ia64/xen-unstable

view xen/arch/x86/x86_emulate.c @ 13462:6d832b092857

[XEN] A few emulator fixes.
Signed-off-by: Keir Fraser <keir@xensource.com>
author kfraser@localhost.localdomain
date Wed Jan 17 15:41:39 2007 +0000 (2007-01-17)
parents 0ba81aa56455
children 348c2983ff02
line source
1 /******************************************************************************
2 * x86_emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005-2007 Keir Fraser
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 #ifndef __XEN__
24 #include <stddef.h>
25 #include <stdint.h>
26 #include <public/xen.h>
27 #else
28 #include <xen/config.h>
29 #include <xen/types.h>
30 #include <xen/lib.h>
31 #include <asm/regs.h>
32 #undef cmpxchg
33 #endif
34 #include <asm-x86/x86_emulate.h>
/*
 * Decode attributes: each entry of opcode_table[]/twobyte_table[] below is
 * an OR of the following flags, telling the generic decoder how to fetch
 * the instruction's operands.
 */
/* Operand sizes: 8-bit operands or specified/overridden size. */
#define ByteOp      (1<<0) /* 8-bit operands. */
/* Destination operand type. */
#define DstBitBase  (0<<1) /* Memory operand, bit string. */
#define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
#define DstReg      (2<<1) /* Register operand. */
#define DstMem      (3<<1) /* Memory operand. */
#define DstMask     (3<<1)
/* Source operand type. */
#define SrcNone     (0<<3) /* No source operand. */
#define SrcImplicit (0<<3) /* Source operand is implicit in the opcode. */
#define SrcReg      (1<<3) /* Register operand. */
#define SrcMem      (2<<3) /* Memory operand. */
#define SrcMem16    (3<<3) /* Memory operand (16-bit). */
#define SrcImm      (4<<3) /* Immediate operand. */
#define SrcImmByte  (5<<3) /* 8-bit sign-extended immediate operand. */
#define SrcMask     (7<<3)
/* Generic ModRM decode. */
#define ModRM       (1<<6)
/* Destination is only written; never read. */
#define Mov         (1<<7)
/*
 * Decode attributes, indexed by the first opcode byte. A zero entry means
 * the opcode is not emulated (x86_emulate() bails to cannot_emulate),
 * except 0x0F, which escapes to twobyte_table[] below.
 */
static uint8_t opcode_table[256] = {
    /* 0x00 - 0x07 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, 0,
    /* 0x08 - 0x0F */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, 0,
    /* 0x10 - 0x17 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, 0,
    /* 0x18 - 0x1F */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, 0,
    /* 0x20 - 0x27 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
    /* 0x28 - 0x2F */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
    /* 0x30 - 0x37 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
    /* 0x38 - 0x3F */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
    /* 0x40 - 0x4F */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x50 - 0x5F */
    ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
    ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
    ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
    ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
    /* 0x60 - 0x67 */
    ImplicitOps, ImplicitOps, DstReg|SrcMem|ModRM, DstReg|SrcMem16|ModRM|Mov,
    0, 0, 0, 0,
    /* 0x68 - 0x6F */
    ImplicitOps|Mov, DstMem|SrcImm|ModRM|Mov,
    ImplicitOps|Mov, DstMem|SrcImmByte|ModRM|Mov,
    0, 0, 0, 0,
    /* 0x70 - 0x77 */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x78 - 0x7F */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x80 - 0x87 */
    ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImm|ModRM,
    ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImmByte|ModRM,
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    /* 0x88 - 0x8F */
    ByteOp|DstMem|SrcReg|ModRM|Mov, DstMem|SrcReg|ModRM|Mov,
    ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    0, DstReg|SrcNone|ModRM, 0, DstMem|SrcNone|ModRM|Mov,
    /* 0x90 - 0x97 */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x98 - 0x9F */
    ImplicitOps, ImplicitOps, 0, 0, 0, 0, ImplicitOps, ImplicitOps,
    /* 0xA0 - 0xA7 */
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov, 0, 0,
    /* 0xA8 - 0xAF */
    ByteOp|DstReg|SrcImm, DstReg|SrcImm,
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov, 0, 0,
    /* 0xB0 - 0xB7 */
    ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
    ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
    ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
    ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
    /* 0xB8 - 0xBF */
    DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov,
    DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov,
    /* 0xC0 - 0xC7 */
    ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImmByte|ModRM,
    ImplicitOps, ImplicitOps,
    0, 0, ByteOp|DstMem|SrcImm|ModRM|Mov, DstMem|SrcImm|ModRM|Mov,
    /* 0xC8 - 0xCF */
    0, 0, 0, 0, 0, 0, 0, 0,
    /* 0xD0 - 0xD7 */
    ByteOp|DstMem|SrcImplicit|ModRM, DstMem|SrcImplicit|ModRM,
    ByteOp|DstMem|SrcImplicit|ModRM, DstMem|SrcImplicit|ModRM,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0xD8 - 0xDF */
    0, 0, 0, 0, 0, 0, 0, 0,
    /* 0xE0 - 0xE7 */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps, 0, 0, 0, 0,
    /* 0xE8 - 0xEF */
    ImplicitOps, ImplicitOps, 0, ImplicitOps, 0, 0, 0, 0,
    /* 0xF0 - 0xF7 */
    0, 0, 0, 0,
    0, ImplicitOps, ByteOp|DstMem|SrcNone|ModRM, DstMem|SrcNone|ModRM,
    /* 0xF8 - 0xFF */
    ImplicitOps, ImplicitOps, 0, 0,
    ImplicitOps, ImplicitOps, ByteOp|DstMem|SrcNone|ModRM, DstMem|SrcNone|ModRM
};
/*
 * Decode attributes for two-byte opcodes (escape byte 0x0F), indexed by the
 * second opcode byte. Zero entries are not emulated.
 */
static uint8_t twobyte_table[256] = {
    /* 0x00 - 0x0F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps|ModRM, 0, 0,
    /* 0x10 - 0x17 */
    0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x18 - 0x1F */
    ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
    ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
    /* 0x20 - 0x2F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x30 - 0x3F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x40 - 0x47 */
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    /* 0x48 - 0x4F */
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    /* 0x50 - 0x5F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x60 - 0x6F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x70 - 0x7F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x80 - 0x87 */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x88 - 0x8F */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x90 - 0x97 */
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    /* 0x98 - 0x9F */
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    /* 0xA0 - 0xA7 */
    0, 0, 0, DstBitBase|SrcReg|ModRM, 0, 0, 0, 0,
    /* 0xA8 - 0xAF */
    0, 0, 0, DstBitBase|SrcReg|ModRM, 0, 0, 0, DstReg|SrcMem|ModRM,
    /* 0xB0 - 0xB7 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    0, DstBitBase|SrcReg|ModRM,
    0, 0, ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem16|ModRM|Mov,
    /* 0xB8 - 0xBF */
    0, 0, DstBitBase|SrcImmByte|ModRM, DstBitBase|SrcReg|ModRM,
    DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem16|ModRM|Mov,
    /* 0xC0 - 0xC7 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM, 0, 0,
    0, 0, 0, ImplicitOps|ModRM,
    /* 0xC8 - 0xCF */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0xD0 - 0xDF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0xE0 - 0xEF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0xF0 - 0xFF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Type, address-of, and value of an instruction's operand. */
struct operand {
    enum { OP_REG, OP_MEM, OP_IMM, OP_NONE } type;
    /* Operand width in bytes (1, 2, 4 or 8). */
    unsigned int bytes;
    /* Current value; orig_val preserves the value initially read so that a
     * read-modify-write destination can be compared/restored later. */
    unsigned long val, orig_val;
    union {
        /* OP_REG: Pointer to register field. */
        unsigned long *reg;
        /* OP_MEM: Segment and offset. */
        struct {
            enum x86_segment seg;
            unsigned long off;
        } mem;
    };
};
/* EFLAGS bit definitions. */
#define EFLG_OF (1<<11) /* Overflow. */
#define EFLG_DF (1<<10) /* Direction (string ops). */
#define EFLG_SF (1<<7)  /* Sign. */
#define EFLG_ZF (1<<6)  /* Zero. */
#define EFLG_AF (1<<4)  /* Auxiliary (BCD) carry. */
#define EFLG_PF (1<<2)  /* Parity. */
#define EFLG_CF (1<<0)  /* Carry. */

/* Exception definitions (x86 vector numbers). */
#define EXC_DE  0  /* Divide error. */
#define EXC_BR  5  /* BOUND range exceeded. */
#define EXC_UD  6  /* Invalid opcode. */
#define EXC_GP 13  /* General protection. */
/*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
 * code. This allows us to save/restore EFLAGS and thus very easily pick up
 * any modified flags.
 */

#if defined(__x86_64__)
#define _LO32 "k"          /* force 32-bit operand */
#define _STK  "%%rsp"      /* stack pointer */
#elif defined(__i386__)
#define _LO32 ""           /* force 32-bit operand */
#define _STK  "%%esp"      /* stack pointer */
#endif

/*
 * These EFLAGS bits are restored from saved value during emulation, and
 * any changes are written back to the saved value after emulation.
 */
#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)

/*
 * The _sav/_msk/_tmp arguments below are positional asm-operand numbers
 * (passed as strings): _sav = saved guest EFLAGS, _msk = EFLAGS_MASK,
 * _tmp = a scratch register. The splice is done via the host stack:
 * the masked saved flags are merged into a PUSHF image and POPF'd back.
 */

/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp)           \
/* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); */\
"push %"_sav"; "                                \
"movl %"_msk",%"_LO32 _tmp"; "                  \
"andl %"_LO32 _tmp",("_STK"); "                 \
"pushf; "                                       \
"notl %"_LO32 _tmp"; "                          \
"andl %"_LO32 _tmp",("_STK"); "                 \
"pop %"_tmp"; "                                 \
"orl %"_LO32 _tmp",("_STK"); "                  \
"popf; "                                        \
/* _sav &= ~msk; */                             \
"movl %"_msk",%"_LO32 _tmp"; "                  \
"notl %"_LO32 _tmp"; "                          \
"andl %"_LO32 _tmp",%"_sav"; "

