view xen/arch/x86/x86_emulate.c @ 13380:ba5e80864f9c (direct-io.hg)

[XEN] BSF/BSR set ZF, not CF.
Signed-off-by: Keir Fraser <keir@xensource.com>
author kfraser@localhost.localdomain
date Mon Jan 15 14:32:25 2007 +0000 (2007-01-15)
parents 2b50acbdf01b
children 0ba81aa56455
line source
1 /******************************************************************************
2 * x86_emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005-2007 Keir Fraser
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 #ifndef __XEN__
24 #include <stddef.h>
25 #include <stdint.h>
26 #include <public/xen.h>
27 #else
28 #include <xen/config.h>
29 #include <xen/types.h>
30 #include <xen/lib.h>
31 #include <asm/regs.h>
32 #undef cmpxchg
33 #endif
34 #include <asm-x86/x86_emulate.h>
36 /* Operand sizes: 8-bit operands or specified/overridden size. */
37 #define ByteOp (1<<0) /* 8-bit operands. */
38 /* Destination operand type. */
39 #define DstBitBase (0<<1) /* Memory operand, bit string. */
40 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
41 #define DstReg (2<<1) /* Register operand. */
42 #define DstMem (3<<1) /* Memory operand. */
43 #define DstMask (3<<1)
44 /* Source operand type. */
45 #define SrcNone (0<<3) /* No source operand. */
46 #define SrcImplicit (0<<3) /* Source operand is implicit in the opcode. */
47 #define SrcReg (1<<3) /* Register operand. */
48 #define SrcMem (2<<3) /* Memory operand. */
49 #define SrcMem16 (3<<3) /* Memory operand (16-bit). */
50 #define SrcImm (4<<3) /* Immediate operand. */
51 #define SrcImmByte (5<<3) /* 8-bit sign-extended immediate operand. */
52 #define SrcMask (7<<3)
53 /* Generic ModRM decode. */
54 #define ModRM (1<<6)
55 /* Destination is only written; never read. */
56 #define Mov (1<<7)
58 static uint8_t opcode_table[256] = {
59 /* 0x00 - 0x07 */
60 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
61 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
62 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, 0,
63 /* 0x08 - 0x0F */
64 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
65 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
66 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, 0,
67 /* 0x10 - 0x17 */
68 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
69 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
70 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, 0,
71 /* 0x18 - 0x1F */
72 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
73 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
74 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, 0,
75 /* 0x20 - 0x27 */
76 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
77 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
78 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
79 /* 0x28 - 0x2F */
80 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
81 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
82 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
83 /* 0x30 - 0x37 */
84 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
85 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
86 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
87 /* 0x38 - 0x3F */
88 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
89 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
90 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
91 /* 0x40 - 0x4F */
92 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
93 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
94 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
95 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
96 /* 0x50 - 0x5F */
97 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
98 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
99 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
100 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
101 /* 0x60 - 0x67 */
102 ImplicitOps, ImplicitOps, DstReg|SrcMem|ModRM, DstReg|SrcMem16|ModRM|Mov,
103 0, 0, 0, 0,
104 /* 0x68 - 0x6F */
105 ImplicitOps|Mov, DstMem|SrcImm|ModRM|Mov,
106 ImplicitOps|Mov, DstMem|SrcImmByte|ModRM|Mov,
107 0, 0, 0, 0,
108 /* 0x70 - 0x77 */
109 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
110 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
111 /* 0x78 - 0x7F */
112 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
113 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
114 /* 0x80 - 0x87 */
115 ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImm|ModRM,
116 ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImmByte|ModRM,
117 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
118 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
119 /* 0x88 - 0x8F */
120 ByteOp|DstMem|SrcReg|ModRM|Mov, DstMem|SrcReg|ModRM|Mov,
121 ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
122 0, DstReg|SrcNone|ModRM, 0, DstMem|SrcNone|ModRM|Mov,
123 /* 0x90 - 0x97 */
124 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
125 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
126 /* 0x98 - 0x9F */
127 ImplicitOps, ImplicitOps, 0, 0, 0, 0, ImplicitOps, ImplicitOps,
128 /* 0xA0 - 0xA7 */
129 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
130 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
131 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov, 0, 0,
132 /* 0xA8 - 0xAF */
133 ByteOp|DstReg|SrcImm, DstReg|SrcImm,
134 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
135 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov, 0, 0,
136 /* 0xB0 - 0xB7 */
137 ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
138 ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
139 ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
140 ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
141 /* 0xB8 - 0xBF */
142 DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov,
143 DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov,
144 /* 0xC0 - 0xC7 */
145 ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImmByte|ModRM,
146 ImplicitOps, ImplicitOps,
147 0, 0, ByteOp|DstMem|SrcImm|ModRM|Mov, DstMem|SrcImm|ModRM|Mov,
148 /* 0xC8 - 0xCF */
149 0, 0, 0, 0, 0, 0, 0, 0,
150 /* 0xD0 - 0xD7 */
151 ByteOp|DstMem|SrcImplicit|ModRM, DstMem|SrcImplicit|ModRM,
152 ByteOp|DstMem|SrcImplicit|ModRM, DstMem|SrcImplicit|ModRM,
153 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
154 /* 0xD8 - 0xDF */
155 0, 0, 0, 0, 0, 0, 0, 0,
156 /* 0xE0 - 0xE7 */
157 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps, 0, 0, 0, 0,
158 /* 0xE8 - 0xEF */
159 ImplicitOps, ImplicitOps, 0, ImplicitOps, 0, 0, 0, 0,
160 /* 0xF0 - 0xF7 */
161 0, 0, 0, 0,
162 0, ImplicitOps, ByteOp|DstMem|SrcNone|ModRM, DstMem|SrcNone|ModRM,
163 /* 0xF8 - 0xFF */
164 ImplicitOps, ImplicitOps, 0, 0,
165 ImplicitOps, ImplicitOps, ByteOp|DstMem|SrcNone|ModRM, DstMem|SrcNone|ModRM
166 };
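/*
 * Reading the table: entry 0x00 (ADD r/m8,r8) is ByteOp|DstMem|SrcReg|ModRM,
 * i.e. a byte operation whose destination is the ModRM-encoded memory or
 * register operand and whose source is the ModRM 'reg' field. A zero entry
 * marks an opcode the decoder does not handle; decode bails out to
 * cannot_emulate for it.
 */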
168 static uint8_t twobyte_table[256] = {
169 /* 0x00 - 0x0F */
170 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps|ModRM, 0, 0,
171 /* 0x10 - 0x17 */
172 0, 0, 0, 0, 0, 0, 0, 0,
173 /* 0x18 - 0x1F */
174 ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
175 ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
176 /* 0x20 - 0x2F */
177 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
178 /* 0x30 - 0x3F */
179 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
180 /* 0x40 - 0x47 */
181 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
182 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
183 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
184 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
185 /* 0x48 - 0x4F */
186 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
187 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
188 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
189 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
190 /* 0x50 - 0x5F */
191 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
192 /* 0x60 - 0x6F */
193 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
194 /* 0x70 - 0x7F */
195 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
196 /* 0x80 - 0x87 */
197 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
198 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
199 /* 0x88 - 0x8F */
200 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
201 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
202 /* 0x90 - 0x97 */
203 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
204 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
205 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
206 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
207 /* 0x98 - 0x9F */
208 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
209 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
210 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
211 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
212 /* 0xA0 - 0xA7 */
213 0, 0, 0, DstBitBase|SrcReg|ModRM, 0, 0, 0, 0,
214 /* 0xA8 - 0xAF */
215 0, 0, 0, DstBitBase|SrcReg|ModRM, 0, 0, 0, DstReg|SrcMem|ModRM,
216 /* 0xB0 - 0xB7 */
217 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
218 0, DstBitBase|SrcReg|ModRM,
219 0, 0, ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem16|ModRM|Mov,
220 /* 0xB8 - 0xBF */
221 0, 0, DstBitBase|SrcImmByte|ModRM, DstBitBase|SrcReg|ModRM,
222 DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
223 ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem16|ModRM|Mov,
224 /* 0xC0 - 0xC7 */
225 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM, 0, 0,
226 0, 0, 0, ImplicitOps|ModRM,
227 /* 0xC8 - 0xCF */
228 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
229 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
230 /* 0xD0 - 0xDF */
231 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
232 /* 0xE0 - 0xEF */
233 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
234 /* 0xF0 - 0xFF */
235 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
236 };
238 /* Type, address-of, and value of an instruction's operand. */
239 struct operand {
240 enum { OP_REG, OP_MEM, OP_IMM, OP_NONE } type;
241 unsigned int bytes;
242 unsigned long val, orig_val;
243 union {
244 /* OP_REG: Pointer to register field. */
245 unsigned long *reg;
246 /* OP_MEM: Segment and offset. */
247 struct {
248 enum x86_segment seg;
249 unsigned long off;
250 } mem;
251 };
252 };
254 /* EFLAGS bit definitions. */
255 #define EFLG_OF (1<<11)
256 #define EFLG_DF (1<<10)
257 #define EFLG_SF (1<<7)
258 #define EFLG_ZF (1<<6)
259 #define EFLG_AF (1<<4)
260 #define EFLG_PF (1<<2)
261 #define EFLG_CF (1<<0)
263 /* Exception definitions. */
264 #define EXC_DE 0
265 #define EXC_BR 5
266 #define EXC_UD 6
267 #define EXC_GP 13
269 /*
270 * Instruction emulation:
271 * Most instructions are emulated directly via a fragment of inline assembly
272 * code. This allows us to save/restore EFLAGS and thus very easily pick up
273 * any modified flags.
274 */
276 #if defined(__x86_64__)
277 #define _LO32 "k" /* force 32-bit operand */
278 #define _STK "%%rsp" /* stack pointer */
279 #elif defined(__i386__)
280 #define _LO32 "" /* force 32-bit operand */
281 #define _STK "%%esp" /* stack pointer */
282 #endif
284 /*
285 * These EFLAGS bits are restored from saved value during emulation, and
286 * any changes are written back to the saved value after emulation.
287 */
288 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
290 /* Before executing instruction: restore necessary bits in EFLAGS. */
291 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
292 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); */\
293 "push %"_sav"; " \
294 "movl %"_msk",%"_LO32 _tmp"; " \
295 "andl %"_LO32 _tmp",("_STK"); " \
296 "pushf; " \
297 "notl %"_LO32 _tmp"; " \
298 "andl %"_LO32 _tmp",("_STK"); " \
299 "pop %"_tmp"; " \
300 "orl %"_LO32 _tmp",("_STK"); " \
301 "popf; " \
302 /* _sav &= ~msk; */ \
303 "movl %"_msk",%"_LO32 _tmp"; " \
304 "notl %"_LO32 _tmp"; " \
305 "andl %"_LO32 _tmp",%"_sav"; "
307 /* After executing instruction: write-back necessary bits in EFLAGS. */
308 #define _POST_EFLAGS(_sav, _msk, _tmp) \
309 /* _sav |= EFLAGS & _msk; */ \
310 "pushf; " \
311 "pop %"_tmp"; " \
312 "andl %"_msk",%"_LO32 _tmp"; " \
313 "orl %"_LO32 _tmp",%"_sav"; "
315 /* Raw emulation: instruction has two explicit operands. */
316 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy)\
317 do{ unsigned long _tmp; \
318 switch ( (_dst).bytes ) \
319 { \
320 case 2: \
321 __asm__ __volatile__ ( \
322 _PRE_EFLAGS("0","4","2") \
323 _op"w %"_wx"3,%1; " \
324 _POST_EFLAGS("0","4","2") \
325 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
326 : _wy ((_src).val), "i" (EFLAGS_MASK), \
327 "m" (_eflags), "m" ((_dst).val) ); \
328 break; \
329 case 4: \
330 __asm__ __volatile__ ( \
331 _PRE_EFLAGS("0","4","2") \
332 _op"l %"_lx"3,%1; " \
333 _POST_EFLAGS("0","4","2") \
334 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
335 : _ly ((_src).val), "i" (EFLAGS_MASK), \
336 "m" (_eflags), "m" ((_dst).val) ); \
337 break; \
338 case 8: \
339 __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy); \
340 break; \
341 } \
342 } while (0)
343 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy)\
344 do{ unsigned long _tmp; \
345 switch ( (_dst).bytes ) \
346 { \
347 case 1: \
348 __asm__ __volatile__ ( \
349 _PRE_EFLAGS("0","4","2") \
350 _op"b %"_bx"3,%1; " \
351 _POST_EFLAGS("0","4","2") \
352 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
353 : _by ((_src).val), "i" (EFLAGS_MASK), \
354 "m" (_eflags), "m" ((_dst).val) ); \
355 break; \
356 default: \
357 __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy);\
358 break; \
359 } \
360 } while (0)
361 /* Source operand is byte-sized and may be restricted to just %cl. */
362 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
363 __emulate_2op(_op, _src, _dst, _eflags, \
364 "b", "c", "b", "c", "b", "c", "b", "c")
365 /* Source operand is byte, word, long or quad sized. */
366 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
367 __emulate_2op(_op, _src, _dst, _eflags, \
368 "b", "q", "w", "r", _LO32, "r", "", "r")
369 /* Source operand is word, long or quad sized. */
370 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
371 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
372 "w", "r", _LO32, "r", "", "r")
374 /* Instruction has only one explicit operand (no source operand). */
375 #define emulate_1op(_op,_dst,_eflags) \
376 do{ unsigned long _tmp; \
377 switch ( (_dst).bytes ) \
378 { \
379 case 1: \
380 __asm__ __volatile__ ( \
381 _PRE_EFLAGS("0","3","2") \
382 _op"b %1; " \
383 _POST_EFLAGS("0","3","2") \
384 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
385 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
386 break; \
387 case 2: \
388 __asm__ __volatile__ ( \
389 _PRE_EFLAGS("0","3","2") \
390 _op"w %1; " \
391 _POST_EFLAGS("0","3","2") \
392 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
393 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
394 break; \
395 case 4: \
396 __asm__ __volatile__ ( \
397 _PRE_EFLAGS("0","3","2") \
398 _op"l %1; " \
399 _POST_EFLAGS("0","3","2") \
400 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
401 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
402 break; \
403 case 8: \
404 __emulate_1op_8byte(_op, _dst, _eflags); \
405 break; \
406 } \
407 } while (0)
409 /* Emulate an instruction with quadword operands (x86/64 only). */
410 #if defined(__x86_64__)
411 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy) \
412 do{ __asm__ __volatile__ ( \
413 _PRE_EFLAGS("0","4","2") \
414 _op"q %"_qx"3,%1; " \
415 _POST_EFLAGS("0","4","2") \
416 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
417 : _qy ((_src).val), "i" (EFLAGS_MASK), \
418 "m" (_eflags), "m" ((_dst).val) ); \
419 } while (0)
420 #define __emulate_1op_8byte(_op, _dst, _eflags) \
421 do{ __asm__ __volatile__ ( \
422 _PRE_EFLAGS("0","3","2") \
423 _op"q %1; " \
424 _POST_EFLAGS("0","3","2") \
425 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
426 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
427 } while (0)
428 #elif defined(__i386__)
429 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
430 #define __emulate_1op_8byte(_op, _dst, _eflags)
431 #endif /* __i386__ */
433 /* Fetch next part of the instruction being emulated. */
434 #define insn_fetch_bytes(_size) \
435 ({ unsigned long _x, _eip = _regs.eip; \
436 if ( !mode_64bit() ) _eip = (uint32_t)_eip; /* ignore upper dword */ \
437 _regs.eip += (_size); /* real hardware doesn't truncate */ \
438 generate_exception_if((uint8_t)(_regs.eip - ctxt->regs->eip) > 15, \
439 EXC_GP); \
440 rc = ops->insn_fetch(x86_seg_cs, _eip, &_x, (_size), ctxt); \
441 if ( rc ) goto done; \
442 _x; \
443 })
444 #define insn_fetch_type(_type) ((_type)insn_fetch_bytes(sizeof(_type)))
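/*
 * Example: insn_fetch_type(int8_t) fetches one byte at the current EIP and
 * sign-extends it to long. The #GP check above enforces the architectural
 * 15-byte upper bound on total instruction length.
 */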
446 #define _truncate_ea(ea, byte_width) \
447 ({ unsigned long __ea = (ea); \
448 (((byte_width) == sizeof(unsigned long)) ? __ea : \
449 (__ea & ((1UL << ((byte_width) << 3)) - 1))); \
450 })
451 #define truncate_ea(ea) _truncate_ea((ea), ad_bytes)
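/* Example: with ad_bytes == 2, truncate_ea(0x12345678) yields 0x5678; the
 * effective address wraps at the current address-size boundary. */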
453 #define mode_64bit() (def_ad_bytes == 8)
455 #define fail_if(p) \
456 do { \
457 rc = (p) ? X86EMUL_UNHANDLEABLE : 0; \
458 if ( rc ) goto done; \
459 } while (0)
461 /* In future we will be able to generate arbitrary exceptions. */
462 #define generate_exception_if(p, e) fail_if(p)
464 /* Given byte has even parity (even number of 1s)? */
465 static int even_parity(uint8_t v)
466 {
467 __asm__ ( "test %%al,%%al; setp %%al"
468 : "=a" (v) : "0" (v) );
469 return v;
470 }
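/* Example: even_parity(0x03) is non-zero (two bits set), even_parity(0x01)
 * is zero; only the low byte is examined, as for the hardware PF flag. */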
472 /* Update address held in a register, based on addressing mode. */
473 #define _register_address_increment(reg, inc, byte_width) \
474 do { \
475 int _inc = (inc); /* signed type ensures sign extension to long */ \
476 if ( (byte_width) == sizeof(unsigned long) ) \
477 (reg) += _inc; \
478 else if ( mode_64bit() ) \
479 (reg) = ((reg) + _inc) & ((1UL << ((byte_width) << 3)) - 1); \
480 else \
481 (reg) = ((reg) & ~((1UL << ((byte_width) << 3)) - 1)) | \
482 (((reg) + _inc) & ((1UL << ((byte_width) << 3)) - 1)); \
483 } while (0)
484 #define register_address_increment(reg, inc) \
485 _register_address_increment((reg), (inc), ad_bytes)
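/*
 * Example: with ad_bytes == 2, incrementing a register holding 0x1234ffff
 * by 1 yields 0x12340000; the update wraps within the low word while the
 * upper bits of the register are preserved.
 */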
487 #define jmp_rel(rel) \
488 do { \
489 _regs.eip += (int)(rel); \
490 if ( !mode_64bit() ) \
491 _regs.eip = ((op_bytes == 2) \
492 ? (uint16_t)_regs.eip : (uint32_t)_regs.eip); \
493 } while (0)
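/* Example: with op_bytes == 2 outside 64-bit mode, jmp_rel(4) from
 * EIP 0xfffe wraps to 0x0002 rather than carrying into the high word. */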
495 /*
496 * Unsigned multiplication with double-word result.
497 * IN: Multiplicand=m[0], Multiplier=m[1]
498 * OUT: Return CF/OF (overflow status); Result=m[1]:m[0]
499 */
500 static int mul_dbl(unsigned long m[2])
501 {
502 int rc;
503 asm ( "mul %4; seto %b2"
504 : "=a" (m[0]), "=d" (m[1]), "=q" (rc)
505 : "0" (m[0]), "1" (m[1]), "2" (0) );
506 return rc;
507 }
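/*
 * m[] stands in for the hardware's xDX:xAX pair. Example: for inputs
 * m[0] = m[1] = 0x10 the result is m[1]:m[0] = 0:0x100 and the return
 * value is 0, as the product does not overflow into the high word.
 */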
509 /*
510 * Signed multiplication with double-word result.
511 * IN: Multiplicand=m[0], Multiplier=m[1]
512 * OUT: Return CF/OF (overflow status); Result=m[1]:m[0]
513 */
514 static int imul_dbl(unsigned long m[2])
515 {
516 int rc;
517 asm ( "imul %4; seto %b2"
518 : "=a" (m[0]), "=d" (m[1]), "=q" (rc)
519 : "0" (m[0]), "1" (m[1]), "2" (0) );
520 return rc;
521 }
523 /*
524 * Unsigned division of double-word dividend.
525 * IN: Dividend=u[1]:u[0], Divisor=v
526 * OUT: Return 1: #DE
527 * Return 0: Quotient=u[0], Remainder=u[1]
528 */
529 static int div_dbl(unsigned long u[2], unsigned long v)
530 {
531 if ( (v == 0) || (u[1] >= v) ) /* NB. u[1] == v also overflows the quotient. */
532 return 1;
533 asm ( "div %4"
534 : "=a" (u[0]), "=d" (u[1])
535 : "0" (u[0]), "1" (u[1]), "r" (v) );
536 return 0;
537 }
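/*
 * Example: u[1]:u[0] = 1:0 divided by v == 1 must raise #DE, since the
 * quotient (1 << BITS_PER_LONG) cannot fit in u[0]; the precheck rejects
 * it before the real div instruction can fault.
 */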
539 /*
540 * Signed division of double-word dividend.
541 * IN: Dividend=u[1]:u[0], Divisor=v
542 * OUT: Return 1: #DE
543 * Return 0: Quotient=u[0], Remainder=u[1]
544 * NB. We don't use idiv directly as it's moderately hard to work out
545 * ahead of time whether it will #DE, which we cannot allow to happen.
546 */
547 static int idiv_dbl(unsigned long u[2], unsigned long v)
548 {
549 int negu = (long)u[1] < 0, negv = (long)v < 0;
551 /* u = abs(u) */
552 if ( negu )
553 {
554 u[1] = ~u[1];
555 if ( (u[0] = -u[0]) == 0 )
556 u[1]++;
557 }
559 /* abs(u) / abs(v) */
560 if ( div_dbl(u, negv ? -v : v) )
561 return 1;
563 /* Remainder has same sign as dividend. It cannot overflow. */
564 if ( negu )
565 u[1] = -u[1];
567 /* Quotient is overflowed if sign bit is set. */
568 if ( negu ^ negv )
569 {
570 if ( (long)u[0] >= 0 )
571 u[0] = -u[0];
572 else if ( (u[0] << 1) != 0 ) /* == 0x80...0 is okay */
573 return 1;
574 }
575 else if ( (long)u[0] < 0 )
576 return 1;
578 return 0;
579 }
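/*
 * Example: -7 idiv 2 yields quotient -3, remainder -1: x86 signed division
 * truncates towards zero and the remainder takes the dividend's sign,
 * which is exactly what the sign fix-ups above implement.
 */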
581 static int
582 test_cc(
583 unsigned int condition, unsigned int flags)
584 {
585 int rc = 0;
587 switch ( (condition & 15) >> 1 )
588 {
589 case 0: /* o */
590 rc |= (flags & EFLG_OF);
591 break;
592 case 1: /* b/c/nae */
593 rc |= (flags & EFLG_CF);
594 break;
595 case 2: /* z/e */
596 rc |= (flags & EFLG_ZF);
597 break;
598 case 3: /* be/na */
599 rc |= (flags & (EFLG_CF|EFLG_ZF));
600 break;
601 case 4: /* s */
602 rc |= (flags & EFLG_SF);
603 break;
604 case 5: /* p/pe */
605 rc |= (flags & EFLG_PF);
606 break;
607 case 7: /* le/ng */
608 rc |= (flags & EFLG_ZF);
609 /* fall through */
610 case 6: /* l/nge */
611 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
612 break;
613 }
615 /* Odd condition identifiers (lsb == 1) have inverted sense. */
616 return (!!rc ^ (condition & 1));
617 }
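/*
 * Example: condition code 5 (the 'ne' encoding, as in opcode 0x75 = JNE)
 * selects case 2 (ZF) and inverts the sense via its low bit, so
 * test_cc(5, flags) is 1 exactly when ZF is clear.
 */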
619 void *
620 decode_register(
621 uint8_t modrm_reg, struct cpu_user_regs *regs, int highbyte_regs)
622 {
623 void *p;
625 switch ( modrm_reg )
626 {
627 case 0: p = &regs->eax; break;
628 case 1: p = &regs->ecx; break;
629 case 2: p = &regs->edx; break;
630 case 3: p = &regs->ebx; break;
631 case 4: p = (highbyte_regs ?
632 ((unsigned char *)&regs->eax + 1) :
633 (unsigned char *)&regs->esp); break;
634 case 5: p = (highbyte_regs ?
635 ((unsigned char *)&regs->ecx + 1) :
636 (unsigned char *)&regs->ebp); break;
637 case 6: p = (highbyte_regs ?
638 ((unsigned char *)&regs->edx + 1) :
639 (unsigned char *)&regs->esi); break;
640 case 7: p = (highbyte_regs ?
641 ((unsigned char *)&regs->ebx + 1) :
642 (unsigned char *)&regs->edi); break;
643 #if defined(__x86_64__)
644 case 8: p = &regs->r8; break;
645 case 9: p = &regs->r9; break;
646 case 10: p = &regs->r10; break;
647 case 11: p = &regs->r11; break;
648 case 12: p = &regs->r12; break;
649 case 13: p = &regs->r13; break;
650 case 14: p = &regs->r14; break;
651 case 15: p = &regs->r15; break;
652 #endif
653 default: p = NULL; break;
654 }
656 return p;
657 }
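/*
 * With highbyte_regs set, encodings 4-7 return a pointer to byte 1 of
 * xAX/xCX/xDX/xBX, i.e. the legacy AH/CH/DH/BH registers, rather than to
 * xSP/xBP/xSI/xDI. Callers pass highbyte_regs only for byte operations
 * decoded without a REX prefix, matching hardware behaviour.
 */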
659 int
660 x86_emulate(
661 struct x86_emulate_ctxt *ctxt,
662 struct x86_emulate_ops *ops)
663 {
664 /* Shadow copy of register state. Committed on successful emulation. */
665 struct cpu_user_regs _regs = *ctxt->regs;
667 uint8_t b, d, sib, sib_index, sib_base, twobyte = 0, rex_prefix = 0;
668 uint8_t modrm, modrm_mod = 0, modrm_reg = 0, modrm_rm = 0;
669 unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
670 unsigned int lock_prefix = 0, rep_prefix = 0;
671 int rc = 0;
672 struct operand src, dst;
674 /* Data operand effective address (usually computed from ModRM). */
675 struct operand ea;
677 /* Default is a memory operand relative to segment DS. */
678 ea.type = OP_MEM;
679 ea.mem.seg = x86_seg_ds;
680 ea.mem.off = 0;
682 op_bytes = def_op_bytes = ad_bytes = def_ad_bytes = ctxt->address_bytes;
683 if ( op_bytes == 8 )
684 {
685 op_bytes = def_op_bytes = 4;
686 #ifndef __x86_64__
687 return -1;
688 #endif
689 }
691 /* Prefix bytes. */
692 for ( ; ; )
693 {
694 switch ( b = insn_fetch_type(uint8_t) )
695 {
696 case 0x66: /* operand-size override */
697 op_bytes = def_op_bytes ^ 6;
698 break;
699 case 0x67: /* address-size override */
700 ad_bytes = def_ad_bytes ^ (mode_64bit() ? 12 : 6);
701 break;
702 case 0x2e: /* CS override */
703 ea.mem.seg = x86_seg_cs;
704 break;
705 case 0x3e: /* DS override */
706 ea.mem.seg = x86_seg_ds;
707 break;
708 case 0x26: /* ES override */
709 ea.mem.seg = x86_seg_es;
710 break;
711 case 0x64: /* FS override */
712 ea.mem.seg = x86_seg_fs;
713 break;
714 case 0x65: /* GS override */
715 ea.mem.seg = x86_seg_gs;
716 break;
717 case 0x36: /* SS override */
718 ea.mem.seg = x86_seg_ss;
719 break;
720 case 0xf0: /* LOCK */
721 lock_prefix = 1;
722 break;
723 case 0xf2: /* REPNE/REPNZ */
724 case 0xf3: /* REP/REPE/REPZ */
725 rep_prefix = 1;
726 break;
727 case 0x40 ... 0x4f: /* REX */
728 if ( !mode_64bit() )
729 goto done_prefixes;
730 rex_prefix = b;
731 continue;
732 default:
733 goto done_prefixes;
734 }
736 /* Any legacy prefix after a REX prefix nullifies its effect. */
737 rex_prefix = 0;
738 }
739 done_prefixes:
741 if ( rex_prefix & 8 ) /* REX.W */
742 op_bytes = 8;
744 /* Opcode byte(s). */
745 d = opcode_table[b];
746 if ( d == 0 )
747 {
748 /* Two-byte opcode? */
749 if ( b == 0x0f )
750 {
751 twobyte = 1;
752 b = insn_fetch_type(uint8_t);
753 d = twobyte_table[b];
754 }
756 /* Unrecognised? */
757 if ( d == 0 )
758 goto cannot_emulate;
759 }
761 /* Lock prefix is allowed only on RMW instructions. */
762 generate_exception_if((d & Mov) && lock_prefix, EXC_GP);
764 /* ModRM and SIB bytes. */
765 if ( d & ModRM )
766 {
767 modrm = insn_fetch_type(uint8_t);
768 modrm_mod = (modrm & 0xc0) >> 6;
769 modrm_reg = ((rex_prefix & 4) << 1) | ((modrm & 0x38) >> 3);
770 modrm_rm = modrm & 0x07;
772 if ( modrm_mod == 3 )
773 {
774 modrm_rm |= (rex_prefix & 1) << 3;
775 ea.type = OP_REG;
776 ea.reg = decode_register(
777 modrm_rm, &_regs, (d & ByteOp) && (rex_prefix == 0));
778 }
779 else if ( ad_bytes == 2 )
780 {
781 /* 16-bit ModR/M decode. */
782 switch ( modrm_rm )
783 {
784 case 0: ea.mem.off = _regs.ebx + _regs.esi; break;
785 case 1: ea.mem.off = _regs.ebx + _regs.edi; break;
786 case 2: ea.mem.off = _regs.ebp + _regs.esi; break;
787 case 3: ea.mem.off = _regs.ebp + _regs.edi; break;
788 case 4: ea.mem.off = _regs.esi; break;
789 case 5: ea.mem.off = _regs.edi; break;
790 case 6: ea.mem.off = _regs.ebp; break;
791 case 7: ea.mem.off = _regs.ebx; break;
792 }
793 switch ( modrm_mod )
794 {
795 case 0:
796 if ( modrm_rm == 6 )
797 ea.mem.off = insn_fetch_type(int16_t);
798 break;
799 case 1:
800 ea.mem.off += insn_fetch_type(int8_t);
801 break;
802 case 2:
803 ea.mem.off += insn_fetch_type(int16_t);
804 break;
805 }
806 ea.mem.off = truncate_ea(ea.mem.off);
807 }
808 else
809 {
810 /* 32/64-bit ModR/M decode. */
811 if ( modrm_rm == 4 )
812 {
813 sib = insn_fetch_type(uint8_t);
814 sib_index = ((sib >> 3) & 7) | ((rex_prefix << 2) & 8);
815 sib_base = (sib & 7) | ((rex_prefix << 3) & 8);
816 if ( sib_index != 4 )
817 ea.mem.off = *(long*)decode_register(sib_index, &_regs, 0);
818 ea.mem.off <<= (sib >> 6) & 3;
819 if ( (modrm_mod == 0) && ((sib_base & 7) == 5) )
820 ea.mem.off += insn_fetch_type(int32_t);
821 else if ( (sib_base == 4) && !twobyte && (b == 0x8f) )
822 /* POP <rm> must have its EA calculated post increment. */
823 ea.mem.off += _regs.esp +
824 ((mode_64bit() && (op_bytes == 4)) ? 8 : op_bytes);
825 else
826 ea.mem.off += *(long*)decode_register(sib_base, &_regs, 0);
827 }
828 else
829 {
830 modrm_rm |= (rex_prefix & 1) << 3;
831 ea.mem.off = *(long *)decode_register(modrm_rm, &_regs, 0);
832 }
833 switch ( modrm_mod )
834 {
835 case 0:
836 if ( (modrm_rm & 7) != 5 )
837 break;
838 ea.mem.off = insn_fetch_type(int32_t);
839 if ( !mode_64bit() )
840 break;
841 /* Relative to RIP of next instruction. Argh! */
842 ea.mem.off += _regs.eip;
843 if ( (d & SrcMask) == SrcImm )
844 ea.mem.off += (d & ByteOp) ? 1 :
845 ((op_bytes == 8) ? 4 : op_bytes);
846 else if ( (d & SrcMask) == SrcImmByte )
847 ea.mem.off += 1;
848 else if ( ((b == 0xf6) || (b == 0xf7)) &&
849 ((modrm_reg & 7) <= 1) )
850 /* Special case in Grp3: test has immediate operand. */
851 ea.mem.off += (d & ByteOp) ? 1
852 : ((op_bytes == 8) ? 4 : op_bytes);
853 break;
854 case 1:
855 ea.mem.off += insn_fetch_type(int8_t);
856 break;
857 case 2:
858 ea.mem.off += insn_fetch_type(int32_t);
859 break;
860 }
861 ea.mem.off = truncate_ea(ea.mem.off);
862 }
863 }
865 /* Special instructions do their own operand decoding. */
866 if ( (d & DstMask) == ImplicitOps )
867 goto special_insn;
869 /* Decode and fetch the source operand: register, memory or immediate. */
870 switch ( d & SrcMask )
871 {
872 case SrcNone:
873 break;
874 case SrcReg:
875 src.type = OP_REG;
876 if ( d & ByteOp )
877 {
878 src.reg = decode_register(modrm_reg, &_regs, (rex_prefix == 0));
879 src.val = *(uint8_t *)src.reg;
880 src.bytes = 1;
881 }
882 else
883 {
884 src.reg = decode_register(modrm_reg, &_regs, 0);
885 switch ( (src.bytes = op_bytes) )
886 {
887 case 2: src.val = *(uint16_t *)src.reg; break;
888 case 4: src.val = *(uint32_t *)src.reg; break;
889 case 8: src.val = *(uint64_t *)src.reg; break;
890 }
891 }
892 break;
893 case SrcMem16:
894 ea.bytes = 2;
895 goto srcmem_common;
896 case SrcMem:
897 ea.bytes = (d & ByteOp) ? 1 : op_bytes;
898 srcmem_common:
899 src = ea;
900 if ( src.type == OP_REG )
901 {
902 switch ( src.bytes )
903 {
904 case 1: src.val = *(uint8_t *)src.reg; break;
905 case 2: src.val = *(uint16_t *)src.reg; break;
906 case 4: src.val = *(uint32_t *)src.reg; break;
907 case 8: src.val = *(uint64_t *)src.reg; break;
908 }
909 }
910 else if ( (rc = ops->read(src.mem.seg, src.mem.off,
911 &src.val, src.bytes, ctxt)) )
912 goto done;
913 break;
914 case SrcImm:
915 src.type = OP_IMM;
916 src.bytes = (d & ByteOp) ? 1 : op_bytes;
917 if ( src.bytes == 8 ) src.bytes = 4;
918 /* NB. Immediates are sign-extended as necessary. */
919 switch ( src.bytes )
920 {
921 case 1: src.val = insn_fetch_type(int8_t); break;
922 case 2: src.val = insn_fetch_type(int16_t); break;
923 case 4: src.val = insn_fetch_type(int32_t); break;
924 }
925 break;
926 case SrcImmByte:
927 src.type = OP_IMM;
928 src.bytes = 1;
929 src.val = insn_fetch_type(int8_t);
930 break;
931 }
933 /* Decode and fetch the destination operand: register or memory. */
934 switch ( d & DstMask )
935 {
936 case DstReg:
937 dst.type = OP_REG;
938 if ( d & ByteOp )
939 {
940 dst.reg = decode_register(modrm_reg, &_regs, (rex_prefix == 0));
941 dst.val = *(uint8_t *)dst.reg;
942 dst.bytes = 1;
943 }
944 else
945 {
946 dst.reg = decode_register(modrm_reg, &_regs, 0);
947 switch ( (dst.bytes = op_bytes) )
948 {
949 case 2: dst.val = *(uint16_t *)dst.reg; break;
950 case 4: dst.val = *(uint32_t *)dst.reg; break;
951 case 8: dst.val = *(uint64_t *)dst.reg; break;
952 }
953 }
954 break;
955 case DstBitBase:
956 if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
957 {
958 src.val &= (op_bytes << 3) - 1;
959 }
960 else
961 {
962 /*
963 * EA += BitOffset DIV op_bytes*8
964 * BitOffset = BitOffset MOD op_bytes*8
965 * DIV truncates towards negative infinity.
966 * MOD always produces a positive result.
967 */
968 if ( op_bytes == 2 )
969 src.val = (int16_t)src.val;
970 else if ( op_bytes == 4 )
971 src.val = (int32_t)src.val;
972 if ( (long)src.val < 0 )
973 {
974 unsigned long byte_offset;
975 byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
976 ea.mem.off -= byte_offset;
977 src.val = (byte_offset << 3) + src.val;
978 }
979 else
980 {
981 ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
982 src.val &= (op_bytes << 3) - 1;
983 }
984 }
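/*
 * Worked example, op_bytes == 2: a register bit offset of -1 sign-extends
 * to src.val == -1; then byte_offset == 2 + ((0 >> 3) & ~1) == 2, the EA
 * moves back two bytes, and src.val becomes (2 << 3) - 1 == 15: bit -1 is
 * the top bit of the word immediately below the base operand.
 */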
985 /* Becomes a normal DstMem operation from here on. */
986 d = (d & ~DstMask) | DstMem;
987 case DstMem:
988 ea.bytes = (d & ByteOp) ? 1 : op_bytes;
989 dst = ea;
990 if ( dst.type == OP_REG )
991 {
992 switch ( dst.bytes )
993 {
994 case 1: dst.val = *(uint8_t *)dst.reg; break;
995 case 2: dst.val = *(uint16_t *)dst.reg; break;
996 case 4: dst.val = *(uint32_t *)dst.reg; break;
997 case 8: dst.val = *(uint64_t *)dst.reg; break;
998 }
999 }
1000 else if ( !(d & Mov) ) /* optimisation - avoid slow emulated read */
1002 if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1003 &dst.val, dst.bytes, ctxt)) )
1004 goto done;
1005 dst.orig_val = dst.val;
1007 break;
1010 /* LOCK prefix allowed only on instructions with memory destination. */
1011 generate_exception_if(lock_prefix && (dst.type != OP_MEM), EXC_GP);
1013 if ( twobyte )
1014 goto twobyte_insn;
1016 switch ( b )
1017 {
1018 case 0x04 ... 0x05: /* add imm,%%eax */
1019 dst.reg = (unsigned long *)&_regs.eax;
1020 dst.val = _regs.eax;
1021 case 0x00 ... 0x03: add: /* add */
1022 emulate_2op_SrcV("add", src, dst, _regs.eflags);
1023 break;
1025 case 0x0c ... 0x0d: /* or imm,%%eax */
1026 dst.reg = (unsigned long *)&_regs.eax;
1027 dst.val = _regs.eax;
1028 case 0x08 ... 0x0b: or: /* or */
1029 emulate_2op_SrcV("or", src, dst, _regs.eflags);
1030 break;
1032 case 0x14 ... 0x15: /* adc imm,%%eax */
1033 dst.reg = (unsigned long *)&_regs.eax;
1034 dst.val = _regs.eax;
1035 case 0x10 ... 0x13: adc: /* adc */
1036 emulate_2op_SrcV("adc", src, dst, _regs.eflags);
1037 break;
1039 case 0x1c ... 0x1d: /* sbb imm,%%eax */
1040 dst.reg = (unsigned long *)&_regs.eax;
1041 dst.val = _regs.eax;
1042 case 0x18 ... 0x1b: sbb: /* sbb */
1043 emulate_2op_SrcV("sbb", src, dst, _regs.eflags);
1044 break;
1046 case 0x24 ... 0x25: /* and imm,%%eax */
1047 dst.reg = (unsigned long *)&_regs.eax;
1048 dst.val = _regs.eax;
1049 case 0x20 ... 0x23: and: /* and */
1050 emulate_2op_SrcV("and", src, dst, _regs.eflags);
1051 break;
1053 case 0x2c ... 0x2d: /* sub imm,%%eax */
1054 dst.reg = (unsigned long *)&_regs.eax;
1055 dst.val = _regs.eax;
1056 case 0x28 ... 0x2b: sub: /* sub */
1057 emulate_2op_SrcV("sub", src, dst, _regs.eflags);
1058 break;
1060 case 0x34 ... 0x35: /* xor imm,%%eax */
1061 dst.reg = (unsigned long *)&_regs.eax;
1062 dst.val = _regs.eax;
1063 case 0x30 ... 0x33: xor: /* xor */
1064 emulate_2op_SrcV("xor", src, dst, _regs.eflags);
1065 break;
1067 case 0x3c ... 0x3d: /* cmp imm,%%eax */
1068 dst.reg = (unsigned long *)&_regs.eax;
1069 dst.val = _regs.eax;
1070 case 0x38 ... 0x3b: cmp: /* cmp */
1071 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
1072 break;
1074 case 0x62: /* bound */ {
1075 unsigned long src_val2;
1076 int lb, ub, idx;
1077 generate_exception_if(mode_64bit() || (src.type != OP_MEM), EXC_UD);
1078 if ( (rc = ops->read(src.mem.seg, src.mem.off + op_bytes,
1079 &src_val2, op_bytes, ctxt)) )
1080 goto done;
1081 ub = (op_bytes == 2) ? (int16_t)src_val2 : (int32_t)src_val2;
1082 lb = (op_bytes == 2) ? (int16_t)src.val : (int32_t)src.val;
1083 idx = (op_bytes == 2) ? (int16_t)dst.val : (int32_t)dst.val;
1084 generate_exception_if((idx < lb) || (idx > ub), EXC_BR);
1085 dst.type = OP_NONE;
1086 break;
1087 }
1089 case 0x63: /* movsxd (x86/64) / arpl (x86/32) */
1090 if ( mode_64bit() )
1091 {
1092 /* movsxd */
1093 if ( src.type == OP_REG )
1094 src.val = *(int32_t *)src.reg;
1095 else if ( (rc = ops->read(src.mem.seg, src.mem.off,
1096 &src.val, 4, ctxt)) )
1097 goto done;
1098 dst.val = (int32_t)src.val;
1099 }
1100 else
1101 {
1102 /* arpl */
1103 uint16_t src_val = dst.val;
1104 dst = src;
1105 _regs.eflags &= ~EFLG_ZF;
1106 _regs.eflags |= ((src_val & 3) > (dst.val & 3)) ? EFLG_ZF : 0;
1107 if ( _regs.eflags & EFLG_ZF )
1108 dst.val = (dst.val & ~3) | (src_val & 3);
1109 else
1110 dst.type = OP_NONE;
1111 }
1112 break;
1114 case 0x69: /* imul imm16/32 */
1115 case 0x6b: /* imul imm8 */ {
1116 unsigned long reg = *(long *)decode_register(modrm_reg, &_regs, 0);
1117 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1118 switch ( dst.bytes )
1119 {
1120 case 2:
1121 dst.val = ((uint32_t)(int16_t)src.val *
1122 (uint32_t)(int16_t)reg);
1123 if ( (int16_t)dst.val != (uint32_t)dst.val )
1124 _regs.eflags |= EFLG_OF|EFLG_CF;
1125 break;
1126 #ifdef __x86_64__
1127 case 4:
1128 dst.val = ((uint64_t)(int32_t)src.val *
1129 (uint64_t)(int32_t)reg);
1130 if ( (int32_t)dst.val != dst.val )
1131 _regs.eflags |= EFLG_OF|EFLG_CF;
1132 break;
1133 #endif
1134 default: {
1135 unsigned long m[2] = { src.val, reg };
1136 if ( imul_dbl(m) )
1137 _regs.eflags |= EFLG_OF|EFLG_CF;
1138 dst.val = m[0];
1139 break;
1140 }
1141 }
1142 dst.type = OP_REG;
1143 dst.reg = decode_register(modrm_reg, &_regs, 0);
1144 break;
1145 }
1147 case 0x80 ... 0x83: /* Grp1 */
1148 switch ( modrm_reg & 7 )
1150 case 0: goto add;
1151 case 1: goto or;
1152 case 2: goto adc;
1153 case 3: goto sbb;
1154 case 4: goto and;
1155 case 5: goto sub;
1156 case 6: goto xor;
1157 case 7: goto cmp;
1158 }
1159 break;
1161 case 0xa8 ... 0xa9: /* test imm,%%eax */
1162 dst.reg = (unsigned long *)&_regs.eax;
1163 dst.val = _regs.eax;
1164 case 0x84 ... 0x85: test: /* test */
1165 emulate_2op_SrcV("test", src, dst, _regs.eflags);
1166 break;
1168 case 0x86 ... 0x87: xchg: /* xchg */
1169 /* Write back the register source. */
1170 switch ( dst.bytes )
1171 {
1172 case 1: *(uint8_t *)src.reg = (uint8_t)dst.val; break;
1173 case 2: *(uint16_t *)src.reg = (uint16_t)dst.val; break;
1174 case 4: *src.reg = (uint32_t)dst.val; break; /* 64b reg: zero-extend */
1175 case 8: *src.reg = dst.val; break;
1176 }
1177 /* Write back the memory destination with implicit LOCK prefix. */
1178 dst.val = src.val;
1179 lock_prefix = 1;
1180 break;
1182 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
1183 generate_exception_if((modrm_reg & 7) != 0, EXC_UD);
1184 case 0x88 ... 0x8b: /* mov */
1185 dst.val = src.val;
1186 break;
1188 case 0x8d: /* lea */
1189 dst.val = ea.mem.off;
1190 break;
1192 case 0x8f: /* pop (sole member of Grp1a) */
1193 generate_exception_if((modrm_reg & 7) != 0, EXC_UD);
1194 /* 64-bit mode: POP defaults to a 64-bit operand. */
1195 if ( mode_64bit() && (dst.bytes == 4) )
1196 dst.bytes = 8;
1197 if ( (rc = ops->read(x86_seg_ss, truncate_ea(_regs.esp),
1198 &dst.val, dst.bytes, ctxt)) != 0 )
1199 goto done;
1200 register_address_increment(_regs.esp, dst.bytes);
1201 break;
1203 case 0xb0 ... 0xb7: /* mov imm8,r8 */
1204 dst.reg = decode_register(
1205 (b & 7) | ((rex_prefix & 1) << 3), &_regs, (rex_prefix == 0));
1206 dst.val = src.val;
1207 break;
1209 case 0xb8 ... 0xbf: /* mov imm{16,32,64},r{16,32,64} */
1210 if ( dst.bytes == 8 ) /* Fetch more bytes to obtain imm64 */
1211 src.val = ((uint32_t)src.val |
1212 ((uint64_t)insn_fetch_type(uint32_t) << 32));
1213 dst.reg = decode_register(
1214 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1215 dst.val = src.val;
1216 break;
1218 case 0xc0 ... 0xc1: grp2: /* Grp2 */
1219 switch ( modrm_reg & 7 )
1221 case 0: /* rol */
1222 emulate_2op_SrcB("rol", src, dst, _regs.eflags);
1223 break;
1224 case 1: /* ror */
1225 emulate_2op_SrcB("ror", src, dst, _regs.eflags);
1226 break;
1227 case 2: /* rcl */
1228 emulate_2op_SrcB("rcl", src, dst, _regs.eflags);
1229 break;
1230 case 3: /* rcr */
1231 emulate_2op_SrcB("rcr", src, dst, _regs.eflags);
1232 break;
1233 case 4: /* sal/shl */
1234 case 6: /* sal/shl */
1235 emulate_2op_SrcB("sal", src, dst, _regs.eflags);
1236 break;
1237 case 5: /* shr */
1238 emulate_2op_SrcB("shr", src, dst, _regs.eflags);
1239 break;
1240 case 7: /* sar */
1241 emulate_2op_SrcB("sar", src, dst, _regs.eflags);
1242 break;
1243 }
1244 break;
1246 case 0xd0 ... 0xd1: /* Grp2 */
1247 src.val = 1;
1248 goto grp2;
1250 case 0xd2 ... 0xd3: /* Grp2 */
1251 src.val = _regs.ecx;
1252 goto grp2;
1254 case 0xf6 ... 0xf7: /* Grp3 */
1255 switch ( modrm_reg & 7 )
1257 case 0 ... 1: /* test */
1258 /* Special case in Grp3: test has an immediate source operand. */
1259 src.type = OP_IMM;
1260 src.bytes = (d & ByteOp) ? 1 : op_bytes;
1261 if ( src.bytes == 8 ) src.bytes = 4;
1262 switch ( src.bytes )
1263 {
1264 case 1: src.val = insn_fetch_type(int8_t); break;
1265 case 2: src.val = insn_fetch_type(int16_t); break;
1266 case 4: src.val = insn_fetch_type(int32_t); break;
1267 }
1268 goto test;
1269 case 2: /* not */
1270 dst.val = ~dst.val;
1271 break;
1272 case 3: /* neg */
1273 emulate_1op("neg", dst, _regs.eflags);
1274 break;
1275 case 4: /* mul */
1276 src = dst;
1277 dst.type = OP_REG;
1278 dst.reg = (unsigned long *)&_regs.eax;
1279 dst.val = *dst.reg;
1280 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1281 switch ( src.bytes )
1282 {
1283 case 1:
1284 dst.val *= src.val;
1285 if ( (uint8_t)dst.val != (uint16_t)dst.val )
1286 _regs.eflags |= EFLG_OF|EFLG_CF;
1287 break;
1288 case 2:
1289 dst.val *= src.val;
1290 if ( (uint16_t)dst.val != (uint32_t)dst.val )
1291 _regs.eflags |= EFLG_OF|EFLG_CF;
1292 *(uint16_t *)&_regs.edx = dst.val >> 16;
1293 break;
1294 #ifdef __x86_64__
1295 case 4:
1296 dst.val *= src.val;
1297 if ( (uint32_t)dst.val != dst.val )
1298 _regs.eflags |= EFLG_OF|EFLG_CF;
1299 _regs.edx = (uint32_t)(dst.val >> 32);
1300 break;
1301 #endif
1302 default: {
1303 unsigned long m[2] = { src.val, dst.val };
1304 if ( mul_dbl(m) )
1305 _regs.eflags |= EFLG_OF|EFLG_CF;
1306 _regs.edx = m[1];
1307 dst.val = m[0];
1308 break;
1309 }
1310 }
1311 break;
1312 case 5: /* imul */
1313 src = dst;
1314 dst.type = OP_REG;
1315 dst.reg = (unsigned long *)&_regs.eax;
1316 dst.val = *dst.reg;
1317 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1318 switch ( src.bytes )
1319 {
1320 case 1:
1321 dst.val = ((uint16_t)(int8_t)src.val *
1322 (uint16_t)(int8_t)dst.val);
1323 if ( (int8_t)dst.val != (uint16_t)dst.val )
1324 _regs.eflags |= EFLG_OF|EFLG_CF;
1325 break;
1326 case 2:
1327 dst.val = ((uint32_t)(int16_t)src.val *
1328 (uint32_t)(int16_t)dst.val);
1329 if ( (int16_t)dst.val != (uint32_t)dst.val )
1330 _regs.eflags |= EFLG_OF|EFLG_CF;
1331 *(uint16_t *)&_regs.edx = dst.val >> 16;
1332 break;
1333 #ifdef __x86_64__
1334 case 4:
1335 dst.val = ((uint64_t)(int32_t)src.val *
1336 (uint64_t)(int32_t)dst.val);
1337 if ( (int32_t)dst.val != dst.val )
1338 _regs.eflags |= EFLG_OF|EFLG_CF;
1339 _regs.edx = (uint32_t)(dst.val >> 32);
1340 break;
1341 #endif
1342 default: {
1343 unsigned long m[2] = { src.val, dst.val };
1344 if ( imul_dbl(m) )
1345 _regs.eflags |= EFLG_OF|EFLG_CF;
1346 _regs.edx = m[1];
1347 dst.val = m[0];
1348 break;
1349 }
1350 }
1351 break;
1352 case 6: /* div */ {
1353 unsigned long u[2], v;
1354 src = dst;
1355 dst.type = OP_REG;
1356 dst.reg = (unsigned long *)&_regs.eax;
1357 switch ( src.bytes )
1358 {
1359 case 1:
1360 u[0] = (uint16_t)_regs.eax;
1361 u[1] = 0;
1362 v = (uint8_t)src.val;
1363 generate_exception_if(
1364 div_dbl(u, v) || ((uint8_t)u[0] != (uint16_t)u[0]),
1365 EXC_DE);
1366 dst.val = (uint8_t)u[0];
1367 ((uint8_t *)&_regs.eax)[1] = u[1];
1368 break;
1369 case 2:
1370 u[0] = ((uint32_t)_regs.edx << 16) | (uint16_t)_regs.eax;
1371 u[1] = 0;
1372 v = (uint16_t)src.val;
1373 generate_exception_if(
1374 div_dbl(u, v) || ((uint16_t)u[0] != (uint32_t)u[0]),
1375 EXC_DE);
1376 dst.val = (uint16_t)u[0];
1377 *(uint16_t *)&_regs.edx = u[1];
1378 break;
1379 #ifdef __x86_64__
1380 case 4:
1381 u[0] = (_regs.edx << 32) | (uint32_t)_regs.eax;
1382 u[1] = 0;
1383 v = (uint32_t)src.val;
1384 generate_exception_if(
1385 div_dbl(u, v) || ((uint32_t)u[0] != u[0]),
1386 EXC_DE);
1387 dst.val = (uint32_t)u[0];
1388 _regs.edx = (uint32_t)u[1];
1389 break;
1390 #endif
1391 default:
1392 u[0] = _regs.eax;
1393 u[1] = _regs.edx;
1394 v = src.val;
1395 generate_exception_if(div_dbl(u, v), EXC_DE);
1396 dst.val = u[0];
1397 _regs.edx = u[1];
1398 break;
1399 }
1400 break;
1401 }
1402 case 7: /* idiv */ {
1403 unsigned long u[2], v;
1404 src = dst;
1405 dst.type = OP_REG;
1406 dst.reg = (unsigned long *)&_regs.eax;
1407 switch ( src.bytes )
1408 {
1409 case 1:
1410 u[0] = (int16_t)_regs.eax;
1411 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1412 v = (int8_t)src.val;
1413 generate_exception_if(
1414 idiv_dbl(u, v) || ((int8_t)u[0] != (int16_t)u[0]),
1415 EXC_DE);
1416 dst.val = (int8_t)u[0];
1417 ((int8_t *)&_regs.eax)[1] = u[1];
1418 break;
1419 case 2:
1420 u[0] = (int32_t)((_regs.edx << 16) | (uint16_t)_regs.eax);
1421 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1422 v = (int16_t)src.val;
1423 generate_exception_if(
1424 idiv_dbl(u, v) || ((int16_t)u[0] != (int32_t)u[0]),
1425 EXC_DE);
1426 dst.val = (int16_t)u[0];
1427 *(int16_t *)&_regs.edx = u[1];
1428 break;
1429 #ifdef __x86_64__
1430 case 4:
1431 u[0] = (_regs.edx << 32) | (uint32_t)_regs.eax;
1432 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1433 v = (int32_t)src.val;
1434 generate_exception_if(
1435 idiv_dbl(u, v) || ((int32_t)u[0] != u[0]),
1436 EXC_DE);
1437 dst.val = (int32_t)u[0];
1438 _regs.edx = (uint32_t)u[1];
1439 break;
1440 #endif
1441 default:
1442 u[0] = _regs.eax;
1443 u[1] = _regs.edx;
1444 v = src.val;
1445 generate_exception_if(idiv_dbl(u, v), EXC_DE);
1446 dst.val = u[0];
1447 _regs.edx = u[1];
1448 break;
1449 }
1450 break;
1451 }
1452 default:
1453 goto cannot_emulate;
1454 }
1455 break;
1457 case 0xfe: /* Grp4 */
1458 generate_exception_if((modrm_reg & 7) >= 2, EXC_UD);
1459 case 0xff: /* Grp5 */
1460 switch ( modrm_reg & 7 )
1462 case 0: /* inc */
1463 emulate_1op("inc", dst, _regs.eflags);
1464 break;
1465 case 1: /* dec */
1466 emulate_1op("dec", dst, _regs.eflags);
1467 break;
1468 case 2: /* call (near) */
1469 case 3: /* jmp (near) */
1470 if ( ((op_bytes = dst.bytes) != 8) && mode_64bit() )
1471 {
1472 dst.bytes = op_bytes = 8;
1473 if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1474 &dst.val, 8, ctxt)) != 0 )
1475 goto done;
1476 }
1477 src.val = _regs.eip;
1478 _regs.eip = dst.val;
1479 if ( (modrm_reg & 7) == 2 )
1480 goto push; /* call */
1481 break;
1482 case 6: /* push */
1483 /* 64-bit mode: PUSH defaults to a 64-bit operand. */
1484 if ( mode_64bit() && (dst.bytes == 4) )
1485 {
1486 dst.bytes = 8;
1487 if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1488 &dst.val, 8, ctxt)) != 0 )
1489 goto done;
1490 }
1491 register_address_increment(_regs.esp, -dst.bytes);
1492 if ( (rc = ops->write(x86_seg_ss, truncate_ea(_regs.esp),
1493 dst.val, dst.bytes, ctxt)) != 0 )
1494 goto done;
1495 dst.type = OP_NONE;
1496 break;
1497 case 7:
1498 generate_exception_if(1, EXC_UD);
1499 default:
1500 goto cannot_emulate;
1501 }
1502 break;
1503 }
1505 writeback:
1506 switch ( dst.type )
1507 {
1508 case OP_REG:
1509 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1510 switch ( dst.bytes )
1511 {
1512 case 1: *(uint8_t *)dst.reg = (uint8_t)dst.val; break;
1513 case 2: *(uint16_t *)dst.reg = (uint16_t)dst.val; break;
1514 case 4: *dst.reg = (uint32_t)dst.val; break; /* 64b: zero-ext */
1515 case 8: *dst.reg = dst.val; break;
1516 }
1517 break;
1518 case OP_MEM:
1519 if ( !(d & Mov) && (dst.orig_val == dst.val) )
1520 /* nothing to do */;
1521 else if ( lock_prefix )
1522 rc = ops->cmpxchg(
1523 dst.mem.seg, dst.mem.off, dst.orig_val,
1524 dst.val, dst.bytes, ctxt);
1525 else
1526 rc = ops->write(
1527 dst.mem.seg, dst.mem.off, dst.val, dst.bytes, ctxt);
1528 if ( rc != 0 )
1529 goto done;
1530 default:
1531 break;
1532 }
1534 /* Commit shadow register state. */
1535 *ctxt->regs = _regs;
1537 done:
1538 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1540 special_insn:
1541 dst.type = OP_NONE;
1543 /*
1544 * The only implicit-operands instruction allowed a LOCK prefix is
1545 * CMPXCHG{8,16}B.
1546 */
1547 generate_exception_if(lock_prefix && (b != 0xc7), EXC_GP);
1549 if ( twobyte )
1550 goto twobyte_special_insn;
1552 if ( rep_prefix )
1553 {
1554 if ( _regs.ecx == 0 )
1555 {
1556 ctxt->regs->eip = _regs.eip;
1557 goto done;
1558 }
1559 _regs.ecx--;
1560 _regs.eip = ctxt->regs->eip;
1561 }
1563 switch ( b )
1564 {
1565 case 0x27: /* daa */ {
1566 uint8_t al = _regs.eax;
1567 unsigned long eflags = _regs.eflags;
1568 generate_exception_if(mode_64bit(), EXC_UD);
1569 _regs.eflags &= ~(EFLG_CF|EFLG_AF);
1570 if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
1572 *(uint8_t *)&_regs.eax += 6;
1573 _regs.eflags |= EFLG_AF;
1575 if ( (al > 0x99) || (eflags & EFLG_CF) )
1577 *(uint8_t *)&_regs.eax += 0x60;
1578 _regs.eflags |= EFLG_CF;
1580 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1581 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1582 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1583 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1584 break;
1585 }
1587 case 0x2f: /* das */ {
1588 uint8_t al = _regs.eax;
1589 unsigned long eflags = _regs.eflags;
1590 generate_exception_if(mode_64bit(), EXC_UD);
1591 _regs.eflags &= ~(EFLG_CF|EFLG_AF);
1592 if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
1594 _regs.eflags |= EFLG_AF;
1595 if ( (al < 6) || (eflags & EFLG_CF) )
1596 _regs.eflags |= EFLG_CF;
1597 *(uint8_t *)&_regs.eax -= 6;
1599 if ( (al > 0x99) || (eflags & EFLG_CF) )
1601 *(uint8_t *)&_regs.eax -= 0x60;
1602 _regs.eflags |= EFLG_CF;
1604 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1605 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1606 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1607 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1608 break;
1609 }
1611 case 0x37: /* aaa */
1612 case 0x3f: /* aas */
1613 generate_exception_if(mode_64bit(), EXC_UD);
1614 _regs.eflags &= ~EFLG_CF;
1615 if ( ((uint8_t)_regs.eax > 9) || (_regs.eflags & EFLG_AF) )
1616 {
1617 ((uint8_t *)&_regs.eax)[0] += (b == 0x37) ? 6 : -6;
1618 ((uint8_t *)&_regs.eax)[1] += (b == 0x37) ? 1 : -1;
1619 _regs.eflags |= EFLG_CF | EFLG_AF;
1620 }
1621 ((uint8_t *)&_regs.eax)[0] &= 0x0f;
1622 break;
1624 case 0x40 ... 0x4f: /* inc/dec reg */
1625 dst.type = OP_REG;
1626 dst.reg = decode_register(b & 7, &_regs, 0);
1627 dst.bytes = op_bytes;
1628 dst.val = *dst.reg;
1629 if ( b & 8 )
1630 emulate_1op("dec", dst, _regs.eflags);
1631 else
1632 emulate_1op("inc", dst, _regs.eflags);
1633 break;
1635 case 0x50 ... 0x57: /* push reg */
1636 src.val = *(unsigned long *)decode_register(
1637 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1638 goto push;
1640 case 0x58 ... 0x5f: /* pop reg */
1641 dst.type = OP_REG;
1642 dst.reg = decode_register(
1643 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1644 dst.bytes = op_bytes;
1645 if ( mode_64bit() && (dst.bytes == 4) )
1646 dst.bytes = 8;
1647 if ( (rc = ops->read(x86_seg_ss, truncate_ea(_regs.esp),
1648 &dst.val, dst.bytes, ctxt)) != 0 )
1649 goto done;
1650 register_address_increment(_regs.esp, dst.bytes);
1651 break;
1653 case 0x60: /* pusha */ {
1654 int i;
1655 unsigned long regs[] = {
1656 _regs.eax, _regs.ecx, _regs.edx, _regs.ebx,
1657 _regs.esp, _regs.ebp, _regs.esi, _regs.edi };
1658 generate_exception_if(mode_64bit(), EXC_UD);
1659 for ( i = 0; i < 8; i++ )
1660 if ( (rc = ops->write(x86_seg_ss,
1661 truncate_ea(_regs.esp-(i+1)*op_bytes),
1662 regs[i], op_bytes, ctxt)) != 0 )
1663 goto done;
1664 register_address_increment(_regs.esp, -8*op_bytes);
1665 break;
1666 }
1668 case 0x61: /* popa */ {
1669 int i;
1670 unsigned long dummy_esp, *regs[] = {
1671 (unsigned long *)&_regs.edi, (unsigned long *)&_regs.esi,
1672 (unsigned long *)&_regs.ebp, (unsigned long *)&dummy_esp,
1673 (unsigned long *)&_regs.ebx, (unsigned long *)&_regs.edx,
1674 (unsigned long *)&_regs.ecx, (unsigned long *)&_regs.eax };
1675 generate_exception_if(mode_64bit(), EXC_UD);
1676 for ( i = 0; i < 8; i++ )
1677 if ( (rc = ops->read(x86_seg_ss,
1678 truncate_ea(_regs.esp+i*op_bytes),
1679 regs[i], op_bytes, ctxt)) != 0 )
1680 goto done;
1681 register_address_increment(_regs.esp, 8*op_bytes);
1682 break;
1683 }
1685 case 0x68: /* push imm{16,32,64} */
1686 src.val = ((op_bytes == 2)
1687 ? (int32_t)insn_fetch_type(int16_t)
1688 : insn_fetch_type(int32_t));
1689 goto push;
1691 case 0x6a: /* push imm8 */
1692 src.val = insn_fetch_type(int8_t);
1693 push:
1694 d |= Mov; /* force writeback */
1695 dst.type = OP_MEM;
1696 dst.bytes = op_bytes;
1697 if ( mode_64bit() && (dst.bytes == 4) )
1698 dst.bytes = 8;
1699 dst.val = src.val;
1700 register_address_increment(_regs.esp, -dst.bytes);
1701 dst.mem.seg = x86_seg_ss;
1702 dst.mem.off = truncate_ea(_regs.esp);
1703 break;
1705 case 0x70 ... 0x7f: /* jcc (short) */ {
1706 int rel = insn_fetch_type(int8_t);
1707 if ( test_cc(b, _regs.eflags) )
1708 jmp_rel(rel);
1709 break;
1710 }
1712 case 0x90: /* nop / xchg %%r8,%%rax */
1713 if ( !(rex_prefix & 1) )
1714 break; /* nop */
1716 case 0x91 ... 0x97: /* xchg reg,%%rax */
1717 src.type = dst.type = OP_REG;
1718 src.bytes = dst.bytes = op_bytes;
1719 src.reg = (unsigned long *)&_regs.eax;
1720 src.val = *src.reg;
1721 dst.reg = decode_register(
1722 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1723 dst.val = *dst.reg;
1724 goto xchg;
1726 case 0x98: /* cbw/cwde/cdqe */
1727 switch ( op_bytes )
1728 {
1729 case 2: *(int16_t *)&_regs.eax = (int8_t)_regs.eax; break; /* cbw */
1730 case 4: _regs.eax = (uint32_t)(int16_t)_regs.eax; break; /* cwde */
1731 case 8: _regs.eax = (int32_t)_regs.eax; break; /* cdqe */
1732 }
1733 break;
1735 case 0x99: /* cwd/cdq/cqo */
1736 switch ( op_bytes )
1737 {
1738 case 2:
1739 *(int16_t *)&_regs.edx = ((int16_t)_regs.eax < 0) ? -1 : 0;
1740 break;
1741 case 4:
1742 _regs.edx = (uint32_t)(((int32_t)_regs.eax < 0) ? -1 : 0);
1743 break;
1744 case 8:
1745 _regs.edx = (_regs.eax < 0) ? -1 : 0;
1746 break;
1747 }
1748 break;
1750 case 0x9e: /* sahf */
1751 *(uint8_t *)&_regs.eflags = (((uint8_t *)&_regs.eax)[1] & 0xd7) | 0x02;
1752 break;
1754 case 0x9f: /* lahf */
1755 ((uint8_t *)&_regs.eax)[1] = (_regs.eflags & 0xd7) | 0x02;
1756 break;
1758 case 0xa0 ... 0xa1: /* mov mem.offs,{%al,%ax,%eax,%rax} */
1759 /* Source EA is not encoded via ModRM. */
1760 dst.type = OP_REG;
1761 dst.reg = (unsigned long *)&_regs.eax;
1762 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1763 if ( (rc = ops->read(ea.mem.seg, insn_fetch_bytes(ad_bytes),
1764 &dst.val, dst.bytes, ctxt)) != 0 )
1765 goto done;
1766 break;
1768 case 0xa2 ... 0xa3: /* mov {%al,%ax,%eax,%rax},mem.offs */
1769 /* Destination EA is not encoded via ModRM. */
1770 dst.type = OP_MEM;
1771 dst.mem.seg = ea.mem.seg;
1772 dst.mem.off = insn_fetch_bytes(ad_bytes);
1773 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1774 dst.val = (unsigned long)_regs.eax;
1775 break;
1777 case 0xa4 ... 0xa5: /* movs */
1778 dst.type = OP_MEM;
1779 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1780 dst.mem.seg = x86_seg_es;
1781 dst.mem.off = truncate_ea(_regs.edi);
1782 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
1783 &dst.val, dst.bytes, ctxt)) != 0 )
1784 goto done;
1785 register_address_increment(
1786 _regs.esi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1787 register_address_increment(
1788 _regs.edi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1789 break;
1791 case 0xaa ... 0xab: /* stos */
1792 dst.type = OP_MEM;
1793 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1794 dst.mem.seg = x86_seg_es;
1795 dst.mem.off = truncate_ea(_regs.edi);
1796 dst.val = _regs.eax;
1797 register_address_increment(
1798 _regs.edi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1799 break;
1801 case 0xac ... 0xad: /* lods */
1802 dst.type = OP_REG;
1803 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1804 dst.reg = (unsigned long *)&_regs.eax;
1805 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
1806 &dst.val, dst.bytes, ctxt)) != 0 )
1807 goto done;
1808 register_address_increment(
1809 _regs.esi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1810 break;
1812 case 0xc2: /* ret imm16 (near) */
1813 case 0xc3: /* ret (near) */ {
1814 int offset = (b == 0xc2) ? insn_fetch_type(uint16_t) : 0;
1815 op_bytes = mode_64bit() ? 8 : op_bytes;
1816 if ( (rc = ops->read(x86_seg_ss, truncate_ea(_regs.esp),
1817 &dst.val, op_bytes, ctxt)) != 0 )
1818 goto done;
1819 _regs.eip = dst.val;
1820 register_address_increment(_regs.esp, op_bytes + offset);
1821 break;
1822 }
1824 case 0xd4: /* aam */ {
1825 unsigned int base = insn_fetch_type(uint8_t);
1826 uint8_t al = _regs.eax;
1827 generate_exception_if(mode_64bit(), EXC_UD);
1828 generate_exception_if(base == 0, EXC_DE);
1829 *(uint16_t *)&_regs.eax = ((al / base) << 8) | (al % base);
1830 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1831 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1832 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1833 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1834 break;
1835 }
1837 case 0xd5: /* aad */ {
1838 unsigned int base = insn_fetch_type(uint8_t);
1839 uint16_t ax = _regs.eax;
1840 generate_exception_if(mode_64bit(), EXC_UD);
1841 *(uint16_t *)&_regs.eax = (uint8_t)(ax + ((ax >> 8) * base));
1842 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1843 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1844 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1845 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1846 break;
1847 }
1849 case 0xd6: /* salc */
1850 generate_exception_if(mode_64bit(), EXC_UD);
1851 *(uint8_t *)&_regs.eax = (_regs.eflags & EFLG_CF) ? 0xff : 0x00;
1852 break;
1854 case 0xd7: /* xlat */ {
1855 unsigned long al = (uint8_t)_regs.eax;
1856 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.ebx + al),
1857 &al, 1, ctxt)) != 0 )
1858 goto done;
1859 *(uint8_t *)&_regs.eax = al;
1860 break;
1861 }
1863 case 0xe0 ... 0xe2: /* loop{,z,nz} */ {
1864 int rel = insn_fetch_type(int8_t);
1865 int do_jmp = !(_regs.eflags & EFLG_ZF); /* loopnz */
1866 if ( b == 0xe1 )
1867 do_jmp = !do_jmp; /* loopz */
1868 else if ( b == 0xe2 )
1869 do_jmp = 1; /* loop */
1870 switch ( ad_bytes )
1871 {
1872 case 2:
1873 do_jmp &= --(*(uint16_t *)&_regs.ecx) != 0;
1874 break;
1875 case 4:
1876 do_jmp &= --(*(uint32_t *)&_regs.ecx) != 0;
1877 _regs.ecx = (uint32_t)_regs.ecx; /* zero-extend in 64-bit mode */
1878 break;
1879 default: /* case 8: */
1880 do_jmp &= --_regs.ecx != 0;
1881 break;
1882 }
1883 if ( do_jmp )
1884 jmp_rel(rel);
1885 break;
1886 }
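/* loop/loopz/loopnz decrement rCX at the current address size and branch
 * while the count remains non-zero; 0xe0/0xe1 additionally require ZF
 * clear/set respectively. */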
1888 case 0xe3: /* jcxz/jecxz (short) */ {
1889 int rel = insn_fetch_type(int8_t);
1890 if ( (ad_bytes == 2) ? !(uint16_t)_regs.ecx :
1891 (ad_bytes == 4) ? !(uint32_t)_regs.ecx : !_regs.ecx )
1892 jmp_rel(rel);
1893 break;
1894 }
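/* jcxz/jecxz branch when rCX, at the current address size, is zero;
 * unlike loop, the count is not decremented. */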
1896 case 0xe8: /* call (near) */ {
1897 int rel = (((op_bytes == 2) && !mode_64bit())
1898 ? (int32_t)insn_fetch_type(int16_t)
1899 : insn_fetch_type(int32_t));
1900 op_bytes = mode_64bit() ? 8 : op_bytes;
1901 src.val = _regs.eip;
1902 jmp_rel(rel);
1903 goto push;
1904 }
1906 case 0xe9: /* jmp (near) */ {
1907 int rel = (((op_bytes == 2) && !mode_64bit())
1908 ? (int32_t)insn_fetch_type(int16_t)
1909 : insn_fetch_type(int32_t));
1910 jmp_rel(rel);
1911 break;
1912 }
1914 case 0xeb: /* jmp (short) */
1915 jmp_rel(insn_fetch_type(int8_t));
1916 break;
1918 case 0xf5: /* cmc */
1919 _regs.eflags ^= EFLG_CF;
1920 break;
1922 case 0xf8: /* clc */
1923 _regs.eflags &= ~EFLG_CF;
1924 break;
1926 case 0xf9: /* stc */
1927 _regs.eflags |= EFLG_CF;
1928 break;
1930 case 0xfc: /* cld */
1931 _regs.eflags &= ~EFLG_DF;
1932 break;
1934 case 0xfd: /* std */
1935 _regs.eflags |= EFLG_DF;
1936 break;
1937 }
1938 goto writeback;
1940 twobyte_insn:
1941 switch ( b )
1942 {
1943 case 0x40 ... 0x4f: /* cmovcc */
1944 dst.val = src.val;
1945 if ( !test_cc(b, _regs.eflags) )
1946 dst.type = OP_NONE;
1947 break;
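/* cmov performs the full decode and source read regardless of the
 * condition; a false condition merely suppresses the write-back via
 * OP_NONE. */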
1949 case 0x90 ... 0x9f: /* setcc */
1950 dst.val = test_cc(b, _regs.eflags);
1951 break;
1953 case 0xb0 ... 0xb1: /* cmpxchg */
1954 /* Save real source value, then compare EAX against destination. */
1955 src.orig_val = src.val;
1956 src.val = _regs.eax;
1957 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
1958 /* Always write back. The question is: where to? */
1959 d |= Mov;
1960 if ( _regs.eflags & EFLG_ZF )
1961 {
1962 /* Success: write back to memory. */
1963 dst.val = src.orig_val;
1964 }
1965 else
1966 {
1967 /* Failure: write the value we saw to EAX. */
1968 dst.type = OP_REG;
1969 dst.reg = (unsigned long *)&_regs.eax;
1970 }
1971 break;
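/* cmpxchg compares the accumulator with the destination: on a match (ZF)
 * the source value is stored to the destination, otherwise the old
 * destination value lands in the accumulator. Something is written in
 * either case, hence the forced Mov above. */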
1973 case 0xa3: bt: /* bt */
1974 emulate_2op_SrcV_nobyte("bt", src, dst, _regs.eflags);
1975 break;
1977 case 0xb3: btr: /* btr */
1978 emulate_2op_SrcV_nobyte("btr", src, dst, _regs.eflags);
1979 break;
1981 case 0xab: bts: /* bts */
1982 emulate_2op_SrcV_nobyte("bts", src, dst, _regs.eflags);
1983 break;
1985 case 0xaf: /* imul */
1986 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1987 switch ( dst.bytes )
1988 {
1989 case 2:
1990 dst.val = ((uint32_t)(int16_t)src.val *
1991 (uint32_t)(int16_t)dst.val);
1992 if ( (int16_t)dst.val != (uint32_t)dst.val )
1993 _regs.eflags |= EFLG_OF|EFLG_CF;
1994 break;
1995 #ifdef __x86_64__
1996 case 4:
1997 dst.val = ((uint64_t)(int32_t)src.val *
1998 (uint64_t)(int32_t)dst.val);
1999 if ( (int32_t)dst.val != dst.val )
2000 _regs.eflags |= EFLG_OF|EFLG_CF;
2001 break;
2002 #endif
2003 default: {
2004 unsigned long m[2] = { src.val, dst.val };
2005 if ( imul_dbl(m) )
2006 _regs.eflags |= EFLG_OF|EFLG_CF;
2007 dst.val = m[0];
2008 break;
2009 }
2010 }
2011 break;
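/* OF/CF signal that the signed product no longer fits the destination
 * width: e.g. 16-bit 0x4000*2 = 0x8000, whose sign-extended low word
 * (-32768) differs from the full product (32768). */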
2013 case 0xb6: /* movzx rm8,r{16,32,64} */
2014 /* Recompute DstReg as we may have decoded AH/BH/CH/DH. */
2015 dst.reg = decode_register(modrm_reg, &_regs, 0);
2016 dst.bytes = op_bytes;
2017 dst.val = (uint8_t)src.val;
2018 break;
2020 case 0xbc: /* bsf */ {
2021 int zf;
2022 asm ( "bsf %2,%0; setz %b1"
2023 : "=r" (dst.val), "=q" (zf)
2024 : "r" (src.val), "1" (0) );
2025 _regs.eflags &= ~EFLG_ZF;
2026 _regs.eflags |= zf ? EFLG_ZF : 0;
2027 break;
2028 }
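/* bsf (and bsr below) execute the host instruction and propagate only
 * ZF, which is all the architecture defines; for a zero source the
 * destination is left unspecified, as on hardware. */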
2030 case 0xbd: /* bsr */ {
2031 int zf;
2032 asm ( "bsr %2,%0; setz %b1"
2033 : "=r" (dst.val), "=q" (zf)
2034 : "r" (src.val), "1" (0) );
2035 _regs.eflags &= ~EFLG_ZF;
2036 _regs.eflags |= zf ? EFLG_ZF : 0;
2037 break;
2038 }
2040 case 0xb7: /* movzx rm16,r{16,32,64} */
2041 dst.val = (uint16_t)src.val;
2042 break;
2044 case 0xbb: btc: /* btc */
2045 emulate_2op_SrcV_nobyte("btc", src, dst, _regs.eflags);
2046 break;
2048 case 0xba: /* Grp8 */
2049 switch ( modrm_reg & 3 )
2050 {
2051 case 0: goto bt;
2052 case 1: goto bts;
2053 case 2: goto btr;
2054 case 3: goto btc;
2055 }
2056 break;
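/* Grp8's architecturally valid reg values are 4-7; masking with 3 folds
 * them onto the bt/bts/btr/btc handlers (the invalid 0-3 encodings alias
 * the same way rather than faulting). */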
2058 case 0xbe: /* movsx rm8,r{16,32,64} */
2059 /* Recompute DstReg as we may have decoded AH/BH/CH/DH. */
2060 dst.reg = decode_register(modrm_reg, &_regs, 0);
2061 dst.bytes = op_bytes;
2062 dst.val = (int8_t)src.val;
2063 break;
2065 case 0xbf: /* movsx rm16,r{16,32,64} */
2066 dst.val = (int16_t)src.val;
2067 break;
2069 case 0xc0 ... 0xc1: /* xadd */
2070 /* Write back the register source. */
2071 switch ( dst.bytes )
2072 {
2073 case 1: *(uint8_t *)src.reg = (uint8_t)dst.val; break;
2074 case 2: *(uint16_t *)src.reg = (uint16_t)dst.val; break;
2075 case 4: *src.reg = (uint32_t)dst.val; break; /* 64b reg: zero-extend */
2076 case 8: *src.reg = dst.val; break;
2077 }
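/* The old destination value is now in the source register; reuse the
 * generic add path to compute dst+src and set the arithmetic flags. */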
2078 goto add;
2079 }
2080 goto writeback;
2082 twobyte_special_insn:
2083 switch ( b )
2084 {
2085 case 0x0d: /* GrpP (prefetch) */
2086 case 0x18: /* Grp16 (prefetch/nop) */
2087 case 0x19 ... 0x1f: /* nop (amd-defined) */
2088 break;
2090 case 0x80 ... 0x8f: /* jcc (near) */ {
2091 int rel = (((op_bytes == 2) && !mode_64bit())
2092 ? (int32_t)insn_fetch_type(int16_t)
2093 : insn_fetch_type(int32_t));
2094 if ( test_cc(b, _regs.eflags) )
2095 jmp_rel(rel);
2096 break;
2097 }
2099 case 0xc7: /* Grp9 (cmpxchg8b) */
2100 #if defined(__i386__)
2101 {
2102 unsigned long old_lo, old_hi;
2103 if ( (rc = ops->read(ea.mem.seg, ea.mem.off+0, &old_lo, 4, ctxt)) ||
2104 (rc = ops->read(ea.mem.seg, ea.mem.off+4, &old_hi, 4, ctxt)) )
2105 goto done;
2106 if ( (old_lo != _regs.eax) || (old_hi != _regs.edx) )
2107 {
2108 _regs.eax = old_lo;
2109 _regs.edx = old_hi;
2110 _regs.eflags &= ~EFLG_ZF;
2111 }
2112 else if ( ops->cmpxchg8b == NULL )
2113 {
2114 rc = X86EMUL_UNHANDLEABLE;
2115 goto done;
2116 }
2117 else
2118 {
2119 if ( (rc = ops->cmpxchg8b(ea.mem.seg, ea.mem.off, old_lo, old_hi,
2120 _regs.ebx, _regs.ecx, ctxt)) != 0 )
2121 goto done;
2122 _regs.eflags |= EFLG_ZF;
2123 }
2124 break;
2125 }
2126 #elif defined(__x86_64__)
2127 {
2128 unsigned long old, new;
2129 if ( (rc = ops->read(ea.mem.seg, ea.mem.off, &old, 8, ctxt)) != 0 )
2130 goto done;
2131 if ( ((uint32_t)(old>>0) != (uint32_t)_regs.eax) ||
2132 ((uint32_t)(old>>32) != (uint32_t)_regs.edx) )
2133 {
2134 _regs.eax = (uint32_t)(old>>0);
2135 _regs.edx = (uint32_t)(old>>32);
2136 _regs.eflags &= ~EFLG_ZF;
2137 }
2138 else
2139 {
2140 new = (_regs.ecx<<32)|(uint32_t)_regs.ebx;
2141 if ( (rc = ops->cmpxchg(ea.mem.seg, ea.mem.off, old,
2142 new, 8, ctxt)) != 0 )
2143 goto done;
2144 _regs.eflags |= EFLG_ZF;
2145 }
2146 break;
2147 }
2148 #endif
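/* Either path implements cmpxchg8b: EDX:EAX is compared with the 8-byte
 * operand; on a match ECX:EBX is stored and ZF set, else the old value is
 * loaded into EDX:EAX and ZF cleared. The 64-bit build can use the plain
 * 8-byte cmpxchg hook, while i386 needs the dedicated cmpxchg8b hook. */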
2150 case 0xc8 ... 0xcf: /* bswap */
2151 dst.type = OP_REG;
2152 dst.reg = decode_register(b & 7, &_regs, 0);
2153 dst.val = *dst.reg;
2154 switch ( dst.bytes = op_bytes )
2155 {
2156 case 2:
2157 dst.val = (((dst.val & 0x00FFUL) << 8) |
2158 ((dst.val & 0xFF00UL) >> 8));
2159 break;
2160 case 4:
2161 dst.val = (((dst.val & 0x000000FFUL) << 24) |
2162 ((dst.val & 0x0000FF00UL) << 8) |
2163 ((dst.val & 0x00FF0000UL) >> 8) |
2164 ((dst.val & 0xFF000000UL) >> 24));
2165 break;
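/* e.g. the 32-bit form maps 0x11223344 to 0x44332211. Note the 16-bit
 * form above is architecturally undefined; it is emulated as a plain
 * byte swap. */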
2166 #ifdef __x86_64__
2167 case 8:
2168 dst.val = (((dst.val & 0x00000000000000FFUL) << 56) |
2169 ((dst.val & 0x000000000000FF00UL) << 40) |
2170 ((dst.val & 0x0000000000FF0000UL) << 24) |
2171 ((dst.val & 0x00000000FF000000UL) << 8) |
2172 ((dst.val & 0x000000FF00000000UL) >> 8) |
2173 ((dst.val & 0x0000FF0000000000UL) >> 24) |
2174 ((dst.val & 0x00FF000000000000UL) >> 40) |
2175 ((dst.val & 0xFF00000000000000UL) >> 56));
2176 break;
2177 #endif
2178 }
2179 break;
2180 }
2181 goto writeback;
2183 cannot_emulate:
2184 #ifdef __XEN__
2185 gdprintk(XENLOG_DEBUG, "Instr:");
2186 for ( ea.mem.off = ctxt->regs->eip; ea.mem.off < _regs.eip; ea.mem.off++ )
2187 {
2188 unsigned long x;
2189 ops->insn_fetch(x86_seg_cs, ea.mem.off, &x, 1, ctxt);
2190 printk(" %02x", (uint8_t)x);
2191 }
2192 printk("\n");
2193 #endif
2194 return -1;