F 83 cw/cd JAE rel16/32 7+m,3 Jump near if above or equal (CF=0) 0F 82 cw/cd JB rel16/32 7+m,3 Jump near if below (CF=1) 0F 86 cw/cd JBE rel16/32 7+m,3 Jump near if below or equal (CF=1 or ZF=1) 0F 82 cw/cd JC rel16/32 7+m,3 Jump near if carry (CF=1) 0F 84 cw/cd JE rel16/32 7+m,3 Jump near if equal (ZF=1) 0F 84 cw/cd JZ rel16/32 7+m,3 Jump near if 0 (ZF=1) 0F 8F cw/cd JG rel16/32 7+m,3 Jump near if greater (ZF=0 and SF=OF) 0F 8D cw/cd JGE rel16/32 7+m,3 Jump near if greater or equal (SF=OF) 0F 8C cw/cd JL rel16/32 7+m,3 Jump near if less (SF<>OF) 0F 8E cw/cd JLE rel16/32 7+m,3 Jump near if less or equal (ZF=1 and SF<>OF) 0F 86 cw/cd JNA rel16/32 7+m,3 Jump near if not above (CF=1 or ZF=1) 0F 82 cw/cd JNAE rel16/32 7+m,3 Jump near if not above or equal (CF=1) 0F 83 cw/cd JNB rel16/32 7+m,3 Jump near if not below (CF=0) 0F 87 cw/cd JNBE rel16/32 7+m,3 Jump near if not below or equal (CF=0 and ZF=0) 0F 83 cw/cd JNC rel16/32 7+m,3 Jump near if not carry (CF=0) 0F 85 cw/cd JNE rel16/32 7+m,3 Jump near if not equal (ZF=0) 0F 8E cw/cd JNG rel16/32 7+m,3 Jump near if not greater (ZF=1 or SF<>OF) 0F 8C cw/cd JNGE rel16/32 7+m,3 Jump near if not greater or equal (SF<>OF) 0F 8D cw/cd JNL rel16/32 7+m,3 Jump near if not less (SF=OF) 0F 8F cw/cd JNLE rel16/32 7+m,3 Jump near if not less or equal (ZF=0 and SF=OF) 0F 81 cw/cd JNO rel16/32 7+m,3 Jump near if not overflow (OF=0) 0F 8B cw/cd JNP rel16/32 7+m,3 Jump near if not parity (PF=0) 0F 89 cw/cd JNS rel16/32 7+m,3 Jump near if not sign (SF=0) 0F 85 cw/cd JNZ rel16/32 7+m,3 Jump near if not zero (ZF=0) 0F 80 cw/cd JO rel16/32 7+m,3 Jump near if overflow (OF=1) 0F 8A cw/cd JP rel16/32 7+m,3 Jump near if parity (PF=1) 0F 8A cw/cd JPE rel16/32 7+m,3 Jump near if parity even (PF=1) 0F 8B cw/cd JPO rel16/32 7+m,3 Jump near if parity odd (PF=0) 0F 88 cw/cd JS rel16/32 7+m,3 Jump near if sign (SF=1) 0F 84 cw/cd JZ rel16/32 7+m,3 Jump near if 0 (ZF=1) ─────────────────────────────────────────────────────────────────────────── NOTES: The first clock count is for the true condition (branch taken); the second clock count is for the false condition (branch not taken). rel16/32 indicates that these instructions map to two; one with a 16-bit relative displacement, the other with a 32-bit relative displacement, depending on the operand-size attribute of the instruction. ─────────────────────────────────────────────────────────────────────────── Operation IF condition THEN EIP EIP + SignExtend(rel8/16/32); IF OperandSize = 16 THEN EIP EIP AND 0000FFFFH; FI; FI; Description Conditional jumps (except JCXZ) test the flags which have been set by a previous instruction. The conditions for each mnemonic are given in parentheses after each description above. The terms "less" and "greater" are used for comparisons of signed integers; "above" and "below" are used for unsigned integers. If the given condition is true, a jump is made to the location provided as the operand. Instruction coding is most efficient when the target for the conditional jump is in the current code segment and within -128 to +127 bytes of the next instruction's first byte. The jump can also target -32768 thru +32767 (segment size attribute 16) or -2^(31) thru +2^(31) -1 (segment size attribute 32) relative to the next instruction's first byte. When the target for the conditional jump is in a different segment, use the opposite case of the jump instruction (i.e., JE and JNE), and then access the target with an unconditional far jump to the other segment. For example, you cannot code── JZ FARLABEL; You must instead code── JNZ BEYOND; JMP FARLABEL; BEYOND: Because there can be several ways to interpret a particular state of the flags, ASM386 provides more than one mnemonic for most of the conditional jump opcodes. For example, if you compared two characters in AX and want to jump if they are equal, use JE; or, if you ANDed AX with a bit field mask and only want to jump if the result is 0, use JZ, a synonym for JE. JCXZ differs from other conditional jumps because it tests the contents of the CX or ECX register for 0, not the flags. JCXZ is useful at the beginning of a conditional loop that terminates with a conditional loop instruction (such as LOOPNE TARGET LABEL. The JCXZ prevents entering the loop with CX or ECX equal to zero, which would cause the loop to execute 64K or 32G times instead of zero times. Flags Affected None Protected Mode Exceptions #GP(0) if the offset jumped to is beyond the limits of the code segment Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None JMP ── Jump Opcode Instruction Clocks Description EB cb JMP rel8 7+m Jump short E9 cw JMP rel16 7+m Jump near, displacement relative to next instruction FF /4 JMP r/m16 7+m/10+m Jump near indirect EA cd JMP ptr16:16 12+m,pm=27+m Jump intersegment, 4-byte immediate address EA cd JMP ptr16:16 pm=45+m Jump to call gate, same privilege EA cd JMP ptr16:16 ts Jump via task state segment EA cd JMP ptr16:16 ts Jump via task gate FF /5 JMP m16:16 43+m,pm=31+m Jump r/m16:16 indirect and intersegment FF /5 JMP m16:16 pm=49+m Jump to call gate, same privilege FF /5 JMP m16:16 5 + ts Jump via task state segment FF /5 JMP m16:16 5 + ts Jump via task gate E9 cd JMP rel32 7+m Jump near, displacement relative to next instruction FF /4 JMP r/m32 7+m,10+m Jump near, indirect EA cp JMP ptr16:32 12+m,pm=27+m Jump intersegment, 6-byte immediate address EA cp JMP ptr16:32 pm=45+m Jump to call gate, same privilege EA cp JMP ptr16:32 ts Jump via task state segment EA cp JMP ptr16:32 ts Jump via task gate FF /5 JMP m16:32 43+m,pm=31+m Jump intersegment, address at r/m dword FF /5 JMP m16:32 pm=49+m Jump to call gate, same privilege FF /5 JMP m16:32 5 + ts Jump via task state segment FF /5 JMP m16:32 5 + ts Jump via task gate ─────────────────────────────────────────────────────────────────────────── NOTE: Values of ts are given by the following table: New Task 386 TSS 386 TASK 286 TSS VM = 0 VM = 1 Old Task Via Task Gate? N Y N Y N Y 386 TSS VM=0 303 312 220 229 276 285 286 TSS 301 310 218 227 274 283 ─────────────────────────────────────────────────────────────────────────── Operation IF instruction = relative JMP (* i.e. operand is rel8, rel16, or rel32 *) THEN EIP EIP + rel8/16/32; IF OperandSize = 16 THEN EIP EIP AND 0000FFFFH; FI; FI; IF instruction = near indirect JMP (* i.e. operand is r/m16 or r/m32 *) THEN IF OperandSize = 16 THEN EIP [r/m16] AND 0000FFFFH; ELSE (* OperandSize = 32 *) EIP [r/m32]; FI; FI; IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or V86 mode *) AND instruction = far JMP (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *) THEN GOTO REAL-OR-V86-MODE; IF operand type = m16:16 or m16:32 THEN (* indirect *) IF OperandSize = 16 THEN CS:IP [m16:16]; EIP EIP AND 0000FFFFH; (* clear upper 16 bits *) ELSE (* OperandSize = 32 *) CS:EIP [m16:32]; FI; FI; IF operand type = ptr16:16 or ptr16:32 THEN IF OperandSize = 16 THEN CS:IP ptr16:16; EIP EIP AND 0000FFFFH; (* clear upper 16 bits *) ELSE (* OperandSize = 32 *) CS:EIP ptr16:32; FI; FI; FI; IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) AND instruction = far JMP THEN IF operand type = m16:16 or m16:32 THEN (* indirect *) check access of EA dword; #GP(0) or #SS(0) IF limit violation; FI; Destination selector is not null ELSE #GP(0) Destination selector index is within its descriptor table limits ELSE #GP(selector) Depending on AR byte of destination descriptor: GOTO CONFORMING-CODE-SEGMENT; GOTO NONCONFORMING-CODE-SEGMENT; GOTO CALL-GATE; GOTO TASK-GATE; GOTO TASK-STATE-SEGMENT; ELSE #GP(selector); (* illegal AR byte in descriptor *) FI; CONFORMING-CODE-SEGMENT: Descriptor DPL must be ≤ CPL ELSE #GP(selector); Segment must be present ELSE #NP(selector); Instruction pointer must be within code-segment limit ELSE #GP(0); IF OperandSize = 32 THEN Load CS:EIP from destination pointer; ELSE Load CS:IP from destination pointer; FI; Load CS register with new segment descriptor; NONCONFORMING-CODE-SEGMENT: RPL of destination selector must be ≤ CPL ELSE #GP(selector); Descriptor DPL must be = CPL ELSE #GP(selector); Segment must be present ELSE # NP(selector); Instruction pointer must be within code-segment limit ELSE #GP(0); IF OperandSize = 32 THEN Load CS:EIP from destination pointer; ELSE Load CS:IP from destination pointer; FI; Load CS register with new segment descriptor; Set RPL field of CS register to CPL; CALL-GATE: Descriptor DPL must be ≥ CPL ELSE #GP(gate selector); Descriptor DPL must be ≥ gate selector RPL ELSE #GP(gate selector); Gate must be present ELSE #NP(gate selector); Examine selector to code segment given in call gate descriptor: Selector must not be null ELSE #GP(0); Selector must be within its descriptor table limits ELSE #GP(CS selector); Descriptor AR byte must indicate code segment ELSE #GP(CS selector); IF non-conforming THEN code-segment descriptor, DPL must = CPL ELSE #GP(CS selector); FI; IF conforming THEN code-segment descriptor DPL must be ≤ CPL; ELSE #GP(CS selector); Code segment must be present ELSE #NP(CS selector); Instruction pointer must be within code-segment limit ELSE #GP(0); IF OperandSize = 32 THEN Load CS:EIP from call gate; ELSE Load CS:IP from call gate; FI; Load CS register with new code-segment descriptor; Set RPL of CS to CPL TASK-GATE: Gate descriptor DPL must be ≥ CPL ELSE #GP(gate selector); Gate descriptor DPL must be ≥ gate selector RPL ELSE #GP(gate selector); Task Gate must be present ELSE #NP(gate selector); Examine selector to TSS, given in Task Gate descriptor: Must specify global in the local/global bit ELSE #GP(TSS selector); Index must be within GDT limits ELSE #GP(TSS selector); Descriptor AR byte must specify available TSS (bottom bits 00001); ELSE #GP(TSS selector); Task State Segment must be present ELSE #NP(TSS selector); SWITCH-TASKS (without nesting) to TSS; Instruction pointer must be within code-segment limit ELSE #GP(0); TASK-STATE-SEGMENT: TSS DPL must be ≥ CPL ELSE #GP(TSS selector); TSS DPL must be ≥ TSS selector RPL ELSE #GP(TSS selector); Descriptor AR byte must specify available TSS (bottom bits 00001) ELSE #GP(TSS selector); Task State Segment must be present ELSE #NP(TSS selector); SWITCH-TASKS (without nesting) to TSS; Instruction pointer must be within code-segment limit ELSE #GP(0); Description The JMP instruction transfers control to a different point in the instruction stream without recording return information. The action of the various forms of the instruction are shown below. Jumps with destinations of type r/m16, r/m32, rel16, and rel32 are near jumps and do not involve changing the segment register value. The JMP rel16 and JMP rel32 forms of the instruction add an offset to the address of the instruction following the JMP to determine the destination. The rel16 form is used when the instruction's operand-size attribute is 16 bits (segment size attribute 16 only); rel32 is used when the operand-size attribute is 32 bits (segment size attribute 32 only). The result is stored in the 32-bit EIP register. With rel16, the upper 16 bits of EIP are cleared, which results in an offset whose value does not exceed 16 bits. JMP r/m16 and JMP r/m32 specifies a register or memory location from which the absolute offset from the procedure is fetched. The offset fetched from r/m is 32 bits for an operand-size attribute of 32 bits (r/m32), or 16 bits for an operand-size attribute of 16 bits (r/m16). The JMP ptr16:16 and ptr16:32 forms of the instruction use a four-byte or six-byte operand as a long pointer to the destination. The JMP and forms fetch the long pointer from the memory location specified (indirection). In Real Address Mode or Virtual 8086 Mode, the long pointer provides 16 bits for the CS register and 16 or 32 bits for the EIP register (depending on the operand-size attribute). In Protected Mode, both long pointer forms consult the Access Rights (AR) byte in the descriptor indexed by the selector part of the long pointer. Depending on the value of the AR byte, the jump will perform one of the following types of control transfers: ■ A jump to a code segment at the same privilege level ■ A task switch For more information on protected mode control transfers, refer to Chapter 6 and Chapter 7. Flags Affected All if a task switch takes place; none if no task switch occurs Protected Mode Exceptions Far jumps: #GP, #NP, #SS, and #TS, as indicated in the list above. Near direct jumps: #GP(0) if procedure location is beyond the code segment limits. Near indirect jumps: #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments: #SS(0) for an illegal address in the SS segment; #GP if the indirect offset obtained is beyond the code segment limits; #PF(fault-code) for a page fault. Real Address Mode Exceptions Interrupt 13 if any part of the operand would be outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as under Real Address Mode; #PF(fault-code) for a page fault LAHF ── Load Flags into AH Register Opcode Instruction Clocks Description 9F LAHF 2 Load: AH = flags SF ZF xx AF xx PF xx CF Operation AH SF:ZF:xx:AF:xx:PF:xx:CF; Description LAHF transfers the low byte of the flags word to AH. The bits, from MSB to LSB, are sign, zero, indeterminate, auxiliary, carry, indeterminate, parity, indeterminate, and carry. Flags Affected None Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None LAR ── Load Access Rights Byte Opcode Instruction Clocks Description 0F 02 /r LAR r16,r/m16 pm=15/16 r16 r/m16 masked by FF00 0F 02 /r LAR r32,r/m32 pm=15/16 r32 r/m32 masked by 00FxFF00 Description The LAR instruction stores a marked form of the second doubleword of the descriptor for the source selector if the selector is visible at the CPL (modified by the