/* After executing instruction: write-back necessary bits in EFLAGS. */
#define _POST_EFLAGS(_sav, _msk, _tmp)          \
/* _sav |= EFLAGS & _msk; */                    \
"pushf; "                                       \
"pop %"_tmp"; "                                 \
"andl %"_msk",%"_LO32 _tmp"; "                  \
"orl %"_LO32 _tmp",%"_sav"; "
/*
 * Raw emulation: instruction has two explicit operands.
 *
 * Asm operand numbering used with _PRE/_POST_EFLAGS:
 *   %0 = _eflags, %1 = (_dst).val, %2 = scratch, %3 = (_src).val,
 *   %4 = EFLAGS_MASK.
 * The _wx/_wy (word), _lx/_ly (long) and _qx/_qy (quad) pairs supply the
 * register-modifier and constraint letters for each operand width; see the
 * emulate_2op_Src* wrappers below for the concrete letters passed in.
 */
#define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy)\
do{ unsigned long _tmp;                                                    \
    switch ( (_dst).bytes )                                                \
    {                                                                      \
    case 2:                                                                \
        __asm__ __volatile__ (                                             \
            _PRE_EFLAGS("0","4","2")                                       \
            _op"w %"_wx"3,%1; "                                            \
            _POST_EFLAGS("0","4","2")                                      \
            : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)              \
            : _wy ((_src).val), "i" (EFLAGS_MASK),                         \
              "m" (_eflags), "m" ((_dst).val) );                           \
        break;                                                             \
    case 4:                                                                \
        __asm__ __volatile__ (                                             \
            _PRE_EFLAGS("0","4","2")                                       \
            _op"l %"_lx"3,%1; "                                            \
            _POST_EFLAGS("0","4","2")                                      \
            : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)              \
            : _ly ((_src).val), "i" (EFLAGS_MASK),                         \
              "m" (_eflags), "m" ((_dst).val) );                           \
        break;                                                             \
    case 8:                                                                \
        /* 64-bit only; expands to nothing on i386 (see below). */         \
        __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy);           \
        break;                                                             \
    }                                                                      \
} while (0)
#define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy)\
do{ unsigned long _tmp;                                                    \
    switch ( (_dst).bytes )                                                \
    {                                                                      \
    case 1:                                                                \
        __asm__ __volatile__ (                                             \
            _PRE_EFLAGS("0","4","2")                                       \
            _op"b %"_bx"3,%1; "                                            \
            _POST_EFLAGS("0","4","2")                                      \
            : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)              \
            : _by ((_src).val), "i" (EFLAGS_MASK),                         \
              "m" (_eflags), "m" ((_dst).val) );                           \
        break;                                                             \
    default:                                                               \
        __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy);\
        break;                                                             \
    }                                                                      \
} while (0)
/* Source operand is byte-sized and may be restricted to just %cl. */
#define emulate_2op_SrcB(_op, _src, _dst, _eflags)                         \
    __emulate_2op(_op, _src, _dst, _eflags,                                \
                  "b", "c", "b", "c", "b", "c", "b", "c")
/* Source operand is byte, word, long or quad sized. */
#define emulate_2op_SrcV(_op, _src, _dst, _eflags)                         \
    __emulate_2op(_op, _src, _dst, _eflags,                                \
                  "b", "q", "w", "r", _LO32, "r", "", "r")
/* Source operand is word, long or quad sized. */
#define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags)                  \
    __emulate_2op_nobyte(_op, _src, _dst, _eflags,                         \
                         "w", "r", _LO32, "r", "", "r")
/*
 * Instruction has only one explicit operand (no source operand).
 * Asm operand numbering: %0 = _eflags, %1 = (_dst).val, %2 = scratch,
 * %3 = EFLAGS_MASK.
 */
#define emulate_1op(_op,_dst,_eflags)                                      \
do{ unsigned long _tmp;                                                    \
    switch ( (_dst).bytes )                                                \
    {                                                                      \
    case 1:                                                                \
        __asm__ __volatile__ (                                             \
            _PRE_EFLAGS("0","3","2")                                       \
            _op"b %1; "                                                    \
            _POST_EFLAGS("0","3","2")                                      \
            : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)              \
            : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) );        \
        break;                                                             \
    case 2:                                                                \
        __asm__ __volatile__ (                                             \
            _PRE_EFLAGS("0","3","2")                                       \
            _op"w %1; "                                                    \
            _POST_EFLAGS("0","3","2")                                      \
            : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)              \
            : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) );        \
        break;                                                             \
    case 4:                                                                \
        __asm__ __volatile__ (                                             \
            _PRE_EFLAGS("0","3","2")                                       \
            _op"l %1; "                                                    \
            _POST_EFLAGS("0","3","2")                                      \
            : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)              \
            : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) );        \
        break;                                                             \
    case 8:                                                                \
        __emulate_1op_8byte(_op, _dst, _eflags);                           \
        break;                                                             \
    }                                                                      \
} while (0)

/* Emulate an instruction with quadword operands (x86/64 only). */
#if defined(__x86_64__)
#define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)            \
do{ __asm__ __volatile__ (                                                 \
        _PRE_EFLAGS("0","4","2")                                           \
        _op"q %"_qx"3,%1; "                                                \
        _POST_EFLAGS("0","4","2")                                          \
        : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)                  \
        : _qy ((_src).val), "i" (EFLAGS_MASK),                             \
          "m" (_eflags), "m" ((_dst).val) );                               \
} while (0)
#define __emulate_1op_8byte(_op, _dst, _eflags)                            \
do{ __asm__ __volatile__ (                                                 \
        _PRE_EFLAGS("0","3","2")                                           \
        _op"q %1; "                                                        \
        _POST_EFLAGS("0","3","2")                                          \
        : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp)                  \
        : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) );            \
} while (0)
#elif defined(__i386__)
/* No quadword operands on i386: the case-8 paths are unreachable no-ops. */
#define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
#define __emulate_1op_8byte(_op, _dst, _eflags)
#endif /* __i386__ */
/*
 * Fetch next part of the instruction being emulated.
 * NB. These macros rely on locals of x86_emulate() being in scope:
 * _regs, rc, ops, ctxt, ad_bytes, def_ad_bytes, and the 'done' label.
 */
#define insn_fetch_bytes(_size)                                         \
({ unsigned long _x, _eip = _regs.eip;                                  \
   if ( !mode_64bit() ) _eip = (uint32_t)_eip; /* ignore upper dword */ \
   _regs.eip += (_size); /* real hardware doesn't truncate */           \
   /* Instructions longer than 15 bytes fault (#GP). */                 \
   generate_exception_if((uint8_t)(_regs.eip - ctxt->regs->eip) > 15,   \
                         EXC_GP);                                       \
   rc = ops->insn_fetch(x86_seg_cs, _eip, &_x, (_size), ctxt);          \
   if ( rc ) goto done;                                                 \
   _x;                                                                  \
})
#define insn_fetch_type(_type) ((_type)insn_fetch_bytes(sizeof(_type)))

/* Mask an effective address down to the given address width (in bytes). */
#define _truncate_ea(ea, byte_width)                    \
({ unsigned long __ea = (ea);                           \
   unsigned int _width = (byte_width);                  \
   ((_width == sizeof(unsigned long)) ? __ea :          \
    (__ea & ((1UL << (_width << 3)) - 1)));             \
})
#define truncate_ea(ea) _truncate_ea((ea), ad_bytes)

/* Default address size of 8 bytes implies a 64-bit code segment. */
#define mode_64bit() (def_ad_bytes == 8)

/* Abort emulation (via 'done') with X86EMUL_UNHANDLEABLE if 'p' holds. */
#define fail_if(p)                                      \
do {                                                    \
    rc = (p) ? X86EMUL_UNHANDLEABLE : 0;                \
    if ( rc ) goto done;                                \
} while (0)

/* In future we will be able to generate arbitrary exceptions. */
#define generate_exception_if(p, e) fail_if(p)
/* Given byte has even parity (even number of 1s)? */
static int even_parity(uint8_t v)
{
    /* XOR-fold the byte down to a single parity bit (1 iff odd # of 1s). */
    v ^= v >> 4;
    v ^= v >> 2;
    v ^= v >> 1;
    return !(v & 1);
}
/*
 * Update address held in a register, based on addressing mode.
 * In 64-bit mode the result is zero-extended to the register width; in
 * legacy modes the bits above the address width are preserved unchanged.
 */
#define _register_address_increment(reg, inc, byte_width)               \
do {                                                                    \
    int _inc = (inc); /* signed type ensures sign extension to long */  \
    unsigned int _width = (byte_width);                                 \
    if ( _width == sizeof(unsigned long) )                              \
        (reg) += _inc;                                                  \
    else if ( mode_64bit() )                                            \
        (reg) = ((reg) + _inc) & ((1UL << (_width << 3)) - 1);          \
    else                                                                \
        (reg) = ((reg) & ~((1UL << (_width << 3)) - 1)) |               \
                (((reg) + _inc) & ((1UL << (_width << 3)) - 1));        \
} while (0)
#define register_address_increment(reg, inc) \
    _register_address_increment((reg), (inc), ad_bytes)

/* PUSH-style: decrement ESP by 'dec', then yield the new (truncated) ESP. */
#define sp_pre_dec(dec) ({                                              \
    _register_address_increment(_regs.esp, -(dec), ctxt->sp_size/8);    \
    _truncate_ea(_regs.esp, ctxt->sp_size/8);                           \
})
/* POP-style: yield the current (truncated) ESP, then increment by 'inc'. */
#define sp_post_inc(inc) ({                                             \
    unsigned long __esp = _truncate_ea(_regs.esp, ctxt->sp_size/8);     \
    _register_address_increment(_regs.esp, (inc), ctxt->sp_size/8);     \
    __esp;                                                              \
})

