ia64/xen-unstable

view xen/arch/x86/x86_emulate.c @ 16849:a878752a83f9

x86_emulate: Provide callbacks for faster emulation of:
REP MOVS, REP INS, REP OUTS.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue Jan 22 17:18:02 2008 +0000 (2008-01-22)
parents 56b42d68518e
children 7f940c605893
line source
1 /******************************************************************************
2 * x86_emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005-2007 Keir Fraser
7 * Copyright (c) 2005-2007 XenSource Inc.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
24 #ifndef __XEN__
25 #include <stddef.h>
26 #include <stdint.h>
27 #include <public/xen.h>
28 #else
29 #include <xen/config.h>
30 #include <xen/types.h>
31 #include <xen/lib.h>
32 #include <asm/regs.h>
33 #undef cmpxchg
34 #endif
35 #include <asm-x86/x86_emulate.h>
37 /* Operand sizes: 8-bit operands or specified/overridden size. */
38 #define ByteOp (1<<0) /* 8-bit operands. */
39 /* Destination operand type. */
40 #define DstBitBase (0<<1) /* Memory operand, bit string. */
41 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
42 #define DstReg (2<<1) /* Register operand. */
43 #define DstMem (3<<1) /* Memory operand. */
44 #define DstMask (3<<1)
45 /* Source operand type. */
46 #define SrcNone (0<<3) /* No source operand. */
47 #define SrcImplicit (0<<3) /* Source operand is implicit in the opcode. */
48 #define SrcReg (1<<3) /* Register operand. */
49 #define SrcMem (2<<3) /* Memory operand. */
50 #define SrcMem16 (3<<3) /* Memory operand (16-bit). */
51 #define SrcImm (4<<3) /* Immediate operand. */
52 #define SrcImmByte (5<<3) /* 8-bit sign-extended immediate operand. */
53 #define SrcMask (7<<3)
54 /* Generic ModRM decode. */
55 #define ModRM (1<<6)
56 /* Destination is only written; never read. */
57 #define Mov (1<<7)
/*
 * Decode attributes for each one-byte opcode (0x00-0xFF). Each entry is a
 * bitwise OR of the ByteOp/Dst*/Src*/ModRM/Mov flags defined above; a zero
 * entry marks an opcode this emulator does not decode generically.
 */
static uint8_t opcode_table[256] = {
    /* 0x00 - 0x07 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, ImplicitOps, ImplicitOps,
    /* 0x08 - 0x0F */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, ImplicitOps, 0,
    /* 0x10 - 0x17 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, ImplicitOps, ImplicitOps,
    /* 0x18 - 0x1F */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, ImplicitOps, ImplicitOps,
    /* 0x20 - 0x27 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
    /* 0x28 - 0x2F */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
    /* 0x30 - 0x37 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
    /* 0x38 - 0x3F */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcImm, DstReg|SrcImm, 0, ImplicitOps,
    /* 0x40 - 0x4F */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x50 - 0x5F */
    ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
    ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
    ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
    ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov, ImplicitOps|Mov,
    /* 0x60 - 0x67 */
    ImplicitOps, ImplicitOps, DstReg|SrcMem|ModRM, DstReg|SrcMem16|ModRM|Mov,
    0, 0, 0, 0,
    /* 0x68 - 0x6F */
    ImplicitOps|Mov, DstReg|SrcImm|ModRM|Mov,
    ImplicitOps|Mov, DstReg|SrcImmByte|ModRM|Mov,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x70 - 0x77 */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x78 - 0x7F */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x80 - 0x87 */
    ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImm|ModRM,
    ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImmByte|ModRM,
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    /* 0x88 - 0x8F */
    ByteOp|DstMem|SrcReg|ModRM|Mov, DstMem|SrcReg|ModRM|Mov,
    ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstMem|SrcReg|ModRM|Mov, DstReg|SrcNone|ModRM,
    DstReg|SrcMem|ModRM|Mov, DstMem|SrcNone|ModRM|Mov,
    /* 0x90 - 0x97 */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x98 - 0x9F */
    ImplicitOps, ImplicitOps, ImplicitOps, 0,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0xA0 - 0xA7 */
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
    ByteOp|ImplicitOps, ImplicitOps,
    /* 0xA8 - 0xAF */
    ByteOp|DstReg|SrcImm, DstReg|SrcImm,
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
    ByteOp|ImplicitOps|Mov, ImplicitOps|Mov,
    ByteOp|ImplicitOps, ImplicitOps,
    /* 0xB0 - 0xB7 */
    ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
    ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
    ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
    ByteOp|DstReg|SrcImm|Mov, ByteOp|DstReg|SrcImm|Mov,
    /* 0xB8 - 0xBF */
    DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov,
    DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov, DstReg|SrcImm|Mov,
    /* 0xC0 - 0xC7 */
    ByteOp|DstMem|SrcImm|ModRM, DstMem|SrcImmByte|ModRM,
    ImplicitOps, ImplicitOps,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    ByteOp|DstMem|SrcImm|ModRM|Mov, DstMem|SrcImm|ModRM|Mov,
    /* 0xC8 - 0xCF */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0xD0 - 0xD7 */
    ByteOp|DstMem|SrcImplicit|ModRM, DstMem|SrcImplicit|ModRM,
    ByteOp|DstMem|SrcImplicit|ModRM, DstMem|SrcImplicit|ModRM,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0xD8 - 0xDF */
    0, 0, 0, 0, 0, 0, 0, 0,
    /* 0xE0 - 0xE7 */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0xE8 - 0xEF */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0xF0 - 0xF7 */
    0, ImplicitOps, 0, 0,
    ImplicitOps, ImplicitOps,
    ByteOp|DstMem|SrcNone|ModRM, DstMem|SrcNone|ModRM,
    /* 0xF8 - 0xFF */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ByteOp|DstMem|SrcNone|ModRM, DstMem|SrcNone|ModRM
};
/*
 * Decode attributes for each two-byte (0x0F-prefixed) opcode. Same flag
 * encoding as opcode_table[]; a zero entry is an unhandled opcode.
 */
static uint8_t twobyte_table[256] = {
    /* 0x00 - 0x07 */
    0, ImplicitOps|ModRM, 0, 0, 0, ImplicitOps, 0, 0,
    /* 0x08 - 0x0F */
    ImplicitOps, ImplicitOps, 0, 0, 0, ImplicitOps|ModRM, 0, 0,
    /* 0x10 - 0x17 */
    0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x18 - 0x1F */
    ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
    ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
    /* 0x20 - 0x27 */
    ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM, ImplicitOps|ModRM,
    0, 0, 0, 0,
    /* 0x28 - 0x2F */
    0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x30 - 0x37 */
    ImplicitOps, ImplicitOps, ImplicitOps, 0, 0, 0, 0, 0,
    /* 0x38 - 0x3F */
    0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x40 - 0x47 */
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    /* 0x48 - 0x4F */
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    /* 0x50 - 0x5F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x60 - 0x6F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x70 - 0x7F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0x80 - 0x87 */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x88 - 0x8F */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0x90 - 0x97 */
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    /* 0x98 - 0x9F */
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    ByteOp|DstMem|SrcNone|ModRM|Mov, ByteOp|DstMem|SrcNone|ModRM|Mov,
    /* 0xA0 - 0xA7 */
    ImplicitOps, ImplicitOps, ImplicitOps, DstBitBase|SrcReg|ModRM,
    DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM, 0, 0,
    /* 0xA8 - 0xAF */
    ImplicitOps, ImplicitOps, 0, DstBitBase|SrcReg|ModRM,
    DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM, 0, DstReg|SrcMem|ModRM,
    /* 0xB0 - 0xB7 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM,
    DstReg|SrcMem|ModRM|Mov, DstBitBase|SrcReg|ModRM,
    DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem|ModRM|Mov,
    ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem16|ModRM|Mov,
    /* 0xB8 - 0xBF */
    0, 0, DstBitBase|SrcImmByte|ModRM, DstBitBase|SrcReg|ModRM,
    DstReg|SrcMem|ModRM, DstReg|SrcMem|ModRM,
    ByteOp|DstReg|SrcMem|ModRM|Mov, DstReg|SrcMem16|ModRM|Mov,
    /* 0xC0 - 0xC7 */
    ByteOp|DstMem|SrcReg|ModRM, DstMem|SrcReg|ModRM, 0, 0,
    0, 0, 0, ImplicitOps|ModRM,
    /* 0xC8 - 0xCF */
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    ImplicitOps, ImplicitOps, ImplicitOps, ImplicitOps,
    /* 0xD0 - 0xDF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0xE0 - 0xEF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* 0xF0 - 0xFF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Type, address-of, and value of an instruction's operand. */
struct operand {
    enum { OP_REG, OP_MEM, OP_IMM, OP_NONE } type;
    /* Operand width in bytes (the emulation macros handle 1, 2, 4 or 8). */
    unsigned int bytes;
    /* Operand value; orig_val presumably holds the pre-modify value for
     * read/modify/write destinations — confirm against users of the field. */
    unsigned long val, orig_val;
    union {
        /* OP_REG: Pointer to register field. */
        unsigned long *reg;
        /* OP_MEM: Segment and offset. */
        struct {
            enum x86_segment seg;
            unsigned long off;
        } mem;
    };
};
274 /* MSRs. */
275 #define MSR_TSC 0x10
277 /* Control register flags. */
278 #define CR0_PE (1<<0)
279 #define CR4_TSD (1<<2)
281 /* EFLAGS bit definitions. */
282 #define EFLG_VIP (1<<20)
283 #define EFLG_VIF (1<<19)
284 #define EFLG_AC (1<<18)
285 #define EFLG_VM (1<<17)
286 #define EFLG_RF (1<<16)
287 #define EFLG_NT (1<<14)
288 #define EFLG_IOPL (3<<12)
289 #define EFLG_OF (1<<11)
290 #define EFLG_DF (1<<10)
291 #define EFLG_IF (1<<9)
292 #define EFLG_TF (1<<8)
293 #define EFLG_SF (1<<7)
294 #define EFLG_ZF (1<<6)
295 #define EFLG_AF (1<<4)
296 #define EFLG_PF (1<<2)
297 #define EFLG_CF (1<<0)
299 /* Exception definitions. */
300 #define EXC_DE 0
301 #define EXC_DB 1
302 #define EXC_BP 3
303 #define EXC_OF 4
304 #define EXC_BR 5
305 #define EXC_UD 6
306 #define EXC_GP 13
308 /*
309 * Instruction emulation:
310 * Most instructions are emulated directly via a fragment of inline assembly
311 * code. This allows us to save/restore EFLAGS and thus very easily pick up
312 * any modified flags.
313 */
315 #if defined(__x86_64__)
316 #define _LO32 "k" /* force 32-bit operand */
317 #define _STK "%%rsp" /* stack pointer */
318 #define _BYTES_PER_LONG "8"
319 #elif defined(__i386__)
320 #define _LO32 "" /* force 32-bit operand */
321 #define _STK "%%esp" /* stack pointer */
322 #define _BYTES_PER_LONG "4"
323 #endif
325 /*
326 * These EFLAGS bits are restored from saved value during emulation, and
327 * any changes are written back to the saved value after emulation.
328 */
329 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
331 /* Before executing instruction: restore necessary bits in EFLAGS. */
332 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
333 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
334 "movl %"_sav",%"_LO32 _tmp"; " \
335 "push %"_tmp"; " \
336 "push %"_tmp"; " \
337 "movl %"_msk",%"_LO32 _tmp"; " \
338 "andl %"_LO32 _tmp",("_STK"); " \
339 "pushf; " \
340 "notl %"_LO32 _tmp"; " \
341 "andl %"_LO32 _tmp",("_STK"); " \
342 "andl %"_LO32 _tmp",2*"_BYTES_PER_LONG"("_STK"); " \
343 "pop %"_tmp"; " \
344 "orl %"_LO32 _tmp",("_STK"); " \
345 "popf; " \
346 "pop %"_sav"; "
348 /* After executing instruction: write-back necessary bits in EFLAGS. */
349 #define _POST_EFLAGS(_sav, _msk, _tmp) \
350 /* _sav |= EFLAGS & _msk; */ \
351 "pushf; " \
352 "pop %"_tmp"; " \
353 "andl %"_msk",%"_LO32 _tmp"; " \
354 "orl %"_LO32 _tmp",%"_sav"; "
356 /* Raw emulation: instruction has two explicit operands. */
357 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy)\
358 do{ unsigned long _tmp; \
359 switch ( (_dst).bytes ) \
360 { \
361 case 2: \
362 asm volatile ( \
363 _PRE_EFLAGS("0","4","2") \
364 _op"w %"_wx"3,%1; " \
365 _POST_EFLAGS("0","4","2") \
366 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
367 : _wy ((_src).val), "i" (EFLAGS_MASK), \
368 "m" (_eflags), "m" ((_dst).val) ); \
369 break; \
370 case 4: \
371 asm volatile ( \
372 _PRE_EFLAGS("0","4","2") \
373 _op"l %"_lx"3,%1; " \
374 _POST_EFLAGS("0","4","2") \
375 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
376 : _ly ((_src).val), "i" (EFLAGS_MASK), \
377 "m" (_eflags), "m" ((_dst).val) ); \
378 break; \
379 case 8: \
380 __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy); \
381 break; \
382 } \
383 } while (0)
384 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy)\
385 do{ unsigned long _tmp; \
386 switch ( (_dst).bytes ) \
387 { \
388 case 1: \
389 asm volatile ( \
390 _PRE_EFLAGS("0","4","2") \
391 _op"b %"_bx"3,%1; " \
392 _POST_EFLAGS("0","4","2") \
393 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
394 : _by ((_src).val), "i" (EFLAGS_MASK), \
395 "m" (_eflags), "m" ((_dst).val) ); \
396 break; \
397 default: \
398 __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy);\
399 break; \
400 } \
401 } while (0)
402 /* Source operand is byte-sized and may be restricted to just %cl. */
403 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
404 __emulate_2op(_op, _src, _dst, _eflags, \
405 "b", "c", "b", "c", "b", "c", "b", "c")
406 /* Source operand is byte, word, long or quad sized. */
407 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
408 __emulate_2op(_op, _src, _dst, _eflags, \
409 "b", "q", "w", "r", _LO32, "r", "", "r")
410 /* Source operand is word, long or quad sized. */
411 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
412 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
413 "w", "r", _LO32, "r", "", "r")
415 /* Instruction has only one explicit operand (no source operand). */
416 #define emulate_1op(_op,_dst,_eflags) \
417 do{ unsigned long _tmp; \
418 switch ( (_dst).bytes ) \
419 { \
420 case 1: \
421 asm volatile ( \
422 _PRE_EFLAGS("0","3","2") \
423 _op"b %1; " \
424 _POST_EFLAGS("0","3","2") \
425 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
426 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
427 break; \
428 case 2: \
429 asm volatile ( \
430 _PRE_EFLAGS("0","3","2") \
431 _op"w %1; " \
432 _POST_EFLAGS("0","3","2") \
433 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
434 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
435 break; \
436 case 4: \
437 asm volatile ( \
438 _PRE_EFLAGS("0","3","2") \
439 _op"l %1; " \
440 _POST_EFLAGS("0","3","2") \
441 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
442 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
443 break; \
444 case 8: \
445 __emulate_1op_8byte(_op, _dst, _eflags); \
446 break; \
447 } \
448 } while (0)
450 /* Emulate an instruction with quadword operands (x86/64 only). */
451 #if defined(__x86_64__)
452 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy) \
453 do{ asm volatile ( \
454 _PRE_EFLAGS("0","4","2") \
455 _op"q %"_qx"3,%1; " \
456 _POST_EFLAGS("0","4","2") \
457 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
458 : _qy ((_src).val), "i" (EFLAGS_MASK), \
459 "m" (_eflags), "m" ((_dst).val) ); \
460 } while (0)
461 #define __emulate_1op_8byte(_op, _dst, _eflags) \
462 do{ asm volatile ( \
463 _PRE_EFLAGS("0","3","2") \
464 _op"q %1; " \
465 _POST_EFLAGS("0","3","2") \
466 : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
467 : "i" (EFLAGS_MASK), "m" (_eflags), "m" ((_dst).val) ); \
468 } while (0)
469 #elif defined(__i386__)
470 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
471 #define __emulate_1op_8byte(_op, _dst, _eflags)
472 #endif /* __i386__ */
474 /* Fetch next part of the instruction being emulated. */
475 #define insn_fetch_bytes(_size) \
476 ({ unsigned long _x, _eip = _regs.eip; \
477 if ( !mode_64bit() ) _eip = (uint32_t)_eip; /* ignore upper dword */ \
478 _regs.eip += (_size); /* real hardware doesn't truncate */ \
479 generate_exception_if((uint8_t)(_regs.eip - ctxt->regs->eip) > 15, \
480 EXC_GP); \
481 rc = ops->insn_fetch(x86_seg_cs, _eip, &_x, (_size), ctxt); \
482 if ( rc ) goto done; \
483 _x; \
484 })
485 #define insn_fetch_type(_type) ((_type)insn_fetch_bytes(sizeof(_type)))
487 #define truncate_word(ea, byte_width) \
488 ({ unsigned long __ea = (ea); \
489 unsigned int _width = (byte_width); \
490 ((_width == sizeof(unsigned long)) ? __ea : \
491 (__ea & ((1UL << (_width << 3)) - 1))); \
492 })
493 #define truncate_ea(ea) truncate_word((ea), ad_bytes)
495 #define mode_64bit() (def_ad_bytes == 8)
497 #define fail_if(p) \
498 do { \
499 rc = (p) ? X86EMUL_UNHANDLEABLE : X86EMUL_OKAY; \
500 if ( rc ) goto done; \
501 } while (0)
503 #define generate_exception_if(p, e) \
504 ({ if ( (p) ) { \
505 fail_if(ops->inject_hw_exception == NULL); \
506 rc = ops->inject_hw_exception(e, ctxt) ? : X86EMUL_EXCEPTION; \
507 goto done; \
508 } \
509 })
/*
 * Given byte has even parity (even number of 1s)? SDM Vol. 1 Sec. 3.4.3.1,
 * "Status Flags": EFLAGS.PF reflects parity of least-sig. byte of result only.
 */
static int even_parity(uint8_t v)
{
    /* TEST sets EFLAGS.PF from @v; SETP materializes PF into the result. */
    asm ( "test %b0,%b0; setp %b0" : "=a" (v) : "0" (v) );
    return v;
}
521 /* Update address held in a register, based on addressing mode. */
522 #define _register_address_increment(reg, inc, byte_width) \
523 do { \
524 int _inc = (inc); /* signed type ensures sign extension to long */ \
525 unsigned int _width = (byte_width); \
526 if ( _width == sizeof(unsigned long) ) \
527 (reg) += _inc; \
528 else if ( mode_64bit() ) \
529 (reg) = ((reg) + _inc) & ((1UL << (_width << 3)) - 1); \
530 else \
531 (reg) = ((reg) & ~((1UL << (_width << 3)) - 1)) | \
532 (((reg) + _inc) & ((1UL << (_width << 3)) - 1)); \
533 } while (0)
534 #define register_address_increment(reg, inc) \
535 _register_address_increment((reg), (inc), ad_bytes)
537 #define sp_pre_dec(dec) ({ \
538 _register_address_increment(_regs.esp, -(dec), ctxt->sp_size/8); \
539 truncate_word(_regs.esp, ctxt->sp_size/8); \
540 })
541 #define sp_post_inc(inc) ({ \
542 unsigned long __esp = truncate_word(_regs.esp, ctxt->sp_size/8); \
543 _register_address_increment(_regs.esp, (inc), ctxt->sp_size/8); \
544 __esp; \
545 })
547 #define jmp_rel(rel) \
548 do { \
549 _regs.eip += (int)(rel); \
550 if ( !mode_64bit() ) \
551 _regs.eip = ((op_bytes == 2) \
552 ? (uint16_t)_regs.eip : (uint32_t)_regs.eip); \
553 } while (0)
/*
 * Fetch the repetition count for a REP-prefixed instruction: %ecx truncated
 * to the effective address size. A zero count means the instruction is a
 * no-op, in which case the already-advanced %eip from the shadow state
 * (@int_regs) is committed straight to the caller-visible state (@ext_regs)
 * so the instruction is skipped.
 *
 * @int_regs: emulator's shadow register state (eip points past insn).
 * @ext_regs: caller's register state (ctxt->regs).
 * @ad_bytes: effective address size in bytes (2, 4 or 8).
 */
static unsigned long __get_rep_prefix(
    struct cpu_user_regs *int_regs,
    struct cpu_user_regs *ext_regs,
    int ad_bytes)
{
    unsigned long ecx = ((ad_bytes == 2) ? (uint16_t)int_regs->ecx :
                         (ad_bytes == 4) ? (uint32_t)int_regs->ecx :
                         int_regs->ecx);