selector's RPL) and is a valid descriptor type. The destination register is loaded with the high-order doubleword of the descriptor masked by 00FxFF00, and ZF is set to 1. The x indicates that the four bits corresponding to the upper four bits of the limit are undefined in the value loaded by LAR. If the selector is invisible or of the wrong type, ZF is cleared. If the 32-bit operand size is specified, the entire 32-bit value is loaded into the 32-bit destination register. If the 16-bit operand size is specified, the lower 16-bits of this value are stored in the 16-bit destination register. All code and data segment descriptors are valid for LAR. The valid special segment and gate descriptor types for LAR are given in the following table: Type Name Valid/Invalid 0 Invalid Invalid 1 Available 80286 TSS Valid 2 LDT Valid 3 Busy 80286 TSS Valid 4 80286 call gate Valid 5 80286/80386 task gate Valid 6 80286 trap gate Valid 7 80286 interrupt gate Valid 8 Invalid Invalid 9 Available 80386 TSS Valid A Invalid Invalid B Busy 80386 TSS Valid C 80386 call gate Valid D Invalid Invalid E 80386 trap gate Valid F 80386 interrupt gate Valid Flags Affected ZF as described above Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6; LAR is unrecognized in Real Address Mode Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode LEA ── Load Effective Address Opcode Instruction Clocks Description 8D /r LEA r16,m 2 Store effective address for m in register r16 8D /r LEA r32,m 2 Store effective address for m in register r32 8D /r LEA r16,m 2 Store effective address for m in register r16 8D /r LEA r32,m 2 Store effective address for m in register r32 Operation IF OperandSize = 16 AND AddressSize = 16 THEN r16 Addr(m); ELSE IF OperandSize = 16 AND AddressSize = 32 THEN r16 Truncate_to_16bits(Addr(m)); (* 32-bit address *) ELSE IF OperandSize = 32 AND AddressSize = 16 THEN r32 Truncate_to_16bits(Addr(m)); ELSE IF OperandSize = 32 AND AddressSize = 32 THEN r32 Addr(m); FI; FI; FI; FI; Description LEA calculates the effective address (offset part) and stores it in the specified register. The operand-size attribute of the instruction (represented by OperandSize in the algorithm under "Operation" above) is determined by the chosen register. The address-size attribute (represented by AddressSize) is determined by the USE attribute of the segment containing the second operand. The address-size and operand-size attributes affect the action performed by LEA, as follows: Operand Size Address Size Action Performed 16 16 16-bit effective address is calculated and stored in requested 16-bit register destination. 16 32 32-bit effective address is calculated. The lower 16 bits of the address are stored in the requested 16-bit register destination. 32 16 16-bit effective address is calculated. The 16-bit address is zero-extended and stored in the requested 32-bit register destination. 32 32 32-bit effective address is calculated and stored in the requested 32-bit register destination. Flags Affected None Protected Mode Exceptions #UD if the second operand is a register Real Address Mode Exceptions Interrupt 6 if the second operand is a register Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode LEAVE ── High Level Procedure Exit Opcode Instruction Clocks Description C9 LEAVE 4 Set SP to BP, then pop BP C9 LEAVE 4 Set ESP to EBP, then pop EBP Operation IF StackAddrSize = 16 THEN SP BP; ELSE (* StackAddrSize = 32 *) ESP EBP; FI; IF OperandSize = 16 THEN BP Pop(); ELSE (* OperandSize = 32 *) EBP Pop(); FI; Description LEAVE reverses the actions of the ENTER instruction. By copying the frame pointer to the stack pointer, LEAVE releases the stack space used by a procedure for its local variables. The old frame pointer is popped into BP or EBP, restoring the caller's frame. A subsequent RET instruction removes any arguments pushed onto the stack of the exiting procedure. Flags Affected None Protected Mode Exceptions #SS(0) if BP does not point to a location within the limits of the current stack segment Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode LGDT/LIDT ── Load Global/Interrupt Descriptor Table Register Opcode Instruction Clocks Description 0F 01 /2 LGDT m16&32 11 Load m into GDTR 0F 01 /3 LIDT m16&32 11 Load m into IDTR Operation IF instruction = LIDT THEN IF OperandSize = 16 THEN IDTR.Limit:Base m16:24 (* 24 bits of base loaded *) ELSE IDTR.Limit:Base m16:32 FI; ELSE (* instruction = LGDT *) IF OperandSize = 16 THEN GDTR.Limit:Base m16:24 (* 24 bits of base loaded *) ELSE GDTR.Limit:Base m16:32; FI; FI; Description The LGDT and LIDT instructions load a linear base address and limit value from a six-byte data operand in memory into the GDTR or IDTR, respectively. If a 16-bit operand is used with LGDT or LIDT, the register is loaded with a 16-bit limit and a 24-bit base, and the high-order eight bits of the six-byte data operand are not used. If a 32-bit operand is used, a 16-bit limit and a 32-bit base is loaded; the high-order eight bits of the six-byte operand are used as high-order base address bits. The SGDT and SIDT instructions always store into all 48 bits of the six-byte data operand. With the 80286, the upper eight bits are undefined after SGDT or SIDT is executed. With the 80386, the upper eight bits are written with the high-order eight address bits, for both a 16-bit operand and a 32-bit operand. If LGDT or LIDT is used with a 16-bit operand to load the register stored by SGDT or SIDT, the upper eight bits are stored as zeros. LGDT and LIDT appear in operating system software; they are not used in application programs. They are the only instructions that directly load a linear address (i.e., not a segment relative address) in 80386 Protected Mode. Flags Affected None Protected Mode Exceptions #GP(0) if the current privilege level is not 0; #UD if the source operand is a register; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH; Interrupt 6 if the source operand is a register ─────────────────────────────────────────────────────────────────────────── Note: These instructions are valid in Real Address Mode to allow power-up initialization for Protected Mode ─────────────────────────────────────────────────────────────────────────── Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault LGS/LSS/LDS/LES/LFS ── Load Full Pointer Opcode Instruction Clocks Description C5 /r LDS r16,m16:16 7,p=22 Load DS:r16 with pointer from memory C5 /r LDS r32,m16:32 7,p=22 Load DS:r32 with pointer from memory 0F B2 /r LSS r16,m16:16 7,p=22 Load SS:r16 with pointer from memory 0F B2 /r LSS r32,m16:32 7,p=22 Load SS:r32 with pointer from memory C4 /r LES r16,m16:16 7,p=22 Load ES:r16 with pointer from memory C4 /r LES r32,m16:32 7,p=22 Load ES:r32 with pointer from memory 0F B4 /r LFS r16,m16:16 7,p=25 Load FS:r16 with pointer from memory 0F B4 /r LFS r32,m16:32 7,p=25 Load FS:r32 with pointer from memory 0F B5 /r LGS r16,m16:16 7,p=25 Load GS:r16 with pointer from memory 0F B5 /r LGS r32,m16:32 7,p=25 Load GS:r32 with pointer from memory Operation CASE instruction OF LSS: Sreg is SS; (* Load SS register *) LDS: Sreg is DS; (* Load DS register *) LES: Sreg is ES; (* Load ES register *) LFS: Sreg is FS; (* Load FS register *) LGS: Sreg is DS; (* Load GS register *) ESAC; IF (OperandSize = 16) THEN r16 [Effective Address]; (* 16-bit transfer *) Sreg [Effective Address + 2]; (* 16-bit transfer *) (* In Protected Mode, load the descriptor into the segment register *) ELSE (* OperandSize = 32 *) r32 [Effective Address]; (* 32-bit transfer *) Sreg [Effective Address + 4]; (* 16-bit transfer *) (* In Protected Mode, load the descriptor into the segment register *) FI; Description These instructions read a full pointer from memory and store it in the selected segment register:register pair. The full pointer loads 16 bits into the segment register SS, DS, ES, FS, or GS. The other register loads 32 bits if the operand-size attribute is 32 bits, or loads 16 bits if the operand-size attribute is 16 bits. The other 16- or 32-bit register to be loaded is determined by the r16 or r32 register operand specified. When an assignment is made to one of the segment registers, the descriptor is also loaded into the segment register. The data for the register is obtained from the descriptor table entry for the selector given. A null selector (values 0000-0003) can be loaded into DS, ES, FS, or GS registers without causing a protection exception. (Any subsequent reference to a segment whose corresponding segment register is loaded with a null selector to address memory causes a #GP(0) exception. No memory reference to the segment occurs.) The following is a listing of the Protected Mode checks and actions taken in the loading of a segment register: IF SS is loaded: IF selector is null THEN #GP(0); FI; Selector index must be within its descriptor table limits ELSE #GP(selector); Selector's RPL must equal CPL ELSE #GP(selector); AR byte must indicate a writable data segment ELSE #GP(selector); DPL in the AR byte must equal CPL ELSE #GP(selector); Segment must be marked present ELSE #SS(selector); Load SS with selector; Load SS with descriptor; IF DS, ES, FS, or GS is loaded with non-null selector: Selector index must be within its descriptor table limits ELSE #GP(selector); AR byte must indicate data or readable code segment ELSE #GP(selector); IF data or nonconforming code THEN both the RPL and the CPL must be less than or equal to DPL in AR byte; ELSE #GP(selector); Segment must be marked present ELSE #NP(selector); Load segment register with selector and RPL bits; Load segment register with descriptor; IF DS, ES, FS or GS is loaded with a null selector: Clear descriptor valid bit; Flags Affected None Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; the second operand must be a memory operand, not a register; #GP(0) if a null selector is loaded into SS; #PF(fault-code) for a page fault Real Address Mode Exceptions The second operand must be a memory operand, not a register; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault LLDT ── Load Local Descriptor Table Register Opcode Instruction Clocks Description 0F 00 /2 LLDT r/m16 20 Load selector r/m16 into LDTR Operation LDTR SRC; Description LLDT loads the Local Descriptor Table register (LDTR). The word operand (memory or register) to LLDT should contain a selector to the Global Descriptor Table (GDT). The GDT entry should be a Local Descriptor Table. If so, then the LDTR is loaded from the entry. The descriptor registers DS, ES, SS, FS, GS, and CS are not affected. The LDT field in the task state segment does not change. The selector operand can be 0; if so, the LDTR is marked invalid. All descriptor references (except by the LAR, VERR, VERW or LSL instructions) cause a #GP fault. LLDT is used in operating system software; it is not used in application programs. Flags Affected None Protected Mode Exceptions #GP(0) if the current privilege level is not 0; #GP(selector) if the selector operand does not point into the Global Descriptor Table, or if the entry in the GDT is not a Local Descriptor Table; #NP(selector) if the LDT descriptor is not present; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6; LLDT is not recognized in Real Address Mode Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode (because the instruction is not recognized, it will not execute or perform a memory reference) Note The operand-size attribute has no effect on this instruction. LMSW ── Load Machine Status Word Opcode Instruction Clocks Description 0F 01 /6 LMSW r/m16 10/13 Load r/m16 in machine status word Operation MSW r/m16; (* 16 bits is stored in the machine status word *) Description LMSW loads the machine status word (part of CR0) from the source operand. This instruction can be used to switch to Protected Mode; if so, it must be followed by an intrasegment jump to flush the instruction queue. LMSW will not switch back to Real Address Mode. LMSW is used only in operating system software. It is not used in application programs. Flags Affected None Protected Mode Exceptions #GP(0) if the current privilege level is not 0; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Notes The operand-size attribute has no effect on this instruction. This instruction is provided for compatibility with the 80286; 80386 programs should use MOV CR0, ... instead. LOCK ── Assert LOCK# Signal Prefix Opcode Instruction Clocks Description F0 LOCK 0 Assert LOCK# signal for the next instruction Description The LOCK prefix causes the LOCK# signal of the 80386 to be asserted during execution of the instruction that follows it. In a multiprocessor environment, this signal can be used to ensure that the 80386 has exclusive use of any shared memory while LOCK# is asserted. The read-modify-write sequence typically used to implement test-and-set on the 80386 is the BTS instruction. The LOCK prefix functions only with the following instructions: BT, BTS, BTR, BTC mem, reg/imm XCHG reg, mem XCHG mem, reg ADD, OR, ADC, SBB, AND, SUB, XOR mem, reg/imm NOT, NEG, INC, DEC mem An undefined opcode trap will be generated if a LOCK prefix is used with any instruction not listed above. XCHG always asserts LOCK# regardless of the presence or absence of the LOCK prefix. The integrity of the LOCK is not affected by the alignment of the memory field. Memory locking is observed for arbitrarily misaligned fields. Locked access is not assured if another 80386 processor is executing an instruction concurrently that has one of the following characteristics: ■ Is not preceded by a LOCK prefix ■ Is not one of the instructions in the preceding list ■ Specifies a memory operand that does not exactly