/* Relative jump: add sign-extended displacement, truncating to op_bytes
 * outside 64-bit mode. */
#define jmp_rel(rel)                                                    \
do {                                                                    \
    _regs.eip += (int)(rel);                                            \
    if ( !mode_64bit() )                                                \
        _regs.eip = ((op_bytes == 2)                                    \
                     ? (uint16_t)_regs.eip : (uint32_t)_regs.eip);      \
} while (0)
/*
 * Unsigned multiplication with double-word result.
 * IN:  Multiplicand=m[0], Multiplier=m[1]
 * OUT: Return CF/OF (overflow status); Result=m[1]:m[0]
 */
static int mul_dbl(unsigned long m[2])
{
    int rc;
    /* MUL yields low word in rAX (m[0]), high word in rDX (m[1]);
     * SETO captures the CF/OF overflow indication into rc. */
    asm ( "mul %4; seto %b2"
          : "=a" (m[0]), "=d" (m[1]), "=q" (rc)
          : "0" (m[0]), "1" (m[1]), "2" (0) );
    return rc;
}
/*
 * Signed multiplication with double-word result.
 * IN:  Multiplicand=m[0], Multiplier=m[1]
 * OUT: Return CF/OF (overflow status); Result=m[1]:m[0]
 */
static int imul_dbl(unsigned long m[2])
{
    int rc;
    /* One-operand IMUL: rDX:rAX = rAX * m[1]; SETO captures CF/OF. */
    asm ( "imul %4; seto %b2"
          : "=a" (m[0]), "=d" (m[1]), "=q" (rc)
          : "0" (m[0]), "1" (m[1]), "2" (0) );
    return rc;
}
535 /*
536 * Unsigned division of double-word dividend.
537 * IN: Dividend=u[1]:u[0], Divisor=v
538 * OUT: Return 1: #DE
539 * Return 0: Quotient=u[0], Remainder=u[1]
540 */
541 static int div_dbl(unsigned long u[2], unsigned long v)
542 {
543 if ( (v == 0) || (u[1] > v) || ((u[1] == v) && (u[0] != 0)) )
544 return 1;
545 asm ( "div %4"
546 : "=a" (u[0]), "=d" (u[1])
547 : "0" (u[0]), "1" (u[1]), "r" (v) );
548 return 0;
549 }
/*
 * Signed division of double-word dividend.
 * IN:  Dividend=u[1]:u[0], Divisor=v
 * OUT: Return 1: #DE
 *      Return 0: Quotient=u[0], Remainder=u[1]
 * NB. We don't use idiv directly as it's moderately hard to work out
 *     ahead of time whether it will #DE, which we cannot allow to happen.
 */
static int idiv_dbl(unsigned long u[2], unsigned long v)
{
    int negu = (long)u[1] < 0, negv = (long)v < 0;

    /* u = abs(u): two's-complement negate the 128/64-bit value in u[1]:u[0]. */
    if ( negu )
    {
        u[1] = ~u[1];
        /* Negating the low word; carry into the high word iff it wraps to 0. */
        if ( (u[0] = -u[0]) == 0 )
            u[1]++;
    }

    /* abs(u) / abs(v) */
    if ( div_dbl(u, negv ? -v : v) )
        return 1;

    /* Remainder has same sign as dividend. It cannot overflow. */
    if ( negu )
        u[1] = -u[1];

    /* Quotient is overflowed if sign bit is set. */
    if ( negu ^ negv )
    {
        if ( (long)u[0] >= 0 )
            u[0] = -u[0];
        else if ( (u[0] << 1) != 0 ) /* == 0x80...0 is okay */
            return 1;
    }
    else if ( (long)u[0] < 0 )
        return 1;