    /* Skip the instruction if no repetitions are required. */
    if ( ecx == 0 )
        ext_regs->eip = int_regs->eip;

    return ecx;
}
571 #define get_rep_prefix() ({ \
572 unsigned long max_reps = 1; \
573 if ( rep_prefix ) \
574 max_reps = __get_rep_prefix(&_regs, ctxt->regs, ad_bytes); \
575 if ( max_reps == 0 ) \
576 goto done; \
577 max_reps; \
578 })
/*
 * Write back state after emulating (some iterations of) a REP-prefixed
 * instruction. %ecx is decremented by @reps_completed at the effective
 * address width. If iterations remain, the shadow %eip (@int_regs) is
 * rewound to the caller's original %eip (@ext_regs) so the same
 * instruction is re-executed for the remaining count.
 */
static void __put_rep_prefix(
    struct cpu_user_regs *int_regs,
    struct cpu_user_regs *ext_regs,
    int ad_bytes,
    unsigned long reps_completed)
{
    unsigned long ecx = ((ad_bytes == 2) ? (uint16_t)int_regs->ecx :
                         (ad_bytes == 4) ? (uint32_t)int_regs->ecx :
                         int_regs->ecx);

    /* Reduce counter appropriately, and repeat instruction if non-zero. */
    ecx -= reps_completed;
    if ( ecx != 0 )
        int_regs->eip = ext_regs->eip;

    /* Store the new count back at the effective address width only. */
    if ( ad_bytes == 2 )
        *(uint16_t *)&int_regs->ecx = ecx;
    else if ( ad_bytes == 4 )
        int_regs->ecx = (uint32_t)ecx;
    else
        int_regs->ecx = ecx;
}
603 #define put_rep_prefix(reps_completed) ({ \
604 if ( rep_prefix ) \
605 __put_rep_prefix(&_regs, ctxt->regs, ad_bytes, reps_completed); \
606 })
/*
 * Unsigned multiplication with double-word result.
 * IN:  Multiplicand=m[0], Multiplier=m[1]
 * OUT: Return CF/OF (overflow status); Result=m[1]:m[0]
 */
static int mul_dbl(unsigned long m[2])
{
    int rc;
    /* MUL leaves low half in %eax/%rax, high half in %edx/%rdx;
     * SETO captures the resulting overflow status. */
    asm ( "mul %4; seto %b2"
          : "=a" (m[0]), "=d" (m[1]), "=q" (rc)
          : "0" (m[0]), "1" (m[1]), "2" (0) );
    return rc;
}
/*
 * Signed multiplication with double-word result.
 * IN:  Multiplicand=m[0], Multiplier=m[1]
 * OUT: Return CF/OF (overflow status); Result=m[1]:m[0]
 */
static int imul_dbl(unsigned long m[2])
{
    int rc;
    /* Same register convention as mul_dbl(), but signed IMUL. */
    asm ( "imul %4; seto %b2"
          : "=a" (m[0]), "=d" (m[1]), "=q" (rc)
          : "0" (m[0]), "1" (m[1]), "2" (0) );
    return rc;
}
/*
 * Unsigned division of double-word dividend.
 * IN:  Dividend=u[1]:u[0], Divisor=v
 * OUT: Return 1: #DE
 *      Return 0: Quotient=u[0], Remainder=u[1]
 */
static int div_dbl(unsigned long u[2], unsigned long v)
{
    /* Pre-check the conditions under which DIV would raise #DE (zero
     * divisor, or quotient too large for one word) before executing it. */
    if ( (v == 0) || (u[1] >= v) )
        return 1;
    asm ( "div %4"
          : "=a" (u[0]), "=d" (u[1])
          : "0" (u[0]), "1" (u[1]), "r" (v) );
    return 0;
}
/*
 * Signed division of double-word dividend.
 * IN:  Dividend=u[1]:u[0], Divisor=v
 * OUT: Return 1: #DE
 *      Return 0: Quotient=u[0], Remainder=u[1]
 * NB. We don't use idiv directly as it's moderately hard to work out
 *     ahead of time whether it will #DE, which we cannot allow to happen.
 *     Instead: unsigned-divide the absolute values, then fix up signs.
 */
static int idiv_dbl(unsigned long u[2], unsigned long v)
{
    int negu = (long)u[1] < 0, negv = (long)v < 0;

    /* u = abs(u): two's-complement negate the double-word value. */
    if ( negu )
    {
        u[1] = ~u[1];
        if ( (u[0] = -u[0]) == 0 )
            u[1]++;
    }

    /* abs(u) / abs(v) */
    if ( div_dbl(u, negv ? -v : v) )
        return 1;

    /* Remainder has same sign as dividend. It cannot overflow. */
    if ( negu )
        u[1] = -u[1];

    /* Quotient is overflowed if sign bit is set. */
    if ( negu ^ negv )
    {
        /* Quotient should be negative: negate unless it already is. */
        if ( (long)u[0] >= 0 )
            u[0] = -u[0];
        else if ( (u[0] << 1) != 0 ) /* == 0x80...0 is okay */
            return 1;
    }
    else if ( (long)u[0] < 0 )
        return 1;

    return 0;
}
694 static int
695 test_cc(
696 unsigned int condition, unsigned int flags)
697 {
698 int rc = 0;
700 switch ( (condition & 15) >> 1 )
701 {
702 case 0: /* o */
703 rc |= (flags & EFLG_OF);
704 break;
705 case 1: /* b/c/nae */
706 rc |= (flags & EFLG_CF);
707 break;
708 case 2: /* z/e */
709 rc |= (flags & EFLG_ZF);
710 break;
711 case 3: /* be/na */
712 rc |= (flags & (EFLG_CF|EFLG_ZF));
713 break;
714 case 4: /* s */
715 rc |= (flags & EFLG_SF);
716 break;
717 case 5: /* p/pe */
718 rc |= (flags & EFLG_PF);
719 break;
720 case 7: /* le/ng */
721 rc |= (flags & EFLG_ZF);
722 /* fall through */
723 case 6: /* l/nge */
724 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
725 break;
726 }
728 /* Odd condition identifiers (lsb == 1) have inverted sense. */
729 return (!!rc ^ (condition & 1));
730 }
/*
 * Return the current privilege level (0-3), or -1 if it cannot be
 * determined (no read_segment callback, or the callback fails).
 */
static int
get_cpl(
    struct x86_emulate_ctxt *ctxt,
    struct x86_emulate_ops *ops)
{
    struct segment_register reg;

    /* Virtual-8086 mode always executes at CPL 3. */
    if ( ctxt->regs->eflags & EFLG_VM )
        return 3;

    if ( (ops->read_segment == NULL) ||
         ops->read_segment(x86_seg_ss, &reg, ctxt) )
        return -1;

    /* CPL is taken from the DPL field of the %ss descriptor. */
    return reg.attr.fields.dpl;
}
/*
 * Return non-zero if CPL <= EFLAGS.IOPL (bits 13:12, cf. EFLG_IOPL),
 * i.e. IOPL-sensitive operations are permitted. Returns 0 when the CPL
 * cannot be determined.
 */
static int
_mode_iopl(
    struct x86_emulate_ctxt *ctxt,
    struct x86_emulate_ops *ops)
{
    int cpl = get_cpl(ctxt, ops);
    return ((cpl >= 0) && (cpl <= ((ctxt->regs->eflags >> 12) & 3)));
}
758 #define mode_ring0() (get_cpl(ctxt, ops) == 0)
759 #define mode_iopl() _mode_iopl(ctxt, ops)
/*
 * Return non-zero if the guest is in real mode (CR0.PE clear).
 * Conservatively returns 0 if CR0 cannot be read.
 */
static int
in_realmode(
    struct x86_emulate_ctxt *ctxt,
    struct x86_emulate_ops *ops)
{
    unsigned long cr0;
    int rc;

    if ( ops->read_cr == NULL )
        return 0;

    rc = ops->read_cr(0, &cr0, ctxt);
    return (!rc && !(cr0 & CR0_PE));
}
/*
 * Load segment register @seg with selector @sel. Only real-mode segment
 * semantics are implemented (base = selector << 4, other attributes
 * preserved); protected-mode loads are returned as unhandleable.
 * Returns an X86EMUL_* status code.
 */
static int
load_seg(
    enum x86_segment seg,
    uint16_t sel,
    struct x86_emulate_ctxt *ctxt,
    struct x86_emulate_ops *ops)
{
    struct segment_register reg;
    int rc;

    if ( !in_realmode(ctxt, ops) ||
         (ops->read_segment == NULL) ||
         (ops->write_segment == NULL) )
        return X86EMUL_UNHANDLEABLE;