overlap the destination operand. Locking is not guaranteed for partial overlap, even if one memory operand is wholly contained within another. Flags Affected None Protected Mode Exceptions #UD if LOCK is used with an instruction not listed in the "Description" section above; other exceptions can be generated by the subsequent (locked) instruction Real Address Mode Exceptions Interrupt 6 if LOCK is used with an instruction not listed in the "Description" section above; exceptions can still be generated by the subsequent (locked) instruction Virtual 8086 Mode Exceptions #UD if LOCK is used with an instruction not listed in the "Description" section above; exceptions can still be generated by the subsequent (locked) instruction LODS/LODSB/LODSW/LODSD ── Load String Operand Opcode Instruction Clocks Description AC LODS m8 5 Load byte [(E)SI] into AL AD LODS m16 5 Load word [(E)SI] into AX AD LODS m32 5 Load dword [(E)SI] into EAX AC LODSB 5 Load byte DS:[(E)SI] into AL AD LODSW 5 Load word DS:[(E)SI] into AX AD LODSD 5 Load dword DS:[(E)SI] into EAX Operation IF AddressSize = 16 THEN use SI for source-index ELSE (* AddressSize = 32 *) use ESI for source-index; FI; IF byte type of instruction THEN AL [source-index]; (* byte load *) IF DF = 0 THEN IncDec 1 ELSE IncDec -1; FI; ELSE IF OperandSize = 16 THEN AX [source-index]; (* word load *) IF DF = 0 THEN IncDec 2 ELSE IncDec -2; FI; ELSE (* OperandSize = 32 *) EAX [source-index]; (* dword load *) IF DF = 0 THEN IncDec 4 ELSE IncDec -4; FI; FI; FI; source-index source-index + IncDec Description LODS loads the AL, AX, or EAX register with the memory byte, word, or doubleword at the location pointed to by the source-index register. After the transfer is made, the source-index register is automatically advanced. If the direction flag is 0 (CLD was executed), the source index increments; if the direction flag is 1 (STD was executed), it decrements. The increment or decrement is 1 if a byte is loaded, 2 if a word is loaded, or 4 if a doubleword is loaded. If the address-size attribute for this instruction is 16 bits, SI is used for the source-index register; otherwise the address-size attribute is 32 bits, and the ESI register is used. The address of the source data is determined solely by the contents of ESI/SI. Load the correct index value into SI before executing the LODS instruction. LODSB, LODSW, LODSD are synonyms for the byte, word, and doubleword LODS instructions. LODS can be preceded by the REP prefix; however, LODS is used more typically within a LOOP construct, because further processing of the data moved into EAX, AX, or AL is usually necessary. Flags Affected None Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault LOOP/LOOPcond ── Loop Control with CX Counter Opcode Instruction Clocks Description E2 cb LOOP rel8 11+m DEC count; jump short if count <> 0 E1 cb LOOPE rel8 11+m DEC count; jump short if count <> 0 and ZF=1 E1 cb LOOPZ rel8 11+m DEC count; jump short if count <> 0 and ZF=1 E0 cb LOOPNE rel8 11+m DEC count; jump short if count <> 0 and ZF=0 E0 cb LOOPNZ rel8 11+m DEC count; jump short if count <> 0 and ZF=0 Operation IF AddressSize = 16 THEN CountReg is CX ELSE CountReg is ECX; FI; CountReg CountReg - 1; IF instruction <> LOOP THEN IF (instruction = LOOPE) OR (instruction = LOOPZ) THEN BranchCond (ZF = 1) AND (CountReg <> 0); FI; IF (instruction = LOOPNE) OR (instruction = LOOPNZ) THEN BranchCond (ZF = 0) AND (CountReg <> 0); FI; FI; IF BranchCond THEN IF OperandSize = 16 THEN IP IP + SignExtend(rel8); ELSE (* OperandSize = 32 *) EIP EIP + SignExtend(rel8); FI; FI; Description LOOP decrements the count register without changing any of the flags. Conditions are then checked for the form of LOOP being used. If the conditions are met, a short jump is made to the label given by the operand to LOOP. If the address-size attribute is 16 bits, the CX register is used as the count register; otherwise the ECX register is used. The operand of LOOP must be in the range from 128 (decimal) bytes before the instruction to 127 bytes ahead of the instruction. The LOOP instructions provide iteration control and combine loop index management with conditional branching. Use the LOOP instruction by loading an unsigned iteration count into the count register, then code the LOOP at the end of a series of instructions to be iterated. The destination of LOOP is a label that points to the beginning of the iteration. Flags Affected None Protected Mode Exceptions #GP(0) if the offset jumped to is beyond the limits of the current code segment Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None LSL ── Load Segment Limit Opcode Instruction Clocks Description 0F 03 /r LSL r16,r/m16 pm=20/21 Load: r16 segment limit, selector r/m16 (byte granular) 0F 03 /r LSL r32,r/m32 pm=20/21 Load: r32 segment limit, selector r/m32 (byte granular) 0F 03 /r LSL r16,r/m16 pm=25/26 Load: r16 segment limit, selector r/m16 (page granular) 0F 03 /r LSL r32,r/m32 pm=25/26 Load: r32 segment limit, selector r/m32 (page granular) Description The LSL instruction loads a register with an unscrambled segment limit, and sets ZF to 1, provided that the source selector is visible at the CPL weakened by RPL, and that the descriptor is a type accepted by LSL. Otherwise, ZF is cleared to 0, and the destination register is unchanged. The segment limit is loaded as a byte granular value. If the descriptor has a page granular segment limit, LSL will translate it to a byte limit before loading it in the destination register (shift left 12 the 20-bit "raw" limit from descriptor, then OR with 00000FFFH). The 32-bit forms of this instruction store the 32-bit byte granular limit in the 16-bit destination register. Code and data segment descriptors are valid for LSL. The valid special segment and gate descriptor types for LSL are given in the following table: Type Name Valid/Invalid 0 Invalid Invalid 1 Available 80286 TSS Valid 2 LDT Valid 3 Busy 80286 TSS Valid 4 80286 call gate Invalid 5 80286/80386 task gate Invalid 6 80286 trap gate Invalid 7 80286 interrupt gate Invalid 8 Invalid Valid 9 Available 80386 TSS Valid A Invalid Invalid B Busy 80386 TSS Valid C 80386 call gate Invalid D Invalid Invalid E 80386 trap gate Invalid F 80386 interrupt gate Invalid Flags Affected ZF as described above Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6; LSL is not recognized in Real Address Mode Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode LTR ── Load Task Register Opcode Instruction Clocks Description 0F 00 /3 LTR r/m16 pm=23/27 Load EA word into task register Description LTR loads the task register from the source register or memory location specified by the operand. The loaded task state segment is marked busy. A task switch does not occur. LTR is used only in operating system software; it is not used in application programs. Flags Affected None Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #GP(0) if the current privilege level is not 0; #GP(selector) if the object named by the source selector is not a TSS or is already busy; #NP(selector) if the TSS is marked "not present"; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6; LTR is not recognized in Real Address Mode Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode Notes The operand-size attribute has no effect on this instruction. MOV ── Move Data Opcode Instruction Clocks Description 88 /r MOV r/m8,r8 2/2 Move byte register to r/m byte 89 /r MOV r/m16,r16 2/2 Move word register to r/m word 89 /r MOV r/m32,r32 2/2 Move dword register to r/m dword 8A /r MOV r8,r/m8 2/4 Move r/m byte to byte register 8B /r MOV r16,r/m16 2/4 Move r/m word to word register 8B /r MOV r32,r/m32 2/4 Move r/m dword to dword register 8C /r MOV r/m16,Sreg 2/2 Move segment register to r/m word 8D /r MOV Sreg,r/m16 2/5,pm=18/19 Move r/m word to segment register A0 MOV AL,moffs8 4 Move byte at (seg:offset) to AL A1 MOV AX,moffs16 4 Move word at (seg:offset) to AX A1 MOV EAX,moffs32 4 Move dword at (seg:offset) to EAX A2 MOV moffs8,AL 2 Move AL to (seg:offset) A3 MOV moffs16,AX 2 Move AX to (seg:offset) A3 MOV moffs32,EAX 2 Move EAX to (seg:offset) B0 + rb MOV reg8,imm8 2 Move immediate byte to register B8 + rw MOV reg16,imm16 2 Move immediate word to register B8 + rd MOV reg32,imm32 2 Move immediate dword to register C6 MOV r/m8,imm8 2/2 Move immediate byte to r/m byte C7 MOV r/m16,imm16 2/2 Move immediate word to r/m word C7 MOV r/m32,imm32 2/2 Move immediate dword to r/m dword ─────────────────────────────────────────────────────────────────────────── NOTES: moffs8, moffs16, and moffs32 all consist of a simple offset relative to the segment base. The 8, 16, and 32 refer to the size of the data. The address-size attribute of the instruction determines the size of the offset, either 16 or 32 bits. ─────────────────────────────────────────────────────────────────────────── Operation DEST SRC; Description MOV copies the second operand to the first operand. If the destination operand is a segment register (DS, ES, SS, etc.), then data from a descriptor is also loaded into the register. The data for the register is obtained from the descriptor table entry for the selector given. A null selector (values 0000-0003) can be loaded into DS and ES registers without causing an exception; however, use of DS or ES causes a #GP(0), and no memory reference occurs. A MOV into SS inhibits all interrupts until after the execution of the next instruction (which is presumably a MOV into eSP). Loading a segment register under 80386 Protected Mode results in special checks and actions, as described in the following listing: IF SS is loaded; THEN IF selector is null THEN #GP(0); FI; Selector index must be within its descriptor table limits else #GP(selector); Selector's RPL must equal CPL else #GP(selector); AR byte must indicate a writable data segment else #GP(selector); DPL in the AR byte must equal CPL else #GP(selector); Segment must be marked present else #SS(selector); Load SS with selector; Load SS with descriptor. FI; IF DS, ES, FS or GS is loaded with non-null selector; THEN Selector index must be within its descriptor table limits else #GP(selector); AR byte must indicate data or readable code segment else #GP(selector); IF data or nonconforming code segment THEN both the RPL and the CPL must be less than or equal to DPL in AR byte; ELSE #GP(selector); FI; Segment must be marked present else #NP(selector); Load segment register with selector; Load segment register with descriptor; FI; IF DS, ES, FS or GS is loaded with a null selector; THEN Load segment register with selector; Clear descriptor valid bit; FI; Flags Affected None Protected Mode Exceptions #GP, #SS, and #NP if a segment register is being loaded; otherwise, #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault MOV ── Move to/from Special Registers Opcode Instruction Clocks Description 0F 20 /r MOV r32,CR0/CR2/CR3 6 Move (control register) to (register) 0F 22 /r MOV CR0/CR2/CR3,r32 10/4/5 Move (register) to (control register) 0F 21 /r MOV r32,DR0 -- 3 22 Move (debug register) to (register) 0F 21 /r MOV r32,DR6/DR7 14 Move (debug register) to (register) 0F 23 /r MOV DR0 -- 3,r32 22 Move (register) to (debug register) 0F 23 /r MOV DR6/DR7,r32 16 Move (register) to (debug register) 0F 24 /r MOV r32,TR6/TR7 12 Move (test register) to (register) 0F 26 /r MOV TR6/TR7,r32 12 Move (register) to (test register) Operation DEST SRC; Description The above forms of MOV store or load the following special registers in or from a general purpose register: ■ Control registers CR0, CR2, and CR3 ■ Debug Registers DR0, DR1, DR2, DR3, DR6, and DR7 ■ Test Registers TR6 and TR7 32-bit operands are always used with these instructions, regardless of the operand-size attribute. Flags Affected OF, SF, ZF, AF, PF, and CF are undefined Protected Mode Exceptions #GP(0) if the current privilege level is not 0 Real Address Mode Exceptions None Virtual 8086 Mode Exceptions #GP(0) if instruction execution is attempted Notes The instructions must be executed at privilege level 0 or in real-address mode; otherwise, a protection exception will be raised. The reg field within the ModRM byte specifies which of the special registers in each category is involved. The two bits in the field are always 11. The r/m field specifies the general register involved. MOVS/MOVSB/MOVSW/MOVSD ── Move Data from String to String Opcode Instruction Clocks Description A4 MOVS m8,m8 7 Move byte [(E)SI] to ES:[(E)DI] A5 MOVS m16,m16 7 Move word [(E)SI] to ES:[(E)DI] A5 MOVS m32,m32 7 Move dword [(E)SI] to ES:[(E)DI] A4 MOVSB 7 Move byte DS:[(E)SI] to ES:[(E)DI] A5 MOVSW 7 Move word DS:[(E)SI] to ES:[(E)DI] A5 MOVSD 7 Move dword DS:[(E)SI] to ES:[(E)DI] Operation IF (instruction = MOVSD) OR (instruction has doubleword operands) THEN OperandSize 32; ELSE OperandSize 16; IF AddressSize = 16 THEN use SI for source-index and DI for destination-index; ELSE (* AddressSize = 32 *) use ESI for source-index and EDI for destination-index; FI; IF byte type of instruction THEN [destination-index] [source-index]; (* byte assignment *) IF DF = 0 THEN IncDec 1 ELSE IncDec -1; FI; ELSE IF OperandSize = 16 THEN [destination-index] [source-index]; (* word assignment *) IF DF = 0 THEN IncDec 2 ELSE IncDec -2; FI; ELSE (* OperandSize = 32 *) [destination-index] [source-index]; (* doubleword assignment *) IF DF = 0 THEN IncDec 4 ELSE IncDec -4; FI; FI; FI; source-index source-index + IncDec; destination-index destination-index + IncDec; Description MOVS copies the byte or word at [(E)SI] to the byte or word at ES:[(E)DI]. The destination operand must be addressable from the ES register; no segment override is possible for the