    return 0;
}
593 static int
594 test_cc(
595 unsigned int condition, unsigned int flags)
596 {
597 int rc = 0;
599 switch ( (condition & 15) >> 1 )
600 {
601 case 0: /* o */
602 rc |= (flags & EFLG_OF);
603 break;
604 case 1: /* b/c/nae */
605 rc |= (flags & EFLG_CF);
606 break;
607 case 2: /* z/e */
608 rc |= (flags & EFLG_ZF);
609 break;
610 case 3: /* be/na */
611 rc |= (flags & (EFLG_CF|EFLG_ZF));
612 break;
613 case 4: /* s */
614 rc |= (flags & EFLG_SF);
615 break;
616 case 5: /* p/pe */
617 rc |= (flags & EFLG_PF);
618 break;
619 case 7: /* le/ng */
620 rc |= (flags & EFLG_ZF);
621 /* fall through */
622 case 6: /* l/nge */
623 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
624 break;
625 }
627 /* Odd condition identifiers (lsb == 1) have inverted sense. */
628 return (!!rc ^ (condition & 1));
629 }
631 void *
632 decode_register(
633 uint8_t modrm_reg, struct cpu_user_regs *regs, int highbyte_regs)
634 {
635 void *p;
637 switch ( modrm_reg )
638 {
639 case 0: p = &regs->eax; break;
640 case 1: p = &regs->ecx; break;
641 case 2: p = &regs->edx; break;
642 case 3: p = &regs->ebx; break;
643 case 4: p = (highbyte_regs ?
644 ((unsigned char *)&regs->eax + 1) :
645 (unsigned char *)&regs->esp); break;
646 case 5: p = (highbyte_regs ?
647 ((unsigned char *)&regs->ecx + 1) :
648 (unsigned char *)&regs->ebp); break;
649 case 6: p = (highbyte_regs ?
650 ((unsigned char *)&regs->edx + 1) :
651 (unsigned char *)&regs->esi); break;
652 case 7: p = (highbyte_regs ?
653 ((unsigned char *)&regs->ebx + 1) :
654 (unsigned char *)&regs->edi); break;
655 #if defined(__x86_64__)
656 case 8: p = &regs->r8; break;
657 case 9: p = &regs->r9; break;
658 case 10: p = &regs->r10; break;
659 case 11: p = &regs->r11; break;
660 case 12: p = &regs->r12; break;
661 case 13: p = &regs->r13; break;
662 case 14: p = &regs->r14; break;
663 case 15: p = &regs->r15; break;
664 #endif
665 default: p = NULL; break;
666 }
668 return p;
669 }
671 int
672 x86_emulate(
673 struct x86_emulate_ctxt *ctxt,
674 struct x86_emulate_ops *ops)
675 {
676 /* Shadow copy of register state. Committed on successful emulation. */
677 struct cpu_user_regs _regs = *ctxt->regs;
679 uint8_t b, d, sib, sib_index, sib_base, twobyte = 0, rex_prefix = 0;
680 uint8_t modrm, modrm_mod = 0, modrm_reg = 0, modrm_rm = 0;
681 unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
682 unsigned int lock_prefix = 0, rep_prefix = 0;
683 int rc = 0;
684 struct operand src, dst;
686 /* Data operand effective address (usually computed from ModRM). */
687 struct operand ea;
689 /* Default is a memory operand relative to segment DS. */
690 ea.type = OP_MEM;
691 ea.mem.seg = x86_seg_ds;
692 ea.mem.off = 0;
694 op_bytes = def_op_bytes = ad_bytes = def_ad_bytes = ctxt->addr_size/8;
695 if ( op_bytes == 8 )
696 {
697 op_bytes = def_op_bytes = 4;
698 #ifndef __x86_64__
699 return -1;
700 #endif
701 }
703 /* Prefix bytes. */
704 for ( ; ; )
705 {
706 switch ( b = insn_fetch_type(uint8_t) )
707 {
708 case 0x66: /* operand-size override */
709 op_bytes = def_op_bytes ^ 6;
710 break;
711 case 0x67: /* address-size override */
712 ad_bytes = def_ad_bytes ^ (mode_64bit() ? 12 : 6);
713 break;
714 case 0x2e: /* CS override */
715 ea.mem.seg = x86_seg_cs;
716 break;
717 case 0x3e: /* DS override */
718 ea.mem.seg = x86_seg_ds;
719 break;
720 case 0x26: /* ES override */
721 ea.mem.seg = x86_seg_es;
722 break;
723 case 0x64: /* FS override */
724 ea.mem.seg = x86_seg_fs;
725 break;
726 case 0x65: /* GS override */
727 ea.mem.seg = x86_seg_gs;
728 break;
729 case 0x36: /* SS override */
730 ea.mem.seg = x86_seg_ss;
731 break;
732 case 0xf0: /* LOCK */
733 lock_prefix = 1;
734 break;
735 case 0xf2: /* REPNE/REPNZ */
736 case 0xf3: /* REP/REPE/REPZ */
737 rep_prefix = 1;
738 break;
739 case 0x40 ... 0x4f: /* REX */
740 if ( !mode_64bit() )
741 goto done_prefixes;
742 rex_prefix = b;
743 continue;
744 default:
745 goto done_prefixes;
746 }
748 /* Any legacy prefix after a REX prefix nullifies its effect. */
749 rex_prefix = 0;
750 }
751 done_prefixes:
753 if ( rex_prefix & 8 ) /* REX.W */
754 op_bytes = 8;
756 /* Opcode byte(s). */
757 d = opcode_table[b];
758 if ( d == 0 )
759 {
760 /* Two-byte opcode? */
761 if ( b == 0x0f )
762 {
763 twobyte = 1;
764 b = insn_fetch_type(uint8_t);
765 d = twobyte_table[b];
766 }
768 /* Unrecognised? */
769 if ( d == 0 )
770 goto cannot_emulate;
771 }
773 /* Lock prefix is allowed only on RMW instructions. */
774 generate_exception_if((d & Mov) && lock_prefix, EXC_GP);
776 /* ModRM and SIB bytes. */
777 if ( d & ModRM )
778 {
779 modrm = insn_fetch_type(uint8_t);
780 modrm_mod = (modrm & 0xc0) >> 6;
781 modrm_reg = ((rex_prefix & 4) << 1) | ((modrm & 0x38) >> 3);
782 modrm_rm = modrm & 0x07;
784 if ( modrm_mod == 3 )
785 {
786 modrm_rm |= (rex_prefix & 1) << 3;
787 ea.type = OP_REG;
788 ea.reg = decode_register(
789 modrm_rm, &_regs, (d & ByteOp) && (rex_prefix == 0));
790 }
791 else if ( ad_bytes == 2 )
792 {
793 /* 16-bit ModR/M decode. */
794 switch ( modrm_rm )
795 {
796 case 0: ea.mem.off = _regs.ebx + _regs.esi; break;
797 case 1: ea.mem.off = _regs.ebx + _regs.edi; break;
798 case 2: ea.mem.off = _regs.ebp + _regs.esi; break;
799 case 3: ea.mem.off = _regs.ebp + _regs.edi; break;
800 case 4: ea.mem.off = _regs.esi; break;
801 case 5: ea.mem.off = _regs.edi; break;
802 case 6: ea.mem.off = _regs.ebp; break;
803 case 7: ea.mem.off = _regs.ebx; break;
804 }
805 switch ( modrm_mod )
806 {
807 case 0:
808 if ( modrm_rm == 6 )
809 ea.mem.off = insn_fetch_type(int16_t);
810 break;
811 case 1:
812 ea.mem.off += insn_fetch_type(int8_t);
813 break;
814 case 2:
815 ea.mem.off += insn_fetch_type(int16_t);
816 break;
817 }
818 ea.mem.off = truncate_ea(ea.mem.off);
819 }
820 else
821 {
822 /* 32/64-bit ModR/M decode. */
823 if ( modrm_rm == 4 )
824 {
825 sib = insn_fetch_type(uint8_t);
826 sib_index = ((sib >> 3) & 7) | ((rex_prefix << 2) & 8);
827 sib_base = (sib & 7) | ((rex_prefix << 3) & 8);
828 if ( sib_index != 4 )
829 ea.mem.off = *(long*)decode_register(sib_index, &_regs, 0);
830 ea.mem.off <<= (sib >> 6) & 3;
831 if ( (modrm_mod == 0) && ((sib_base & 7) == 5) )
832 ea.mem.off += insn_fetch_type(int32_t);
833 else if ( (sib_base == 4) && !twobyte && (b == 0x8f) )
834 /* POP <rm> must have its EA calculated post increment. */
835 ea.mem.off += _regs.esp +
836 ((mode_64bit() && (op_bytes == 4)) ? 8 : op_bytes);
837 else
838 ea.mem.off += *(long*)decode_register(sib_base, &_regs, 0);
839 }
840 else
841 {
842 modrm_rm |= (rex_prefix & 1) << 3;
843 ea.mem.off = *(long *)decode_register(modrm_rm, &_regs, 0);
844 }
845 switch ( modrm_mod )
846 {
847 case 0:
848 if ( (modrm_rm & 7) != 5 )
849 break;
850 ea.mem.off = insn_fetch_type(int32_t);
851 if ( !mode_64bit() )
852 break;
853 /* Relative to RIP of next instruction. Argh! */
854 ea.mem.off += _regs.eip;
855 if ( (d & SrcMask) == SrcImm )
856 ea.mem.off += (d & ByteOp) ? 1 :
857 ((op_bytes == 8) ? 4 : op_bytes);
858 else if ( (d & SrcMask) == SrcImmByte )
859 ea.mem.off += 1;
860 else if ( ((b == 0xf6) || (b == 0xf7)) &&
861 ((modrm_reg & 7) <= 1) )
862 /* Special case in Grp3: test has immediate operand. */
863 ea.mem.off += (d & ByteOp) ? 1
864 : ((op_bytes == 8) ? 4 : op_bytes);
865 break;
866 case 1:
867 ea.mem.off += insn_fetch_type(int8_t);
868 break;
869 case 2:
870 ea.mem.off += insn_fetch_type(int32_t);
871 break;
872 }
873 ea.mem.off = truncate_ea(ea.mem.off);
874 }
875 }
877 /* Special instructions do their own operand decoding. */
878 if ( (d & DstMask) == ImplicitOps )
879 goto special_insn;
881 /* Decode and fetch the source operand: register, memory or immediate. */
882 switch ( d & SrcMask )
883 {
884 case SrcNone:
885 break;
886 case SrcReg:
887 src.type = OP_REG;
888 if ( d & ByteOp )
889 {
890 src.reg = decode_register(modrm_reg, &_regs, (rex_prefix == 0));
891 src.val = *(uint8_t *)src.reg;
892 src.bytes = 1;
893 }
894 else
895 {
896 src.reg = decode_register(modrm_reg, &_regs, 0);
897 switch ( (src.bytes = op_bytes) )
898 {
899 case 2: src.val = *(uint16_t *)src.reg; break;
900 case 4: src.val = *(uint32_t *)src.reg; break;
901 case 8: src.val = *(uint64_t *)src.reg; break;
902 }
903 }
904 break;
905 case SrcMem16:
906 ea.bytes = 2;
907 goto srcmem_common;
908 case SrcMem:
909 ea.bytes = (d & ByteOp) ? 1 : op_bytes;
910 srcmem_common:
911 src = ea;
912 if ( src.type == OP_REG )
913 {
914 switch ( src.bytes )
915 {
916 case 1: src.val = *(uint8_t *)src.reg; break;
917 case 2: src.val = *(uint16_t *)src.reg; break;
918 case 4: src.val = *(uint32_t *)src.reg; break;
919 case 8: src.val = *(uint64_t *)src.reg; break;
920 }
921 }
922 else if ( (rc = ops->read(src.mem.seg, src.mem.off,
923 &src.val, src.bytes, ctxt)) )
924 goto done;
925 break;
926 case SrcImm:
927 src.type = OP_IMM;