    /* Read current register state so unrelated attributes are kept. */
    if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 )
        return rc;

    reg.sel = sel;
    reg.base = (uint32_t)sel << 4;

    return ops->write_segment(seg, &reg, ctxt);
}
/*
 * Map a register number from a ModRM/REX encoding (0-15) to a pointer into
 * @regs. If @highbyte_regs is non-zero, encodings 4-7 select the legacy
 * high-byte registers AH/CH/DH/BH (byte at offset 1 of the corresponding
 * word register on little-endian x86). Returns NULL for an out-of-range
 * encoding (e.g. 8-15 on a 32-bit build).
 */
void *
decode_register(
    uint8_t modrm_reg, struct cpu_user_regs *regs, int highbyte_regs)
{
    void *p;

    switch ( modrm_reg )
    {
    case  0: p = &regs->eax; break;
    case  1: p = &regs->ecx; break;
    case  2: p = &regs->edx; break;
    case  3: p = &regs->ebx; break;
    case  4: p = (highbyte_regs ?
                  ((unsigned char *)&regs->eax + 1) :
                  (unsigned char *)&regs->esp); break;
    case  5: p = (highbyte_regs ?
                  ((unsigned char *)&regs->ecx + 1) :
                  (unsigned char *)&regs->ebp); break;
    case  6: p = (highbyte_regs ?
                  ((unsigned char *)&regs->edx + 1) :
                  (unsigned char *)&regs->esi); break;
    case  7: p = (highbyte_regs ?
                  ((unsigned char *)&regs->ebx + 1) :
                  (unsigned char *)&regs->edi); break;
#if defined(__x86_64__)
    case  8: p = &regs->r8;  break;
    case  9: p = &regs->r9;  break;
    case 10: p = &regs->r10; break;
    case 11: p = &regs->r11; break;
    case 12: p = &regs->r12; break;
    case 13: p = &regs->r13; break;
    case 14: p = &regs->r14; break;
    case 15: p = &regs->r15; break;
#endif
    default: p = NULL; break;
    }