destination. A segment override can be used for the source operand; the default is DS. The addresses of the source and destination are determined solely by the contents of (E)SI and (E)DI. Load the correct index values into (E)SI and (E)DI before executing the MOVS instruction. MOVSB, MOVSW, and MOVSD are synonyms for the byte, word, and doubleword MOVS instructions. After the data is moved, both (E)SI and (E)DI are advanced automatically. If the direction flag is 0 (CLD was executed), the registers are incremented; if the direction flag is 1 (STD was executed), the registers are decremented. The registers are incremented or decremented by 1 if a byte was moved, 2 if a word was moved, or 4 if a doubleword was moved. MOVS can be preceded by the REP prefix for block movement of CX bytes or words. Refer to the REP instruction for details of this operation. Flags Affected None Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault MOVSX ── Move with Sign-Extend Opcode Instruction Clocks Description 0F BE /r MOVSX r16,r/m8 3/6 Move byte to word with sign-extend 0F BE /r MOVSX r32,r/m8 3/6 Move byte to dword, sign-extend 0F BF /r MOVSX r32,r/m16 3/6 Move word to dword, sign-extend Operation DEST SignExtend(SRC); Description MOVSX reads the contents of the effective address or register as a byte or a word, sign-extends the value to the operand-size attribute of the instruction (16 or 32 bits), and stores the result in the destination register. Flags Affected None Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault MOVZX ── Move with Zero-Extend Opcode Instruction Clocks Description 0F B6 /r MOVZX r16,r/m8 3/6 Move byte to word with zero-extend 0F B6 /r MOVZX r32,r/m8 3/6 Move byte to dword, zero-extend 0F B7 /r MOVZX r32,r/m16 3/6 Move word to dword, zero-extend Operation DEST ZeroExtend(SRC); Description MOVZX reads the contents of the effective address or register as a byte or a word, zero extends the value to the operand-size attribute of the instruction (16 or 32 bits), and stores the result in the destination register. Flags Affected None Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault MUL ── Unsigned Multiplication of AL or AX Opcode Instruction Clocks Description F6 /4 MUL AL,r/m8 9-14/12-17 Unsigned multiply (AX AL * r/m byte) F7 /4 MUL AX,r/m16 9-22/12-25 Unsigned multiply (DX:AX AX * r/m word) F7 /4 MUL EAX,r/m32 9-38/12-41 Unsigned multiply (EDX:EAX EAX * r/m dword) ─────────────────────────────────────────────────────────────────────────── NOTES: The 80386 uses an early-out multiply algorithm. The actual number of clocks depends on the position of the most significant bit in the optimizing multiplier, shown underlined above. The optimization occurs for positive and negative multiplier values. Because of the early-out algorithm, clock counts given are minimum to maximum. To calculate the actual clocks, use the following formula: Actual clock = if <> 0 then max(ceiling(log{2} │m│), 3) + 6 clocks; Actual clock = if = 0 then 9 clocks where m is the multiplier. ─────────────────────────────────────────────────────────────────────────── Operation IF byte-size operation THEN AX AL * r/m8 ELSE (* word or doubleword operation *) IF OperandSize = 16 THEN DX:AX AX * r/m16 ELSE (* OperandSize = 32 *) EDX:EAX EAX * r/m32 FI; FI; Description MUL performs unsigned multiplication. Its actions depend on the size of its operand, as follows: ■ A byte operand is multiplied by AL; the result is left in AX. The carry and overflow flags are set to 0 if AH is 0; otherwise, they are set to 1. ■ A word operand is multiplied by AX; the result is left in DX:AX. DX contains the high-order 16 bits of the product. The carry and overflow flags are set to 0 if DX is 0; otherwise, they are set to 1. ■ A doubleword operand is multiplied by EAX and the result is left in EDX:EAX. EDX contains the high-order 32 bits of the product. The carry and overflow flags are set to 0 if EDX is 0; otherwise, they are set to 1. Flags Affected OF and CF as described above; SF, ZF, AF, PF, and CF are undefined Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault NEG ── Two's Complement Negation Opcode Instruction Clocks Description F6 /3 NEG r/m8 2/6 Two's complement negate r/m byte F7 /3 NEG r/m16 2/6 Two's complement negate r/m word F7 /3 NEG r/m32 2/6 Two's complement negate r/m dword Operation IF r/m = 0 THEN CF 0 ELSE CF 1; FI; r/m - r/m; Description NEG replaces the value of a register or memory operand with its two's complement. The operand is subtracted from zero, and the result is placed in the operand. The carry flag is set to 1, unless the operand is zero, in which case the carry flag is cleared to 0. Flags Affected CF as described above; OF, SF, ZF, and PF as described in Appendix C Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in real-address mode; #PF(fault-code) for a page fault NOP ── No Operation Opcode Instruction Clocks Description 90 NOP 3 No operation Description NOP performs no operation. NOP is a one-byte instruction that takes up space but affects none of the machine context except (E)IP. NOP is an alias mnemonic for the XCHG (E)AX, (E)AX instruction. Flags Affected None Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None NOT ── One's Complement Negation Opcode Instruction Clocks Description F6 /2 NOT r/m8 2/6 Reverse each bit of r/m byte F7 /2 NOT r/m16 2/6 Reverse each bit of r/m word F7 /2 NOT r/m32 2/6 Reverse each bit of r/m dword Operation r/m NOT r/m; Description NOT inverts the operand; every 1 becomes a 0, and vice versa. Flags Affected None Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in real-address mode; #PF(fault-code) for a page fault OR ── Logical Inclusive OR Opcode Instruction Clocks Description 0C ib OR AL,imm8 2 OR immediate byte to AL 0D iw OR AX,imm16 2 OR immediate word to AX 0D id OR EAX,imm32 2 OR immediate dword to EAX 80 /1 ib OR r/m8,imm8 2/7 OR immediate byte to r/m byte 81 /1 iw OR r/m16,imm16 2/7 OR immediate word to r/m word 81 /1 id OR r/m32,imm32 2/7 OR immediate dword to r/m dword 83 /1 ib OR r/m16,imm8 2/7 OR sign-extended immediate byte with r/m word 83 /1 ib OR r/m32,imm8 2/7 OR sign-extended immediate byte with r/m dword 08 /r OR r/m8,r8 2/6 OR byte register to r/m byte 09 /r OR r/m16,r16 2/6 OR word register to r/m word 09 /r OR r/m32,r32 2/6 OR dword register to r/m dword 0A /r OR r8,r/m8 2/7 OR byte register to r/m byte 0B /r OR r16,r/m16 2/7 OR word register to r/m word 0B /r OR r32,r/m32 2/7 OR dword register to r/m dword Operation DEST DEST OR SRC; CF 0; OF 0 Description OR computes the inclusive OR of its two operands and places the result in the first operand. Each bit of the result is 0 if both corresponding bits of the operands are 0; otherwise, each bit is 1. Flags Affected OF 0, CF 0; SF, ZF, and PF as described in Appendix C; AF is undefined Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in real-address mode; #PF(fault-code) for a page fault OUT ── Output to Port Opcode Instruction Clocks Description E6 ib OUT imm8,AL 10,pm=4*/24** Output byte AL to immediate port number E7 ib OUT imm8,AX 10,pm=4*/24** Output word AL to immediate port number E7 ib OUT imm8,EAX 10,pm=4*/24** Output dword AL to immediate port number EE OUT DX,AL 11,pm=5*/25** Output byte AL to port number in DX EF OUT DX,AX 11,pm=5*/25** Output word AL to port number in DX EF OUT DX,EAX 11,pm=5*/25** Output dword AL to port number in DX ─────────────────────────────────────────────────────────────────────────── NOTES: *If CPL ≤ IOPL **If CPL > IOPL or if in virtual 8086 mode ─────────────────────────────────────────────────────────────────────────── Operation IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) IF NOT I-O-Permission (DEST, width(DEST)) THEN #GP(0); FI; FI; [DEST] SRC; (* I/O address space used *) Description OUT transfers a data byte or data word from the register (AL, AX, or EAX) given as the second operand to the output port numbered by the first operand. Output to any port from 0 to 65535 is performed by placing the port number in the DX register and then using an OUT instruction with DX as the first operand. If the instruction contains an eight-bit port ID, that value is zero-extended to 16 bits. Flags Affected None Protected Mode Exceptions #GP(0) if the current privilege level is higher (has less privilege) than IOPL and any of the corresponding I/O permission bits in TSS equals 1 Real Address Mode Exceptions None Virtual 8086 Mode Exceptions #GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1 OUTS/OUTSB/OUTSW/OUTSD ── Output String to Port Opcode Instruction Clocks Description 6E OUTS DX,r/m8 14,pm=8*/28** Output byte [(E)SI] to port in DX 6F OUTS DX,r/m16 14,pm=8*/28** Output word [(E)SI] to port in DX 6F OUTS DX,r/m32 14,pm=8*/28** Output dword [(E)SI] to port in DX 6E OUTSB 14,pm=8*/28** Output byte DS:[(E)SI] to port in DX 6F OUTSW 14,pm=8*/28** Output word DS:[(E)SI] to port in DX 6F OUTSD 14,pm=8*/28** Output dword DS:[(E)SI] to port in DX ─────────────────────────────────────────────────────────────────────────── NOTES: *If CPL ≤ IOPL **If CPL > IOPL or if in virtual 8086 mode ─────────────────────────────────────────────────────────────────────────── Operation IF AddressSize = 16 THEN use SI for source-index; ELSE (* AddressSize = 32 *) use ESI for source-index; FI; IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) IF NOT I-O-Permission (DEST, width(DEST)) THEN #GP(0); FI; FI; IF byte type of instruction THEN [DX] [source-index]; (* Write byte at DX I/O address *) IF DF = 0 THEN IncDec 1 ELSE IncDec -1; FI; FI; IF OperandSize = 16 THEN [DX] [source-index]; (* Write word at DX I/O address *) IF DF = 0 THEN IncDec 2 ELSE IncDec -2; FI; FI; IF OperandSize = 32 THEN [DX] [source-index]; (* Write dword at DX I/O address *) IF DF = 0 THEN IncDec 4 ELSE IncDec -4; FI; FI; FI; source-index source-index + IncDec; Description OUTS transfers data from the memory byte, word, or doubleword at the source-index register to the output port addressed by the DX register. If the address-size attribute for this instruction is 16 bits, SI is used for the source-index register; otherwise, the address-size attribute is 32 bits, and ESI is used for the source-index register. OUTS does not allow specification of the port number as an immediate value. The port must be addressed through the DX register value. Load the correct value into DX before executing the OUTS instruction. The address of the source data is determined by the contents of source-index register. Load the correct index value into SI or ESI before executing the OUTS instruction. After the transfer, source-index register is advanced automatically. If the direction flag is 0 (CLD was executed), the source-index register is incremented; if the direction flag is 1 (STD was executed), it is decremented. The amount of the increment or decrement is 1 if a byte is output, 2 if a word is output, or 4 if a doubleword is output. OUTSB, OUTSW, and OUTSD are synonyms for the byte, word, and doubleword OUTS instructions. OUTS can be preceded by the REP prefix for block output of CX bytes or words. Refer to the REP instruction for details on this operation. Flags Affected None Protected Mode Exceptions #GP(0) if CPL is greater than IOPL and any of the corresponding I/O permission bits in TSS equals 1; #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions #GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault-code) for a page fault POP ── Pop a Word from the Stack Opcode Instruction Clocks Description 8F /0 POP m16 5 Pop top of stack into memory word 8F /0 POP m32 5 Pop top of stack into memory dword 58 + rw POP r16 4 Pop top of stack into word register 58 + rd POP r32 4 Pop top of stack into dword register 1F POP DS 7,pm=21 Pop top of stack into DS 07 POP ES 7,pm=21 Pop top of stack into ES 17 POP SS 7,pm=21 Pop top of stack into SS 0F A1 POP FS 7,pm=21 Pop top of stack into FS 0F A9 POP GS 7,pm=21 Pop top of stack into GS Operation IF StackAddrSize = 16 THEN IF OperandSize = 16 THEN DEST (SS:SP); (* copy a word *) SP SP + 2; ELSE (* OperandSize = 32 *) DEST (SS:SP); (* copy a dword *) SP SP + 4; FI; ELSE (* StackAddrSize = 32 * ) IF OperandSize = 16 THEN DEST (SS:ESP); (* copy a word *) ESP ESP + 2; ELSE (* OperandSize = 32 *) DEST (SS:ESP); (* copy a dword *) ESP ESP + 4; FI; FI; Description POP replaces the previous contents of the memory, the register, or the segment register operand with the word on the top of the 80386 stack, addressed by SS:SP (address-size attribute of 16 bits) or SS:ESP (addresssize attribute of 32 bits). The stack pointer SP is incremented by 2 for an operand-size of 16 bits or by 4 for an operand-size of 32 bits. It then points to the new top of stack. POP CS is not an 80386 instruction. Popping from the stack into the CS register is accomplished with a RET instruction. If the destination operand is a segment register (DS, ES, FS, GS, or SS), the value popped must be a selector. In protected mode, loading the selector initiates automatic loading of the descriptor information associated with that selector into the hidden part of the segment register; loading also initiates validation of both the selector and the descriptor information. A null value (0000-0003) may be popped into the DS, ES, FS, or GS register without causing a protection exception. An attempt to reference a segment whose corresponding segment register is loaded with a null value causes a #GP(0) exception. No memory reference occurs. The saved value of the segment register is null. A POP SS instruction inhibits all interrupts, including NMI, until after execution of the next instruction. This allows sequential execution of POP SS and POP