928 src.bytes = (d & ByteOp) ? 1 : op_bytes;
929 if ( src.bytes == 8 ) src.bytes = 4;
930 /* NB. Immediates are sign-extended as necessary. */
931 switch ( src.bytes )
932 {
933 case 1: src.val = insn_fetch_type(int8_t); break;
934 case 2: src.val = insn_fetch_type(int16_t); break;
935 case 4: src.val = insn_fetch_type(int32_t); break;
936 }
937 break;
938 case SrcImmByte:
939 src.type = OP_IMM;
940 src.bytes = 1;
941 src.val = insn_fetch_type(int8_t);
942 break;
943 }
945 /* Decode and fetch the destination operand: register or memory. */
946 switch ( d & DstMask )
947 {
948 case DstReg:
949 dst.type = OP_REG;
950 if ( d & ByteOp )
951 {
952 dst.reg = decode_register(modrm_reg, &_regs, (rex_prefix == 0));
953 dst.val = *(uint8_t *)dst.reg;
954 dst.bytes = 1;
955 }
956 else
957 {
958 dst.reg = decode_register(modrm_reg, &_regs, 0);
959 switch ( (dst.bytes = op_bytes) )
960 {
961 case 2: dst.val = *(uint16_t *)dst.reg; break;
962 case 4: dst.val = *(uint32_t *)dst.reg; break;
963 case 8: dst.val = *(uint64_t *)dst.reg; break;
964 }
965 }
966 break;
967 case DstBitBase:
968 if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
969 {
970 src.val &= (op_bytes << 3) - 1;
971 }
972 else
973 {
974 /*
975 * EA += BitOffset DIV op_bytes*8
976 * BitOffset = BitOffset MOD op_bytes*8
977 * DIV truncates towards negative infinity.
978 * MOD always produces a positive result.
979 */
980 if ( op_bytes == 2 )
981 src.val = (int16_t)src.val;
982 else if ( op_bytes == 4 )
983 src.val = (int32_t)src.val;
984 if ( (long)src.val < 0 )
985 {
986 unsigned long byte_offset;
987 byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
988 ea.mem.off -= byte_offset;
989 src.val = (byte_offset << 3) + src.val;
990 }
991 else
992 {
993 ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
994 src.val &= (op_bytes << 3) - 1;
995 }
996 }
997 /* Becomes a normal DstMem operation from here on. */
998 d = (d & ~DstMask) | DstMem;
999 case DstMem:
1000 ea.bytes = (d & ByteOp) ? 1 : op_bytes;
1001 dst = ea;
1002 if ( dst.type == OP_REG )
1004 switch ( dst.bytes )
1006 case 1: dst.val = *(uint8_t *)dst.reg; break;
1007 case 2: dst.val = *(uint16_t *)dst.reg; break;
1008 case 4: dst.val = *(uint32_t *)dst.reg; break;
1009 case 8: dst.val = *(uint64_t *)dst.reg; break;
1012 else if ( !(d & Mov) ) /* optimisation - avoid slow emulated read */
1014 if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1015 &dst.val, dst.bytes, ctxt)) )
1016 goto done;
1017 dst.orig_val = dst.val;
1019 break;
1022 /* LOCK prefix allowed only on instructions with memory destination. */
1023 generate_exception_if(lock_prefix && (dst.type != OP_MEM), EXC_GP);
1025 if ( twobyte )
1026 goto twobyte_insn;
1028 switch ( b )
1030 case 0x04 ... 0x05: /* add imm,%%eax */
1031 dst.reg = (unsigned long *)&_regs.eax;
1032 dst.val = _regs.eax;
1033 case 0x00 ... 0x03: add: /* add */
1034 emulate_2op_SrcV("add", src, dst, _regs.eflags);
1035 break;
1037 case 0x0c ... 0x0d: /* or imm,%%eax */
1038 dst.reg = (unsigned long *)&_regs.eax;
1039 dst.val = _regs.eax;
1040 case 0x08 ... 0x0b: or: /* or */
1041 emulate_2op_SrcV("or", src, dst, _regs.eflags);
1042 break;
1044 case 0x14 ... 0x15: /* adc imm,%%eax */
1045 dst.reg = (unsigned long *)&_regs.eax;
1046 dst.val = _regs.eax;
1047 case 0x10 ... 0x13: adc: /* adc */
1048 emulate_2op_SrcV("adc", src, dst, _regs.eflags);
1049 break;
1051 case 0x1c ... 0x1d: /* sbb imm,%%eax */
1052 dst.reg = (unsigned long *)&_regs.eax;
1053 dst.val = _regs.eax;
1054 case 0x18 ... 0x1b: sbb: /* sbb */
1055 emulate_2op_SrcV("sbb", src, dst, _regs.eflags);
1056 break;
1058 case 0x24 ... 0x25: /* and imm,%%eax */
1059 dst.reg = (unsigned long *)&_regs.eax;
1060 dst.val = _regs.eax;
1061 case 0x20 ... 0x23: and: /* and */
1062 emulate_2op_SrcV("and", src, dst, _regs.eflags);
1063 break;
1065 case 0x2c ... 0x2d: /* sub imm,%%eax */
1066 dst.reg = (unsigned long *)&_regs.eax;
1067 dst.val = _regs.eax;
1068 case 0x28 ... 0x2b: sub: /* sub */
1069 emulate_2op_SrcV("sub", src, dst, _regs.eflags);
1070 break;
1072 case 0x34 ... 0x35: /* xor imm,%%eax */
1073 dst.reg = (unsigned long *)&_regs.eax;
1074 dst.val = _regs.eax;
1075 case 0x30 ... 0x33: xor: /* xor */
1076 emulate_2op_SrcV("xor", src, dst, _regs.eflags);
1077 break;
1079 case 0x3c ... 0x3d: /* cmp imm,%%eax */
1080 dst.reg = (unsigned long *)&_regs.eax;
1081 dst.val = _regs.eax;
1082 case 0x38 ... 0x3b: cmp: /* cmp */
1083 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
1084 break;
1086 case 0x62: /* bound */ {
1087 unsigned long src_val2;
1088 int lb, ub, idx;
1089 generate_exception_if(mode_64bit() || (src.type != OP_MEM), EXC_UD);
1090 if ( (rc = ops->read(src.mem.seg, src.mem.off + op_bytes,
1091 &src_val2, op_bytes, ctxt)) )
1092 goto done;
1093 ub = (op_bytes == 2) ? (int16_t)src_val2 : (int32_t)src_val2;
1094 lb = (op_bytes == 2) ? (int16_t)src.val : (int32_t)src.val;
1095 idx = (op_bytes == 2) ? (int16_t)dst.val : (int32_t)dst.val;
1096 generate_exception_if((idx < lb) || (idx > ub), EXC_BR);
1097 dst.type = OP_NONE;
1098 break;
1101 case 0x63: /* movsxd (x86/64) / arpl (x86/32) */
1102 if ( mode_64bit() )
1104 /* movsxd */
1105 if ( src.type == OP_REG )
1106 src.val = *(int32_t *)src.reg;
1107 else if ( (rc = ops->read(src.mem.seg, src.mem.off,
1108 &src.val, 4, ctxt)) )
1109 goto done;
1110 dst.val = (int32_t)src.val;
1112 else
1114 /* arpl */
1115 uint16_t src_val = dst.val;
1116 dst = src;
1117 _regs.eflags &= ~EFLG_ZF;
1118 _regs.eflags |= ((src_val & 3) > (dst.val & 3)) ? EFLG_ZF : 0;
1119 if ( _regs.eflags & EFLG_ZF )
1120 dst.val = (dst.val & ~3) | (src_val & 3);
1121 else
1122 dst.type = OP_NONE;
1124 break;
1126 case 0x69: /* imul imm16/32 */
1127 case 0x6b: /* imul imm8 */ {
1128 unsigned long reg = *(long *)decode_register(modrm_reg, &_regs, 0);
1129 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1130 switch ( dst.bytes )
1132 case 2:
1133 dst.val = ((uint32_t)(int16_t)src.val *
1134 (uint32_t)(int16_t)reg);
1135 if ( (int16_t)dst.val != (uint32_t)dst.val )
1136 _regs.eflags |= EFLG_OF|EFLG_CF;
1137 break;
1138 #ifdef __x86_64__
1139 case 4:
1140 dst.val = ((uint64_t)(int32_t)src.val *
1141 (uint64_t)(int32_t)reg);
1142 if ( (int32_t)dst.val != dst.val )
1143 _regs.eflags |= EFLG_OF|EFLG_CF;
1144 break;
1145 #endif
1146 default: {
1147 unsigned long m[2] = { src.val, reg };
1148 if ( imul_dbl(m) )
1149 _regs.eflags |= EFLG_OF|EFLG_CF;
1150 dst.val = m[0];
1151 break;
1154 dst.type = OP_REG;
1155 dst.reg = decode_register(modrm_reg, &_regs, 0);
1156 break;
1159 case 0x82: /* Grp1 (x86/32 only) */
1160 generate_exception_if(mode_64bit(), EXC_UD);
1161 case 0x80: case 0x81: case 0x83: /* Grp1 */
1162 switch ( modrm_reg & 7 )
1164 case 0: goto add;
1165 case 1: goto or;
1166 case 2: goto adc;
1167 case 3: goto sbb;
1168 case 4: goto and;
1169 case 5: goto sub;
1170 case 6: goto xor;
1171 case 7: goto cmp;
1173 break;
1175 case 0xa8 ... 0xa9: /* test imm,%%eax */
1176 dst.reg = (unsigned long *)&_regs.eax;
1177 dst.val = _regs.eax;
1178 case 0x84 ... 0x85: test: /* test */
1179 emulate_2op_SrcV("test", src, dst, _regs.eflags);
1180 break;
1182 case 0x86 ... 0x87: xchg: /* xchg */
1183 /* Write back the register source. */
1184 switch ( dst.bytes )
1186 case 1: *(uint8_t *)src.reg = (uint8_t)dst.val; break;
1187 case 2: *(uint16_t *)src.reg = (uint16_t)dst.val; break;
1188 case 4: *src.reg = (uint32_t)dst.val; break; /* 64b reg: zero-extend */
1189 case 8: *src.reg = dst.val; break;
1191 /* Write back the memory destination with implicit LOCK prefix. */
1192 dst.val = src.val;
1193 lock_prefix = 1;
1194 break;
1196 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
1197 generate_exception_if((modrm_reg & 7) != 0, EXC_UD);
1198 case 0x88 ... 0x8b: /* mov */
1199 dst.val = src.val;
1200 break;
1202 case 0x8d: /* lea */
1203 dst.val = ea.mem.off;
1204 break;
1206 case 0x8f: /* pop (sole member of Grp1a) */
1207 generate_exception_if((modrm_reg & 7) != 0, EXC_UD);
1208 /* 64-bit mode: POP defaults to a 64-bit operand. */
1209 if ( mode_64bit() && (dst.bytes == 4) )
1210 dst.bytes = 8;
1211 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(dst.bytes),
1212 &dst.val, dst.bytes, ctxt)) != 0 )
1213 goto done;
1214 break;
1216 case 0xb0 ... 0xb7: /* mov imm8,r8 */
1217 dst.reg = decode_register(
1218 (b & 7) | ((rex_prefix & 1) << 3), &_regs, (rex_prefix == 0));
1219 dst.val = src.val;
1220 break;
1222 case 0xb8 ... 0xbf: /* mov imm{16,32,64},r{16,32,64} */
1223 if ( dst.bytes == 8 ) /* Fetch more bytes to obtain imm64 */
1224 src.val = ((uint32_t)src.val |
1225 ((uint64_t)insn_fetch_type(uint32_t) << 32));
1226 dst.reg = decode_register(
1227 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1228 dst.val = src.val;
1229 break;