    return p;
}
840 #define decode_segment_failed x86_seg_tr
841 enum x86_segment
842 decode_segment(
843 uint8_t modrm_reg)
844 {
845 switch ( modrm_reg )
846 {
847 case 0: return x86_seg_es;
848 case 1: return x86_seg_cs;
849 case 2: return x86_seg_ss;
850 case 3: return x86_seg_ds;
851 case 4: return x86_seg_fs;
852 case 5: return x86_seg_gs;
853 default: break;
854 }
855 return decode_segment_failed;
856 }
858 int
859 x86_emulate(
860 struct x86_emulate_ctxt *ctxt,
861 struct x86_emulate_ops *ops)
862 {
863 /* Shadow copy of register state. Committed on successful emulation. */
864 struct cpu_user_regs _regs = *ctxt->regs;
866 uint8_t b, d, sib, sib_index, sib_base, twobyte = 0, rex_prefix = 0;
867 uint8_t modrm, modrm_mod = 0, modrm_reg = 0, modrm_rm = 0;
868 unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
869 #define REPE_PREFIX 1
870 #define REPNE_PREFIX 2
871 unsigned int lock_prefix = 0, rep_prefix = 0;
872 int override_seg = -1, rc = X86EMUL_OKAY;
873 struct operand src, dst;
875 /* Data operand effective address (usually computed from ModRM). */
876 struct operand ea;
878 /* Default is a memory operand relative to segment DS. */
879 ea.type = OP_MEM;
880 ea.mem.seg = x86_seg_ds;
881 ea.mem.off = 0;
883 op_bytes = def_op_bytes = ad_bytes = def_ad_bytes = ctxt->addr_size/8;
884 if ( op_bytes == 8 )
885 {
886 op_bytes = def_op_bytes = 4;
887 #ifndef __x86_64__
888 return X86EMUL_UNHANDLEABLE;
889 #endif
890 }
892 /* Prefix bytes. */
893 for ( ; ; )
894 {
895 switch ( b = insn_fetch_type(uint8_t) )
896 {
897 case 0x66: /* operand-size override */
898 op_bytes = def_op_bytes ^ 6;
899 break;
900 case 0x67: /* address-size override */
901 ad_bytes = def_ad_bytes ^ (mode_64bit() ? 12 : 6);
902 break;
903 case 0x2e: /* CS override */
904 override_seg = x86_seg_cs;
905 break;
906 case 0x3e: /* DS override */
907 override_seg = x86_seg_ds;
908 break;
909 case 0x26: /* ES override */
910 override_seg = x86_seg_es;
911 break;
912 case 0x64: /* FS override */
913 override_seg = x86_seg_fs;
914 break;
915 case 0x65: /* GS override */
916 override_seg = x86_seg_gs;
917 break;
918 case 0x36: /* SS override */
919 override_seg = x86_seg_ss;
920 break;
921 case 0xf0: /* LOCK */
922 lock_prefix = 1;
923 break;
924 case 0xf2: /* REPNE/REPNZ */
925 rep_prefix = REPNE_PREFIX;
926 break;
927 case 0xf3: /* REP/REPE/REPZ */
928 rep_prefix = REPE_PREFIX;
929 break;
930 case 0x40 ... 0x4f: /* REX */
931 if ( !mode_64bit() )
932 goto done_prefixes;
933 rex_prefix = b;
934 continue;
935 default:
936 goto done_prefixes;
937 }
939 /* Any legacy prefix after a REX prefix nullifies its effect. */
940 rex_prefix = 0;
941 }
942 done_prefixes:
944 if ( rex_prefix & 8 ) /* REX.W */
945 op_bytes = 8;
947 /* Opcode byte(s). */
948 d = opcode_table[b];
949 if ( d == 0 )
950 {
951 /* Two-byte opcode? */
952 if ( b == 0x0f )
953 {
954 twobyte = 1;
955 b = insn_fetch_type(uint8_t);
956 d = twobyte_table[b];
957 }
959 /* Unrecognised? */
960 if ( d == 0 )
961 goto cannot_emulate;
962 }
964 /* Lock prefix is allowed only on RMW instructions. */
965 generate_exception_if((d & Mov) && lock_prefix, EXC_GP);
967 /* ModRM and SIB bytes. */
968 if ( d & ModRM )
969 {
970 modrm = insn_fetch_type(uint8_t);
971 modrm_mod = (modrm & 0xc0) >> 6;
972 modrm_reg = ((rex_prefix & 4) << 1) | ((modrm & 0x38) >> 3);
973 modrm_rm = modrm & 0x07;
975 if ( modrm_mod == 3 )
976 {
977 modrm_rm |= (rex_prefix & 1) << 3;
978 ea.type = OP_REG;
979 ea.reg = decode_register(
980 modrm_rm, &_regs, (d & ByteOp) && (rex_prefix == 0));
981 }
982 else if ( ad_bytes == 2 )
983 {
984 /* 16-bit ModR/M decode. */
985 switch ( modrm_rm )
986 {
987 case 0:
988 ea.mem.off = _regs.ebx + _regs.esi;
989 break;
990 case 1:
991 ea.mem.off = _regs.ebx + _regs.edi;
992 break;
993 case 2:
994 ea.mem.seg = x86_seg_ss;
995 ea.mem.off = _regs.ebp + _regs.esi;
996 break;
997 case 3:
998 ea.mem.seg = x86_seg_ss;
999 ea.mem.off = _regs.ebp + _regs.edi;
1000 break;
1001 case 4:
1002 ea.mem.off = _regs.esi;
1003 break;
1004 case 5:
1005 ea.mem.off = _regs.edi;
1006 break;
1007 case 6:
1008 if ( modrm_mod == 0 )
1009 break;
1010 ea.mem.seg = x86_seg_ss;
1011 ea.mem.off = _regs.ebp;
1012 break;
1013 case 7:
1014 ea.mem.off = _regs.ebx;
1015 break;
1017 switch ( modrm_mod )
1019 case 0:
1020 if ( modrm_rm == 6 )
1021 ea.mem.off = insn_fetch_type(int16_t);
1022 break;
1023 case 1:
1024 ea.mem.off += insn_fetch_type(int8_t);
1025 break;
1026 case 2:
1027 ea.mem.off += insn_fetch_type(int16_t);
1028 break;
1030 ea.mem.off = truncate_ea(ea.mem.off);
1032 else
1034 /* 32/64-bit ModR/M decode. */
1035 if ( modrm_rm == 4 )
1037 sib = insn_fetch_type(uint8_t);
1038 sib_index = ((sib >> 3) & 7) | ((rex_prefix << 2) & 8);
1039 sib_base = (sib & 7) | ((rex_prefix << 3) & 8);
1040 if ( sib_index != 4 )
1041 ea.mem.off = *(long*)decode_register(sib_index, &_regs, 0);
1042 ea.mem.off <<= (sib >> 6) & 3;
1043 if ( (modrm_mod == 0) && ((sib_base & 7) == 5) )
1044 ea.mem.off += insn_fetch_type(int32_t);
1045 else if ( sib_base == 4 )
1047 ea.mem.seg = x86_seg_ss;
1048 ea.mem.off += _regs.esp;
1049 if ( !twobyte && (b == 0x8f) )
1050 /* POP <rm> computes its EA post increment. */
1051 ea.mem.off += ((mode_64bit() && (op_bytes == 4))
1052 ? 8 : op_bytes);
1054 else if ( sib_base == 5 )
1056 ea.mem.seg = x86_seg_ss;
1057 ea.mem.off += _regs.ebp;
1059 else
1060 ea.mem.off += *(long*)decode_register(sib_base, &_regs, 0);
1062 else
1064 modrm_rm |= (rex_prefix & 1) << 3;
1065 ea.mem.off = *(long *)decode_register(modrm_rm, &_regs, 0);
1066 if ( (modrm_rm == 5) && (modrm_mod != 0) )
1067 ea.mem.seg = x86_seg_ss;
1069 switch ( modrm_mod )
1071 case 0:
1072 if ( (modrm_rm & 7) != 5 )
1073 break;
1074 ea.mem.off = insn_fetch_type(int32_t);
1075 if ( !mode_64bit() )
1076 break;
1077 /* Relative to RIP of next instruction. Argh! */
1078 ea.mem.off += _regs.eip;
1079 if ( (d & SrcMask) == SrcImm )
1080 ea.mem.off += (d & ByteOp) ? 1 :
1081 ((op_bytes == 8) ? 4 : op_bytes);
1082 else if ( (d & SrcMask) == SrcImmByte )
1083 ea.mem.off += 1;
1084 else if ( !twobyte && ((b & 0xfe) == 0xf6) &&
1085 ((modrm_reg & 7) <= 1) )
1086 /* Special case in Grp3: test has immediate operand. */
1087 ea.mem.off += (d & ByteOp) ? 1
1088 : ((op_bytes == 8) ? 4 : op_bytes);
1089 else if ( twobyte && ((b & 0xf7) == 0xa4) )
1090 /* SHLD/SHRD with immediate byte third operand. */
1091 ea.mem.off++;
1092 break;
1093 case 1:
1094 ea.mem.off += insn_fetch_type(int8_t);
1095 break;
1096 case 2:
1097 ea.mem.off += insn_fetch_type(int32_t);
1098 break;
1100 ea.mem.off = truncate_ea(ea.mem.off);
1104 if ( override_seg != -1 )
1105 ea.mem.seg = override_seg;
1107 /* Special instructions do their own operand decoding. */
1108 if ( (d & DstMask) == ImplicitOps )
1109 goto special_insn;
1111 /* Decode and fetch the source operand: register, memory or immediate. */
1112 switch ( d & SrcMask )
1114 case SrcNone:
1115 break;
1116 case SrcReg:
1117 src.type = OP_REG;
1118 if ( d & ByteOp )
1120 src.reg = decode_register(modrm_reg, &_regs, (rex_prefix == 0));
1121 src.val = *(uint8_t *)src.reg;
1122 src.bytes = 1;
1124 else
1126 src.reg = decode_register(modrm_reg, &_regs, 0);
1127 switch ( (src.bytes = op_bytes) )
1129 case 2: src.val = *(uint16_t *)src.reg; break;
1130 case 4: src.val = *(uint32_t *)src.reg; break;
1131 case 8: src.val = *(uint64_t *)src.reg; break;
1134 break;
1135 case SrcMem16:
1136 ea.bytes = 2;
1137 goto srcmem_common;
1138 case SrcMem:
1139 ea.bytes = (d & ByteOp) ? 1 : op_bytes;
1140 srcmem_common:
1141 src = ea;
1142 if ( src.type == OP_REG )
1144 switch ( src.bytes )
1146 case 1: src.val = *(uint8_t *)src.reg; break;
1147 case 2: src.val = *(uint16_t *)src.reg; break;
1148 case 4: src.val = *(uint32_t *)src.reg; break;
1149 case 8: src.val = *(uint64_t *)src.reg; break;
1152 else if ( (rc = ops->read(src.mem.seg, src.mem.off,
1153 &src.val, src.bytes, ctxt)) )
1154 goto done;
1155 break;
1156 case SrcImm:
1157 src.type = OP_IMM;
1158 src.bytes = (d & ByteOp) ? 1 : op_bytes;
1159 if ( src.bytes == 8 ) src.bytes = 4;
1160 /* NB. Immediates are sign-extended as necessary. */
1161 switch ( src.bytes )
1163 case 1: src.val = insn_fetch_type(int8_t); break;
1164 case 2: src.val = insn_fetch_type(int16_t); break;
1165 case 4: src.val = insn_fetch_type(int32_t); break;
1167 break;
1168 case SrcImmByte:
1169 src.type = OP_IMM;
1170 src.bytes = 1;
1171 src.val = insn_fetch_type(int8_t);
1172 break;
1175 /* Decode and fetch the destination operand: register or memory. */
1176 switch ( d & DstMask )
1178 case DstReg:
1179 dst.type = OP_REG;
1180 if ( d & ByteOp )
1182 dst.reg = decode_register(modrm_reg, &_regs, (rex_prefix == 0));
1183 dst.val = *(uint8_t *)dst.reg;
1184 dst.bytes = 1;
1186 else
1188 dst.reg = decode_register(modrm_reg, &_regs, 0);
1189 switch ( (dst.bytes = op_bytes) )
1191 case 2: dst.val = *(uint16_t *)dst.reg; break;
1192 case 4: dst.val = *(uint32_t *)dst.reg; break;
1193 case 8: dst.val = *(uint64_t *)dst.reg; break;
1196 break;
1197 case DstBitBase:
1198 if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
1200 src.val &= (op_bytes << 3) - 1;
1202 else
1204 /*
1205 * EA += BitOffset DIV op_bytes*8
1206 * BitOffset = BitOffset MOD op_bytes*8
1207 * DIV truncates towards negative infinity.
1208 * MOD always produces a positive result.
1209 */
1210 if ( op_bytes == 2 )
1211 src.val = (int16_t)src.val;
1212 else if ( op_bytes == 4 )
1213 src.val = (int32_t)src.val;
1214 if ( (long)src.val < 0 )
1216 unsigned long byte_offset;
1217 byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
1218 ea.mem.off -= byte_offset;
1219 src.val = (byte_offset << 3) + src.val;
1221 else
1223 ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
1224 src.val &= (op_bytes << 3) - 1;
1227 /* Becomes a normal DstMem operation from here on. */
1228 d = (d & ~DstMask) | DstMem;
1229 case DstMem:
1230 ea.bytes = (d & ByteOp) ? 1 : op_bytes;
1231 dst = ea;
1232 if ( dst.type == OP_REG )
1234 switch ( dst.bytes )
1236 case 1: dst.val = *(uint8_t *)dst.reg; break;
1237 case 2: dst.val = *(uint16_t *)dst.reg; break;
1238 case 4: dst.val = *(uint32_t *)dst.reg; break;
1239 case 8: dst.val = *(uint64_t *)dst.reg; break;
1242 else if ( !(d & Mov) ) /* optimisation - avoid slow emulated read */
1244 if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1245 &dst.val, dst.bytes, ctxt)) )
1246 goto done;
1247 dst.orig_val = dst.val;
1249 break;
1252 /* LOCK prefix allowed only on instructions with memory destination. */
1253 generate_exception_if(lock_prefix && (dst.type != OP_MEM), EXC_GP);
1255 if ( twobyte )
1256 goto twobyte_insn;
1258 switch ( b )
1260 case 0x04 ... 0x05: /* add imm,%%eax */
1261 dst.reg = (unsigned long *)&_regs.eax;
1262 dst.val = _regs.eax;
1263 case 0x00 ... 0x03: add: /* add */
1264 emulate_2op_SrcV("add", src, dst, _regs.eflags);
1265 break;
1267 case 0x0c ... 0x0d: /* or imm,%%eax */
1268 dst.reg = (unsigned long *)&_regs.eax;
1269 dst.val = _regs.eax;
1270 case 0x08 ... 0x0b: or: /* or */
1271 emulate_2op_SrcV("or", src, dst, _regs.eflags);
1272 break;
1274 case 0x14 ... 0x15: /* adc imm,%%eax */
1275 dst.reg = (unsigned long *)&_regs.eax;
1276 dst.val = _regs.eax;
1277 case 0x10 ... 0x13: adc: /* adc */
1278 emulate_2op_SrcV("adc", src, dst, _regs.eflags);
1279 break;
1281 case 0x1c ... 0x1d: /* sbb imm,%%eax */
1282 dst.reg = (unsigned long *)&_regs.eax;
1283 dst.val = _regs.eax;
1284 case 0x18 ... 0x1b: sbb: /* sbb */
1285 emulate_2op_SrcV("sbb", src, dst, _regs.eflags);
1286 break;
1288 case 0x24 ... 0x25: /* and imm,%%eax */
1289 dst.reg = (unsigned long *)&_regs.eax;
1290 dst.val = _regs.eax;
1291 case 0x20 ... 0x23: and: /* and */
1292 emulate_2op_SrcV("and", src, dst, _regs.eflags);
1293 break;
1295 case 0x2c ... 0x2d: /* sub imm,%%eax */
1296 dst.reg = (unsigned long *)&_regs.eax;
1297 dst.val = _regs.eax;
1298 case 0x28 ... 0x2b: sub: /* sub */
1299 emulate_2op_SrcV("sub", src, dst, _regs.eflags);
1300 break;
1302 case 0x34 ... 0x35: /* xor imm,%%eax */
1303 dst.reg = (unsigned long *)&_regs.eax;
1304 dst.val = _regs.eax;
1305 case 0x30 ... 0x33: xor: /* xor */
1306 emulate_2op_SrcV("xor", src, dst, _regs.eflags);
1307 break;
1309 case 0x3c ... 0x3d: /* cmp imm,%%eax */
1310 dst.reg = (unsigned long *)&_regs.eax;
1311 dst.val = _regs.eax;
1312 case 0x38 ... 0x3b: cmp: /* cmp */
1313 emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
1314 break;
1316 case 0x62: /* bound */ {
1317 unsigned long src_val2;
1318 int lb, ub, idx;
1319 generate_exception_if(mode_64bit() || (src.type != OP_MEM), EXC_UD);
1320 if ( (rc = ops->read(src.mem.seg, src.mem.off + op_bytes,
1321 &src_val2, op_bytes, ctxt)) )
1322 goto done;
1323 ub = (op_bytes == 2) ? (int16_t)src_val2 : (int32_t)src_val2;
1324 lb = (op_bytes == 2) ? (int16_t)src.val : (int32_t)src.val;
1325 idx = (op_bytes == 2) ? (int16_t)dst.val : (int32_t)dst.val;
1326 generate_exception_if((idx < lb) || (idx > ub), EXC_BR);
1327 dst.type = OP_NONE;
1328 break;
1331 case 0x63: /* movsxd (x86/64) / arpl (x86/32) */
1332 if ( mode_64bit() )
1334 /* movsxd */
1335 if ( src.type == OP_REG )
1336 src.val = *(int32_t *)src.reg;
1337 else if ( (rc = ops->read(src.mem.seg, src.mem.off,
1338 &src.val, 4, ctxt)) )
1339 goto done;
1340 dst.val = (int32_t)src.val;
1342 else
1344 /* arpl */
1345 uint16_t src_val = dst.val;
1346 dst = src;
1347 _regs.eflags &= ~EFLG_ZF;
1348 _regs.eflags |= ((src_val & 3) > (dst.val & 3)) ? EFLG_ZF : 0;
1349 if ( _regs.eflags & EFLG_ZF )
1350 dst.val = (dst.val & ~3) | (src_val & 3);
1351 else
1352 dst.type = OP_NONE;
1353 generate_exception_if(in_realmode(ctxt, ops), EXC_UD);
1355 break;
1357 case 0x69: /* imul imm16/32 */
1358 case 0x6b: /* imul imm8 */ {
1359 unsigned long src1; /* ModR/M source operand */
1360 if ( ea.type == OP_REG )
1361 src1 = *ea.reg;
1362 else if ( (rc = ops->read(ea.mem.seg, ea.mem.off,
1363 &src1, op_bytes, ctxt)) )
1364 goto done;
1365 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1366 switch ( dst.bytes )
1368 case 2:
1369 dst.val = ((uint32_t)(int16_t)src.val *
1370 (uint32_t)(int16_t)src1);
1371 if ( (int16_t)dst.val != (uint32_t)dst.val )
1372 _regs.eflags |= EFLG_OF|EFLG_CF;
1373 break;
1374 #ifdef __x86_64__
1375 case 4:
1376 dst.val = ((uint64_t)(int32_t)src.val *
1377 (uint64_t)(int32_t)src1);
1378 if ( (int32_t)dst.val != dst.val )
1379 _regs.eflags |= EFLG_OF|EFLG_CF;
1380 break;
1381 #endif
1382 default: {
1383 unsigned long m[2] = { src.val, src1 };
1384 if ( imul_dbl(m) )
1385 _regs.eflags |= EFLG_OF|EFLG_CF;
1386 dst.val = m[0];
1387 break;
1390 break;
1393 case 0x82: /* Grp1 (x86/32 only) */
1394 generate_exception_if(mode_64bit(), EXC_UD);
1395 case 0x80: case 0x81: case 0x83: /* Grp1 */
1396 switch ( modrm_reg & 7 )
1398 case 0: goto add;
1399 case 1: goto or;
1400 case 2: goto adc;
1401 case 3: goto sbb;
1402 case 4: goto and;
1403 case 5: goto sub;
1404 case 6: goto xor;
1405 case 7: goto cmp;
1407 break;
1409 case 0xa8 ... 0xa9: /* test imm,%%eax */
1410 dst.reg = (unsigned long *)&_regs.eax;
1411 dst.val = _regs.eax;
1412 case 0x84 ... 0x85: test: /* test */
1413 emulate_2op_SrcV("test", src, dst, _regs.eflags);
1414 break;
1416 case 0x86 ... 0x87: xchg: /* xchg */
1417 /* Write back the register source. */
1418 switch ( dst.bytes )
1420 case 1: *(uint8_t *)src.reg = (uint8_t)dst.val; break;
1421 case 2: *(uint16_t *)src.reg = (uint16_t)dst.val; break;
1422 case 4: *src.reg = (uint32_t)dst.val; break; /* 64b reg: zero-extend */
1423 case 8: *src.reg = dst.val; break;
1425 /* Write back the memory destination with implicit LOCK prefix. */
1426 dst.val = src.val;
1427 lock_prefix = 1;
1428 break;
1430 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
1431 generate_exception_if((modrm_reg & 7) != 0, EXC_UD);
1432 case 0x88 ... 0x8b: /* mov */
1433 dst.val = src.val;
1434 break;
1436 case 0x8c: /* mov Sreg,r/m */ {
1437 struct segment_register reg;
1438 enum x86_segment seg = decode_segment(modrm_reg);
1439 generate_exception_if(seg == decode_segment_failed, EXC_UD);
1440 fail_if(ops->read_segment == NULL);
1441 if ( (rc = ops->read_segment(seg, &reg, ctxt)) != 0 )
1442 goto done;
1443 dst.val = reg.sel;
1444 if ( dst.type == OP_MEM )
1445 dst.bytes = 2;
1446 break;
1449 case 0x8e: /* mov r/m,Sreg */ {
1450 enum x86_segment seg = decode_segment(modrm_reg);
1451 generate_exception_if(seg == decode_segment_failed, EXC_UD);
1452 if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 )
1453 goto done;
1454 dst.type = OP_NONE;
1455 break;
1458 case 0x8d: /* lea */
1459 dst.val = ea.mem.off;
1460 break;
1462 case 0x8f: /* pop (sole member of Grp1a) */
1463 generate_exception_if((modrm_reg & 7) != 0, EXC_UD);
1464 /* 64-bit mode: POP defaults to a 64-bit operand. */
1465 if ( mode_64bit() && (dst.bytes == 4) )
1466 dst.bytes = 8;
1467 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(dst.bytes),
1468 &dst.val, dst.bytes, ctxt)) != 0 )
1469 goto done;
1470 break;
1472 case 0xb0 ... 0xb7: /* mov imm8,r8 */
1473 dst.reg = decode_register(
1474 (b & 7) | ((rex_prefix & 1) << 3), &_regs, (rex_prefix == 0));
1475 dst.val = src.val;
1476 break;
1478 case 0xb8 ... 0xbf: /* mov imm{16,32,64},r{16,32,64} */
1479 if ( dst.bytes == 8 ) /* Fetch more bytes to obtain imm64 */
1480 src.val = ((uint32_t)src.val |
1481 ((uint64_t)insn_fetch_type(uint32_t) << 32));
1482 dst.reg = decode_register(
1483 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
1484 dst.val = src.val;
1485 break;
1487 case 0xc0 ... 0xc1: grp2: /* Grp2 */
1488 switch ( modrm_reg & 7 )
1490 case 0: /* rol */
1491 emulate_2op_SrcB("rol", src, dst, _regs.eflags);
1492 break;
1493 case 1: /* ror */
1494 emulate_2op_SrcB("ror", src, dst, _regs.eflags);
1495 break;
1496 case 2: /* rcl */
1497 emulate_2op_SrcB("rcl", src, dst, _regs.eflags);
1498 break;
1499 case 3: /* rcr */
1500 emulate_2op_SrcB("rcr", src, dst, _regs.eflags);
1501 break;
1502 case 4: /* sal/shl */
1503 case 6: /* sal/shl */
1504 emulate_2op_SrcB("sal", src, dst, _regs.eflags);
1505 break;
1506 case 5: /* shr */
1507 emulate_2op_SrcB("shr", src, dst, _regs.eflags);
1508 break;
1509 case 7: /* sar */
1510 emulate_2op_SrcB("sar", src, dst, _regs.eflags);
1511 break;
1513 break;