eSP instructions without danger of having an invalid stack during an interrupt. However, use of the LSS instruction is the preferred method of loading the SS and eSP registers. Loading a segment register while in protected mode results in special checks and actions, as described in the following listing: IF SS is loaded: IF selector is null THEN #GP(0); Selector index must be within its descriptor table limits ELSE #GP(selector); Selector's RPL must equal CPL ELSE #GP(selector); AR byte must indicate a writable data segment ELSE #GP(selector); DPL in the AR byte must equal CPL ELSE #GP(selector); Segment must be marked present ELSE #SS(selector); Load SS register with selector; Load SS register with descriptor; IF DS, ES, FS or GS is loaded with non-null selector: AR byte must indicate data or readable code segment ELSE #GP(selector); IF data or nonconforming code THEN both the RPL and the CPL must be less than or equal to DPL in AR byte ELSE #GP(selector); FI; Segment must be marked present ELSE #NP(selector); Load segment register with selector; Load segment register with descriptor; IF DS, ES, FS, or GS is loaded with a null selector: Load segment register with selector Clear valid bit in invisible portion of register Flags Affected None Protected Mode Exceptions #GP, #SS, and #NP if a segment register is being loaded; #SS(0) if the current top of stack is not within the stack segment; #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in real-address mode; #PF(fault-code) for a page fault POPA/POPAD ── Pop all General Registers Opcode Instruction Clocks Description 61 POPA 24 Pop DI, SI, BP, SP, BX, DX, CX, and AX 61 POPAD 24 Pop EDI, ESI, EBP, ESP, EDX, ECX, and EAX Operation IF OperandSize = 16 (* instruction = POPA *) THEN DI Pop(); SI Pop(); BP Pop(); throwaway Pop (); (* Skip SP *) BX Pop(); DX Pop(); CX Pop(); AX Pop(); ELSE (* OperandSize = 32, instruction = POPAD *) EDI Pop(); ESI Pop(); EBP Pop(); throwaway Pop (); (* Skip ESP *) EBX Pop(); EDX Pop(); ECX Pop(); EAX Pop(); FI; Description POPA pops the eight 16-bit general registers. However, the SP value is discarded instead of loaded into SP. POPA reverses a previous PUSHA, restoring the general registers to their values before PUSHA was executed. The first register popped is DI. POPAD pops the eight 32-bit general registers. The ESP value is discarded instead of loaded into ESP. POPAD reverses the previous PUSHAD, restoring the general registers to their values before PUSHAD was executed. The first register popped is EDI. Flags Affected None Protected Mode Exceptions #SS(0) if the starting or ending stack address is not within the stack segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in real-address mode; #PF(fault-code) for a page fault POPF/POPFD ── Pop Stack into FLAGS or EFLAGS Register Opcode Instruction Clocks Description 9D POPF 5 Pop top of stack FLAGS 9D POPFD 5 Pop top of stack into EFLAGS Operation Flags Pop(); Description POPF/POPFD pops the word or doubleword on the top of the stack and stores the value in the flags register. If the operand-size attribute of the instruction is 16 bits, then a word is popped and the value is stored in FLAGS. If the operand-size attribute is 32 bits, then a doubleword is popped and the value is stored in EFLAGS. Refer to Chapter 2 and Chapter 4 for information about the FLAGS and EFLAGS registers. Note that bits 16 and 17 of EFLAGS, called VM and RF, respectively, are not affected by POPF or POPFD. The I/O privilege level is altered only when executing at privilege level 0. The interrupt flag is altered only when executing at a level at least as privileged as the I/O privilege level. (Real-address mode is equivalent to privilege level 0.) If a POPF instruction is executed with insufficient privilege, an exception does not occur, but the privileged bits do not change. Flags Affected All flags except VM and RF Protected Mode Exceptions #SS(0) if the top of stack is not within the stack segment Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions #GP(0) fault if IOPL is less than 3, to permit emulation PUSH ── Push Operand onto the Stack Opcode Instruction Clocks Description FF /6 PUSH m16 5 Push memory word FF /6 PUSH m32 5 Push memory dword 50 + /r PUSH r16 2 Push register word 50 + /r PUSH r32 2 Push register dword 6A PUSH imm8 2 Push immediate byte 68 PUSH imm16 2 Push immediate word 68 PUSH imm32 2 Push immediate dword 0E PUSH CS 2 Push CS 16 PUSH SS 2 Push SS 1E PUSH DS 2 Push DS 06 PUSH ES 2 Push ES 0F A0 PUSH FS 2 Push FS OF A8 PUSH GS 2 Push GS Operation IF StackAddrSize = 16 THEN IF OperandSize = 16 THEN SP SP - 2; (SS:SP) (SOURCE); (* word assignment *) ELSE SP SP - 4; (SS:SP) (SOURCE); (* dword assignment *) FI; ELSE (* StackAddrSize = 32 *) IF OperandSize = 16 THEN ESP ESP - 2; (SS:ESP) (SOURCE); (* word assignment *) ELSE ESP ESP - 4; (SS:ESP) (SOURCE); (* dword assignment *) FI; FI; Description PUSH decrements the stack pointer by 2 if the operand-size attribute of the instruction is 16 bits; otherwise, it decrements the stack pointer by 4. PUSH then places the operand on the new top of stack, which is pointed to by the stack pointer. The 80386 PUSH eSP instruction pushes the value of eSP as it existed before the instruction. This differs from the 8086, where PUSH SP pushes the new value (decremented by 2). Flags Affected None Protected Mode Exceptions #SS(0) if the new value of SP or ESP is outside the stack segment limit; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions None; if SP or ESP is 1, the 80386 shuts down due to a lack of stack space Virtual 8086 Mode Exceptions Same exceptions as in real-address mode; #PF(fault-code) for a page fault PUSHA/PUSHAD ── Push all General Registers Opcode Instruction Clocks Description 60 PUSHA 18 Push AX, CX, DX, BX, original SP, BP, SI, and DI 60 PUSHAD 18 Push EAX, ECX, EDX, EBX, original ESP, EBP, ESI, and EDI Operation IF OperandSize = 16 (* PUSHA instruction *) THEN Temp (SP); Push(AX); Push(CX); Push(DX); Push(BX); Push(Temp); Push(BP); Push(SI); Push(DI); ELSE (* OperandSize = 32, PUSHAD instruction *) Temp (ESP); Push(EAX); Push(ECX); Push(EDX); Push(EBX); Push(Temp); Push(EBP); Push(ESI); Push(EDI); FI; Description PUSHA and PUSHAD save the 16-bit or 32-bit general registers, respectively, on the 80386 stack. PUSHA decrements the stack pointer (SP) by 16 to hold the eight word values. PUSHAD decrements the stack pointer (ESP) by 32 to hold the eight doubleword values. Because the registers are pushed onto the stack in the order in which they were given, they appear in the 16 or 32 new stack bytes in reverse order. The last register pushed is DI or EDI. Flags Affected None Protected Mode Exceptions #SS(0) if the starting or ending stack address is outside the stack segment limit; #PF(fault-code) for a page fault Real Address Mode Exceptions Before executing PUSHA or PUSHAD, the 80386 shuts down if SP or ESP equals 1, 3, or 5; if SP or ESP equals 7, 9, 11, 13, or 15, exception 13 occurs Virtual 8086 Mode Exceptions Same exceptions as in real-address mode; #PF(fault-code) for a page fault PUSHF/PUSHFD ── Push Flags Register onto the Stack Opcode Instruction Clocks Description 9C PUSHF 4 Push FLAGS 9C PUSHFD 4 Push EFLAGS Operation IF OperandSize = 32 THEN push(EFLAGS); ELSE push(FLAGS); FI; Description PUSHF decrements the stack pointer by 2 and copies the FLAGS register to the new top of stack; PUSHFD decrements the stack pointer by 4, and the 80386 EFLAGS register is copied to the new top of stack which is pointed to by SS:eSP. Refer to Chapter 2 and Chapter 4 for information on the EFLAGS register. Flags Affected None Protected Mode Exceptions #SS(0) if the new value of eSP is outside the stack segment boundaries Real Address Mode Exceptions None; the 80386 shuts down due to a lack of stack space Virtual 8086 Mode Exceptions #GP(0) fault if IOPL is less than 3, to permit emulation RCL/RCR/ROL/ROR ── Rotate Opcode Instruction Clocks Description D0 /2 RCL r/m8,1 9/10 Rotate 9 bits (CF,r/m byte) left once D2 /2 RCL r/m8,CL 9/10 Rotate 9 bits (CF,r/m byte) left CL times C0 /2 ib RCL r/m8,imm8 9/10 Rotate 9 bits (CF,r/m byte) left imm8 times D1 /2 RCL r/m16,1 9/10 Rotate 17 bits (CF,r/m word) left once D3 /2 RCL r/m16,CL 9/10 Rotate 17 bits (CF,r/m word) left CL times C1 /2 ib RCL r/m16,imm8 9/10 Rotate 17 bits (CF,r/m word) left imm8 times D1 /2 RCL r/m32,1 9/10 Rotate 33 bits (CF,r/m dword) left once D3 /2 RCL r/m32,CL 9/10 Rotate 33 bits (CF,r/m dword) left CL times C1 /2 ib RCL r/m32,imm8 9/10 Rotate 33 bits (CF,r/m dword) left imm8 times D0 /3 RCR r/m8,1 9/10 Rotate 9 bits (CF,r/m byte) right once D2 /3 RCR r/m8,CL 9/10 Rotate 9 bits (CF,r/m byte) right CL times C0 /3 ib RCR r/m8,imm8 9/10 Rotate 9 bits (CF,r/m byte) right imm8 times D1 /3 RCR r/m16,1 9/10 Rotate 17 bits (CF,r/m word) right once D3 /3 RCR r/m16,CL 9/10 Rotate 17 bits (CF,r/m word) right CL times C1 /3 ib RCR r/m16,imm8 9/10 Rotate 17 bits (CF,r/m word) right imm8 times D1 /3 RCR r/m32,1 9/10 Rotate 33 bits (CF,r/m dword) right once D3 /3 RCR r/m32,CL 9/10 Rotate 33 bits (CF,r/m dword) right CL times C1 /3 ib RCR r/m32,imm8 9/10 Rotate 33 bits (CF,r/m dword) right imm8 times D0 /0 ROL r/m8,1 3/7 Rotate 8 bits r/m byte left once D2 /0 ROL r/m8,CL 3/7 Rotate 8 bits r/m byte left CL times C0 /0 ib ROL r/m8,imm8 3/7 Rotate 8 bits r/m byte left imm8 times D1 /0 ROL r/m16,1 3/7 Rotate 16 bits r/m word left once D3 /0 ROL r/m16,CL 3/7 Rotate 16 bits r/m word left CL times C1 /0 ib ROL r/m16,imm8 3/7 Rotate 16 bits r/m word left imm8 times D1 /0 ROL r/m32,1 3/7 Rotate 32 bits r/m dword left once D3 /0 ROL r/m32,CL 3/7 Rotate 32 bits r/m dword left CL times C1 /0 ib ROL r/m32,imm8 3/7 Rotate 32 bits r/m dword left imm8 times D0 /1 ROR r/m8,1 3/7 Rotate 8 bits r/m byte right once D2 /1 ROR r/m8,CL 3/7 Rotate 8 bits r/m byte right CL times C0 /1 ib ROR r/m8,imm8 3/7 Rotate 8 bits r/m word right imm8 times D1 /1 ROR r/m16,1 3/7 Rotate 16 bits r/m word right once D3 /1 ROR r/m16,CL 3/7 Rotate 16 bits r/m word right CL times C1 /1 ib ROR r/m16,imm8 3/7 Rotate 16 bits r/m word right imm8 times D1 /1 ROR r/m32,1 3/7 Rotate 32 bits r/m dword right once D3 /1 ROR r/m32,CL 3/7 Rotate 32 bits r/m dword right CL times C1 /1 ib ROR r/m32,imm8 3/7 Rotate 32 bits r/m dword right imm8 times Operation (* ROL - Rotate Left *) temp COUNT; WHILE (temp <> 0) DO tmpcf high-order bit of (r/m); r/m r/m * 2 + (tmpcf); temp temp - 1; OD; IF COUNT = 1 THEN IF high-order bit of r/m <> CF THEN OF 1; ELSE OF 0; FI; ELSE OF undefined; FI; (* ROR - Rotate Right *) temp COUNT; WHILE (temp <> 0 ) DO tmpcf low-order bit of (r/m); r/m r/m / 2 + (tmpcf * 2^(width(r/m))); temp temp - 1; DO; IF COUNT = 1 THEN IF (high-order bit of r/m) <> (bit next to high-order bit of r/m) THEN OF 1; ELSE OF 0; FI; ELSE OF undefined; FI; Description Each rotate instruction shifts the bits of the register or memory operand given. The left rotate instructions shift all the bits upward, except for the top bit, which is returned to the bottom. The right rotate instructions do the reverse: the bits shift downward until the bottom bit arrives at the top. For the RCL and RCR instructions, the carry flag is part of the rotated quantity. RCL shifts the carry flag into the bottom bit and shifts the top bit into the carry flag; RCR shifts the carry flag into the top bit and shifts the bottom bit into the carry flag. For the ROL and ROR instructions, the original value of the carry flag is not a part of the result, but the carry flag receives a copy of the bit that was shifted from one end to the other. The rotate is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum instruction execution time, the 80386 does not allow rotation counts greater than 31. If a rotation count greater than 31 is attempted, only the bottom five bits of the rotation are used. The 8086 does not mask rotation counts. The 80386 in Virtual 8086 Mode does mask rotation counts. The overflow flag is defined only for the single-rotate forms of the instructions (second operand = 1). It is undefined in all other cases. For left shifts/rotates, the CF bit after the shift is XORed with the high-order result bit. For right shifts/rotates, the high-order two bits of the result are XORed to get OF. Flags Affected OF only for single rotates; OF is undefined for multi-bit rotates; CF as described above Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault REP/REPE/REPZ/REPNE/REPNZ ── Repeat Following String Operation Opcode Instruction Clocks Description F3 6C REP INS r/m8, DX 13+6*(E)CX, pm=7+6*(E)CX If CPL ≤ IOPL/ 27+6*(E)CX If CPL > IOPL or if in virtual 8086 mode Input (E)CX bytes from port DX into ES:[(E)DI] F3 6D REP INS r/m16,DX 13+6*(E)CX, pm=7+6*(E)CX If CPL ≤ IOPL/ 27+6*(E)CX If CPL > IOPL or if in virtual 8086 mode Input (E)CX words from port DX into ES:[(E)DI] F3 6D REP INS r/m32,DX 13+6*(E)CX, pm=7+6*(E)CX If CPL ≤ IOPL/ 27+6*(E)CX If CPL > IOPL or if in virtual 8086 mode Input (E)CX dwords from port DX into ES:[(E)DI] F3 A4 REP MOVS m8,m8 5+4*(E)CX Move (E)CX bytes from [(E)SI] to ES:[(E)DI] F3 A5 REP MOVS m16,m16 5+4*(E)CX Move (E)CX words from [(E)SI] to ES:[(E)DI] F3 A5 REP MOVS m32,m32 5+4*(E)CX Move (E)CX dwords from [(E)SI] to ES:[(E)DI] F3 6E REP OUTS DX,r/m8 5+12*(E)CX, pm=6+5*(E)CX If CPL ≤ IOPL/ 26+5*(E)CX If CPL > IOPL or if in virtual 8086 mode Output (E)CX bytes from [(E)SI] to port DX F3 6F REP OUTS DX,r/m16 5+12*(E)CX, pm=6+5*(E)CX If CPL ≤ IOPL/ 26+5*(E)CX If CPL > IOPL or if in virtual 8086 mode Output (E)CX words from [(E)SI] to port DX F3 6F REP OUTS DX,r/m32 5+12*(E)CX, pm=6+5*(E)CX If CPL ≤ IOPL/ 26+5*(E)CX If CPL > IOPL or if in virtual 8086 mode Output (E)CX