1231 case 0xc0 ... 0xc1: grp2: /* Grp2 */
1232 switch ( modrm_reg & 7 )
1234 case 0: /* rol */
1235 emulate_2op_SrcB("rol", src, dst, _regs.eflags);
1236 break;
1237 case 1: /* ror */
1238 emulate_2op_SrcB("ror", src, dst, _regs.eflags);
1239 break;
1240 case 2: /* rcl */
1241 emulate_2op_SrcB("rcl", src, dst, _regs.eflags);
1242 break;
1243 case 3: /* rcr */
1244 emulate_2op_SrcB("rcr", src, dst, _regs.eflags);
1245 break;
1246 case 4: /* sal/shl */
1247 case 6: /* sal/shl */
1248 emulate_2op_SrcB("sal", src, dst, _regs.eflags);
1249 break;
1250 case 5: /* shr */
1251 emulate_2op_SrcB("shr", src, dst, _regs.eflags);
1252 break;
1253 case 7: /* sar */
1254 emulate_2op_SrcB("sar", src, dst, _regs.eflags);
1255 break;
1257 break;
1259 case 0xd0 ... 0xd1: /* Grp2 */
1260 src.val = 1;
1261 goto grp2;
1263 case 0xd2 ... 0xd3: /* Grp2 */
1264 src.val = _regs.ecx;
1265 goto grp2;
1267 case 0xf6 ... 0xf7: /* Grp3 */
1268 switch ( modrm_reg & 7 )
1270 case 0 ... 1: /* test */
1271 /* Special case in Grp3: test has an immediate source operand. */
1272 src.type = OP_IMM;
1273 src.bytes = (d & ByteOp) ? 1 : op_bytes;
1274 if ( src.bytes == 8 ) src.bytes = 4;
1275 switch ( src.bytes )
1277 case 1: src.val = insn_fetch_type(int8_t); break;
1278 case 2: src.val = insn_fetch_type(int16_t); break;
1279 case 4: src.val = insn_fetch_type(int32_t); break;
1281 goto test;
1282 case 2: /* not */
1283 dst.val = ~dst.val;
1284 break;
1285 case 3: /* neg */
1286 emulate_1op("neg", dst, _regs.eflags);
1287 break;
1288 case 4: /* mul */
1289 src = dst;
1290 dst.type = OP_REG;
1291 dst.reg = (unsigned long *)&_regs.eax;
1292 dst.val = *dst.reg;
1293 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1294 switch ( src.bytes )
1296 case 1:
1297 dst.val *= src.val;
1298 if ( (uint8_t)dst.val != (uint16_t)dst.val )
1299 _regs.eflags |= EFLG_OF|EFLG_CF;
1300 break;
1301 case 2:
1302 dst.val *= src.val;
1303 if ( (uint16_t)dst.val != (uint32_t)dst.val )
1304 _regs.eflags |= EFLG_OF|EFLG_CF;
1305 *(uint16_t *)&_regs.edx = dst.val >> 16;
1306 break;
1307 #ifdef __x86_64__
1308 case 4:
1309 dst.val *= src.val;
1310 if ( (uint32_t)dst.val != dst.val )
1311 _regs.eflags |= EFLG_OF|EFLG_CF;
1312 _regs.edx = (uint32_t)(dst.val >> 32);
1313 break;
1314 #endif
1315 default: {
1316 unsigned long m[2] = { src.val, dst.val };
1317 if ( mul_dbl(m) )
1318 _regs.eflags |= EFLG_OF|EFLG_CF;
1319 _regs.edx = m[1];
1320 dst.val = m[0];
1321 break;
1324 break;
1325 case 5: /* imul */
1326 src = dst;
1327 dst.type = OP_REG;
1328 dst.reg = (unsigned long *)&_regs.eax;
1329 dst.val = *dst.reg;
1330 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1331 switch ( src.bytes )
1333 case 1:
1334 dst.val = ((uint16_t)(int8_t)src.val *
1335 (uint16_t)(int8_t)dst.val);
1336 if ( (int8_t)dst.val != (uint16_t)dst.val )
1337 _regs.eflags |= EFLG_OF|EFLG_CF;
1338 break;
1339 case 2:
1340 dst.val = ((uint32_t)(int16_t)src.val *
1341 (uint32_t)(int16_t)dst.val);
1342 if ( (int16_t)dst.val != (uint32_t)dst.val )
1343 _regs.eflags |= EFLG_OF|EFLG_CF;
1344 *(uint16_t *)&_regs.edx = dst.val >> 16;
1345 break;
1346 #ifdef __x86_64__
1347 case 4:
1348 dst.val = ((uint64_t)(int32_t)src.val *
1349 (uint64_t)(int32_t)dst.val);
1350 if ( (int32_t)dst.val != dst.val )
1351 _regs.eflags |= EFLG_OF|EFLG_CF;
1352 _regs.edx = (uint32_t)(dst.val >> 32);
1353 break;
1354 #endif
1355 default: {
1356 unsigned long m[2] = { src.val, dst.val };
1357 if ( imul_dbl(m) )
1358 _regs.eflags |= EFLG_OF|EFLG_CF;
1359 _regs.edx = m[1];
1360 dst.val = m[0];
1361 break;
1364 break;
1365 case 6: /* div */ {
1366 unsigned long u[2], v;
1367 src = dst;
1368 dst.type = OP_REG;
1369 dst.reg = (unsigned long *)&_regs.eax;
1370 switch ( src.bytes )
1372 case 1:
1373 u[0] = (uint16_t)_regs.eax;
1374 u[1] = 0;
1375 v = (uint8_t)src.val;
1376 generate_exception_if(
1377 div_dbl(u, v) || ((uint8_t)u[0] != (uint16_t)u[0]),
1378 EXC_DE);
1379 dst.val = (uint8_t)u[0];
1380 ((uint8_t *)&_regs.eax)[1] = u[1];
1381 break;
1382 case 2:
1383 u[0] = ((uint32_t)_regs.edx << 16) | (uint16_t)_regs.eax;
1384 u[1] = 0;
1385 v = (uint16_t)src.val;
1386 generate_exception_if(
1387 div_dbl(u, v) || ((uint16_t)u[0] != (uint32_t)u[0]),
1388 EXC_DE);
1389 dst.val = (uint16_t)u[0];
1390 *(uint16_t *)&_regs.edx = u[1];
1391 break;
1392 #ifdef __x86_64__
1393 case 4:
1394 u[0] = (_regs.edx << 32) | (uint32_t)_regs.eax;
1395 u[1] = 0;
1396 v = (uint32_t)src.val;
1397 generate_exception_if(
1398 div_dbl(u, v) || ((uint32_t)u[0] != u[0]),
1399 EXC_DE);
1400 dst.val = (uint32_t)u[0];
1401 _regs.edx = (uint32_t)u[1];
1402 break;
1403 #endif
1404 default:
1405 u[0] = _regs.eax;
1406 u[1] = _regs.edx;
1407 v = src.val;
1408 generate_exception_if(div_dbl(u, v), EXC_DE);
1409 dst.val = u[0];
1410 _regs.edx = u[1];
1411 break;
1413 break;
1415 case 7: /* idiv */ {
1416 unsigned long u[2], v;
1417 src = dst;
1418 dst.type = OP_REG;
1419 dst.reg = (unsigned long *)&_regs.eax;
1420 switch ( src.bytes )
1422 case 1:
1423 u[0] = (int16_t)_regs.eax;
1424 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1425 v = (int8_t)src.val;
1426 generate_exception_if(
1427 idiv_dbl(u, v) || ((int8_t)u[0] != (int16_t)u[0]),
1428 EXC_DE);
1429 dst.val = (int8_t)u[0];
1430 ((int8_t *)&_regs.eax)[1] = u[1];
1431 break;
1432 case 2:
1433 u[0] = (int32_t)((_regs.edx << 16) | (uint16_t)_regs.eax);
1434 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1435 v = (int16_t)src.val;
1436 generate_exception_if(
1437 idiv_dbl(u, v) || ((int16_t)u[0] != (int32_t)u[0]),
1438 EXC_DE);
1439 dst.val = (int16_t)u[0];
1440 *(int16_t *)&_regs.edx = u[1];
1441 break;
1442 #ifdef __x86_64__
1443 case 4:
1444 u[0] = (_regs.edx << 32) | (uint32_t)_regs.eax;
1445 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1446 v = (int32_t)src.val;
1447 generate_exception_if(
1448 idiv_dbl(u, v) || ((int32_t)u[0] != u[0]),
1449 EXC_DE);
1450 dst.val = (int32_t)u[0];
1451 _regs.edx = (uint32_t)u[1];
1452 break;
1453 #endif
1454 default:
1455 u[0] = _regs.eax;
1456 u[1] = _regs.edx;
1457 v = src.val;
1458 generate_exception_if(idiv_dbl(u, v), EXC_DE);
1459 dst.val = u[0];
1460 _regs.edx = u[1];
1461 break;
1463 break;
1465 default:
1466 goto cannot_emulate;
1468 break;
1470 case 0xfe: /* Grp4 */
1471 generate_exception_if((modrm_reg & 7) >= 2, EXC_UD);
1472 case 0xff: /* Grp5 */
1473 switch ( modrm_reg & 7 )
1475 case 0: /* inc */
1476 emulate_1op("inc", dst, _regs.eflags);
1477 break;
1478 case 1: /* dec */
1479 emulate_1op("dec", dst, _regs.eflags);
1480 break;
1481 case 2: /* call (near) */
1482 case 4: /* jmp (near) */
1483 if ( ((op_bytes = dst.bytes) != 8) && mode_64bit() )
1485 dst.bytes = op_bytes = 8;
1486 if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1487 &dst.val, 8, ctxt)) != 0 )
1488 goto done;
1490 src.val = _regs.eip;
1491 _regs.eip = dst.val;
1492 if ( (modrm_reg & 7) == 2 )
1493 goto push; /* call */
1494 break;
1495 case 6: /* push */
1496 /* 64-bit mode: PUSH defaults to a 64-bit operand. */
1497 if ( mode_64bit() && (dst.bytes == 4) )
1499 dst.bytes = 8;
1500 if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1501 &dst.val, 8, ctxt)) != 0 )
1502 goto done;
1504 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
1505 dst.val, dst.bytes, ctxt)) != 0 )
1506 goto done;
1507 dst.type = OP_NONE;
1508 break;
1509 case 7:
1510 generate_exception_if(1, EXC_UD);
1511 default:
1512 goto cannot_emulate;
1514 break;
1517 writeback:
1518 switch ( dst.type )
1520 case OP_REG:
1521 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1522 switch ( dst.bytes )
1524 case 1: *(uint8_t *)dst.reg = (uint8_t)dst.val; break;
1525 case 2: *(uint16_t *)dst.reg = (uint16_t)dst.val; break;
1526 case 4: *dst.reg = (uint32_t)dst.val; break; /* 64b: zero-ext */
1527 case 8: *dst.reg = dst.val; break;
1529 break;
1530 case OP_MEM:
1531 if ( !(d & Mov) && (dst.orig_val == dst.val) )
1532 /* nothing to do */;
1533 else if ( lock_prefix )
1534 rc = ops->cmpxchg(
1535 dst.mem.seg, dst.mem.off, dst.orig_val,
1536 dst.val, dst.bytes, ctxt);
1537 else
1538 rc = ops->write(
1539 dst.mem.seg, dst.mem.off, dst.val, dst.bytes, ctxt);
1540 if ( rc != 0 )
1541 goto done;
1542 default:
1543 break;
1546 /* Commit shadow register state. */
1547 *ctxt->regs = _regs;
1549 done:
1550 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1552 special_insn:
1553 dst.type = OP_NONE;
1555 /*
1556 * The only implicit-operands instruction allowed a LOCK prefix is
1557 * CMPXCHG{8,16}B.
1558 */
1559 generate_exception_if(lock_prefix && (b != 0xc7), EXC_GP);
1561 if ( twobyte )
1562 goto twobyte_special_insn;
1564 if ( rep_prefix )
1566 if ( _regs.ecx == 0 )
1568 ctxt->regs->eip = _regs.eip;
1569 goto done;
1571 _regs.ecx--;
1572 _regs.eip = ctxt->regs->eip;
1575 switch ( b )
1577 case 0x27: /* daa */ {
1578 uint8_t al = _regs.eax;
1579 unsigned long eflags = _regs.eflags;
1580 generate_exception_if(mode_64bit(), EXC_UD);
1581 _regs.eflags &= ~(EFLG_CF|EFLG_AF);
1582 if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
1584 *(uint8_t *)&_regs.eax += 6;
1585 _regs.eflags |= EFLG_AF;
1587 if ( (al > 0x99) || (eflags & EFLG_CF) )
1589 *(uint8_t *)&_regs.eax += 0x60;
1590 _regs.eflags |= EFLG_CF;
1592 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1593 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1594 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1595 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1596 break;
1599 case 0x2f: /* das */ {
1600 uint8_t al = _regs.eax;
1601 unsigned long eflags = _regs.eflags;
1602 generate_exception_if(mode_64bit(), EXC_UD);
1603 _regs.eflags &= ~(EFLG_CF|EFLG_AF);
1604 if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
1606 _regs.eflags |= EFLG_AF;
1607 if ( (al < 6) || (eflags & EFLG_CF) )
1608 _regs.eflags |= EFLG_CF;
1609 *(uint8_t *)&_regs.eax -= 6;
1611 if ( (al > 0x99) || (eflags & EFLG_CF) )
1613 *(uint8_t *)&_regs.eax -= 0x60;
1614 _regs.eflags |= EFLG_CF;
1616 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1617 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1618 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1619 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1620 break;
1623 case 0x37: /* aaa */
1624 case 0x3f: /* aas */
1625 generate_exception_if(mode_64bit(), EXC_UD);
1626 _regs.eflags &= ~EFLG_CF;
1627 if ( ((uint8_t)_regs.eax > 9) || (_regs.eflags & EFLG_AF) )
1629 ((uint8_t *)&_regs.eax)[0] += (b == 0x37) ? 6 : -6;
1630 ((uint8_t *)&_regs.eax)[1] += (b == 0x37) ? 1 : -1;
1631 _regs.eflags |= EFLG_CF | EFLG_AF;
1633 ((uint8_t *)&_regs.eax)[0] &= 0x0f;
1634 break;
1636 case 0x40 ... 0x4f: /* inc/dec reg */
1637 dst.type = OP_REG;
1638 dst.reg = decode_register(b & 7, &_regs, 0);
1639 dst.bytes = op_bytes;
1640 dst.val = *dst.reg;
1641 if ( b & 8 )
1642 emulate_1op("dec", dst, _regs.eflags);
1643 else
1644 emulate_1op("inc", dst, _regs.eflags);
1645 break;
1647 case 0x50 ... 0x57: /* push reg */
1648 src.val = *(unsigned long *)decode_register(
1649 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1650 goto push;
1652 case 0x58 ... 0x5f: /* pop reg */
1653 dst.type = OP_REG;
1654 dst.reg = decode_register(
1655 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1656 dst.bytes = op_bytes;
1657 if ( mode_64bit() && (dst.bytes == 4) )
1658 dst.bytes = 8;
1659 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(dst.bytes),
1660 &dst.val, dst.bytes, ctxt)) != 0 )
1661 goto done;
1662 break;
1664 case 0x60: /* pusha */ {
1665 int i;
1666 unsigned long regs[] = {
1667 _regs.eax, _regs.ecx, _regs.edx, _regs.ebx,
1668 _regs.esp, _regs.ebp, _regs.esi, _regs.edi };
1669 generate_exception_if(mode_64bit(), EXC_UD);
1670 for ( i = 0; i < 8; i++ )
1671 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
1672 regs[i], op_bytes, ctxt)) != 0 )
1673 goto done;
1674 break;
1677 case 0x61: /* popa */ {
1678 int i;
1679 unsigned long dummy_esp, *regs[] = {
1680 (unsigned long *)&_regs.edi, (unsigned long *)&_regs.esi,
1681 (unsigned long *)&_regs.ebp, (unsigned long *)&dummy_esp,
1682 (unsigned long *)&_regs.ebx, (unsigned long *)&_regs.edx,
1683 (unsigned long *)&_regs.ecx, (unsigned long *)&_regs.eax };
1684 generate_exception_if(mode_64bit(), EXC_UD);
1685 for ( i = 0; i < 8; i++ )
1686 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
1687 regs[i], op_bytes, ctxt)) != 0 )
1688 goto done;
1689 break;
1692 case 0x68: /* push imm{16,32,64} */
1693 src.val = ((op_bytes == 2)
1694 ? (int32_t)insn_fetch_type(int16_t)
1695 : insn_fetch_type(int32_t));
1696 goto push;
1698 case 0x6a: /* push imm8 */
1699 src.val = insn_fetch_type(int8_t);
1700 push:
1701 d |= Mov; /* force writeback */
1702 dst.type = OP_MEM;
1703 dst.bytes = op_bytes;
1704 if ( mode_64bit() && (dst.bytes == 4) )
1705 dst.bytes = 8;
1706 dst.val = src.val;
1707 dst.mem.seg = x86_seg_ss;
1708 dst.mem.off = sp_pre_dec(dst.bytes);
1709 break;
1711 case 0x70 ... 0x7f: /* jcc (short) */ {
1712 int rel = insn_fetch_type(int8_t);
1713 if ( test_cc(b, _regs.eflags) )
1714 jmp_rel(rel);
1715 break;
1718 case 0x90: /* nop / xchg %%r8,%%rax */
1719 if ( !(rex_prefix & 1) )
1720 break; /* nop */
1722 case 0x91 ... 0x97: /* xchg reg,%%rax */
1723 src.type = dst.type = OP_REG;
1724 src.bytes = dst.bytes = op_bytes;
1725 src.reg = (unsigned long *)&_regs.eax;
1726 src.val = *src.reg;
1727 dst.reg = decode_register(
1728 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1729 dst.val = *dst.reg;
1730 goto xchg;
1732 case 0x98: /* cbw/cwde/cdqe */
1733 switch ( op_bytes )
1735 case 2: *(int16_t *)&_regs.eax = (int8_t)_regs.eax; break; /* cbw */
1736 case 4: _regs.eax = (uint32_t)(int16_t)_regs.eax; break; /* cwde */
1737 case 8: _regs.eax = (int32_t)_regs.eax; break; /* cdqe */
1739 break;
1741 case 0x99: /* cwd/cdq/cqo */
1742 switch ( op_bytes )
1744 case 2:
1745 *(int16_t *)&_regs.edx = ((int16_t)_regs.eax < 0) ? -1 : 0;
1746 break;
1747 case 4:
1748 _regs.edx = (uint32_t)(((int32_t)_regs.eax < 0) ? -1 : 0);
1749 break;
1750 case 8:
1751 _regs.edx = (_regs.eax < 0) ? -1 : 0;
1752 break;
1754 break;
1756 case 0x9e: /* sahf */
1757 *(uint8_t *)_regs.eflags = (((uint8_t *)&_regs.eax)[1] & 0xd7) | 0x02;
1758 break;
1760 case 0x9f: /* lahf */
1761 ((uint8_t *)&_regs.eax)[1] = (_regs.eflags & 0xd7) | 0x02;
1762 break;
1764 case 0xa0 ... 0xa1: /* mov mem.offs,{%al,%ax,%eax,%rax} */
1765 /* Source EA is not encoded via ModRM. */
1766 dst.type = OP_REG;
1767 dst.reg = (unsigned long *)&_regs.eax;
1768 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1769 if ( (rc = ops->read(ea.mem.seg, insn_fetch_bytes(ad_bytes),
1770 &dst.val, dst.bytes, ctxt)) != 0 )
1771 goto done;
1772 break;
1774 case 0xa2 ... 0xa3: /* mov {%al,%ax,%eax,%rax},mem.offs */
1775 /* Destination EA is not encoded via ModRM. */
1776 dst.type = OP_MEM;
1777 dst.mem.seg = ea.mem.seg;
1778 dst.mem.off = insn_fetch_bytes(ad_bytes);
1779 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1780 dst.val = (unsigned long)_regs.eax;
1781 break;
1783 case 0xa4 ... 0xa5: /* movs */
1784 dst.type = OP_MEM;
1785 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1786 dst.mem.seg = x86_seg_es;
1787 dst.mem.off = truncate_ea(_regs.edi);
1788 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
1789 &dst.val, dst.bytes, ctxt)) != 0 )
1790 goto done;
1791 register_address_increment(
1792 _regs.esi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1793 register_address_increment(
1794 _regs.edi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1795 break;
1797 case 0xaa ... 0xab: /* stos */
1798 dst.type = OP_MEM;
1799 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1800 dst.mem.seg = x86_seg_es;
1801 dst.mem.off = truncate_ea(_regs.edi);
1802 dst.val = _regs.eax;
1803 register_address_increment(
1804 _regs.edi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1805 break;
1807 case 0xac ... 0xad: /* lods */
1808 dst.type = OP_REG;
1809 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1810 dst.reg = (unsigned long *)&_regs.eax;
1811 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
1812 &dst.val, dst.bytes, ctxt)) != 0 )
1813 goto done;
1814 register_address_increment(
1815 _regs.esi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
1816 break;
1818 case 0xc2: /* ret imm16 (near) */
1819 case 0xc3: /* ret (near) */ {
1820 int offset = (b == 0xc2) ? insn_fetch_type(uint16_t) : 0;
1821 op_bytes = mode_64bit() ? 8 : op_bytes;
1822 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes + offset),
1823 &dst.val, op_bytes, ctxt)) != 0 )
1824 goto done;
1825 _regs.eip = dst.val;
1826 break;
1829 case 0xd4: /* aam */ {
1830 unsigned int base = insn_fetch_type(uint8_t);
1831 uint8_t al = _regs.eax;
1832 generate_exception_if(mode_64bit(), EXC_UD);
1833 generate_exception_if(base == 0, EXC_DE);
1834 *(uint16_t *)&_regs.eax = ((al / base) << 8) | (al % base);
1835 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1836 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1837 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1838 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1839 break;
1842 case 0xd5: /* aad */ {
1843 unsigned int base = insn_fetch_type(uint8_t);
1844 uint16_t ax = _regs.eax;
1845 generate_exception_if(mode_64bit(), EXC_UD);
1846 *(uint16_t *)&_regs.eax = (uint8_t)(ax + ((ax >> 8) * base));
1847 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1848 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1849 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1850 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1851 break;
1854 case 0xd6: /* salc */
1855 generate_exception_if(mode_64bit(), EXC_UD);
1856 *(uint8_t *)&_regs.eax = (_regs.eflags & EFLG_CF) ? 0xff : 0x00;
1857 break;
1859 case 0xd7: /* xlat */ {
1860 unsigned long al = (uint8_t)_regs.eax;
1861 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.ebx + al),
1862 &al, 1, ctxt)) != 0 )
1863 goto done;
1864 *(uint8_t *)&_regs.eax = al;
1865 break;
1868 case 0xe0 ... 0xe2: /* loop{,z,nz} */ {
1869 int rel = insn_fetch_type(int8_t);
1870 int do_jmp = !(_regs.eflags & EFLG_ZF); /* loopnz */
1871 if ( b == 0xe1 )
1872 do_jmp = !do_jmp; /* loopz */
1873 else if ( b == 0xe2 )
1874 do_jmp = 1; /* loop */
1875 switch ( ad_bytes )
1877 case 2:
1878 do_jmp &= --(*(uint16_t *)&_regs.ecx) != 0;
1879 break;
1880 case 4:
1881 do_jmp &= --(*(uint32_t *)&_regs.ecx) != 0;
1882 _regs.ecx = (uint32_t)_regs.ecx; /* zero extend in x86/64 mode */
1883 break;
1884 default: /* case 8: */
1885 do_jmp &= --_regs.ecx != 0;
1886 break;
1888 if ( do_jmp )
1889 jmp_rel(rel);
1890 break;
1893 case 0xe3: /* jcxz/jecxz (short) */ {
1894 int rel = insn_fetch_type(int8_t);
1895 if ( (ad_bytes == 2) ? !(uint16_t)_regs.ecx :
1896 (ad_bytes == 4) ? !(uint32_t)_regs.ecx : !_regs.ecx )
1897 jmp_rel(rel);
1898 break;
1901 case 0xe8: /* call (near) */ {
1902 int rel = (((op_bytes == 2) && !mode_64bit())
1903 ? (int32_t)insn_fetch_type(int16_t)
1904 : insn_fetch_type(int32_t));
1905 op_bytes = mode_64bit() ? 8 : op_bytes;
1906 src.val = _regs.eip;
1907 jmp_rel(rel);
1908 goto push;
1911 case 0xe9: /* jmp (near) */ {
1912 int rel = (((op_bytes == 2) && !mode_64bit())
1913 ? (int32_t)insn_fetch_type(int16_t)
1914 : insn_fetch_type(int32_t));
1915 jmp_rel(rel);
1916 break;
1919 case 0xeb: /* jmp (short) */
1920 jmp_rel(insn_fetch_type(int8_t));
1921 break;
1923 case 0xf5: /* cmc */
1924 _regs.eflags ^= EFLG_CF;
1925 break;
1927 case 0xf8: /* clc */
1928 _regs.eflags &= ~EFLG_CF;
1929 break;
1931 case 0xf9: /* stc */
1932 _regs.eflags |= EFLG_CF;
1933 break;
1935 case 0xfc: /* cld */
1936 _regs.eflags &= ~EFLG_DF;
1937 break;
1939 case 0xfd: /* std */
1940 _regs.eflags |= EFLG_DF;
1941 break;
1943 goto writeback;
1945 twobyte_insn:
1946 switch ( b )
1948 case 0x40 ... 0x4f: /* cmovcc */
1949 dst.val = src.val;
1950 if ( !test_cc(b, _regs.eflags) )
1951 dst.type = OP_NONE;
1952 break;
1954 case 0x90 ... 0x9f: /* setcc */
1955 dst.val = test_cc(b, _regs.eflags);
1956 break;
1958 case 0xb0 ... 0xb1: /* cmpxchg */
1959 /* Save real source value, then compare EAX against destination. */
1960 src.orig_val = src.val;
1961 src.val = _regs.eax;
1962 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
1963 /* Always write back. The question is: where to? */
1964 d |= Mov;
1965 if ( _regs.eflags & EFLG_ZF )
1967 /* Success: write back to memory. */
1968 dst.val = src.orig_val;
1970 else
1972 /* Failure: write the value we saw to EAX. */
1973 dst.type = OP_REG;
1974 dst.reg = (unsigned long *)&_regs.eax;
1976 break;
1978 case 0xa3: bt: /* bt */
1979 emulate_2op_SrcV_nobyte("bt", src, dst, _regs.eflags);
1980 break;
1982 case 0xb3: btr: /* btr */
1983 emulate_2op_SrcV_nobyte("btr", src, dst, _regs.eflags);
1984 break;
1986 case 0xab: bts: /* bts */
1987 emulate_2op_SrcV_nobyte("bts", src, dst, _regs.eflags);
1988 break;
1990 case 0xaf: /* imul */
1991 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1992 switch ( dst.bytes )
1994 case 2:
1995 dst.val = ((uint32_t)(int16_t)src.val *
1996 (uint32_t)(int16_t)dst.val);
1997 if ( (int16_t)dst.val != (uint32_t)dst.val )
1998 _regs.eflags |= EFLG_OF|EFLG_CF;
1999 break;
2000 #ifdef __x86_64__
2001 case 4:
2002 dst.val = ((uint64_t)(int32_t)src.val *
2003 (uint64_t)(int32_t)dst.val);
2004 if ( (int32_t)dst.val != dst.val )
2005 _regs.eflags |= EFLG_OF|EFLG_CF;
2006 break;
2007 #endif
2008 default: {
2009 unsigned long m[2] = { src.val, dst.val };
2010 if ( imul_dbl(m) )
2011 _regs.eflags |= EFLG_OF|EFLG_CF;
2012 dst.val = m[0];
2013 break;
2016 break;
2018 case 0xb6: /* movzx rm8,r{16,32,64} */
2019 /* Recompute DstReg as we may have decoded AH/BH/CH/DH. */
2020 dst.reg = decode_register(modrm_reg, &_regs, 0);
2021 dst.bytes = op_bytes;
2022 dst.val = (uint8_t)src.val;
2023 break;
2025 case 0xbc: /* bsf */ {
2026 int zf;
2027 asm ( "bsf %2,%0; setz %b1"
2028 : "=r" (dst.val), "=q" (zf)
2029 : "r" (src.val), "1" (0) );
2030 _regs.eflags &= ~EFLG_ZF;
2031 _regs.eflags |= zf ? EFLG_ZF : 0;
2032 break;
2035 case 0xbd: /* bsr */ {
2036 int zf;
2037 asm ( "bsr %2,%0; setz %b1"
2038 : "=r" (dst.val), "=q" (zf)
2039 : "r" (src.val), "1" (0) );
2040 _regs.eflags &= ~EFLG_ZF;
2041 _regs.eflags |= zf ? EFLG_ZF : 0;
2042 break;
2045 case 0xb7: /* movzx rm16,r{16,32,64} */
2046 dst.val = (uint16_t)src.val;
2047 break;
2049 case 0xbb: btc: /* btc */
2050 emulate_2op_SrcV_nobyte("btc", src, dst, _regs.eflags);
2051 break;
2053 case 0xba: /* Grp8 */
2054 switch ( modrm_reg & 7 )
2056 case 4: goto bt;
2057 case 5: goto bts;
2058 case 6: goto btr;
2059 case 7: goto btc;
2060 default: generate_exception_if(1, EXC_UD);
2062 break;
2064 case 0xbe: /* movsx rm8,r{16,32,64} */
2065 /* Recompute DstReg as we may have decoded AH/BH/CH/DH. */
2066 dst.reg = decode_register(modrm_reg, &_regs, 0);
2067 dst.bytes = op_bytes;
2068 dst.val = (int8_t)src.val;
2069 break;
2071 case 0xbf: /* movsx rm16,r{16,32,64} */
2072 dst.val = (int16_t)src.val;
2073 break;
2075 case 0xc0 ... 0xc1: /* xadd */
2076 /* Write back the register source. */
2077 switch ( dst.bytes )
2079 case 1: *(uint8_t *)src.reg = (uint8_t)dst.val; break;
2080 case 2: *(uint16_t *)src.reg = (uint16_t)dst.val; break;
2081 case 4: *src.reg = (uint32_t)dst.val; break; /* 64b reg: zero-extend */
2082 case 8: *src.reg = dst.val; break;
2084 goto add;
2086 goto writeback;
2088 twobyte_special_insn:
2089 switch ( b )
2091 case 0x0d: /* GrpP (prefetch) */
2092 case 0x18: /* Grp16 (prefetch/nop) */
2093 case 0x19 ... 0x1f: /* nop (amd-defined) */
2094 break;
2096 case 0x80 ... 0x8f: /* jcc (near) */ {
2097 int rel = (((op_bytes == 2) && !mode_64bit())
2098 ? (int32_t)insn_fetch_type(int16_t)
2099 : insn_fetch_type(int32_t));
2100 if ( test_cc(b, _regs.eflags) )
2101 jmp_rel(rel);
2102 break;
2105 case 0xc7: /* Grp9 (cmpxchg8b) */
2106 #if defined(__i386__)
2108 unsigned long old_lo, old_hi;
2109 generate_exception_if((modrm_reg & 7) != 1, EXC_UD);
2110 if ( (rc = ops->read(ea.mem.seg, ea.mem.off+0, &old_lo, 4, ctxt)) ||
2111 (rc = ops->read(ea.mem.seg, ea.mem.off+4, &old_hi, 4, ctxt)) )
2112 goto done;
2113 if ( (old_lo != _regs.eax) || (old_hi != _regs.edx) )
2115 _regs.eax = old_lo;
2116 _regs.edx = old_hi;
2117 _regs.eflags &= ~EFLG_ZF;
2119 else if ( ops->cmpxchg8b == NULL )
2121 rc = X86EMUL_UNHANDLEABLE;
2122 goto done;
2124 else
2126 if ( (rc = ops->cmpxchg8b(ea.mem.seg, ea.mem.off, old_lo, old_hi,
2127 _regs.ebx, _regs.ecx, ctxt)) != 0 )
2128 goto done;
2129 _regs.eflags |= EFLG_ZF;
2131 break;
2133 #elif defined(__x86_64__)
2135 unsigned long old, new;
2136 generate_exception_if((modrm_reg & 7) != 1, EXC_UD);
2137 if ( (rc = ops->read(ea.mem.seg, ea.mem.off, &old, 8, ctxt)) != 0 )
2138 goto done;
2139 if ( ((uint32_t)(old>>0) != (uint32_t)_regs.eax) ||
2140 ((uint32_t)(old>>32) != (uint32_t)_regs.edx) )
2142 _regs.eax = (uint32_t)(old>>0);
2143 _regs.edx = (uint32_t)(old>>32);
2144 _regs.eflags &= ~EFLG_ZF;
2146 else
2148 new = (_regs.ecx<<32)|(uint32_t)_regs.ebx;
2149 if ( (rc = ops->cmpxchg(ea.mem.seg, ea.mem.off, old,
2150 new, 8, ctxt)) != 0 )
2151 goto done;
2152 _regs.eflags |= EFLG_ZF;
2154 break;
2156 #endif
2158 case 0xc8 ... 0xcf: /* bswap */
2159 dst.type = OP_REG;
2160 dst.reg = decode_register(b & 7, &_regs, 0);
2161 dst.val = *dst.reg;
2162 switch ( dst.bytes = op_bytes )
2164 case 2:
2165 dst.val = (((dst.val & 0x00FFUL) << 8) |
2166 ((dst.val & 0xFF00UL) >> 8));
2167 break;
2168 case 4:
2169 dst.val = (((dst.val & 0x000000FFUL) << 24) |
2170 ((dst.val & 0x0000FF00UL) << 8) |
2171 ((dst.val & 0x00FF0000UL) >> 8) |
2172 ((dst.val & 0xFF000000UL) >> 24));
2173 break;
2174 #ifdef __x86_64__
2175 case 8:
2176 dst.val = (((dst.val & 0x00000000000000FFUL) << 56) |
2177 ((dst.val & 0x000000000000FF00UL) << 40) |
2178 ((dst.val & 0x0000000000FF0000UL) << 24) |
2179 ((dst.val & 0x00000000FF000000UL) << 8) |
2180 ((dst.val & 0x000000FF00000000UL) >> 8) |
2181 ((dst.val & 0x0000FF0000000000UL) >> 24) |
2182 ((dst.val & 0x00FF000000000000UL) >> 40) |
2183 ((dst.val & 0xFF00000000000000UL) >> 56));
2184 break;
2185 #endif
2187 break;
2189 goto writeback;
2191 cannot_emulate:
2192 #ifdef __XEN__
2193 gdprintk(XENLOG_DEBUG, "Instr:");
2194 for ( ea.mem.off = ctxt->regs->eip; ea.mem.off < _regs.eip; ea.mem.off++ )
2196 unsigned long x;
2197 ops->insn_fetch(x86_seg_cs, ea.mem.off, &x, 1, ctxt);
2198 printk(" %02x", (uint8_t)x);
2200 printk("\n");
2201 #endif
2202 return -1;