1515 case 0xc4: /* les */ {
1516 unsigned long sel;
1517 dst.val = x86_seg_es;
1518 les: /* dst.val identifies the segment */
1519 generate_exception_if(src.type != OP_MEM, EXC_UD);
1520 if ( (rc = ops->read(src.mem.seg, src.mem.off + src.bytes,
1521 &sel, 2, ctxt)) != 0 )
1522 goto done;
1523 if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 )
1524 goto done;
1525 dst.val = src.val;
1526 break;
1529 case 0xc5: /* lds */
1530 dst.val = x86_seg_ds;
1531 goto les;
1533 case 0xd0 ... 0xd1: /* Grp2 */
1534 src.val = 1;
1535 goto grp2;
1537 case 0xd2 ... 0xd3: /* Grp2 */
1538 src.val = _regs.ecx;
1539 goto grp2;
1541 case 0xf6 ... 0xf7: /* Grp3 */
1542 switch ( modrm_reg & 7 )
1544 case 0 ... 1: /* test */
1545 /* Special case in Grp3: test has an immediate source operand. */
1546 src.type = OP_IMM;
1547 src.bytes = (d & ByteOp) ? 1 : op_bytes;
1548 if ( src.bytes == 8 ) src.bytes = 4;
1549 switch ( src.bytes )
1551 case 1: src.val = insn_fetch_type(int8_t); break;
1552 case 2: src.val = insn_fetch_type(int16_t); break;
1553 case 4: src.val = insn_fetch_type(int32_t); break;
1555 goto test;
1556 case 2: /* not */
1557 dst.val = ~dst.val;
1558 break;
1559 case 3: /* neg */
1560 emulate_1op("neg", dst, _regs.eflags);
1561 break;
1562 case 4: /* mul */
1563 src = dst;
1564 dst.type = OP_REG;
1565 dst.reg = (unsigned long *)&_regs.eax;
1566 dst.val = *dst.reg;
1567 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1568 switch ( src.bytes )
1570 case 1:
1571 dst.val *= src.val;
1572 if ( (uint8_t)dst.val != (uint16_t)dst.val )
1573 _regs.eflags |= EFLG_OF|EFLG_CF;
1574 break;
1575 case 2:
1576 dst.val *= src.val;
1577 if ( (uint16_t)dst.val != (uint32_t)dst.val )
1578 _regs.eflags |= EFLG_OF|EFLG_CF;
1579 *(uint16_t *)&_regs.edx = dst.val >> 16;
1580 break;
1581 #ifdef __x86_64__
1582 case 4:
1583 dst.val *= src.val;
1584 if ( (uint32_t)dst.val != dst.val )
1585 _regs.eflags |= EFLG_OF|EFLG_CF;
1586 _regs.edx = (uint32_t)(dst.val >> 32);
1587 break;
1588 #endif
1589 default: {
1590 unsigned long m[2] = { src.val, dst.val };
1591 if ( mul_dbl(m) )
1592 _regs.eflags |= EFLG_OF|EFLG_CF;
1593 _regs.edx = m[1];
1594 dst.val = m[0];
1595 break;
1598 break;
1599 case 5: /* imul */
1600 src = dst;
1601 dst.type = OP_REG;
1602 dst.reg = (unsigned long *)&_regs.eax;
1603 dst.val = *dst.reg;
1604 _regs.eflags &= ~(EFLG_OF|EFLG_CF);
1605 switch ( src.bytes )
1607 case 1:
1608 dst.val = ((uint16_t)(int8_t)src.val *
1609 (uint16_t)(int8_t)dst.val);
1610 if ( (int8_t)dst.val != (uint16_t)dst.val )
1611 _regs.eflags |= EFLG_OF|EFLG_CF;
1612 break;
1613 case 2:
1614 dst.val = ((uint32_t)(int16_t)src.val *
1615 (uint32_t)(int16_t)dst.val);
1616 if ( (int16_t)dst.val != (uint32_t)dst.val )
1617 _regs.eflags |= EFLG_OF|EFLG_CF;
1618 *(uint16_t *)&_regs.edx = dst.val >> 16;
1619 break;
1620 #ifdef __x86_64__
1621 case 4:
1622 dst.val = ((uint64_t)(int32_t)src.val *
1623 (uint64_t)(int32_t)dst.val);
1624 if ( (int32_t)dst.val != dst.val )
1625 _regs.eflags |= EFLG_OF|EFLG_CF;
1626 _regs.edx = (uint32_t)(dst.val >> 32);
1627 break;
1628 #endif
1629 default: {
1630 unsigned long m[2] = { src.val, dst.val };
1631 if ( imul_dbl(m) )
1632 _regs.eflags |= EFLG_OF|EFLG_CF;
1633 _regs.edx = m[1];
1634 dst.val = m[0];
1635 break;
1638 break;
1639 case 6: /* div */ {
1640 unsigned long u[2], v;
1641 src = dst;
1642 dst.type = OP_REG;
1643 dst.reg = (unsigned long *)&_regs.eax;
1644 switch ( src.bytes )
1646 case 1:
1647 u[0] = (uint16_t)_regs.eax;
1648 u[1] = 0;
1649 v = (uint8_t)src.val;
1650 generate_exception_if(
1651 div_dbl(u, v) || ((uint8_t)u[0] != (uint16_t)u[0]),
1652 EXC_DE);
1653 dst.val = (uint8_t)u[0];
1654 ((uint8_t *)&_regs.eax)[1] = u[1];
1655 break;
1656 case 2:
1657 u[0] = ((uint32_t)_regs.edx << 16) | (uint16_t)_regs.eax;
1658 u[1] = 0;
1659 v = (uint16_t)src.val;
1660 generate_exception_if(
1661 div_dbl(u, v) || ((uint16_t)u[0] != (uint32_t)u[0]),
1662 EXC_DE);
1663 dst.val = (uint16_t)u[0];
1664 *(uint16_t *)&_regs.edx = u[1];
1665 break;
1666 #ifdef __x86_64__
1667 case 4:
1668 u[0] = (_regs.edx << 32) | (uint32_t)_regs.eax;
1669 u[1] = 0;
1670 v = (uint32_t)src.val;
1671 generate_exception_if(
1672 div_dbl(u, v) || ((uint32_t)u[0] != u[0]),
1673 EXC_DE);
1674 dst.val = (uint32_t)u[0];
1675 _regs.edx = (uint32_t)u[1];
1676 break;
1677 #endif
1678 default:
1679 u[0] = _regs.eax;
1680 u[1] = _regs.edx;
1681 v = src.val;
1682 generate_exception_if(div_dbl(u, v), EXC_DE);
1683 dst.val = u[0];
1684 _regs.edx = u[1];
1685 break;
1687 break;
1689 case 7: /* idiv */ {
1690 unsigned long u[2], v;
1691 src = dst;
1692 dst.type = OP_REG;
1693 dst.reg = (unsigned long *)&_regs.eax;
1694 switch ( src.bytes )
1696 case 1:
1697 u[0] = (int16_t)_regs.eax;
1698 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1699 v = (int8_t)src.val;
1700 generate_exception_if(
1701 idiv_dbl(u, v) || ((int8_t)u[0] != (int16_t)u[0]),
1702 EXC_DE);
1703 dst.val = (int8_t)u[0];
1704 ((int8_t *)&_regs.eax)[1] = u[1];
1705 break;
1706 case 2:
1707 u[0] = (int32_t)((_regs.edx << 16) | (uint16_t)_regs.eax);
1708 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1709 v = (int16_t)src.val;
1710 generate_exception_if(
1711 idiv_dbl(u, v) || ((int16_t)u[0] != (int32_t)u[0]),
1712 EXC_DE);
1713 dst.val = (int16_t)u[0];
1714 *(int16_t *)&_regs.edx = u[1];
1715 break;
1716 #ifdef __x86_64__
1717 case 4:
1718 u[0] = (_regs.edx << 32) | (uint32_t)_regs.eax;
1719 u[1] = ((long)u[0] < 0) ? ~0UL : 0UL;
1720 v = (int32_t)src.val;
1721 generate_exception_if(
1722 idiv_dbl(u, v) || ((int32_t)u[0] != u[0]),
1723 EXC_DE);
1724 dst.val = (int32_t)u[0];
1725 _regs.edx = (uint32_t)u[1];
1726 break;
1727 #endif
1728 default:
1729 u[0] = _regs.eax;
1730 u[1] = _regs.edx;
1731 v = src.val;
1732 generate_exception_if(idiv_dbl(u, v), EXC_DE);
1733 dst.val = u[0];
1734 _regs.edx = u[1];
1735 break;
1737 break;
1739 default:
1740 goto cannot_emulate;
1742 break;
1744 case 0xfe: /* Grp4 */
1745 generate_exception_if((modrm_reg & 7) >= 2, EXC_UD);
1746 case 0xff: /* Grp5 */
1747 switch ( modrm_reg & 7 )
1749 case 0: /* inc */
1750 emulate_1op("inc", dst, _regs.eflags);
1751 break;
1752 case 1: /* dec */
1753 emulate_1op("dec", dst, _regs.eflags);
1754 break;
1755 case 2: /* call (near) */
1756 case 4: /* jmp (near) */
1757 if ( (dst.bytes != 8) && mode_64bit() )
1759 dst.bytes = op_bytes = 8;
1760 if ( dst.type == OP_REG )
1761 dst.val = *dst.reg;
1762 else if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1763 &dst.val, 8, ctxt)) != 0 )
1764 goto done;
1766 src.val = _regs.eip;
1767 _regs.eip = dst.val;
1768 if ( (modrm_reg & 7) == 2 )
1769 goto push; /* call */
1770 dst.type = OP_NONE;
1771 break;
1772 case 3: /* call (far, absolute indirect) */
1773 case 5: /* jmp (far, absolute indirect) */ {
1774 unsigned long sel;
1776 generate_exception_if(dst.type != OP_MEM, EXC_UD);
1778 if ( (rc = ops->read(dst.mem.seg, dst.mem.off+dst.bytes,
1779 &sel, 2, ctxt)) )
1780 goto done;
1782 if ( (modrm_reg & 7) == 3 ) /* call */
1784 struct segment_register reg;
1785 fail_if(ops->read_segment == NULL);
1786 if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) ||
1787 (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
1788 reg.sel, op_bytes, ctxt)) ||
1789 (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
1790 _regs.eip, op_bytes, ctxt)) )
1791 goto done;
1794 if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
1795 goto done;
1796 _regs.eip = dst.val;
1798 dst.type = OP_NONE;
1799 break;
1801 case 6: /* push */
1802 /* 64-bit mode: PUSH defaults to a 64-bit operand. */
1803 if ( mode_64bit() && (dst.bytes == 4) )
1805 dst.bytes = 8;
1806 if ( dst.type == OP_REG )
1807 dst.val = *dst.reg;
1808 else if ( (rc = ops->read(dst.mem.seg, dst.mem.off,
1809 &dst.val, 8, ctxt)) != 0 )
1810 goto done;
1812 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
1813 dst.val, dst.bytes, ctxt)) != 0 )
1814 goto done;
1815 dst.type = OP_NONE;
1816 break;
1817 case 7:
1818 generate_exception_if(1, EXC_UD);
1819 default:
1820 goto cannot_emulate;
1822 break;
1825 writeback:
1826 switch ( dst.type )
1828 case OP_REG:
1829 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1830 switch ( dst.bytes )
1832 case 1: *(uint8_t *)dst.reg = (uint8_t)dst.val; break;
1833 case 2: *(uint16_t *)dst.reg = (uint16_t)dst.val; break;
1834 case 4: *dst.reg = (uint32_t)dst.val; break; /* 64b: zero-ext */
1835 case 8: *dst.reg = dst.val; break;
1837 break;
1838 case OP_MEM:
1839 if ( !(d & Mov) && (dst.orig_val == dst.val) )
1840 /* nothing to do */;
1841 else if ( lock_prefix )
1842 rc = ops->cmpxchg(
1843 dst.mem.seg, dst.mem.off, dst.orig_val,
1844 dst.val, dst.bytes, ctxt);
1845 else
1846 rc = ops->write(
1847 dst.mem.seg, dst.mem.off, dst.val, dst.bytes, ctxt);
1848 if ( rc != 0 )
1849 goto done;
1850 default:
1851 break;
1854 /* Commit shadow register state. */
1855 _regs.eflags &= ~EFLG_RF;
1856 *ctxt->regs = _regs;
1858 if ( (_regs.eflags & EFLG_TF) &&
1859 (rc == X86EMUL_OKAY) &&
1860 (ops->inject_hw_exception != NULL) )
1861 rc = ops->inject_hw_exception(EXC_DB, ctxt) ? : X86EMUL_EXCEPTION;
1863 done:
1864 return rc;
1866 special_insn:
1867 dst.type = OP_NONE;
1869 /*
1870 * The only implicit-operands instructions allowed a LOCK prefix are
1871 * CMPXCHG{8,16}B, MOV CRn, MOV DRn.
1872 */
1873 generate_exception_if(lock_prefix &&
1874 ((b < 0x20) || (b > 0x23)) && /* MOV CRn/DRn */
1875 (b != 0xc7), /* CMPXCHG{8,16}B */
1876 EXC_GP);
1878 if ( twobyte )
1879 goto twobyte_special_insn;
1881 switch ( b )
1883 case 0x06: /* push %%es */ {
1884 struct segment_register reg;
1885 src.val = x86_seg_es;
1886 push_seg:
1887 fail_if(ops->read_segment == NULL);
1888 if ( (rc = ops->read_segment(src.val, &reg, ctxt)) != 0 )
1889 return rc;
1890 /* 64-bit mode: PUSH defaults to a 64-bit operand. */
1891 if ( mode_64bit() && (op_bytes == 4) )
1892 op_bytes = 8;
1893 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
1894 reg.sel, op_bytes, ctxt)) != 0 )
1895 goto done;
1896 break;
1899 case 0x07: /* pop %%es */
1900 src.val = x86_seg_es;
1901 pop_seg:
1902 fail_if(ops->write_segment == NULL);
1903 /* 64-bit mode: POP defaults to a 64-bit operand. */
1904 if ( mode_64bit() && (op_bytes == 4) )
1905 op_bytes = 8;
1906 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
1907 &dst.val, op_bytes, ctxt)) != 0 )
1908 goto done;
1909 if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 )
1910 return rc;
1911 break;
1913 case 0x0e: /* push %%cs */
1914 src.val = x86_seg_cs;
1915 goto push_seg;
1917 case 0x16: /* push %%ss */
1918 src.val = x86_seg_ss;
1919 goto push_seg;
1921 case 0x17: /* pop %%ss */
1922 src.val = x86_seg_ss;
1923 goto pop_seg;
1925 case 0x1e: /* push %%ds */
1926 src.val = x86_seg_ds;
1927 goto push_seg;
1929 case 0x1f: /* pop %%ds */
1930 src.val = x86_seg_ds;
1931 goto pop_seg;
1933 case 0x27: /* daa */ {
1934 uint8_t al = _regs.eax;
1935 unsigned long eflags = _regs.eflags;
1936 generate_exception_if(mode_64bit(), EXC_UD);
1937 _regs.eflags &= ~(EFLG_CF|EFLG_AF);
1938 if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
1940 *(uint8_t *)&_regs.eax += 6;
1941 _regs.eflags |= EFLG_AF;
1943 if ( (al > 0x99) || (eflags & EFLG_CF) )
1945 *(uint8_t *)&_regs.eax += 0x60;
1946 _regs.eflags |= EFLG_CF;
1948 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1949 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1950 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1951 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1952 break;
1955 case 0x2f: /* das */ {
1956 uint8_t al = _regs.eax;
1957 unsigned long eflags = _regs.eflags;
1958 generate_exception_if(mode_64bit(), EXC_UD);
1959 _regs.eflags &= ~(EFLG_CF|EFLG_AF);
1960 if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
1962 _regs.eflags |= EFLG_AF;
1963 if ( (al < 6) || (eflags & EFLG_CF) )
1964 _regs.eflags |= EFLG_CF;
1965 *(uint8_t *)&_regs.eax -= 6;
1967 if ( (al > 0x99) || (eflags & EFLG_CF) )
1969 *(uint8_t *)&_regs.eax -= 0x60;
1970 _regs.eflags |= EFLG_CF;
1972 _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
1973 _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
1974 _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
1975 _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
1976 break;
1979 case 0x37: /* aaa */
1980 case 0x3f: /* aas */
1981 generate_exception_if(mode_64bit(), EXC_UD);
1982 _regs.eflags &= ~EFLG_CF;
1983 if ( ((uint8_t)_regs.eax > 9) || (_regs.eflags & EFLG_AF) )
1985 ((uint8_t *)&_regs.eax)[0] += (b == 0x37) ? 6 : -6;
1986 ((uint8_t *)&_regs.eax)[1] += (b == 0x37) ? 1 : -1;
1987 _regs.eflags |= EFLG_CF | EFLG_AF;
1989 ((uint8_t *)&_regs.eax)[0] &= 0x0f;
1990 break;
1992 case 0x40 ... 0x4f: /* inc/dec reg */
1993 dst.type = OP_REG;
1994 dst.reg = decode_register(b & 7, &_regs, 0);
1995 dst.bytes = op_bytes;
1996 dst.val = *dst.reg;
1997 if ( b & 8 )
1998 emulate_1op("dec", dst, _regs.eflags);
1999 else
2000 emulate_1op("inc", dst, _regs.eflags);
2001 break;
2003 case 0x50 ... 0x57: /* push reg */
2004 src.val = *(unsigned long *)decode_register(
2005 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
2006 goto push;
2008 case 0x58 ... 0x5f: /* pop reg */
2009 dst.type = OP_REG;
2010 dst.reg = decode_register(
2011 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
2012 dst.bytes = op_bytes;
2013 if ( mode_64bit() && (dst.bytes == 4) )
2014 dst.bytes = 8;
2015 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(dst.bytes),
2016 &dst.val, dst.bytes, ctxt)) != 0 )
2017 goto done;
2018 break;
2020 case 0x60: /* pusha */ {
2021 int i;
2022 unsigned long regs[] = {
2023 _regs.eax, _regs.ecx, _regs.edx, _regs.ebx,
2024 _regs.esp, _regs.ebp, _regs.esi, _regs.edi };
2025 generate_exception_if(mode_64bit(), EXC_UD);
2026 for ( i = 0; i < 8; i++ )
2027 if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
2028 regs[i], op_bytes, ctxt)) != 0 )
2029 goto done;
2030 break;
2033 case 0x61: /* popa */ {
2034 int i;
2035 unsigned long dummy_esp, *regs[] = {
2036 (unsigned long *)&_regs.edi, (unsigned long *)&_regs.esi,
2037 (unsigned long *)&_regs.ebp, (unsigned long *)&dummy_esp,
2038 (unsigned long *)&_regs.ebx, (unsigned long *)&_regs.edx,
2039 (unsigned long *)&_regs.ecx, (unsigned long *)&_regs.eax };
2040 generate_exception_if(mode_64bit(), EXC_UD);
2041 for ( i = 0; i < 8; i++ )
2043 if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
2044 &dst.val, op_bytes, ctxt)) != 0 )
2045 goto done;
2046 switch ( op_bytes )
2048 case 1: *(uint8_t *)regs[i] = (uint8_t)dst.val; break;
2049 case 2: *(uint16_t *)regs[i] = (uint16_t)dst.val; break;
2050 case 4: *regs[i] = (uint32_t)dst.val; break; /* 64b: zero-ext */
2051 case 8: *regs[i] = dst.val; break;
2054 break;
2057 case 0x68: /* push imm{16,32,64} */
2058 src.val = ((op_bytes == 2)
2059 ? (int32_t)insn_fetch_type(int16_t)
2060 : insn_fetch_type(int32_t));
2061 goto push;
2063 case 0x6a: /* push imm8 */
2064 src.val = insn_fetch_type(int8_t);
2065 push:
2066 d |= Mov; /* force writeback */
2067 dst.type = OP_MEM;
2068 dst.bytes = op_bytes;
2069 if ( mode_64bit() && (dst.bytes == 4) )
2070 dst.bytes = 8;
2071 dst.val = src.val;
2072 dst.mem.seg = x86_seg_ss;
2073 dst.mem.off = sp_pre_dec(dst.bytes);
2074 break;
2076 case 0x6c ... 0x6d: /* ins %dx,%es:%edi */ {
2077 unsigned long nr_reps = get_rep_prefix();
2078 generate_exception_if(!mode_iopl(), EXC_GP);
2079 dst.bytes = !(b & 1) ? 1 : (op_bytes == 8) ? 4 : op_bytes;
2080 dst.mem.seg = x86_seg_es;
2081 dst.mem.off = truncate_ea(_regs.edi);
2082 if ( (nr_reps > 1) && (ops->rep_ins != NULL) )
2084 if ( (rc = ops->rep_ins((uint16_t)_regs.edx, dst.mem.seg,
2085 dst.mem.off, dst.bytes,
2086 &nr_reps, ctxt)) != 0 )
2087 goto done;
2089 else
2091 fail_if(ops->read_io == NULL);
2092 if ( (rc = ops->read_io((uint16_t)_regs.edx, dst.bytes,
2093 &dst.val, ctxt)) != 0 )
2094 goto done;
2095 dst.type = OP_MEM;
2096 nr_reps = 1;
2098 register_address_increment(
2099 _regs.edi,
2100 nr_reps * ((_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes));
2101 put_rep_prefix(nr_reps);
2102 break;
2105 case 0x6e ... 0x6f: /* outs %esi,%dx */ {
2106 unsigned long nr_reps = get_rep_prefix();
2107 generate_exception_if(!mode_iopl(), EXC_GP);
2108 dst.bytes = !(b & 1) ? 1 : (op_bytes == 8) ? 4 : op_bytes;
2109 if ( (nr_reps > 1) && (ops->rep_outs != NULL) )
2111 if ( (rc = ops->rep_outs(ea.mem.seg, truncate_ea(_regs.esi),
2112 (uint16_t)_regs.edx, dst.bytes,
2113 &nr_reps, ctxt)) != 0 )
2114 goto done;
2116 else
2118 if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
2119 &dst.val, dst.bytes, ctxt)) != 0 )
2120 goto done;
2121 fail_if(ops->write_io == NULL);
2122 if ( (rc = ops->write_io((uint16_t)_regs.edx, dst.bytes,
2123 dst.val, ctxt)) != 0 )
2124 goto done;
2125 nr_reps = 1;
2127 register_address_increment(
2128 _regs.esi,
2129 nr_reps * ((_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes));
2130 put_rep_prefix(nr_reps);
2131 break;
2134 case 0x70 ... 0x7f: /* jcc (short) */ {
2135 int rel = insn_fetch_type(int8_t);
2136 if ( test_cc(b, _regs.eflags) )
2137 jmp_rel(rel);
2138 break;
2141 case 0x90: /* nop / xchg %%r8,%%rax */
2142 if ( !(rex_prefix & 1) )
2143 break; /* nop */
2145 case 0x91 ... 0x97: /* xchg reg,%%rax */
2146 src.type = dst.type = OP_REG;
2147 src.bytes = dst.bytes = op_bytes;
2148 src.reg = (unsigned long *)&_regs.eax;
2149 src.val = *src.reg;
2150 dst.reg = decode_register(
2151 (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
2152 dst.val = *dst.reg;
2153 goto xchg;
2155 case 0x98: /* cbw/cwde/cdqe */
2156 switch ( op_bytes )
2158 case 2: *(int16_t *)&_regs.eax = (int8_t)_regs.eax; break; /* cbw */
2159 case 4: _regs.eax = (uint32_t)(int16_t)_regs.eax; break; /* cwde */
2160 case 8: _regs.eax = (int32_t)_regs.eax; break; /* cdqe */
2162 break;
2164 case 0x99: /* cwd/cdq/cqo */
2165 switch ( op_bytes )
2167 case 2:
2168 *(int16_t *)&_regs.edx = ((int16_t)_regs.eax < 0) ? -1 : 0;
2169 break;
2170 case 4:
2171 _regs.edx = (uint32_t)(((int32_t)_regs.eax < 0) ? -1 : 0);
2172 break;
2173 case 8:
2174 _regs.edx = (_regs.eax < 0) ? -1 : 0;
2175 break;
2177 break;
    case 0x9a: /* call (far, absolute) */ {
        struct segment_register reg;
        uint16_t sel;
        uint32_t eip;

