ia64/xen-unstable

xen/arch/x86/x86_emulate.c @ 17180:771c7124bf38

x86_emulate: Emit emulated forms of most FPU instructions as '.byte
xx,yy'. This is arguably clearer than using the mnemonic opcode, since
it more clearly matches the instruction we have just decoded. Furthermore,
gas likes to reverse FPU operands on some two-operand FPU instructions
for historical reasons. Finally, '.byte xx,yy' is potentially more
amenable to further macro-isation down the road.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue Mar 04 10:32:13 2008 +0000 (2008-03-04)
parents a2359114b6cb
children 96453af916b9
1 /******************************************************************************
2 * x86_emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005-2007 Keir Fraser
7 * Copyright (c) 2005-2007 XenSource Inc.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
24 #ifndef __XEN__
25 #include <stddef.h>
26 #include <stdint.h>
27 #include <string.h>
28 #include <public/xen.h>
29 #else
30 #include <xen/config.h>
31 #include <xen/types.h>
32 #include <xen/lib.h>
33 #include <asm/regs.h>
34 #undef cmpxchg
35 #endif
36 #include <asm-x86/x86_emulate.h>
38 /* Operand sizes: 8-bit operands or specified/overridden size. */
39 #define ByteOp (1<<0) /* 8-bit operands. */
40 /* Destination operand type. */
41 #define DstBitBase (0<<1) /* Memory operand, bit string. */
42 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
43 #define DstReg (2<<1) /* Register operand. */
44 #define DstMem (3<<1) /* Memory operand. */
45 #define DstMask (3<<1)
46 /* Source operand type. */
47 #define SrcNone (0<<3) /* No source operand. */
48 #define SrcImplicit (0<<3) /* Source operand is implicit in the opcode. */
49 #define SrcReg (1<<3) /* Register operand. */
50 #define SrcMem (2<<3) /* Memory operand. */
51 #define SrcMem16 (3<<3) /* Memory operand (16-bit). */
52 #define SrcImm (4<<3) /* Immediate operand. */
53 #define SrcImmByte (5<<3) /* 8-bit sign-extended immediate operand. */
54 #define SrcMask (7<<3)
55 /* Generic ModRM decode. */
56 #define ModRM (1<<6)
57 /* Destination is only written; never read. */
58 #define Mov (1<<7)
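/*
 * Illustrative aside (a sketch, not part of this changeset): how one of
 * the packed attribute bytes below is picked apart.  Opcode 0x00
 * (ADD r/m8,r8), for example, is encoded as ByteOp|DstMem|SrcReg|ModRM.
 */
static inline void demo_unpack_attrs(uint8_t d)
{
    int byteop    = !!(d & ByteOp);  /* 8-bit operands? */
    int dst_type  = d & DstMask;     /* DstMem for opcode 0x00 */
    int src_type  = d & SrcMask;     /* SrcReg for opcode 0x00 */
    int has_modrm = !!(d & ModRM);   /* a ModRM byte follows the opcode */
    (void)byteop; (void)dst_type; (void)src_type; (void)has_modrm;
}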
60 static uint8_t opcode_table[256] = {
61 /* 0x00 - 0x07 */
62 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
63 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
64 ByteOp|DstReg|SrcImm, DstReg|SrcImm, ImplicitOps, ImplicitOps,
65 /* 0x08 - 0x0F */
66 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
67 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
68 ByteOp|DstReg|SrcImm, DstReg|SrcImm, ImplicitOps, 0,
69 /* 0x10 - 0x17 */
70 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
71 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
72 ByteOp|DstReg|SrcImm, DstReg|SrcImm, ImplicitOps, ImplicitOps,
73 /* 0x18 - 0x1F */
74 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
75 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
76 ByteOp|DstReg|SrcImm, DstReg|SrcImm, ImplicitOps, ImplicitOps,
77 /* 0x20 - 0x27 */
78 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
79 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
80 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
81 /* 0x28 - 0x2F */
82 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
83 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
84 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
85 /* 0x30 - 0x37 */
86 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
87 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
88 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
89 /* 0x38 - 0x3F */
90 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
91 ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
92 ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
93 /* 0x40 - 0x4F */
94 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
95 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
96 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
97 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
98 /* 0x50 - 0x5F */
99 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
100 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
101 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
102 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
103 /* 0x60 - 0x67 */
104 ImplicitOps, ImplicitOps, DstReg|SrcMem|ModRM, DstReg|SrcMem16|ModRM|Mov,
105 0, 0, 0, 0,
106 /* 0x68 - 0x6F */
107 ImplicitOps|Mov, DstReg|SrcImm|ModRM|Mov,
108 ImplicitOps|Mov, DstReg|SrcImmByte|ModRM|Mov,
109 ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
110 /* 0x70 - 0x77 */
111 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
112 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
113 /* 0x78 - 0x7F */
114 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
115 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
116 /* 0x80 - 0x87 */
117 ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImm|ModRM,
118 ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImmByte|ModRM,
119 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
120 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
121 /* 0x88 - 0x8F */
122 ByteOp|DstMem|SrcReg|ModRM|Mov, DstMem|SrcReg|ModRM|Mov,
123 ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
124 DstMem|SrcReg|ModRM|Mov, DstReg|SrcNone|ModRM,
125 DstReg|SrcMem|ModRM|Mov, DstMem|SrcNone|ModRM|Mov,
126 /* 0x90 - 0x97 */
127 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
128 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
129 /* 0x98 - 0x9F */
130 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
131 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
132 /* 0xA0 - 0xA7 */
133 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
134 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
135 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
136 ByteOp|ImplicitOps, ImplicitOps,
137 /* 0xA8 - 0xAF */
138 ByteOp|DstReg|SrcImm, DstReg|SrcImm,
139 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
140 ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
141 ByteOp|ImplicitOps, ImplicitOps,
142 /* 0xB0 - 0xB7 */
143 ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
144 ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
145 ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
146 ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
147 /* 0xB8 - 0xBF */
148 DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov,
149 DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov,
150 /* 0xC0 - 0xC7 */
151 ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImmByte|ModRM,
152 ImplicitOps, ImplicitOps,
153 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
154 ByteOp|DstMem|SrcImm|ModRM|Mov, DstMem|SrcImm|ModRM|Mov,
155 /* 0xC8 - 0xCF */
156 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
157 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
158 /* 0xD0 - 0xD7 */
159 ByteOp|DstMem|SrcImplicit|ModRM, DstMem|SrcImplicit|ModRM,
160 ByteOp|DstMem|SrcImplicit|ModRM, DstMem|SrcImplicit|ModRM,
161 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
162 /* 0xD8 - 0xDF */
163 0, ImplicitOps|ModRM|Mov, 0, ImplicitOps|ModRM|Mov,
164 0, ImplicitOps|ModRM|Mov, ImplicitOps|ModRM|Mov, ImplicitOps|ModRM|Mov,
165 /* 0xE0 - 0xE7 */
166 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
167 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
168 /* 0xE8 - 0xEF */
169 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
170 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
171 /* 0xF0 - 0xF7 */
172 0, ImplicitOps, 0, 0,
173 ImplicitOps, ImplicitOps,
174 ByteOp|DstMem|SrcNone|ModRM, DstMem|SrcNone|ModRM,
175 /* 0xF8 - 0xFF */
176 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
177 ImplicitOps, ImplicitOps, ByteOp|DstMem|SrcNone|ModRM, DstMem|SrcNone|ModRM
178 };
180 static uint8_t twobyte_table[256] = {
181 /* 0x00 - 0x07 */
182 0, ImplicitOps|ModRM, 0, 0, 0, 0, ImplicitOps, 0,
183 /* 0x08 - 0x0F */
184 ImplicitOps, ImplicitOps, 0, 0, 0, ImplicitOps|ModRM, 0, 0,
185 /* 0x10 - 0x17 */
186 0, 0, 0, 0, 0, 0, 0, 0,
187 /* 0x18 - 0x1F */
188 ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
189 ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
190 /* 0x20 - 0x27 */
191 ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
192 0, 0, 0, 0,
193 /* 0x28 - 0x2F */
194 0, 0, 0, 0, 0, 0, 0, 0,
195 /* 0x30 - 0x37 */
196 ImplicitOps, ImplicitOps, ImplicitOps, 0, 0, 0, 0, 0,
197 /* 0x38 - 0x3F */
198 0, 0, 0, 0, 0, 0, 0, 0,
199 /* 0x40 - 0x47 */
200 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
201 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
202 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
203 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
204 /* 0x48 - 0x4F */
205 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
206 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
207 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
208 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
209 /* 0x50 - 0x5F */
210 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
211 /* 0x60 - 0x6F */
212 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
213 /* 0x70 - 0x7F */
214 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
215 /* 0x80 - 0x87 */
216 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
217 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
218 /* 0x88 - 0x8F */
219 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
220 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
221 /* 0x90 - 0x97 */
222 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
223 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
224 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
225 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
226 /* 0x98 - 0x9F */
227 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
228 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
229 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
230 ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
231 /* 0xA0 - 0xA7 */
232 ImplicitOps, ImplicitOps, ImplicitOps, DstBitBase|SrcReg|ModRM,
233 DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM, 0, 0,
234 /* 0xA8 - 0xAF */
235 ImplicitOps, ImplicitOps, 0, DstBitBase|SrcReg|ModRM,
236 DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM, 0, DstReg|SrcMem|ModRM,
237 /* 0xB0 - 0xB7 */
238 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
239 DstReg|SrcMem|ModRM|Mov, DstBitBase|SrcReg|ModRM,
240 DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
241 ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem16|ModRM|Mov,
242 /* 0xB8 - 0xBF */
243 0, 0, DstBitBase|SrcImmByte|ModRM, DstBitBase|SrcReg|ModRM,
244 DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
245 ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem16|ModRM|Mov,
246 /* 0xC0 - 0xC7 */
247 ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM, 0, 0,
248 0, 0, 0, ImplicitOps|ModRM,
249 /* 0xC8 - 0xCF */
250 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
251 ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
252 /* 0xD0 - 0xDF */
253 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
254 /* 0xE0 - 0xEF */
255 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
256 /* 0xF0 - 0xFF */
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
258 };
260 /* Type, address-of, and value of an instruction's operand. */
261 struct operand {
262 enum { OP_REG, OP_MEM, OP_IMM, OP_NONE } type;
263 unsigned int bytes;
264 unsigned long val, orig_val;
265 union {
266 /* OP_REG: Pointer to register field. */
267 unsigned long *reg;
268 /* OP_MEM: Segment and offset. */
269 struct {
270 enum x86_segment seg;
271 unsigned long off;
272 } mem;
273 };
274 };
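/*
 * Illustrative aside (a sketch, not part of this changeset): a 4-byte
 * memory operand at DS:0x1000 would be described as follows.
 */
static inline struct operand demo_mem_operand(void)
{
    struct operand op;
    op.type = OP_MEM;            /* discriminates the union above */
    op.bytes = 4;                /* operand width in bytes */
    op.mem.seg = x86_seg_ds;
    op.mem.off = 0x1000;
    op.val = op.orig_val = 0;    /* filled in once the operand is read */
    return op;
}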
276 /* MSRs. */
277 #define MSR_TSC 0x10
279 /* Control register flags. */
280 #define CR0_PE (1<<0)
281 #define CR4_TSD (1<<2)
283 /* EFLAGS bit definitions. */
284 #define EFLG_VIP (1<<20)
285 #define EFLG_VIF (1<<19)
286 #define EFLG_AC (1<<18)
287 #define EFLG_VM (1<<17)
288 #define EFLG_RF (1<<16)
289 #define EFLG_NT (1<<14)
290 #define EFLG_IOPL (3<<12)
291 #define EFLG_OF (1<<11)
292 #define EFLG_DF (1<<10)
293 #define EFLG_IF (1<<9)
294 #define EFLG_TF (1<<8)
295 #define EFLG_SF (1<<7)
296 #define EFLG_ZF (1<<6)
297 #define EFLG_AF (1<<4)
298 #define EFLG_PF (1<<2)
299 #define EFLG_CF (1<<0)
301 /* Exception definitions. */
302 #define EXC_DE 0
303 #define EXC_DB 1
304 #define EXC_BP 3
305 #define EXC_OF 4
306 #define EXC_BR 5
307 #define EXC_UD 6
308 #define EXC_TS 10
309 #define EXC_NP 11
310 #define EXC_SS 12
311 #define EXC_GP 13
312 #define EXC_PF 14
313 #define EXC_MF 16
315 /*
316 * Instruction emulation:
317 * Most instructions are emulated directly via a fragment of inline assembly
318 * code. This allows us to save/restore EFLAGS and thus very easily pick up
319 * any modified flags.
320 */
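/*
 * Illustrative aside (a minimal sketch, not part of this changeset): the
 * essence of the technique is to execute one real instance of the
 * instruction and let the CPU compute the flags, captured via PUSHF/POP.
 * The _PRE_EFLAGS/_POST_EFLAGS machinery below additionally restores the
 * guest's OF/SF/ZF/AF/PF/CF before the instruction and merges the result
 * back into the saved value afterwards.
 */
static inline unsigned long demo_emulate_add(
    unsigned long dst, unsigned long src, unsigned long *eflags)
{
    asm ( "add %2,%0; pushf; pop %1"
          : "+r" (dst), "=r" (*eflags)
          : "r" (src) );
    return dst;
}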
322 #if defined(__x86_64__)
323 #define _LO32 "k" /* force 32-bit operand */
324 #define _STK "%%rsp" /* stack pointer */
325 #define _BYTES_PER_LONG "8"
326 #elif defined(__i386__)
327 #define _LO32 "" /* force 32-bit operand */
328 #define _STK "%%esp" /* stack pointer */
329 #define _BYTES_PER_LONG "4"
330 #endif
332 /*
333 * These EFLAGS bits are restored from saved value during emulation, and
334 * any changes are written back to the saved value after emulation.
335 */
336 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
338 /* Before executing instruction: restore necessary bits in EFLAGS. */
339 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
340 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
341 "movl %"_sav",%"_LO32 _tmp"; " \
342 "push %"_tmp"; " \
343 "push %"_tmp"; " \
344 "movl %"_msk",%"_LO32 _tmp"; " \
345 "andl %"_LO32 _tmp",("_STK"); " \
346 "pushf; " \
347 "notl %"_LO32 _tmp"; " \
348 "andl %"_LO32 _tmp",("_STK"); " \
349 "andl %"_LO32 _tmp",2*"_BYTES_PER_LONG"("_STK"); " \
350 "pop %"_tmp"; " \
351 "orl %"_LO32 _tmp",("_STK"); " \
352 "popf; " \
353 "pop %"_sav"; "
355 /* After executing instruction: write-back necessary bits in EFLAGS. */
356 #define _POST_EFLAGS(_sav, _msk, _tmp) \
357 /* _sav |= EFLAGS & _msk; */ \
358 "pushf; " \
359 "pop %"_tmp"; " \
360 "andl %"_msk",%"_LO32 _tmp"; " \
361 "orl %"_LO32 _tmp",%"_sav"; "
363 /* Raw emulation: instruction has two explicit operands. */
364 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy)\
365 do{ unsigned long _tmp; \
366 switch ( (_dst).bytes ) \
367 { \
368 case 2: \
369 asm volatile ( \
370 _PRE_EFLAGS("0","4","2") \
371 _op"w %"_wx"3,%1; " \
372 _POST_EFLAGS("0","4","2") \
373 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
374 : _wy ((_src).val), "i" (EFLAGS_MASK), \
375 "m" (_eflags), "m" ((_dst).val) ); \
376 break; \
377 case 4: \
378 asm volatile ( \
379 _PRE_EFLAGS("0","4","2") \
380 _op"l %"_lx"3,%1; " \
381 _POST_EFLAGS("0","4","2") \
382 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
383 : _ly ((_src).val), "i" (EFLAGS_MASK), \
384 "m" (_eflags), "m" ((_dst).val) ); \
385 break; \
386 case 8: \
387 __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy); \
388 break; \
389 } \
390 } while (0)
391 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy)\
392 do{ unsigned long _tmp; \
393 switch ( (_dst).bytes ) \
394 { \
395 case 1: \
396 asm volatile ( \
397 _PRE_EFLAGS("0","4","2") \
398 _op"b %"_bx"3,%1; " \
399 _POST_EFLAGS("0","4","2") \
400 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
401 : _by ((_src).val), "i" (EFLAGS_MASK), \
402 "m" (_eflags), "m" ((_dst).val) ); \
403 break; \
404 default: \
405 __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy);\
406 break; \
407 } \
408 } while (0)
409 /* Source operand is byte-sized and may be restricted to just %cl. */
410 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
411 __emulate_2op(_op, _src, _dst, _eflags, \
412 "b", "c", "b", "c", "b", "c", "b", "c")
413 /* Source operand is byte, word, long or quad sized. */
414 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
415 __emulate_2op(_op, _src, _dst, _eflags, \
416 "b", "q", "w", "r", _LO32, "r", "", "r")
417 /* Source operand is word, long or quad sized. */
418 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
419 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
420 "w", "r", _LO32, "r", "", "r")
422 /* Instruction has only one explicit operand (no source operand). */
423 #define emulate_1op(_op,_dst,_eflags) \
424 do{ unsigned long _tmp; \
425 switch ( (_dst).bytes ) \
426 { \
427 case 1: \
428 asm volatile ( \
429 _PRE_EFLAGS("0","3","2") \
430 _op"b %1; " \
431 _POST_EFLAGS("0","3","2") \
432 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
433 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
434 break; \
435 case 2: \
436 asm volatile ( \
437 _PRE_EFLAGS("0","3","2") \
438 _op"w %1; " \
439 _POST_EFLAGS("0","3","2") \
440 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
441 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
442 break; \
443 case 4: \
444 asm volatile ( \
445 _PRE_EFLAGS("0","3","2") \
446 _op"l %1; " \
447 _POST_EFLAGS("0","3","2") \
448 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
449 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
450 break; \
451 case 8: \
452 __emulate_1op_8byte(_op, _dst, _eflags); \
453 break; \
454 } \
455 } while (0)
457 /* Emulate an instruction with quadword operands (x86/64 only). */
458 #if defined(__x86_64__)
459 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy) \
460 do{ asm volatile ( \
461 _PRE_EFLAGS("0","4","2") \
462 _op"q %"_qx"3,%1; " \
463 _POST_EFLAGS("0","4","2") \
464 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
465 : _qy ((_src).val), "i" (EFLAGS_MASK), \
466 "m" (_eflags), "m" ((_dst).val) ); \
467 } while (0)
468 #define __emulate_1op_8byte(_op, _dst, _eflags) \
469 do{ asm volatile ( \
470 _PRE_EFLAGS("0","3","2") \
471 _op"q %1; " \
472 _POST_EFLAGS("0","3","2") \
473 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
474 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
475 } while (0)
476 #elif defined(__i386__)
477 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
478 #define __emulate_1op_8byte(_op, _dst, _eflags)
479 #endif /* __i386__ */
481 #ifdef __XEN__
482 #define __emulate_fpu_insn(_op) \
483 do{ int _exn; \
484 asm volatile ( \
485 "1: " _op "\n" \
486 "2: \n" \
487 ".section .fixup,\"ax\"\n" \
488 "3: mov $1,%0\n" \
489 " jmp 2b\n" \
490 ".previous\n" \
491 ".section __ex_table,\"a\"\n" \
492 " "__FIXUP_ALIGN"\n" \
493 " "__FIXUP_WORD" 1b,3b\n" \
494 ".previous" \
495 : "=r" (_exn) : "0" (0) ); \
496 generate_exception_if(_exn, EXC_MF, -1); \
497 } while (0)
498 #else
499 #define __emulate_fpu_insn(_op) \
500 do{ rc = X86EMUL_UNHANDLEABLE; \
501 goto done; \
502 } while (0)
503 #endif
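/*
 * Illustrative aside, not part of this changeset: the commit message's
 * '.byte xx,yy' scheme means a use site can pass the already-decoded
 * opcode bytes straight through, e.g. __emulate_fpu_insn(".byte 0xd9,0xe8")
 * for FLD1, instead of a mnemonic that gas may reassemble with reversed
 * operands on two-operand FPU arithmetic (fsub/fsubr and friends).
 */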
506 /* Fetch next part of the instruction being emulated. */
507 #define insn_fetch_bytes(_size) \
508 ({ unsigned long _x, _eip = _regs.eip; \
509 if ( !mode_64bit() ) _eip = (uint32_t)_eip; /* ignore upper dword */ \
510 _regs.eip += (_size); /* real hardware doesn't truncate */ \
511 generate_exception_if((uint8_t)(_regs.eip - ctxt->regs->eip) > 15, \
512 EXC_GP, 0); \
513 rc = ops->insn_fetch(x86_seg_cs, _eip, &_x, (_size), ctxt); \
514 if ( rc ) goto done; \
515 _x; \
516 })
517 #define insn_fetch_type(_type) ((_type)insn_fetch_bytes(sizeof(_type)))
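/*
 * Illustrative aside, not part of this changeset: a 16-bit displacement
 * is pulled from the instruction stream as
 *     disp = insn_fetch_type(int16_t);
 * advancing the shadow %eip by two, and faulting with #GP(0) if the
 * instruction being decoded would exceed the architectural 15-byte limit.
 */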
519 #define truncate_word(ea, byte_width) \
520 ({ unsigned long __ea = (ea); \
521 unsigned int _width = (byte_width); \
522 ((_width == sizeof(unsigned long)) ? __ea : \
523 (__ea & ((1UL << (_width << 3)) - 1))); \
524 })
525 #define truncate_ea(ea) truncate_word((ea), ad_bytes)
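/*
 * Illustrative aside, not part of this changeset:
 *     truncate_word(0x12345678, 2) == 0x5678
 * while a width equal to sizeof(unsigned long) returns the value
 * unchanged (avoiding the undefined full-width 1UL << 64 shift that the
 * mask would otherwise need).
 */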
527 #define mode_64bit() (def_ad_bytes == 8)
529 #define fail_if(p) \
530 do { \
531 rc = (p) ? X86EMUL_UNHANDLEABLE : X86EMUL_OKAY; \
532 if ( rc ) goto done; \
533 } while (0)
535 #define generate_exception_if(p, e, ec) \
536 ({ if ( (p) ) { \
537 fail_if(ops->inject_hw_exception == NULL); \
538 rc = ops->inject_hw_exception(e, ec, ctxt) ? : X86EMUL_EXCEPTION; \
539 goto done; \
540 } \
541 })
543 /*
544 * Given byte has even parity (even number of 1s)? SDM Vol. 1 Sec. 3.4.3.1,
545 * "Status Flags": EFLAGS.PF reflects parity of least-sig. byte of result only.
546 */
547 static int even_parity(uint8_t v)
548 {
549 asm ( "test %b0,%b0; setp %b0" : "=a" (v) : "0" (v) );
550 return v;
551 }
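/*
 * Illustrative aside, not part of this changeset: even_parity(0x03) is 1
 * (two bits set) and even_parity(0x07) is 0 (three bits set), matching
 * the PF value hardware would produce for those result bytes.
 */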
553 /* Update address held in a register, based on addressing mode. */
554 #define _register_address_increment(reg, inc, byte_width) \
555 do { \
556 int _inc = (inc); /* signed type ensures sign extension to long */ \
557 unsigned int _width = (byte_width); \
558 if ( _width == sizeof(unsigned long) ) \
559 (reg) += _inc; \
560 else if ( mode_64bit() ) \
561 (reg) = ((reg) + _inc) & ((1UL << (_width << 3)) - 1); \
562 else \
563 (reg) = ((reg) & ~((1UL << (_width << 3)) - 1)) | \
564 (((reg) + _inc) & ((1UL << (_width << 3)) - 1)); \
565 } while (0)
566 #define register_address_increment(reg, inc) \
567 _register_address_increment((reg), (inc), ad_bytes)
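/*
 * Illustrative aside, not part of this changeset: with ad_bytes == 2 and
 * a register holding 0x1234ffff, register_address_increment(reg, 1)
 * yields 0x12340000 -- only the low 16 bits participate and wrap, while
 * the upper register bits are left untouched.
 */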
569 #define sp_pre_dec(dec) ({ \
570 _register_address_increment(_regs.esp, -(dec), ctxt->sp_size/8); \
571 truncate_word(_regs.esp, ctxt->sp_size/8); \
572 })
573 #define sp_post_inc(inc) ({ \
574 unsigned long __esp = truncate_word(_regs.esp, ctxt->sp_size/8); \
575 _register_address_increment(_regs.esp, (inc), ctxt->sp_size/8); \
576 __esp; \
577 })
579 #define jmp_rel(rel) \
580 do { \
581 int _rel = (int)(rel); \
582 _regs.eip += _rel; \
583 if ( !mode_64bit() ) \
584 _regs.eip = ((op_bytes == 2) \
585 ? (uint16_t)_regs.eip : (uint32_t)_regs.eip); \
586 } while (0)
588 static unsigned long __get_rep_prefix(
589 struct cpu_user_regs *int_regs,
590 struct cpu_user_regs *ext_regs,
591 int ad_bytes)
592 {
593 unsigned long ecx = ((ad_bytes == 2) ? (uint16_t)int_regs->ecx :
594 (ad_bytes == 4) ? (uint32_t)int_regs->ecx :
595 int_regs->ecx);
597 /* Skip the instruction if no repetitions are required. */
598 if ( ecx == 0 )
599 ext_regs->eip = int_regs->eip;
601 return ecx;
602 }
604 #define get_rep_prefix() ({ \
605 unsigned long max_reps = 1; \
606 if ( rep_prefix ) \
607 max_reps = __get_rep_prefix(&_regs, ctxt->regs, ad_bytes); \
608 if ( max_reps == 0 ) \
609 goto done; \
610 max_reps; \
611 })
613 static void __put_rep_prefix(
614 struct cpu_user_regs *int_regs,
615 struct cpu_user_regs *ext_regs,
616 int ad_bytes,
617 unsigned long reps_completed)
618 {
619 unsigned long ecx = ((ad_bytes == 2) ? (uint16_t)int_regs->ecx :
620 (ad_bytes == 4) ? (uint32_t)int_regs->ecx :
621 int_regs->ecx);
623 /* Reduce counter appropriately, and repeat instruction if non-zero. */
624 ecx -= reps_completed;
625 if ( ecx != 0 )
626 int_regs->eip = ext_regs->eip;
628 if ( ad_bytes == 2 )
629 *(uint16_t *)&int_regs->ecx = ecx;
630 else if ( ad_bytes == 4 )
631 int_regs->ecx = (uint32_t)ecx;
632 else
633 int_regs->ecx = ecx;
634 }
636 #define put_rep_prefix(reps_completed) ({ \
637 if ( rep_prefix ) \
638 __put_rep_prefix(&_regs, ctxt->regs, ad_bytes, reps_completed); \
639 })
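/*
 * Illustrative aside, not part of this changeset: for a rep'ed
 * instruction with ad_bytes == 4 and %ecx == 3, get_rep_prefix() yields
 * 3; if all three iterations complete, put_rep_prefix(3) leaves %ecx at
 * zero and the advanced %eip stands, otherwise the shadow %eip is wound
 * back to the start of the instruction so it re-executes with the
 * remaining count.
 */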
641 /*
642 * Unsigned multiplication with double-word result.
643 * IN: Multiplicand=m[0], Multiplier=m[1]
644 * OUT: Return CF/OF (overflow status); Result=m[1]:m[0]
645 */
646 static int mul_dbl(unsigned long m[2])
647 {
648 int rc;
649 asm ( "mul %4; seto %b2"
650 : "=a" (m[0]), "=d" (m[1]), "=q" (rc)
651 : "0" (m[0]), "1" (m[1]), "2" (0) );
652 return rc;
653 }
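/*
 * Illustrative aside, not part of this changeset: on a 32-bit build,
 * m[0] = 0x80000000 and m[1] = 2 multiply to the 64-bit product
 * 0x1_00000000, so mul_dbl() leaves m[0] = 0, m[1] = 1 and returns 1
 * (the high half is non-zero, hence CF/OF).
 */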
655 /*
656 * Signed multiplication with double-word result.
657 * IN: Multiplicand=m[0], Multiplier=m[1]
658 * OUT: Return CF/OF (overflow status); Result=m[1]:m[0]
659 */
660 static int imul_dbl(unsigned long m[2])
661 {
662 int rc;
663 asm ( "imul %4; seto %b2"
664 : "=a" (m[0]), "=d" (m[1]), "=q" (rc)
665 : "0" (m[0]), "1" (m[1]), "2" (0) );
666 return rc;
667 }
669 /*
670 * Unsigned division of double-word dividend.
671 * IN: Dividend=u[1]:u[0], Divisor=v
672 * OUT: Return 1: #DE
673 * Return 0: Quotient=u[0], Remainder=u[1]
674 */
675 static int div_dbl(unsigned long u[2], unsigned long v)
676 {
677 if ( (v == 0) || (u[1] >= v) )
678 return 1;
679 asm ( "div %4"
680 : "=a" (u[0]), "=d" (u[1])
681 : "0" (u[0]), "1" (u[1]), "r" (v) );
682 return 0;
683 }
685 /*
686 * Signed division of double-word dividend.
687 * IN: Dividend=u[1]:u[0], Divisor=v
688 * OUT: Return 1: #DE
689 * Return 0: Quotient=u[0], Remainder=u[1]
690 * NB. We don't use idiv directly as it's moderately hard to work out
691 * ahead of time whether it will #DE, which we cannot allow to happen.
692 */
693 static int idiv_dbl(unsigned long u[2], unsigned long v)
694 {
695 int negu = (long)u[1] < 0, negv = (long)v < 0;
697 /* u = abs(u) */
698 if ( negu )
699 {
700 u[1] = ~u[1];
701 if ( (u[0] = -u[0]) == 0 )
702 u[1]++;
703 }
705 /* abs(u) / abs(v) */
706 if ( div_dbl(u, negv ? -v : v) )
707 return 1;
709 /* Remainder has same sign as dividend. It cannot overflow. */
710 if ( negu )
711 u[1] = -u[1];
713 /* Quotient is overflowed if sign bit is set. */
714 if ( negu ^ negv )
715 {
716 if ( (long)u[0] >= 0 )
717 u[0] = -u[0];
718 else if ( (u[0] << 1) != 0 ) /* == 0x80...0 is okay */
719 return 1;
720 }
721 else if ( (long)u[0] < 0 )
722 return 1;
724 return 0;
725 }
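/*
 * Illustrative aside, not part of this changeset: on a 32-bit build,
 * dividing the 64-bit value 0x00000001_00000000 by 2 would need the
 * quotient +0x80000000, which is not representable as a positive long,
 * so the "(long)u[0] < 0" test fires and idiv_dbl() returns 1 -- the
 * caller then raises #DE exactly as a real IDIV would.
 */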
727 static int
728 test_cc(
729 unsigned int condition, unsigned int flags)
730 {
731 int rc = 0;
733 switch ( (condition & 15) >> 1 )
734 {
735 case 0: /* o */
736 rc |= (flags & EFLG_OF);
737 break;
738 case 1: /* b/c/nae */
739 rc |= (flags & EFLG_CF);
740 break;
741 case 2: /* z/e */
742 rc |= (flags & EFLG_ZF);
743 break;
744 case 3: /* be/na */
745 rc |= (flags & (EFLG_CF|EFLG_ZF));
746 break;
747 case 4: /* s */
748 rc |= (flags & EFLG_SF);
749 break;
750 case 5: /* p/pe */
751 rc |= (flags & EFLG_PF);
752 break;
753 case 7: /* le/ng */
754 rc |= (flags & EFLG_ZF);
755 /* fall through */
756 case 6: /* l/nge */
757 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
758 break;
759 }
761 /* Odd condition identifiers (lsb == 1) have inverted sense. */
762 return (!!rc ^ (condition & 1));
763 }
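/*
 * Illustrative aside, not part of this changeset: condition code 0x4
 * ("e/z") makes test_cc() report ZF, while the odd neighbour 0x5
 * ("ne/nz") returns the inverse for the same flags -- the final XOR
 * with bit 0 implements that pairing for all eight condition groups.
 */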
765 static int
766 get_cpl(
767 struct x86_emulate_ctxt *ctxt,
768 struct x86_emulate_ops *ops)
769 {
770 struct segment_register reg;
772 if ( ctxt->regs->eflags & EFLG_VM )
773 return 3;
775 if ( (ops->read_segment == NULL) ||
776 ops->read_segment(x86_seg_ss, &reg, ctxt) )
777 return -1;
779 return reg.attr.fields.dpl;
780 }
782 static int
783 _mode_iopl(
784 struct x86_emulate_ctxt *ctxt,
785 struct x86_emulate_ops *ops)
786 {
787 int cpl = get_cpl(ctxt, ops);
788 return ((cpl >= 0) && (cpl <= ((ctxt->regs->eflags >> 12) & 3)));
789 }
791 #define mode_ring0() (get_cpl(ctxt, ops) == 0)
792 #define mode_iopl() _mode_iopl(ctxt, ops)
794 static int
795 in_realmode(
796 struct x86_emulate_ctxt *ctxt,
797 struct x86_emulate_ops *ops)
798 {
799 unsigned long cr0;
800 int rc;
802 if ( ops->read_cr == NULL )
803 return 0;
805 rc = ops->read_cr(0, &cr0, ctxt);
806 return (!rc && !(cr0 & CR0_PE));
807 }
809 static int
810 realmode_load_seg(
811 enum x86_segment seg,
812 uint16_t sel,
813 struct x86_emulate_ctxt *ctxt,
814 struct x86_emulate_ops *ops)
815 {
816 struct segment_register reg;
817 int rc;
819 if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 )
820 return rc;
822 reg.sel = sel;
823 reg.base = (uint32_t)sel << 4;
825 return ops->write_segment(seg, &reg, ctxt);
826 }
828 static int
829 protmode_load_seg(
830 enum x86_segment seg,
831 uint16_t sel,
832 struct x86_emulate_ctxt *ctxt,
833 struct x86_emulate_ops *ops)
834 {
835 struct segment_register desctab, cs, segr;
836 struct { uint32_t a, b; } desc;
837 unsigned long val;
838 uint8_t dpl, rpl, cpl;
839 int rc, fault_type = EXC_TS;
841 /* NULL selector? */
842 if ( (sel & 0xfffc) == 0 )
843 {
844 if ( (seg == x86_seg_cs) || (seg == x86_seg_ss) )
845 goto raise_exn;
846 memset(&segr, 0, sizeof(segr));
847 return ops->write_segment(seg, &segr, ctxt);
848 }
850 /* LDT descriptor must be in the GDT. */
851 if ( (seg == x86_seg_ldtr) && (sel & 4) )
852 goto raise_exn;
854 if ( (rc = ops->read_segment(x86_seg_cs, &cs, ctxt)) ||
855 (rc = ops->read_segment((sel & 4) ? x86_seg_ldtr : x86_seg_gdtr,
856 &desctab, ctxt)) )
857 return rc;
859 /* Check against descriptor table limit. */
860 if ( ((sel & 0xfff8) + 7) > desctab.limit )
861 goto raise_exn;
863 do {
864 if ( (rc = ops->read(x86_seg_none, desctab.base + (sel & 0xfff8),
865 &val, 4, ctxt)) )
866 return rc;
867 desc.a = val;
868 if ( (rc = ops->read(x86_seg_none, desctab.base + (sel & 0xfff8) + 4,
869 &val, 4, ctxt)) )
870 return rc;
871 desc.b = val;
873 /* Segment present in memory? */
874 if ( !(desc.b & (1u<<15)) )
875 {
876 fault_type = EXC_NP;
877 goto raise_exn;
878 }
880 /* LDT descriptor is a system segment. All others are code/data. */
881 if ( (desc.b & (1u<<12)) == ((seg == x86_seg_ldtr) << 12) )
882 goto raise_exn;
884 dpl = (desc.b >> 13) & 3;
885 rpl = sel & 3;
886 cpl = cs.sel & 3;
888 switch ( seg )
889 {
890 case x86_seg_cs:
891 /* Code segment? */
892 if ( !(desc.b & (1u<<11)) )
893 goto raise_exn;
894 /* Non-conforming segment: check DPL against RPL. */
895 if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) )
896 goto raise_exn;
897 break;
898 case x86_seg_ss:
899 /* Writable data segment? */
900 if ( (desc.b & (5u<<9)) != (1u<<9) )
901 goto raise_exn;
902 if ( (dpl != cpl) || (dpl != rpl) )
903 goto raise_exn;
904 break;
905 case x86_seg_ldtr:
906 /* LDT system segment? */
907 if ( (desc.b & (15u<<8)) != (2u<<8) )
908 goto raise_exn;
909 goto skip_accessed_flag;
910 default:
911 /* Readable code or data segment? */
912 if ( (desc.b & (5u<<9)) == (4u<<9) )
913 goto raise_exn;
914 /* Non-conforming segment: check DPL against RPL and CPL. */
915 if ( ((desc.b & (6u<<9)) != (6u<<9)) && ((dpl < cpl) || (dpl < rpl)) )
916 goto raise_exn;
917 break;
918 }
920 /* Ensure Accessed flag is set. */
921 rc = ((desc.b & 0x100) ? X86EMUL_OKAY :
922 ops->cmpxchg(
923 x86_seg_none, desctab.base + (sel & 0xfff8) + 4, desc.b,
924 desc.b | 0x100, 4, ctxt));
925 } while ( rc == X86EMUL_CMPXCHG_FAILED );
927 if ( rc )
928 return rc;
930 /* Force the Accessed flag in our local copy. */
931 desc.b |= 0x100;
933 skip_accessed_flag:
934 segr.base = (((desc.b << 0) & 0xff000000u) |
935 ((desc.b << 16) & 0x00ff0000u) |
936 ((desc.a >> 16) & 0x0000ffffu));
937 segr.attr.bytes = (((desc.b >> 8) & 0x00ffu) |
938 ((desc.b >> 12) & 0x0f00u));
939 segr.limit = (desc.b & 0x000f0000u) | (desc.a & 0x0000ffffu);
940 if ( segr.attr.fields.g )
941 segr.limit = (segr.limit << 12) | 0xfffu;
942 segr.sel = sel;
943 return ops->write_segment(seg, &segr, ctxt);
945 raise_exn:
946 if ( ops->inject_hw_exception == NULL )
947 return X86EMUL_UNHANDLEABLE;
948 if ( (rc = ops->inject_hw_exception(fault_type, sel & 0xfffc, ctxt)) )
949 return rc;
950 return X86EMUL_EXCEPTION;
951 }
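/*
 * Illustrative aside, not part of this changeset: for the flat 4GiB
 * ring-0 code descriptor 0x00cf9b00:0000ffff (desc.b:desc.a), the
 * unpacking above gives base = 0, attr = 0xc9b (present, DPL 0, code,
 * G and D set) and, because G is set, limit = (0xfffff << 12) | 0xfff
 * = 0xffffffff.
 */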
953 static int
954 load_seg(
955 enum x86_segment seg,
956 uint16_t sel,
957 struct x86_emulate_ctxt *ctxt,
958 struct x86_emulate_ops *ops)
959 {
960 if ( (ops->read_segment == NULL) ||
961 (ops->write_segment == NULL) )
962 return X86EMUL_UNHANDLEABLE;
964 if ( in_realmode(ctxt, ops) )
965 return realmode_load_seg(seg, sel, ctxt, ops);
967 return protmode_load_seg(seg, sel, ctxt, ops);
968 }
970 void *
971 decode_register(
972 uint8_t modrm_reg, struct cpu_user_regs *regs, int highbyte_regs)
973 {
974 void *p;
976 switch ( modrm_reg )
977 {
978 case 0: p = &regs->eax; break;
979 case 1: p = &regs->ecx; break;
980 case 2: p = &regs->edx; break;
981 case 3: p = &regs->ebx; break;
982 case 4: p = (highbyte_regs ?
983 ((unsigned char *)&regs->eax + 1) :
984 (unsigned char *)&regs->esp); break;
985 case 5: p = (highbyte_regs ?
986 ((unsigned char *)&regs->ecx + 1) :
987 (unsigned char *)&regs->ebp); break;
988 case 6: p = (highbyte_regs ?
989 ((unsigned char *)&regs->edx + 1) :
990 (unsigned char *)&regs->esi); break;
991 case 7: p = (highbyte_regs ?
992 ((unsigned char *)&regs->ebx + 1) :
993 (unsigned char *)&regs->edi); break;
994 #if defined(__x86_64__)
995 case 8: p = &regs->r8; break;
996 case 9: p = &regs->r9; break;
997 case 10: p = &regs->r10; break;
998 case 11: p = &regs->r11; break;
999 case 12: p = &regs->r12; break;
1000 case 13: p = &regs->r13; break;
1001 case 14: p = &regs->r14; break;
1002 case 15: p = &regs->r15; break;
1003 #endif
1004 default: p = NULL; break;
1005 }
1007 return p;
1008 }
1010 #define decode_segment_failed x86_seg_tr
1011 enum x86_segment
1012 decode_segment(
1013 uint8_t modrm_reg)
1014 {
1015 switch ( modrm_reg )
1016 {
1017 case 0: return x86_seg_es;
1018 case 1: return x86_seg_cs;
1019 case 2: return x86_seg_ss;
1020 case 3: return x86_seg_ds;
1021 case 4: return x86_seg_fs;
1022 case 5: return x86_seg_gs;
1023 default: break;
1024 }
1025 return decode_segment_failed;
1026 }
1028 int
1029 x86_emulate(
1030 struct x86_emulate_ctxt *ctxt,
1031 struct x86_emulate_ops *ops)
1032 {
1033 /* Shadow copy of register state. Committed on successful emulation. */
1034 struct cpu_user_regs _regs = *ctxt->regs;
1036 uint8_t b, d, sib, sib_index, sib_base, twobyte = 0, rex_prefix = 0;
1037 uint8_t modrm = 0, modrm_mod = 0, modrm_reg = 0, modrm_rm = 0;
1038 unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
1039 #define REPE_PREFIX 1
1040 #define REPNE_PREFIX 2
1041 unsigned int lock_prefix = 0, rep_prefix = 0;
1042 int override_seg = -1, rc = X86EMUL_OKAY;
1043 struct operand src, dst;
1045 /* Data operand effective address (usually computed from ModRM). */
1046 struct operand ea;
1048 /* Default is a memory operand relative to segment DS. */
1049 ea.type = OP_MEM;
1050 ea.mem.seg = x86_seg_ds;
1051 ea.mem.off = 0;
1053 ctxt->retire.byte = 0;
1055 op_bytes = def_op_bytes = ad_bytes = def_ad_bytes = ctxt->addr_size/8;
1056 if ( op_bytes == 8 )
1058 op_bytes = def_op_bytes = 4;
1059 #ifndef __x86_64__
1060 return X86EMUL_UNHANDLEABLE;
1061 #endif
1064 /* Prefix bytes. */
1065 for ( ; ; )
1067 switch ( b = insn_fetch_type(uint8_t) )
1069 case 0x66: /* operand-size override */
1070 op_bytes = def_op_bytes ^ 6;
1071 break;
1072 case 0x67: /* address-size override */
1073 ad_bytes = def_ad_bytes ^ (mode_64bit() ? 12 : 6);
1074 break;
1075 case 0x2e: /* CS override */
1076 override_seg = x86_seg_cs;
1077 break;
1078 case 0x3e: /* DS override */
1079 override_seg = x86_seg_ds;
1080 break;
1081 case 0x26: /* ES override */
1082 override_seg = x86_seg_es;
1083 break;
1084 case 0x64: /* FS override */
1085 override_seg = x86_seg_fs;
1086 break;
1087 case 0x65: /* GS override */
1088 override_seg = x86_seg_gs;
1089 break;
1090 case 0x36: /* SS override */
1091 override_seg = x86_seg_ss;
1092 break;
1093 case 0xf0: /* LOCK */
1094 lock_prefix = 1;
1095 break;
1096 case 0xf2: /* REPNE/REPNZ */
1097 rep_prefix = REPNE_PREFIX;
1098 break;
1099 case 0xf3: /* REP/REPE/REPZ */
1100 rep_prefix = REPE_PREFIX;
1101 break;
1102 case 0x40 ... 0x4f: /* REX */
1103 if ( !mode_64bit() )
1104 goto done_prefixes;
1105 rex_prefix = b;
1106 continue;
1107 default:
1108 goto done_prefixes;
1111 /* Any legacy prefix after a REX prefix nullifies its effect. */
1112 rex_prefix = 0;
1114 done_prefixes:
1116 if ( rex_prefix & 8 ) /* REX.W */
1117 op_bytes = 8;
1119 /* Opcode byte(s). */
1120 d = opcode_table[b];
1121 if ( d == 0 )
1123 /* Two-byte opcode? */
1124 if ( b == 0x0f )
1126 twobyte = 1;
1127 b = insn_fetch_type(uint8_t);
1128 d = twobyte_table[b];
1131 /* Unrecognised? */
1132 if ( d == 0 )
1133 goto cannot_emulate;
1136 /* Lock prefix is allowed only on RMW instructions. */
1137 generate_exception_if((d & Mov) && lock_prefix, EXC_GP, 0);
1139 /* ModRM and SIB bytes. */
1140 if ( d & ModRM )
1142 modrm = insn_fetch_type(uint8_t);
1143 modrm_mod = (modrm & 0xc0) >> 6;
1144 modrm_reg = ((rex_prefix & 4) << 1) | ((modrm & 0x38) >> 3);
1145 modrm_rm = modrm & 0x07;
1147 if ( modrm_mod == 3 )
1149 modrm_rm |= (rex_prefix & 1) << 3;
1150 ea.type = OP_REG;
1151 ea.reg = decode_register(
1152 modrm_rm, &_regs, (d & ByteOp) && (rex_prefix == 0));
1154 else if ( ad_bytes == 2 )
1156 /* 16-bit ModR/M decode. */
1157 switch ( modrm_rm )
1159 case 0:
1160 ea.mem.off = _regs.ebx + _regs.esi;
1161 break;
1162 case 1:
1163 ea.mem.off = _regs.ebx + _regs.edi;
1164 break;
1165 case 2:
1166 ea.mem.seg = x86_seg_ss;
1167 ea.mem.off = _regs.ebp + _regs.esi;
1168 break;
1169 case 3:
1170 ea.mem.seg = x86_seg_ss;
1171 ea.mem.off = _regs.ebp + _regs.edi;
1172 break;
1173 case 4:
1174 ea.mem.off = _regs.esi;
1175 break;
1176 case 5:
1177 ea.mem.off = _regs.edi;
1178 break;
1179 case 6:
1180 if ( modrm_mod == 0 )
1181 break;
1182 ea.mem.seg = x86_seg_ss;
1183 ea.mem.off = _regs.ebp;
1184 break;
1185 case 7:
1186 ea.mem.off = _regs.ebx;
1187 break;
1189 switch ( modrm_mod )
1191 case 0:
1192 if ( modrm_rm == 6 )
1193 ea.mem.off = insn_fetch_type(int16_t);
1194 break;
1195 case 1:
1196 ea.mem.off += insn_fetch_type(int8_t);
1197 break;
1198 case 2:
1199 ea.mem.off += insn_fetch_type(int16_t);
1200 break;
1202 ea.mem.off = truncate_ea(ea.mem.off);
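/*
 * Illustrative aside, not part of this changeset: for "add %al,(%bx,%si)"
 * the bytes are 00 00 -- mod 0, reg 0, rm 0 -- so the case 0 arm above
 * sets ea.mem.off = %bx + %si, with no displacement to fetch, and the
 * sum is then truncated to the 16-bit address width.
 */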
1204 else
1206 /* 32/64-bit ModR/M decode. */
1207 if ( modrm_rm == 4 )
1209 sib = insn_fetch_type(uint8_t);
1210 sib_index = ((sib >> 3) & 7) | ((rex_prefix << 2) & 8);
1211 sib_base = (sib & 7) | ((rex_prefix << 3) & 8);
1212 if ( sib_index != 4 )
1213 ea.mem.off = *(long*)decode_register(sib_index, &_regs, 0);
1214 ea.mem.off <<= (sib >> 6) & 3;
1215 if ( (modrm_mod == 0) && ((sib_base & 7) == 5) )
1216 ea.mem.off += insn_fetch_type(int32_t);
1217 else if ( sib_base == 4 )
1219 ea.mem.seg = x86_seg_ss;
1220 ea.mem.off += _regs.esp;
1221 if ( !twobyte && (b == 0x8f) )
1222 /* POP <rm> computes its EA post increment. */
1223 ea.mem.off += ((mode_64bit() && (op_bytes == 4))
1224 ? 8 : op_bytes);
1226 else if ( sib_base == 5 )
1228 ea.mem.seg = x86_seg_ss;
1229 ea.mem.off += _regs.ebp;
1231 else
1232 ea.mem.off += *(long*)decode_register(sib_base, &_regs, 0);
1234 else
1236 modrm_rm |= (rex_prefix & 1) << 3;
1237 ea.mem.off = *(long *)decode_register(modrm_rm, &_regs, 0);
1238 if ( (modrm_rm == 5) && (modrm_mod != 0) )
1239 ea.mem.seg = x86_seg_ss;
1241 switch ( modrm_mod )
1243 case 0:
1244 if ( (modrm_rm & 7) != 5 )
1245 break;
1246 ea.mem.off = insn_fetch_type(int32_t);
1247 if ( !mode_64bit() )
1248 break;
1249 /* Relative to RIP of next instruction. Argh! */
1250 ea.mem.off += _regs.eip;
1251 if ( (d & SrcMask) == SrcImm )
1252 ea.mem.off += (d & ByteOp) ? 1 :
1253 ((op_bytes == 8) ? 4 : op_bytes);
1254 else if ( (d & SrcMask) == SrcImmByte )
1255 ea.mem.off += 1;
1256 else if ( !twobyte && ((b & 0xfe) == 0xf6) &&
1257 ((modrm_reg & 7) <= 1) )
1258 /* Special case in Grp3: test has immediate operand. */
1259 ea.mem.off += (d & ByteOp) ? 1
1260 : ((op_bytes == 8) ? 4 : op_bytes);
1261 else if ( twobyte && ((b & 0xf7) == 0xa4) )
1262 /* SHLD/SHRD with immediate byte third operand. */
1263 ea.mem.off++;
1264 break;
1265 case 1:
1266 ea.mem.off += insn_fetch_type(int8_t);
1267 break;
1268 case 2:
1269 ea.mem.off += insn_fetch_type(int32_t);
1270 break;
1272 ea.mem.off = truncate_ea(ea.mem.off);
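/*
 * Illustrative aside, not part of this changeset: the RIP-relative
 * adjustments above are needed because the shadow %eip has not yet moved
 * past any immediate when ModRM is decoded; e.g. for "cmpl $1,0x10(%rip)"
 * the disp32 must be biased by the four immediate bytes still to be
 * fetched so that the EA ends up relative to the first byte of the
 * *next* instruction.
 */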
1276 if ( override_seg != -1 )
1277 ea.mem.seg = override_seg;
1279 /* Special instructions do their own operand decoding. */
1280 if ( (d & DstMask) == ImplicitOps )
1281 goto special_insn;
1283 /* Decode and fetch the source operand: register, memory or immediate. */
1284 switch ( d & SrcMask )
1286 case SrcNone:
1287 break;
1288 case SrcReg:
1289 src.type = OP_REG;
1290 if ( d & ByteOp )
1292 src.reg = decode_register(modrm_reg, &_regs, (rex_prefix == 0));
1293 src.val = *(uint8_t *)src.reg;
1294 src.bytes = 1;
1296 else
1298 src.reg = decode_register(modrm_reg, &_regs, 0);
1299 switch ( (src.bytes = op_bytes) )
1301 case 2: src.val = *(uint16_t *)src.reg; break;
1302 case 4: src.val = *(uint32_t *)src.reg; break;
1303 case 8: src.val = *(uint64_t *)src.reg; break;
1306 break;
1307 case SrcMem16:
1308 ea.bytes = 2;
1309 goto srcmem_common;
1310 case SrcMem:
1311 ea.bytes = (d & ByteOp) ? 1 : op_bytes;
1312 srcmem_common:
1313 src = ea;
1314 if ( src.type == OP_REG )
1316 switch ( src.bytes )
1318 case 1: src.val = *(uint8_t *)src.reg; break;
1319 case 2: src.val = *(uint16_t *)src.reg; break;
1320 case 4: src.val = *(uint32_t *)src.reg; break;
1321 case 8: src.val = *(uint64_t *)src.reg; break;
1324 else if ( (rc = ops->read(src.mem.seg, src.mem.off,
1325 &src.val, src.bytes, ctxt)) )
1326 goto done;
1327 break;
1328 case SrcImm:
1329 src.type = OP_IMM;
1330 src.bytes = (d & ByteOp) ? 1 : op_bytes;
1331 if ( src.bytes == 8 ) src.bytes = 4;
1332 /* NB. Immediates are sign-extended as necessary. */
1333 switch ( src.bytes )
1335 case 1: src.val = insn_fetch_type(int8_t); break;
1336 case 2: src.val = insn_fetch_type(int16_t); break;
1337 case 4: src.val = insn_fetch_type(int32_t); break;
1339 break;
1340 case SrcImmByte:
1341 src.type = OP_IMM;
1342 src.bytes = 1;
1343 src.val = insn_fetch_type(int8_t);
1344 break;
1347 /* Decode and fetch the destination operand: register or memory. */
1348 switch ( d & DstMask )
1350 case DstReg:
1351 dst.type = OP_REG;
1352 if ( d & ByteOp )
1354 dst.reg = decode_register(modrm_reg, &_regs, (rex_prefix == 0));
1355 dst.val = *(uint8_t *)dst.reg;
1356 dst.bytes = 1;
1358 else
1360 dst.reg = decode_register(modrm_reg, &_regs, 0);
1361 switch ( (dst.bytes = op_bytes) )
1363 case 2: dst.val = *(uint16_t *)dst.reg; break;
1364 case 4: dst.val = *(uint32_t *)dst.reg; break;
1365 case 8: dst.val = *(uint64_t *)dst.reg; break;
1368 break;
1369 case DstBitBase:
1370 if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
1372 src.val &= (op_bytes << 3) - 1;
1374 else
1376 /*
1377 * EA += BitOffset DIV op_bytes*8
1378 * BitOffset = BitOffset MOD op_bytes*8
1379 * DIV truncates towards negative infinity.
1380 * MOD always produces a positive result.
1381 */
1382 if ( op_bytes == 2 )
1383 src.val = (int16_t)src.val;
1384 else if ( op_bytes == 4 )
1385 src.val = (int32_t)src.val;
1386 if ( (long)src.val < 0 )
1388 unsigned long byte_offset;
1389 byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
1390 ea.mem.off -= byte_offset;
1391 src.val = (byte_offset << 3) + src.val;
1393 else
1395 ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
1396 src.val &= (op_bytes << 3) - 1;
1399 /* Becomes a normal DstMem operation from here on. */
1400 d = (d & ~DstMask) | DstMem;
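/*
 * Illustrative aside, not part of this changeset: with op_bytes == 4,
 * a memory-based "btl %eax,(%edi)" where %eax == -1 takes the negative
 * branch above: byte_offset = 4 + ((0 >> 3) & ~3) = 4, so ea.mem.off
 * drops by four and src.val becomes 32 - 1 = 31, i.e. bit -1 is the top
 * bit of the dword just below the base address.
 */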
1401 case DstMem:
1402 ea.bytes = (d & ByteOp) ? 1 : op_bytes;
1403 dst = ea;
1404 if ( dst.type == OP_REG )
1406 switch ( dst.bytes )
1408 case 1: dst.val = *(uint8_t *)dst.reg; break;
1409 case 2: dst.val = *(uint16_t *)dst.reg; break;
1410 case 4: dst.val = *(uint32_t *)dst.reg; break;
1411 case 8: dst.val = *(uint64_t *)dst.reg; break;
1414 else if ( !(d & Mov) ) /* optimisation - avoid slow emulated read */
1416 if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1417 &dst.val, dst.bytes, ctxt)) )
1418 goto done;
1419 dst.orig_val = dst.val;
1421 break;
1424 /* LOCK prefix allowed only on instructions with memory destination. */
1425 generate_exception_if(lock_prefix && (dst.type != OP_MEM), EXC_GP, 0);
1427 if ( twobyte )
1428 goto twobyte_insn;
1430 switch ( b )
1432 case 0x04 ... 0x05: /* add imm,%%eax */
1433 dst.reg = (unsigned long *)&_regs.eax;
1434 dst.val = _regs.eax;
1435 case 0x00 ... 0x03: add: /* add */
1436 emulate_2op_SrcV("add", src, dst, _regs.eflags);
1437 break;
1439 case 0x0c ... 0x0d: /* or imm,%%eax */
1440 dst.reg = (unsigned long *)&_regs.eax;
1441 dst.val = _regs.eax;
1442 case 0x08 ... 0x0b: or: /* or */
1443 emulate_2op_SrcV("or", src, dst, _regs.eflags);
1444 break;
1446 case 0x14 ... 0x15: /* adc imm,%%eax */
1447 dst.reg = (unsigned long *)&_regs.eax;
1448 dst.val = _regs.eax;
1449 case 0x10 ... 0x13: adc: /* adc */
1450 emulate_2op_SrcV("adc", src, dst, _regs.eflags);
1451 break;
1453 case 0x1c ... 0x1d: /* sbb imm,%%eax */
1454 dst.reg = (unsigned long *)&_regs.eax;
1455 dst.val = _regs.eax;
1456 case 0x18 ... 0x1b: sbb: /* sbb */
1457 emulate_2op_SrcV("sbb", src, dst, _regs.eflags);
1458 break;
1460 case 0x24 ... 0x25: /* and imm,%%eax */
1461 dst.reg = (unsigned long *)&_regs.eax;
1462 dst.val = _regs.eax;
1463 case 0x20 ... 0x23: and: /* and */
1464 emulate_2op_SrcV("and", src, dst, _regs.eflags);
1465 break;
1467 case 0x2c ... 0x2d: /* sub imm,%%eax */
1468 dst.reg = (unsigned long *)&_regs.eax;
1469 dst.val = _regs.eax;
1470 case 0x28 ... 0x2b: sub: /* sub */
1471 emulate_2op_SrcV("sub", src, dst, _regs.eflags);
1472 break;
1474 case 0x34 ... 0x35: /* xor imm,%%eax */
1475 dst.reg = (unsigned long *)&_regs.eax;
1476 dst.val = _regs.eax;
1477 case 0x30 ... 0x33: xor: /* xor */
1478 emulate_2op_SrcV("xor", src, dst, _regs.eflags);
1479 break;
1481 case 0x3c ... 0x3d: /* cmp imm,%%eax */
1482 dst.reg = (unsigned long *)&_regs.eax;
1483 dst.val = _regs.eax;
1484 case 0x38 ... 0x3b: cmp: /* cmp */
1485 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
1486 break;
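/*
 * Illustrative aside, not part of this changeset: the 0x?4/0x?5
 * "imm,%eax" cases above simply redirect dst at %eax and fall through
 * into the shared ALU emulation; the Grp1 opcodes 0x80-0x83 below reach
 * the same add/or/.../cmp labels via their ModRM reg field.
 */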
1488 case 0x62: /* bound */ {
1489 unsigned long src_val2;
1490 int lb, ub, idx;
1491 generate_exception_if(mode_64bit() || (src.type != OP_MEM),
1492 EXC_UD, -1);
1493 if ( (rc = ops->read(src.mem.seg, src.mem.off + op_bytes,
1494 &src_val2, op_bytes, ctxt)) )
1495 goto done;
1496 ub = (op_bytes == 2) ? (int16_t)src_val2 : (int32_t)src_val2;
1497 lb = (op_bytes == 2) ? (int16_t)src.val : (int32_t)src.val;
1498 idx = (op_bytes == 2) ? (int16_t)dst.val : (int32_t)dst.val;
1499 generate_exception_if((idx < lb) || (idx > ub), EXC_BR, -1);
1500 dst.type = OP_NONE;
1501 break;
1504 case 0x63: /* movsxd (x86/64) / arpl (x86/32) */
1505 if ( mode_64bit() )
1507 /* movsxd */
1508 if ( src.type == OP_REG )
1509 src.val = *(int32_t *)src.reg;
1510 else if ( (rc = ops->read(src.mem.seg, src.mem.off,
1511 &src.val, 4, ctxt)) )
1512 goto done;
1513 dst.val = (int32_t)src.val;
1515 else
1517 /* arpl */
1518 uint16_t src_val = dst.val;
1519 dst = src;
1520 _regs.eflags &= ~EFLG_ZF;
1521 _regs.eflags |= ((src_val & 3) > (dst.val & 3)) ? EFLG_ZF : 0;
1522 if ( _regs.eflags & EFLG_ZF )
1523 dst.val = (dst.val & ~3) | (src_val & 3);
1524 else
1525 dst.type = OP_NONE;
1526 generate_exception_if(in_realmode(ctxt, ops), EXC_UD, -1);
1528 break;
1530 case 0x69: /* imul imm16/32 */
1531 case 0x6b: /* imul imm8 */ {
1532 unsigned long src1; /* ModR/M source operand */
1533 if ( ea.type == OP_REG )
1534 src1 = *ea.reg;
1535 else if ( (rc = ops->read(ea.mem.seg, ea.mem.off,
1536 &src1, op_bytes, ctxt)) )
1537 goto done;
1538 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1539 switch ( dst.bytes )
1541 case 2:
1542 dst.val = ((uint32_t)(int16_t)src.val *
1543 (uint32_t)(int16_t)src1);
1544 if ( (int16_t)dst.val != (uint32_t)dst.val )
1545 _regs.eflags |= EFLG_OF|EFLG_CF;
1546 break;
1547 #ifdef __x86_64__
1548 case 4:
1549 dst.val = ((uint64_t)(int32_t)src.val *
1550 (uint64_t)(int32_t)src1);
1551 if ( (int32_t)dst.val != dst.val )
1552 _regs.eflags |= EFLG_OF|EFLG_CF;
1553 break;
1554 #endif
1555 default: {
1556 unsigned long m[2] = { src.val, src1 };
1557 if ( imul_dbl(m) )
1558 _regs.eflags |= EFLG_OF|EFLG_CF;
1559 dst.val = m[0];
1560 break;
1563 break;
1566 case 0x82: /* Grp1 (x86/32 only) */
1567 generate_exception_if(mode_64bit(), EXC_UD, -1);
1568 case 0x80: case 0x81: case 0x83: /* Grp1 */
1569 switch ( modrm_reg & 7 )
1571 case 0: goto add;
1572 case 1: goto or;
1573 case 2: goto adc;
1574 case 3: goto sbb;
1575 case 4: goto and;
1576 case 5: goto sub;
1577 case 6: goto xor;
1578 case 7: goto cmp;
1580 break;
1582 case 0xa8 ... 0xa9: /* test imm,%%eax */
1583 dst.reg = (unsigned long *)&_regs.eax;
1584 dst.val = _regs.eax;
1585 case 0x84 ... 0x85: test: /* test */
1586 emulate_2op_SrcV("test", src, dst, _regs.eflags);
1587 break;
1589 case 0x86 ... 0x87: xchg: /* xchg */
1590 /* Write back the register source. */
1591 switch ( dst.bytes )
1593 case 1: *(uint8_t *)src.reg = (uint8_t)dst.val; break;
1594 case 2: *(uint16_t *)src.reg = (uint16_t)dst.val; break;
1595 case 4: *src.reg = (uint32_t)dst.val; break; /* 64b reg: zero-extend */
1596 case 8: *src.reg = dst.val; break;
1598 /* Write back the memory destination with implicit LOCK prefix. */
1599 dst.val = src.val;
1600 lock_prefix = 1;
1601 break;
1603 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
1604 generate_exception_if((modrm_reg & 7) != 0, EXC_UD, -1);
1605 case 0x88 ... 0x8b: /* mov */
1606 dst.val = src.val;
1607 break;
1609 case 0x8c: /* mov Sreg,r/m */ {
1610 struct segment_register reg;
1611 enum x86_segment seg = decode_segment(modrm_reg);
1612 generate_exception_if(seg == decode_segment_failed, EXC_UD, -1);
1613 fail_if(ops->read_segment == NULL);
1614 if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 )
1615 goto done;
1616 dst.val = reg.sel;
1617 if ( dst.type == OP_MEM )
1618 dst.bytes = 2;
1619 break;
1622 case 0x8e: /* mov r/m,Sreg */ {
1623 enum x86_segment seg = decode_segment(modrm_reg);
1624 generate_exception_if(seg == decode_segment_failed, EXC_UD, -1);
1625 if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 )
1626 goto done;
1627 if ( seg == x86_seg_ss )
1628 ctxt->retire.flags.mov_ss = 1;
1629 dst.type = OP_NONE;
1630 break;
1633 case 0x8d: /* lea */
1634 dst.val = ea.mem.off;
1635 break;
1637 case 0x8f: /* pop (sole member of Grp1a) */
1638 generate_exception_if((modrm_reg & 7) != 0, EXC_UD, -1);
1639 /* 64-bit mode: POP defaults to a 64-bit operand. */
1640 if ( mode_64bit() && (dst.bytes == 4) )
1641 dst.bytes = 8;
1642 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(dst.bytes),
1643 &dst.val, dst.bytes, ctxt)) != 0 )
1644 goto done;
1645 break;
1647 case 0xb0 ... 0xb7: /* mov imm8,r8 */
1648 dst.reg = decode_register(
1649 (b & 7) | ((rex_prefix & 1) << 3), &_regs, (rex_prefix == 0));
1650 dst.val = src.val;
1651 break;
1653 case 0xb8 ... 0xbf: /* mov imm{16,32,64},r{16,32,64} */
1654 if ( dst.bytes == 8 ) /* Fetch more bytes to obtain imm64 */
1655 src.val = ((uint32_t)src.val |
1656 ((uint64_t)insn_fetch_type(uint32_t) << 32));
1657 dst.reg = decode_register(
1658 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1659 dst.val = src.val;
1660 break;
1662 case 0xc0 ... 0xc1: grp2: /* Grp2 */
1663 switch ( modrm_reg & 7 )
1665 case 0: /* rol */
1666 emulate_2op_SrcB("rol", src, dst, _regs.eflags);
1667 break;
1668 case 1: /* ror */
1669 emulate_2op_SrcB("ror", src, dst, _regs.eflags);
1670 break;
1671 case 2: /* rcl */
1672 emulate_2op_SrcB("rcl", src, dst, _regs.eflags);
1673 break;
1674 case 3: /* rcr */
1675 emulate_2op_SrcB("rcr", src, dst, _regs.eflags);
1676 break;
1677 case 4: /* sal/shl */
1678 case 6: /* sal/shl */
1679 emulate_2op_SrcB("sal", src, dst, _regs.eflags);
1680 break;
1681 case 5: /* shr */
1682 emulate_2op_SrcB("shr", src, dst, _regs.eflags);
1683 break;
1684 case 7: /* sar */
1685 emulate_2op_SrcB("sar", src, dst, _regs.eflags);
1686 break;
1688 break;
1690 case 0xc4: /* les */ {
1691 unsigned long sel;
1692 dst.val = x86_seg_es;
1693 les: /* dst.val identifies the segment */
1694 generate_exception_if(src.type != OP_MEM, EXC_UD, -1);
1695 if ( (rc = ops->read(src.mem.seg, src.mem.off + src.bytes,
1696 &sel, 2, ctxt)) != 0 )
1697 goto done;
1698 if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 )
1699 goto done;
1700 dst.val = src.val;
1701 break;
1704 case 0xc5: /* lds */
1705 dst.val = x86_seg_ds;
1706 goto les;
1708 case 0xd0 ... 0xd1: /* Grp2 */
1709 src.val = 1;
1710 goto grp2;
1712 case 0xd2 ... 0xd3: /* Grp2 */
1713 src.val = _regs.ecx;
1714 goto grp2;
1716 case 0xf6 ... 0xf7: /* Grp3 */
1717 switch ( modrm_reg & 7 )
1719 case 0 ... 1: /* test */
1720 /* Special case in Grp3: test has an immediate source operand. */
1721 src.type = OP_IMM;
1722 src.bytes = (d & ByteOp) ? 1 : op_bytes;
1723 if ( src.bytes == 8 ) src.bytes = 4;
1724 switch ( src.bytes )
1726 case 1: src.val = insn_fetch_type(int8_t); break;
1727 case 2: src.val = insn_fetch_type(int16_t); break;
1728 case 4: src.val = insn_fetch_type(int32_t); break;
1730 goto test;
1731 case 2: /* not */
1732 dst.val = ~dst.val;
1733 break;
1734 case 3: /* neg */
1735 emulate_1op("neg", dst, _regs.eflags);
1736 break;
1737 case 4: /* mul */
1738 src = dst;
1739 dst.type = OP_REG;
1740 dst.reg = (unsigned long *)&_regs.eax;
1741 dst.val = *dst.reg;
1742 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1743 switch ( src.bytes )
1745 case 1:
1746 dst.val = (uint8_t)dst.val;
1747 dst.val *= src.val;
1748 if ( (uint8_t)dst.val != (uint16_t)dst.val )
1749 _regs.eflags |= EFLG_OF|EFLG_CF;
1750 dst.bytes = 2;
1751 break;
1752 case 2:
1753 dst.val = (uint16_t)dst.val;
1754 dst.val *= src.val;
1755 if ( (uint16_t)dst.val != (uint32_t)dst.val )
1756 _regs.eflags |= EFLG_OF|EFLG_CF;
1757 *(uint16_t *)&_regs.edx = dst.val >> 16;
1758 break;
1759 #ifdef __x86_64__
1760 case 4:
1761 dst.val = (uint32_t)dst.val;
1762 dst.val *= src.val;
1763 if ( (uint32_t)dst.val != dst.val )
1764 _regs.eflags |= EFLG_OF|EFLG_CF;
1765 _regs.edx = (uint32_t)(dst.val >> 32);
1766 break;
1767 #endif
1768 default: {
1769 unsigned long m[2] = { src.val, dst.val };
1770 if ( mul_dbl(m) )
1771 _regs.eflags |= EFLG_OF|EFLG_CF;
1772 _regs.edx = m[1];
1773 dst.val = m[0];
1774 break;
1777 break;
1778 case 5: /* imul */
1779 src = dst;
1780 dst.type = OP_REG;
1781 dst.reg = (unsigned long *)&_regs.eax;
1782 dst.val = *dst.reg;
1783 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1784 switch ( src.bytes )
1786 case 1:
1787 dst.val = ((uint16_t)(int8_t)src.val *
1788 (uint16_t)(int8_t)dst.val);
1789 if ( (int8_t)dst.val != (uint16_t)dst.val )
1790 _regs.eflags |= EFLG_OF|EFLG_CF;
1791 dst.bytes = 2;
1792 break;
1793 case 2:
1794 dst.val = ((uint32_t)(int16_t)src.val *
1795 (uint32_t)(int16_t)dst.val);
1796 if ( (int16_t)dst.val != (uint32_t)dst.val )
1797 _regs.eflags |= EFLG_OF|EFLG_CF;
1798 *(uint16_t *)&_regs.edx = dst.val >> 16;
1799 break;
1800 #ifdef __x86_64__
1801 case 4:
1802 dst.val = ((uint64_t)(int32_t)src.val *
1803 (uint64_t)(int32_t)dst.val);
1804 if ( (int32_t)dst.val != dst.val )
1805 _regs.eflags |= EFLG_OF|EFLG_CF;
1806 _regs.edx = (uint32_t)(dst.val >> 32);
1807 break;
1808 #endif
1809 default: {
1810 unsigned long m[2] = { src.val, dst.val };
1811 if ( imul_dbl(m) )
1812 _regs.eflags |= EFLG_OF|EFLG_CF;
1813 _regs.edx = m[1];
1814 dst.val = m[0];
1815 break;
1818 break;
1819 case 6: /* div */ {
1820 unsigned long u[2], v;
1821 src = dst;
1822 dst.type = OP_REG;
1823 dst.reg = (unsigned long *)&_regs.eax;
1824 switch ( src.bytes )
1826 case 1:
1827 u[0] = (uint16_t)_regs.eax;
1828 u[1] = 0;
1829 v = (uint8_t)src.val;
1830 generate_exception_if(
1831 div_dbl(u, v) || ((uint8_t)u[0] != (uint16_t)u[0]),
1832 EXC_DE, -1);
1833 dst.val = (uint8_t)u[0];
1834 ((uint8_t *)&_regs.eax)[1] = u[1];
1835 break;
1836 case 2:
1837 u[0] = ((uint32_t)_regs.edx << 16) | (uint16_t)_regs.eax;
1838 u[1] = 0;
1839 v = (uint16_t)src.val;
1840 generate_exception_if(
1841 div_dbl(u, v) || ((uint16_t)u[0] != (uint32_t)u[0]),
1842 EXC_DE, -1);
1843 dst.val = (uint16_t)u[0];
1844 *(uint16_t *)&_regs.edx = u[1];
1845 break;
1846 #ifdef __x86_64__
1847 case 4:
1848 u[0] = (_regs.edx << 32) | (uint32_t)_regs.eax;
1849 u[1] = 0;
1850 v = (uint32_t)src.val;
1851 generate_exception_if(
1852 div_dbl(u, v) || ((uint32_t)u[0] != u[0]),
1853 EXC_DE, -1);
1854 dst.val = (uint32_t)u[0];
1855 _regs.edx = (uint32_t)u[1];
1856 break;
1857 #endif
1858 default:
1859 u[0] = _regs.eax;
1860 u[1] = _regs.edx;
1861 v = src.val;
1862 generate_exception_if(div_dbl(u, v), EXC_DE, -1);
1863 dst.val = u[0];
1864 _regs.edx = u[1];
1865 break;
1867 break;
1869 case 7: /* idiv */ {
1870 unsigned long u[2], v;
1871 src = dst;
1872 dst.type = OP_REG;
1873 dst.reg = (unsigned long *)&_regs.eax;
1874 switch ( src.bytes )
1876 case 1:
1877 u[0] = (int16_t)_regs.eax;
1878 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1879 v = (int8_t)src.val;
1880 generate_exception_if(
1881 idiv_dbl(u, v) || ((int8_t)u[0] != (int16_t)u[0]),
1882 EXC_DE, -1);
1883 dst.val = (int8_t)u[0];
1884 ((int8_t *)&_regs.eax)[1] = u[1];
1885 break;
1886 case 2:
1887 u[0] = (int32_t)((_regs.edx << 16) | (uint16_t)_regs.eax);
1888 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1889 v = (int16_t)src.val;
1890 generate_exception_if(
1891 idiv_dbl(u, v) || ((int16_t)u[0] != (int32_t)u[0]),
1892 EXC_DE, -1);
1893 dst.val = (int16_t)u[0];
1894 *(int16_t *)&_regs.edx = u[1];
1895 break;
1896 #ifdef __x86_64__
1897 case 4:
1898 u[0] = (_regs.edx << 32) | (uint32_t)_regs.eax;
1899 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1900 v = (int32_t)src.val;
1901 generate_exception_if(
1902 idiv_dbl(u, v) || ((int32_t)u[0] != u[0]),
1903 EXC_DE, -1);
1904 dst.val = (int32_t)u[0];
1905 _regs.edx = (uint32_t)u[1];
1906 break;
1907 #endif
1908 default:
1909 u[0] = _regs.eax;
1910 u[1] = _regs.edx;
1911 v = src.val;
1912 generate_exception_if(idiv_dbl(u, v), EXC_DE, -1);
1913 dst.val = u[0];
1914 _regs.edx = u[1];
1915 break;
1916 }
1917 break;
1918 }
1919 default:
1920 goto cannot_emulate;
1921 }
1922 break;
1924 case 0xfe: /* Grp4 */
1925 generate_exception_if((modrm_reg & 7) >= 2, EXC_UD, -1);
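/* Editorial note: the missing 'break' here is deliberate -- Grp4's
 * inc/dec share the Grp5 decode below. */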
1926 case 0xff: /* Grp5 */
1927 switch ( modrm_reg & 7 )
1928 {
1929 case 0: /* inc */
1930 emulate_1op("inc", dst, _regs.eflags);
1931 break;
1932 case 1: /* dec */
1933 emulate_1op("dec", dst, _regs.eflags);
1934 break;
1935 case 2: /* call (near) */
1936 case 4: /* jmp (near) */
1937 if ( (dst.bytes != 8) && mode_64bit() )
1938 {
1939 dst.bytes = op_bytes = 8;
1940 if ( dst.type == OP_REG )
1941 dst.val = *dst.reg;
1942 else if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1943 &dst.val, 8, ctxt)) != 0 )
1944 goto done;
1945 }
1946 src.val = _regs.eip;
1947 _regs.eip = dst.val;
1948 if ( (modrm_reg & 7) == 2 )
1949 goto push; /* call */
1950 dst.type = OP_NONE;
1951 break;
1952 case 3: /* call (far, absolute indirect) */
1953 case 5: /* jmp (far, absolute indirect) */ {
1954 unsigned long sel;
1956 generate_exception_if(dst.type != OP_MEM, EXC_UD, -1);
1958 if ( (rc = ops->read(dst.mem.seg, dst.mem.off+dst.bytes,
1959 &sel, 2, ctxt)) )
1960 goto done;
1962 if ( (modrm_reg & 7) == 3 ) /* call */
1963 {
1964 struct segment_register reg;
1965 fail_if(ops->read_segment == NULL);
1966 if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) ||
1967 (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
1968 reg.sel, op_bytes, ctxt)) ||
1969 (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
1970 _regs.eip, op_bytes, ctxt)) )
1971 goto done;
1972 }
1974 if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
1975 goto done;
1976 _regs.eip = dst.val;
1978 dst.type = OP_NONE;
1979 break;
1981 case 6: /* push */
1982 /* 64-bit mode: PUSH defaults to a 64-bit operand. */
1983 if ( mode_64bit() && (dst.bytes == 4) )
1984 {
1985 dst.bytes = 8;
1986 if ( dst.type == OP_REG )
1987 dst.val = *dst.reg;
1988 else if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1989 &dst.val, 8, ctxt)) != 0 )
1990 goto done;
1991 }
1992 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
1993 dst.val, dst.bytes, ctxt)) != 0 )
1994 goto done;
1995 dst.type = OP_NONE;
1996 break;
1997 case 7:
1998 generate_exception_if(1, EXC_UD, -1);
1999 default:
2000 goto cannot_emulate;
2001 }
2002 break;
2003 }
2005 writeback:
2006 switch ( dst.type )
2007 {
2008 case OP_REG:
2009 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
2010 switch ( dst.bytes )
2011 {
2012 case 1: *(uint8_t *)dst.reg = (uint8_t)dst.val; break;
2013 case 2: *(uint16_t *)dst.reg = (uint16_t)dst.val; break;
2014 case 4: *dst.reg = (uint32_t)dst.val; break; /* 64b: zero-ext */
2015 case 8: *dst.reg = dst.val; break;
2016 }
2017 break;
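/*
 * Editorial note (not in the original source): the 4-byte case relies on
 * the architectural rule that a 32-bit register write in 64-bit mode
 * clears bits 63:32 of the destination, e.g.
 *     movl $1, %eax    ; %rax == 0x0000000000000001 afterwards
 * whereas 8-bit and 16-bit writes leave the upper bits intact.
 */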
2018 case OP_MEM:
2019 if ( !(d & Mov) && (dst.orig_val == dst.val) &&
2020 !ctxt->force_writeback )
2021 /* nothing to do */;
2022 else if ( lock_prefix )
2023 rc = ops->cmpxchg(
2024 dst.mem.seg, dst.mem.off, dst.orig_val,
2025 dst.val, dst.bytes, ctxt);
2026 else
2027 rc = ops->write(
2028 dst.mem.seg, dst.mem.off, dst.val, dst.bytes, ctxt);
2029 if ( rc != 0 )
2030 goto done;
2031 default:
2032 break;
2033 }
2035 /* Commit shadow register state. */
2036 _regs.eflags &= ~EFLG_RF;
2037 *ctxt->regs = _regs;
2038 if ( (_regs.eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
2039 (ops->inject_hw_exception != NULL) )
2040 rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
2042 done:
2043 return rc;
2045 special_insn:
2046 dst.type = OP_NONE;
2048 /*
2049 * The only implicit-operands instructions that may take a LOCK prefix
2050 * are CMPXCHG{8,16}B and MOV to/from CRn/DRn.
2051 */
2052 generate_exception_if(lock_prefix &&
2053 ((b < 0x20) || (b > 0x23)) && /* MOV CRn/DRn */
2054 (b != 0xc7), /* CMPXCHG{8,16}B */
2055 EXC_GP, 0);
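/* Editorial note: in this implicit-operands path the whitelist above
 * appears to match 0F 20-23 (MOV to/from CRn/DRn) and 0F C7 (the
 * CMPXCHG{8,16}B group); any other LOCKed instruction reaching here
 * takes #GP(0). */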
2057 if ( twobyte )
2058 goto twobyte_special_insn;
2060 switch ( b )
2061 {
2062 case 0x06: /* push %%es */ {
2063 struct segment_register reg;
2064 src.val = x86_seg_es;
2065 push_seg:
2066 fail_if(ops->read_segment == NULL);
2067 if ( (rc = ops->read_segment(src.val, &reg, ctxt)) != 0 )
2068 return rc;
2069 /* 64-bit mode: PUSH defaults to a 64-bit operand. */
2070 if ( mode_64bit() && (op_bytes == 4) )
2071 op_bytes = 8;
2072 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
2073 reg.sel, op_bytes, ctxt)) != 0 )
2074 goto done;
2075 break;
2078 case 0x07: /* pop %%es */
2079 src.val = x86_seg_es;
2080 pop_seg:
2081 fail_if(ops->write_segment == NULL);
2082 /* 64-bit mode: POP defaults to a 64-bit operand. */
2083 if ( mode_64bit() && (op_bytes == 4) )
2084 op_bytes = 8;
2085 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
2086 &dst.val, op_bytes, ctxt)) != 0 )
2087 goto done;
2088 if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 )
2089 return rc;
2090 break;
2092 case 0x0e: /* push %%cs */
2093 src.val = x86_seg_cs;
2094 goto push_seg;
2096 case 0x16: /* push %%ss */
2097 src.val = x86_seg_ss;
2098 goto push_seg;
2100 case 0x17: /* pop %%ss */
2101 src.val = x86_seg_ss;
2102 ctxt->retire.flags.mov_ss = 1;
2103 goto pop_seg;
2105 case 0x1e: /* push %%ds */
2106 src.val = x86_seg_ds;
2107 goto push_seg;
2109 case 0x1f: /* pop %%ds */
2110 src.val = x86_seg_ds;
2111 goto pop_seg;
2113 case 0x27: /* daa */ {
2114 uint8_t al = _regs.eax;
2115 unsigned long eflags = _regs.eflags;
2116 generate_exception_if(mode_64bit(), EXC_UD, -1);
2117 _regs.eflags &= ~(EFLG_CF|EFLG_AF);
2118 if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
2119 {
2120 *(uint8_t *)&_regs.eax += 6;
2121 _regs.eflags |= EFLG_AF;
2122 }
2123 if ( (al > 0x99) || (eflags & EFLG_CF) )
2124 {
2125 *(uint8_t *)&_regs.eax += 0x60;
2126 _regs.eflags |= EFLG_CF;
2127 }
2128 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
2129 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
2130 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
2131 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
2132 break;
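/*
 * Worked example (editor's sketch): packed BCD 19 + 28. The preceding ADD
 * leaves AL = 0x41 with AF set (9 + 8 carries out of the low nibble); DAA
 * then adds 6 because AF is set, giving AL = 0x47, the correct BCD sum.
 */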
2135 case 0x2f: /* das */ {
2136 uint8_t al = _regs.eax;
2137 unsigned long eflags = _regs.eflags;
2138 generate_exception_if(mode_64bit(), EXC_UD, -1);
2139 _regs.eflags &= ~(EFLG_CF|EFLG_AF);
2140 if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
2141 {
2142 _regs.eflags |= EFLG_AF;
2143 if ( (al < 6) || (eflags & EFLG_CF) )
2144 _regs.eflags |= EFLG_CF;
2145 *(uint8_t *)&_regs.eax -= 6;
2146 }
2147 if ( (al > 0x99) || (eflags & EFLG_CF) )
2148 {
2149 *(uint8_t *)&_regs.eax -= 0x60;
2150 _regs.eflags |= EFLG_CF;
2151 }
2152 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
2153 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
2154 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
2155 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
2156 break;
2159 case 0x37: /* aaa */
2160 case 0x3f: /* aas */
2161 generate_exception_if(mode_64bit(), EXC_UD, -1);
2162 _regs.eflags &= ~EFLG_CF;
2163 if ( ((uint8_t)_regs.eax > 9) || (_regs.eflags & EFLG_AF) )
2164 {
2165 ((uint8_t *)&_regs.eax)[0] += (b == 0x37) ? 6 : -6;
2166 ((uint8_t *)&_regs.eax)[1] += (b == 0x37) ? 1 : -1;
2167 _regs.eflags |= EFLG_CF | EFLG_AF;
2168 }
2169 ((uint8_t *)&_regs.eax)[0] &= 0x0f;
2170 break;
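/*
 * Worked example (editor's sketch) for AAA: 8 + 7 leaves AL = 0x0f; the
 * value exceeds 9, so AL += 6 (0x15), AH is incremented, CF/AF are set,
 * and the final mask leaves AH:AL = 01:05, i.e. 15 in unpacked BCD.
 */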
2172 case 0x40 ... 0x4f: /* inc/dec reg */
2173 dst.type = OP_REG;
2174 dst.reg = decode_register(b & 7, &_regs, 0);
2175 dst.bytes = op_bytes;
2176 dst.val = *dst.reg;
2177 if ( b & 8 )
2178 emulate_1op("dec", dst, _regs.eflags);
2179 else
2180 emulate_1op("inc", dst, _regs.eflags);
2181 break;
2183 case 0x50 ... 0x57: /* push reg */
2184 src.val = *(unsigned long *)decode_register(
2185 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
2186 goto push;
2188 case 0x58 ... 0x5f: /* pop reg */
2189 dst.type = OP_REG;
2190 dst.reg = decode_register(
2191 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
2192 dst.bytes = op_bytes;
2193 if ( mode_64bit() && (dst.bytes == 4) )
2194 dst.bytes = 8;
2195 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(dst.bytes),
2196 &dst.val, dst.bytes, ctxt)) != 0 )
2197 goto done;
2198 break;
2200 case 0x60: /* pusha */ {
2201 int i;
2202 unsigned long regs[] = {
2203 _regs.eax, _regs.ecx, _regs.edx, _regs.ebx,
2204 _regs.esp, _regs.ebp, _regs.esi, _regs.edi };
2205 generate_exception_if(mode_64bit(), EXC_UD, -1);
2206 for ( i = 0; i < 8; i++ )
2207 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
2208 regs[i], op_bytes, ctxt)) != 0 )
2209 goto done;
2210 break;
2213 case 0x61: /* popa */ {
2214 int i;
2215 unsigned long dummy_esp, *regs[] = {
2216 (unsigned long *)&_regs.edi, (unsigned long *)&_regs.esi,
2217 (unsigned long *)&_regs.ebp, (unsigned long *)&dummy_esp,
2218 (unsigned long *)&_regs.ebx, (unsigned long *)&_regs.edx,
2219 (unsigned long *)&_regs.ecx, (unsigned long *)&_regs.eax };
2220 generate_exception_if(mode_64bit(), EXC_UD, -1);
2221 for ( i = 0; i < 8; i++ )
2222 {
2223 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
2224 &dst.val, op_bytes, ctxt)) != 0 )
2225 goto done;
2226 switch ( op_bytes )
2227 {
2228 case 1: *(uint8_t *)regs[i] = (uint8_t)dst.val; break;
2229 case 2: *(uint16_t *)regs[i] = (uint16_t)dst.val; break;
2230 case 4: *regs[i] = (uint32_t)dst.val; break; /* 64b: zero-ext */
2231 case 8: *regs[i] = dst.val; break;
2232 }
2233 }
2234 break;
2237 case 0x68: /* push imm{16,32,64} */
2238 src.val = ((op_bytes == 2)
2239 ? (int32_t)insn_fetch_type(int16_t)
2240 : insn_fetch_type(int32_t));
2241 goto push;
2243 case 0x6a: /* push imm8 */
2244 src.val = insn_fetch_type(int8_t);
2245 push:
2246 d |= Mov; /* force writeback */
2247 dst.type = OP_MEM;
2248 dst.bytes = op_bytes;
2249 if ( mode_64bit() && (dst.bytes == 4) )
2250 dst.bytes = 8;
2251 dst.val = src.val;
2252 dst.mem.seg = x86_seg_ss;
2253 dst.mem.off = sp_pre_dec(dst.bytes);
2254 break;
2256 case 0x6c ... 0x6d: /* ins %dx,%es:%edi */ {
2257 unsigned long nr_reps = get_rep_prefix();
2258 generate_exception_if(!mode_iopl(), EXC_GP, 0);
2259 dst.bytes = !(b & 1) ? 1 : (op_bytes == 8) ? 4 : op_bytes;
2260 dst.mem.seg = x86_seg_es;
2261 dst.mem.off = truncate_ea(_regs.edi);
2262 if ( (nr_reps > 1) && (ops->rep_ins != NULL) &&
2263 ((rc = ops->rep_ins((uint16_t)_regs.edx, dst.mem.seg,
2264 dst.mem.off, dst.bytes,
2265 &nr_reps, ctxt)) != X86EMUL_UNHANDLEABLE) )
2266 {
2267 if ( rc != 0 )
2268 goto done;
2269 }
2270 else
2271 {
2272 fail_if(ops->read_io == NULL);
2273 if ( (rc = ops->read_io((uint16_t)_regs.edx, dst.bytes,
2274 &dst.val, ctxt)) != 0 )
2275 goto done;
2276 dst.type = OP_MEM;
2277 nr_reps = 1;
2278 }
2279 register_address_increment(
2280 _regs.edi,
2281 nr_reps * ((_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes));
2282 put_rep_prefix(nr_reps);
2283 break;
2286 case 0x6e ... 0x6f: /* outs %esi,%dx */ {
2287 unsigned long nr_reps = get_rep_prefix();
2288 generate_exception_if(!mode_iopl(), EXC_GP, 0);
2289 dst.bytes = !(b & 1) ? 1 : (op_bytes == 8) ? 4 : op_bytes;
2290 if ( (nr_reps > 1) && (ops->rep_outs != NULL) &&
2291 ((rc = ops->rep_outs(ea.mem.seg, truncate_ea(_regs.esi),
2292 (uint16_t)_regs.edx, dst.bytes,
2293 &nr_reps, ctxt)) != X86EMUL_UNHANDLEABLE) )
2294 {
2295 if ( rc != 0 )
2296 goto done;
2297 }
2298 else
2299 {
2300 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
2301 &dst.val, dst.bytes, ctxt)) != 0 )
2302 goto done;
2303 fail_if(ops->write_io == NULL);
2304 if ( (rc = ops->write_io((uint16_t)_regs.edx, dst.bytes,
2305 dst.val, ctxt)) != 0 )
2306 goto done;
2307 nr_reps = 1;
2308 }
2309 register_address_increment(
2310 _regs.esi,
2311 nr_reps * ((_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes));
2312 put_rep_prefix(nr_reps);
2313 break;
2316 case 0x70 ... 0x7f: /* jcc (short) */ {
2317 int rel = insn_fetch_type(int8_t);
2318 if ( test_cc(b, _regs.eflags) )
2319 jmp_rel(rel);
2320 break;
2323 case 0x90: /* nop / xchg %%r8,%%rax */
2324 if ( !(rex_prefix & 1) )
2325 break; /* nop */
2327 case 0x91 ... 0x97: /* xchg reg,%%rax */
2328 src.type = dst.type = OP_REG;
2329 src.bytes = dst.bytes = op_bytes;
2330 src.reg = (unsigned long *)&_regs.eax;
2331 src.val = *src.reg;
2332 dst.reg = decode_register(
2333 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
2334 dst.val = *dst.reg;
2335 goto xchg;
2337 case 0x98: /* cbw/cwde/cdqe */
2338 switch ( op_bytes )
2339 {
2340 case 2: *(int16_t *)&_regs.eax = (int8_t)_regs.eax; break; /* cbw */
2341 case 4: _regs.eax = (uint32_t)(int16_t)_regs.eax; break; /* cwde */
2342 case 8: _regs.eax = (int32_t)_regs.eax; break; /* cdqe */
2343 }
2344 break;
2346 case 0x99: /* cwd/cdq/cqo */
2347 switch ( op_bytes )
2348 {
2349 case 2:
2350 *(int16_t *)&_regs.edx = ((int16_t)_regs.eax < 0) ? -1 : 0;
2351 break;
2352 case 4:
2353 _regs.edx = (uint32_t)(((int32_t)_regs.eax < 0) ? -1 : 0);
2354 break;
2355 case 8:
2356 _regs.edx = ((int64_t)_regs.eax < 0) ? -1 : 0;
2357 break;
2358 }
2359 break;
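/* Editorial sketch: all three forms replicate the accumulator's sign bit
 * into the data register, e.g. cdq with %eax = 0x80000000 yields
 * %edx = 0xffffffff. */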
2361 case 0x9a: /* call (far, absolute) */ {
2362 struct segment_register reg;
2363 uint16_t sel;
2364 uint32_t eip;
2366 fail_if(ops->read_segment == NULL);
2367 generate_exception_if(mode_64bit(), EXC_UD, -1);
2369 eip = insn_fetch_bytes(op_bytes);
2370 sel = insn_fetch_type(uint16_t);
2372 if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) ||
2373 (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
2374 reg.sel, op_bytes, ctxt)) ||
2375 (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
2376 _regs.eip, op_bytes, ctxt)) )
2377 goto done;
2379 if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
2380 goto done;
2381 _regs.eip = eip;
2382 break;
2385 case 0x9b: /* wait/fwait */
2386 __emulate_fpu_insn("fwait");
2387 break;
2389 case 0x9c: /* pushf */
2390 src.val = _regs.eflags;
2391 goto push;
2393 case 0x9d: /* popf */ {
2394 uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
2395 if ( !mode_iopl() )
2396 mask |= EFLG_IOPL;
2397 /* 64-bit mode: POP defaults to a 64-bit operand. */
2398 if ( mode_64bit() && (op_bytes == 4) )
2399 op_bytes = 8;
2400 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
2401 &dst.val, op_bytes, ctxt)) != 0 )
2402 goto done;
2403 if ( op_bytes == 2 )
2404 dst.val = (uint16_t)dst.val | (_regs.eflags & 0xffff0000u);
2405 dst.val &= 0x257fd5;
2406 _regs.eflags &= mask;
2407 _regs.eflags |= (uint32_t)(dst.val & ~mask) | 0x02;
2408 break;
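/*
 * Editorial note: the 0x257fd5 mask keeps only the writable EFLAGS bits
 * (CF PF AF ZF SF TF IF DF OF IOPL NT RF AC ID), and the '| 0x02'
 * re-asserts the always-set reserved bit 1.
 */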
2411 case 0x9e: /* sahf */
2412 *(uint8_t *)&_regs.eflags = (((uint8_t *)&_regs.eax)[1] & 0xd7) | 0x02;
2413 break;
2415 case 0x9f: /* lahf */
2416 ((uint8_t *)&_regs.eax)[1] = (_regs.eflags & 0xd7) | 0x02;
2417 break;
2419 case 0xa0 ... 0xa1: /* mov mem.offs,{%al,%ax,%eax,%rax} */
2420 /* Source EA is not encoded via ModRM. */
2421 dst.type = OP_REG;
2422 dst.reg = (unsigned long *)&_regs.eax;
2423 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
2424 if ( (rc = ops->read(ea.mem.seg, insn_fetch_bytes(ad_bytes),
2425 &dst.val, dst.bytes, ctxt)) != 0 )
2426 goto done;
2427 break;
2429 case 0xa2 ... 0xa3: /* mov {%al,%ax,%eax,%rax},mem.offs */
2430 /* Destination EA is not encoded via ModRM. */
2431 dst.type = OP_MEM;
2432 dst.mem.seg = ea.mem.seg;
2433 dst.mem.off = insn_fetch_bytes(ad_bytes);
2434 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
2435 dst.val = (unsigned long)_regs.eax;
2436 break;
2438 case 0xa4 ... 0xa5: /* movs */ {
2439 unsigned long nr_reps = get_rep_prefix();
2440 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
2441 dst.mem.seg = x86_seg_es;
2442 dst.mem.off = truncate_ea(_regs.edi);
2443 if ( (nr_reps > 1) && (ops->rep_movs != NULL) &&
2444 ((rc = ops->rep_movs(ea.mem.seg, truncate_ea(_regs.esi),
2445 dst.mem.seg, dst.mem.off, dst.bytes,
2446 &nr_reps, ctxt)) != X86EMUL_UNHANDLEABLE) )
2447 {
2448 if ( rc != 0 )
2449 goto done;
2450 }
2451 else
2452 {
2453 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
2454 &dst.val, dst.bytes, ctxt)) != 0 )
2455 goto done;
2456 dst.type = OP_MEM;
2457 nr_reps = 1;
2458 }
2459 register_address_increment(
2460 _regs.esi,
2461 nr_reps * ((_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes));
2462 register_address_increment(
2463 _regs.edi,
2464 nr_reps * ((_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes));
2465 put_rep_prefix(nr_reps);
2466 break;
2469 case 0xa6 ... 0xa7: /* cmps */ {
2470 unsigned long next_eip = _regs.eip;
2471 get_rep_prefix();
2472 src.bytes = dst.bytes = (d & ByteOp) ? 1 : op_bytes;
2473 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
2474 &dst.val, dst.bytes, ctxt)) ||
2475 (rc = ops->read(x86_seg_es, truncate_ea(_regs.edi),
2476 &src.val, src.bytes, ctxt)) )
2477 goto done;
2478 register_address_increment(
2479 _regs.esi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
2480 register_address_increment(
2481 _regs.edi, (_regs.eflags & EFLG_DF) ? -src.bytes : src.bytes);
2482 put_rep_prefix(1);
2483 /* cmp: dst - src ==> src=*%%edi,dst=*%%esi ==> *%%esi - *%%edi */
2484 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
2485 if ( ((rep_prefix == REPE_PREFIX) && !(_regs.eflags & EFLG_ZF)) ||
2486 ((rep_prefix == REPNE_PREFIX) && (_regs.eflags & EFLG_ZF)) )
2487 _regs.eip = next_eip;
2488 break;
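/*
 * Editorial note: only one string iteration is emulated per pass.
 * put_rep_prefix() appears to rewind %eip so a REP-prefixed CMPS is
 * re-executed, while the check above advances %eip past the instruction
 * once the REPE/REPNE termination condition is met.
 */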
2491 case 0xaa ... 0xab: /* stos */ {
2492 /* unsigned long max_reps = */get_rep_prefix();
2493 dst.type = OP_MEM;
2494 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
2495 dst.mem.seg = x86_seg_es;
2496 dst.mem.off = truncate_ea(_regs.edi);
2497 dst.val = _regs.eax;
2498 register_address_increment(
2499 _regs.edi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
2500 put_rep_prefix(1);
2501 break;
2504 case 0xac ... 0xad: /* lods */ {
2505 /* unsigned long max_reps = */get_rep_prefix();
2506 dst.type = OP_REG;
2507 dst.bytes = (d & ByteOp) ? 1 : op_bytes;
2508 dst.reg = (unsigned long *)&_regs.eax;
2509 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
2510 &dst.val, dst.bytes, ctxt)) != 0 )
2511 goto done;
2512 register_address_increment(
2513 _regs.esi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
2514 put_rep_prefix(1);
2515 break;
2518 case 0xae ... 0xaf: /* scas */ {
2519 unsigned long next_eip = _regs.eip;
2520 get_rep_prefix();
2521 src.bytes = dst.bytes = (d & ByteOp) ? 1 : op_bytes;
2522 dst.val = _regs.eax;
2523 if ( (rc = ops->read(x86_seg_es, truncate_ea(_regs.edi),
2524 &src.val, src.bytes, ctxt)) != 0 )
2525 goto done;
2526 register_address_increment(
2527 _regs.edi, (_regs.eflags & EFLG_DF) ? -src.bytes : src.bytes);
2528 put_rep_prefix(1);
2529 /* cmp: dst - src ==> src=*%%edi,dst=%%eax ==> %%eax - *%%edi */
2530 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
2531 if ( ((rep_prefix == REPE_PREFIX) && !(_regs.eflags & EFLG_ZF)) ||
2532 ((rep_prefix == REPNE_PREFIX) && (_regs.eflags & EFLG_ZF)) )
2533 _regs.eip = next_eip;
2534 break;
2537 case 0xc2: /* ret imm16 (near) */
2538 case 0xc3: /* ret (near) */ {
2539 int offset = (b == 0xc2) ? insn_fetch_type(uint16_t) : 0;
2540 op_bytes = mode_64bit() ? 8 : op_bytes;
2541 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes + offset),
2542 &dst.val, op_bytes, ctxt)) != 0 )
2543 goto done;
2544 _regs.eip = dst.val;
2545 break;
2548 case 0xc8: /* enter imm16,imm8 */ {
2549 uint16_t size = insn_fetch_type(uint16_t);
2550 uint8_t depth = insn_fetch_type(uint8_t) & 31;
2551 int i;
2553 dst.type = OP_REG;
2554 dst.bytes = (mode_64bit() && (op_bytes == 4)) ? 8 : op_bytes;
2555 dst.reg = (unsigned long *)&_regs.ebp;
2556 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
2557 _regs.ebp, dst.bytes, ctxt)) )
2558 goto done;
2559 dst.val = _regs.esp;
2561 if ( depth > 0 )
2562 {
2563 for ( i = 1; i < depth; i++ )
2564 {
2565 unsigned long ebp, temp_data;
2566 ebp = truncate_word(_regs.ebp - i*dst.bytes, ctxt->sp_size/8);
2567 if ( (rc = ops->read(x86_seg_ss, ebp,
2568 &temp_data, dst.bytes, ctxt)) ||
2569 (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
2570 temp_data, dst.bytes, ctxt)) )
2571 goto done;
2572 }
2573 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
2574 dst.val, dst.bytes, ctxt)) )
2575 goto done;
2576 }
2578 sp_pre_dec(size);
2579 break;
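/*
 * Editorial sketch of ENTER size,depth as emulated above:
 *     push %ebp                   ; saved frame pointer
 *     frame = %esp
 *     push depth-1 enclosing frame pointers (fetched via ops->read)
 *     push frame
 *     %ebp = frame (via the register writeback); %esp -= size
 */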
2582 case 0xc9: /* leave */
2583 /* First writeback, to %%esp. */
2584 dst.type = OP_REG;
2585 dst.bytes = (mode_64bit() && (op_bytes == 4)) ? 8 : op_bytes;
2586 dst.reg = (unsigned long *)&_regs.esp;
2587 dst.val = _regs.ebp;
2589 /* Flush first writeback, since there is a second. */
2590 switch ( dst.bytes )
2591 {
2592 case 1: *(uint8_t *)dst.reg = (uint8_t)dst.val; break;
2593 case 2: *(uint16_t *)dst.reg = (uint16_t)dst.val; break;
2594 case 4: *dst.reg = (uint32_t)dst.val; break; /* 64b: zero-ext */
2595 case 8: *dst.reg = dst.val; break;
2596 }
2598 /* Second writeback, to %%ebp. */
2599 dst.reg = (unsigned long *)&_regs.ebp;
2600 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(dst.bytes),
2601 &dst.val, dst.bytes, ctxt)) )
2602 goto done;
2603 break;
2605 case 0xca: /* ret imm16 (far) */
2606 case 0xcb: /* ret (far) */ {
2607 int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0;
2608 op_bytes = mode_64bit() ? 8 : op_bytes;
2609 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
2610 &dst.val, op_bytes, ctxt)) ||
2611 (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes + offset),
2612 &src.val, op_bytes, ctxt)) ||
2613 (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) )
2614 goto done;
2615 _regs.eip = dst.val;
2616 break;
2619 case 0xcc: /* int3 */
2620 src.val = EXC_BP;
2621 goto swint;
2623 case 0xcd: /* int imm8 */
2624 src.val = insn_fetch_type(uint8_t);
2625 swint:
2626 fail_if(ops->inject_sw_interrupt == NULL);
2627 rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
2628 ctxt) ? : X86EMUL_EXCEPTION;
2629 goto done;
2631 case 0xce: /* into */
2632 generate_exception_if(mode_64bit(), EXC_UD, -1);
2633 if ( !(_regs.eflags & EFLG_OF) )
2634 break;
2635 src.val = EXC_OF;
2636 goto swint;
2638 case 0xcf: /* iret */ {
2639 unsigned long cs, eip, eflags;
2640 uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
2641 if ( !mode_iopl() )
2642 mask |= EFLG_IOPL;
2643 fail_if(!in_realmode(ctxt, ops));
2644 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
2645 &eip, op_bytes, ctxt)) ||
2646 (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
2647 &cs, op_bytes, ctxt)) ||
2648 (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
2649 &eflags, op_bytes, ctxt)) )
2650 goto done;
2651 if ( op_bytes == 2 )
2652 eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u);
2653 eflags &= 0x257fd5;
2654 _regs.eflags &= mask;
2655 _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02;
2656 _regs.eip = eip;
2657 if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 )
2658 goto done;
2659 break;
2662 case 0xd4: /* aam */ {
2663 unsigned int base = insn_fetch_type(uint8_t);
2664 uint8_t al = _regs.eax;
2665 generate_exception_if(mode_64bit(), EXC_UD, -1);
2666 generate_exception_if(base == 0, EXC_DE, -1);
2667 *(uint16_t *)&_regs.eax = ((al / base) << 8) | (al % base);
2668 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
2669 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
2670 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
2671 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
2672 break;
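/* Worked example (editor's sketch): AL = 53 with the default base 10
 * gives AH = 5, AL = 3 -- binary to unpacked BCD. A zero base faults
 * with #DE, as on hardware. */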
2675 case 0xd5: /* aad */ {
2676 unsigned int base = insn_fetch_type(uint8_t);
2677 uint16_t ax = _regs.eax;
2678 generate_exception_if(mode_64bit(), EXC_UD, -1);
2679 *(uint16_t *)&_regs.eax = (uint8_t)(ax + ((ax >> 8) * base));
2680 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
2681 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
2682 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
2683 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
2684 break;
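/* Worked example (editor's sketch): AX = 0x0305 with base 10 becomes
 * AL = 3*10 + 5 = 0x23 and AH = 0, undoing the AAM split above. */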
2687 case 0xd6: /* salc */
2688 generate_exception_if(mode_64bit(), EXC_UD, -1);
2689 *(uint8_t *)&_regs.eax = (_regs.eflags & EFLG_CF) ? 0xff : 0x00;
2690 break;
2692 case 0xd7: /* xlat */ {
2693 unsigned long al = (uint8_t)_regs.eax;
2694 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.ebx + al),
2695 &al, 1, ctxt)) != 0 )
2696 goto done;
2697 *(uint8_t *)&_regs.eax = al;
2698 break;
2701 case 0xd9: /* FPU 0xd9 */
2702 fail_if(ops->load_fpu_ctxt == NULL);
2703 ops->load_fpu_ctxt(ctxt);
2704 switch ( modrm )
2705 {
2706 case 0xc0: __emulate_fpu_insn(".byte 0xd9,0xc0"); break;
2707 case 0xc1: __emulate_fpu_insn(".byte 0xd9,0xc1"); break;
2708 case 0xc2: __emulate_fpu_insn(".byte 0xd9,0xc2"); break;
2709 case 0xc3: __emulate_fpu_insn(".byte 0xd9,0xc3"); break;
2710 case 0xc4: __emulate_fpu_insn(".byte 0xd9,0xc4"); break;
2711 case 0xc5: __emulate_fpu_insn(".byte 0xd9,0xc5"); break;
2712 case 0xc6: __emulate_fpu_insn(".byte 0xd9,0xc6"); break;
2713 case 0xc7: __emulate_fpu_insn(".byte 0xd9,0xc7"); break;
2714 case 0xe0: __emulate_fpu_insn(".byte 0xd9,0xe0"); break;
2715 case 0xe8: __emulate_fpu_insn(".byte 0xd9,0xe8"); break;
2716 case 0xee: __emulate_fpu_insn(".byte 0xd9,0xee"); break;
2717 default:
2718 fail_if((modrm_reg & 7) != 7);
2719 fail_if(modrm >= 0xc0);
2720 /* fnstcw m2byte */
2721 ea.bytes = 2;
2722 dst = ea;
2723 asm volatile ( "fnstcw %0" : "=m" (dst.val) );
2724 }
2725 break;
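/* Editorial note: the byte pairs above decode to fld %st(0)..%st(7)
 * (d9 c0-c7), fchs (d9 e0), fld1 (d9 e8) and fldz (d9 ee). */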
2727 case 0xdb: /* FPU 0xdb */
2728 fail_if(ops->load_fpu_ctxt == NULL);
2729 ops->load_fpu_ctxt(ctxt);
2730 fail_if(modrm != 0xe3);
2731 /* fninit */
2732 asm volatile ( "fninit" );
2733 break;
2735 case 0xdd: /* FPU 0xdd */
2736 fail_if(ops->load_fpu_ctxt == NULL);
2737 ops->load_fpu_ctxt(ctxt);
2738 fail_if((modrm_reg & 7) != 7);
2739 fail_if(modrm >= 0xc0);
2740 /* fnstsw m2byte */
2741 ea.bytes = 2;
2742 dst = ea;
2743 asm volatile ( "fnstsw %0" : "=m" (dst.val) );
2744 break;
2746 case 0xde: /* FPU 0xde */
2747 fail_if(ops->load_fpu_ctxt == NULL);
2748 ops->load_fpu_ctxt(ctxt);
2749 switch ( modrm )
2750 {
2751 case 0xd9: __emulate_fpu_insn(".byte 0xde,0xd9"); break;
2752 case 0xf8: __emulate_fpu_insn(".byte 0xde,0xf8"); break;
2753 case 0xf9: __emulate_fpu_insn(".byte 0xde,0xf9"); break;
2754 case 0xfa: __emulate_fpu_insn(".byte 0xde,0xfa"); break;
2755 case 0xfb: __emulate_fpu_insn(".byte 0xde,0xfb"); break;
2756 case 0xfc: __emulate_fpu_insn(".byte 0xde,0xfc"); break;
2757 case 0xfd: __emulate_fpu_insn(".byte 0xde,0xfd"); break;
2758 case 0xfe: __emulate_fpu_insn(".byte 0xde,0xfe"); break;
2759 case 0xff: __emulate_fpu_insn(".byte 0xde,0xff"); break;
2760 default: goto cannot_emulate;
2761 }
2762 break;
2764 case 0xdf: /* FPU 0xdf */
2765 fail_if(ops->load_fpu_ctxt == NULL);
2766 ops->load_fpu_ctxt(ctxt);
2767 fail_if(modrm != 0xe0);
2768 /* fnstsw %ax */
2769 dst.bytes = 2;
2770 dst.type = OP_REG;
2771 dst.reg = (unsigned long *)&_regs.eax;
2772 asm volatile ( "fnstsw %0" : "=m" (dst.val) );
2773 break;
2775 case 0xe0 ... 0xe2: /* loop{,z,nz} */ {
2776 int rel = insn_fetch_type(int8_t);
2777 int do_jmp = !(_regs.eflags & EFLG_ZF); /* loopnz */
2778 if ( b == 0xe1 )
2779 do_jmp = !do_jmp; /* loopz */
2780 else if ( b == 0xe2 )
2781 do_jmp = 1; /* loop */
2782 switch ( ad_bytes )
2783 {
2784 case 2:
2785 do_jmp &= --(*(uint16_t *)&_regs.ecx) != 0;
2786 break;
2787 case 4:
2788 do_jmp &= --(*(uint32_t *)&_regs.ecx) != 0;
2789 _regs.ecx = (uint32_t)_regs.ecx; /* zero-extend in 64-bit mode */
2790 break;
2791 default: /* case 8: */
2792 do_jmp &= --_regs.ecx != 0;
2793 break;
2794 }
2795 if ( do_jmp )
2796 jmp_rel(rel);
2797 break;
2800 case 0xe3: /* jcxz/jecxz (short) */ {
2801 int rel = insn_fetch_type(int8_t);
2802 if ( (ad_bytes == 2) ? !(uint16_t)_regs.ecx :
2803 (ad_bytes == 4) ? !(uint32_t)_regs.ecx : !_regs.ecx )
2804 jmp_rel(rel);
2805 break;
2808 case 0xe4: /* in imm8,%al */
2809 case 0xe5: /* in imm8,%eax */
2810 case 0xe6: /* out %al,imm8 */
2811 case 0xe7: /* out %eax,imm8 */
2812 case 0xec: /* in %dx,%al */
2813 case 0xed: /* in %dx,%eax */
2814 case 0xee: /* out %al,%dx */
2815 case 0xef: /* out %eax,%dx */ {
2816 unsigned int port = ((b < 0xe8)
2817 ? insn_fetch_type(uint8_t)
2818 : (uint16_t)_regs.edx);
2819 generate_exception_if(!mode_iopl(), EXC_GP, 0);
2820 op_bytes = !(b & 1) ? 1 : (op_bytes == 8) ? 4 : op_bytes;
2821 if ( b & 2 )
2822 {
2823 /* out */
2824 fail_if(ops->write_io == NULL);
2825 rc = ops->write_io(port, op_bytes, _regs.eax, ctxt);
2826 }
2828 else
2829 {
2830 /* in */
2831 dst.type = OP_REG;
2832 dst.bytes = op_bytes;
2833 dst.reg = (unsigned long *)&_regs.eax;
2834 fail_if(ops->read_io == NULL);
2835 rc = ops->read_io(port, dst.bytes, &dst.val, ctxt);
2836 }
2837 if ( rc != 0 )
2838 goto done;
2839 break;
2842 case 0xe8: /* call (near) */ {
2843 int rel = (((op_bytes == 2) && !mode_64bit())
2844 ? (int32_t)insn_fetch_type(int16_t)
2845 : insn_fetch_type(int32_t));
2846 op_bytes = mode_64bit() ? 8 : op_bytes;
2847 src.val = _regs.eip;
2848 jmp_rel(rel);
2849 goto push;
2852 case 0xe9: /* jmp (near) */ {
2853 int rel = (((op_bytes == 2) && !mode_64bit())
2854 ? (int32_t)insn_fetch_type(int16_t)
2855 : insn_fetch_type(int32_t));
2856 jmp_rel(rel);
2857 break;
2860 case 0xea: /* jmp (far, absolute) */ {
2861 uint16_t sel;
2862 uint32_t eip;
2863 generate_exception_if(mode_64bit(), EXC_UD, -1);
2864 eip = insn_fetch_bytes(op_bytes);
2865 sel = insn_fetch_type(uint16_t);
2866 if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
2867 goto done;
2868 _regs.eip = eip;
2869 break;
2872 case 0xeb: /* jmp (short) */ {
2873 int rel = insn_fetch_type(int8_t);
2874 jmp_rel(rel);
2875 break;
2878 case 0xf1: /* int1 (icebp) */
2879 src.val = EXC_DB;
2880 goto swint;
2882 case 0xf4: /* hlt */
2883 ctxt->retire.flags.hlt = 1;
2884 break;
2886 case 0xf5: /* cmc */
2887 _regs.eflags ^= EFLG_CF;
2888 break;
2890 case 0xf8: /* clc */
2891 _regs.eflags &= ~EFLG_CF;
2892 break;
2894 case 0xf9: /* stc */
2895 _regs.eflags |= EFLG_CF;
2896 break;
2898 case 0xfa: /* cli */
2899 generate_exception_if(!mode_iopl(), EXC_GP, 0);
2900 _regs.eflags &= ~EFLG_IF;
2901 break;
2903 case 0xfb: /* sti */
2904 generate_exception_if(!mode_iopl(), EXC_GP, 0);
2905 if ( !(_regs.eflags & EFLG_IF) )
2906 {
2907 _regs.eflags |= EFLG_IF;
2908 ctxt->retire.flags.sti = 1;
2909 }
2910 break;
2912 case 0xfc: /* cld */
2913 _regs.eflags &= ~EFLG_DF;
2914 break;
2916 case 0xfd: /* std */
2917 _regs.eflags |= EFLG_DF;
2918 break;
2919 }
2920 goto writeback;
2922 twobyte_insn:
2923 switch ( b )
2924 {
2925 case 0x40 ... 0x4f: /* cmovcc */
2926 dst.val = src.val;
2927 if ( !test_cc(b, _regs.eflags) )
2928 dst.type = OP_NONE;
2929 break;
2931 case 0x90 ... 0x9f: /* setcc */
2932 dst.val = test_cc(b, _regs.eflags);
2933 break;
2935 case 0xb0 ... 0xb1: /* cmpxchg */
2936 /* Save real source value, then compare EAX against destination. */
2937 src.orig_val = src.val;
2938 src.val = _regs.eax;
2939 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
2940 if ( _regs.eflags & EFLG_ZF )
2941 {
2942 /* Success: write back to memory. */
2943 dst.val = src.orig_val;
2944 }
2945 else
2946 {
2947 /* Failure: write the value we saw to EAX. */
2948 dst.type = OP_REG;
2949 dst.reg = (unsigned long *)&_regs.eax;
2950 }
2951 break;
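/*
 * Editorial note: on success the destination is written back with the
 * original source value; on failure the writeback is redirected so %eax
 * receives the value actually found at the destination, matching the ISA
 * definition of CMPXCHG.
 */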
2953 case 0xa3: bt: /* bt */
2954 emulate_2op_SrcV_nobyte("bt", src, dst, _regs.eflags);
2955 break;
2957 case 0xa4: /* shld imm8,r,r/m */
2958 case 0xa5: /* shld %%cl,r,r/m */
2959 case 0xac: /* shrd imm8,r,r/m */
2960 case 0xad: /* shrd %%cl,r,r/m */ {
2961 uint8_t shift, width = dst.bytes << 3;
2962 shift = (b & 1) ? (uint8_t)_regs.ecx : insn_fetch_type(uint8_t);
2963 if ( (shift &= width - 1) == 0 )
2964 break;
2965 dst.orig_val = truncate_word(dst.val, dst.bytes);
2966 dst.val = ((shift == width) ? src.val :
2967 (b & 8) ?
2968 /* shrd */
2969 ((dst.orig_val >> shift) |
2970 truncate_word(src.val << (width - shift), dst.bytes)) :
2971 /* shld */
2972 ((dst.orig_val << shift) |
2973 ((src.val >> (width - shift)) & ((1ull << shift) - 1))));
2974 dst.val = truncate_word(dst.val, dst.bytes);
2975 _regs.eflags &= ~(EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_PF|EFLG_CF);
2976 if ( (dst.val >> ((b & 8) ? (shift - 1) : (width - shift))) & 1 )
2977 _regs.eflags |= EFLG_CF;
2978 if ( ((dst.val ^ dst.orig_val) >> (width - 1)) & 1 )
2979 _regs.eflags |= EFLG_OF;
2980 _regs.eflags |= ((dst.val >> (width - 1)) & 1) ? EFLG_SF : 0;
2981 _regs.eflags |= (dst.val == 0) ? EFLG_ZF : 0;
2982 _regs.eflags |= even_parity(dst.val) ? EFLG_PF : 0;
2983 break;
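/*
 * Worked example (editor's sketch): a 16-bit shld of dst = 0x1234,
 * src = 0xabcd by 4 gives (0x1234 << 4) | (0xabcd >> 12) = 0x234a; shrd
 * with the same operands gives (0x1234 >> 4) | (0xabcd << 12) = 0xd123.
 */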
2986 case 0xb3: btr: /* btr */
2987 emulate_2op_SrcV_nobyte("btr", src, dst, _regs.eflags);
2988 break;
2990 case 0xab: bts: /* bts */
2991 emulate_2op_SrcV_nobyte("bts", src, dst, _regs.eflags);
2992 break;
2994 case 0xaf: /* imul */
2995 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
2996 switch ( dst.bytes )
2997 {
2998 case 2:
2999 dst.val = ((uint32_t)(int16_t)src.val *
3000 (uint32_t)(int16_t)dst.val);
3001 if ( (int16_t)dst.val != (uint32_t)dst.val )
3002 _regs.eflags |= EFLG_OF|EFLG_CF;
3003 break;
3004 #ifdef __x86_64__
3005 case 4:
3006 dst.val = ((uint64_t)(int32_t)src.val *
3007 (uint64_t)(int32_t)dst.val);
3008 if ( (int32_t)dst.val != dst.val )
3009 _regs.eflags |= EFLG_OF|EFLG_CF;
3010 break;
3011 #endif
3012 default: {
3013 unsigned long m[2] = { src.val, dst.val };
3014 if ( imul_dbl(m) )
3015 _regs.eflags |= EFLG_OF|EFLG_CF;
3016 dst.val = m[0];
3017 break;
3018 }
3019 }
3020 break;
3022 case 0xb2: /* lss */
3023 dst.val = x86_seg_ss;
3024 goto les;
3026 case 0xb4: /* lfs */
3027 dst.val = x86_seg_fs;
3028 goto les;
3030 case 0xb5: /* lgs */
3031 dst.val = x86_seg_gs;
3032 goto les;
3034 case 0xb6: /* movzx rm8,r{16,32,64} */
3035 /* Recompute DstReg as we may have decoded AH/BH/CH/DH. */
3036 dst.reg = decode_register(modrm_reg, &_regs, 0);
3037 dst.bytes = op_bytes;
3038 dst.val = (uint8_t)src.val;
3039 break;
3041 case 0xbc: /* bsf */ {
3042 int zf;
3043 asm ( "bsf %2,%0; setz %b1"
3044 : "=r" (dst.val), "=q" (zf)
3045 : "r" (src.val), "1" (0) );
3046 _regs.eflags &= ~EFLG_ZF;
3047 _regs.eflags |= zf ? EFLG_ZF : 0;
3048 break;
3051 case 0xbd: /* bsr */ {
3052 int zf;
3053 asm ( "bsr %2,%0; setz %b1"
3054 : "=r" (dst.val), "=q" (zf)
3055 : "r" (src.val), "1" (0) );
3056 _regs.eflags &= ~EFLG_ZF;
3057 _regs.eflags |= zf ? EFLG_ZF : 0;
3058 break;
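/* Editorial note: ZF is the only flag bsf/bsr architecturally define, so
 * it is the only one copied back; with a zero source the destination
 * value is undefined, here whatever the host CPU leaves in it. */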
3061 case 0xb7: /* movzx rm16,r{16,32,64} */
3062 dst.val = (uint16_t)src.val;
3063 break;
3065 case 0xbb: btc: /* btc */
3066 emulate_2op_SrcV_nobyte("btc", src, dst, _regs.eflags);
3067 break;
3069 case 0xba: /* Grp8 */
3070 switch ( modrm_reg & 7 )
3071 {
3072 case 4: goto bt;
3073 case 5: goto bts;
3074 case 6: goto btr;
3075 case 7: goto btc;
3076 default: generate_exception_if(1, EXC_UD, -1);
3077 }
3078 break;
3080 case 0xbe: /* movsx rm8,r{16,32,64} */
3081 /* Recompute DstReg as we may have decoded AH/BH/CH/DH. */
3082 dst.reg = decode_register(modrm_reg, &_regs, 0);
3083 dst.bytes = op_bytes;
3084 dst.val = (int8_t)src.val;
3085 break;
3087 case 0xbf: /* movsx rm16,r{16,32,64} */
3088 dst.val = (int16_t)src.val;
3089 break;
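/*
 * Editorial note on the xadd case below: the exchange half is performed
 * first (the register source receives the old destination value), then
 * 'goto add' re-uses the ordinary ADD path for the sum and the flags.
 */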
3091 case 0xc0 ... 0xc1: /* xadd */
3092 /* Write back the register source. */
3093 switch ( dst.bytes )
3094 {
3095 case 1: *(uint8_t *)src.reg = (uint8_t)dst.val; break;
3096 case 2: *(uint16_t *)src.reg = (uint16_t)dst.val; break;
3097 case 4: *src.reg = (uint32_t)dst.val; break; /* 64b reg: zero-extend */
3098 case 8: *src.reg = dst.val; break;
3099 }
3100 goto add;
3101 }
3102 goto writeback;
3104 twobyte_special_insn:
3105 switch ( b )
3106 {
3107 case 0x01: /* Grp7 */ {
3108 struct segment_register reg;
3109 unsigned long base, limit, cr0, cr0w;
3111 if ( modrm == 0xdf ) /* invlpga */
3112 {
3113 generate_exception_if(in_realmode(ctxt, ops), EXC_UD, -1);
3114 generate_exception_if(!mode_ring0(), EXC_GP, 0);
3115 fail_if(ops->invlpg == NULL);
3116 if ( (rc = ops->invlpg(x86_seg_none, truncate_ea(_regs.eax),
3117 ctxt)) )
3118 goto done;
3119 break;
3120 }
3122 switch ( modrm_reg & 7 )
3123 {
3124 case 0: /* sgdt */
3125 case 1: /* sidt */
3126 generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
3127 fail_if(ops->read_segment == NULL);
3128 if ( (rc = ops->read_segment((modrm_reg & 1) ?
3129 x86_seg_idtr : x86_seg_gdtr,
3130 &reg, ctxt)) )
3131 goto done;
3132 if ( op_bytes == 2 )
3133 reg.base &= 0xffffff;
3134 if ( (rc = ops->write(ea.mem.seg, ea.mem.off+0,
3135 reg.limit, 2, ctxt)) ||
3136 (rc = ops->write(ea.mem.seg, ea.mem.off+2,
3137 reg.base, mode_64bit() ? 8 : 4, ctxt)) )
3138 goto done;
3139 break;
3140 case 2: /* lgdt */
3141 case 3: /* lidt */
3142 generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
3143 fail_if(ops->write_segment == NULL);
3144 memset(&reg, 0, sizeof(reg));
3145 if ( (rc = ops->read(ea.mem.seg, ea.mem.off+0,
3146 &limit, 2, ctxt)) ||
3147 (rc = ops->read(ea.mem.seg, ea.mem.off+2,
3148 &base, mode_64bit() ? 8 : 4, ctxt)) )
3149 goto done;
3150 reg.base = base;
3151 reg.limit = limit;
3152 if ( op_bytes == 2 )
3153 reg.base &= 0xffffff;
3154 if ( (rc = ops->write_segment((modrm_reg & 1) ?
3155 x86_seg_idtr : x86_seg_gdtr,
3156 &reg, ctxt)) )
3157 goto done;
3158 break;
3159 case 4: /* smsw */
3160 ea.bytes = 2;
3161 dst = ea;
3162 fail_if(ops->read_cr == NULL);
3163 if ( (rc = ops->read_cr(0, &dst.val, ctxt)) )
3164 goto done;
3165 d |= Mov; /* force writeback */
3166 break;
3167 case 6: /* lmsw */
3168 fail_if(ops->read_cr == NULL);
3169 fail_if(ops->write_cr == NULL);
3170 if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
3171 goto done;
3172 if ( ea.type == OP_REG )
3173 cr0w = *ea.reg;
3174 else if ( (rc = ops->read(ea.mem.seg, ea.mem.off,
3175 &cr0w, 2, ctxt)) )
3176 goto done;
3177 cr0 &= 0xffff0000;
3178 cr0 |= (uint16_t)cr0w;
3179 if ( (rc = ops->write_cr(0, cr0, ctxt)) )
3180 goto done;
3181 break;
3182 case 7: /* invlpg */
3183 generate_exception_if(!mode_ring0(), EXC_GP, 0);
3184 generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
3185 fail_if(ops->invlpg == NULL);
3186 if ( (rc = ops->invlpg(ea.mem.seg, ea.mem.off, ctxt)) )
3187 goto done;
3188 break;
3189 default:
3190 goto cannot_emulate;
3191 }
3192 break;
3193 }
3195 case 0x06: /* clts */
3196 generate_exception_if(!mode_ring0(), EXC_GP, 0);
3197 fail_if((ops->read_cr == NULL) || (ops->write_cr == NULL));
3198 if ( (rc = ops->read_cr(0, &dst.val, ctxt)) ||
3199 (rc = ops->write_cr(0, dst.val&~8, ctxt)) )
3200 goto done;
3201 break;
3203 case 0x08: /* invd */
3204 case 0x09: /* wbinvd */
3205 generate_exception_if(!mode_ring0(), EXC_GP, 0);
3206 fail_if(ops->wbinvd == NULL);
3207 if ( (rc = ops->wbinvd(ctxt)) != 0 )
3208 goto done;
3209 break;
3211 case 0x0d: /* GrpP (prefetch) */
3212 case 0x18: /* Grp16 (prefetch/nop) */
3213 case 0x19 ... 0x1f: /* nop (amd-defined) */
3214 break;
3216 case 0x20: /* mov cr,reg */
3217 case 0x21: /* mov dr,reg */
3218 case 0x22: /* mov reg,cr */
3219 case 0x23: /* mov reg,dr */
3220 generate_exception_if(!mode_ring0(), EXC_GP, 0);
3221 modrm_rm |= (rex_prefix & 1) << 3;
3222 modrm_reg |= lock_prefix << 3;
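/* Editorial note: the LOCK prefix serves as an extra register-select bit
 * here -- e.g. AMD encodes MOV CR8 as LOCK MOV CR0. */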
3223 if ( b & 2 )
3224 {
3225 /* Write to CR/DR. */
3226 src.val = *(unsigned long *)decode_register(modrm_rm, &_regs, 0);
3227 if ( !mode_64bit() )
3228 src.val = (uint32_t)src.val;
3229 rc = ((b & 1)
3230 ? (ops->write_dr
3231 ? ops->write_dr(modrm_reg, src.val, ctxt)
3232 : X86EMUL_UNHANDLEABLE)
3233 : (ops->write_cr
3234 ? ops->write_cr(modrm_reg, src.val, ctxt)
3235 : X86EMUL_UNHANDLEABLE));
3236 }
3237 else
3238 {
3239 /* Read from CR/DR. */
3240 dst.type = OP_REG;
3241 dst.bytes = mode_64bit() ? 8 : 4;
3242 dst.reg = decode_register(modrm_rm, &_regs, 0);
3243 rc = ((b & 1)
3244 ? (ops->read_dr
3245 ? ops->read_dr(modrm_reg, &dst.val, ctxt)
3246 : X86EMUL_UNHANDLEABLE)
3247 : (ops->read_cr
3248 ? ops->read_cr(modrm_reg, &dst.val, ctxt)
3249 : X86EMUL_UNHANDLEABLE));
3250 }
3251 if ( rc != 0 )
3252 goto done;
3253 break;
3255 case 0x30: /* wrmsr */ {
3256 uint64_t val = ((uint64_t)_regs.edx << 32) | (uint32_t)_regs.eax;
3257 generate_exception_if(!mode_ring0(), EXC_GP, 0);
3258 fail_if(ops->write_msr == NULL);
3259 if ( (rc = ops->write_msr((uint32_t)_regs.ecx, val, ctxt)) != 0 )
3260 goto done;
3261 break;
3264 case 0x31: /* rdtsc */ {
3265 unsigned long cr4;
3266 uint64_t val;
3267 fail_if(ops->read_cr == NULL);
3268 if ( (rc = ops->read_cr(4, &cr4, ctxt)) )
3269 goto done;
3270 generate_exception_if((cr4 & CR4_TSD) && !mode_ring0(), EXC_GP, 0);
3271 fail_if(ops->read_msr == NULL);
3272 if ( (rc = ops->read_msr(MSR_TSC, &val, ctxt)) != 0 )
3273 goto done;
3274 _regs.edx = (uint32_t)(val >> 32);
3275 _regs.eax = (uint32_t)(val >> 0);
3276 break;
3279 case 0x32: /* rdmsr */ {
3280 uint64_t val;
3281 generate_exception_if(!mode_ring0(), EXC_GP, 0);
3282 fail_if(ops->read_msr == NULL);
3283 if ( (rc = ops->read_msr((uint32_t)_regs.ecx, &val, ctxt)) != 0 )
3284 goto done;
3285 _regs.edx = (uint32_t)(val >> 32);
3286 _regs.eax = (uint32_t)(val >> 0);
3287 break;
3290 case 0x80 ... 0x8f: /* jcc (near) */ {
3291 int rel = (((op_bytes == 2) && !mode_64bit())
3292 ? (int32_t)insn_fetch_type(int16_t)
3293 : insn_fetch_type(int32_t));
3294 if ( test_cc(b, _regs.eflags) )
3295 jmp_rel(rel);
3296 break;
3299 case 0xa0: /* push %%fs */
3300 src.val = x86_seg_fs;
3301 goto push_seg;
3303 case 0xa1: /* pop %%fs */
3304 src.val = x86_seg_fs;
3305 goto pop_seg;
3307 case 0xa2: /* cpuid */ {
3308 unsigned int eax = _regs.eax, ebx = _regs.ebx;
3309 unsigned int ecx = _regs.ecx, edx = _regs.edx;
3310 fail_if(ops->cpuid == NULL);
3311 if ( (rc = ops->cpuid(&eax, &ebx, &ecx, &edx, ctxt)) != 0 )
3312 goto done;
3313 _regs.eax = eax; _regs.ebx = ebx;
3314 _regs.ecx = ecx; _regs.edx = edx;
3315 break;
3318 case 0xa8: /* push %%gs */
3319 src.val = x86_seg_gs;
3320 goto push_seg;
3322 case 0xa9: /* pop %%gs */
3323 src.val = x86_seg_gs;
3324 goto pop_seg;
3326 case 0xc7: /* Grp9 (cmpxchg8b) */
3327 #if defined(__i386__)
3328 {
3329 unsigned long old_lo, old_hi;
3330 generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
3331 generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
3332 if ( (rc = ops->read(ea.mem.seg, ea.mem.off+0, &old_lo, 4, ctxt)) ||
3333 (rc = ops->read(ea.mem.seg, ea.mem.off+4, &old_hi, 4, ctxt)) )
3334 goto done;
3335 if ( (old_lo != _regs.eax) || (old_hi != _regs.edx) )
3336 {
3337 _regs.eax = old_lo;
3338 _regs.edx = old_hi;
3339 _regs.eflags &= ~EFLG_ZF;
3340 }
3341 else if ( ops->cmpxchg8b == NULL )
3342 {
3343 rc = X86EMUL_UNHANDLEABLE;
3344 goto done;
3345 }
3346 else
3347 {
3348 if ( (rc = ops->cmpxchg8b(ea.mem.seg, ea.mem.off, old_lo, old_hi,
3349 _regs.ebx, _regs.ecx, ctxt)) != 0 )
3350 goto done;
3351 _regs.eflags |= EFLG_ZF;
3352 }
3353 break;
3354 }
3355 #elif defined(__x86_64__)
3356 {
3357 unsigned long old, new;
3358 generate_exception_if((modrm_reg & 7) != 1, EXC_UD, -1);
3359 generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
3360 if ( (rc = ops->read(ea.mem.seg, ea.mem.off, &old, 8, ctxt)) != 0 )
3361 goto done;
3362 if ( ((uint32_t)(old>>0) != (uint32_t)_regs.eax) ||
3363 ((uint32_t)(old>>32) != (uint32_t)_regs.edx) )
3364 {
3365 _regs.eax = (uint32_t)(old>>0);
3366 _regs.edx = (uint32_t)(old>>32);
3367 _regs.eflags &= ~EFLG_ZF;
3368 }
3369 else
3370 {
3371 new = (_regs.ecx<<32)|(uint32_t)_regs.ebx;
3372 if ( (rc = ops->cmpxchg(ea.mem.seg, ea.mem.off, old,
3373 new, 8, ctxt)) != 0 )
3374 goto done;
3375 _regs.eflags |= EFLG_ZF;
3376 }
3377 break;
3378 }
3379 #endif
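/*
 * Worked example (editor's sketch) for the bswap case below:
 * bswap of 0x12345678 yields 0x78563412; the 16-bit form is
 * architecturally undefined, hence the explicit zero for 2-byte operands.
 */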
3381 case 0xc8 ... 0xcf: /* bswap */
3382 dst.type = OP_REG;
3383 dst.reg = decode_register(
3384 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
3385 switch ( dst.bytes = op_bytes )
3386 {
3387 default: /* case 2: */
3388 /* Undefined behaviour. Writes zero on all tested CPUs. */
3389 dst.val = 0;
3390 break;
3391 case 4:
3392 #ifdef __x86_64__
3393 asm ( "bswap %k0" : "=r" (dst.val) : "0" (*dst.reg) );
3394 break;
3395 case 8:
3396 #endif
3397 asm ( "bswap %0" : "=r" (dst.val) : "0" (*dst.reg) );
3398 break;
3399 }
3400 break;
3401 }
3402 goto writeback;
3404 cannot_emulate:
3405 #if 0
3406 gdprintk(XENLOG_DEBUG, "Instr:");
3407 for ( ea.mem.off = ctxt->regs->eip; ea.mem.off < _regs.eip; ea.mem.off++ )
3408 {
3409 unsigned long x;
3410 ops->insn_fetch(x86_seg_cs, ea.mem.off, &x, 1, ctxt);
3411 printk(" %02x", (uint8_t)x);
3412 }
3413 printk("\n");
3414 #endif
3415 return X86EMUL_UNHANDLEABLE;