dwords from [(E)SI] to port DX F3 AA REP STOS m8 5+5*(E)CX Fill (E)CX bytes at ES:[(E)DI] with AL F3 AB REP STOS m16 5+5*(E)CX Fill (E)CX words at ES:[(E)DI] with AX F3 AB REP STOS m32 5+5*(E)CX Fill (E)CX dwords at ES:[(E)DI] with EAX F3 A6 REPE CMPS m8,m8 5+9*N Find nonmatching bytes in ES:[(E)DI] and [(E)SI] F3 A7 REPE CMPS m16,m16 5+9*N Find nonmatching words in ES:[(E)DI] and [(E)SI] F3 A7 REPE CMPS m32,m32 5+9*N Find nonmatching dwords in ES:[(E)DI] and [(E)SI] F3 AE REPE SCAS m8 5+8*N Find non-AL byte starting at ES:[(E)DI] F3 AF REPE SCAS m16 5+8*N Find non-AX word starting at ES:[(E)DI] F3 AF REPE SCAS m32 5+8*N Find non-EAX dword starting at ES:[(E)DI] F2 A6 REPNE CMPS m8,m8 5+9*N Find matching bytes in ES:[(E)DI] and [(E)SI] F2 A7 REPNE CMPS m16,m16 5+9*N Find matching words in ES:[(E)DI] and [(E)SI] F2 A7 REPNE CMPS m32,m32 5+9*N Find matching dwords in ES:[(E)DI] and [(E)SI] F2 AE REPNE SCAS m8 5+8*N Find AL, starting at ES:[(E)DI] F2 AF REPNE SCAS m16 5+8*N Find AX, starting at ES:[(E)DI] F2 AF REPNE SCAS m32 5+8*N Find EAX, starting at ES:[(E)DI] Operation IF AddressSize = 16 THEN use CX for CountReg; ELSE (* AddressSize = 32 *) use ECX for CountReg; FI; WHILE CountReg <> 0 DO service pending interrupts (if any); perform primitive string instruction; CountReg CountReg - 1; IF primitive operation is CMPB, CMPW, SCAB, or SCAW THEN IF (instruction is REP/REPE/REPZ) AND (ZF=1) THEN exit WHILE loop ELSE IF (instruction is REPNZ or REPNE) AND (ZF=0) THEN exit WHILE loop; FI; FI; FI; OD; Description REP, REPE (repeat while equal), and REPNE (repeat while not equal) are prefix that are applied to string operation. Each prefix cause the string instruction that follows to be repeated the number of times indicated in the count register or (for REPE and REPNE) until the indicated condition in the zero flag is no longer met. Synonymous forms of REPE and REPNE are REPZ and REPNZ, respectively. The REP prefixes apply only to one string instruction at a time. To repeat a block of instructions, use the LOOP instruction or another looping construct. The precise action for each iteration is as follows: 1. If the address-size attribute is 16 bits, use CX for the count register; if the address-size attribute is 32 bits, use ECX for the count register. 2. Check CX. If it is zero, exit the iteration, and move to the next instruction. 3. Acknowledge any pending interrupts. 4. Perform the string operation once. 5. Decrement CX or ECX by one; no flags are modified. 6. Check the zero flag if the string operation is SCAS or CMPS. If the repeat condition does not hold, exit the iteration and move to the next instruction. Exit the iteration if the prefix is REPE and ZF is 0 (the last comparison was not equal), or if the prefix is REPNE and ZF is one (the last comparison was equal). 7. Return to step 1 for the next iteration. Repeated CMPS and SCAS instructions can be exited if the count is exhausted or if the zero flag fails the repeat condition. These two cases can be distinguished by using either the JCXZ instruction, or by using the conditional jumps that test the zero flag (JZ, JNZ, and JNE). Flags Affected ZF by REP CMPS and REP SCAS as described above Protected Mode Exceptions #UD if a repeat prefix is used before an instruction that is not in the list above; further exceptions can be generated when the string operation is executed; refer to the descriptions of the string instructions themselves Real Address Mode Exceptions Interrupt 6 if a repeat prefix is used before an instruction that is not in the list above; further exceptions can be generated when the string operation is executed; refer to the descriptions of the string instructions themselves Virtual 8086 Mode Exceptions #UD if a repeat prefix is used before an instruction that is not in the list above; further exceptions can be generated when the string operation is executed; refer to the descriptions of the string instructions themselves Notes Not all input/output ports can handle the rate at which the REP INS and REP OUTS instructions execute. RET ── Return from Procedure Opcode Instruction Clocks Description C3 RET 10+m Return (near) to caller CB RET 18+m,pm=32+m Return (far) to caller, same privilege CB RET pm=68 Return (far), lesser privilege, switch stacks C2 iw RET imm16 10+m Return (near), pop imm16 bytes of parameters CA iw RET imm16 18+m,pm=32+m Return (far), same privilege, pop imm16 bytes CA iw RET imm16 pm=68 Return (far), lesser privilege, pop imm16 bytes Operation IF instruction = near RET THEN; IF OperandSize = 16 THEN IP Pop(); EIP EIP AND 0000FFFFH; ELSE (* OperandSize = 32 *) EIP Pop(); FI; IF instruction has immediate operand THEN eSP eSP + imm16; FI; FI; IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or virtual 8086 mode *) AND instruction = far RET THEN; IF OperandSize = 16 THEN IP Pop(); EIP EIP AND 0000FFFFH; CS Pop(); (* 16-bit pop *) ELSE (* OperandSize = 32 *) EIP Pop(); CS Pop(); (* 32-bit pop, high-order 16-bits discarded *) FI; IF instruction has immediate operand THEN eSP eSP + imm16; FI; FI; IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) AND instruction = far RET THEN IF OperandSize=32 THEN Third word on stack must be within stack limits else #SS(0); ELSE Second word on stack must be within stack limits else #SS(0); FI; Return selector RPL must be ≥ CPL ELSE #GP(return selector) IF return selector RPL = CPL THEN GOTO SAME-LEVEL; ELSE GOTO OUTER-PRIVILEGE-LEVEL; FI; FI; SAME-LEVEL: Return selector must be non-null ELSE #GP(0) Selector index must be within its descriptor table limits ELSE #GP(selector) Descriptor AR byte must indicate code segment ELSE #GP(selector) IF non-conforming THEN code segment DPL must equal CPL; ELSE #GP(selector); FI; IF conforming THEN code segment DPL must be ≤ CPL; ELSE #GP(selector); FI; Code segment must be present ELSE #NP(selector); Top word on stack must be within stack limits ELSE #SS(0); IP must be in code segment limit ELSE #GP(0); IF OperandSize=32 THEN Load CS:EIP from stack Load CS register with descriptor Increment eSP by 8 plus the immediate offset if it exists ELSE (* OperandSize=16 *) Load CS:IP from stack Load CS register with descriptor Increment eSP by 4 plus the immediate offset if it exists FI; OUTER-PRIVILEGE-LEVEL: IF OperandSize=32 THEN Top (16+immediate) bytes on stack must be within stack limits ELSE #SS(0); ELSE Top (8+immediate) bytes on stack must be within stack limits ELSE #SS(0); FI; Examine return CS selector and associated descriptor: Selector must be non-null ELSE #GP(0); Selector index must be within its descriptor table limits ELSE #GP(selector) Descriptor AR byte must indicate code segment ELSE #GP(selector); IF non-conforming THEN code segment DPL must equal return selector RPL ELSE #GP(selector); FI; IF conforming THEN code segment DPL must be ≤ return selector RPL; ELSE #GP(selector); FI; Segment must be present ELSE #NP(selector) Examine return SS selector and associated descriptor: Selector must be non-null ELSE #GP(0); Selector index must be within its descriptor table limits ELSE #GP(selector); Selector RPL must equal the RPL of the return CS selector ELSE #GP(selector); Descriptor AR byte must indicate a writable data segment ELSE #GP(selector); Descriptor DPL must equal the RPL of the return CS selector ELSE #GP(selector); Segment must be present ELSE #NP(selector); IP must be in code segment limit ELSE #GP(0); Set CPL to the RPL of the return CS selector; IF OperandMode=32 THEN Load CS:EIP from stack; Set CS RPL to CPL; Increment eSP by 8 plus the immediate offset if it exists; Load SS:eSP from stack; ELSE (* OperandMode=16 *) Load CS:IP from stack; Set CS RPL to CPL; Increment eSP by 4 plus the immediate offset if it exists; Load SS:eSP from stack; FI; Load the CS register with the return CS descriptor; Load the SS register with the return SS descriptor; For each of ES, FS, GS, and DS DO IF the current register setting is not valid for the outer level, set the register to null (selector AR 0); To be valid, the register setting must satisfy the following properties: Selector index must be within descriptor table limits; Descriptor AR byte must indicate data or readable code segment; IF segment is data or non-conforming code, THEN DPL must be ≥ CPL, or DPL must be ≥ RPL; FI; OD; Description RET transfers control to a return address located on the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL. The optional numeric parameter to RET gives the number of stack bytes (OperandMode=16) or words (OperandMode=32) to be released after the return address is popped. These items are typically used as input parameters to the procedure called. For the intrasegment (near) return, the address on the stack is a segment offset, which is popped into the instruction pointer. The CS register is unchanged. For the intersegment (far) return, the address on the stack is a long pointer. The offset is popped first, followed by the selector. In real mode, CS and IP are loaded directly. In Protected Mode, an intersegment return causes the processor to check the descriptor addressed by the return selector. The AR byte of the descriptor must indicate a code segment of equal or lesser privilege (or greater or equal numeric value) than the current privilege level. Returns to a lesser privilege level cause the stack to be reloaded from the value saved beyond the parameter block. The DS, ES, FS, and GS segment registers can be set to 0 by the RET instruction during an interlevel transfer. If these registers refer to segments that cannot be used by the new privilege level, they are set to 0 to prevent unauthorized access from the new privilege level. Flags Affected None Protected Mode Exceptions #GP, #NP, or #SS, as described under "Operation" above; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would be outside the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault SAHF ── Store AH into Flags Opcode Instruction Clocks Description 9E SAHF 3 Store AH into flags SF ZF xx AF xx PF xx CF Operation SF:ZF:xx:AF:xx:PF:xx:CF AH; Description SAHF loads the flags listed above with values from the AH register, from bits 7, 6, 4, 2, and 0, respectively. Flags Affected SF, ZF, AF, PF, and CF as described above Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None SAL/SAR/SHL/SHR ── Shift Instructions Opcode Instruction Clocks Description D0 /4 SAL r/m8,1 3/7 Multiply r/m byte by 2, once D2 /4 SAL r/m8,CL 3/7 Multiply r/m byte by 2, CL times C0 /4 ib SAL r/m8,imm8 3/7 Multiply r/m byte by 2, imm8 times D1 /4 SAL r/m16,1 3/7 Multiply r/m word by 2, once D3 /4 SAL r/m16,CL 3/7 Multiply r/m word by 2, CL times C1 /4 ib SAL r/m16,imm8 3/7 Multiply r/m word by 2, imm8 times D1 /4 SAL r/m32,1 3/7 Multiply r/m dword by 2, once D3 /4 SAL r/m32,CL 3/7 Multiply r/m dword by 2, CL times C1 /4 ib SAL r/m32,imm8 3/7 Multiply r/m dword by 2, imm8 times D0 /7 SAR r/m8,1 3/7 Signed divide^(1) r/m byte by 2, once D2 /7 SAR r/m8,CL 3/7 Signed divide^(1) r/m byte by 2, CL times C0 /7 ib SAR r/m8,imm8 3/7 Signed divide^(1) r/m byte by 2, imm8 times D1 /7 SAR r/m16,1 3/7 Signed divide^(1) r/m word by 2, once D3 /7 SAR r/m16,CL 3/7 Signed divide^(1) r/m word by 2, CL times C1 /7 ib SAR r/m16,imm8 3/7 Signed divide^(1) r/m word by 2, imm8 times D1 /7 SAR r/m32,1 3/7 Signed divide^(1) r/m dword by 2, once D3 /7 SAR r/m32,CL 3/7 Signed divide^(1) r/m dword by 2, CL times C1 /7 ib SAR r/m32,imm8 3/7 Signed divide^(1) r/m dword by 2, imm8 times D0 /4 SHL r/m8,1 3/7 Multiply r/m byte by 2, once D2 /4 SHL r/m8,CL 3/7 Multiply r/m byte by 2, CL times C0 /4 ib SHL r/m8,imm8 3/7 Multiply r/m byte by 2, imm8 times D1 /4 SHL r/m16,1 3/7 Multiply r/m word by 2, once D3 /4 SHL r/m16,CL 3/7 Multiply r/m word by 2, CL times C1 /4 ib SHL r/m16,imm8 3/7 Multiply r/m word by 2, imm8 times D1 /4 SHL r/m32,1 3/7 Multiply r/m dword by 2, once D3 /4 SHL r/m32,CL 3/7 Multiply r/m dword by 2, CL times C1 /4 ib SHL r/m32,imm8 3/7 Multiply r/m dword by 2, imm8 times D0 /5 SHR r/m8,1 3/7 Unsigned divide r/m byte by 2, once D2 /5 SHR r/m8,CL 3/7 Unsigned divide r/m byte by 2, CL times C0 /5 ib SHR r/m8,imm8 3/7 Unsigned divide r/m byte by 2, imm8 times D1 /5 SHR r/m16,1 3/7 Unsigned divide r/m word by 2, once D3 /5 SHR r/m16,CL 3/7 Unsigned divide r/m word by 2, CL times C1 /5 ib SHR r/m16,imm8 3/7 Unsigned divide r/m word by 2, imm8 times D1 /5 SHR r/m32,1 3/7 Unsigned divide r/m dword by 2, once D3 /5 SHR r/m32,CL 3/7 Unsigned divide r/m dword by 2, CL times C1 /5 ib SHR r/m32,imm8 3/7 Unsigned divide r/m dword by 2, imm8 times Not the same division as IDIV; rounding is toward negative infinity. Operation (* COUNT is the second parameter *) (temp) COUNT; WHILE (temp <> 0) DO IF instruction is SAL or SHL THEN CF high-order bit of r/m; FI; IF instruction is SAR or SHR THEN CF low-order bit of r/m; FI; IF instruction = SAL or SHL THEN r/m r/m * 2; FI; IF instruction = SAR THEN r/m r/m /2 (*Signed divide, rounding toward negative infinity*); FI; IF instruction = SHR THEN r/m r/m / 2; (* Unsigned divide *); FI; temp temp - 1; OD; (* Determine overflow for the various instructions *) IF COUNT = 1 THEN IF instruction is SAL or SHL THEN OF high-order bit of r/m <> (CF); FI; IF instruction is SAR THEN OF 0; FI; IF instruction is SHR THEN OF high-order bit of operand; FI; ELSE OF undefined; FI; Description SAL (or its synonym, SHL) shifts the bits of the operand upward. The high-order bit is shifted into the carry flag, and the low-order bit is set to 0. SAR and SHR shift the bits of the operand downward. The low-order bit is shifted into the carry flag. The effect is to divide the operand by 2. SAR performs a signed divide with rounding toward negative