        fail_if(ops->read_segment == NULL);
        generate_exception_if(mode_64bit(), EXC_UD);

        eip = insn_fetch_bytes(op_bytes);
        sel = insn_fetch_type(uint16_t);

        /* Push old CS then old EIP, then load the new CS:EIP. */
        if ( (rc = ops->read_segment(x86_seg_cs, &reg, ctxt)) ||
             (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
                              reg.sel, op_bytes, ctxt)) ||
             (rc = ops->write(x86_seg_ss, sp_pre_dec(op_bytes),
                              _regs.eip, op_bytes, ctxt)) )
            goto done;

        if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
            goto done;
        _regs.eip = eip;
        break;
    }

    case 0x9c: /* pushf */
        src.val = _regs.eflags;
        goto push;

    case 0x9d: /* popf */ {
        /* Bits that POPF must not modify at this privilege level. */
        uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
        if ( !mode_iopl() )
            mask |= EFLG_IOPL;
        fail_if(ops->write_rflags == NULL);
        /* 64-bit mode: POP defaults to a 64-bit operand. */
        if ( mode_64bit() && (op_bytes == 4) )
            op_bytes = 8;
        if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
                             &dst.val, op_bytes, ctxt)) != 0 )
            goto done;
        /* 16-bit POPF leaves the upper flag bits untouched. */
        if ( op_bytes == 2 )
            dst.val = (uint16_t)dst.val | (_regs.eflags & 0xffff0000u);
        dst.val &= 0x257fd5; /* keep only architecturally-defined bits */
        _regs.eflags &= mask;
        _regs.eflags |= (uint32_t)(dst.val & ~mask) | 0x02;
        if ( (rc = ops->write_rflags(_regs.eflags, ctxt)) != 0 )
            goto done;
        break;
    }
2228 case 0x9e: /* sahf */
2229 *(uint8_t *)_regs.eflags = (((uint8_t *)&_regs.eax)[1] & 0xd7) | 0x02;
2230 break;
2232 case 0x9f: /* lahf */
2233 ((uint8_t *)&_regs.eax)[1] = (_regs.eflags & 0xd7) | 0x02;
2234 break;
    case 0xa0 ... 0xa1: /* mov mem.offs,{%al,%ax,%eax,%rax} */
        /* Source EA is not encoded via ModRM. */
        dst.type = OP_REG;
        dst.reg = (unsigned long *)&_regs.eax;
        dst.bytes = (d & ByteOp) ? 1 : op_bytes;
        if ( (rc = ops->read(ea.mem.seg, insn_fetch_bytes(ad_bytes),
                             &dst.val, dst.bytes, ctxt)) != 0 )
            goto done;
        break;

    case 0xa2 ... 0xa3: /* mov {%al,%ax,%eax,%rax},mem.offs */
        /* Destination EA is not encoded via ModRM. */
        dst.type = OP_MEM;
        dst.mem.seg = ea.mem.seg;
        dst.mem.off = insn_fetch_bytes(ad_bytes);
        dst.bytes = (d & ByteOp) ? 1 : op_bytes;
        dst.val = (unsigned long)_regs.eax;
        break;

    case 0xa4 ... 0xa5: /* movs */ {
        unsigned long nr_reps = get_rep_prefix();
        dst.bytes = (d & ByteOp) ? 1 : op_bytes;
        dst.mem.seg = x86_seg_es;
        dst.mem.off = truncate_ea(_regs.edi);
        if ( (nr_reps > 1) && (ops->rep_movs != NULL) )
        {
            /* Fast path: batch the whole REP MOVS via the callback. */
            if ( (rc = ops->rep_movs(ea.mem.seg, truncate_ea(_regs.esi),
                                     dst.mem.seg, dst.mem.off, dst.bytes,
                                     &nr_reps, ctxt)) != 0 )
                goto done;
        }
        else
        {
            /* Slow path: one element; writeback stores it at ES:EDI. */
            if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
                                 &dst.val, dst.bytes, ctxt)) != 0 )
                goto done;
            dst.type = OP_MEM;
            nr_reps = 1;
        }
        register_address_increment(
            _regs.esi,
            nr_reps * ((_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes));
        register_address_increment(
            _regs.edi,
            nr_reps * ((_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes));
        put_rep_prefix(nr_reps);
        break;
    }
    case 0xa6 ... 0xa7: /* cmps */ {
        /* One iteration per emulation pass; loop by rewinding EIP. */
        unsigned long next_eip = _regs.eip;
        get_rep_prefix();
        src.bytes = dst.bytes = (d & ByteOp) ? 1 : op_bytes;
        if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
                             &dst.val, dst.bytes, ctxt)) ||
             (rc = ops->read(x86_seg_es, truncate_ea(_regs.edi),
                             &src.val, src.bytes, ctxt)) )
            goto done;
        register_address_increment(
            _regs.esi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
        register_address_increment(
            _regs.edi, (_regs.eflags & EFLG_DF) ? -src.bytes : src.bytes);
        put_rep_prefix(1);
        /* cmp: dst - src ==> src=*%%edi,dst=*%%esi ==> *%%esi - *%%edi */
        emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
        /* REP termination not met: re-execute this instruction. */
        if ( ((rep_prefix == REPE_PREFIX) && !(_regs.eflags & EFLG_ZF)) ||
             ((rep_prefix == REPNE_PREFIX) && (_regs.eflags & EFLG_ZF)) )
            _regs.eip = next_eip;
        break;
    }

    case 0xaa ... 0xab: /* stos */ {
        /* unsigned long max_reps = */get_rep_prefix();
        dst.type = OP_MEM;
        dst.bytes = (d & ByteOp) ? 1 : op_bytes;
        dst.mem.seg = x86_seg_es;
        dst.mem.off = truncate_ea(_regs.edi);
        dst.val = _regs.eax;
        register_address_increment(
            _regs.edi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
        put_rep_prefix(1);
        break;
    }

    case 0xac ... 0xad: /* lods */ {
        /* unsigned long max_reps = */get_rep_prefix();
        dst.type = OP_REG;
        dst.bytes = (d & ByteOp) ? 1 : op_bytes;
        dst.reg = (unsigned long *)&_regs.eax;
        if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.esi),
                             &dst.val, dst.bytes, ctxt)) != 0 )
            goto done;
        register_address_increment(
            _regs.esi, (_regs.eflags & EFLG_DF) ? -dst.bytes : dst.bytes);
        put_rep_prefix(1);
        break;
    }

    case 0xae ... 0xaf: /* scas */ {
        unsigned long next_eip = _regs.eip;
        get_rep_prefix();
        src.bytes = dst.bytes = (d & ByteOp) ? 1 : op_bytes;
        dst.val = _regs.eax;
        if ( (rc = ops->read(x86_seg_es, truncate_ea(_regs.edi),
                             &src.val, src.bytes, ctxt)) != 0 )
            goto done;
        register_address_increment(
            _regs.edi, (_regs.eflags & EFLG_DF) ? -src.bytes : src.bytes);
        put_rep_prefix(1);
        /* cmp: dst - src ==> src=*%%edi,dst=%%eax ==> %%eax - *%%edi */
        emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
        if ( ((rep_prefix == REPE_PREFIX) && !(_regs.eflags & EFLG_ZF)) ||
             ((rep_prefix == REPNE_PREFIX) && (_regs.eflags & EFLG_ZF)) )
            _regs.eip = next_eip;
        break;
    }
    case 0xc2: /* ret imm16 (near) */
    case 0xc3: /* ret (near) */ {
        /* imm16 extra bytes are discarded from the stack after the pop. */
        int offset = (b == 0xc2) ? insn_fetch_type(uint16_t) : 0;
        op_bytes = mode_64bit() ? 8 : op_bytes;
        if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes + offset),
                             &dst.val, op_bytes, ctxt)) != 0 )
            goto done;
        _regs.eip = dst.val;
        break;
    }

    case 0xc8: /* enter imm16,imm8 */ {
        uint16_t size = insn_fetch_type(uint16_t);
        uint8_t depth = insn_fetch_type(uint8_t) & 31; /* depth is mod 32 */
        int i;

        dst.type = OP_REG;
        dst.bytes = (mode_64bit() && (op_bytes == 4)) ? 8 : op_bytes;
        dst.reg = (unsigned long *)&_regs.ebp;
        /* Push old frame pointer; new EBP (dst.val) is written back later. */
        if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
                              _regs.ebp, dst.bytes, ctxt)) )
            goto done;
        dst.val = _regs.esp;

        if ( depth > 0 )
        {
            /* Copy depth-1 enclosing frame pointers, then push new EBP. */
            for ( i = 1; i < depth; i++ )
            {
                unsigned long ebp, temp_data;
                ebp = truncate_word(_regs.ebp - i*dst.bytes, ctxt->sp_size/8);
                if ( (rc = ops->read(x86_seg_ss, ebp,
                                     &temp_data, dst.bytes, ctxt)) ||
                     (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
                                      temp_data, dst.bytes, ctxt)) )
                    goto done;
            }
            if ( (rc = ops->write(x86_seg_ss, sp_pre_dec(dst.bytes),
                                  dst.val, dst.bytes, ctxt)) )
                goto done;
        }

        sp_pre_dec(size); /* allocate the local-variable area */
        break;
    }

    case 0xc9: /* leave */
        /* First writeback, to %%esp. */
        dst.type = OP_REG;
        dst.bytes = (mode_64bit() && (op_bytes == 4)) ? 8 : op_bytes;
        dst.reg = (unsigned long *)&_regs.esp;
        dst.val = _regs.ebp;

        /* Flush first writeback, since there is a second. */
        switch ( dst.bytes )
        {
        case 1: *(uint8_t *)dst.reg = (uint8_t)dst.val; break;
        case 2: *(uint16_t *)dst.reg = (uint16_t)dst.val; break;
        case 4: *dst.reg = (uint32_t)dst.val; break; /* 64b: zero-ext */
        case 8: *dst.reg = dst.val; break;
        }

        /* Second writeback, to %%ebp. */
        dst.reg = (unsigned long *)&_regs.ebp;
        if ( (rc = ops->read(x86_seg_ss, sp_post_inc(dst.bytes),
                             &dst.val, dst.bytes, ctxt)) )
            goto done;
        break;
    case 0xca: /* ret imm16 (far) */
    case 0xcb: /* ret (far) */ {
        int offset = (b == 0xca) ? insn_fetch_type(uint16_t) : 0;
        op_bytes = mode_64bit() ? 8 : op_bytes;
        /* Pop EIP, then CS (discarding imm16 extra bytes with it). */
        if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
                             &dst.val, op_bytes, ctxt)) ||
             (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes + offset),
                             &src.val, op_bytes, ctxt)) ||
             (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) )
            goto done;
        _regs.eip = dst.val;
        break;
    }

    case 0xcc: /* int3 */
        src.val = EXC_BP;
        goto swint;

    case 0xcd: /* int imm8 */
        src.val = insn_fetch_type(uint8_t);
    swint:
        fail_if(ops->inject_sw_interrupt == NULL);
        /* Second argument is the length of the emulated instruction. */
        rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
                                      ctxt) ? : X86EMUL_EXCEPTION;
        goto done;

    case 0xce: /* into */
        generate_exception_if(mode_64bit(), EXC_UD);
        if ( !(_regs.eflags & EFLG_OF) )
            break;
        src.val = EXC_OF;
        goto swint;

    case 0xcf: /* iret */ {
        unsigned long cs, eip, eflags;
        /* Flag bits IRET must not modify at this privilege level. */
        uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
        if ( !mode_iopl() )
            mask |= EFLG_IOPL;
        fail_if(!in_realmode(ctxt, ops)); /* only real-mode IRET emulated */
        fail_if(ops->write_rflags == NULL);
        if ( (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
                             &eip, op_bytes, ctxt)) ||
             (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
                             &cs, op_bytes, ctxt)) ||
             (rc = ops->read(x86_seg_ss, sp_post_inc(op_bytes),
                             &eflags, op_bytes, ctxt)) )
            goto done;
        if ( op_bytes == 2 )
            eflags = (uint16_t)eflags | (_regs.eflags & 0xffff0000u);
        eflags &= 0x257fd5; /* keep only architecturally-defined bits */
        _regs.eflags &= mask;
        _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02;
        if ( (rc = ops->write_rflags(_regs.eflags, ctxt)) != 0 )
            goto done;
        _regs.eip = eip;
        if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 )
            goto done;
        break;
    }
    case 0xd4: /* aam */ {
        unsigned int base = insn_fetch_type(uint8_t);
        uint8_t al = _regs.eax;
        generate_exception_if(mode_64bit(), EXC_UD);
        generate_exception_if(base == 0, EXC_DE); /* divide-by-zero fault */
        *(uint16_t *)&_regs.eax = ((al / base) << 8) | (al % base);
        /* SF/ZF/PF reflect the new AL value. */
        _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
        _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
        _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
        _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
        break;
    }

    case 0xd5: /* aad */ {
        unsigned int base = insn_fetch_type(uint8_t);
        uint16_t ax = _regs.eax;
        generate_exception_if(mode_64bit(), EXC_UD);
        /* AL = AL + AH*base; AH = 0. */
        *(uint16_t *)&_regs.eax = (uint8_t)(ax + ((ax >> 8) * base));
        _regs.eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
        _regs.eflags |= ((uint8_t)_regs.eax == 0) ? EFLG_ZF : 0;
        _regs.eflags |= (( int8_t)_regs.eax < 0) ? EFLG_SF : 0;
        _regs.eflags |= even_parity(_regs.eax) ? EFLG_PF : 0;
        break;
    }

    case 0xd6: /* salc */
        generate_exception_if(mode_64bit(), EXC_UD);
        /* Undocumented: AL = CF ? 0xff : 0x00. */
        *(uint8_t *)&_regs.eax = (_regs.eflags & EFLG_CF) ? 0xff : 0x00;
        break;

    case 0xd7: /* xlat */ {
        unsigned long al = (uint8_t)_regs.eax;
        if ( (rc = ops->read(ea.mem.seg, truncate_ea(_regs.ebx + al),
                             &al, 1, ctxt)) != 0 )
            goto done;
        *(uint8_t *)&_regs.eax = al;
        break;
    }

    case 0xe0 ... 0xe2: /* loop{,z,nz} */ {
        int rel = insn_fetch_type(int8_t);
        int do_jmp = !(_regs.eflags & EFLG_ZF); /* loopnz */
        if ( b == 0xe1 )
            do_jmp = !do_jmp; /* loopz */
        else if ( b == 0xe2 )
            do_jmp = 1; /* loop */
        /* Decrement the count register at the current address size. */
        switch ( ad_bytes )
        {
        case 2:
            do_jmp &= --(*(uint16_t *)&_regs.ecx) != 0;
            break;
        case 4:
            do_jmp &= --(*(uint32_t *)&_regs.ecx) != 0;
            _regs.ecx = (uint32_t)_regs.ecx; /* zero extend in x86/64 mode */
            break;
        default: /* case 8: */
            do_jmp &= --_regs.ecx != 0;
            break;
        }
        if ( do_jmp )
            jmp_rel(rel);
        break;
    }

    case 0xe3: /* jcxz/jecxz (short) */ {
        int rel = insn_fetch_type(int8_t);
        if ( (ad_bytes == 2) ? !(uint16_t)_regs.ecx :
             (ad_bytes == 4) ? !(uint32_t)_regs.ecx : !_regs.ecx )
            jmp_rel(rel);
        break;
    }
    case 0xe4: /* in imm8,%al */
    case 0xe5: /* in imm8,%eax */
    case 0xe6: /* out %al,imm8 */
    case 0xe7: /* out %eax,imm8 */
    case 0xec: /* in %dx,%al */
    case 0xed: /* in %dx,%eax */
    case 0xee: /* out %al,%dx */
    case 0xef: /* out %eax,%dx */ {
        /* Port comes from imm8 (0xe4-0xe7) or DX (0xec-0xef). */
        unsigned int port = ((b < 0xe8)
                             ? insn_fetch_type(uint8_t)
                             : (uint16_t)_regs.edx);
        generate_exception_if(!mode_iopl(), EXC_GP);
        op_bytes = !(b & 1) ? 1 : (op_bytes == 8) ? 4 : op_bytes;
        if ( b & 2 )
        {
            /* out */
            fail_if(ops->write_io == NULL);
            rc = ops->write_io(port, op_bytes, _regs.eax, ctxt);
        }
        else
        {
            /* in */
            dst.type = OP_REG;
            dst.bytes = op_bytes;
            dst.reg = (unsigned long *)&_regs.eax;
            fail_if(ops->read_io == NULL);
            rc = ops->read_io(port, dst.bytes, &dst.val, ctxt);
        }
        if ( rc != 0 )
            goto done;
        break;
    }

    case 0xe8: /* call (near) */ {
        int rel = (((op_bytes == 2) && !mode_64bit())
                   ? (int32_t)insn_fetch_type(int16_t)
                   : insn_fetch_type(int32_t));
        op_bytes = mode_64bit() ? 8 : op_bytes;
        src.val = _regs.eip; /* return address to push */
        jmp_rel(rel);
        goto push;
    }

    case 0xe9: /* jmp (near) */ {
        int rel = (((op_bytes == 2) && !mode_64bit())
                   ? (int32_t)insn_fetch_type(int16_t)
                   : insn_fetch_type(int32_t));
        jmp_rel(rel);
        break;
    }

    case 0xea: /* jmp (far, absolute) */ {
        uint16_t sel;
        uint32_t eip;
        generate_exception_if(mode_64bit(), EXC_UD);
        eip = insn_fetch_bytes(op_bytes);
        sel = insn_fetch_type(uint16_t);
        if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
            goto done;
        _regs.eip = eip;
        break;
    }

    case 0xeb: /* jmp (short) */
        jmp_rel(insn_fetch_type(int8_t));
        break;

    case 0xf1: /* int1 (icebp) */
        src.val = EXC_DB;
        goto swint;

    case 0xf4: /* hlt */
        fail_if(ops->hlt == NULL);
        if ( (rc = ops->hlt(ctxt)) != 0 )
            goto done;
        break;

    case 0xf5: /* cmc */
        _regs.eflags ^= EFLG_CF;
        break;

    case 0xf8: /* clc */
        _regs.eflags &= ~EFLG_CF;
        break;

    case 0xf9: /* stc */
        _regs.eflags |= EFLG_CF;
        break;

    case 0xfa: /* cli */
    case 0xfb: /* sti */
        generate_exception_if(!mode_iopl(), EXC_GP);
        fail_if(ops->write_rflags == NULL);
        _regs.eflags &= ~EFLG_IF;
        if ( b == 0xfb ) /* sti */
            _regs.eflags |= EFLG_IF;
        if ( (rc = ops->write_rflags(_regs.eflags, ctxt)) != 0 )
            goto done;
        break;

    case 0xfc: /* cld */
        _regs.eflags &= ~EFLG_DF;
        break;

    case 0xfd: /* std */
        _regs.eflags |= EFLG_DF;
        break;
    }
    goto writeback;

 twobyte_insn:
    /* Two-byte (0x0f-prefixed) opcodes with generically-decoded operands. */
    switch ( b )
    {
    case 0x40 ... 0x4f: /* cmovcc */
        dst.val = src.val;
        if ( !test_cc(b, _regs.eflags) )
            dst.type = OP_NONE; /* condition false: suppress writeback */
        break;

    case 0x90 ... 0x9f: /* setcc */
        dst.val = test_cc(b, _regs.eflags);
        break;

    case 0xb0 ... 0xb1: /* cmpxchg */
        /* Save real source value, then compare EAX against destination. */
        src.orig_val = src.val;
        src.val = _regs.eax;
        emulate_2op_SrcV("cmp", src, dst, _regs.eflags);
        /* Always write back. The question is: where to? */
        d |= Mov;
        if ( _regs.eflags & EFLG_ZF )
        {
            /* Success: write back to memory. */
            dst.val = src.orig_val;
        }
        else
        {
            /* Failure: write the value we saw to EAX. */
            dst.type = OP_REG;
            dst.reg = (unsigned long *)&_regs.eax;
        }
        break;

    case 0xa3: bt: /* bt */
        emulate_2op_SrcV_nobyte("bt", src, dst, _regs.eflags);
        break;

    case 0xa4: /* shld imm8,r,r/m */
    case 0xa5: /* shld %%cl,r,r/m */
    case 0xac: /* shrd imm8,r,r/m */
    case 0xad: /* shrd %%cl,r,r/m */ {
        uint8_t shift, width = dst.bytes << 3;
        /* Odd opcodes take the shift count from CL, even ones from imm8. */
        shift = (b & 1) ? (uint8_t)_regs.ecx : insn_fetch_type(uint8_t);
        if ( (shift &= width - 1) == 0 )
            break;
        dst.orig_val = truncate_word(dst.val, dst.bytes);
        dst.val = ((shift == width) ? src.val :
                   (b & 8) ?
                   /* shrd */
                   ((dst.orig_val >> shift) |
                    truncate_word(src.val << (width - shift), dst.bytes)) :
                   /* shld */
                   ((dst.orig_val << shift) |
                    ((src.val >> (width - shift)) & ((1ull << shift) - 1))));
        dst.val = truncate_word(dst.val, dst.bytes);
        _regs.eflags &= ~(EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_PF|EFLG_CF);
        /* CF = last bit shifted out; OF = sign change. */
        if ( (dst.val >> ((b & 8) ? (shift - 1) : (width - shift))) & 1 )
            _regs.eflags |= EFLG_CF;
        if ( ((dst.val ^ dst.orig_val) >> (width - 1)) & 1 )
            _regs.eflags |= EFLG_OF;
        _regs.eflags |= ((dst.val >> (width - 1)) & 1) ? EFLG_SF : 0;
        _regs.eflags |= (dst.val == 0) ? EFLG_ZF : 0;
        _regs.eflags |= even_parity(dst.val) ? EFLG_PF : 0;
        break;
    }

    case 0xb3: btr: /* btr */
        emulate_2op_SrcV_nobyte("btr", src, dst, _regs.eflags);
        break;

    case 0xab: bts: /* bts */
        emulate_2op_SrcV_nobyte("bts", src, dst, _regs.eflags);
        break;

    case 0xaf: /* imul */
        _regs.eflags &= ~(EFLG_OF|EFLG_CF);
        switch ( dst.bytes )
        {
        case 2:
            dst.val = ((uint32_t)(int16_t)src.val *
                       (uint32_t)(int16_t)dst.val);
            /* OF/CF set when the result does not fit the operand size. */
            if ( (int16_t)dst.val != (uint32_t)dst.val )
                _regs.eflags |= EFLG_OF|EFLG_CF;
            break;
#ifdef __x86_64__
        case 4:
            dst.val = ((uint64_t)(int32_t)src.val *
                       (uint64_t)(int32_t)dst.val);
            if ( (int32_t)dst.val != dst.val )
                _regs.eflags |= EFLG_OF|EFLG_CF;
            break;
#endif
        default: {
            unsigned long m[2] = { src.val, dst.val };
            if ( imul_dbl(m) )
                _regs.eflags |= EFLG_OF|EFLG_CF;
            dst.val = m[0];
            break;
        }
        }
        break;

    case 0xb2: /* lss */
        dst.val = x86_seg_ss;
        goto les;

    case 0xb4: /* lfs */
        dst.val = x86_seg_fs;
        goto les;

    case 0xb5: /* lgs */
        dst.val = x86_seg_gs;
        goto les;

    case 0xb6: /* movzx rm8,r{16,32,64} */
        /* Recompute DstReg as we may have decoded AH/BH/CH/DH. */
        dst.reg = decode_register(modrm_reg, &_regs, 0);
        dst.bytes = op_bytes;
        dst.val = (uint8_t)src.val;
        break;

    case 0xbc: /* bsf */ {
        int zf;
        asm ( "bsf %2,%0; setz %b1"
              : "=r" (dst.val), "=q" (zf)
              : "r" (src.val), "1" (0) );
        _regs.eflags &= ~EFLG_ZF;
        _regs.eflags |= zf ? EFLG_ZF : 0;
        break;
    }

    case 0xbd: /* bsr */ {
        int zf;
        asm ( "bsr %2,%0; setz %b1"
              : "=r" (dst.val), "=q" (zf)
              : "r" (src.val), "1" (0) );
        _regs.eflags &= ~EFLG_ZF;
        _regs.eflags |= zf ? EFLG_ZF : 0;
        break;
    }

    case 0xb7: /* movzx rm16,r{16,32,64} */
        dst.val = (uint16_t)src.val;
        break;

    case 0xbb: btc: /* btc */
        emulate_2op_SrcV_nobyte("btc", src, dst, _regs.eflags);
        break;

    case 0xba: /* Grp8 */
        /* Bit-test subop selected by the ModRM reg field. */
        switch ( modrm_reg & 7 )
        {
        case 4: goto bt;
        case 5: goto bts;
        case 6: goto btr;
        case 7: goto btc;
        default: generate_exception_if(1, EXC_UD);
        }
        break;

    case 0xbe: /* movsx rm8,r{16,32,64} */
        /* Recompute DstReg as we may have decoded AH/BH/CH/DH. */
        dst.reg = decode_register(modrm_reg, &_regs, 0);
        dst.bytes = op_bytes;
        dst.val = (int8_t)src.val;
        break;

    case 0xbf: /* movsx rm16,r{16,32,64} */
        dst.val = (int16_t)src.val;
        break;

    case 0xc0 ... 0xc1: /* xadd */
        /* Write back the register source. */
        switch ( dst.bytes )
        {
        case 1: *(uint8_t *)src.reg = (uint8_t)dst.val; break;
        case 2: *(uint16_t *)src.reg = (uint16_t)dst.val; break;
        case 4: *src.reg = (uint32_t)dst.val; break; /* 64b reg: zero-extend */
        case 8: *src.reg = dst.val; break;
        }
        goto add;
    }
    goto writeback;

 twobyte_special_insn:
    /* Two-byte opcodes that bypass the generic operand decode/writeback. */
    switch ( b )
    {
    case 0x01: /* Grp7 */ {
        struct segment_register reg;
        unsigned long base, limit, cr0, cr0w;

        switch ( modrm_reg & 7 )
        {
        case 0: /* sgdt */
        case 1: /* sidt */
            generate_exception_if(ea.type != OP_MEM, EXC_UD);
            fail_if(ops->read_segment == NULL);
            if ( (rc = ops->read_segment((modrm_reg & 1) ?
                                         x86_seg_idtr : x86_seg_gdtr,
                                         &reg, ctxt)) )
                goto done;
            /* 16-bit operand size stores only a 24-bit base. */
            if ( op_bytes == 2 )
                reg.base &= 0xffffff;
            if ( (rc = ops->write(ea.mem.seg, ea.mem.off+0,
                                  reg.limit, 2, ctxt)) ||
                 (rc = ops->write(ea.mem.seg, ea.mem.off+2,
                                  reg.base, mode_64bit() ? 8 : 4, ctxt)) )
                goto done;
            break;
        case 2: /* lgdt */
        case 3: /* lidt */
            generate_exception_if(ea.type != OP_MEM, EXC_UD);
            fail_if(ops->write_segment == NULL);
            memset(&reg, 0, sizeof(reg));
            if ( (rc = ops->read(ea.mem.seg, ea.mem.off+0,
                                 &limit, 2, ctxt)) ||
                 (rc = ops->read(ea.mem.seg, ea.mem.off+2,
                                 &base, mode_64bit() ? 8 : 4, ctxt)) )
                goto done;
            reg.base = base;
            reg.limit = limit;
            if ( op_bytes == 2 )
                reg.base &= 0xffffff;
            if ( (rc = ops->write_segment((modrm_reg & 1) ?
                                          x86_seg_idtr : x86_seg_gdtr,
                                          &reg, ctxt)) )
                goto done;
            break;
        case 4: /* smsw */
            ea.bytes = 2;
            dst = ea;
            fail_if(ops->read_cr == NULL);
            if ( (rc = ops->read_cr(0, &dst.val, ctxt)) )
                goto done;
            d |= Mov; /* force writeback */
            break;
        case 6: /* lmsw */
            fail_if(ops->read_cr == NULL);
            fail_if(ops->write_cr == NULL);
            if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
                goto done;
            if ( ea.type == OP_REG )
                cr0w = *ea.reg;
            else if ( (rc = ops->read(ea.mem.seg, ea.mem.off,
                                      &cr0w, 2, ctxt)) )
                goto done;
            /* LMSW replaces only the low 16 bits of CR0. */
            cr0 &= 0xffff0000;
            cr0 |= (uint16_t)cr0w;
            if ( (rc = ops->write_cr(0, cr0, ctxt)) )
                goto done;
            break;
        default:
            goto cannot_emulate;
        }
        break;
    }

    case 0x06: /* clts */
        generate_exception_if(!mode_ring0(), EXC_GP);
        fail_if((ops->read_cr == NULL) || (ops->write_cr == NULL));
        if ( (rc = ops->read_cr(0, &dst.val, ctxt)) ||
             (rc = ops->write_cr(0, dst.val&~8, ctxt)) ) /* clear CR0 bit 3 (TS) */
            goto done;
        break;

    case 0x08: /* invd */
    case 0x09: /* wbinvd */
        generate_exception_if(!mode_ring0(), EXC_GP);
        fail_if(ops->wbinvd == NULL);
        if ( (rc = ops->wbinvd(ctxt)) != 0 )
            goto done;
        break;

    case 0x0d: /* GrpP (prefetch) */
    case 0x18: /* Grp16 (prefetch/nop) */
    case 0x19 ... 0x1f: /* nop (amd-defined) */
        break;

    case 0x20: /* mov cr,reg */
    case 0x21: /* mov dr,reg */
    case 0x22: /* mov reg,cr */
    case 0x23: /* mov reg,dr */
        generate_exception_if(!mode_ring0(), EXC_GP);
        /* REX.B extends the r/m register; LOCK extends the CR number. */
        modrm_rm |= (rex_prefix & 1) << 3;
        modrm_reg |= lock_prefix << 3;
        if ( b & 2 )
        {
            /* Write to CR/DR. */
            src.val = *(unsigned long *)decode_register(modrm_rm, &_regs, 0);
            if ( !mode_64bit() )
                src.val = (uint32_t)src.val;
            rc = ((b & 1)
                  ? (ops->write_dr
                     ? ops->write_dr(modrm_reg, src.val, ctxt)
                     : X86EMUL_UNHANDLEABLE)
                  : (ops->write_cr
                     ? ops->write_cr(modrm_reg, src.val, ctxt)
                     : X86EMUL_UNHANDLEABLE));
        }
        else
        {
            /* Read from CR/DR. */
            dst.type = OP_REG;
            dst.bytes = mode_64bit() ? 8 : 4;
            dst.reg = decode_register(modrm_rm, &_regs, 0);
            rc = ((b & 1)
                  ? (ops->read_dr
                     ? ops->read_dr(modrm_reg, &dst.val, ctxt)
                     : X86EMUL_UNHANDLEABLE)
                  : (ops->read_cr
                     ? ops->read_cr(modrm_reg, &dst.val, ctxt)
                     : X86EMUL_UNHANDLEABLE));
        }
        if ( rc != 0 )
            goto done;
        break;

    case 0x30: /* wrmsr */ {
        uint64_t val = ((uint64_t)_regs.edx << 32) | (uint32_t)_regs.eax;
        generate_exception_if(!mode_ring0(), EXC_GP);
        fail_if(ops->write_msr == NULL);
        if ( (rc = ops->write_msr((uint32_t)_regs.ecx, val, ctxt)) != 0 )
            goto done;
        break;
    }

    case 0x31: /* rdtsc */ {
        unsigned long cr4;
        uint64_t val;
        fail_if(ops->read_cr == NULL);
        if ( (rc = ops->read_cr(4, &cr4, ctxt)) )
            goto done;
        /* CR4.TSD restricts RDTSC to ring 0. */
        generate_exception_if((cr4 & CR4_TSD) && !mode_ring0(), EXC_GP);
        fail_if(ops->read_msr == NULL);
        if ( (rc = ops->read_msr(MSR_TSC, &val, ctxt)) != 0 )
            goto done;
        _regs.edx = (uint32_t)(val >> 32);
        _regs.eax = (uint32_t)(val >>  0);
        break;
    }

    case 0x32: /* rdmsr */ {
        uint64_t val;
        generate_exception_if(!mode_ring0(), EXC_GP);
        fail_if(ops->read_msr == NULL);
        if ( (rc = ops->read_msr((uint32_t)_regs.ecx, &val, ctxt)) != 0 )
            goto done;
        _regs.edx = (uint32_t)(val >> 32);
        _regs.eax = (uint32_t)(val >>  0);
        break;
    }

    case 0x80 ... 0x8f: /* jcc (near) */ {
        int rel = (((op_bytes == 2) && !mode_64bit())
                   ? (int32_t)insn_fetch_type(int16_t)
                   : insn_fetch_type(int32_t));
        if ( test_cc(b, _regs.eflags) )
            jmp_rel(rel);
        break;
    }

    case 0xa0: /* push %%fs */
        src.val = x86_seg_fs;
        goto push_seg;

    case 0xa1: /* pop %%fs */
        src.val = x86_seg_fs;
        goto pop_seg;

    case 0xa2: /* cpuid */ {
        unsigned int eax = _regs.eax, ebx = _regs.ebx;
        unsigned int ecx = _regs.ecx, edx = _regs.edx;
        fail_if(ops->cpuid == NULL);
        if ( (rc = ops->cpuid(&eax, &ebx, &ecx, &edx, ctxt)) != 0 )
            goto done;
        _regs.eax = eax; _regs.ebx = ebx;
        _regs.ecx = ecx; _regs.edx = edx;
        break;
    }

    case 0xa8: /* push %%gs */
        src.val = x86_seg_gs;
        goto push_seg;

    case 0xa9: /* pop %%gs */
        src.val = x86_seg_gs;
        goto pop_seg;

    case 0xc7: /* Grp9 (cmpxchg8b) */
#if defined(__i386__)
    {
        unsigned long old_lo, old_hi;
        generate_exception_if((modrm_reg & 7) != 1, EXC_UD);
        generate_exception_if(ea.type != OP_MEM, EXC_UD);
        if ( (rc = ops->read(ea.mem.seg, ea.mem.off+0, &old_lo, 4, ctxt)) ||
             (rc = ops->read(ea.mem.seg, ea.mem.off+4, &old_hi, 4, ctxt)) )
            goto done;
        if ( (old_lo != _regs.eax) || (old_hi != _regs.edx) )
        {
            /* Mismatch: return the current value in EDX:EAX, ZF clear. */
            _regs.eax = old_lo;
            _regs.edx = old_hi;
            _regs.eflags &= ~EFLG_ZF;
        }
        else if ( ops->cmpxchg8b == NULL )
        {
            rc = X86EMUL_UNHANDLEABLE;
            goto done;
        }
        else
        {
            if ( (rc = ops->cmpxchg8b(ea.mem.seg, ea.mem.off, old_lo, old_hi,
                                      _regs.ebx, _regs.ecx, ctxt)) != 0 )
                goto done;
            _regs.eflags |= EFLG_ZF;
        }
        break;
    }
#elif defined(__x86_64__)
    {
        unsigned long old, new;
        generate_exception_if((modrm_reg & 7) != 1, EXC_UD);
        generate_exception_if(ea.type != OP_MEM, EXC_UD);
        if ( (rc = ops->read(ea.mem.seg, ea.mem.off, &old, 8, ctxt)) != 0 )
            goto done;
        if ( ((uint32_t)(old>>0) != (uint32_t)_regs.eax) ||
             ((uint32_t)(old>>32) != (uint32_t)_regs.edx) )
        {
            /* Mismatch: return the current value in EDX:EAX, ZF clear. */
            _regs.eax = (uint32_t)(old>>0);
            _regs.edx = (uint32_t)(old>>32);
            _regs.eflags &= ~EFLG_ZF;
        }
        else
        {
            new = (_regs.ecx<<32)|(uint32_t)_regs.ebx;
            if ( (rc = ops->cmpxchg(ea.mem.seg, ea.mem.off, old,
                                    new, 8, ctxt)) != 0 )
                goto done;
            _regs.eflags |= EFLG_ZF;
        }
        break;
    }
#endif

    case 0xc8 ... 0xcf: /* bswap */
        dst.type = OP_REG;
        dst.reg = decode_register(
            (b & 7) | ((rex_prefix & 1) << 3), &_regs, 0);
        switch ( dst.bytes = op_bytes )
        {
        default: /* case 2: */
            /* Undefined behaviour. Writes zero on all tested CPUs. */
            dst.val = 0;
            break;
        case 4:
#ifdef __x86_64__
            asm ( "bswap %k0" : "=r" (dst.val) : "0" (*dst.reg) );
            break;
        case 8:
#endif
            asm ( "bswap %0" : "=r" (dst.val) : "0" (*dst.reg) );
            break;
        }
        break;
    }
    goto writeback;

 cannot_emulate:
#if 0
    /* Debug aid (disabled): dump the bytes of the failed instruction. */
    gdprintk(XENLOG_DEBUG, "Instr:");
    for ( ea.mem.off = ctxt->regs->eip; ea.mem.off < _regs.eip; ea.mem.off++ )
    {
        unsigned long x;
        ops->insn_fetch(x86_seg_cs, ea.mem.off, &x, 1, ctxt);
        printk(" %02x", (uint8_t)x);
    }
    printk("\n");
#endif
    return X86EMUL_UNHANDLEABLE;