infinity (not the same as IDIV); the high-order bit remains the same. SHR performs an unsigned divide; the high-order bit is set to 0. The shift is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum execution time, the 80386 does not allow shift counts greater than 31. If a shift count greater than 31 is attempted, only the bottom five bits of the shift count are used. (The 8086 uses all eight bits of the shift count.) The overflow flag is set only if the single-shift forms of the instructions are used. For left shifts, OF is set to 0 if the high bit of the answer is the same as the result of the carry flag (i.e., the top two bits of the original operand were the same); OF is set to 1 if they are different. For SAR, OF is set to 0 for all single shifts. For SHR, OF is set to the high-order bit of the original operand. Flags Affected OF for single shifts; OF is undefined for multiple shifts; CF, ZF, PF, and SF as described in Appendix C Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault SBB ── Integer Subtraction with Borrow Opcode Instruction Clocks Description 1C ib SBB AL,imm8 2 Subtract with borrow immediate byte from AL 1D iw SBB AX,imm16 2 Subtract with borrow immediate word from AX 1D id SBB EAX,imm32 2 Subtract with borrow immediate dword from EAX 80 /3 ib SBB r/m8,imm8 2/7 Subtract with borrow immediate byte from r/m byte 81 /3 iw SBB r/m16,imm16 2/7 Subtract with borrow immediate word from r/m word 81 /3 id SBB r/m32,imm32 2/7 Subtract with borrow immediate dword from r/m dword 83 /3 ib SBB r/m16,imm8 2/7 Subtract with borrow sign-extended immediate byte from r/m word 83 /3 ib SBB r/m32,imm8 2/7 Subtract with borrow sign-extended immediate byte from r/m dword 18 /r SBB r/m8,r8 2/6 Subtract with borrow byte register from r/m byte 19 /r SBB r/m16,r16 2/6 Subtract with borrow word register from r/m word 19 /r SBB r/m32,r32 2/6 Subtract with borrow dword register from r/m dword 1A /r SBB r8,r/m8 2/7 Subtract with borrow byte register from r/m byte 1B /r SBB r16,r/m16 2/7 Subtract with borrow word register from r/m word 1B /r SBB r32,r/m32 2/7 Subtract with borrow dword register from r/m dword Operation IF SRC is a byte and DEST is a word or dword THEN DEST = DEST - (SignExtend(SRC) + CF) ELSE DEST DEST - (SRC + CF); Description SBB adds the second operand (DEST) to the carry flag (CF) and subtracts the result from the first operand (SRC). The result of the subtraction is assigned to the first operand (DEST), and the flags are set accordingly. When an immediate byte value is subtracted from a word operand, the immediate value is first sign-extended. Flags Affected OF, SF, ZF, AF, PF, and CF as described in Appendix C Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault SCAS/SCASB/SCASW/SCASD ── Compare String Data Opcode Instruction Clocks Description AE SCAS m8 7 Compare bytes AL-ES:[DI], update (E)DI AF SCAS m16 7 Compare words AX-ES:[DI], update (E)DI AF SCAS m32 7 Compare dwords EAX-ES:[DI], update (E)DI AE SCASB 7 Compare bytes AL-ES:[DI], update (E)DI AF SCASW 7 Compare words AX-ES:[DI], update (E)DI AF SCASD 7 Compare dwords EAX-ES:[DI], update (E)DI Operation IF AddressSize = 16 THEN use DI for dest-index; ELSE (* AddressSize = 32 *) use EDI for dest-index; FI; IF byte type of instruction THEN AL - [dest-index]; (* Compare byte in AL and dest *) IF DF = 0 THEN IndDec 1 ELSE IncDec -1; FI; ELSE IF OperandSize = 16 THEN AX - [dest-index]; (* compare word in AL and dest *) IF DF = 0 THEN IncDec 2 ELSE IncDec -2; FI; ELSE (* OperandSize = 32 *) EAX - [dest-index];(* compare dword in EAX & dest *) IF DF = 0 THEN IncDec 4 ELSE IncDec -4; FI; FI; FI; dest-index = dest-index + IncDec Description SCAS subtracts the memory byte or word at the destination register from the AL, AX or EAX register. The result is discarded; only the flags are set. The operand must be addressable from the ES segment; no segment override is possible. If the address-size attribute for this instruction is 16 bits, DI is used as the destination register; otherwise, the address-size attribute is 32 bits and EDI is used. The address of the memory data being compared is determined solely by the contents of the destination register, not by the operand to SCAS. The operand validates ES segment addressability and determines the data type. Load the correct index value into DI or EDI before executing SCAS. After the comparison is made, the destination register is automatically updated. If the direction flag is 0 (CLD was executed), the destination register is incremented; if the direction flag is 1 (STD was executed), it is decremented. The increments or decrements are by 1 if bytes are compared, by 2 if words are compared, or by 4 if doublewords are compared. SCASB, SCASW, and SCASD are synonyms for the byte, word and doubleword SCAS instructions that don't require operands. They are simpler to code, but provide no type or segment checking. SCAS can be preceded by the REPE or REPNE prefix for a block search of CX or ECX bytes or words. Refer to the REP instruction for further details. Flags Affected OF, SF, ZF, AF, PF, and CF as described in Appendix C Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault SETcc ── Byte Set on Condition Opcode Instruction Clocks Description 0F 97 SETA r/m8 4/5 Set byte if above (CF=0 and ZF=0) 0F 93 SETAE r/m8 4/5 Set byte if above or equal (CF=0) 0F 92 SETB r/m8 4/5 Set byte if below (CF=1) 0F 96 SETBE r/m8 4/5 Set byte if below or equal (CF=1 or (ZF=1) 0F 92 SETC r/m8 4/5 Set if carry (CF=1) 0F 94 SETE r/m8 4/5 Set byte if equal (ZF=1) 0F 9F SETG r/m8 4/5 Set byte if greater (ZF=0 or SF=OF) 0F 9D SETGE r/m8 4/5 Set byte if greater or equal (SF=OF) 0F 9C SETL r/m8 4/5 Set byte if less (SF<>OF) 0F 9E SETLE r/m8 4/5 Set byte if less or equal (ZF=1 and SF<>OF) 0F 96 SETNA r/m8 4/5 Set byte if not above (CF=1) 0F 92 SETNAE r/m8 4/5 Set byte if not above or equal (CF=1) 0F 93 SETNB r/m8 4/5 Set byte if not below (CF=0) 0F 97 SETNBE r/m8 4/5 Set byte if not below or equal (CF=0 and ZF=0) 0F 93 SETNC r/m8 4/5 Set byte if not carry (CF=0) 0F 95 SETNE r/m8 4/5 Set byte if not equal (ZF=0) 0F 9E SETNG r/m8 4/5 Set byte if not greater (ZF=1 or SF<>OF) 0F 9C SETNGE r/m8 4/5 Set if not greater or equal (SF<>OF) 0F 9D SETNL r/m8 4/5 Set byte if not less (SF=OF) 0F 9F SETNLE r/m8 4/5 Set byte if not less or equal (ZF=1 and SF<>OF) 0F 91 SETNO r/m8 4/5 Set byte if not overflow (OF=0) 0F 9B SETNP r/m8 4/5 Set byte if not parity (PF=0) 0F 99 SETNS r/m8 4/5 Set byte if not sign (SF=0) 0F 95 SETNZ r/m8 4/5 Set byte if not zero (ZF=0) 0F 90 SETO r/m8 4/5 Set byte if overflow (OF=1) 0F 9A SETP r/m8 4/5 Set byte if parity (PF=1) 0F 9A SETPE r/m8 4/5 Set byte if parity even (PF=1) 0F 9B SETPO r/m8 4/5 Set byte if parity odd (PF=0) 0F 98 SETS r/m8 4/5 Set byte if sign (SF=1) 0F 94 SETZ r/m8 4/5 Set byte if zero (ZF=1) Operation IF condition THEN r/m8 1 ELSE r/m8 0; FI; Description SETcc stores a byte at the destination specified by the effective address or register if the condition is met, or a 0 byte if the condition is not met. Flags Affected None Protected Mode Exceptions #GP(0) if the result is in a non-writable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault SGDT/SIDT ── Store Global/Interrupt Descriptor Table Register Opcode Instruction Clocks Description 0F 01 /0 SGDT m 9 Store GDTR to m 0F 01 /1 SIDT m 9 Store IDTR to m Operation DEST 48-bit BASE/LIMIT register contents; Description SGDT/SIDT copies the contents of the descriptor table register the six bytes of memory indicated by the operand. The LIMIT field of the register is assigned to the first word at the effective address. If the operand-size attribute is 32 bits, the next three bytes are assigned the BASE field of the register, and the fourth byte is written with zero. The last byte is undefined. Otherwise, if the operand-size attribute is 16 bits, the next four bytes are assigned the 32-bit BASE field of the register. SGDT and SIDT are used only in operating system software; they are not used in application programs. Flags Affected None Protected Mode Exceptions Interrupt 6 if the destination operand is a register; #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6 if the destination operand is a register; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Compatability Note The 16-bit forms of the SGDT/SIDT instructions are compatible with the 80286, if the value in the upper eight bits is not referenced. The 80286 stores 1's in these upper bits, whereas the 80386 stores 0's if the operand-size attribute is 16 bits. These bits were specified as undefined by the SGDT/SIDT instructions in the iAPX 286 Programmer's Reference Manual. SHLD ── Double Precision Shift Left Opcode Instruction Clocks Description 0F A4 SHLD r/m16,r16,imm8 3/7 r/m16 gets SHL of r/m16 concatenated with r16 0F A4 SHLD r/m32,r32,imm8 3/7 r/m32 gets SHL of r/m32 concatenated with r32 0F A5 SHLD r/m16,r16,CL 3/7 r/m16 gets SHL of r/m16 concatenated with r16 0F A5 SHLD r/m32,r32,CL 3/7 r/m32 gets SHL of r/m32 concatenated with r32 Operation (* count is an unsigned integer corresponding to the last operand of the instruction, either an immediate byte or the byte in register CL *) ShiftAmt count MOD 32; inBits register; (* Allow overlapped operands *) IF ShiftAmt = 0 THEN no operation ELSE IF ShiftAmt ≥ OperandSize THEN (* Bad parameters *) r/m UNDEFINED; CF, OF, SF, ZF, AF, PF UNDEFINED; ELSE (* Perform the shift *) CF BIT[Base, OperandSize - ShiftAmt]; (* Last bit shifted out on exit *) FOR i OperandSize - 1 DOWNTO ShiftAmt DO BIT[Base, i] BIT[Base, i - ShiftAmt]; OF; FOR i ShiftAmt - 1 DOWNTO 0 DO BIT[Base, i] BIT[inBits, i - ShiftAmt + OperandSize]; OD; Set SF, ZF, PF (r/m); (* SF, ZF, PF are set according to the value of the result *) AF UNDEFINED; FI; FI; Description SHLD shifts the first operand provided by the r/m field to the left as many bits as specified by the count operand. The second operand (r16 or r32) provides the bits to shift in from the right (starting with bit 0). The result is stored back into the r/m operand. The register remains unaltered. The count operand is provided by either an immediate byte or the contents of the CL register. These operands are taken MODULO 32 to provide a number between 0 and 31 by which to shift. Because the bits to shift are provided by the specified registers, the operation is useful for multiprecision shifts (64 bits or more). The SF, ZF and PF flags are set according to the value of the result. CS is set to the value of the last bit shifted out. OF and AF are left undefined. Flags Affected OF, SF, ZF, PF, and CF as described above; AF and OF are undefined Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault SHRD ── Double Precision Shift Right Opcode Instruction Clocks Description 0F AC SHRD r/m16,r16,imm8 3/7 r/m16 gets SHR of r/m16 concatenated with r16 0F AC SHRD r/m32,r32,imm8 3/7 r/m32 gets SHR of r/m32 concatenated with r32 0F AD SHRD r/m16,r16,CL 3/7 r/m16 gets SHR of r/m16 concatenated with r16 0F AD SHRD r/m32,r32,CL 3/7 r/m32 gets SHR of r/m32 concatenated with r32 Operation (* count is an unsigned integer corresponding to the last operand of the instruction, either an immediate byte or the byte in register CL *) ShiftAmt count MOD 32; inBits register; (* Allow overlapped operands *) IF ShiftAmt = 0 THEN no operation ELSE IF ShiftAmt ≥ OperandSize THEN (* Bad parameters *) r/m UNDEFINED; CF, OF, SF, ZF, AF, PF UNDEFINED; ELSE (* Perform the shift *) CF BIT[r/m, ShiftAmt - 1]; (* last bit shifted out on exit *) FOR i 0 TO OperandSize - 1 - ShiftAmt DO BIT[r/m, i] BIT[r/m, i - ShiftAmt]; OD; FOR i OperandSize - ShiftAmt TO OperandSize - 1 DO BIT[r/m,i] BIT[inBits,i+ShiftAmt - OperandSize]; OD; Set SF, ZF, PF (r/m); (* SF, ZF, PF are set according to the value of the result *) Set SF, ZF, PF (r/m); AF UNDEFINED; FI; FI; Description SHRD shifts the first operand provided by the r/m field to the right as many bits as specified by the count operand. The second operand (r16 or r32) provides the bits to shift in from the left (starting with bit 31). The result is stored back into the r/m operand. The register remains unaltered. The count operand is provided by either an immediate byte or the contents of the CL register. These operands are taken MODULO 32 to provide a number between 0 and 31 by which to shift. Because the bits to shift are provided by the specified register, the operation is useful for multi-precision shifts (64 bits or more). The SF, ZF and PF flags are set according to the value of the result. CS is set to the value of the last bit shifted out. OF and AF are left undefined. Flags Affected OF, SF, ZF, PF, and CF as described above; AF and OF are undefined Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault SLDT ── Store Local Descriptor Table Register Opcode Instruction Clocks Description 0F 00 /0 SLDT r/m16 pm=2/2 Store LDTR to EA word Operation r/m16 LDTR; Description SLDT stores the Local Descriptor Table Register (LDTR) in the two-byte register or memory location indicated by the effective address operand. This register is a selector that points into the Global Descriptor Table. SLDT is used only in operating system software. It is not used in application programs. Flags Affected None Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6; SLDT is not recognized in Real Address Mode Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Notes The operand-size attribute has no effect on the operation of the instruction. SMSW ── Store Machine Status Word Opcode Instruction Clocks Description 0F 01 /4 SMSW r/m16 2/3,pm=2/2 Store machine status word to EA word Operation r/m16 MSW; Description SMSW stores the machine status word (part of CR0) in the two-byte register or memory location indicated by the effective address operand. Flags Affected None Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault Notes This instruction is provided for compatibility with the 80286; 80386 programs should use MOV ..., CR0. STC ── Set Carry Flag Opcode Instruction Clocks Description F9 STC 2 Set carry flag Operation CF 1; Description STC sets the carry flag to 1. Flags Affected CF = 1 Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None STD ── Set Direction Flag Opcode Instruction Clocks Description FD STD 2 Set direction flag so (E)SI and/or (E)DI decrement Operation DF 1; Description STD sets the direction flag to 1, causing all subsequent string operations to decrement the index registers, (E)SI and/or (E)DI, on which they operate. Flags Affected DF = 1 Protected Mode Exceptions None Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None STI ── Set Interrupt Flag Opcode Instruction Clocks Description F13 STI 3 Set interrupt flag; interrupts enabled at the end of the next instruction Operation IF 1 Description STI sets the interrupt flag to 1. The 80386 then responds to external interrupts after executing the next instruction if the next instruction allows the interrupt flag to remain enabled. If external interrupts are disabled and you code STI, RET (such as at the end of a subroutine), the RET is allowed to execute before external interrupts are recognized. Also, if external interrupts are disabled and you code STI, CLI, then external interrupts are not recognized because the CLI instruction clears the interrupt flag during its execution. Flags Affected IF = 1 Protected Mode Exceptions #GP(0) if the current privilege level is greater (has less privilege) than the I/O privilege level Real Address Mode Exceptions None Virtual 8086 Mode Exceptions None STOS/STOSB/STOSW/STOSD ── Store String Data Opcode Instruction Clocks Description AA STOS m8 4 Store AL in byte ES:[(E)DI], update (E)DI AB STOS m16 4 Store AX in word ES:[(E)DI], update (E)DI AB STOS m32 4 Store EAX in dword ES:[(E)DI], update (E)DI AA STOSB 4 Store AL in byte ES:[(E)DI], update (E)DI AB STOSW 4 Store AX in word ES:[(E)DI], update (E)DI AB STOSD 4 Store EAX in dword ES:[(E)DI], update (E)DI Operation IF AddressSize = 16 THEN use ES:DI for DestReg ELSE (* AddressSize = 32 *) use ES:EDI for DestReg; FI; IF byte type of instruction THEN (ES:DestReg) AL; IF DF = 0 THEN DestReg DestReg + 1; ELSE DestReg DestReg - 1; FI; ELSE IF OperandSize = 16 THEN (ES:DestReg) AX; IF DF = 0 THEN DestReg DestReg + 2; ELSE DestReg DestReg - 2; FI; ELSE (* OperandSize = 32 *) (ES:DestReg) EAX; IF DF = 0 THEN DestReg DestReg + 4; ELSE DestReg DestReg - 4; FI; FI; FI; Description STOS transfers the contents of all AL, AX, or EAX register to the memory byte or word given by the destination register relative to the ES segment. The destination register is DI for an address-size attribute of 16 bits or EDI for an address-size attribute of 32 bits. The destination operand must be addressable from the ES register. A segment override is not possible. The address of the destination is determined by the contents of the destination register, not by the explicit operand of STOS. This operand is used only to validate ES segment addressability and to determine the data type. Load the correct index value into the destination register before executing STOS. After the transfer is made, DI is automatically updated. If the direction flag is 0 (CLD was executed), DI is incremented; if the direction flag is 1 (STD was executed), DI is decremented. DI is incremented or decremented by 1 if a byte is stored, by 2 if a word is stored, or by 4 if a doubleword is stored. STOSB, STOSW, and STOSD are synonyms for the byte, word, and doubleword STOS instructions, that do not require an operand. They are simpler to use, but provide no type or segment checking. STOS can be preceded by the REP prefix for a block fill of CX or ECX bytes, words, or doublewords. Refer to the REP instruction for further details. Flags Affected None Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault STR ── Store Task Register Opcode Instruction Clocks Description 0F 00 /1 STR r/m16 pm=23/27 Load EA word into task register Operation r/m task register; Description The contents of the task register are copied to the two-byte register or memory location indicated by the effective address operand. STR is used only in operating system software. It is not used in application programs. Flags Affected None Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6; STR is not recognized in Real Address Mode Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode Notes The operand-size attribute has no effect on this instruction. SUB ── Integer Subtraction Opcode Instruction Clocks Description 2C ib SUB AL,imm8 2 Subtract immediate byte from AL 2D iw SUB AX,imm16 2 Subtract immediate word from AX 2D id SUB EAX,imm32 2 Subtract immediate dword from EAX 80 /5 ib SUB r/m8,imm8 2/7 Subtract immediate byte from r/m byte 81 /5 iw SUB r/m16,imm16 2/7 Subtract immediate word from r/m word 81 /5 id SUB r/m32,imm32 2/7 Subtract immediate dword from r/m dword 83 /5 ib SUB r/m16,imm8 2/7 Subtract sign-extended immediate byte from r/m word 83 /5 ib SUB r/m32,imm8 2/7 Subtract sign-extended immediate byte from r/m dword 28 /r SUB r/m8,r8 2/6 Subtract byte register from r/m byte 29 /r SUB r/m16,r16 2/6 Subtract word register from r/m word 29 /r SUB r/m32,r32 2/6 Subtract dword register from r/m dword 2A /r SUB r8,r/m8 2/7 Subtract byte register from r/m byte 2B /r SUB r16,r/m16 2/7 Subtract word register from r/m word 2B /r SUB r32,r/m32 2/7 Subtract dword register from r/m dword Operation IF SRC is a byte and DEST is a word or dword THEN DEST = DEST - SignExtend(SRC); ELSE DEST DEST - SRC; FI; Description SUB subtracts the second operand (SRC) from the first operand (DEST). The first operand is assigned the result of the subtraction, and the flags are set accordingly. When an immediate byte value is subtracted from a word operand, the immediate value is first sign-extended to the size of the destination operand. Flags Affected OF, SF, ZF, AF, PF, and CF as described in Appendix C Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault TEST ── Logical Compare Opcode Instruction Clocks Description A8 ib TEST AL,imm8 2 AND immediate byte with AL A9 iw TEST AX,imm16 2 AND immediate word with AX A9 id TEST EAX,imm32 2 AND immediate dword with EAX F6 /0 ib TEST r/m8,imm8 2/5 AND immediate byte with r/m byte F7 /0 iw TEST r/m16,imm16 2/5 AND immediate word with r/m word F7 /0 id TEST r/m32,imm32 2/5 AND immediate dword with r/m dword 84 /r TEST r/m8,r8 2/5 AND byte register with r/m byte 85 /r TEST r/m16,r16 2/5 AND word register with r/m word 85 /r TEST r/m32,r32 2/5 AND dword register with r/m dword Operation DEST : = LeftSRC AND RightSRC; CF 0; OF 0; Description TEST computes the bit-wise logical AND of its two operands. Each bit of the result is 1 if both of the corresponding bits of the operands are 1; otherwise, each bit is 0. The result of the operation is discarded and only the flags are modified. Flags Affected OF = 0, CF = 0; SF, ZF, and PF as described in Appendix C Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault VERR, VERW ── Verify a Segment for Reading or Writing Opcode Instruction Clocks Description 0F 00 /4 VERR r/m16 pm=10/11 Set ZF=1 if segment can be read, selector in r/m16 0F 00 /5 VERW r/m16 pm=15/16 Set ZF=1 if segment can be written, selector in r/m16 Operation IF segment with selector at (r/m) is accessible with current protection level AND ((segment is readable for VERR) OR (segment is writable for VERW)) THEN ZF 0; ELSE ZF 1; FI; Description The two-byte register or memory operand of VERR and VERW contains the value of a selector. VERR and VERW determine whether the segment denoted by the selector is reachable from the current privilege level and whether the segment is readable (VERR) or writable (VERW). If the segment is accessible, the zero flag is set to 1; if the segment is not accessible, the zero flag is set to 0. To set ZF, the following conditions must be met: ■ The selector must denote a descriptor within the bounds of the table (GDT or LDT); the selector must be "defined." ■ The selector must denote the descriptor of a code or data segment (not that of a task state segment, LDT, or a gate). ■ For VERR, the segment must be readable. For VERW, the segment must be a writable data segment. ■ If the code segment is readable and conforming, the descriptor privilege level (DPL) can be any value for VERR. Otherwise, the DPL must be greater than or equal to (have less or the same privilege as) both the current privilege level and the selector's RPL. The validation performed is the same as if the segment were loaded into DS, ES, FS, or GS, and the indicated access (read or write) were performed. The zero flag receives the result of the validation. The selector's value cannot result in a protection exception, enabling the software to anticipate possible segment access problems. Flags Affected ZF as described above Protected Mode Exceptions Faults generated by illegal addressing of the memory operand that contains the selector, the selector is not loaded into any segment register, and no faults attributable to the selector operand are generated #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 6; VERR and VERW are not recognized in Real Address Mode Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault WAIT ── Wait until BUSY# Pin is Inactive (HIGH) Opcode Instruction Clocks Description 9B WAIT 6 min. Wait until BUSY pin is inactive (HIGH) Description WAIT suspends execution of 80386 instructions until the BUSY# pin is inactive (high). The BUSY# pin is driven by the 80287 numeric processor extension. Flags Affected None Protected Mode Exceptions #NM if the task-switched flag in the machine status word (the lower 16 bits of register CR0) is set; #MF if the ERROR# input pin is asserted (i.e., the 80287 has detected an unmasked numeric error) Real Address Mode Exceptions Same exceptions as in Protected Mode Virtual 8086 Mode Exceptions Same exceptions as in Protected Mode XCHG ── Exchange Register/Memory with Register Opcode Instruction Clocks Description 90 + r XCHG AX,r16 3 Exchange word register with AX 90 + r XCHG r16,AX 3 Exchange word register with AX 90 + r XCHG EAX,r32 3 Exchange dword register with EAX 90 + r XCHG r32,EAX 3 Exchange dword register with EAX 86 /r XCHG r/m8,r8 3 Exchange byte register with EA byte 86 /r XCHG r8,r/m8 3/5 Exchange byte register with EA byte 87 /r XCHG r/m16,r16 3 Exchange word register with EA word 87 /r XCHG r16,r/m16 3/5 Exchange word register with EA word 87 /r XCHG r/m32,r32 3 Exchange dword register with EA dword 87 /r XCHG r32,r/m32 3/5 Exchange dword register with EA dword Operation temp DEST DEST SRC SRC temp Description XCHG exchanges two operands. The operands can be in either order. If a memory operand is involved, BUS LOCK is asserted for the duration of the exchange, regardless of the presence or absence of the LOCK prefix or of the value of the IOPL. Flags Affected None Protected Mode Exceptions #GP(0) if either operand is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault XLAT/XLATB ── Table Look-up Translation D7 XLAT m8 5 Set AL to memory byte DS:[(E)BX + unsigned AL] D7 XLATB 5 Set AL to memory byte DS:[(E)BX + unsigned AL] Operation IF AddressSize = 16 THEN AL (BX + ZeroExtend(AL)) ELSE (* AddressSize = 32 *) AL (EBX + ZeroExtend(AL)); FI; Description XLAT changes the AL register from the table index to the table entry. AL should be the unsigned index into a table addressed by DS:BX (for an address-size attribute of 16 bits) or DS:EBX (for an address-size attribute of 32 bits). The operand to XLAT allows for the possibility of a segment override. XLAT uses the contents of BX even if they differ from the offset of the operand. The offset of the operand should have been moved intoBX/EBX with a previous instruction. The no-operand form, XLATB, can be used if the BX/EBX table will always reside in the DS segment. Flags Affected None Protected Mode Exceptions #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault XOR ── Logical Exclusive OR Opcode Instruction Clocks Description 34 ib XOR AL,imm8 2 Exclusive-OR immediate byte to AL 35 iw XOR AX,imm16 2 Exclusive-OR immediate word to AX 35 id XOR EAX,imm32 2 Exclusive-OR immediate dword to EAX 80 /6 ib XOR r/m8,imm8 2/7 Exclusive-OR immediate byte to r/m byte 81 /6 iw XOR r/m16,imm16 2/7 Exclusive-OR immediate word to r/m word 81 /6 id XOR r/m32,imm32 2/7 Exclusive-OR immediate dword to r/m dword 83 /6 ib XOR r/m16,imm8 2/7 XOR sign-extended immediate byte with r/m word 83 /6 ib XOR r/m32,imm8 2/7 XOR sign-extended immediate byte with r/m dword 30 /r XOR r/m8,r8 2/6 Exclusive-OR byte register to r/m byte 31 /r XOR r/m16,r16 2/6 Exclusive-OR word register to r/m word 31 /r XOR r/m32,r32 2/6 Exclusive-OR dword register to r/m dword 32 /r XOR r8,r/m8 2/7 Exclusive-OR byte register to r/m byte 33 /r XOR r16,r/m16 2/7 Exclusive-OR word register to r/m word 33 /r XOR r32,r/m32 2/7 Exclusive-OR dword register to r/m dword Operation DEST LeftSRC XOR RightSRC CF 0 OF 0 Description XOR computes the exclusive OR of the two operands. Each bit of the result is 1 if the corresponding bits of the operands are different; each bit is 0 if the corresponding bits are the same. The answer replaces the first operand. Flags Affected CF = 0, OF = 0; SF, ZF, and PF as described in Appendix C; AF is undefined Protected Mode Exceptions #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault