Äîêóìåíò âçÿò èç êýøà ïîèñêîâîé ìàøèíû. Àäðåñ îðèãèíàëüíîãî äîêóìåíòà : http://www.arcetri.astro.it/irlab/doc/library/intel/24319101.pdf Äàòà èçìåíåíèÿ: Thu Oct 7 13:17:34 1999 Äàòà èíäåêñèðîâàíèÿ: Sat Dec 22 10:12:09 2007 Êîäèðîâêà: Ïîèñêîâûå ñëîâà: arp 220

Intel Architecture Software Developer's Manual
Volume 2: Instruction Set Reference

NOTE: The Intel Architecture Software Developer's Manual consists of three volumes: Basic Architecture, O rder Number 243190; Instruction Set Reference, Order Number 243191; and the System Programm ing Guide, Order Number 243192. Please refer to all three volumes when evaluating your design needs.

1997


Information in this document is provided in connection with Intel products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. Intel' Intel Architecture processors (e.g., Pentium® processor, Pentium processor with MMXTM technology, and Pentium Pro s processor) may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Such errata are not covered by Intel' warranty. Current characterized errata are available on request. s Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an ordering number and are referenced in this document, or other Intel literature, may be obtained from: Intel Corporation P.O. Box 7641 Mt. Prospect IL 60056-7641 or call 1-800-879-4683 or visit Intel' website at http:\\www.intel.com s Copyright © Intel Corporation 1996, 1997. * Third-party brands and names are the property of their respective owners.


TABLE OF CONTENTS
PAGE

CHAPTER 1 ABOUT THIS M ANUAL 1.1. OVERVIEW O F THE INTEL ARCHITECTURE SO FTWARE DEVELOPER'S MANUAL, VOLUME 2: INSTRUCTION SET REFERENCE 1.2. OVERVIEW O F THE INTEL ARCHITECTURE SO FTWARE DEVELOPER'S MANUAL, VOLUME 1: BASIC ARCHITECTURE . . . . . . . . 1.3. OVERVIEW O F THE INTEL ARCHITECTURE SO FTWARE DEVELOPER'S MANUAL, VOLUME 3: SYSTEM PROG RAMMING GUIDE 1.4. NOTATIO NAL CONVENTION S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.1. Bit and Byte O rder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.2. Reserved Bits and Software Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 1.4.3. Instruction Operands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.4. Hexadecimal and Binary Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.5. Segmented Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.6. Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5. RELATED LITERATURE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CHAPTER 2 INSTRU CTION FORM AT 2.1. GENERAL INSTRUCTION FORMAT . . . . . . . . . 2.2. INSTRU CTION PREFIXES . . . . . . . . . . . . . . . . . 2.3. OP C OD E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4. MODR /M AND SIB BYTES . . . . . . . . . . . . . . . . . 2.5. DISPLACEM ENT AND IMMEDIATE BYTES . . . . 2.6. ADDRESSING-MO DE ENCODING OF MODR/M

. . . . . . 1-1 . . . . . . 1-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3 1-5 1-5 1-5 1-6 1-6 1-7 1-7 1-8

..... ..... ..... ..... ..... AND

... ... ... ... ... SIB

...... ...... ...... ...... ...... BYTES

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

2-1 2-1 2-2 2-2 2-3 2-3

CHAPTER 3 INSTRU CTION SET REFERENCE 3.1. INTERPRETING THE INSTRUCTIO N REFERENCE 3.1.1. Instruction Form at . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.1.1. Opcode Column . . . . . . . . . . . . . . . . . . . . . . . . 3.1.1.2. Instruction Column . . . . . . . . . . . . . . . . . . . . . . 3.1.1.3. Description Column . . . . . . . . . . . . . . . . . . . . . 3.1.1.4. Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.2. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.3. Flags Affected . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.4. FPU Flags Affected . . . . . . . . . . . . . . . . . . . . . . . . 3.1.5. Protected Mode Exceptions. . . . . . . . . . . . . . . . . . 3.1.6. Real-Address M ode Exceptions . . . . . . . . . . . . . . 3.1.7. Virtual-8086 M ode Exceptions. . . . . . . . . . . . . . . . 3.1.8. Floating-Point Exceptions . . . . . . . . . . . . . . . . . . . 3.2. INSTRU CTION REFERENCE . . . . . . . . . . . . . . . . . . AAA--ASC II Adjust After Addition . . . . . . . . AAD--ASCII Adjust AX Before Division. . . . AAM--ASCII Adjust AX After M ultiply . . . . . AAS--ASC II Adjust AL After Subtraction. . . ADC--Add with Carry . . . . . . . . . . . . . . . . . ADD--Add . . . . . . . . . . . . . . . . . . . . . . . . . .

PAGES ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... ....... .......

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. 3-1 . 3-1 . 3-1 . 3-2 . 3-4 . 3-4 . 3-5 . 3-8 . 3-8 . 3-8 . 3-9 . 3-9 3-10 3-10 3-11 3-12 3-13 3-14 3-15 3-17 v


TABLE OF CONTENTS
PAGE

AND--Logical AND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ARPL--Adjust RPL Field of Segment Selector . . . . . . . . . . . . . . . . BOUND--Check Array Index Against Bounds. . . . . . . . . . . . . . . . . BSF--Bit Scan Forw ard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSR--Bit Scan Reverse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSWAP--Byte Swap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BT--Bit Test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BTC--Bit Test and Complement . . . . . . . . . . . . . . . . . . . . . . . . . . . BTR--Bit Test and Reset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BTS--Bit Test and Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CALL--Call Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CBW/CWDE--Convert Byte to Word/Convert Word to Doubleword CDQ--Convert Double to Quad. . . . . . . . . . . . . . . . . . . . . . . . . . . . CLC--C lear Carry Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CLD--C lear Direction Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CLI--Clear Interrupt Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CLTS--Clear Task-Switched Flag in CR0 . . . . . . . . . . . . . . . . . . . . CMC--Complement Carry Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . CMO Vcc--Conditional Move . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CMP--Compare Two Operands . . . . . . . . . . . . . . . . . . . . . . . . . . . CMPS/CMPSB/CM PSW/CMPSD--Compare String Operands . . . CMPXCHG --Compare and Exchange . . . . . . . . . . . . . . . . . . . . . . CMPXCHG 8B--Compare and Exchange 8 Bytes . . . . . . . . . . . . . . CPUID--CPU Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CWD/CDQ--Convert Word to Doubleword/Convert Doubleword to Quadword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CWDE--Convert Word to Doubleword . . . . . . . . . . . . . . . . . . . . . . DAA--Decim al Adjust AL after Addition . . . . . . . . . . . . . . . . . . . . . DAS--Decim al Adjust AL after Subtraction . . . . . . . . . . . . . . . . . . . DEC--Decrement by 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DIV--Unsigned Divide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EMM S--Empty M MXTM State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ENTER--M ake Stack Frame for Procedure Parameters . . . . . . . . . F2XM1--Compute 2x­1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FABS--Absolute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FADD/FADDP/FIADD--Add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FBLD--Load Binary Coded Decimal . . . . . . . . . . . . . . . . . . . . . . . . FBSTP--Store BCD Integer and Pop . . . . . . . . . . . . . . . . . . . . . . . FCHS--Change Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FCLEX/FNCLEX--Clear Exceptions . . . . . . . . . . . . . . . . . . . . . . . . FCMOVcc--Floating-Point Conditional M ove . . . . . . . . . . . . . . . . . FCOM/FCOMP/FCOM PP--Compare R eal . . . . . . . . . . . . . . . . . . . FCOMI/FCOMIP/ FUCOMI/FUCOMIP--Compare Real and Set EFLAG S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FCOS--Cosine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FDECSTP--Decrement Stack-Top Pointer . . . . . . . . . . . . . . . . . . . FDIV/FDIVP/FIDIV--Divide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . .

3-19 3-21 3-23 3-25 3-27 3-29 3-30 3-32 3-34 3-36 3-38 3-49 3-50 3-51 3-52 3-53 3-55 3-56 3-57 3-61 3-63 3-66 3-68 3-70

. 3-77 . 3-78 . 3-79 . 3-81 . 3-82 . 3-84 . 3-87 . 3-88 . 3-91 . 3-93 . 3-95 . 3-98 3-100 3-103 3-105 3-107 3-109 3333112 115 117 118

vi


TABLE OF CONTENTS
PAGE

FDIVR/FDIVRP/FIDIVR--Reverse Divide . . . . . . . . . . . . . . FFR EE--Free Floating-Point Register . . . . . . . . . . . . . . . . . FICOM/FICOMP--Compare Integer . . . . . . . . . . . . . . . . . . FILD--Load Integer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FINCSTP--Increment Stack-Top Pointer . . . . . . . . . . . . . . FINIT/FNINIT--Initialize Floating-Point Unit. . . . . . . . . . . . . FIST/FISTP--Store Integer . . . . . . . . . . . . . . . . . . . . . . . . . FLD--Load Real . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FLD1/FLDL2T/FLDL2E/FLDPI/FLDLG2/FLDLN2/FLDZ-- Load Constant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FLDC W--Load Control Word . . . . . . . . . . . . . . . . . . . . . . . . FLDENV--Load FPU Environment . . . . . . . . . . . . . . . . . . . FMUL/FMULP/FIMUL--Multiply . . . . . . . . . . . . . . . . . . . . . . FNOP--No O peration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FPATAN--Partial Arctangent . . . . . . . . . . . . . . . . . . . . . . . . FPATAN--Partial Arctangent . . . . . . . . . . . . . . . . . . . . . . . . FPREM1--Partial Rem ainder . . . . . . . . . . . . . . . . . . . . . . . FPTAN--Partial Tangent . . . . . . . . . . . . . . . . . . . . . . . . . . . FRNDINT--Round to Integer . . . . . . . . . . . . . . . . . . . . . . . . FRSTOR--Restore FPU State . . . . . . . . . . . . . . . . . . . . . . . FSAVE/FNSAVE--Store FPU State . . . . . . . . . . . . . . . . . . FSCALE--Scale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FSIN--Sine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FSINCOS--Sine and Cosine . . . . . . . . . . . . . . . . . . . . . . . . FSQRT--Square Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FST/FSTP--Store Real . . . . . . . . . . . . . . . . . . . . . . . . . . . . FSTC W/FNSTCW--Store Control Word . . . . . . . . . . . . . . . FSTENV/FNSTENV--Store FPU Environment . . . . . . . . . . FSTSW/FNSTSW--Store Status Word . . . . . . . . . . . . . . . . FSUB/FSUBP/FISUB--Subtract . . . . . . . . . . . . . . . . . . . . . FSUBR/FSUBRP/FISUBR--Reverse Subtract . . . . . . . . . . FTST--TEST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FUCOM/FUCO MP/FUCOMPP--Unordered Compare Real FWAIT--Wait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FXAM--Examine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FXCH--Exchange Register Contents . . . . . . . . . . . . . . . . . FXTR AC T--Extract Exponent and Significand . . . . . . . . . . FYL2X--Compute y * log2x . . . . . . . . . . . . . . . . . . . . . . . . . FYL2XP1--C om pute y * log2(x +1) . . . . . . . . . . . . . . . . . . . HLT--Halt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IDIV--Signed Divide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IMUL--Signed Multiply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IN--Input from Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INC--Increment by 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . INS/INSB/INSW/INSD--Input from Port to String . . . . . . . . INT n/INTO/INT 3--Call to Interrupt Procedure . . . . . . . . . . INVD--Invalidate Internal Caches . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3-122 3-126 3-127 3-129 3-131 3-132 3-134 3-137 3-139 3-141 3-143 3-145 3-148 3-149 3-151 3-154 3-157 3-159 3-160 3-162 3-165 3-167 3-169 3-171 3-173 3-176 3-178 3-180 3-182 3-185 3-188 3-190 3-193 3-194 3-196 3-198 3-200 3-202 3-204 3-205 3-208 3-211 3-213 3-215 3-218 3-230

vii


TABLE OF CONTENTS
PAGE

INVLPG--Invalidate TLB Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IRET/IRETD--Interrupt Return . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jcc--Jump if Condition Is Met . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J M P --J u m p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LAHF--Load Status Flags into AH Register . . . . . . . . . . . . . . . . . . . LAR--Load Access Rights Byte . . . . . . . . . . . . . . . . . . . . . . . . . . . . LDS/LES/LFS/LG S/LSS--Load Far Pointer . . . . . . . . . . . . . . . . . . . LEA--Load Effective Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LEAVE--High Level Procedure Exit . . . . . . . . . . . . . . . . . . . . . . . . . LES--Load Full Pointer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LFS--Load Full Pointer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LGDT/LIDT--Load Global/Interrupt Descriptor Table Register . . . . . LGS--Load Full Pointer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LLDT--Load Local Descriptor Table Register . . . . . . . . . . . . . . . . . . LIDT--Load Interrupt Descriptor Table Register . . . . . . . . . . . . . . . . LMSW--Load Machine Status Word . . . . . . . . . . . . . . . . . . . . . . . . . LOCK--Assert LOCK# Signal Prefix . . . . . . . . . . . . . . . . . . . . . . . . . LODS/LOD SB/LODSW/LO DSD--Load String . . . . . . . . . . . . . . . . . LOOP/LO OPcc--Loop According to ECX Counter . . . . . . . . . . . . . . LSL--Load Segment Lim it . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LSS--Load Full Pointer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LTR--Load Task Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOV -- Mo v e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOV--Move to/from Control Registers . . . . . . . . . . . . . . . . . . . . . . . MOV--Move to/from Debug Registers . . . . . . . . . . . . . . . . . . . . . . . MOVD--Move 32 Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOVQ --Move 64 Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MOVS/MOVSB/MOVSW/MOVSD--M ove Data from String to String MOVSX--Move with Sign-Extension . . . . . . . . . . . . . . . . . . . . . . . . . MOVZX--Move with Zero-Extend . . . . . . . . . . . . . . . . . . . . . . . . . . . MUL--Unsigned Multiply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NEG--Two's Complement Negation . . . . . . . . . . . . . . . . . . . . . . . . . NOP--No Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NOT--One's Complement Negation . . . . . . . . . . . . . . . . . . . . . . . . . OR--Logical Inclusive OR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OUT--Output to Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OUTS/OUTSB/OUTSW/OUTSD--Output String to Port . . . . . . . . . . PACKSSWB/PACKSSDW--Pack with Signed Saturation . . . . . . . . PACKUSWB--Pack with Unsigned Saturation . . . . . . . . . . . . . . . . . PADDB/PADDW/PADDD--Packed Add . . . . . . . . . . . . . . . . . . . . . . PADDSB/PAD DSW--Packed Add with Saturation . . . . . . . . . . . . . . PADDUSB/PADDUSW--Packed Add Unsigned with Saturation . . . PAND--Logical AND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PANDN--Logical AND NOT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PCMPEQB/PCMPEQW/PCMPEQD--Packed Compare for Equal . . PCMPGTB/PCMPGTW/PCMPGTD--Packed Compare for Greater Than . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3-232 3-233 3-241 3-245 3-252 3-253 3-256 3-259 3-261 3-263 3-264 3-265 3-267 3-268 3-270 3-271 3-273 3-275 3-278 3-280 3-283 3-284 3-286 3-291 3-293 3-295 3-297 3-299 3-302 3-304 3-306 3-308 3-310 3-311 3-313 3-315 3-317 3-320 3-323 3-325 3-328 3-331 3-334 3-336 3-338

. . . 3-341

viii


TABLE OF CONTENTS
PAGE

PMADDWD--Packed Multiply and Add . . . . . . . . . . . . . . . . . . . . . . . . PMULHW--Packed Multiply High . . . . . . . . . . . . . . . . . . . . . . . . . . . . PMULLW--Packed Multiply Low . . . . . . . . . . . . . . . . . . . . . . . . . . . . . POP--Pop a Value from the Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . POPA/POPAD--Pop All General-Purpose Registers . . . . . . . . . . . . . POPF/POPFD--Pop Stack into EFLAGS Register . . . . . . . . . . . . . . . POR--Bitwise Logical O R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PSLLW/PSLLD/PSLLQ--Packed Shift Left Logical . . . . . . . . . . . . . . . PSRAW/PSRAD--Packed Shift Right Arithm etic. . . . . . . . . . . . . . . . . PSRLW/PSRLD/PSRLQ --Packed Shift Right Logical . . . . . . . . . . . . . PSUBB/PSUBW/PSUBD--Packed Subtract . . . . . . . . . . . . . . . . . . . . PSUBSB/PSUBSW--Packed Subtract with Saturation . . . . . . . . . . . . PSUBUSB/PSUBUSW--Packed Subtract Unsigned with Saturation . PUNPCKHBW/PUNPCKHWD/PUN PC KHDQ-- Unpack High Packed Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PUNPCKLBW/PUNPCKLWD/PUNPCKLDQ-- Unpack Low Packed D ata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PUSH--Push Word or Doubleword Onto the Stack . . . . . . . . . . . . . . . PUSHA/PUSHAD--Push All G eneral-Purpose Registers . . . . . . . . . . PUSHF/PUSHFD--Push EFLAGS Register onto the Stack . . . . . . . . PXOR--Logical Exclusive OR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RCL/RCR/ROL/ROR---Rotate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RDMSR--R ead from Model Specific Register . . . . . . . . . . . . . . . . . . . RDPMC--R ead Perform ance-Monitoring Counters . . . . . . . . . . . . . . . RDTSC--Read Time-Stamp Counter . . . . . . . . . . . . . . . . . . . . . . . . . REP/REPE/REPZ/REPNE /REPNZ--Repeat String O peration Prefix RET--Return from Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ROL/ROR--Rotate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RSM--Resume from System Management Mode . . . . . . . . . . . . . . . . SAHF--Store AH into Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SAL/SAR/SHL/SHR--Shift . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SBB--Integer Subtraction with Borrow . . . . . . . . . . . . . . . . . . . . . . . . SCAS/SCASB/SCASW/SCASD--Scan String. . . . . . . . . . . . . . . . . . . SETcc--Set Byte on C ondition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SGDT/SIDT--Store Global/Interrupt Descriptor Table Register . . . . . SHL/SHR--Shift Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SHLD--Double Precision Shift Left . . . . . . . . . . . . . . . . . . . . . . . . . . . SHRD--Double Precision Shift Right . . . . . . . . . . . . . . . . . . . . . . . . . . SIDT--Store Interrupt Descriptor Table Register . . . . . . . . . . . . . . . . . SLDT--Store Local Descriptor Table Register. . . . . . . . . . . . . . . . . . . SMSW--Store Machine Status Word . . . . . . . . . . . . . . . . . . . . . . . . . STC--Set Carry Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . STD--Set Direction Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . STI--Set Interrupt Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . STOS/STOSB/STOSW/STOSD--Store String . . . . . . . . . . . . . . . . . . STR--Store Task Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SUB--Subtract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . .

3-344 3-346 3-348 3-350 3-354 3-356 3-359 3-361 3-364 3-367 3-370 3-373 3-376

. 3-379 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-382 3-385 3-388 3-390 3-392 3-394 3-399 3-401 3-403 3-404 3-407 3-413 3-414 3-415 3-416 3-420 3-422 3-425 3-427 3-429 3-430 3-432 3-434 3-435 3-437 3-439 3-440 3-441 3-443 3-446 3-448

ix


TABLE OF CONTENTS
PAGE

TEST--Logical Compare . . . . . . . . . . . . . . . . . . . . . UD2--U ndefined Instruction . . . . . . . . . . . . . . . . . . VERR, VERW--Verify a Segment for Reading or W WAIT/FWAIT--Wait . . . . . . . . . . . . . . . . . . . . . . . . . WBINVD--Write Back and Invalidate Cache . . . . . . WR MSR--Write to Model Specific Register . . . . . . XADD--Exchange and Add . . . . . . . . . . . . . . . . . . . XCHG--Exchange Register/Memory with Register . XLAT/XLATB--Table Look-up Translation . . . . . . . XOR--Logical Exclusive OR . . . . . . . . . . . . . . . . . . APPENDIX A OPCODE MAP A.1. KEY TO ABBREVIATIONS . . . . . . . . . . . . . . . . . . . . . . A.1.1. Codes for Addressing Method . . . . . . . . . . . . . . . . . . A.1.2. Codes for Operand Type . . . . . . . . . . . . . . . . . . . . . . A.1.3. Register Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.2. ONE-BYTE OPCODE INTEGER INSTRUCTIONS . . . . A.3. TWO-BYTE OPCOD E INTEGER INSTRUCTIO NS . . . . A.4. OPCODE EXTENSIONS FOR ONE- AND TWO-BYTE A.5. ESCAPE O PCODE INSTR UCTIONS . . . . . . . . . . . . . . A.5.1. Escape O pcodes with D8 as First Byte . . . . . . . . . . . A.5.2. Escape O pcodes with D9 as First Byte . . . . . . . . . . . A.5.3. Escape O pcodes with DA as First Byte . . . . . . . . . . . A.5.4. Escape O pcodes with DB as First Byte . . . . . . . . . . . A.5.5. Escape O pcodes with DC as First Byte . . . . . . . . . . . A.5.6. Escape O pcodes with DD as First Byte . . . . . . . . . . . A.5.7. Escape O pcodes with DE as First Byte . . . . . . . . . . . A.5.8. Escape O pcodes with DF As First Byte . . . . . . . . . . .

... ... ritin ... ... ... ... ... ... ...

. . g . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

3-450 3-452 3-453 3-455 3-456 3-458 3-460 3-462 3-464 3-466

......... ......... ......... ......... ......... ......... OPCODES ......... ......... ......... ......... ......... ......... ......... ......... .........

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. A-1 . A-1 . A-2 . A-3 . A-3 . A-3 . A-8 . A-9 A-10 A-12 A-14 A-16 A-18 A-20 A-22 A-24

APPENDIX B INSTRU CTION FORM ATS AND EN CODINGS B.1. MACHINE INSTRUCTION FO RMAT . . . . . . . . . . . . . . . . . . . . B.1.1. Reg Field (reg). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.1.2. Encoding of Operand Size Bit (w) . . . . . . . . . . . . . . . . . . . . B.1.3. Sign Extend (s) Bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.1.4. Segment Register Field (sreg). . . . . . . . . . . . . . . . . . . . . . . B.1.5. Special-Purpose Register (eee) Field . . . . . . . . . . . . . . . . . B.1.6. Condition Test Field (tttn) . . . . . . . . . . . . . . . . . . . . . . . . . . B.1.7. Direction (d) Bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.2. INTEG ER INSTRUCTION FORM ATS AND ENCODINGS . . . B.3. MM XTM INSTRUCTION FORMATS AND ENCODINGS . . . . . B.3.1. Granularity Field (gg) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.3.2. MM XTM and General-Purpose Register Fields (m mxreg and reg) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.3.3. MM XTM Instruction Formats and Encodings Table . . . . . . . B.4. FLOATING-POINT INSTRUCTIO N FORMATS AND ENCODI

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. B-1 . B-2 . B-3 . B-3 . B-4 . B-4 . B-5 . B-5 . B-6 B-19 B-19

. . . . . . . . . . . . . . . B-19 . . . . . . . . . . . . . . . B-20 NGS . . . . . . . . . . . B-24

x


TABLE OF FIGURES
PAG E

Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure

123333333333333333333333333-

1. 1. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25.

Figure 3-26. Figure Figure Figure Figure 3-27. A-1. B-1. B-2.

Bit and Byte O rder . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intel Architecture Instruction Format . . . . . . . . . . . . . . . Bit Offset for BIT[EAX,21] . . . . . . . . . . . . . . . . . . . . . . . Memory Bit Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . Version and Feature Information in Registers EAX and Operation of MOVD Instruction . . . . . . . . . . . . . . . . . . . Operation of the MOVQ Instructions. . . . . . . . . . . . . . . Operation of the PACKSSDW Instruction . . . . . . . . . . . Operation of the PACKUSWB Instruction . . . . . . . . . . . Operation of the PADDW Instruction . . . . . . . . . . . . . . Operation of the PADDSW Instruction . . . . . . . . . . . . . Operation of the PADDUSB Instruction . . . . . . . . . . . . Operation of the PAND Instruction . . . . . . . . . . . . . . . . Operation of the PANDN Instruction . . . . . . . . . . . . . . . Operation of the PCMPEQW Instruction . . . . . . . . . . . Operation of the PCMPGTW Instruction. . . . . . . . . . . . Operation of the PMADDWD Instruction . . . . . . . . . . . Operation of the PMULHW Instruction . . . . . . . . . . . . . Operation of the PMULLW Instruction . . . . . . . . . . . . . Operation of the POR Instruction.. . . . . . . . . . . . . . . . . Operation of the PSLLW Instruction . . . . . . . . . . . . . . . Operation of the PSRAW Instruction . . . . . . . . . . . . . . Operation of the PSRLW Instruction. . . . . . . . . . . . . . . Operation of the PSUBW Instruction . . . . . . . . . . . . . . Operation of the PSUBSW Instruction . . . . . . . . . . . . . Operation of the PSUBUSB Instruction . . . . . . . . . . . . High-Order Unpacking and Interleaving of Bytes With the PUNPCKHBW Instruction. . . . . . . . . . . . . . . . Low-Order Unpacking and Interleaving of Bytes With the PUNPCKLBW Instruction . . . . . . . . . . . . . . . . Operation of the PXOR Instruction. . . . . . . . . . . . . . . . ModR/M Byte nnn Field (Bits 5, 4, and 3) . . . . . . . . . . . General Machine Instruction Format . . . . . . . . . . . . . . Key to Codes for M MXTM Data Type Cross-Reference

..... ..... ..... ..... EDX. ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... .....

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . .

. . 1-5 . . 2-1 . . 3-7 . . 3-8 . 3-71 3-295 3-297 3-320 3-323 3-325 3-328 3-331 3-334 3-336 3-338 3-341 3-344 3-346 3-348 3-359 3-361 3-364 3-367 3-370 3-373 3-376

. . . . . . . . . . . . . . . . 3-379 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-382 3-392 . A-8 . B-1 B-20

xi


TABLE OF TABLES
PAG E

Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table Table

2-1. 2-2. 2-3. 3-1. 3-2. 3-3. 3-4. 3-5. 3-6. 3-7. A-1. A-2. A-3. A-4. A-5. A-6. A-7. A-8. A-9. A-10 A-11 A-12 A-13 A-14 A-15 A-16 A-17 A-18 A-19 B-1. B-2. B-3. B-4. B-5. B-6. B-7. B-8. B-9. B-10 B-11 B-12 B-13

. . . . . . . . . .

. . . .

Table B-14. Table B-15. Table B-16.

16-Bit Addressing Forms with the ModR/M Byte . . . . . . . . . . . . . . . . . . . . 32-Bit Addressing Forms with the ModR/M Byte . . . . . . . . . . . . . . . . . . . . 32-Bit Addressing Forms with the SIB Byte . . . . . . . . . . . . . . . . . . . . . . . . Register Encodings Associated with the +rb, +rw, and +rd Nomenclature . Exception Mnemonics, Names, and Vector Numbers . . . . . . . . . . . . . . . . Floating-Point Exception M nemonics and Names . . . . . . . . . . . . . . . . . . . Information Returned by CPUID Instruction . . . . . . . . . . . . . . . . . . . . . . . . Processor Type Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Feature Flags Returned in EDX Register . . . . . . . . . . . . . . . . . . . . . . . . . . Encoding of Cache and TLB Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . One-Byte Opcode Map1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Two Byte Opcode Map (First byte is 0FH)1 . . . . . . . . . . . . . . . . . . . . . . . . Opcode Extensions for O ne- and Two-Byte O pcodes by Group Number1 D8 O pcode Map When M odR/M Byte is Within 00H to BFH1 . . . . . . . . . . D8 O pcode Map When M odR/M Byte is Outside 00H to BFH1 . . . . . . . . . D9 O pcode Map When M odR/M Byte is Within 00H to BFH1 . . . . . . . . . . D9 O pcode Map When M odR/M Byte is Outside 00H to BFH1 . . . . . . . . . DA Opcode Map When ModR/M Byte is Within 00H to BFH1 . . . . . . . . . . DA Opcode Map When ModR/M Byte is Outside 00H to BFH1 . . . . . . . . . DB Opcode Map When ModR/M Byte is Within 00H to BFH1 . . . . . . . . . . DB Opcode Map When ModR/M Byte is Outside 00H to BFH1 . . . . . . . . . DC Opcode Map When ModR /M Byte is Within 00H to BFH1 . . . . . . . . . . DC Opcode Map When ModR /M Byte is Outside 00H to BFH1 . . . . . . . . . DD Opcode Map When ModR /M Byte is Within 00H to BFH1 . . . . . . . . . . DD Opcode Map When ModR /M Byte is Outside 00H to BFH1 . . . . . . . . . DE Opcode Map When ModR/M Byte is Within 00H to BFH1 . . . . . . . . . . DE Opcode Map When ModR/M Byte is Outside 00H to BFH1 . . . . . . . . . DF O pcode Map When M odR/M Byte is Within 00H to BFH1 . . . . . . . . . . DF O pcode Map When M odR/M Byte is Outside 00H to BFH1 . . . . . . . . . Special Fields Within Instruction Encodings . . . . . . . . . . . . . . . . . . . . . . . . Encoding of reg Field When w Field is Not Present in Instruction . . . . . . . Encoding of reg Field When w Field is Present in Instruction. . . . . . . . . . . Encoding of Operand Size (w) Bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Encoding of Sign-Extend (s) Bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Encoding of the Segm ent Register (sreg) Field . . . . . . . . . . . . . . . . . . . . . Encoding of Special-Purpose Register (eee) Field . . . . . . . . . . . . . . . . . . . Encoding of Conditional Test (tttn) Field. . . . . . . . . . . . . . . . . . . . . . . . . . . Encoding of Operation Direction (d) Bit . . . . . . . . . . . . . . . . . . . . . . . . . . . Integer Instruction Form ats and Encodings . . . . . . . . . . . . . . . . . . . . . . . . Encoding of Granularity of D ata Field (gg) . . . . . . . . . . . . . . . . . . . . . . . . . Encoding of the MMXTM Register Field (mmxreg) . . . . . . . . . . . . . . . . . . . Encoding of the General-Purpose Register Field (reg) When Used in M MXTM Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MM XTM Instruction Formats and Encodings . . . . . . . . . . . . . . . . . . . . . . . . General Floating-Point Instruction Formats . . . . . . . . . . . . . . . . . . . . . . . . Floating-Point Instruction Formats and Encodings . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . 2-4 . . 2-5 . . 2-6 . . 3-2 . . 3-9 . 3-10 . 3-70 . 3-72 . 3-72 . 3-74 . A-4 . A-6 . A-8 A-10 A-11 A-12 A-13 A-14 A-15 A-16 A-17 A-18 A-19 A-20 A-21 A-22 A-23 A-24 A-25 . B-2 . B-2 . B-3 . B-3 . B-3 . B-4 . B-4 . B-5 . B-6 . B-6 B-19 B-19 B-20 B-20 B-24 B-25

xii


1
About This Manual



CHAPTER 1 ABOUT THIS MANUAL
The Intel Architecture Software Developer's Manual, Volume 2: Instruction Set Reference (O rder Number 243191) is part of a three-volume set that describes the architecture and programming environment of all Intel Architecture processors. The other two volumes in this set are:

· ·

The Intel Architecture Software Developer's Manual, Volume 1: Basic Architecture (Order Number 243190). The Intel Architecture Software Developer's Manual, Volume 3: System Programing Guide (Order Number 243192).

The Intel Architecture Software Developer's Manual, Volume 1, describes the basic architecture and programming environment of an Intel Architecture processor; the Intel Architecture Software Developer's Manual, Volume 2, describes the instructions set of the processor and the opcode structure. These two volumes are aimed at application programmers w ho are writing programs to run under existing operating systems or executives. The Intel Architecture Software Developer's Manual, Volume 3, describes the operating-system support environment of an Intel Architecture processor, including memory management, protection, task management, interrupt and exception handling, and system management mode. It also provides Intel Architecture processor compatibility information. This volume is aimed at operating-system and BIOS designers and programmers.

1.1.

OVERVIEW OF THE INTEL ARCHITECTURE SOFTWARE DEVELOPER'S MANUAL, VOLUME 2: INSTRUCTION SET REFERENCE

The contents of this manual are as follows: Chapter 1 -- About This M anual. Gives an overview of all three volumes of the Intel Architecture Software Developer's Manual. It also describes the notational conventions in these manuals and lists related Intel manuals and documentation of interest to programmers and hardware designers. Chapter 2 -- Instruction Format. Describes the machine-level instruction format used for all Intel Architecture instructions and gives the allowable encodings of prefixes, the operand-identifier byte (ModR/M byte), the addressing-mode specifier byte (SIB byte), and the displacement and immediate bytes. Chapter 3 -- Instruction Set Reference. Describes each of the Intel Architecture instructions in detail, including an algorithmic description of operations, the effect on flags, the effect of operand- and address-size attributes, and the exceptions that may be generated. The instructions are arranged in alphabetical order. The MMXTM instructions are included in this chapter.

1-1


ABOUT THIS MANUAL

Appendix A -- Opcode M ap. Gives an opcode map for the Intel Architecture instruction set. Appendix B -- Instruction Formats and Encodings. Gives the binary encoding of each form of each Intel Architecture instruction.

1.2.

OVERVIEW OF THE INTEL ARCHITECTURE SOFTWARE DEVELOPER'S MANUAL, VOLUME 1: BASIC ARCHITECTURE

The contents of the Intel Architecture Software Developer's Manual, Volume 1, are as follows: Chapter 1 -- About This Manual. Gives an overview of all three volumes of the Intel Architecture Software Developer's Manual. It also describes the notational conventions in these manuals and lists related Intel manuals and documentation of interest to programmers and hardware designers. Chapter 2 -- Introduction to the Intel A rchitecture. Introduces the Intel A rchitecture and the families of Intel processors that are based on this architecture. It also gives an overview of the common features found in these processors and brief history of the Intel Architecture. Chapter 3 -- Basic Execution Environment. Introduces the models of memory organization and describes the register set used by applications. Chapter 4 -- Procedure Calls, Interrupts, and Exceptions. Describes the procedure stack and the mechanisms provided for making procedure calls and for servicing interrupts and exceptions. Chapter 5 -- Data Types and Addressing M odes. Describes the data types and addressing modes recognized by the processor. Chapter 6 -- Instruction Set Summary. Gives an overview of all the Intel Architecture instructions except those executed by the processor's floating-point unit. The instructions are presented in functionally related groups. Chapter 7 -- Floating-Point Unit. Describes the Intel Architecture floating-point unit, including the floating-point registers and data types; gives an overview of the floating-point instruction set; and describes the processor's floating-point exception conditions. Chapter 8 -- Programming with Intel MM XTM Technology. Describes the Intel MMX technology, including MMX registers and data types, and gives an overview of the MMX instruction set. Chapter 9 -- Input/Output. Describes the processor's I/O architecture, including I/O port addressing, the I/O instructions, and the I/O protection mechanism. Chapter 10 -- Processor Identification and Feature Determination. Describes how to determine the CPU type and the features that are available in the processor. Appendix A -- EFLAGS Cross-Reference. Summaries how the Intel Architecture instructions affect the flags in the EFLAGS register.

1- 2


A BOUT THIS MANUAL

Appendix B -- EFLAGS Condition Codes. Summarizes how the conditional jump, move, and byte set on condition code instructions use the condition code flags (OF, CF, ZF, SF, and PF) in the EFLAGS register. Appendix C -- Floating-Point Exceptions Summary. Summarizes the exceptions that can be raised by floating-point instructions. App and both also endix D -- Guidelines for Writing FPU Exception Handlers. Describes how to design write M S-DOS* compatible exception handling facilities for FPU exceptions, including software and hardware requirements and assembly-language code examples. This appendix describes general techniques for writing robust FPU exception handlers.

1.3.

OVERVIEW OF THE INTEL ARCHITECTURE SOFTWARE DEVELOPER'S MANUAL, VOLUME 3: SYSTEM PROGRAMMING GUIDE

The contents of the Intel Architecture Software Developer's Manual, Volume 3, are as follows: Chapter 1 -- About This M anual. Gives an overview of all three volumes of the Intel Architecture Software Developer's Manual. It also describes the notational conventions in these manuals and lists related Intel manuals and documentation of interest to programmers and hardware designers. Chapter 2 -- System Architecture Overview. Describes the modes of operation of an Intel Architecture processor and the mechanisms provided in the Intel A rchitecture to support operating systems and executives, including the system-oriented registers and data structures and the system-oriented instructions. The steps necessary for switching between real-address and protected modes are also identified. Chapter 3 -- Protected-Mode Memory M anagement. Describes the data structures, registers, and instructions that support segmentation and paging and explains how they can be used to implement a "flat" (unsegmented) memory model or a segmented memory model. Chapter 4 -- Protection. Describes the support for page and segment protection provided in the Intel Architecture. This chapter also explains the implementation of privilege rules, stack switching, pointer validation, user and supervisor modes. Chapter 5 -- Interrupt and Exception Handling. Describes the basic interrupt mechanisms defined in the Intel Architecture, shows how interrupts and exceptions relate to protection, and describes how the architecture handles each exception type. Reference information for each Intel Architecture exception is given at the end of this chapter. Chapter 6 -- Task M anagement. Describes the mechanisms the Intel Architecture provides to support multitasking and inter-task protection. Chapter 7 -- Multiple Processor M anagement. D escribes the instructions and flags that support multiple processors with shared memory, memory ordering, and the advanced programmable interrupt controller (APIC).

1-3


ABOUT THIS MANUAL

Chapter 8 -- Processor Management and Initialization. Defines the state of an Intel Architecture processor and its floating-point unit after reset initialization. This chapter also explains how to set up an Intel Architecture processor for real-address mode operation and protected mode operation, and how to switch between modes. Chapter 9 -- Memory Cache Control. Describes the general concept caching mechanisms supported by the Intel Architecture. This chapter memory type range registers (MTRRs) and how they can be used to map me ical memory. MTRRs were introduced into the Intel Architecture with processor. of caching and the also describes the mory types of physthe Pentium® Pro

Chapter 10 -- MMX TM Technology System Programming M odel. Describes those aspects of the Intel MMX technology that must be handled and considered at the system programming level, including task sw itching, exception handling, and compatibility with existing system environments. Chapter 11 -- System Management Mode (SM M). Describes the Intel Architecture's system management mode (SMM), which can be used to implement power management functions. Chapter 12 -- Machine Check Architecture. Describes the machine check architecture, which was introduced into the Intel Architecture with the Pentium processor. Chapter 13 -- Code Optimization. Discusses general optimization techniques for programming an Intel A rchitecture processor. Chapter 14 -- Debugging and Performance M onitoring. Describes the debugging registers and other debug mechanism provided in the Intel Architecture. This chapter also describes the time-stamp counter and the performance monitoring counters. Chapter 15 -- 8086 Emulation. D escribes the real-address and virtual-8086 modes of the Intel Architecture. Chapter 16 -- Mixing 16-Bit and 32-Bit Code. Describes how to mix 16-bit and 32-bit code modules within the same program or task. Chapter 17 -- Intel Architecture C ompatibility. Describes the programming differences between the Intel 286, Intel386TM, Intel486TM, Pentium, and Pentium Pro processors. The differences among the 32-bit Intel Architecture processors (the Intel386, Intel486, Pentium, and Pentium Pro processors) are described throughout the three volumes of the Intel Architecture Software Developer's Manual, as relevant to particular features of the architecture. This chapter provides a collection of all the relevant compatibility information for all Intel Architecture processors and also describes the basic differences with respect to the 16-bit Intel Architecture processors (the Intel 8086 and Intel 286 processors). Appendix A -- Performance-M onitoring Counters. Lists the events that can be counted with the performance-monitoring counters and the codes used to select these events. Appendix B -- Model Specific Registers (MSRs). Lists the MSRs available in the Pentium Pro processor and their functions.

1- 4


A BOUT THIS MANUAL

1.4.

NOTATIONAL CONVENTIONS

This manual uses special notation for data-structure formats, for symbolic representation of instructions, and for hexadecimal numbers. A review of this notation makes the manual easier to read.

1.4.1.

Bit and Byte Order

In illustrations of data structures in memory, smaller addresses appear toward the bottom of the figure; addresses increase toward the top. Bit positions are numbered from right to left. The numerical value of a set bit is equal to two raised to the power of the bit position. Intel Architecture processors is a "little endian" machines; this means the bytes of a word are numbered starting from the least significant byte. Figure 1-1 illustrates these conventions.

Highest 31 Address

Data Structure 87 24 23 16 15

0 28 24 20 16 12 8 4 0

Bit offset

Byte 3

Byte 2

Byte 1

Byte 0

Lowest Address

Byte Offset

Figure 1-1. Bit and Byte Order

1.4.2.

Reserved Bits and Software Compatibility

In many register and memory layout descriptions, certain bits are marked as reserved. When bits are marked as reserved, it is essential for compatibility with future processors that software treat these bits as having a future, though unknown, effect. The behavior of reserved bits should be regarded as not only undefined, but unpredictable. Software should follow these guidelines in dealing with reserved bits:

· · · ·

Do not depend on the states of any reserved bits when testing the values of registers which contain such bits. Mask out the reserved bits before testing. Do not depend on the states of any reserved bits when storing to memory or to a register. Do not depend on the ability to retain information written into any reserved bits. W hen loading a register, always load the reserved bits with the values indicated in the documentation, if any, or reload them with values previously read from the same register.

1-5


ABOUT THIS MANUAL

NOTE

Avoid any software dependence upon the state of reserved bits in Intel Architecture registers. D epending upon the values of reserved register bits will make software dependent upon the unspecified manner in which the processor handles these bits. Depending upon reserved values risks incompatibility with future processors.

1.4.3.

Instruction Operands

When instructions are represented symbolically, a subset of the Intel Architecture assembly language is used. In this subset, an instruction has the following format:
label: mnemonic argument1, argument2, argument3

where:

· · ·

A label is an identifier which is followed by a colon. A mnemonic is a reserved name for a class of instruction opcodes which have the same function. The operands argument1, argument2, and argument3 are optional. There may be from zero to three operands, depending on the opcode. W hen present, they take the form of either literals or identifiers for data items. O perand identifiers are either reserved names of registers or are assumed to be assigned to data items declared in another part of the program (which may not be shown in the example).

When two operands are present in an arithmetic or logical instruction, the right operand is the source and the left operand is the destination. For example:
LOADREG: MOV EAX, SUBTOTAL

In this example LOADREG is a label, MOV is the mnemonic identifier of an opcode, EAX is the destination operand, and SUBTOTA L is the source operand. Some assembly languages put the source and destination in reverse order.

1.4.4.

Hexadecimal and Binary Numbers

Base 16 (hexadecimal) numbers are represented by a string of hexadecimal digits followed by the character H (for example, F82EH). A hexadecimal digit is a character from the following set: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. Base 2 (binary) numbers are represented by a string of 1s and 0s, sometimes followed by the character B (for example, 1010B). The "B" designation is only used in situations where confusion as to the type of number might arise.

1- 6


A BOUT THIS MANUAL

1.4.5.

Segmented Addressing

The processor uses byte addressing. This means memory is organized and accessed as a sequence of bytes. W hether one or more bytes are being accessed, a byte address is used to locate the byte or bytes memory. The range of memory that can be addressed is called an address space. The processor also supports segmented addressing. This is a form of addressing where a program may have many independent address spaces, called segments. For example, a program can keep its code (instructions) and stack in separate segments. Code addresses would always refer to the code space, and stack addresses would always refer to the stack space. The following notation is used to specify a byte address within a segment: Segment-register:Byte-address For example, the following segment address identifies the byte at address FF79H in the segment pointed by the DS register:
DS:FF79H

The following segment address identifies an instruction address in the code segment. The CS register points to the code segment and the EIP register contains the address of the instruction.
CS:EIP

1.4.6.

Exceptions

An exception is an event that typically occurs when an instruction causes an error. For example, an attempt to divide by zero generates an exception. However, some exceptions, such as breakpoints, occur under other conditions. Some types of exceptions may provide error codes. An error code reports additional information about the error. An example of the notation used to show an exception and error code is shown below.
#PF(fault code)

This example refers to a page-fault exception under conditions where an error code naming a type of fault is reported. Under some conditions, exceptions which produce error codes may not be able to report an accurate code. In this case, the error code is zero, as shown below for a general-protection exception.
#GP(0)

See Chapter 5, Interrupt and Exception H andling, in the Intel Architecture Software Developer's Manual, Volume 3, for a list of exception mnemonics and their descriptions.

1-7


ABOUT THIS MANUAL

1.5.

RELATED LITERATURE

The following books contain additional material related to Intel processors:

· · · · · · · · · · · · · · · · · · ·

Intel Pentium® Pro Processor Specification Update, Order Number 242689. Intel Pentium® Processor Specification Update, Order Number 242480. AP-485, Intel Processor Identification and the CPUID Instruction, Order Number 241618. AP-578, Software and Hardware Considerations for FPU Exception Handlers for Intel Architecture Processors, Order Number 242415-001. Pentium® Pro Processor Fam ily Developer's Manual, Volume 1: Specifications, Order Number 242690-001. Pentium® Processor Family Developer's Manual, Order Number 241428. Intel486TM Microprocessor Data Book, Order Number 240440. Intel486TM SX CPU/Intel487TM SX Math Coprocessor Data Book, Order Number 240950. Intel486TM DX2 Microprocessor Data Book, Order N umber 241245. Intel486TM Microprocessor Product Brief Book, Order Number 240459. Intel386TM Processor Hardware Reference Manual, Order Number 231732. Intel386TM Processor System Software Writer's Guide, Order Number 231499. Intel386TM High-Performance 32-Bit CHMOS Microprocessor with Integrated Memory Management, Order Number 231630. 376 Embedded Processor Programmer's Reference Manual, Order Number 240314. 80387 DX User's Manual Programmer's Reference, Order Number 231917. 376 High-Performance 32-Bit Embedded Processor, O rder Number 240182. Intel386TM SX Microprocessor, Order Number 240187. Microprocessor and Peripheral H andbook (Vol. 1), Order Number 230843. AP-528, Optimizations for Intel's 32-Bit Processors, Order Number 242816-001.

1- 8


2
Instruction Format



CHAPTER 2 INSTRUCTION FORMAT
This chapter describes the instruction format for all Intel A rchitecture processors.

2.1.

GENERAL INSTRUCTION FORMAT

All Intel Architecture instruction encodings are subsets of the general instruction format shown in Figure 2-1. Instructions consist of optional instruction prefixes (in any order), one or two primary opcode bytes, an addressing-form specifier (if required) consisting of the ModR/M byte and sometimes the SIB (Scale-Index-Base) byte, a displacement (if required), and an immediate data field (if required).

Instruction Prefixes Up to four prefixes of 1-byte each (optional) 7

Opcode 1 or 2 byte opcode

ModR/M 1 byte (if required)

SIB 1 byte (if required)

Displacement Address displacement of 1, 2, or 4 bytes or none 32 Index Base 0

Immediate Immediate data of 1, 2, or 4 bytes or none

65 Mod

32 0 Reg/ R/M Opcode

7

65

Scale

Figure 2-1. Intel Architecture Instruction Format

2.2.

INSTRUCTION PREFIXES

The instruction prefixes are divided into four groups, each with a set of allowable prefix codes:

·

Lock and repeat prefixes. -- F0H--LOCK prefix. -- F2H--REPNE/REPNZ prefix (used only with string instructions). -- F3H--REP prefix (used only with string instructions). -- F3H--REPE/REPZ prefix (used only with string instructions).

·

Segment override. -- 2EH--CS segment override prefix. -- 36H--SS segment override prefix.

2-1


INSTRUCTION FORM AT

-- 3EH--DS segment override prefix. -- 26H--ES segment override prefix. -- 64H--FS segment override prefix. -- 65H--GS segment override prefix.

· ·

Operand-size override, 66H Address-size override, 67H

For each instruction, one prefix may be used from each of these groups and be placed in any order. The effect of redundant prefixes (more than one prefix from a group) is undefined and may vary from processor to processor.

2.3.

OPCODE

The primary opcode is either 1 or 2 bytes. An additional 3-bit opcode field is sometimes encoded in the ModR/M byte. Smaller encoding fields can be defined within the primary opcode. These fields define the direction of the operation, the size of displacements, the register encoding, condition codes, or sign extension. The encoding of fields in the opcode varies, depending on the class of operation.

2.4.

MODR/M AND SIB BYTES

Most instructions that refer to an operand in memory have an addressing-form specifier byte (called the ModR/M byte) following the primary opcode. The ModR/M byte contains three fields of information:

· · ·

The mod field combines with the r/m field to form 32 possible values: eight registers and 24 addressing modes. The reg/opcode field specifies either a register number or three more bits of opcode information. The purpose of the reg/opcode field is specified in the primary opcode. The r/m field can specify a register as an operand or can be combined with the mod field to encode an addressing mode.

Certain encodings of the ModR/M byte require a second addressing byte, the SIB byte, to fully specify the addressing form. The base-plus-index and scale-plus-index forms of 32-bit addressing require the SIB byte. The SIB byte includes the following fields:

· · ·

The scale field specifies the scale factor. The index field specifies the register number of the index register. The base field specifies the register number of the base register.

See Section 2.6., "Addressing-Mode Encoding of ModR/M and SIB Bytes", for the encodings of the ModR/M and SIB bytes.

2- 2


IN STRUCTION FORM AT

2.5.

DISPLACEMENT AND IMMEDIATE BYTES

Some addressing forms include a displacement immediately following either the ModR/M or SIB byte. If a displacement is required, it can be 1, 2, or 4 bytes. If the instruction specifies an immediate operand, the operand always follows any displacement bytes. An immediate operand can be 1, 2 or 4 bytes.

2.6.

ADDRESSING-MODE ENCODING OF MODR/M AND SIB BYTES

The values and the corresponding addressing forms of the ModR/M and SIB bytes are shown in Tables 2-1 through 2-3. The 16-bit addressing forms specified by the ModR/M byte are in Table 2-1, and the 32-bit addressing forms specified by the ModR/M byte are in Table 2-2. Table 2-3 shows the 32-bit addressing forms specified by the SIB byte. In Tables 2-1 and 2-2, the first column (labeled "Effective Address") lists 32 different effective addresses that can be assigned to one operand of an instruction by using the Mod and R/M fields of the ModR/M byte. The first 24 give the different ways of specifying a memory location; the last 8 (specified by the Mod field encoding 11B) give the ways of specifying the general purpose and MM X registers. Each of the register encodings list four possible registers. For example, the first register-encoding (selected by the R/M field encoding of 000B) indicates the generalpurpose registers EAX, AX or AL, or the MMX register MM0. Which of these four registers is used is determined by the opcode byte and the operand-size attribute, which select either the EAX register (32 bits) or AX register (16 bits). The second and third columns in Tables 2-1 and 2-2 gives the binary encodings of the Mod and R/M fields in the ModR/M byte, respectively, required to obtain the associated effective address listed in the first column. All 32 possible combinations of the Mod and R/M fields are listed. Across the top of Tables 2-1 and 2-2, the 8 possible values of the 3-bit Reg/Opcode field are listed, in decimal (fifth row from top) and in binary (sixth row from top). The sixth row is labeled "REG=" w hich represents the use of these 3 bits to give the location of a second operand, which must be a general-purpose register or an MMX register. If the instruction does not require a second operand to be specified, then the 3 bits of the Reg/Opcode field may be used as an extension of the opcode, which is represented by the fifth row, labeled "/digit (O pcode)". The four rows above give the byte, word and doubleword general-purpose registers and the MMX registers that correspond to the register numbers, with the same assignments as for the R/M field when Mod field encoding is 11B. As with the R/M field register options, which of the four possible registers is used is determined by the opcode byte along with the operand-size attribute. The body of Tables 2-1 and 2-2 (under the label "Value of ModR/M Byte (in Hexadecimal)") contains a 32 by 8 array giving all of the 256 values of the ModR/M byte, in hexadecimal. Bits 3, 4 and 5 are specified by the column of the table in which a byte resides, and the row specifies bits 0, 1 and 2, and also bits 6 and 7.

2-3


INSTRUCTION FORM AT

Table 2-1. 16-Bit Addressing Forms w ith the ModR/M Byte
r8(/r) r16(/r) r32(/r) mm(/r ) /digit (Opcode) REG = Effective Address [BX+SI] [BX+DI] [BP+SI] [BP+DI] [SI] [DI] disp162 [BX] [BX+SI]+disp83 [BX+DI]+disp8 [BP+SI]+disp8 [BP+DI]+disp8 [SI]+disp8 [DI]+disp8 [BP]+disp8 [BX]+disp8 [BX+SI]+disp16 [BX+DI]+disp16 [BP+SI]+disp16 [BP+DI]+disp16 [SI]+disp16 [DI]+disp16 [BP]+disp16 [BX]+disp16 EAX/AX/AL/MM0 ECX/CX /CL/MM1 EDX/DX /DL/MM2 EBX/BX/BL/MM3 ESP/SP/AH MM4 EBP/BP/CH/MM5 ESI/SI/DH/MM6 EDI/DI/BH/MM7 NOTE S: 1. The default segment register is SS for the effective addresses containing a BP index, D S for other effective addresses. 2. The "disp16" nomenclature denotes a 16-bit displacement follow ing the ModR/M byte, to be added to the index. 3. The " disp8" nomenclature denotes an 8-bit displacement following the ModR/M byte, to be sign-extended and added to the index. Mod 00 R/M 00 00 01 01 10 10 11 11 00 00 01 01 10 10 11 11 00 00 01 01 10 10 11 11 00 00 01 01 10 10 11 11 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 00 01 02 03 04 05 06 07 40 41 42 43 44 45 46 47 80 81 82 83 84 85 86 87 C0 C1 C2 C3 C4 C5 C6 C7 AL AX EAX MM0 0 000 CL CX ECX MM1 1 001 DL DX EDX MM2 2 010 BL BX EBX MM3 3 011 AH SP ESP MM4 4 100 CH BP1 EBP MM5 5 101 DH SI ESI MM6 6 110 BH DI EDI MM7 7 111

Value of ModR/M Byt e (in Hexadecimal) 08 09 0A 0B 0C 0D 0E 0F 48 49 4A 4B 4C 4D 4E 4F 88 89 8A 8B 8C 8D 8E 8F C8 C9 CA CB CC CD CE CF 10 11 12 13 14 15 16 17 50 51 52 53 54 55 56 57 90 91 92 93 94 95 96 97 D0 D1 D2 D3 D4 D5 D6 D7 18 19 1A 1B 1C 1D 1E 1F 58 59 5A 5B 5C 5D 5E 5F 98 99 9A 9B 9C 9D 9E 9F D8 D9 DA DB DC DD DE DF 20 21 22 23 24 25 26 27 60 61 62 63 64 65 66 67 A0 A1 A2 A3 A4 A5 A6 A7 E0 EQ E2 E3 E4 E5 E6 E7 28 29 2A 2B 2C 2D 2E 2F 68 69 6A 6B 6C 6D 6E 6F A8 A9 AA AB AC AD AE AF E8 E9 EA EB EC ED EE EF 30 31 32 33 34 35 36 37 70 71 72 73 74 75 76 77 B0 B1 B2 B3 B4 B5 B6 B7 F0 F1 F2 F3 F4 F5 F6 F7 38 39 3A 3B 3C 3D 3E 3F 78 79 7A 7B 7C 7D 7E 7F B8 B9 BA BB BC BD BE BF F8 F9 FA FB FC FD FE FF

01

10

11

2- 4


IN STRUCTION FORM AT

Table 2-2. 32-Bit Addressing Form s with the ModR/M Byte
r8(/r) r16(/r) r32(/r) mm(/r) /digit (Opcode) RE G = Effective Address [E AX] [ECX] [EDX] [E BX] [- -][--]1 disp322 [E SI] [EDI] disp8[EA X]3 disp8[ECX ] disp8[EDX ] disp8[EB X]; disp8[--][--] disp8[EB P] disp8[ES I] disp8[EDI] disp32[EAX] disp32[ECX] disp32[EDX] disp32[EBX] disp32[--][-- ] disp32[EBP] disp32[ESI] disp32[EDI] EA X/AX /AL/MM0 EC X/CX/CL/MM1 ED X/DX/DL/MM2 EB X/BX /BL/MM3 ES P/SP /AH/MM4 EB P/BP /CH/MM5 ES I/SI/DH/MM6 ED I/DI/BH/MM7 NOTES: 1. The [--][--] nomenclature means a SIB follows the ModR/M byte. 2. The disp32 nomenclature denotes a 32-bit displacement following the SIB byte, to be added to the index. 3. The disp8 nomenclature denotes an 8-bit displacement following the SIB byte, to be sign-extended and added to the index. Mod 00 R/M 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 000 001 010 011 100 101 110 111 00 01 02 03 04 05 06 07 40 41 42 43 44 45 46 47 80 81 82 83 84 85 86 87 C0 C1 C2 C3 C4 C5 C6 C7 AL AX EAX MM0 0 000 CL CX EC X MM1 1 001 DL DX ED X MM2 2 010 BL BX EBX MM3 3 011 AH SP ESP MM4 4 100 CH BP EBP MM5 5 101 DH SI ESI MM6 6 110 BH DI EDI MM7 7 111

Value of ModR/M B yte (in Hexadecimal) 08 09 0A 0B 0C 0D 0E 0F 48 49 4A 4B 4C 4D 4E 4F 88 89 8A 8B 8C 8D 8E 8F C8 C9 CA CB CC CD CE CF 10 11 12 13 14 15 16 17 50 51 52 53 54 55 56 57 90 91 92 93 94 95 96 97 D0 D1 D2 D3 D4 D5 D6 D7 18 19 1A 1B 1C 1D 1E 1F 58 59 5A 5B 5C 5D 5E 5F 98 99 9A 9B 9C 9D 9E 9F D8 D9 DA DB DC DD DE DF 20 21 22 23 24 25 26 27 60 61 62 63 64 65 66 67 A0 A1 A2 A3 A4 A5 A6 A7 E0 E1 E2 E3 E4 E5 E6 E7 28 29 2A 2B 2C 2D 2E 2F 68 69 6A 6B 6C 6D 6E 6F A8 A9 AA AB AC AD AE AF E8 E9 EA EB EC ED EE EF 30 31 32 33 34 35 36 37 70 71 72 73 74 75 76 77 B0 B1 B2 B3 B4 B5 B6 B7 F0 F1 F2 F3 F4 F5 F6 F7 38 39 3A 3B 3C 3D 3E 3F 78 79 7A 7B 7C 7D 7E 7F B8 B9 BA BB BC BD BE BF F8 F9 FA FB FC FD FE FF

01

10

11

2-5


INSTRUCTION FORM AT

Table 2-3 is organized similarly to Tables 2-1 and 2-2, except that its body gives the 256 possible values of the SIB byte, in hexadecimal. Which of the 8 general-purpose registers will be used as base is indicated across the top of the table, along with the corresponding values of the base field (bits 0, 1 and 2) in decimal and binary. The rows indicate w hich register is used as the index (determined by bits 3, 4 and 5) along with the scaling factor (determined by bits 6 and 7).
Table 2-3. 32-Bit Addressing Form s with the SIB Byte
r32 Base = Base = Scaled Index [EAX ] [ECX] [EDX] [EBX ] none [EBP ] [ESI] [EDI] [EAX *2] [ECX*2] [EDX*2] [EBX *2] none [EBP *2] [ESI*2] [EDI*2] [EAX *4] [ECX*4] [EDX*4] [EBX *4] none [EBP *4] [ESI*4] [EDI*4] [EAX *8] [ECX*8] [EDX*8] [EBX *8] none [EBP *8] [ESI*8] [EDI*8] NOTE : 1. The [*] nomenclature means a disp32 with no base if MOD is 00, [EBP] otherwise. This provides the following addressing modes: disp32[index] disp8[EBP ][index] disp32[E BP][index] (MOD=00). (MOD=01). (MOD=10). SS 00 Index 00 00 01 01 10 10 11 11 00 00 01 01 10 10 11 11 00 00 01 01 10 10 11 11 00 00 01 01 10 10 11 11 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 00 08 10 18 20 28 30 38 40 48 50 58 60 68 70 78 80 88 90 98 A0 A8 B0 B8 C0 C8 D0 D8 E0 E8 F0 F8 01 09 11 19 21 29 31 39 41 49 51 59 61 69 71 79 81 89 91 89 A1 A9 B1 B9 C1 C9 D1 D9 E1 E9 F1 F9 EAX 0 000 ECX 1 001 EDX 2 010 EBX 3 011 ESP 4 100 [*] 5 101 ESI 6 110 EDI 7 111

Value of SIB Byt e (in Hexadecimal) 02 0A 12 1A 22 2A 32 3A 42 4A 52 5A 62 6A 72 7A 82 8A 92 9A A2 AA B2 BA C2 CA D2 DA E2 EA F2 FA 03 0B 13 1B 23 2B 33 3B 43 4B 53 5B 63 6B 73 7B 83 8B 93 9B A3 AB B3 BB C3 CB D3 DB E3 EB F3 FB 04 0C 14 1C 24 2C 34 3C 44 4C 54 5C 64 6C 74 7C 84 8C 94 9C A4 AC B4 BC C4 CC D4 DC E4 EC F4 FC 05 0D 15 1D 25 2D 35 3D 45 4D 55 5D 65 6D 75 7D 85 8D 95 9D A5 AD B5 BD C5 CD D5 DD E5 ED F5 FD 06 0E 16 1E 26 2E 36 3E 46 4E 56 5E 66 6E 76 7E 86 8E 96 9E A6 AE B6 BE C6 CE D6 DE E6 EE F6 FE 07 0F 17 1F 27 2F 37 3F 47 4F 57 5F 67 6F 77 7F 87 8F 97 9F A7 AF B7 BF C7 CF D7 DF E7 EF F7 FF

01

10

11

2- 6


3
Instruction Set Reference



CHAPTER 3 INSTRUCTION SET REFERENCE
This chapter describes the complete Intel Architecture instruction set, including the integer, floating-point, MMX technology, and system instructions. The instruction descriptions are arranged in alphabetical order. For each instruction, the forms are given for each operand combination, including the opcode, operands required, and a description. Also given for each instruction are a description of the instruction and its operands, an operational description, a description of the effect of the instructions on flags in the EFLAGS register, and a summary of the exceptions that can be generated.

3.1.

INTERPRETING THE INSTRUCTION REFERENCE PAGES

This section describes the information contained in the various sections of the instruction reference pages that make up the majority of this chapter. It also explains the notational conventions and abbreviations used in these sections.

3.1.1.

Instruction Format

The following is an example of the format used for each Intel Architecture instruction description in this chapter:

CMC--Complement Carry Flag
Opcode F5 Instruction CMC Description Complement carr y flag

3.1.1.1.

OPCODE COLUMN

The "Opcode" column gives the complete object code produced for each form of the instruction. When possible, the codes are given as hexadecimal bytes, in the same order in which they appear in memory. Definitions of entries other than hexadecimal bytes are as follows:

· ·

/digit--A digit between 0 and 7 indicates that the ModR/M byte of the instruction uses only the r/m (register or memory) operand. The reg field contains the digit that provides an extension to the instruction's opcode. /r--Indicates that the ModR/M byte of the instruction contains both a register operand and an r/m operand.

3-1


INSTRUCTION SET REFERENCE

· ·

cb, cw, cd, cp--A 1-byte (cb), 2-byte (cw ), 4-byte (cd), or 6-byte (cp) value following the opcode that is used to specify a code offset and possibly a new value for the code segment register. ib, iw, id--A 1-byte (ib), 2-byte (iw), or 4-byte (id) immediate operand to the instruction that follows the opcode, ModR/M bytes or scale-indexing bytes. The opcode determines if the operand is a signed value. All words and doublewords are given with the low-order byte first. +rb, +rw, +rd--A register code, from 0 through 7, added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte. The register codes are given in Table 3-1. +i--A number used in floating-point instructions when one of the operands is ST(i) from the FPU register stack. The number i (w hich can range from 0 to 7) is added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte.
Table 3-1. Register Encodings Associated with the +rb, +rw, and +rd Nomenclature
rb AL CL DL BL = = = = rb AH CH DH BH = = = = 4 5 6 7 SP BP SI DI 0 1 2 3 AX CX DX BX rw = = = = rw = = = = 4 5 6 7 ESP EBP ESI EDI 0 1 2 3 EAX ECX EDX EBX rd = = = = rd = = = = 4 5 6 7 0 1 2 3

· ·

3.1.1.2.

INSTRUCTION C OLUMN

The "Instruction" column gives the syntax of the instruction statement as it would appear in an ASM386 program. The following is a list of the symbols used to represent operands in the instruction statements:

· · ·

rel8--A relative address in the range from 128 bytes before the end of the instruction to 127 bytes after the end of the instruction. rel16 and rel32--A relative address within the same code segment as the instruction assembled. The rel16 symbol applies to instructions with an operand-size attribute of 16 bits; the rel32 symbol applies to instructions with an operand-size attribute of 32 bits. ptr16:16 and ptr16:32--A far pointer, typically in a code segment different from that of the instruction. The notation 16:16 indicates that the value of the pointer has two parts. The value to the left of the colon is a 16-bit selector or value destined for the code segment register. The value to the right corresponds to the offset within the destination segment.

3- 2


INSTRUCTION SET REFER EN CE

The ptr16:16 symbol is used w hen the instruction's operand-size attribute is 16 bits; the ptr16:32 symbol is used when the operand-size attribute is 32 bits.

· · · ·

r8--One of the byte general-purpose registers A L, CL, DL, BL, AH, CH, DH, or BH. r16--One of the word general-purpose registers AX , CX, DX, BX, SP, BP, SI, or DI. r32--One of the doubleword general-purpose registers EAX, ECX, EDX, EBX, ESP, EBP, ESI, or EDI. imm8--An immediate byte value. The imm8 symbol is a signed and +127 inclusive. For instructions in which imm8 is comb doubleword operand, the immediate value is sign-extended to form The upper byte of the word is filled with the topmost bit of the imm number between ­128 ined with a word or a word or doubleword. ediate value.

· · · ·

imm16--An immediate word value used for instructions whose operand-size attribute is 16 bits. This is a number between ­32,768 and +32,767 inclusive. im m 3 2 --A n i m m e d i ate d o u b l ew o r d v a lu e u s ed f o r in st r u ctio n s w h o s e o p er an d s i ze att r ib u t e is 3 2 b its . I t al low s th e u s e o f a n u m b er b e tw een +2 ,1 4 7 ,4 8 3 ,6 4 7 a n d ­2 , 1 4 7 , 4 83 , 6 48 i n c l us ive . r/m8--A byte operand that is either the contents of a byte general-purpose register (AL, BL, CL, D L, AH, BH, CH, and DH), or a byte from memory. r/m16--A word general-purpose register or memory operand used for instructions whose operand-size attribute is 16 bits. The word general-purpose registers are: AX, BX, CX, DX , SP, BP, SI, and DI. The contents of memory are found at the address provided by the effective address computation. r/m32--A doubleword general-purpose register or memory operand used for instructions whose operand-size attribute is 32 bits. The doubleword general-purpose registers are: EAX, EBX, ECX, EDX, ESP, EBP, ESI, and EDI. The contents of memory are found at the address provided by the effective address computation. m--A 16- or 32-bit operand in memory. m8--A byte operand in memory, usually expressed as a variable or array name, but pointed to by the DS:(E)SI or ES:(E)D I registers. This nomenclature is used only with the string instructions and the XLAT instruction. m16--A word operand in memory, usually expressed as a variable or array name, but pointed to by the DS:(E)SI or ES:(E)D I registers. This nomenclature is used only with the string instructions. m32--A doubleword operand in memory, usually expressed as a variable or array name, but pointed to by the DS:(E)SI or ES:(E)DI registers. This nomenclature is used only w ith the string instructions. m64--A memory quadword operand in memory. This nomenclature is used only with the CMPXCHG8B instruction.

·

· · · · ·

3-3


INSTRUCTION SET REFERENCE

· ·

m16:16, m16:32--A memory operand containing a far pointer composed of two numbers. The number to the left of the colon corresponds to the pointer's segment selector. The number to the right corresponds to its offset. m16&32, m16&16, m32&32--A memory operand consisting of data item pairs whose sizes are indicated on the left and the right side of the ampersand. All memory addressing modes are allowed. The m16&16 and m32&32 operands are used by the BOUND instruction to provide an operand containing an upper and lower bounds for array indices. The m16&32 operand is used by LIDT and LGDT to provide a word with which to load the limit field, and a doubleword with which to load the base field of the corresponding GDTR and IDTR registers. moffs8, moffs16, moffs32--A simple memory variable (memory offset) of type byte, word, or doubleword used by some variants of the MOV instruction. The actual address is given by a simple offset relative to the segment base. No ModR/M byte is used in the instruction. The number show n with moffs indicates its size, which is determined by the address-size attribute of the instruction. Sreg--A segment register. The segment register bit assignments are ES=0, CS=1, SS=2, DS=3, FS=4, and GS=5. m32real, m64real, m80real--A single-, double-, and extended-real (respectively) floating-point operand in memory. m16int, m32int, m64int--A word-, short-, and long-integer (respectively) floating-point operand in memory. ST or ST(0)--The top element of the FPU register stack. ST(i)--The ith element from the top of the FPU register stack. (i = 0 through 7) mm--An MMXTM register. The 64-bit MMX registers are: MM0 through MM7. mm/m32--The low order 32 bits of an MMX register or a 32-bit memory operand. The 64-bit MMX registers are: MM0 through MM7. The contents of memory are found at the address provided by the effective address computation. mm/m64--An MMX register or a 64-bit memory operand. The 64-bit MMX registers are: MM0 through MM7. The contents of memory are found at the address provided by the effective address computation. DESCRIPTION C OLUMN

·

· · · · · · · ·

3.1.1.3.

The "Description" column following the "Instruction" column briefly explains the various forms of the instruction. The following "Description" and "Operation" sections contain more details of the instruction's operation. 3.1.1.4. DESCRIPTION

The "Description" section describes the purpose of the instructions and the required operands. It also discusses the effect of the instruction on flags.

3- 4


INSTRUCTION SET REFER EN CE

3.1.2.

Operation

The "Operation" section contains an algorithmic description (w ritten in pseudo-code) of the instruction. The pseudo-code uses a notation similar to the Algol or Pascal language. The algorithms are composed of the following elements:

· · ·

Comments are enclosed within the symbol pairs "(*" and "*)". Compound statements are enclosed in keywords, such as IF, THEN, ELSE, and FI for an if statement, DO and OD for a do statement, or CASE ... O F and ESAC for a case statement. A register name implies the contents of the register. A register name enclosed in brackets implies the contents of the location whose address is contained in that register. For example, ES:[DI] indicates the contents of the location whose ES segment relative address is in register DI. [SI] indicates the contents of the address contained in register SI relative to SI's default segment (DS) or overridden segment. Parentheses around the "E" in a general-purpose register name, such as (E)SI, indicates that an offset is read from the SI register if the current address-size attribute is 16 or is read from the ESI register if the address-size attribute is 32. Brackets are also used for memory operands, w here they mean that the contents of the memory location is a segment-relative offset. For example, [SRC] indicates that the contents of the source operand is a segment-relative offset. A B; indicates that the value of B is assigned to A. The symbols =, , , and are relational operators used to compare two values, meaning equal, not equal, greater or equal, less or equal, respectively. A relational expression such as A = B is TRUE if the value of A is equal to B; otherwise it is FALSE. The expression "<< COUNT" and ">> COUNT" indicates that the destination operand should be shifted left or right, respectively, by the number of bits indicated by the count operand.

· · · · ·

The following identifiers are used in the algorithmic descriptions:

·

OperandSize and AddressSize--The OperandSize identifier represents the operand-size attribute of the instruction, which is either 16 or 32 bits. The AddressSize identifier represents the address-size attribute, which is either 16 or 32 bits. For example, the following pseudo-code indicates that the operand-size attribute depends on the form of the CMPS instruction used.
IF instruction = CMPSW THEN OperandSize 16; ELSE IF instruction = CMPSD THEN OperandSize 32; FI; FI;

3-5


INSTRUCTION SET REFERENCE

See "Operand-Size and Address-Size Attributes" in Chapter 3 of the Intel Architecture Software Developer's Manual, Volume 1, for general guidelines on how these attributes are determined.

· · · ·

StackAddrSize--Represents the stack address-size attribute associated with the instruction, which has a value of 16 or 32 bits (see "Address-Size Attribute for Stack" in Chapter 4 of the Intel Architecture Software Developer's Manual, Volume 1). SRC--Represents the source operand. DEST--Represents the destination operand.

The following functions are used in the algorithmic descriptions: ZeroExtend(value)--Returns a value zero-extended to the operand-size attribute of the instruction. For example, if the operand-size attribute is 32, zero extending a byte value of ­10 converts the byte from F6H to a doubleword value of 000000F6H. If the value passed to the ZeroExtend function and the operand-size attribute are the same size, ZeroExtend returns the value unaltered. SignExtend(value)--Returns a value sign-extended to the operand-size attribute of the instruction. For example, if the operand-size attribute is 32, sign extending a byte containing the value ­10 converts the byte from F6H to a doubleword value of FFFFFFF6H. If the value passed to the SignExtend function and the operand-size attribute are the same size, SignExtend returns the value unaltered. SaturateSignedWordToSignedByte--Converts a signed 16-bit value to a signed 8-bit value. If the signed 16-bit value is less than ­128, it is represented by the saturated value ­ 128 (80H); if it is greater than 127, it is represented by the saturated value 127 (7FH). SaturateSignedDwordToSignedWord--Converts a signed 32-bit value to a signed 16-bit value. If the signed 32-bit value is less than ­32768, it is represented by the saturated value ­32768 (8000H); if it is greater than 32767, it is represented by the saturated value 32767 (7FFFH). SaturateSignedWordToUnsignedByte--Converts a signed 16-bit value to an unsigned 8-bit value. If the signed 16-bit value is less than zero, it is represented by the saturated value zero (00H); if it is greater than 255, it is represented by the saturated value 255 (FFH). SaturateToSignedByte--Represents the result of an operation as a signed 8-bit value. If the result is less than ­128, it is represented by the saturated value ­128 (80H); if it is greater than 127, it is represented by the saturated value 127 (7FH). SaturateToSignedWord --Represents the result of an operation as a signed 16-bit value. If the result is less than ­32768, it is represented by the saturated value ­32768 (8000H); if it is greater than 32767, it is represented by the saturated value 32767 (7FFFH). SaturateToUnsignedByte--Represents the result of an operation as a signed 8-bit value. If the result is less than zero it is represented by the saturated value zero (00H); if it is greater than 255, it is represented by the saturated value 255 (FFH).

·

· ·

·

· · ·

3- 6


INSTRUCTION SET REFER EN CE

· · · ·

SaturateToUnsignedWord--Represents the result of an operation as a signed 16-bit value. If the result is less than zero it is represented by the saturated value zero (00H); if it is greater than 65535, it is represented by the saturated value 65535 (FFFFH). LowOrderWord(DEST * SRC)--Multiplies a word operand by a word operand and stores the least significant word of the doubleword result in the destination operand. HighOrderWord(DEST * SR C)--Multiplies a word operand by a word operand and stores the most significant word of the doubleword result in the destination operand. Push(value)--Pushes a value onto the stack. The number of bytes pushed is determined by the operand-size attribute of the instruction. See the "Operation" section in "PUSH--Push Word or Doubleword Onto the Stack" in this chapter for more information on the push operation. Pop() removes the value from the top of the stack and returns it. The statement EAX Pop(); assigns to EAX the 32-bit value from the top of the stack. Pop w ill return either a word or a doubleword depending on the operand-size attribute. See the "Operation" section in Chapter 3, "POP--Pop a Value from the Stack" for more information on the pop operation. PopRegisterStack--Marks the FPU ST(0) register as empty and increments the FPU register stack pointer (TOP) by 1. Switch-Tasks--Performs a standard task switch. Bit(BitBase, BitOffset)--Returns the value of a bit within a bit string, which is a sequence of bits in memory or a register. Bits are numbered from low-order to high-order within registers and within memory bytes. If the base operand is a register, the offset can be in the range 0..31. This offset addresses a bit within the indicated register. An example, the function Bit[EAX, 21] is illustrated in Figure 3-1.

·

· · ·

31

21

0

BitOffset = 21

Figure 3-1. Bit Offset for BIT[EAX,21]

If BitBase is a memory address, BitOffset can range from ­2 GBits to 2 GBits. The addressed bit is numbered (Offset MOD 8) within the byte at address (BitBase + (BitOffset DIV 8)), where DIV is signed division with rounding towards negative infinity, and MOD returns a positive number. This operation is illustrated in Figure 3-2.

3-7


INSTRUCTION SET REFERENCE

3.1.3.

Flags Affected

The "Flags Affected" section lists the flags in the EFLAGS register that are affected by the instruction. W hen a flag is cleared, it is equal to 0; when it is set, it is equal to 1. The arithmetic and logical instructions usually assign values to the status flags in a uniform manner (see Appendix A, EFLAGS Cross-Reference, in the Intel Architecture Software Developer's Manual, Volume 1). Non-conventional assignments are described in the "Operation" section. The values of flags listed as undefined may be changed by the instruction in an indeterminate manner. Flags that are not listed are unchanged by the instruction.

7

5

07

07

0

B itBase + 1

BitBase

BitBase - 1

BitOffset = +13
7 07 07 5 0

BitBase

BitBase - 1 BitOffset = -

BitBase - 2

Figure 3-2. Memory Bit Indexing

3.1.4.

FPU Flags Affected

The floating-point instructions have an "FPU Flags Affected" section that describes how each instruction can affect the four condition code flags of the FPU status word.

3.1.5.

Protected Mode Exceptions

The "Protected Mode Exceptions" section lists the exceptions that can occur when the instruction is executed in protected mode and the reasons for the exceptions. Each exception is given a mnemonic that consists of a pound sign (#) followed by two letters and an optional error code in parentheses. For example, #GP(0) denotes a general protection exception w ith an error code of 0. Table 3-2 associates each two-letter mnemonic with the corresponding interrupt vector number and exception name. See Chapter 5, Interrupt and Exception Handling, in the Intel Architecture Software Developer's Manual, Volume 3, for a detailed description of the exceptions. Application programmers should consult the documentation provided with their operating systems to determine the actions taken when exceptions occur.

3- 8


INSTRUCTION SET REFER EN CE

3.1.6.

Real-Address Mode Exceptions

The "Real-Address Mode Exceptions" section lists the exceptions that can occur when the instruction is executed in real-address mode.
Table 3-2. Exception Mnemonics, Names, and Vector Numbers
Vector No. 0 1 3 4 5 6 7 8 10 11 12 13 14 16 17 18 NOTE S: 1. The UD2 instr uction was introduced in the Pentium® Pro processor. 2. This exception was introduced in the Intel486TM processor. 3. This exception was introduced in the Pentium processor and enhanced in the Pentium Pro processor. Mnemonic # DE # DB #BP # OF #BR # UD # NM # DF #TS #NP # SS #GP #P F #MF #AC #MC D ivide Er ror D ebug Breakpoint Overflow B OUND Range Exceeded Invalid Opcode (Undefined Opcode) D evice Not Available (No Math C oprocessor) D ouble Fault Invalid TS S S egment Not Present S tack Segment Fault General Pr otection P age Fault Floating-Point Error (Math Fault) Alignment Check Machine Check Name Source D IV and IDIV instructions. Any code or data reference. INT 3 instruction. INTO instruction. BOUND instruction. U D2 instruction or reserved opcode. Floating-point or WAIT/FWAIT instruction. Any instr uction that can generate an exception, an NMI, or an INTR. Task switch or TSS access. Loading segment registers or accessing system segments. Stack operations and SS register loads. Any memor y reference and other protection checks. Any memory reference. Floating-point or WAIT/FWAIT instruction. Any data reference in memory.2 Model dependent.3
1

3.1.7.

Vir tual-8086 Mode Exceptions

The "Virtual-8086 Mode Exceptions" section lists the exceptions that can occur when the instruction is executed in virtual-8086 mode.

3-9


INSTRUCTION SET REFERENCE

3.1.8.

Floating-Point Exceptions

The "Floating-Point Exceptions" section lists additional exceptions that can occur when a floating-point instruction is executed in any mode. All of these exception conditions result in a floating-point error exception (#MF, vector number 16) being generated. Table 3-3 associates each one- or two-letter mnemonic with the corresponding exception name. See "Floating-Point Exception Conditions" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1, for a detailed description of these exceptions.
Table 3-3. Floating-Point Exception M nem onics and Names
Vector No. 16 #IS #IA 16 16 16 16 16 #Z #D #O #U #P Mnemonic N ame Floating-point invalid operation: - Stack overflow or underflow - Invalid arithmetic operation Floating-point divide-by- zero Floating-point denor malized operation Floating-point numer ic overflow Floating-point numer ic underflow Floating-point inexact result (pr ecision) Source - FPU stack overflow or underflow - Invalid FPU ar ithmetic operation FPU divide-by-zero Attempting to operate on a denor mal number FPU numeric overflow FPU numeric underflow Inexact result (precision)

3.2.

INSTRUCTION REFERENCE

The remainder of this chapter provides detailed descriptions of each of the Intel Architecture instructions.

3- 10


INSTRUCTION SET REFER EN CE

AAA--ASCII Adjust After Addition
Opcode 37 Instruction AAA D escription A SCII adjust AL after addition

Description Adjusts the sum of two unpacked BCD values to create an unpacked BCD result. The AL register is the implied source and destination operand for this instruction. The AAA instruction is only useful when it follows an ADD instruction that adds (binary addition) two unpacked BCD values and stores a byte result in the AL register. The AAA instruction then adjusts the contents of the AL register to contain the correct 1-digit unpacked BCD result. If the addition produces a decimal carry, the AH register is incremented by 1, and the CF and AF flags are set. If there was no decimal carry, the CF and AF flags are cleared and the AH register is unchanged. In either case, bits 4 through 7 of the AL register are cleared to 0. Operation
IF ((AL AND 0FH) > 9) O R (AF = 1) THEN AL (AL + 6); AH AH + 1; AF 1; CF 1; ELSE AF 0; CF 0; FI; AL AL AND 0FH;

Flags Affected The AF and CF flags are set to 1 if the adjustment results in a decimal carry; otherwise they are cleared to 0. The OF, SF, ZF, and PF flags are undefined. Exceptions (All Operating Modes) None.

3-11


INSTRUCTION SET REFERENCE

AAD--ASCII Adjust AX Before Division
Opcode D5 0A D5 ib Instruction AAD ( No mnemonic) Description ASCII adjust AX before division Adjust AX before division to number base imm8

Description Adjusts two unpacked BCD digits (the least-significant digit in the AL register and the mostsignificant digit in the AH register) so that a division operation performed on the result will yield a correct unpacked BCD value. The AA D instruction is only useful w hen it precedes a DIV instruction that divides (binary division) the adjusted value in the A X register by an unpacked BCD value. The AAD instruction sets the value in the AL register to (AL + (10 * AH)), and then clears the AH register to 00H. The value in the AX register is then equal to the binary equivalent of the original unpacked two-digit (base 10) number in registers AH and AL. The generalized version of this instruction allows adjustment of two unpacked digits of any number base (see the "O peration" section below), by setting the imm8 byte to the selected number base (for example, 08H for octal, 0AH for decimal, or 0CH for base 12 numbers). The AAD mnemonic is interpreted by all assemblers to mean adjust ASCII (base 10) values. To adjust values in another number base, the instruction must be hand coded in machine code (D5 imm8). Operation
tempAL AL; tempAH AH; AL (tempAL + (tem pAH im m8)) AND FFH; (* imm8 is set to 0AH for the AAD mnemonic *) AH 0

The immediate value (imm8) is taken from the second byte of the instruction. Flags Affected The SF, ZF, and PF flags are set according to the result; the OF, A F, and CF flags are undefined. Exceptions (All Operating Modes) None.

3- 12


INSTRUCTION SET REFER EN CE

AAM--ASCII Adjust AX After Multiply
Opcode D4 0A D4 ib Instruction AA M (No mnemonic) Description ASCII adjust AX after multiply Adjust A X after multiply to number base imm8

Description Adjusts the result of the multiplication of two unpacked BCD values to create a pair of unpacked (base 10) BCD values. The AX register is the implied source and destination operand for this instruction. The AA M instruction is only useful when it follows an MUL instruction that multiplies (binary multiplication) two unpacked BCD values and stores a word result in the AX register. The AAM instruction then adjusts the contents of the AX register to contain the correct 2-digit unpacked (base 10) BCD result. The generalized version of this instruction allows adjustment of the contents of the A X to create two unpacked digits of any number base (see the "Operation" section below). Here, the imm8 byte is set to the selected number base (for example, 08H for octal, 0AH for decimal, or 0CH for base 12 numbers). The AAM mnemonic is interpreted by all assemblers to mean adjust to ASCII (base 10) values. To adjust to values in another number base, the instruction must be hand coded in machine code (D4 imm8). Operation
tempAL AL; AH tempAL / imm8; (* imm8 is set to 0AH for the AAD mnemonic *) AL tem pAL MOD imm8;

The immediate value (imm8) is taken from the second byte of the instruction. Flags Affected The SF, ZF, and PF flags are set according to the result. The OF, AF, and CF flags are undefined. Exceptions (All Operating Modes) None with the default immediate value of 0AH. If, however, an immediate value of 0 is used, it will cause a #DE (divide error) exception.

3-13


INSTRUCTION SET REFERENCE

AAS--ASCII Adjust AL After Subtraction
Opcode 3F Instruction AAS Description ASCII adjust AL after subtraction

Description Adjusts the result of the subtraction of two unpacked BCD values to create a unpacked BCD result. The AL register is the implied source and destination operand for this instruction. The AAS instruction is only useful when it follow s a SUB instruction that subtracts (binary subtraction) one unpacked BCD value from another and stores a byte result in the AL register. The AAA instruction then adjusts the contents of the AL register to contain the correct 1-digit unpacked BCD result. If the subtraction produced a decimal carry, the AH register is decremented by 1, and the CF and AF flags are set. If no decimal carry occurred, the CF and AF flags are cleared, and the AH register is unchanged. In either case, the AL register is left with its top nibble set to 0. Operation
IF ((AL AND 0FH) > 9) OR (AF = 1) THEN AL AL ­ 6; AH AH ­ 1; AF 1; CF 1; ELSE CF 0; AF 0; FI; AL AL AND 0FH;

Flags Affected The AF and CF flags are set to 1 if there is a decimal borrow; otherw ise, they are cleared to 0. The OF, SF, ZF, and PF flags are undefined. Exceptions (All Operating Modes) None.

3- 14


INSTRUCTION SET REFER EN CE

ADC--Add with Carry
Opcode 14 ib 15 iw 15 id 80 /2 ib 81 /2 iw 81 /2 id 83 /2 ib 83 /2 ib 10 /r 11 /r 11 /r 12 /r 13 /r 13 /r Instruction ADC AL,imm8 ADC AX ,imm16 ADC EAX,imm32 ADC r/m8,imm8 ADC r/m16,imm16 ADC r/m32,imm32 ADC r/m16,imm8 ADC r/m32,imm8 ADC r/m8,r8 ADC r/m16,r16 ADC r/m32,r32 ADC r8,r/m8 ADC r16,r/m16 ADC r32,r/m32 Description Add with carr y imm8 to AL Add with carr y imm16 to AX Add with carr y imm32 to EAX Add with carr y imm8 to r/m8 Add with carr y imm16 to r/m16 Add with CF imm32 to r/m32 Add with CF sign-extended imm8 to r/m16 Add with CF sign-extended imm8 into r/m32 Add with carr y byte register to r/m8 Add with carr y r16 to r/m16 Add with CF r32 to r/m32 Add with carr y r/m8 to byte register Add with carr y r/m16 to r16 Add with CF r/m32 to r32

Description Adds the destination operand (first operand), the source operand (second operand), and the carry (CF) flag and stores the result in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, a register, or a memory location. (H owever, two memory operands cannot be used in one instruction.) The state of the CF flag represents a carry from a previous addition. When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format. The ADC instruction does not distinguish between signed or unsigned operands. Instead, the processor evaluates the result for both data types and sets the OF and CF flags to indicate a carry in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result. The ADC instruction is usually executed as part of a multibyte or multiword addition in which an ADD instruction is followed by an ADC instruction. Operation
DEST DEST + SRC + CF;

Flags Affected The OF, SF, ZF, AF, CF, and PF flags are set according to the result.

3-15


INSTRUCTION SET REFERENCE

ADC--Add with Carry (Continued)
Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 16


INSTRUCTION SET REFER EN CE

ADD--Add
Opcode 04 ib 05 iw 05 id 80 /0 ib 81 /0 iw 81 /0 id 83 /0 ib 83 /0 ib 00 /r 01 /r 01 /r 02 /r 03 /r 03 /r Instruction ADD AL,imm8 ADD AX ,imm16 ADD EAX,imm32 ADD r/m8,imm8 ADD r/m16,imm16 ADD r/m32,imm32 ADD r/m16,imm8 ADD r/m32,imm8 ADD r/m8,r8 ADD r/m16,r16 ADD r/m32,r32 ADD r8,r/m8 ADD r16,r/m16 ADD r32,r/m32 D escription Add imm8 to AL Add imm16 to AX Add imm32 to EAX Add imm8 to r/m8 Add imm16 to r/m16 Add imm32 to r/m32 A dd sign-extended imm8 to r/m16 A dd sign-extended imm8 to r/m32 Add r8 to r/m8 Add r16 to r/m16 Add r32 to r/m32 Add r/m8 to r8 Add r/m16 to r16 Add r/m32 to r32

Description Adds the first operand (destination operand) and the second operand (source operand) and stores the result in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, a register, or a memory location. (However, two memory operands cannot be used in one instruction.) W hen an immediate value is used as an operand, it is sign-extended to the length of the destination operand format. The ADD instruction does not distinguish between signed or unsigned operands. Instead, the processor evaluates the result for both data types and sets the OF and CF flags to indicate a carry in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result. Operation
DEST DEST + SRC;

Flags Affected The OF, SF, ZF, AF, CF, and PF flags are set according to the result. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector.

3-17


INSTRUCTION SET REFERENCE

ADD--Add (Continued)
#SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 18


INSTRUCTION SET REFER EN CE

AND--Logical AND
Opcode 24 ib 25 iw 25 id 80 /4 ib 81 /4 iw 81 /4 id 83 /4 ib 83 /4 ib 20 /r 21 /r 21 /r 22 /r 23 /r 23 /r Instruction A ND AL,imm8 A ND AX,imm16 A ND EAX ,imm32 A ND r/m8,imm8 A ND r/m16,imm16 A ND r/m32,imm32 A ND r/m16,imm8 A ND r/m32,imm8 A ND r/m8,r8 A ND r/m16,r 16 A ND r/m32,r 32 A ND r8,r/m8 A ND r16,r /m16 A ND r32,r /m32 Description AL AND imm8 AX AND imm16 EAX AND imm32 r/m8 AND imm8 r/m16 AND imm16 r/m32 AND imm32 r/m16 AND imm8 (sign-extended) r/m32 AND imm8 (sign-extended) r/m8 AND r8 r/m16 AND r16 r/m32 AND r32 r8 AND r/m8 r16 AND r/m16 r32 AND r/m32

Description Performs a bitwise AND operation on the destination (first) and source (second) operands and stores the result in the destination operand location. The source operand can be an immediate, a register, or a memory location; the destination operand can be a register or a memory location. (However, two memory operands cannot be used in one instruction.) Each bit of the result of the AND instruction is a 1 if both corresponding bits of the operands are 1; otherwise, it becomes a 0. Operation
DEST DEST AN D SRC;

Flags Affected The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined. Protected Mode Exceptions #GP(0) If the destination operand points to a nonw ritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3-19


INSTRUCTION SET REFERENCE

AND--Logical AND (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 20


INSTRUCTION SET REFER EN CE

ARPL--Adjust RPL Field of Segment Selector
Opcode 63 /r Instruction ARPL r/m16,r16 D escription Adjust RPL of r/m16 to not less than RPL of r16

Description Compares the RPL fields of two segment selectors. The first operand (the destination operand) contains one segment selector and the second operand (source operand) contains the other. (The RPL field is located in bits 0 and 1 of each operand.) If the RPL field of the destination operand is less than the RPL field of the source operand, the ZF flag is set and the RPL field of the destination operand is increased to match that of the source operand. Otherwise, the ZF flag is cleared and no change is made to the destination operand. (The destination operand can be a word register or a memory location; the source operand must be a word register.) The ARPL instruction is provided for use by operating-system procedures (however, it can also be used by applications). It is generally used to adjust the RPL of a segment selector that has been passed to the operating system by an application program to match the privilege level of the application program. Here the segment selector passed to the operating system is placed in the destination operand and segment selector for the application program's code segment is placed in the source operand. (The RPL field in the source operand represents the privilege level of the application program.) Execution of the ARPL instruction then insures that the RPL of the segment selector received by the operating system is no lower (does not have a higher privilege) than the privilege level of the application program. (The segment selector for the application program's code segment can be read from the stack following a procedure call.) See "Checking Caller Access Privileges" in Chapter 4 of the Intel Architecture Software Developer's Manual, Volume 3, for more information about the use of this instruction. Operation
IF DEST(RPL) < SRC(RPL) THEN ZF 1; DEST(RPL) SRC(RPL); ELSE ZF 0; FI;

Flags Affected The ZF flag is set to 1 if the RPL field of the destination operand is less than that of the source operand; otherwise, is cleared to 0.

3-21


INSTRUCTION SET REFERENCE

ARPL--Adjust RPL Field of Segment Selector (Continued)
Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #UD The ARPL instruction is not recognized in real-address mode.

Vir tual-8086 Mode Exceptions #UD The ARPL instruction is not recognized in virtual-8086 mode.

3- 22


INSTRUCTION SET REFER EN CE

BOUND--Check Array Index Against Bounds
Opcode 62 /r 62 /r Instruction BOUND r16,m16& 16 BOUND r32,m32& 32 Description Check if r16 (array index) is within bounds specified by m16&16 Check if r32 (array index) is within bounds specified by m16&16

Description Determines if the first operand (array index) is within the bounds of an array specified the second operand (bounds operand). The array index is a signed integer located in a register. The bounds operand is a memory location that contains a pair of signed doubleword-integers (when the operand-size attribute is 32) or a pair of signed word-integers (when the operand-size attribute is 16). The first doubleword (or word) is the lower bound of the array and the second doubleword (or word) is the upper bound of the array. The array index must be greater than or equal to the lower bound and less than or equal to the upper bound plus the operand size in bytes. If the index is not within bounds, a BOUND range exceeded exception (#BR) is signaled. (When a this exception is generated, the saved return instruction pointer points to the BOUND instruction.) The bounds limit data structure (two words or doublewords containing the lower and upper limits of the array) is usually placed just before the array itself, making the limits addressable via a constant offset from the beginning of the array. Because the address of the array already will be present in a register, this practice avoids extra bus cycles to obtain the effective address of the array bounds. Operation
IF (ArrayIndex < LowerBound OR ArrayIndex > (UppderBound + OperandSize/8])) (* Below lower bound or above upper bound *) THEN #BR; FI;

Flags Affected None. Protected Mode Exceptions #BR #UD #GP(0) If the bounds test fails. If second operand is not a memory location. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector.

3-23


INSTRUCTION SET REFERENCE

BOUND--Check Array Index Against Bounds (Continued)
#SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #BR #UD #GP #SS If the bounds test fails. If second operand is not a memory location. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #BR #UD #GP(0) #SS(0) #PF(fault-code) #AC(0) If the bounds test fails. If second operand is not a memory location. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 24


INSTRUCTION SET REFER EN CE

BSF--Bit Scan Forward
Opcode 0F BC 0F BC Instruction BSF r16,r/m16 BSF r32,r/m32 D escription B it scan forward on r/m16 B it scan forward on r/m32

Description Searches the source operand (second operand) significant 1 bit is found, its bit index is stored source operand can be a register or a memory lo bit index is an unsigned offset from bit 0 of the are 0, the contents of the destination operand is Operation
IF SRC = 0 THEN ZF 1; DEST is undefined; ELSE ZF 0; temp 0; WHILE Bit(SRC, temp) = 0 DO temp temp + 1; DEST temp; OD; FI;

for the least significant set bit (1 in the destination operand (first cation; the destination operand is source operand. If the contents s undefined.

bit). If a least operand). The a register. The ource operand

Flags Affected The ZF flag is set to 1 if all the source operand is 0; otherwise, the ZF flag is cleared. The CF, OF, SF, AF, and PF, flags are undefined. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

3-25


INSTRUCTION SET REFERENCE

BSF--Bit Scan Forward (Continued)
Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 26


INSTRUCTION SET REFER EN CE

BSR--Bit Scan Reverse
Opcode 0F BD 0F BD Instruction BSR r16,r/m16 BSR r32,r/m32 D escription B it scan reverse on r/m16 B it scan reverse on r/m32

Description Searches the source operand (second operand) for the most significant set bit (1 significant 1 bit is found, its bit index is stored in the destination operand (first source operand can be a register or a memory location; the destination operand is bit index is an unsigned offset from bit 0 of the source operand. If the contents s are 0, the contents of the destination operand is undefined. Operation
IF SRC = 0 THEN ZF 1; DEST is undefined; ELSE ZF 0; temp OperandSize ­ 1; WHILE Bit(SRC, temp) = 0 DO temp temp - 1; DEST temp; OD; FI;

bit). If a most operand). The a register. The ource operand

Flags Affected The ZF flag is set to 1 if all the source operand is 0; otherwise, the ZF flag is cleared. The CF, OF, SF, AF, and PF, flags are undefined. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

3-27


INSTRUCTION SET REFERENCE

BSR--Bit Scan Reverse (Continued)
Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 28


INSTRUCTION SET REFER EN CE

BSWAP--Byte Swap
Opcode 0F C8+rd Instruction BSWAP r32 D escription R everses the byte order of a 32-bit register.

Description Reverses the byte order of a 32-bit (destination) register: bits 0 through 7 are swapped with bits 24 through 31, and bits 8 through 15 are swapped with bits 16 through 23. This instruction is provided for converting little-endian values to big-endian format and vice versa. To swap bytes in a word value (16-bit register), use the XCHG instruction. When the BSWAP instruction references a 16-bit register, the result is undefined. Intel Architecture Compatibility The BSWAP instruction is not supported on Intel Architecture processors earlier than the In te l4 86 p r oc esso r fam ily. Fo r co mp ati bi li ty w it h th is in str uc ti on , i n clu d e f u nc tio n all y equivalent code for execution on Intel processors earlier than the Intel486 processor family. Operation
TEM P DEST( DEST( DEST( DEST( DEST 7..0) TEM P(31..24) 15..8) TEM P(23..16) 23..16) TEMP(15..8) 31..24) TEMP(7..0)

Flags Affected None. Exceptions (All Operating Modes) None.

3-29


INSTRUCTION SET REFERENCE

BT--Bit Test
Opcode 0F A3 0F A3 0F BA /4 ib 0F BA /4 ib Instruction BT r/m16,r16 BT r/m32,r32 BT r/m16,imm8 BT r/m32,imm8 Description Store selected bit in CF flag Store selected bit in CF flag Store selected bit in CF flag Store selected bit in CF flag

Description Selects the bit in a bit string (specified with the first operand, called the bit base) at the bitposition designated by the bit offset operand (second operand) and stores the value of the bit in the CF flag. The bit base operand can be a register or a memory location; the bit offset operand can be a register or an immediate value. If the bit base operand specifies a register, the instruction takes the modulo 16 or 32 (depending on the register size) of the bit offset operand, allowing any bit position to be selected in a 16- or 32-bit register, respectively (see Figure 3-1). If the bit base operand specifies a memory location, it represents the address of the byte in memory that contains the bit base (bit 0 of the specified byte) of the bit string (see Figure 3-2). The offset operand then selects a bit position within the range -231 to 231 - 1 for a register offset and 0 to 31 for an immediate offset. Some assemblers support immediate bit offsets larger than 31 by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the loworder 3 or 5 bits (3 for 16-bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high order bits if they are not zero. When accessing a bit in memory, the processor may access 4 bytes starting from the memory address for a 32-bit operand size, using by the following relationship:
Effective Address + (4 (BitOffset DIV 32))

Or, it may access 2 bytes starting from the memory address for a 16-bit operand, using this relationship:
Effective Address + (2 (BitOffset DIV 16))

It may do so even when only a single byte needs to be accessed to reach the given bit. W hen using this bit addressing mechanism, software should avoid referencing areas of memory close to address space holes. In particular, it should avoid references to memory-mapped I/O registers. Instead, software should use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data. Operation
CF Bit(BitBase, BitO ffset)

3- 30


INSTRUCTION SET REFER EN CE

BT--Bit Test (Continued)
Flags Affected The CF flag contains the value of the selected bit. The OF, SF, ZF, AF, and PF flags are undefined. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-31


INSTRUCTION SET REFERENCE

BTC--Bit Test and Complement
Opcode 0F BB 0F BB 0F BA /7 ib 0F BA /7 ib Instruction BTC r/m16,r16 BTC r/m32,r32 BTC r/m16,imm8 BTC r/m32,imm8 Description Store selected bit in CF flag and complement Store selected bit in CF flag and complement Store selected bit in CF flag and complement Store selected bit in CF flag and complement

Description Selects the bit in a bit string (specified with the first operand, called the bit base) at the bitposition designated by the bit offset operand (second operand), stores the value of the bit in the CF flag, and complements the selected bit in the bit string. The bit base operand can be a register or a memory location; the bit offset operand can be a register or an immediate value. If the bit base operand specifies a register, the instruction takes the modulo 16 or 32 (depending on the register size) of the bit offset operand, allowing any bit position to be selected in a 16- or 32-bit register, respectively (see Figure 3-1). If the bit base operand specifies a memory location, it represents the address of the byte in memory that contains the bit base (bit 0 of the specified byte) of the bit string (see Figure 3-2). The offset operand then selects a bit position within the range -231 to 231 - 1 for a register offset and 0 to 31 for an immediate offset. Some assemblers support immediate bit offsets larger than 31 by using the immediate bit offset field in combination with the displacement field of the memory operand. See "BT--Bit Test" in this chapter for more information on this addressing mechanism. Operation
CF Bit(BitBase, BitO ffset) Bit(BitBase, BitOffset) NOT Bit(BitBase, BitOffset);

Flags Affected The CF flag contains the value of the selected bit before it is complemented. The OF, SF, ZF, AF, and PF flags are undefined. Protected Mode Exceptions #GP(0) If the destination operand points to a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 32


INSTRUCTION SET REFER EN CE

BTC--Bit Test and Complement (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-33


INSTRUCTION SET REFERENCE

BTR--Bit Test and Reset
Opcode 0F B3 0F B3 0F BA /6 ib 0F BA /6 ib Instruction BTR r/m16,r16 BTR r/m32,r32 BTR r/m16,imm8 BTR r/m32,imm8 Description Store selected bit in CF flag and clear Store selected bit in CF flag and clear Store selected bit in CF flag and clear Store selected bit in CF flag and clear

Description Selects the bit in a bit string (specified with the first operand, called the bit base) at the bitposition designated by the bit offset operand (second operand), stores the value of the bit in the CF flag, and clears the selected bit in the bit string to 0. The bit base operand can be a register or a memory location; the bit offset operand can be a register or an immediate value. If the bit base operand specifies a register, the instruction takes the modulo 16 or 32 (depending on the register size) of the bit offset operand, allowing any bit position to be selected in a 16- or 32-bit register, respectively (see Figure 3-1). If the bit base operand specifies a memory location, it represents the address of the byte in memory that contains the bit base (bit 0 of the specified byte) of the bit string (see Figure 3-2). The offset operand then selects a bit position within the range -231 to 231 - 1 for a register offset and 0 to 31 for an immediate offset. Some assemblers support immediate bit offsets larger than 31 by using the immediate bit offset field in combination with the displacement field of the memory operand. See "BT--Bit Test" in this chapter for more information on this addressing mechanism. Operation
CF Bit(BitBase, BitO ffset) Bit(BitBase, BitOffset) 0;

Flags Affected The CF flag contains the value of the selected bit before it is cleared. The OF, SF, ZF, A F, and PF flags are undefined. Protected Mode Exceptions #GP(0) If the destination operand points to a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 34


INSTRUCTION SET REFER EN CE

BTR--Bit Test and Reset (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-35


INSTRUCTION SET REFERENCE

BTS--Bit Test and Set
Opcode 0F AB 0F AB 0F BA /5 ib 0F BA /5 ib Instruction BTS r/m16,r 16 BTS r/m32,r 32 BTS r/m16,imm8 BTS r/m32,imm8 Description Store selected bit in CF flag and set Store selected bit in CF flag and set Store selected bit in CF flag and set Store selected bit in CF flag and set

Description Selects the bit in a bit string (specified with the first operand, called the bit base) at the bitposition designated by the bit offset operand (second operand), stores the value of the bit in the CF flag, and sets the selected bit in the bit string to 1. The bit base operand can be a register or a memory location; the bit offset operand can be a register or an immediate value. If the bit base operand specifies a register, the instruction takes the modulo 16 or 32 (depending on the register size) of the bit offset operand, allowing any bit position to be selected in a 16- or 32-bit register, respectively (see Figure 3-1). If the bit base operand specifies a memory location, it represents the address of the byte in memory that contains the bit base (bit 0 of the specified byte) of the bit string (see Figure 3-2). The offset operand then selects a bit position within the range -231 to 231 - 1 for a register offset and 0 to 31 for an immediate offset. Some assemblers support immediate bit offsets larger than 31 by using the immediate bit offset field in combination with the displacement field of the memory operand. See "BT--Bit Test" in this chapter for more information on this addressing mechanism. Operation
CF Bit(BitBase, BitO ffset) Bit(BitBase, BitOffset) 1;

Flags Affected The CF flag contains the value of the selected bit before it is set. The OF, SF, ZF, AF, and PF flags are undefined. Protected Mode Exceptions #GP(0) If the destination operand points to a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 36


INSTRUCTION SET REFER EN CE

BTS--Bit Test and Set (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP #SS #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-37


INSTRUCTION SET REFERENCE

CALL--Call Procedure
Opcode E8 cw E8 cd FF /2 FF /2 9A cd 9A cp FF /3 FF /3 Instruction CALL rel16 CALL rel32 CALL r/m16 CALL r/m32 CALL ptr16:16 CALL ptr16:32 CALL m16:16 CALL m16:32 Descript ion Call near, relative, displacement relative to next instruction Call near, relative, displacement relative to next instruction Call near, absolute indirect, address given in r/m16 Call near, absolute indirect, address given in r/m32 Call far, absolute, address given in operand Call far, absolute, address given in operand Call far, absolute indirect, address given in m16:16 Call far, absolute indirect, address given in m16:32

Description Saves procedure linking information on the stack and branches to the procedure (called procedure) specified with the destination (target) operand. The target operand specifies the address of the first instruction in the called procedure. This operand can be an immediate value, a generalpurpose register, or a memory location. This instruction can be used to execute four different types of calls:

· · · ·

Near call--A call to a procedure within the current code segment (the segment currently pointed to by the CS register), sometimes referred to as an intrasegment call. Far call--A call to a procedure located in a different segment than the current code segment, sometimes referred to as an intersegment call. Inter-privilege-level far call--A far call to a procedure in a segment at a different privilege level than that of the currently executing program or procedure. Task switch--A call to a procedure located in a different task.

The latter two call types (inter-privilege-level call and task switch) can only be executed in protected mode. See the section titled "Calling Procedures Using Call and RET" in Chapter 4 of the Intel Architecture Software Developer's Manual, Volum e 1, for additional information on near, far, and inter-privilege-level calls. See Chapter 6, Task Management, in the I n tel Arch it ectu re Software Deve lo pe r's M anual, Volume 3 , for in forma tion on performing ta sk sw it ch es w it h th e C A LL instruction. Near Call. When executing a near call, the processor pushes the value of the EIP register (which contains the offset of the instruction following the CA LL instruction) onto the stack (for use later as a return-instruction pointer). The processor then branches to the address in the current code segment specified with the target operand. The target operand specifies either an absolute offset in the code segment (that is an offset from the base of the code segment) or a relative offset (a signed displacement relative to the current value of the instruction pointer in the EIP register, which points to the instruction following the CALL instruction). The CS register is not changed on near calls.

3- 38


INSTRUCTION SET REFER EN CE

CALL--Call Procedure (Continued)
For a near call, an absolute offset is specified indirectly in a general-purpose register or a memory location (r/m16 or r/m32). The operand-size attribute determines the size of the target operand (16 or 32 bits). Absolute offsets are loaded directly into the EIP register. If the operandsize attribute is 16, the upper two bytes of the EIP register are cleared to 0s, resulting in a maximum instruction pointer size of 16 bits. (When accessing an absolute offset indirectly using the stack pointer [ESP] as a base register, the base value used is the value of the ESP before the instruction executes.) A m to th relative offset (rel16 or rel32) is generally specified as a label in assembly code, but at the achine code level, it is encoded as a signed, 16- or 32-bit immediate value. This value is added the value in the EIP register. As with absolute offsets, the operand-size attribute determines e size of the target operand (16 or 32 bits).

Far Calls in Real-Address or Virtual-8086 Mode. When executing a far call in realaddress or virtual-8086 mode, the processor pushes the current value of both the CS and EIP registers onto the stack for use as a return-instruction pointer. The processor then performs a "far branch" to the code segment and offset specified with the target operand for the called procedure. Here the target operand specifies an absolute far address either directly with a pointer (ptr16:16 or ptr16:32) or indirectly with a memory location (m16:16 or m16:32). With the pointer method, the segment and offset of the called procedure is encoded in the instruction, using a 4-byte (16-bit operand size) or 6-byte (32-bit operand size) far address immediate. With the indirect method, the target operand specifies a memory location that contains a 4-byte (16-bit operand size) or 6-byte (32-bit operand size) far address. The operand-size attribute determines the size of the offset (16 or 32 bits) in the far address. The far address is loaded directly into the CS and EIP registers. If the operand-size attribute is 16, the upper two bytes of the EIP register are cleared to 0s. Far Calls in Protected Mode. W hen the processor is operating in protected mode, the CALL instruction can be used to perform the following three types of far calls:

· · ·

Far call to the same privilege level. Far call to a different privilege level (inter-privilege level call). Task switch (far call to another task).

In protected mode, the processor always uses the segment selector part of the far address to access the corresponding descriptor in the GDT or LDT. The descriptor type (code segment, call gate, task gate, or TSS) and access rights determine the type of call operation to be performed. If the selected descriptor is for a code segment, a far call to a code segment at the same privilege level is performed. (If the selected code segment is at a different privilege level and the code segment is non-conforming, a general-protection exception is generated.) A far call to the same privilege level in protected mode is very similar to one carried out in real-address or virtual-8086 mode. The target operand specifies an absolute far address either directly with a pointer (ptr16:16 or ptr16:32) or indirectly with a memory location (m16:16 or m16:32). The operandsize attribute determines the size of the offset (16 or 32 bits) in the far address. The new code segment selector and its descriptor are loaded into CS register, and the offset from the instruction is loaded into the EIP register.

3-39


INSTRUCTION SET REFERENCE

CALL--Call Procedure (Continued)
Note that a call gate (described in the next paragraph) can also be used to perform far call to a code segment at the same privilege level. Using this mechanism provides an extra level of indirection and is the preferred method of making calls betw een 16-bit and 32-bit code segments. When executing an inter-privilege-level far call, the code segment for the procedure being called must be accessed through a call gate. The segment selector specified by the target operand identifies the call gate. Here again, the target operand can specify the call gate segment selector either directly with a pointer (ptr16:16 or ptr16:32) or indirectly with a memory location (m16:16 or m16:32). The processor obtains the segment selector for the new code segment and the new instruction pointer (offset) from the call gate descriptor. (The offset from the target operand is ignored when a call gate is used.) On inter-privilege-level calls, the processor switches to the stack for the privilege level of the called procedure. The segment selector for the new stack segment is specified in the TSS for the currently running task. The branch to the new code segment occurs after the stack switch. (Note that w hen using a call gate to perform a far call to a segment at the same privilege level, no stack switch occurs.) On the new stack, the processor pushes the segment selector and stack pointer for the calling procedure's stack, an (optional) set of parameters from the calling procedures stack, and the segment selector and instruction pointer for the calling procedure's code segment. (A value in the call gate descriptor determines how many parameters to copy to the new stack.) Finally, the processor branches to the address of the procedure being called within the new code segment. Executing a task sw itch with the CALL instruction, is somewhat similar to executing a call through a call gate. H ere the target operand specifies the segment selector of the task gate for the task being switched to (and the offset in the target operand is ignored.) The task gate in turn points to the TSS for the task, which contains the segment selectors for the task's code and stack segments. The TSS also contains the EIP value for the next instruction that was to be executed before the task was suspended. This instruction pointer value is loaded into EIP register so that the task begins executing again at this next instruction. The CALL instruction can also specify the segment selector of the TSS directly, which eliminates the indirection of the task gate. See Chapter 6, Task Management, in the Intel Architecture Software Developer's Manual, Volume 3, for detailed information on the mechanics of a task switch. Note that w hen you execute at task switch with a CA LL instruction, the nested task flag (NT) is set in the EFLAG S register and the new TSS's previous task link field is loaded with the old tasks TSS selector. Code is expected to suspend this nested task by executing an IRET instruction, which, because the NT flag is set, will automatically use the previous task link to return to the calling task. (See "Task Linking" in Chapter 6 of the Intel Architecture Software Developer's Manual, Volume 3, for more information on nested tasks.) Switching tasks with the CALL instruction differs in this regard from the JMP instruction which does not set the NT flag and therefore does not expect an IRET instruction to suspend the task.

3- 40


INSTRUCTION SET REFER EN CE

CALL--Call Procedure (Continued)
Mixing 16-Bit and 32-Bit Calls. W hen making far calls between 16-bit and 32-bit code segments, the calls should be made through a call gate. If the far call is from a 32-bit code segment to a 16-bit code segment, the call should be made from the first 64 KBytes of the 32bit code segment. This is because the operand-size attribute of the instruction is set to 16, so only a 16-bit return address offset is saved. Also, the call should be made using a 16-bit call gate so that 16-bit values will be pushed on the stack. See Chapter 16, Mixing 16-Bit and 32-Bit Code, in the Intel Architecture Software Developer's Manual, Volume 3, for more information on making calls between 16-bit and 32-bit code segments. Operation
IF near call THEN IF near relative call IF the instruction pointer is not within code segment lim it THEN #GP(0); FI; THEN IF OperandSize = 32 THEN IF stack not large enough for a 4-byte return address THEN #SS(0) Push(EIP); EIP EIP + DEST; (* DEST is rel32 *) ELSE (* OperandSize = 16 *) IF stack not large enough for a 2-byte return address THEN #SS(0) Push(IP); EIP (EIP + DEST) AND 0000FFFFH; (* DEST is rel16 *) FI; FI; ELSE (* near absolute call *) IF the instruction pointer is not within code segment lim it THEN #GP(0); FI; IF OperandSize = 32 THEN IF stack not large enough for a 4-byte return address THEN #SS(0) Push(EIP); EIP DEST; (* DEST is r/m32 *) ELSE (* OperandSize = 16 *) IF stack not large enough for a 2-byte return address THEN #SS(0) Push(IP); EIP DEST AND 0000FFFFH; (* DEST is r/m16 *) FI; FI: FI;

; FI;

; FI;

; FI;

; FI;

IF far call AND (PE = 0 OR (PE = 1 AND VM = 1)) (* real-address or virtual-8086 mode *) THEN IF OperandSize = 32 THEN IF stack not large enough for a 6-byte return address THEN #SS(0); FI; IF the instruction pointer is not within code segment lim it THEN #GP(0); FI;

3-41


INSTRUCTION SET REFERENCE

CALL--Call Procedure (Continued)
Push(CS); (* padded with 16 high-order bits *) Push(EIP); CS DEST[47:32]; (* DEST is ptr16:32 or [m16:32] *) EIP DEST[31:0]; (* DEST is ptr16:32 or [m16:32] *) ELSE (* OperandSize = 16 *) IF stack not large enough for a 4-byte return address THEN #SS(0); FI; IF the instruction pointer is not within code segment limit THEN #GP(0); FI; Push(CS); Push(IP); CS DEST[31:16]; (* DEST is ptr16:16 or [m16:16] *) EIP DEST[15:0]; (* DEST is ptr16:16 or [m16:16] *) EIP EIP AND 0000FFFFH; (* clear upper 16 bits *) FI; FI; IF far call AND (PE = 1 AND VM = 0) (* Protected m ode, not virtual-8086 m ode *) THEN IF segm ent selector in target operand null THEN #GP(0); FI; IF segm ent selector index not within descriptor table limits THEN #GP(new code segment selector); FI; Read type and access rights of selected segment descriptor; IF segm ent type is not a conforming or nonconform ing code segment, call gate, task gate, or TSS THEN #GP(segment selector); FI; Depending on type and access rights G O TO C ONFORMING -CODE-SEGMENT; G O TO N ONCONFORMING-CODE-SEGMENT; G O TO C ALL-GATE; G O TO TASK-GATE; G O TO TASK-STATE-SEGMENT; FI; CONFORMING-C ODE-SEGMENT: IF DPL > CPL THEN #GP(new code segment selector); FI; IF segm ent not present THEN #NP(new code segment selector); FI; IF OperandSize = 32 THEN IF stack not large enough for a 6-byte return address THEN #SS(0); FI; IF the instruction pointer is not within code segment limit THEN #GP(0); FI; Push(CS); (* padded with 16 high-order bits *) Push(EIP); CS DEST(NewCodeSegmentSelector); (* segment descriptor information also loaded *) CS(RPL) CPL EIP DEST(offset);

3- 42


INSTRUCTION SET REFER EN CE

CALL--Call Procedure (Continued)
ELSE (* OperandSize = 16 *) IF stack not large enough for a 4-byte return address THEN #SS(0); FI; IF the instruction pointer is not within code segment lim it THEN #GP(0); FI; Push(CS); Push(IP); CS DEST(NewCodeSegmentSelector); (* segment descriptor information also loaded *) CS(R PL) CPL EIP DEST(offset) AND 0000FFFFH; (* clear upper 16 bits *) FI; END; NONCONFORMING-COD E-SEGMENT: IF (RPL > CPL) O R (DPL CPL) THEN #GP(new code segment selector); FI; IF segment not present THEN #NP(new code segment selector); FI; IF stack not large enough for return address THEN #SS(0); FI; tempEIP DEST(offset) IF OperandSize=16 THEN tempEIP tempEIP AND 0000FFFFH; (* clear upper 16 bits *) FI; IF tempEIP outside code segment limit THEN #GP(0); FI; IF OperandSize = 32 THEN Push(CS); (* padded with 16 high-order bits *) Push(EIP); CS DEST(NewCodeSegmentSelector); (* segment descriptor information also loaded *) CS(R PL) CPL; EIP tem pEIP; ELSE (* OperandSize = 16 *) Push(CS); Push(IP); CS DEST(NewCodeSegmentSelector); (* segment descriptor information also loaded *) CS(R PL) CPL; EIP tem pEIP; FI; END; CALL IF IF IF -GATE: call gate DPL < CPL or RPL THEN #G P(call gate selector); FI; call gate not present THEN #N P(call gate selector); FI; call gate code-segment selector is null THEN #GP(0); FI;

3-43


INSTRUCTION SET REFERENCE

CALL--Call Procedure (Continued)
IF call gate code-segment selector index is outside descriptor table limits THEN #GP(code segment selector); FI; Read code segment descriptor; IF code-segment segment descriptor does not indicate a code segm ent O R code-segment segment descriptor D PL > CPL THEN #GP(code segment selector); FI; IF code segment not present THEN #NP(new code segment selector); FI; IF code segment is non-conforming AND DPL < CPL THEN go to M ORE-PRIVILEGE; ELSE go to SAME-PRIVILEG E; FI; END; MORE-PRIVILEG E: IF current TSS is 32-bit TSS THEN TSSstackAddress new code segment (DPL 8) + 4 IF (TSSstackAddress + 7) > TSS lim it THEN #TS(current TSS selector); FI; newSS TSSstackAddress + 4; newESP stack address; ELSE (* TSS is 16-bit *) TSSstackAddress new code segment (DPL 4) + 2 IF (TSSstackAddress + 4) > TSS lim it THEN #TS(current TSS selector); FI; newESP TSSstackAddress; newSS TSSstackAddress + 2; FI; IF stack segment selector is null THEN #TS(stack segment selector); FI; IF stack segment selector index is not within its descriptor table limits THEN #TS(SS selector); FI Read code segment descriptor; IF stack segment selector's RPL DPL of code segm ent O R stack segment DPL DPL of code segment O R stack segment is not a writable data segment THEN #TS(SS selector); FI IF stack segment not present THEN #SS(SS selector); FI; IF CallGateSize = 32 THEN IF stack does not have room for param eters plus 16 bytes THEN #SS(SS selector); FI; IF CallGate(InstructionPointer) not within code segment lim it THEN #GP(0); FI; SS newSS; (* segment descriptor information also loaded *)

3- 44


INSTRUCTION SET REFER EN CE

CALL--Call Procedure (Continued)
ESP newESP; CS:EIP CallGate(CS:InstructionPointer); (* segment descriptor information also loaded *) Push(oldSS:oldESP); (* from calling procedure *) temp parameter count from call gate, masked to 5 bits; Push(parameters from calling procedure's stack, temp) Push(oldCS:oldEIP); (* return address to calling procedure *) ELSE (* CallGateSize = 16 *) IF stack does not have room for parameters plus 8 bytes THEN #SS(SS selector); FI; IF (CallGate(InstructionPointer) AND FFFFH) not within code segment lim it THEN #GP(0); FI; SS newSS; (* segment descriptor information also loaded *) ESP newESP; CS:IP CallGate(CS:InstructionPointer); (* segment descriptor information also loaded *) Push(oldSS:oldESP); (* from calling procedure *) temp parameter count from call gate, masked to 5 bits; Push(parameters from calling procedure's stack, temp) Push(oldCS:oldEIP); (* return address to calling procedure *) FI; CPL CodeSegment(DPL) CS(RPL) CPL END; SAME-PRIVILEGE: IF CallGateSize = 32 THEN IF stack does not have room for 8 bytes THEN #SS(0); FI; IF EIP not within code segment lim it then #GP(0); FI; CS:EIP CallGate(CS:EIP) (* segment descriptor information also loaded *) Push(oldCS:oldEIP); (* return address to calling procedure *) ELSE (* CallGateSize = 16 *) IF stack does not have room for parameters plus 4 bytes THEN #SS(0); FI; IF IP not within code segment lim it THEN #GP(0); FI; CS:IP CallGate(CS:instruction pointer) (* segment descriptor information also loaded *) Push(oldCS:oldIP); (* return address to calling procedure *) FI; CS(RPL) CPL END;

3-45


INSTRUCTION SET REFERENCE

CALL--Call Procedure (Continued)
TASK-GATE: IF task gate DPL < CPL or RPL THEN #GP(task gate selector); FI; IF task gate not present THEN #NP(task gate selector); FI; Read the TSS segm ent selector in the task-gate descriptor; IF TSS segment selector local/global bit is set to local O R index not within G DT limits THEN #GP(TSS selector); FI; Access TSS descriptor in GDT; IF TSS descriptor specifies that the TSS is busy (low-order 5 bits set to 00001) THEN #GP(TSS selector); FI; IF TSS not present THEN #NP(TSS selector); FI; SWITCH-TASKS (with nesting) to TSS; IF EIP not within code segm ent limit THEN #GP(0); FI; END; TASK-STATE-SEG MENT: IF TSS DPL < CPL or RPL O R TSS descriptor indicates TSS not available THEN #GP(TSS selector); FI; IF TSS is not present THEN #NP(TSS selector); FI; SWITCH-TASKS (with nesting) to TSS IF EIP not within code segm ent limit THEN #GP(0); FI; END;

Flags Affected All flags are affected if a task switch occurs; no flags are affected if a task switch does not occur.

3- 46


INSTRUCTION SET REFER EN CE

CALL--Call Procedure (Continued)
Protected Mode Exceptions #GP(0) If target offset in destination operand is beyond the new code segment limit. If the segment selector in the destination operand is null. If the code segment selector in the gate is null. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #GP(selector) If code segment or gate or TSS selector index is outside descriptor table limits. If the segment descriptor pointed to by the segment selector in the destination operand is not for a conforming-code segment, nonconforming-code segment, call gate, task gate, or task state segment. If the DPL for a nonconforming-code segment is not equal to the CPL or the RPL for the segment's segment selector is greater than the CPL. If the DPL for a conforming-code segment is greater than the CPL. If the DPL from a call-gate, task-gate, or TSS segment descriptor is less than the CPL or than the RPL of the call-gate, task-gate, or TSS's segment selector. If the segment descriptor for a segment selector from a call gate does not indicate it is a code segment. If the segment selector from a call gate is beyond the descriptor table limits. If the DPL for a code-segment obtained from a call gate is greater than the CPL. If the segment selector for a TSS has its local/global bit set for local. If a TSS segment descriptor specifies that the TSS is busy or not available. #SS(0) If pushing the return address, parameters, or stack segment pointer onto the stack exceeds the bounds of the stack segment, when no stack switch occurs. If a memory operand effective address is outside the SS segment limit. #SS(selector) If pushing the return address, parameters, or stack segment pointer onto the stack exceeds the bounds of the stack segment, w hen a stack switch occurs.

3-47


INSTRUCTION SET REFERENCE

CALL--Call Procedure (Continued)
If the SS register is being loaded as part of a stack switch and the segment pointed to is marked not present. If stack segment does not have room for the return address, parameters, or stack segment pointer, when stack sw itch occurs. #NP(selector) #TS(selector) If a code segment, data segment, stack segment, call gate, task gate, or TSS is not present. If the new stack segment selector and ESP are beyond the end of the TSS. If the new stack segment selector is null. If the RPL of the new stack segment selector in the TSS is not equal to the DPL of the code segment being accessed. If DPL of the stack segment descriptor for the new stack segment is not equal to the DPL of the code segment descriptor. If the new stack segment is not a writable data segment. If segment-selector index for stack segment is outside descriptor table limits. #PF(fault-code) #AC(0) If a page fault occurs. If an unaligned memory access occurs when the CPL is 3 and alignment checking is enabled.

Real-Address Mode Exceptions #GP If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the target offset is beyond the code segment limit. Vir tual-8086 Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the target offset is beyond the code segment limit. #PF(fault-code) #AC(0) If a page fault occurs. If an unaligned memory access occurs when alignment checking is enabled.

3- 48


INSTRUCTION SET REFER EN CE

CBW/CWDE--Convert Byte to Word/Conver t Word to Doubleword
Opcode 98 98 Instruction CBW CWDE D escription A X sign- extend of AL E AX sign-extend of AX

Description Double the size of the source operand by means of sign extension (see Figure Architecture Software Developer's Manual, Volume 1). The CBW (convert byte t tion copies the sign (bit 7) in the source operand into every bit in the AH regis (convert word to doubleword) instruction copies the sign (bit 15) of the word in into the higher 16 bits of the EAX register. 6-5 in the Intel o word) instructer. The CWDE the AX register

The CBW and CWDE mnemonics reference the same opcode. The CBW instruction is intended for use when the operand-size attribute is 16 and the CWDE instruction for when the operandsize attribute is 32. Some assemblers may force the operand size to 16 when CBW is used and to 32 when CW DE is used. Others may treat these mnemonics as synonyms (CBW/CWDE) and use the current setting of the operand-size attribute to determine the size of values to be converted, regardless of the mnemonic used. The CWDE instruction is different from the CW D (convert word to double) instruction. The CW D instruction uses the D X:AX register pair as a destination operand; whereas, the CWDE instruction uses the EAX register as a destination. Operation
IF OperandSize = 16 (* instruction = CBW *) THEN AX SignExtend(AL); ELSE (* OperandSize = 32, instruction = CWDE *) EAX SignExtend(AX); FI;

Flags Affected None. Exceptions (All Operating Modes) None.

3-49


INSTRUCTION SET REFERENCE

CDQ--Conver t Double to Quad
See entry for CW D/CDQ -- Convert Word to Doubleword/Convert Doubleword to Quadword.

3- 50


INSTRUCTION SET REFER EN CE

CLC--Clear Carry Flag
Opcode F8 Instruction CLC D escription C lear CF flag

Description Clears the CF flag in the EFLAGS register. Operation
CF 0;

Flags Affected The CF flag is cleared to 0. The OF, ZF, SF, AF, and PF flags are unaffected. Exceptions (All Operating Modes) None.

3-51


INSTRUCTION SET REFERENCE

CLD--Clear Direction Flag
Opcode FC Instruction CLD Description Clear DF flag

Description Clears the DF flag in the EFLAGS register. W hen the DF flag is set to 0, string operations increment the index registers (ESI and/or EDI). Operation
DF 0;

Flags Affected The DF flag is cleared to 0. The CF, O F, ZF, SF, AF, and PF flags are unaffected. Exceptions (All Operating Modes) None.

3- 52


INSTRUCTION SET REFER EN CE

CLI--Clear Interrupt Flag
Opcode FA Instruction CLI D escription C lear interr upt flag; interr upts disabled when inter rupt flag cleared

Description Clears the IF flag in the EFLAGS register. No other flags are affected. Clearing the IF flag causes the processor to ignore maskable external interrupts. The IF flag and the CLI and STI instruction have no affect on the generation of exceptions and NMI interrupts. The follow ing decision table indicates the action of the CLI instruction (bottom of the table) depending on the processor's mode of operating and the CPL and IOPL of the currently running program or procedure (top of the table).
PE = VM = CP L IOP L IF 0 #GP(0) NOTES: X Don't care N Action in column 1 not taken Y Action in column 1 taken 0 X X X Y N 1 0 IOPL X Y N 1 X X =3 Y N 1 0 > IOPL X N Y 1 1 X <3 N Y

Operation
IF PE = 0 (* Executing in real-address mode *) THEN IF 0; ELSE IF VM = 0 (* Executing in protected mode *) THEN IF CPL IOPL THEN IF 0; ELSE #GP(0); FI; FI;

3-53


INSTRUCTION SET REFERENCE

CLI--Clear Interrupt Flag (Continued)
ELSE (* Executing in Virtual-8086 mode *) IF IO PL = 3 THEN IF 0 ELSE #GP(0); FI; FI; FI;

Flags Affected The IF is cleared to 0 if the CPL is equal to or less than the IOPL; otherwise, it is not affected. The other flags in the EFLAGS register are unaffected. Protected Mode Exceptions #GP(0) If the CPL is greater (has less privilege) than the IOPL of the current program or procedure.

Real-Address Mode Exceptions None. Vir tual-8086 Mode Exceptions #GP(0) If the CPL is greater (has less privilege) than the IOPL of the current program or procedure.

3- 54


INSTRUCTION SET REFER EN CE

CLTS--Clear Task-Switched Flag in CR0
Opcode 0F 06 Instruction CLTS D escription C lears TS flag in CR0

Description Clears the task-switched (TS) flag in the CR0 register. This instruction is intended for use in operating-system procedures. It is a privileged instruction that can only be executed at a CPL of 0. It is allowed to be executed in real-address mode to allow initialization for protected mode. The processor sets the TS flag every time a task switch occurs. The flag is used to synchronize the saving of FPU context in multitasking applications. See the description of the TS flag in the section titled "Control Registers" in Chapter 2 of the Intel Architecture Software Developer's Manual, Volume 3, for more information about this flag. Operation
CR0(TS) 0;

Flags Affected The TS flag in CR0 register is cleared. Protected Mode Exceptions #GP(0) If the CPL is greater than 0.

Real-Address Mode Exceptions None. Virtual-8086 Mode Exceptions #GP(0) If the CPL is greater than 0.

3-55


INSTRUCTION SET REFERENCE

CMC--Complement Carry Flag
Opcode F5 Instruction CM C Description Complement CF flag

Description Complements the CF flag in the EFLAGS register. Operation
CF NOT CF;

Flags Affected The CF flag contains the complement of its original value. The OF, ZF, SF, AF, and PF flags are unaffected. Exceptions (All Operating Modes) None.

3- 56


INSTRUCTION SET REFER EN CE

CMOVcc--Conditional Move
Opcode 0F 47 /r 0F 47 /r 0F 43 /r 0F 43 /r 0F 42 /r 0F 42 /r 0F 46 /r 0F 46 /r 0F 42 /r 0F 42 /r 0F 44 /r 0F 44 /r 0F 4F /r 0F 4F /r 0F 4D /r 0F 4D /r 0F 4C /r 0F 4C /r 0F 4E /r 0F 4E /r 0F 46 /r 0F 46 /r 0F 42 /r 0F 42 /r 0F 43 /r 0F 43 /r 0F 47 /r 0F 47 /r 0F 43 /r 0F 43 /r 0F 45 /r 0F 45 /r 0F 4E /r 0F 4E /r 0F 4C /r 0F 4C /r 0F 4D /r 0F 4D /r 0F 4F /r 0F 4F /r Instruction CMOVA r16, r/m16 CMOVA r32, r/m32 CMOVAE r16, r/m16 CMOVAE r32, r/m32 CMOV B r16, r/m16 CMOV B r32, r/m32 CMOVBE r16, r/m16 CMOVBE r32, r/m32 CMOV C r16, r/m16 CMOV C r32, r/m32 CMOV E r16, r/m16 CMOV E r32, r/m32 CMOVG r16, r/m16 CMOVG r32, r/m32 CMOVGE r 16, r/m16 CMOVGE r 32, r/m32 CMOV L r16, r/m16 CMOV L r32, r/m32 CMOV LE r16, r/m16 CMOV LE r32, r/m32 CMOV NA r16, r/m16 CMOV NA r32, r/m32 CMOV NAE r16, r/m16 CMOV NAE r32, r/m32 CMOV NB r16, r/m16 CMOV NB r32, r/m32 CMOV NBE r16, r/m16 CMOV NBE r32, r/m32 CMOV NC r16, r/m16 CMOV NC r32, r/m32 CMOV NE r16, r/m16 CMOV NE r32, r/m32 CMOV NG r16, r/m16 CMOV NG r32, r/m32 CMOV NGE r16, r/m16 CMOV NGE r32, r/m32 CMOV NL r 16, r/m16 CMOV NL r 32, r/m32 CMOV NLE r16, r/m16 CMOV NLE r32, r/m32 Description Move if above (CF=0 and ZF=0) Move if above (CF=0 and ZF=0) Move if above or equal (CF=0) Move if above or equal (CF=0) Move if below (CF=1) Move if below (CF=1) Move if below or equal ( CF=1 or ZF=1) Move if below or equal ( CF=1 or ZF=1) Move if carr y (CF=1) Move if carr y (CF=1) Move if equal (ZF=1) Move if equal (ZF=1) Move if greater (ZF=0 and SF=OF) Move if greater (ZF=0 and SF=OF) Move if greater or equal (SF=OF) Move if greater or equal (SF=OF) Move if less (SF<>OF) Move if less (SF<>OF) Move if less or equal (ZF=1 or SF<>OF) Move if less or equal (ZF=1 or SF<>OF) Move if not above (CF=1 or ZF=1) Move if not above (CF=1 or ZF=1) Move if not above or equal (CF=1) Move if not above or equal (CF=1) Move if not below (C F=0) Move if not below (C F=0) Move if not below or equal (CF=0 and ZF=0) Move if not below or equal (CF=0 and ZF=0) Move if not carr y (CF=0) Move if not carr y (CF=0) Move if not equal ( ZF=0) Move if not equal ( ZF=0) Move if not greater (ZF=1 or SF<>OF) Move if not greater (ZF=1 or SF<>OF) Move if not greater or equal (SF<>OF) Move if not greater or equal (SF<>OF) Move if not less (SF=OF) Move if not less (SF=OF) Move if not less or equal (ZF=0 and SF=OF) Move if not less or equal (ZF=0 and SF=OF)

3-57


INSTRUCTION SET REFERENCE

CMOVcc--Conditional Move (Continued)
Opcode 0F 41 /r 0F 41 /r 0F 4B /r 0F 4B /r 0F 49 /r 0F 49 /r 0F 45 /r 0F 45 /r 0F 40 /r 0F 40 /r 0F 4A /r 0F 4A /r 0F 4A /r 0F 4A /r 0F 4B /r 0F 4B /r 0F 48 /r 0F 48 /r 0F 44 /r 0F 44 /r Instruction CMOVNO r16, r/m16 CMOVNO r32, r/m32 CMOVNP r16, r/m16 CMOVNP r32, r/m32 CMOVNS r16, r/m16 CMOVNS r32, r/m32 CMOVNZ r16, r/m16 CMOVNZ r32, r/m32 CMOVO r16, r/m16 CMOVO r32, r/m32 CMOVP r 16, r/m16 CMOVP r 32, r/m32 CMOVPE r16, r/m16 CMOVPE r32, r/m32 CMOVPO r16, r/m16 CMOVPO r32, r/m32 CMOVS r 16, r/m16 CMOVS r 32, r/m32 CMOVZ r16, r/m16 CMOVZ r32, r/m32 Description Move if not overflow (OF=0) Move if not overflow (OF=0) Move if not par ity (PF=0) Move if not par ity (PF=0) Move if not sign ( SF=0) Move if not sign ( SF=0) Move if not zero (ZF=0) Move if not zero (ZF=0) Move if overflow (OF=0) Move if overflow (OF=0) Move if parity (PF=1) Move if parity (PF=1) Move if parity even (PF=1) Move if parity even (PF=1) Move if parity odd (PF=0) Move if parity odd (PF=0) Move if sign (SF=1) Move if sign (SF=1) Move if zero (ZF=1) Move if zero (ZF=1)

Description The CMOVcc instructions check the state of one or more of the status flags in the EFLAGS register (CF, OF, PF, SF, and ZF) and perform a move operation if the flags are in a specified state (or condition). A condition code (cc) is associated with each instruction to indicate the condition being tested for. If the condition is not satisfied, a move is not performed and execution continues with the instruction following the CMOVcc instruction. These instructions can move a 16- or 32-bit value from memory to a general-purpose register or from one general-purpose register to another. Conditional moves of 8-bit register operands are not supported. The conditions for each CMOVcc mnemonic is given in the description column of the above table. The terms "less" and "greater" are used for comparisons of signed integers and the terms "above" and "below" are used for unsigned integers. Because a particular state of the status flags can sometimes be interpreted in two ways, two mnemonics are defined for some opcodes. For example, the CMOVA (conditional move if above) instruction and the CMOVNBE (conditional move if not below or equal) instruction are alternate mnemonics for the opcode 0F 47H.

3- 58


INSTRUCTION SET REFER EN CE

CMOVcc--Conditional Move (Continued)
The CMOVcc instructions are new for the Pentium Pro processor family; however, they may not be supported by all the processors in the family. Software can determine if the CMOVcc instructions are supported by checking the processor's feature information with the CPUID instruction (see "CPU ID--CPU Identification" in this chapter). Operation
temp DEST IF condition TRU E THEN DEST SRC ELSE DEST temp FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

3-59


INSTRUCTION SET REFERENCE

CMOVcc--Conditional Move (Continued)
#PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 60


INSTRUCTION SET REFER EN CE

CMP--Compare Two Operands
Opcode 3C ib 3D iw 3D id 80 /7 ib 81 /7 iw 81 /7 id 83 /7 ib 83 /7 ib 38 /r 39 /r 39 /r 3A /r 3B /r 3B /r Instruction CMP AL, imm8 CMP AX, imm16 CMP EAX, imm32 CMP r/m8, imm8 CMP r/m16, imm16 CMP r/m32,imm32 CMP r/m16,imm8 CMP r/m32,imm8 CMP r/m8,r8 CMP r/m16,r16 CMP r/m32,r32 CMP r8,r/m8 CMP r16,r/m16 CMP r32,r/m32 D escription Compare imm8 w ith AL Compare imm16 with AX Compare imm32 with EAX Compare imm8 w ith r/m8 Compare imm16 with r/m16 Compare imm32 with r/m32 Compare imm8 w ith r/m16 Compare imm8 w ith r/m32 Compare r8 with r/m8 Compare r16 with r/m16 Compare r32 with r/m32 Compare r/m8 with r8 Compare r/m16 with r16 Compare r/m32 with r32

Description Compares the first source operand with the second source operand and sets the status flags in the EFLAGS register according to the results. The comparison is performed by subtracting the second operand from the first operand and then setting the status flags in the same manner as the SUB instruction. When an immediate value is used as an operand, it is sign-extended to the length of the first operand. The CMP instruction is typically used in conjunction with a conditional jump (Jcc), condition move (CMOVcc), or SETcc instruction. The condition codes used by the J cc, CM OVcc, and SETcc instructions are based on the results of a CMP instruction. Appendix B, EFLAGS Condition Codes, in the Intel Architecture Software Developer's Manual, Volume 1, shows the relationship of the status flags and the condition codes. Operation
temp SRC1 - SignExtend(SRC2); ModifyStatusFlags; (* Modify status flags in the same m anner as the SUB instruction*)

Flags Affected The CF, OF, SF, ZF, AF, and PF flags are set according to the result. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector.
3-61


INSTRUCTION SET REFERENCE

CMP--Compare Two Operands (Continued)
#SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 62


INSTRUCTION SET REFER EN CE

CMPS/CMPSB/CMPSW/CMPSD--Compare String Operands
Opcode A6 A7 A7 A6 A7 A7 Instruction CMPS m8, m8 CMPS m16, m16 CMPS m32, m32 C M PSB CMPSW CMPSD D escription C ompares byte at addr ess DS:(E)SI with byte at address E S:(E) DI and sets the status flags accordingly C ompares word at address DS:(E)SI with word at address E S:(E) DI and sets the status flags accordingly C ompares doubleword at address DS:(E)SI with doubleword at address ES :(E)DI and sets the status flags accordingly C ompares byte at addr ess DS:(E)SI with byte at address E S:(E) DI and sets the status flags accordingly C ompares word at address DS:(E)SI with word at address E S:(E) DI and sets the status flags accordingly C ompares doubleword at address DS:(E)SI with doubleword at address ES :(E)DI and sets the status flags accordingly

Description Compares the byte, word, or double word specified with the first source operand with the byte, word, or double word specified with the second source operand and sets the status flags in the EFLAGS register according to the results. Both the source operands are located in memory. The address of the first source operand is read from either the DS:ESI or the DS:SI registers (depending on the address-size attribute of the instruction, 32 or 16, respectively). The address of the second source operand is read from either the ES:EDI or the ES:DI registers (again depending on the address-size attribute of the instruction). The DS segment may be overridden with a segment override prefix, but the ES segment cannot be overridden. At the assembly-code level, two forms of this instruction are allow ed: the "explicit-operands" form and the "no-operands" form. The explicit-operands form (specified w ith the CMPS mnemonic) allows the two source operands to be specified explicitly. Here, the source operands should be symbols that indicate the size and location of the source values. This explicit-operands form is provided to allow documentation; however, note that the documentation provided by this form can be misleading. That is, the source operand symbols must specify the correct type (size) of the operands (bytes, words, or doublewords), but they do not have to specify the correct location. The locations of the source operands are always specified by the DS:(E)SI and ES:(E)DI registers, which must be loaded correctly before the compare string instruction is executed. The no-operands form provides "short forms" of the byte, word, and doubleword versions of the CMPS instructions. Here also the DS:(E)SI and ES:(E)DI registers are assumed by the processor to specify the location of the source operands. The size of the source operands is selected w ith the mnemonic: CMPSB (byte comparison), CMPSW (word comparison), or CMPSD (doubleword comparison).

3-63


INSTRUCTION SET REFERENCE

CMPS/CMPSB/CMPSW/CMPSD--Compare String Operands (Continued)
After the comparison, the (E)SI and (E)DI registers are incremented or decremented autom cally according to the setting of the DF flag in the EFLAGS register. (If the DF flag is 0, (E)SI and (E)DI register are incremented; if the DF flag is 1, the (E)SI and (E)DI registers decremented.) The registers are incremented or decremented by 1 for byte operations, by 2 word operations, or by 4 for doubleword operations. atithe are for

The CMPS, CMPSB, CMPSW, and CMPSD instructions can be preceded by the REP prefix for block comparisons of ECX bytes, words, or doublewords. More often, however, these instructions will be used in a LOOP construct that takes some action based on the setting of the status flags before the next comparison is made. See "REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix" in this chapter for a description of the REP prefix. Operation
temp SRC1 - SRC2; SetStatusFlags(temp); IF (byte comparison) THEN IF DF = 0 THEN (E)SI (E)SI + 1; (E)DI (E)DI + 1; ELSE (E)SI (E)SI ­ 1; (E)DI (E)DI ­ 1; FI; ELSE IF (word comparison) THEN IF DF = 0 (E)SI (E)SI + 2; (E)DI (E)DI + 2; ELSE (E)SI (E)SI ­ 2; (E)DI (E)DI ­ 2; FI; ELSE (* doubleword comparison*) THEN IF DF = 0 (E)SI (E)SI + 4; (E)DI (E)DI + 4; ELSE (E)SI (E)SI ­ 4; (E)DI (E)DI ­ 4; FI; FI;

3- 64


INSTRUCTION SET REFER EN CE

CMPS/CMPSB/CMPSW/CMPSD--Compare String Operands (Continued)
Flags Affected The CF, OF, SF, ZF, AF, and PF flags are set according to the temporary result of the comparison. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-65


INSTRUCTION SET REFERENCE

CMPXCHG--Compare and Exchange
Opcode 0F B0/r 0F B1/r 0F B1/r Instruction CMPXCHG r/m8,r 8 CMPXCHG r/m16,r16 CMPXCHG r/m32,r32 Description Compare AL with r/m8. If equal, ZF is set and r8 is loaded into r/m8. Else, clear ZF and load r/m8 into AL. Compare AX with r/m16. If equal, ZF is set and r16 is loaded into r/m16. Else, clear ZF and load r/m16 into AL Compare EAX with r/m32. If equal, ZF is set and r32 is loaded into r/m32. Else, clear ZF and load r/m32 into AL

Description Compares the value in the AL, AX, or EA X register (depending on the size of the operand) with the first operand (destination operand). If the two values are equal, the second operand (source operand) is loaded into the destination operand. Otherwise, the destination operand is loaded into the A L, AX, or EAX register. This instruction can be used with a LOCK prefix to allow the instruction to be executed atomically. To simplify the interface to the processor's bus, the destination operand receives a write cycle without regard to the result of the comparison. The destination operand is written back if the comparison fails; otherwise, the source operand is written into the destination. (The processor never produces a locked read without also producing a locked write.) Intel Architecture Compatibility This instruction is not supported on Intel processors earlier than the Intel486 processors. Operation
(* accumulator = AL, AX, or EAX, depending on whether *) (* a byte, word, or doubleword com parison is being performed*) IF accumulator = DEST THEN ZF 1 DEST SRC ELSE ZF 0 accum ulator DEST FI;

Flags Affected The ZF flag is set if the values in the destination operand and register A L, AX , or EAX are equal; otherwise it is cleared. The CF, PF, AF, SF, and OF flags are set according to the results of the comparison operation.

3- 66


INSTRUCTION SET REFER EN CE

CMPXCHG--Compare and Exchange (Continued)
Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-67


INSTRUCTION SET REFERENCE

CMPXCHG8B--Compare and Exchange 8 Bytes
Opcode 0F C7 /1 m64 Instruction CMPXCHG8B m64 Description Compare EDX:EAX with m64. If equal, set ZF and load ECX:EBX into m64. Else, clear ZF and load m64 into EDX:EAX.

Description Compares the 64-bit value in EDX:EAX with the operand (destination operand). If the values are equal, the 64-bit value in ECX:EBX is stored in the destination operand. Otherwise, the value in the destination operand is loaded into EDX:EAX. The destination operand is an 8-byte memory location. For the EDX:EAX and ECX :EBX register pairs, EDX and ECX contain the high-order 32 bits and EAX and EBX contain the low-order 32 bits of a 64-bit value. This instruction can be used with a LOCK prefix to allow the instruction to be executed atomically. To simplify the interface to the processor's bus, the destination operand receives a write cycle without regard to the result of the comparison. The destination operand is written back if the comparison fails; otherwise, the source operand is written into the destination. (The processor never produces a locked read without also producing a locked write.) Intel Architecture Compatibility This instruction is not supported on Intel processors earlier than the Pentium processors. Operation
IF (EDX:EAX = DEST) ZF 1 DEST ECX:EBX ELSE ZF 0 EDX:EAX DEST

Flags Affected The ZF flag is set if the destination operand and EDX:EAX are equal; otherwise it is cleared. The CF, PF, AF, SF, and OF flags are unaffected. Protected Mode Exceptions #UD #GP(0) If the destination operand is not a memory location. If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector.

3- 68


INSTRUCTION SET REFER EN CE

CMPXCHG8B--Compare and Exchange 8 Bytes (Continued)
#SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #UD #GP #SS If the destination operand is not a memory location. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #UD #GP(0) #SS(0) #PF(fault-code) #AC(0) If the destination operand is not a memory location. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-69


INSTRUCTION SET REFERENCE

CPUID--CPU Identification
Opcode 0F A2 Instruction CPUID Description EAX Processor identification infor mation

Description Provides processor identification information in registers EAX, EBX, ECX, and EDX. This information identifies Intel as the vendor, gives the family, model, and stepping of processor, feature information, and cache information. An input value loaded into the EAX register determines what information is returned, as shown in Table 3-4.
Table 3-4. Information Returned by CPUID Instruction
Initial EAX Value 0 E AX EBX ECX EDX 1 E AX EBX ECX EDX E AX EBX ECX EDX Information Provided about the Processor Maximum CPUID Input Value (2 for the Pentium® Pro processor and 1 for the Pentium processor and the later ver sions of Intel486TM processor that suppor t the CPU ID instr uction) . "Genu" "ntel" "ineI" Version Infor mation (Type, Family, Model, and Stepping ID) Reser ved Reser ved Feature Infor mation C C C C ache ache ache ache and and and and TL TL TL TL B B B B Info Info Info Info r r r r m m m m ation ation ation ation

2

The CPUID instruction can be executed at any privilege level to serialize instruction execution. Serializing instruction execution guarantees that any modifications to flags, registers, and memory for previous instructions are completed before the next instruction is fetched and executed (see "Serializing Instructions" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 3). When the input value in register EAX is 0, the processor returns the highest value the CPUID instruction recognizes in the EAX register (see Table 3-4). A vendor identification string is returned in the EBX, EDX, and ECX registers. For Intel processors, the vendor identification string is "GenuineIntel" as follows:
EBX 756e6547h (* "Genu", with G in the low nibble of BL *) EDX 49656e69h (* "ineI", with i in the low nibble of DL *) ECX 6c65746eh (* "ntel", with n in the low nibble of CL *)

When the input value is 1, the processor returns version information in the EAX register and feature information in the EDX register (see Figure 3-3).

3- 70


INSTRUCTION SET REFER EN CE

CPUID--CPU Identification (Continued)

31

14 13 12 11

87

43

0

EAX

Family

Model

Stepping ID

Processor Type Family (0110B for the Pentium® Pro Processor Family) Model (Beginning with 0001B)

31

23

16 15 14 13 12 11 10 9 8 7 6 5 4

32

10

EDX

MMXTM Technology CMOV --Cond. Move/Cmp. Inst. MCA --Machine Check Arch. PGE--P TE Global Bit MTRR--Mem. Type Range Reg. APIC--APIC on Chip CXS-- CMP XCHG8B Inst. MCE--Machine Check Exception PA E--Physical A ddress Extensions MSR--RDMSR and WRMSR Suppor t TSC-- Time Stamp Counter PSE-- Page S ize Extensions DE--Debugging Extensions VME--Vir tual-8086 Mode Enhancement FPU-- FPU on Chip Reser ved

Figure 3-3. Version and Feature Inform ation in Registers EAX and EDX

The version information consists of an Intel Architecture family identifier, a model identifier, a stepping ID, and a processor type. The model, family, and processor type for the first processor in the Intel Pentium Pro family is as follows:

· · ·

Model--0001B Family--0110B Processor Type--00B

See AP-485, Intel Processor Identification and the CPUID Instruction (Order Number 241618), the Intel Pentium® Pro Processor Specification Update (Order Number 242689), and the Intel Pentium® Processor Specification Update (Order Number 242480) for more information on identifying earlier Intel Architecture processors.

3-71


INSTRUCTION SET REFERENCE

CPUID--CPU Identification (Continued)
The available processor types are given in Table 3-5. Intel releases information on stepping IDs as needed.
Table 3-5. Processor Type Field
Type Or iginal OEM Processor Intel OverDr ive Processor Dual pr ocessor * Intel reser ved. NOTE : * Not applicable to Intel386TM and Intel486TM pr ocessors.
®

Encoding 00B 01B 10B 11B

Table 3-6 shows the encoding of the feature flags in the EDX register. A feature flag set to 1 indicates the corresponding feature is supported. Software should identify Intel as the vendor to properly interpret the feature flags.
Table 3-6. Feature Flags Returned in EDX Register
Bit 0 1 Feature FPU--Floating-Point Unit on Chip VME--Vir tual-8086 Mode Enhancements Description Processor contains an FPU and executes the Intel 387 instruction set. Processor suppor ts the following vir tual-8086 mode enhancements: · CR4.VME bit enables vir tual-8086 mode extensions. · CR4.PVI bit enables protected-mode vir tual interr upts. · Expansion of the TSS with the software indirection bitmap. · EFLAGS.VIF bit (vir tual interrupt flag). · EFLAGS.VIP bit (vir tual inter rupt pending flag). Processor suppor ts I/O breakpoints, including the CR4.DE bit for enabling debug extensions and optional trapping of access to the DR4 and DR5 registers. Processor suppor ts 4-Mbyte pages, including the CR4.PSE bit for enabling page size extensions, the modified bit in page director y entr ies (PDEs), page dir ector y entries, and page table entr ies (PTE s). Processor suppor ts the RDTSC (read time stamp counter ) instruction, including the C R4.TSD bit that, along with the CPL, controls whether the time stamp counter can be read. Processor suppor ts the RDMSR (read model-specific register) and WRMSR (write model-specific register) instr uctions.

2

DE --Debugging E xtensions PSE--Page Size E xtensions

3

4

TSC--Time Stamp Counter MSR-- Model Specific Registers

5

3- 72


INSTRUCTION SET REFER EN CE

CPUID--CPU Identification (Continued)
Table 3-6. Feature Flags Returned in EDX Register (Continued)
Bit 6 Feat ure PAE--Physical Address Extension Description Processor suppor ts physical addr esses greater than 32 bits, the extended page-table- entr y for mat, an extra level in the page translation tables, and 2-MByte pages. The CR4.PAE bit enables this feature. The number of address bits is implementation specific. The Pentium® Pro processor suppor ts 36 bits of addressing when the PAE bit is set. Processor suppor ts the CR4.MCE bit, enabling machine check exceptions. However, this feature does not define the modelspecific implementations of machine-check error logging, repor ting, or processor shutdowns. Machine-check exception handlers might have to check the processor version to do model-specific processing of the exception or check for the presence of the standard machine- check feature. Processor suppor ts the CMPXCHG8B (compare and exchange 8 bytes) instruction. Processor contains an on-chip Advanced Programmable Interr upt Controller (A PIC) and it has been enabled and is available for use.

7

MCE--Machine Check Exception

8 9 10,11 12

CX8--CMPX CHG8B Instr uction APIC Reser ved MTRR-- Memor y Type Range Register s

Processor suppor ts machine- specific memor y-type range registers (MTRRs). The MTRRs contains bit fields that indicate the processor's MTRR capabilities, including which memor y types the processor suppor ts, the number of var iable MTRRs the processor suppor ts, and whether the processor suppor ts fixed MTRRs. Processor suppor ts the CR4.PGE flag both PTDE s and P TEs. These bits are lookaside buffer (TLB) entr ies that are and need not be flushed when control enabling the global bit in used to indicate translation common to different tasks register CR3 is wr itten.

13

PGE --PTE Global Flag

14

MCA--Machine Check Architecture CMOV--C onditional Move and Compare Instr uctions Reser ved MMXTM Technology

Processor suppor ts the MCG_CAP (machine check global capability) MSR. The MCG_CAP register indicates how many banks of err or r epor ting MSRs the processor suppor ts. Processor suppor ts the CMOVcc instr uction and, if the FPU feature flag (bit 0) is also set, suppor ts the FCMOVcc and FCOMI instructions.

15

16-22 23

Processor suppor ts the MMX instr uction set. These instr uctions operate in parallel on multiple data elements (8 bytes, 4 words, or 2 doublewords) packed into quadwor d registers or memor y locations.

24-31

Reser ved

3-73


INSTRUCTION SET REFERENCE

CPUID--CPU Identification (Continued)
When the input value is 2, the processor returns information about the processor's internal caches and TLBs in the EAX, EBX, ECX, and EDX registers. The encoding of these registers is as follows:

· · ·

The least-significant byte in register EAX (register AL) indicates the number of times the CPUID instruction must be executed with an input value of 2 to get a complete description of the processor's caches and TLBs. The Pentium ® Pro family of processors will return a 1. The most significant bit (bit 31) of each register indicates whether the register contains valid information (cleared to 0) or is reserved (set to 1). If a register contains valid information, the information is contained in 1 byte descriptors. Table 3-7 shows the encoding of these descriptors.
Table 3-7. Encoding of Cache and TLB Descriptors
Descriptor Value 00H 01H 02H 03H 04H 06H 08H 0AH 0 CH 41H 42H 43H 44H Null descr iptor Instruction TLB: 4K-Byte Pages, 4-way set associative, 32 entr ies Instruction TLB: 4M-Byte Pages, 4-way set associative, 4 entr ies Data TLB: 4K-Byte Pages, 4-way set associative, 64 entr ies Data TLB : 4M- Byte Pages, 4-way set associative, 8 entr ies Instruction cache: 8K Bytes, 4-way set associative, 32 byte line size Instruction cache: 16K Bytes, 4-way set associative, 32 byte line size Data cache: 8K Bytes, 2-way set associative, 32 byte line size Data cache: 16K B ytes, 2-way set associative, 32 byte line size Unified cache: 128K Bytes, 4-way set associative, 32 byte line size Unified cache: 256K Bytes, 4-way set associative, 32 byte line size Unified cache: 512K Bytes, 4-way set associative, 32 byte line size Unified cache: 1M Byte, 4-way set associative, 32 byte line size Cache or TLB Description

The first member of the Pentium Pro processor family will return the following information about caches and TLBs when the CPUID instruction is executed with an input value of 2: EAX EBX ECX EDX 03 02 01 01H 0H 0H 06 04 0A 42H

These values are interpreted as follows:

·

The least-significant byte (byte 0) of register EAX is set to 01H, indicating that the CPUID instruction needs to be executed only once with an input value of 2 to retrieve complete information about the processor's caches and TLBs.

3- 74


INSTRUCTION SET REFER EN CE

CPUID--CPU Identification (Continued)

· ·

The most-significant bit of all four registers (EAX, EBX , ECX, and EDX) is set to 0, indicating that each register contains valid 1-byte descriptors. Bytes 1, 2, and 3 of register EAX indicate that the processor contains the following: -- 01H--A 32-entry instruction TLB (4-way set associative) for mapping 4-KByte pages. -- 02H--A 4-entry instruction TLB (4-way set associative) for mapping 4-MByte pages. -- 03H--A 64-entry data TLB (4-way set associative) for mapping 4-KByte pages.

· ·

The descriptors in registers EBX and ECX are valid, but contain null descriptors. Bytes 0, 1, 2, and 3 of register EDX indicate that the processor contains the following: -- 42H--A 256-KByte unified cache (the L2 cache), 4-way set associative, with a 32-byte cache line size. -- 0AH--An 8-KByte data cache (the L1 data cache), 2-way set associative, with a 32-byte cache line size. -- 04H--An 8-entry data TLB (4-way set associative) for mapping 4M-byte pages. -- 06H--An 8-KByte instruction cache (the L1 instruction cache), 4-way set associative, with a 32-byte cache line size.

Intel Architecture Compatibility The CPUID instruction is not supported in early models of the Intel486 processor or in any Intel Architecture processor earlier than the Intel486 processor. The ID flag in the EFLAGS register can be used to determine if this instruction is supported. If a procedure is able to set or clear this flag, the CPUID is supported by the processor running the procedure. Operation
CASE (EAX) OF EAX = 0: EAX highest input value understood by CPUID; (* 2 for Pentium Pro processor *) EBX Vendor identification string; EDX Vendor identification string; ECX Vendor identification string; BREAK; EAX = 1: EAX[3:0] Stepping ID; EAX[7:4] Model; EAX[11:8] Family; EAX[13:12] Processor type; EAX[31:12] Reserved; EBX Reserved;

3-75


INSTRUCTION SET REFERENCE

CPUID--CPU Identification (Continued)
ECX Reserved; EDX Feature flags; (* See Figure 3-3 *) BREAK; EAX = 2: EAX Cache and TLB information; EBX Cache and TLB information; ECX Cache and TLB information; EDX Cache and TLB information; BREAK; DEFAULT: (* EAX > highest value recognized by C PU ID *) EAX reserved, undefined; EBX reserved, undefined; ECX reserved, undefined; EDX reserved, undefined; BREAK; ESAC;

Flags Affected None. Exceptions (All Operating Modes) None.

3- 76


INSTRUCTION SET REFER EN CE

CWD/CDQ--Conver t Word to Doubleword/Conver t Doubleword to Quadword
Opcode 99 99 Instruction CWD CDQ D escription D X:AX sign-extend of AX E DX:EA X sign- extend of EAX

Description Doubles the size of the operand in register AX or EAX (depending on the operand size) by means of sign extension and stores the result in registers DX:A X or EDX:EAX, respectively. The CWD instruction copies the sign (bit 15) of the value in the AX register into every bit position in the DX register (see Figure 6-5 in the Intel Architecture Software Developer's Manual, Volume 1). The CDQ instruction copies the sign (bit 31) of the value in the EAX register into every bit position in the EDX register. The CWD instruction can be used to produce a doubleword dividend from a word before a word division, and the CDQ instruction can be used to produce a quadword dividend from a doubleword before doubleword division. The CW D and CDQ mnemonics reference the same opcode. The CW D instruction is intended for use when the operand-size attribute is 16 and the CDQ instruction for when the operand-size attribute is 32. Some assemblers may force the operand size to 16 when CW D is used and to 32 when CDQ is used. Others may treat these mnemonics as synonyms (CWD /CDQ) and use the current setting of the operand-size attribute to determine the size of values to be converted, regardless of the mnemonic used. Operation
IF OperandSize = 16 (* CWD instruction *) THEN DX SignExtend(AX); ELSE (* OperandSize = 32, CDQ instruction *) EDX SignExtend(EAX); FI;

Flags Affected None. Exceptions (All Operating Modes) None.

3-77


INSTRUCTION SET REFERENCE

CWDE--Conver t Word to Doubleword
See entry for CBW/CWDE--Convert Byte to Word/Convert Word to Doubleword.

3- 78


INSTRUCTION SET REFER EN CE

DAA--Decimal Adjust AL after Addition
Opcode 27 Instruction DAA D escription D ecimal adjust AL after addition

Description Adjusts the sum of two packed BCD values to create a packed BCD result. The AL register is the implied source and destination operand. The DAA instruction is only useful when it follows an ADD instruction that adds (binary addition) two 2-digit, packed BCD values and stores a byte result in the AL register. The DAA instruction then adjusts the contents of the AL register to contain the correct 2-digit, packed BCD result. If a decimal carry is detected, the CF and AF flags are set accordingly. Operation
IF (((AL AND 0FH) > 9) or AF = 1) THEN AL AL + 6; CF CF OR CarryFromLastAddition; (* CF OR carry from AL AL + 6 *) AF 1; ELSE AF 0; FI; IF ((AL AND F0H) > 90H) or CF = 1) THEN AL AL + 60H; CF 1; ELSE CF 0; FI;

Example
ADD AL, BL DAA Before: After: Before: After: AL=79H AL=AEH AL=AEH AL=14H BL BL BL BL =3 =3 =3 =3 5H 5H 5H 5H EFLAGS(OSZ EFLAGS(0SZ EFLAGS(OSZ EFLAGS(0SZ AP AP AP AP C) C) C) C) =X =1 =1 =X XX 10 10 00 XX 00 00 11 X 0 0 1

Flags Affected The CF and A F flags are set if the adjustment of the value results in a decimal carry in either digit of the result (see the "Operation" section above). The SF, ZF, and PF flags are set according to the result. The OF flag is undefined.

3-79


INSTRUCTION SET REFERENCE

DAA--Decimal Adjust AL after Addition (Continued)
Exceptions (All Operating Modes) None.

3- 80


INSTRUCTION SET REFER EN CE

DAS--Decimal Adjust AL after Subtraction
Opcode 2F Instruction DAS D escription D ecimal adjust AL after subtraction

Description Adjusts the result of the subtraction of two packed BCD values to create a packed BCD result. The AL register is the implied source and destination operand. The DAS instruction is only useful when it follows a SUB instruction that subtracts (binary subtraction) one 2-digit, packed BCD value from another and stores a byte result in the AL register. The DAS instruction then adjusts the contents of the AL register to contain the correct 2-digit, packed BCD result. If a decimal borrow is detected, the CF and AF flags are set accordingly. Operation
IF (AL AND 0FH) > 9 OR AF = 1 THEN AL AL - 6; CF CF OR BorrowFrom LastSubtraction; (* CF OR borrow from AL AL - 6 *) AF 1; ELSE AF 0; FI; IF ((AL > 9FH) or CF = 1) THEN AL AL - 60H; CF 1; ELSE CF 0; FI;

Example
SUB AL, BL DAA Before: After: Before: After: AL=35H AL=EEH AL=EEH AL=88H BL BL BL BL =4 =4 =4 =4 7H 7H 7H 7H EFLAGS(OSZ EFLAGS(0SZ EFLAGS(OSZ EFLAGS(0SZ AP AP AP AP C) C) C) C) =X =0 =0 =X XX 10 10 10 XX 11 11 11 X 1 1 1

Flags Affected The CF and AF flags are set if the adjustment of the value results in a decimal borrow in either digit of the result (see the "Operation" section above). The SF, ZF, and PF flags are set according to the result. The OF flag is undefined. Exceptions (All Operating Modes) None.

3-81


INSTRUCTION SET REFERENCE

DEC--Decrement by 1
Opcode FE /1 FF /1 FF /1 48+r w 48+r d Instruction DEC r/m8 DEC r/m16 DEC r/m32 DEC r16 DEC r32 Description Decrement r/m8 by 1 Decrement r/m16 by 1 Decrement r/m32 by 1 Decrement r16 by 1 Decrement r32 by 1

Description Subtracts 1 from the destination operand, while preserving the state of the CF flag. The destination operand can be a register or a memory location. This instruction allows a loop counter to be updated without disturbing the CF flag. (To perform a decrement operation that updates the CF flag, use a SUB instruction with an immediate operand of 1.) Operation
DEST DEST ­ 1;

Flags Affected The CF flag is not affected. The OF, SF, ZF, AF, and PF flags are set according to the result. Protected Mode Exceptions #GP(0) If the destination operand is located in a nonw ritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

3- 82


INSTRUCTION SET REFER EN CE

DEC--Decrement by 1 (Continued)
Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-83


INSTRUCTION SET REFERENCE

DIV--Unsigned Divide
Opcode F6 /6 F7 /6 F7 /6 Instruction DIV r/m8 DIV r/m16 DIV r/m32 Description Unsigned divide AX by r/m8; AL Quotient, AH Remainder Unsigned divide DX:AX by r/m16; AX Quotient, DX Remainder Unsigned divide EDX:EAX by r/m32 doubleword; EAX Quotient, EDX Remainder

Description Divides (unsigned) the value in the AX register, DX:AX register pair, or EDX:EA X register pair (dividend) by the source operand (divisor) and stores the result in the AX (AH:AL), DX:AX, or EDX :EAX registers. The source operand can be a general-purpose register or a memory location. The action of this instruction depends on the operand size, as shown in the following table:
Maximum Quotient 255 65,535 232 - 1

Operand Size Wor d/byte Doubleword/word Quadword/doubleword

Dividend AX DX:AX EDX:EAX

Divisor r/m8 r/m16 r/m32

Quotient AL AX EAX

Remainder AH DX EDX

Non-integral results are truncated (chopped) towards 0. The remainder is always less than the divisor in magnitude. Overflow is indicated with the #DE (divide error) exception rather than with the CF flag. Operation
IF SRC = 0 THEN #DE; (* divide error *) FI; IF OpernadSize = 8 (* word/byte operation *) THEN temp AX / SRC; IF temp > FFH THEN #DE; (* divide error *) ; ELSE AL temp; AH AX MOD SRC; FI;

3- 84


INSTRUCTION SET REFER EN CE

DIV--Unsigned Divide (Continued)
ELSE IF OperandSize = 16 (* doubleword/word operation *) THEN temp DX:AX / SRC; IF temp > FFFFH THEN #DE; (* divide error *) ; ELSE AX temp; DX DX:AX MOD SRC; FI; ELSE (* quadword/doubleword operation *) temp EDX:EAX / SRC; IF temp > FFFFFFFFH THEN #DE; (* divide error *) ; ELSE EAX temp; EDX EDX:EAX MOD SRC; FI; FI; FI;

Flags Affected The CF, OF, SF, ZF, AF, and PF flags are undefined. Protected Mode Exceptions #DE If the source operand (divisor) is 0 If the quotient is too large for the designated register. #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #DE If the source operand (divisor) is 0. If the quotient is too large for the designated register.

3-85


INSTRUCTION SET REFERENCE

DIV--Unsigned Divide (Continued)
#GP If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #DE If the source operand (divisor) is 0. If the quotient is too large for the designated register. #GP(0) #SS #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 86


INSTRUCTION SET REFER EN CE

EMMS--Empty MMXTM State
Opcode 0F 77 Instruction EMMS Description Set the FP tag word to empty.

Description Sets the values of all the tags in the FPU tag word to empty (all ones). This operation marks the MMX registers as available, so they can subsequently be used by floating-point instructions. (See Figure 7-11 in the Intel Architecture Software Developer's Manual, Volume 1, for the format of the FPU tag word.) All other MMX instructions (other than the EMMS instruction) set all the tags in FPU tag word to valid (all zeros). The EMMS instruction must be used to clear the MMX state at the end of all MMX routines and before calling other procedures or subroutines that may execute floating-point instructions. If a floating-point instruction loads one of the registers in the FPU register stack before the FPU tag word has been reset by the EMMS instruction, a floating-point stack overflow can occur that will result in a floating-point exception or incorrect result. Operation
FPUTagWord FFFFH;

Flags Affected None. Protected Mode Exceptions #UD #NM #MF If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Real-Address Mode Exceptions #UD #NM #MF If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #UD #NM #MF If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

3-87


INSTRUCTION SET REFERENCE

ENTER--Make Stack Frame for Procedure Parameters
Opcode C8 iw 00 C8 iw 01 C8 iw ib Instruction ENTER imm16,0 ENTER imm16,1 ENTER imm16,imm8 Description Create a stack frame for a pr ocedure Create a nested stack frame for a procedure Create a nested stack frame for a procedure

Description Creates a stack frame for a procedure. The first operand (size operand) specifies the size of the stack frame (that is, the number of bytes of dynamic storage allocated on the stack for the procedure). The second operand (nesting level operand) gives the lexical nesting level (0 to 31) of the procedure. The nesting level determines the number of stack frame pointers that are copied into the "display area" of the new stack frame from the preceding frame. Both of these operands are immediate values. The stack-size attribute determines whether the BP (16 bits) or EBP (32 bits) register specifies the current frame pointer and whether SP (16 bits) or ESP (32 bits) specifies the stack pointer. The ENTER and companion LEAVE instructions are provided to support block structured languages. The ENTER instruction (when used) is typically the first instruction in a procedure and is used to set up a new stack frame for a procedure. The LEAVE instruction is then used at the end of the procedure (just before the RET instruction) to release the stack frame. If the nesting level is 0, the processor pushes the frame pointer from the EBP register onto the stack, copies the current stack pointer from the ESP register into the EBP register, and loads the ESP register with the current stack-pointer value minus the value in the size operand. For nesting levels of 1 or greater, the processor pushes additional frame pointers on the stack before adjusting the stack pointer. These additional frame pointers provide the called procedure with access points to other nested frames on the stack. See "Procedure Calls for Block-Structured Languages" in Chapter 4 of the Intel Architecture Software Developer's Manual, Volume 1, for more information about the actions of the ENTER instruction. Operation
NestingLevel NestingLevel MOD 32 IF StackSize = 32 THEN Push(EBP) ; FrameTemp ESP; ELSE (* StackSize = 16*) Push(BP); FrameTemp SP; FI; IF NestingLevel = 0 THEN GOTO CO NTINUE; FI;

3- 88


INSTRUCTION SET REFER EN CE

ENTER--Make Stack Frame for Procedure Parameters (Continued)
IF (NestingLevel > 0) FOR i 1 TO (NestingLevel - 1) DO IF OperandSize = 32 THEN IF StackSize = 32 EBP EBP - 4; Push([EBP]); (* doubleword push *) ELSE (* StackSize = 16*) BP BP - 4; Push([BP]); (* doubleword push *) FI; ELSE (* OperandSize = 16 *) IF StackSize = 32 THEN EBP EBP - 2; Push([EBP]); (* word push *) ELSE (* StackSize = 16*) BP BP - 2; Push([BP]); (* word push *) FI; FI; OD; IF OperandSize = 32 THEN Push(FrameTemp); (* doubleword push *) ELSE (* OperandSize = 16 *) Push(FrameTemp); (* word push *) FI; GOTO CONTINUE; FI; CONTINUE: IF StackSize = 32 THEN EBP FrameTemp ESP EBP - Size; ELSE (* StackSize = 16*) BP FrameTemp SP BP - Size; FI; END;

Flags Affected None.

3-89


INSTRUCTION SET REFERENCE

ENTER--Make Stack Frame for Procedure Parameters (Continued)
Protected Mode Exceptions #SS(0) #PF(fault-code) If the new value of the SP or ESP register is outside the stack segment limit. If a page fault occurs.

Real-Address Mode Exceptions #SS(0) If the new value of the SP or ESP register is outside the stack segment limit.

Vir tual-8086 Mode Exceptions #SS(0) #PF(fault-code) If the new value of the SP or ESP register is outside the stack segment limit. If a page fault occurs.

3- 90


INSTRUCTION SET REFER EN CE

F2XM1--Compute 2x­1
Opcode D9 F0 Instruction F2X M1 D escription R eplace ST(0) with (2
ST (0)

­ 1)

Description Calculates the exponential value of 2 to the power of the source operand minus 1. The source operand is located in register ST(0) and the result is also stored in ST(0). The value of the source operand must lie in the range ­1.0 to +1.0. If the source value is outside this range, the result is undefined. The following table shows the results obtained when computing the exponential value of various classes of numbers, assuming that neither overflow nor underflow occurs.
S T(0) SRC -1.0 to -0 -0 +0 +0 to +1.0 ST(0) DEST -0.5 to -0 -0 +0 +0 to 1.0

Values other than 2 can be exponentiated using the following formula:
xy = 2(y
log x) 2

Operation
ST(0) (2
ST(0)

- 1);

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA #D Stack underflow occurred. Source operand is an SNaN value or unsupported format. Result is a denormal value.

3-91


INSTRUCTION SET REFERENCE

F2XM1--Compute 2x­1 (Continued)
#U #P Result is too small for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 92


INSTRUCTION SET REFER EN CE

FABS--Absolute Value
Opcode D9 E 1 Instruction FABS D escription R eplace ST with its absolute value.

Description Clears the sign bit of ST(0) to create the absolute value of the operand. The following table shows the results obtained when creating the absolute value of various classes of numbers.
S T(0) SRC - -F -0 +0 +F + NaN NOTE: F Means finite-real number. ST(0) DEST + +F +0 +0 +F + N aN

Operation
ST(0) |ST(0)|

FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred; otherwise, cleared to 0. Undefined.

Floating-Point Exceptions #IS Stack underflow occurred.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

3-93


INSTRUCTION SET REFERENCE

FABS--Absolute Value (Continued)
Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 94


INSTRUCTION SET REFER EN CE

FADD/FADDP/FIADD--Add
Opcode D8 /0 DC /0 D8 C0+i DC C0+i DE C0+i DE C1 DA /0 DE /0 Instruction FADD m32 real FADD m64real FADD ST(0), ST(i) FADD ST(i), ST(0) FADDP ST(i), S T(0) FADDP FIADD m32int FIADD m16int D escription Add m32real to ST(0) and store result in ST(0) Add m64real to ST(0) and store result in ST(0) Add ST(0) to ST(i) and store result in ST(0) Add ST(i) to ST(0) and store result in ST(i) Add ST(0) to ST(i), store result in ST(i), and pop the r egister stack Add ST(0) to ST(1), store result in ST(1), and pop the r egister stack Add m32int to ST(0) and store result in ST(0) Add m16int to ST(0) and store result in ST(0)

Description Adds the destination and source operands and stores the sum in the destination location. The destination operand is always an FPU register; the source operand can be a register or a memory location. Source operands in memory can be in single-real, double-real, word-integer, or shortinteger formats. The no-operand version of the instruction adds the contents of the ST(0) register to the ST(1) register. The one-operand version adds the contents of a memory location (either a real or an integer value) to the contents of the ST(0) register. The two-operand version, adds the contents of the ST(0) register to the ST(i) register or vice versa. The value in ST(0) can be doubled by coding:
FADD ST(0), ST(0);

The FADDP instructions perform the additional operation of popping the FPU register stack after storing the result. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1. (The no-operand version of the floating-point add instructions always results in the register stack being popped. In some assemblers, the mnemonic for this instruction is FADD rather than FADDP.) The FIAD D instructions convert an integer source operand to extended-real format before performing the addition. The table on the follow ing page shows the results obtained when adding various classes of numbers, assuming that neither overflow nor underflow occurs. When the sum of two operands with opposite signs is 0, the result is +0, except for the round toward - mode, in which case the result is -0. When the source operand is an integer 0, it is treated as a +0. When both operand are infinities of the same sign, the result is of the expected sign. If both operands are infinities of opposite signs, an invalid-operation exception is generated.

3-95


INSTRUCTION SET REFERENCE

FADD/FADDP/FIADD--Add (Continued)
.

D EST - - -F or -I SRC -0 +0 +F or +I + NaN NOTE S: F Means finite-real number. I Means integer. * Indicates floating-point invalid-ar ithmetic-operand ( #IA ) exception. - - - - - * N aN -F - -F DEST DEST ±F or ±0 + NaN -0 - SRC -0 ±0 SRC + Na N +0 - SRC ±0 +0 SRC + N aN +F - ±F or ±0 D EST D EST +F + NaN + * + + + + + NaN NaN Na N NaN NaN NaN NaN NaN Na N

Operation
IF instruction is FIADD THEN DEST DEST + ConvertExtendedReal(SRC); ELSE (* source operand is real number *) DEST DEST + SRC; FI; IF instruction = FADDP THEN PopRegisterStack; FI;

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA Stack underflow occurred. Operand is an SNaN value or unsupported format. Operands are infinities of unlike sign.

3- 96


INSTRUCTION SET REFER EN CE

FADD/FADDP/FIADD--Add (Continued)
#D #U #O #P Result is a denormal value. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-97


INSTRUCTION SET REFERENCE

FBLD--Load Binary Coded Decimal
Opcode DF /4 Instruction FBLD m80 dec Description Conver t BCD value to real and push onto the FPU stack.

Description Converts the BCD source operand into extended-real format and pushes the value onto the FPU stack. The source operand is loaded without rounding errors. The sign of the source operand is preserved, including that of -0. The packed BCD digits are assumed to be in the range 0 through 9; the instruction does not check for invalid digits (AH through FH). Attempting to load an invalid encoding produces an undefined result. Operation
TOP TOP - 1; ST(0) ExtendedReal(SRC);

FPU Flags Affected C1 C0, C2, C3 Set to 1 if stack overflow occurred; otherwise, cleared to 0. Undefined.

Floating-Point Exceptions #IS Stack overflow occurred.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

3- 98


INSTRUCTION SET REFER EN CE

FBLD--Load Binary Coded Decimal (Continued)
Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-99


INSTRUCTION SET REFERENCE

FBSTP--Store BCD Integer and Pop
Opcode DF /6 Instruction FB STP m80bcd Description Store ST(0) in m80bcd and pop ST(0).

Description Converts the value in the ST(0) register to an 18-digit packed BCD integer, stores the result in the destination operand, and pops the register stack. If the source value is a non-integral value, it is rounded to an integer value, according to rounding mode specified by the RC field of the FPU control word. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1. The destination operand specifies the address where the first byte destination value is to be stored. The BCD value (including its sign bit) requires 10 bytes of space in memory. The following table shows the results obtained when storing various classes of numbers in packed BCD format.
ST(0) - -F < -1 -1 < -F < -0 -0 +0 +0 < +F < +1 +F > +1 + NaN NOTE S: F Means finite-real number. D Means packed-BCD number. * Indicates floating-point invalid-operation (#IA) exception. ** ±0 or ±1, depending on the rounding mode. DEST * -D ** -0 +0 ** +D * *

If the source value is too large for the destination format and the invalid-operation exception is not masked, an invalid-operation exception is generated and no value is stored in the destination operand. If the invalid-operation exception is masked, the packed BCD indefinite value is stored in memory. If the source value is a quiet NaN, an invalid-operation exception is generated. Quiet NaNs do not normally cause this exception to be generated.

3- 100


INSTRUCTION SET REFER EN CE

FBSTP--Store BCD Integer and Pop (Continued)
Operation
DEST BCD(ST(0)); PopRegisterStack;

FPU Flags Affected C1 Set to 0 if stack underflow occurred. I nd ic ate s ro u nd in g di r ect io n i f th e in exa ct ex cep ti on ( # P) i s ge ne ra ted : 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA #P Stack underflow occurred. Source operand is empty; contains a NaN, ±, or unsupported format; or contains value that exceeds 18 BCD digits in length. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If a segment register is being loaded with a segment selector that points to a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

3-101


INSTRUCTION SET REFERENCE

FBSTP--Store BCD Integer and Pop (Continued)
Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 102


INSTRUCTION SET REFER EN CE

FCHS--Change Sign
Opcode D9 E 0 Instruct ion F CHS Description Complements sign of ST( 0)

Description Complements the sign bit of ST(0). This operation changes a positive value into a negative value of equal magnitude or vice versa. The following table shows the results obtained when changing the sign of various classes of numbers.
S T(0) SRC - -F -0 +0 +F + NaN NOTE: F Means finite-real number. ST(0) DEST + +F +0 -0 -F - N aN

Operation
SignBit(ST(0)) NOT (SignBit(ST(0)))

FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred; otherwise, cleared to 0. Undefined.

Floating-Point Exceptions #IS Stack underflow occurred.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

3-103


INSTRUCTION SET REFERENCE

FCHS--Change Sign (Continued)
Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 104


INSTRUCTION SET REFER EN CE

FCLEX/FNCLEX--Clear Exceptions
Opcode 9B DB E2 DB E2 NOTE : * See "Intel Architecture Compatibility" below. Instruction FCLEX FNCLEX D escription C lear floating-point exception flags after checking for pending unmasked floating-point exceptions.

*

C lear floating-point exception flags without checking for pending unmasked floating-point exceptions.

Description Clears the floating-point exception flags (PE, UE, status flag (ES), the stack fault flag (SF), and th FCLEX instruction checks for and handles any before clearing the exception flags; the FNCLEX Intel Architecture Compatibility When operating a Pentium or Intel486 processor in MS-DOS compatibility mode, it is possible (under unusual circumstances) for an FN CLEX instruction to be interrupted prior to being executed to handle a pending FPU exception. See the section titled "No-Wait FPU Instructions Can Get FPU Interrupt in Window " in Appendix D of the Intel Architecture Software Developer's Manual, Volume 1, for a description of these circumstances. An FNCLEX instruction cannot be interrupted in this way on a Pentium Pro processor. Operation
FPUStatusWord[0..7] 0; FPUStatusWord[15] 0;

OE, ZE, DE, and IE), the exception summary e busy flag (B) in the FPU status word. The pending unmasked floating-point exceptions instruction does not.

FPU Flags Affected The PE, U E, OE, ZE, DE, IE, ES, SF, and B flags in the FPU status word are cleared. The C0, C1, C2, and C3 flags are undefined. Floating-Point Exceptions None. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

3-105


INSTRUCTION SET REFERENCE

FCLEX/FNCLEX--Clear Exceptions (Continued)
Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 106


INSTRUCTION SET REFER EN CE

FCMOVcc--Floating-Point Conditional Move
Opcode DA C0+i DA C8+i DA D0+i DA D8+i DB C0+i DB C8+i DB D0+i DB D8+i Instruction FCMOVB ST(0), ST(i) FCMOVE S T(0), ST(i) FCMOVBE ST(0), ST(i) FCMOVU ST(0) , ST(i) FCMOVNB ST(0), ST(i) FCMOVNE ST(0), ST(i) FCMOVNBE ST(0), ST(i) FCMOVNU ST(0), ST(i) Description Move if below (CF=1) Move if equal (ZF=1) Move if below or equal (CF=1 or ZF=1) Move if unordered (PF=1) Move if not below (CF=0) Move if not equal (ZF=0) Move if not below or equal (C F=0 and ZF=0) Move if not unordered (PF=0)

Description Tests the status flags in the EFLAGS register and moves the source operand (second operand) to the destination operand (first operand) if the given test condition is true. The conditions for each mnemonic are given in the Description column above and in Table 6-4 in the Intel Architecture Software Developer's Manual, Volume 1. The source operand is always in the ST(i) register and the destination operand is always ST(0). The FCMOV cc instructions are useful for optimizing small IF constructions. They also help eliminate branching overhead for IF operations and the possibility of branch mispredictions by the processor. A in in fe processor may not support the FCMOV cc instructions. Software can check if the FCMOV cc structions are supported by checking the processor's feature information with the CPUID struction (see "CPU ID--CPU Identification" in this chapter). If both the CMOV and FPU ature bits are set, the FCMOVcc instructions are supported.

Intel Architecture Compatibility The FCMOVcc instructions were introduced to the Intel Architecture in the Pentium Pro processor family and is not available in earlier Intel Architecture processors. Operation
IF condition TRU E ST(0) ST(i) FI;

FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred. Undefined.

3-107


INSTRUCTION SET REFERENCE

FCMOVcc--Floating-Point Conditional Move (Continued)
Floating-Point Exceptions #IS Stack underflow occurred.

Integer Flags Affected None. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 108


INSTRUCTION SET REFER EN CE

FCOM/FCOMP/FCOMPP--Compare Real
Opcode D8 / 2 DC /2 D8 D0+i D8 D1 D8 / 3 DC /3 D8 D8+i D8 D9 DE D9 Instruction FCOM m32real FCOM m64real FCOM ST(i) FCOM FCOMP m32real FCOMP m64real FCOMP ST(i) FCOMP FCOMPP D escription C ompare ST(0) with m32real. C ompare ST(0) with m64real. C ompare ST(0) with ST(i). C ompare ST(0) with ST(1). C ompare ST(0) with m32real and pop register stack. C ompare ST(0) with m64real and pop register stack. C ompare ST(0) with ST(i) and pop register stack. C ompare ST(0) with ST(1) and pop register stack. C ompare ST(0) with ST(1) and pop register stack twice.

Description Compares the contents of register ST(0) and source value and sets condition code flags C0, C2, and C3 in the FPU status word according to the results (see the table below). The source operand can be a data register or a memory location. If no source operand is given, the value in ST(0) is compared with the value in ST(1). The sign of zero is ignored, so that ­0.0 = +0.0.
Condition ST(0) > S RC ST(0) < S RC ST(0) = S RC Unordered* NOTE: * Flags not set if unmasked invalid-ar ithmetic- operand (#IA ) exception is generated. C3 0 0 1 1 C2 0 0 0 1 C0 0 1 0 1

This instruction checks the class of the numbers being compared (see "FXAM--Examine" in this chapter). If either operand is a NaN or is in an unsupported format, an invalid-arithmeticoperand exception (#IA) is raised and, if the exception is masked, the condition flags are set to "unordered." If the invalid-arithmetic-operand exception is unmasked, the condition code flags are not set. The FCO MP instruction pops the register stack following the comparison operation and the FCOMPP instruction pops the register stack twice follow ing the comparison operation. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TO P) by 1.

3-109


INSTRUCTION SET REFERENCE

FCOM/FCOMP/FCOMPP--Compare Real (Continued)
The FCOM instructions perform the same operation as the FUCOM instructions. The only difference is how they handle QNaN operands. The FCOM instructions raise an invalid-arithmetic-operand exception (#IA) when either or both of the operands is a NaN value or is in an unsupported format. The FUCOM instructions perform the same operation as the FCOM instructions, except that they do not generate an invalid-arithmetic-operand exception for QNaNs. Operation
CASE (relation of operands) OF ST > SRC: C3, C2, C0 000; ST < SRC: C3, C2, C0 001; ST = SRC: C3, C2, C0 100; ESAC; IF ST(0) or SRC = NaN or unsupported form at THEN #IA IF FPUControlWord.IM = 1 THEN C3, C2, C0 111; FI; FI; IF instruction = FCOMP THEN PopRegisterStack; FI; IF instruction = FCOMPP THEN PopRegisterStack; PopRegisterStack; FI;

FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred; otherwise, cleared to 0. See table on previous page.

Floating-Point Exceptions #IS #IA Stack underflow occurred. One or both operands are NaN values or have unsupported formats. Register is marked empty. #D One or both operands are denormal values.

3- 110


INSTRUCTION SET REFER EN CE

FCOM/FCOMP/FCOMPP--Compare Real (Continued)
Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-111


INSTRUCTION SET REFERENCE

FCOMI/FCOMIP/ FUCOMI/FUCOMIP--Compare Real and Set EFLAGS
Opcode DB F0+i DF F0+i DB E8+i DF E8+i Instruction FCOMI ST, ST(i) FCOMIP ST, ST(i) FUCOMI ST, ST(i) FUCOMIP ST, ST(i) Description Compare ST(0) with ST(i) and set status flags accordingly Compare ST(0) with ST( i), set status flags accordingly, and pop register stack Compare ST(0) with ST(i), check for ordered values, and set status flags accordingly Compare ST(0) with ST(i), check for ordered values, set status flags accordingly, and pop register stack

Description Compares the contents of register ST(0) and ST(i) and sets the status flags ZF, PF, and CF in the EFLAGS register according to the results (see the table below). The sign of zero is ignored for comparisons, so that ­0.0 = +0.0.
Comparison Results ST0 > ST(i) ST0 < ST(i) ST0 = ST(i) U nordered* NOTE : * Flags not set if unmasked invalid-ar ithmetic- operand (#IA) exception is generated. ZF 0 0 1 1 PF 0 0 0 1 CF 0 1 0 1

The FCOMI/FCOMIP instructions instructions. The only difference is instructions set the status flags to exception (#IA) when either or both unsupported format.

perform the same operation as the FU COMI/FUCOMIP how they handle QNaN operands. The FCOMI/FCOMIP "unordered" and generate an invalid-arithmetic-operand of the operands is a NaN value (SNaN or QNaN) or is in an

The FUCOM I/FUCOMIP instructions perform the same operation as the FCOMI/FCOMIP instructions, except that they do not generate an invalid-arithmetic-operand exception for QNaNs. See "FXAM--Examine" in this chapter for additional information on unordered comparisons. If invalid-operation exception is unmasked, the status flags are not set if the invalid-arithmeticoperand exception is generated. The FCOMIP and FUCOMIP instructions also pop the register stack following the comparison operation. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1.

3- 112


INSTRUCTION SET REFER EN CE

FCOMI/FCOMIP/ FUCOMI/FUCOMIP--Compare Real and Set EFLAGS (Continued)
Intel Architecture Compatibility The FCOMI/FCOMIP/FUCOMI/FUCO MIP instructions were introduced to the Intel Architecture in the Pentium Pro processor family and are not available in earlier Intel Architecture processors. Operation
CASE (relation of operands) OF ST(0) > ST(i): ZF, PF, CF 000; ST(0) < ST(i): ZF, PF, CF 001; ST(0) = ST(i): ZF, PF, CF 100; ESAC; IF instruction is FCOMI or FCO MIP THEN IF ST(0) or ST(i) = NaN or unsupported format THEN #IA IF FPUControlWord.IM = 1 THEN ZF, PF, CF 111; FI; FI; FI; IF instruction is FUCOMI or FU COMIP THEN IF ST(0) or ST(i) = QNaN, but not SNaN or unsupported format THEN ZF, PF, CF 111; ELSE (* ST(0) or ST(i) is SNaN or unsupported format *) #IA; IF FPUControlWord.IM = 1 THEN ZF, PF, CF 111; FI; FI; FI; IF instruction is FCOMIP or FUC OMIP THEN PopRegisterStack; FI;

3-113


INSTRUCTION SET REFERENCE

FCOMI/FCOMIP/ FUCOMI/FUCOMIP--Compare Real and Set EFLAGS (Continued)
FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred; otherwise, cleared to 0. Not affected.

Floating-Point Exceptions #IS #IA Stack underflow occurred. (FCOMI or FCOMIP instruction) One or both operands are NaN values or have unsupported formats. (FUCOMI or FUCOMIP instruction) One or both operands are SNaN values (but not Q NaNs) or have undefined formats. Detection of a QNaN value does not raise an invalid-operand exception. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 114


INSTRUCTION SET REFER EN CE

FCOS--Cosine
Opcode D9 FF Instruction FCOS D escription R eplace ST(0) with its cosine

Description Calculates the cosine of the source operand in register ST(0) and stores the result in ST(0). The source operand must be given in radians and must be within the range -263 to +263. The following table shows the results obtained when taking the cosine of various classes of numbers, assuming that neither overflow nor underflow occurs.
S T(0) SRC - -F -0 +0 +F + NaN NOTES: F Means finite-r eal number. * Indicates floating-point invalid-arithmetic-operand (#IA) exception. ST(0) DEST * -1 to +1 +1 +1 -1 to +1 * N aN

If the source operand is outside the acceptable range, the C2 flag in the FPU status word is set, and the value in register ST(0) remains unchanged. The instruction does not raise an exception when the source operand is out of range. It is up to the program to check the C2 flag for out-ofrange conditions. Source values outside the range -263 to +263 can be reduced to the range of the instruction by subtracting an appropriate integer multiple of 2 or by using the FPREM instruction with a divisor of 2. See the section titled "Pi" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1, for a discussion of the proper value to use for in performing such reductions. Operation
IF |ST(0)| < 263 THEN C2 0; ST(0) cosine(ST(0)); ELSE (*source operand is out-of-range *) C2 1; FI;

3-115


INSTRUCTION SET REFERENCE

FCOS--Cosine (Continued)
FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. Undefined if C2 is 1. C2 C0, C3 Set to 1 if source operand is outside the range -2 cleared to 0. Undefined.
63

to +263; otherwise,

Floating-Point Exceptions #IS #IA #D #U #P Stack underflow occurred. Source operand is an SNaN value, , or unsupported format. Result is a denormal value. Result is too small for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 116


INSTRUCTION SET REFER EN CE

FDECSTP--Decrement Stack-Top Pointer
Opcode D9 F6 Instruction FDECSTP D escription D ecrement TOP field in FPU status word.

Description Subtracts one from the TOP field of the FPU status word (decrements the top-of-stack pointer). If the TOP field contains a 0, it is set to 7. The effect of this instruction is to rotate the stack by one position. The contents of the FPU data registers and tag register are not affected. Operation
IF TOP = 0 THEN TOP 7; ELSE TOP TOP ­ 1; FI;

FPU Flags Affected The C1 flag is set to 0; otherwise, cleared to 0. The C0, C2, and C3 flags are undefined. Floating-Point Exceptions None. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-117


INSTRUCTION SET REFERENCE

FDIV/FDIVP/FIDIV--Divide
Opcode D8 /6 DC /6 D8 F0+i DC F8+i DE F8+i DE F9 DA /6 DE /6 Instruction FDIV m32real FDIV m64real FDIV ST(0), ST(i) FDIV ST(i), ST(0) FDIVP S T(i) , ST(0) FDIVP FIDIV m32int FIDIV m16int Description Divide ST(0) by m32real and store result in ST(0) Divide ST(0) by m64real and store result in ST(0) Divide ST(0) by ST(i) and store result in ST(0) Divide ST(i) by ST(0) and store result in ST(i) Divide ST(i) by ST(0), store result in ST( i), and pop the register stack Divide ST(1) by ST(0), store result in ST(1), and pop the register stack Divide ST(0) by m32int and stor e result in ST(0) Divide ST(0) by m64int and stor e result in ST(0)

Description Divides the destination operand by the source operand and stores the result in the destination location. The destination operand (dividend) is always in an FPU register; the source operand (divisor) can be a register or a memory location. Source operands in memory can be in singlereal, double-real, word-integer, or short-integer formats. The no-operand contents of the S by the contents version, divides versa. version of the instruction divides the contents of the ST(1) register by the T(0) register. The one-operand version divides the contents of the ST(0) register of a memory location (either a real or an integer value). The two-operand the contents of the ST(0) register by the contents of the ST(i) register or vice popping the FPU register stack after arks the ST(0) register as empty and version of the floating-point divide popped. In some assemblers, the

The FDIVP instructions perform the additional operation of storing the result. To pop the register stack, the processor m increments the stack pointer (TOP) by 1. The no-operand instructions always results in the register stack being mnemonic for this instruction is FDIV rather than FDIVP.

The FIDIV instructions convert an integer source operand to extended-real format before performing the division. When the source operand is an integer 0, it is treated as a +0. If an unmasked divide by zero exception (#Z) is generated, no result is stored; if the exception is masked, an of the appropriate sign is stored in the destination operand. The following table shows the results obtained when dividing various classes of numbers, assuming that neither overflow nor underflow occurs.

3- 118


INSTRUCTION SET REFER EN CE

FDIV/FDIVP/FIDIV--Divide (Continued)
DEST - - -F -I SRC -0 +0 +I +F + NaN NOTES: F Means finite-real number. I Means integer. * Indicates floating-point invalid-ar ithmetic-operand (#IA) exception. ** Indicates floating-point zero-divide (#Z) exception. * + + + - - - * Na N -F +0 +F +F ** ** -F -F -0 NaN -0 +0 +0 +0 * * -0 -0 -0 NaN +0 -0 -0 -0 * * +0 +0 +0 NaN +F -0 -F -F ** ** +F +F +0 Na N + * - - - + + + * NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN

Operation
IF SRC = 0 THEN #Z ELSE IF instruction is FID IV THEN DEST DEST / ConvertExtendedReal(SRC); ELSE (* source operand is real number *) DEST DEST / SRC; FI; FI; IF instruction = FDIVP THEN PopRegisterStack FI;

3-119


INSTRUCTION SET REFERENCE

FDIV/FDIVP/FIDIV--Divide (Continued)
FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA Stack underflow occurred. Operand is an SNaN value or unsupported format. ± / ±; ±0 / ±0 #D #Z #U #O #P Result is a denormal value. DEST / ±0, where DEST is not equal to ±0. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

3- 120


INSTRUCTION SET REFER EN CE

FDIV/FDIVP/FIDIV--Divide (Continued)
Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-121


INSTRUCTION SET REFERENCE

FDIVR/FDIVRP/FIDIVR--Reverse Divide
Opcode D8 /7 DC /7 D8 F8+i DC F0+i DE F0+i DE F1 DA /7 DE /7 Instruction FDIVR m32real FDIVR m64real FDIVR ST(0), ST(i) FDIVR ST(i), ST( 0) FDIVRP ST(i) , ST(0) FDIVRP FIDIVR m32int FIDIVR m16int Description Divide m32real by ST(0) and store result in ST(0) Divide m64real by ST(0) and store result in ST(0) Divide ST(i) by ST(0) and store result in ST(0) Divide ST(0) by ST(i) and store result in ST(i) Divide ST(0) by ST(i), store result in ST( i), and pop the register stack Divide ST(0) by ST(1), store result in ST(1), and pop the register stack Divide m32int by ST(0) and stor e result in ST(0) Divide m64int by ST(0) and stor e result in ST(0)

Description Divides the source operand by the destination operand and stores the result in the destination location. The destination operand (divisor) is always in an FPU register; the source operand (dividend) can be a register or a memory location. Source operands in memory can be in singlereal, double-real, word-integer, or short-integer formats. These instructions perform the reverse operations of the FDIV, FD IVP, and FIDIV instructions. They are provided to support more efficient coding. The no-operand version of the contents of the ST(1) register. T tion (either a real or an integer version, divides the contents of versa. instruction divides the contents of the ST(0) register by the he one-operand version divides the contents of a memory locavalue) by the contents of the ST(0) register. The two-operand the ST(i) register by the contents of the ST(0) register or vice

The FDIVRP instructions perform the additional operation of popping the FPU register stack after storing the result. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1. The no-operand version of the floating-point divide instructions always results in the register stack being popped. In some assemblers, the mnemonic for this instruction is FDIVR rather than FDIVRP. The FIDIVR instructions convert an integer source operand to extended-real format before performing the division. If an unmasked divide by zero exception (#Z) is generated, no result is stored; if the exception is masked, an of the appropriate sign is stored in the destination operand. The following table shows the results obtained when dividing various classes of numbers, assuming that neither overflow nor underflow occurs.

3- 122


INSTRUCTION SET REFER EN CE

FDIVR/FDIVRP/FIDIVR--Reverse Divide (Continued)
DEST - - SRC -F -I -0 +0 +I +F + NaN NOTES: F Means finite-real number. I Means integer. * Indicates floating-point invalid-ar ithmetic-operand (#IA) exception. ** Indicates floating-point zero-divide (#Z) exception. * +0 +0 +0 -0 -0 -0 * Na N -F + +F +F +0 -0 -F -F - NaN -0 + ** ** * * ** ** - NaN +0 - ** ** * * ** ** + NaN +F - -F -F -0 +0 +F +F + Na N + * -0 -0 -0 +0 +0 +0 * NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN

When the source operand is an integer 0, it is treated as a +0. Operation
IF DEST = 0 THEN #Z ELSE IF instruction is FID IVR THEN DEST ConvertExtendedReal(SRC) / DEST; ELSE (* source operand is real number *) DEST SRC / DEST; FI; FI; IF instruction = FDIVRP THEN PopRegisterStack FI;

3-123


INSTRUCTION SET REFERENCE

FDIVR/FDIVRP/FIDIVR--Reverse Divide (Continued)
FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA Stack underflow occurred. Operand is an SNaN value or unsupported format. ± / ±; ±0 / ±0 #D #Z #U #O #P Result is a denormal value. SRC / ±0, where SRC is not equal to ±0. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

3- 124


INSTRUCTION SET REFER EN CE

FDIVR/FDIVRP/FIDIVR--Reverse Divide (Continued)
Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-125


INSTRUCTION SET REFERENCE

FFREE--Free Floating-Point Register
Opcode DD C0+i Instruction FFREE ST(i) Description Sets tag for ST(i) to empty

Description Sets the tag in the FPU tag register associated with register ST(i) to empty (11B). The contents of ST(i) and the FPU stack-top pointer (TOP) are not affected. Operation
TAG(i) 11B;

FPU Flags Affected C0, C1, C2, C3 undefined. Floating-Point Exceptions None. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 126


INSTRUCTION SET REFER EN CE

FICOM/FICOMP--Compare Integer
Opcode DE /2 DA /2 DE /3 DA /3 Instruction FICOM m16int FICOM m32int FICOMP m16int FICOMP m32int D escription C ompare ST(0) with m16int C ompare ST(0) with m32int C ompare ST(0) with m16int and pop stack register C ompare ST(0) with m32int and pop stack register

Description Compares the value in ST(0) with an integer source operand and sets the condition code flags C0, C2, and C3 in the FPU status word according to the results (see table below). The integer value is converted to extended-real format before the comparison is made.
C ondition S T(0) > SRC S T(0) < SRC S T(0) = SRC Unordered C3 0 0 1 1 C2 0 0 0 1 C0 0 1 0 1

These instructions perform an "unordered comparison." An unordered comparison also checks the class of the numbers being compared (see "FXAM--Examine" in this chapter). If either operand is a NaN or is in an undefined format, the condition flags are set to "unordered." The sign of zero is ignored, so that ­0.0 = +0.0. The FICOMP instructions pop the register stack following the comparison. To pop the register stack, the processor marks the ST(0) register empty and increments the stack pointer (TOP) by 1. Operation
CASE (relation of operands) OF ST(0) > SRC: C3, C2, C0 ST(0) < SRC: C3, C2, C0 ST(0) = SRC: C3, C2, C0 Unordered: C3, C2, C0 ESAC; IF instruction = FICOMP THEN PopRegisterStack; FI; 000; 001; 100; 111;

3-127


INSTRUCTION SET REFERENCE

FICOM/FICOMP--Compare Integer (Continued)
FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred; otherwise, set to 0. See table on previous page.

Floating-Point Exceptions #IS #IA #D Stack underflow occurred. One or both operands are NaN values or have unsupported formats. One or both operands are denormal values.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 128


INSTRUCTION SET REFER EN CE

FILD--Load Integer
Opcode DF / 0 DB /0 DF / 5 Instruction FILD m16int FILD m32int FILD m64int D escription Push m16int onto the FPU r egister stack. Push m32int onto the FPU r egister stack. Push m64int onto the FPU r egister stack.

Description Converts the signed-integer source operand into extended-real format and pushes the value onto the FPU register stack. The source operand can be a word, short, or long integer value. It is loaded without rounding errors. The sign of the source operand is preserved. Operation
TO P TOP - 1; ST(0) ExtendedReal(SRC);

FPU Flags Affected C1 C0, C2, C3 Set to 1 if stack overflow occurred; cleared to 0 otherw ise. Undefined.

Floating-Point Exceptions #IS Stack overflow occurred.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

3-129


INSTRUCTION SET REFERENCE

FILD--Load Integer (Continued)
Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 130


INSTRUCTION SET REFER EN CE

FINCSTP--Increment Stack-Top Pointer
Opcode D9 F7 Instruction FINCSTP D escription Increment the TOP field in the FPU status register

Description Adds one to the TO P field of the FPU status word (increments the top-of-stack pointer). If the TOP field contains a 7, it is set to 0. The effect of this instruction is to rotate the stack by one position. The contents of the FPU data registers and tag register are not affected. This operation is not equivalent to popping the stack, because the tag for the previous top-of-stack register is not marked empty. Operation
IF TOP = 7 THEN TOP 0; ELSE TOP TOP + 1; FI;

FPU Flags Affected The C1 flag is set to 0; otherwise, cleared to 0. The C0, C2, and C3 flags are undefined. Floating-Point Exceptions None. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-131


INSTRUCTION SET REFERENCE

FINIT/FNINIT--Initialize Floating-Point Unit
Opcode 9B DB E3 DB E3 NOTE: * See "Intel Architecture Compatibility" below. Instruction FINIT FNINIT* Description Initialize FPU after checking for pending unmasked floating-point exceptions. Initialize FPU without checking for pending unmasked floating-point exceptions.

Description Sets the FPU control, status, tag, instruction pointer, and data pointer registers to their default states. The FPU control word is set to 037FH (round to nearest, all exceptions masked, 64-bit precision). The status word is cleared (no exception flags set, TOP is set to 0). The data registers in the register stack are left unchanged, but they are all tagged as empty (11B). Both the instruction and data pointers are cleared. The FINIT instruction checks for and handles any pending unmasked floating-point exceptions before performing the initialization; the FNINIT instruction does not. Intel Architecture Compatibility When operating a Pentium or Intel486 processor in MS-DOS compatibility mode, it is possible (under unusual circumstances) for an FN INIT instruction to be interrupted prior to being executed to handle a pending FPU exception. See the section titled "No-Wait FPU Instructions Can Get FPU Interrupt in Window" in Appendix D of the Intel Architecture Software Developer's Manual, Volume 1, for a description of these circumstances. A n FNINIT instruction cannot be interrupted in this way on a Pentium Pro processor. In the Intel387 math coprocessor, the FINIT/FNINIT instruction does not clear the instruction and data pointers. Operation
FPUControlWord 037FH; FPUStatusWord 0; FPUTagWord FFFFH; FPUDataPointer 0; FPUInstructionPointer 0; FPULastInstructionO pcode 0;

FPU Flags Affected C0, C1, C2, C3 cleared to 0.

3- 132


INSTRUCTION SET REFER EN CE

FINIT/FNINIT--Initialize Floating-Point Unit (Continued)
Floating-Point Exceptions None. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-133


INSTRUCTION SET REFERENCE

FIST/FISTP--Store Integer
Opcode DF /2 DB /2 DF /3 DB /3 DF /7 Instruction FIST m16int FIST m32int FISTP m16int FISTP m32int FISTP m64int Description Store ST(0) in m16int Store ST(0) in m32int Store ST(0) in m16int and pop r egister stack Store ST(0) in m32int and pop r egister stack Store ST(0) in m64int and pop r egister stack

Description The FIST instruction converts the value in the ST(0) register to a signed integer and stores the result in the destination operand. Values can be stored in word- or short-integer format. The destination operand specifies the address where the first byte of the destination value is to be stored. The FISTP instruction performs the same operation as the FIST instruction and then pops the register stack. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1. The FISTP instruction can also stores values in longinteger format. The following table shows the results obtained when storing various classes of numbers in integer format.
ST(0) - -F < -1 -1 < -F < -0 -0 +0 +0 < +F < +1 +F > +1 + NaN NOTE S: F Means finite-real number. I Means integer. * Indicates floating-point invalid-operation (#IA) exception. ** 0 or ±1, depending on the rounding mode. DEST * -I ** 0 0 ** +I * *

3- 134


INSTRUCTION SET REFER EN CE

FIST/FISTP--Store Integer (Continued)
If the source value is a non-integral value, it is rounded to an integer value, according to the rounding mode specified by the RC field of the FPU control word. If the value being stored is unsupported format and if invalid-operation exception invalid-operation exception operand. Operation
DEST Integer(ST(0)); IF instruction = FISTP THEN PopRegisterStack; FI;

too large for the destination format, is an , is a NaN, or is in an the invalid-arithmetic-operand exception (#IA) is unmasked, an is generated and no value is stored in the destination operand. If the is masked, the integer indefinite value is stored in the destination

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction of if the inexact exception (#P) is generated: 0 = not roundup; 1 = roundup. Cleared to 0 otherwise. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA Stack underflow occurred. Source operand is too large for the destination format Source operand is a NaN value or unsupported format. #P Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

3-135


INSTRUCTION SET REFERENCE

FIST/FISTP--Store Integer (Continued)
#PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 136


INSTRUCTION SET REFER EN CE

FLD--Load Real
Opcode D9 / 0 DD /0 DB /5 D9 C0+i Instruction FLD m32real FLD m64real FLD m80real FLD ST(i) D escription Push m32r eal onto the FPU register stack. Push m64r eal onto the FPU register stack. Push m80r eal onto the FPU register stack. Push ST(i) onto the FPU register stack.

Description Pushes the source operand onto the FPU register stack. If the source operand is in single- or double-real format, it is automatically converted to the extended-real format before being pushed on the stack. The FLD instruction can also push the value in a selected FPU register [ST(i)] onto the stack. Here, pushing register ST(0) duplicates the stack top. Operation
IF SRC is ST(i) THEN temp ST(i) TO P TOP - 1; IF SRC is memory-operand THEN ST(0) ExtendedReal(SRC); ELSE (* SRC is ST(i) *) ST(0) temp;

FPU Flags Affected C1 C0, C2, C3 Set to 1 if stack overflow occurred; otherwise, cleared to 0. Undefined.

Floating-Point Exceptions #IS #IA #D Stack overflow occurred. Source operand is an SNaN value or unsupported format. Source operand is a denormal value. Does not occur if the source operand is in extended-real format.

3-137


INSTRUCTION SET REFERENCE

FLD--Load Real (Continued)
Protected Mode Exceptions #GP(0) If destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 138


INSTRUCTION SET REFER EN CE

FLD1/FLDL2T/FLDL2E/FLDPI/FLDLG2/FLDLN2/FLDZ--Load Constant
Opcode D9 E 8 D9 E9 D9 EA D9 E B D9 EC D9 E D D9 E E Instruction FLD 1 FLD L2T FLD L2E FLD PI FLD LG2 FLD LN2 FLD Z D escription Push +1.0 onto the FPU register stack. Push log210 onto the FPU register stack. Push log2e onto the FPU r egister stack. P ush onto the FPU register stack. Push log102 onto the FPU r egister stack. P ush loge2 onto the FPU r egister stack. Push +0.0 onto the FPU register stack.

Description Push one of seven commonly used constants (in extended-real format) onto the FPU register stack. The constants that can be loaded with these instructions include +1.0, +0.0, log210, log2e, , log102, and loge2. For each constant, an internal 66-bit constant is rounded (as specified by the RC field in the FPU control word) to external-real format. The inexact-result exception (#P) is not generated as a result of the rounding. See the section titled "Pi" in Chapter 7 of the Intel Architecture Software D eveloper's Manual, Volume 1, for a description of the constant. Operation
TO P TOP - 1; ST(0) CONSTANT;

FPU Flags Affected C1 C0, C2, C3 Set to 1 if stack overflow occurred; otherwise, cleared to 0. Undefined.

Floating-Point Exceptions #IS Stack overflow occurred.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

3-139


INSTRUCTION SET REFERENCE

FLD1/FLDL2T/FLDL2E/FLDPI/FLDLG2/FLDLN2/FLDZ--Load Constant (Continued)
Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

Intel Architecture Compatibility When the RC field is set to round-to-nearest, the FPU produces the same constants that is produced by the Intel 8087 and Intel287 math coprocessors.

3- 140


INSTRUCTION SET REFER EN CE

FLDCW--Load Control Word
Opcode D9 / 5 Instruction FLD CW m2byte D escription Load FPU control word from m2byte.

Description Loads the 16-bit source operand into the FPU control word. The source operand is a memory location. This instruction is typically used to establish or change the FPU's mode of operation. If one or more exception flags are set in the FPU status word prior to loading a new FPU control word and the new control word unmasks one or more of those exceptions, a floating-point exception will be generated upon execution of the next floating-point instruction (except for the nowait floating-point instructions, see the section titled "Software Exception Handling" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1). To avoid raising exceptions when changing FPU operating modes, clear any pending exceptions (using the FCLEX or FNCLEX instruction) before loading the new control word. Operation
FPUC ontrolWord SRC;

FPU Flags Affected C0, C1, C2, C3 undefined. Floating-Point Exceptions None; however, this operation might unmask a pending exception in the FPU status word. That exception is then generated upon execution of the next "waiting" floating-point instruction. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

3-141


INSTRUCTION SET REFERENCE

FLDCW--Load Control Word (Continued)
Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 142


INSTRUCTION SET REFER EN CE

FLDENV--Load FPU Environment
Opcode D9 /4 Instruction FLD ENV m14/28byte D escription Load FPU environment from m14byte or m28byte.

Description Loads the complete FPU operating environment from memory into the FPU registers. The source operand specifies the first byte of the operating-environment data in memory. This data is typically written to the specified memory location by a FSTENV or FNSTEN V instruction. The FPU operating environment consists of the FPU control word, status word, tag word, instruction pointer, data pointer, and last opcode. Figures 7-13 through 7-16 in the Intel Architecture Software Developer's Manual, Volume 1, show the layout in memory of the loaded environment, depending on the operating mode of the processor (protected or real) and the current operand-size attribute (16-bit or 32-bit). In virtual-8086 mode, the real mode layouts are used. The FLDENV instruction should be executed in the same operating mode as the corresponding FSTENV/FNSTENV instruction. If one or more unmasked exception flags are set in the new FPU status word, a floating-point exception will be generated upon execution of the next floating-point instruction (except for the no-wait floating-point instructions, see the section titled "Software Exception Handling" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1). To avoid generating exceptions when loading a new environment, clear all the exception flags in the FPU status word that is being loaded. Operation
FP FP FP FP FP FP UC ontrolWord SRC(FPUControlWord); UStatusWord SRC(FPUStatusWord); UTagWord SRC(FPUTagWord); UD ataPointer SRC(FPUDataPointer); UInstructionPointer SRC(FPUInstructionPointer); ULastInstructionOpcode SRC(FPULastInstructionOpcode);

FPU Flags Affected The C0, C1, C2, C3 flags are loaded. Floating-Point Exceptions None; however, if an unmasked exception is loaded in the status word, it is generated upon execution of the next "waiting" floating-point instruction.

3-143


INSTRUCTION SET REFERENCE

FLDENV--Load FPU Environment (Continued)
Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 144


INSTRUCTION SET REFER EN CE

FMUL/FMULP/FIMUL--Multiply
Opcode D8 /1 DC /1 D8 C8+i DC C8+i DE C8+i DE C9 DA /1 DE /1 Instruction FMUL m32real FMUL m64real FMUL ST(0), ST(i) FMUL ST(i), ST(0) FMULP ST(i), ST( 0) FMULP FIMUL m32int FIMUL m16int D escription Multiply ST(0) by m32real and store result in ST(0) Multiply ST(0) by m64real and store result in ST(0) Multiply ST(0) by ST( i) and store r esult in ST(0) Multiply ST(i) by ST(0) and store r esult in ST(i) Multiply ST(i) by ST(0), store result in ST(i), and pop the r egister stack Multiply ST(1) by ST(0), store result in ST(1), and pop the r egister stack Multiply ST(0) by m32int and stor e result in ST(0) Multiply ST(0) by m16int and stor e result in ST(0)

Description Multiplies the destination and source operands and stores the product in the destination location. The destination operand is always an FPU data register; the source operand can be an FPU data register or a memory location. Source operands in memory can be in single-real, double-real, word-integer, or short-integer formats. The no-operand version of the instruction multiplies the contents of the ST(1) register by the contents of the ST(0) register and stores the product in the ST(1) register. The one-operand version multiplies the contents of the ST(0) register by the contents of a memory location (either a real or an integer value) and stores the product in the ST(0) register. The two-operand version, multiplies the contents of the ST(0) register by the contents of the ST(i) register, or vice versa, with the result being stored in the register specified with the first operand (the destination operand). The FMULP instructions perform the additional operation of popping the FPU register stack after storing the product. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1. The no-operand version of the floating-point multiply instructions always results in the register stack being popped. In some assemblers, the mnemonic for this instruction is FMUL rather than FMULP. The FIMUL instructions convert an integer source operand to extended-real format before performing the multiplication. The sign of the result is always the exclusive-OR of the source signs, even if one or more of the values being multiplied is 0 or . When the source operand is an integer 0, it is treated as a +0. The following table shows the results obtained when multiplying various classes of numbers, assuming that neither overflow nor underflow occurs.

3-145


INSTRUCTION SET REFERENCE

FMUL/FMULP/FIMUL--Multiply (Continued)
D EST - - -F -I SRC -0 +0 +I +F + NaN NOTE S: F Means finite-real number. I Means Integer. * Indicates invalid-ar ithmetic-operand ( #IA ) exception. + + + * * - - - N aN -F + +F +F +0 -0 -F -F - NaN -0 * +0 +0 +0 -0 -0 -0 * Na N +0 * -0 -0 -0 +0 +0 +0 * N aN +F - -F -F -0 +0 +F +F + NaN + - - - * * + + + NaN NaN NaN NaN NaN Na N Na N NaN NaN NaN Na N

Operation
IF instruction is FIM UL THEN DEST DEST ConvertExtendedReal(SRC); ELSE (* source operand is real number *) DEST DEST SRC ; FI; IF instruction = FMULP THEN PopRegisterStack FI;

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) fault is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS Stack underflow occurred.

3- 146


INSTRUCTION SET REFER EN CE

FMUL/FMULP/FIMUL--Multiply (Continued)
#IA Operand is an SNaN value or unsupported format. One operand is ±0 and the other is ±. #D #U #O #P Source operand is a denormal value. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-147


INSTRUCTION SET REFERENCE

FNOP--No Operation
Opcode D9 D0 Instruction FNOP Description No operation is perfor med.

Description Performs no FPU operation. This instruction takes up space in the instruction stream but does not affect the FPU or machine context, except the EIP register. FPU Flags Affected C0, C1, C2, C3 undefined. Floating-Point Exceptions None. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 148


INSTRUCTION SET REFER EN CE

FPATAN--Par tial Arctangent
Opcode D9 F3 Instruction FPATA N Description Replace ST(1) with arctan(ST(1)/ST(0)) and pop the register stack

Description Computes the arctangent of the source operand in register ST(1) divided by the source operand in register ST(0), stores the result in ST(1), and pops the FPU register stack. The result in register ST(0) has the same sign as the source operand ST(1) and a magnitude less than +. The FPATAN instruction returns the angle between the X axis and the line from the origin to the point (X,Y), where Y (the ordinate) is ST(1) and X (the abscissa) is ST(0). The angle depends on the sign of X and Y independently, not just on the sign of the ratio Y/X. This is because a point (-X,Y) is in the second quadrant, resulting in an angle between /2 and , while a point (X ,-Y) is in the fourth quadrant, resulting in an angle between 0 and -/2. A point (-X,-Y) is in the third quadrant, giving an angle between -/2 and -. The following table shows the results obtained when computing the arctangent of various classes of numbers, assuming that underflow does not occur.
ST(0) - - ST(1) -F -0 +0 +F + NaN NOTES: F Means finite-real number. * Table 7-20 in the Intel A rchitecture Softwar e Developer's Manual, Volume 1, specifies that the ratios 0/0 and / generate the floating-point invalid ar ithmetic-operation exception and, if this exception is masked, the real indefinite value is retur ned. With the FPATAN instr uction, the 0/0 or / value is actually not calculated using division. Instead, the arctangent of the two var iables is derived from a standard mathematical for mulation that is generalized to allow complex number s as arguments. In this complex variable for mulation, arctangent(0,0) etc. has well defined values. These values are needed to develop a librar y to compute transcendental functions with complex arguments, based on the FPU functions that only allow real numbers as arguments. -3/4* - - + + +3/4 NaN -F -/2 - to -/2 - + + to +/2 +/2 NaN -0 -/2 -/2 -* +* +/2 +/2 Na N +0 -/2 -/2 -0 +F -/2 -/2 to -0 -0 +0 +/2 to +0 +/2 NaN + -/4 -0 -0 +0 +0 +/4* NaN NaN

*

NaN Na N Na N Na N Na N NaN Na N

*

+0* +/2 +/2 NaN

*

There is no restriction on the range of source operands that FPATAN can accept.

3-149


INSTRUCTION SET REFERENCE

FPATAN--Par tial Arctangent (Continued)
Intel Architecture Compatibility The source operands for this instruction are restricted for the 80287 math coprocessor to the follow ing range: 0 |ST(1)| < |ST(0)| < + Operation
ST(1) arctan(ST(1) / ST(0)); PopRegisterStack;

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA #D #U #P Stack underflow occurred. Source operand is an SNaN value or unsupported format. Source operand is a denormal value. Result is too small for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 150


INSTRUCTION SET REFER EN CE

FPATAN--Par tial Arctangent
Opcode D9 F8 Instruction FPREM Description Replace ST(0) with the remainder obtained from dividing ST(0) by ST(1)

Description Computes the remainder obtained from dividing the value in the ST(0) register (the dividend) by the value in the ST(1) register (the divisor or modulus), and stores the result in ST(0). The remainder represents the following value: Remainder = ST(0) - (Q ST(1)) Here, Q is an integer value that is obtained by truncating the real-number quotient of [ST(0) / ST(1)] toward zero. The sign of the remainder is the same as the sign of the dividend. The magnitude of the remainder is less than that of the modulus, unless a partial remainder was computed (as described below). This instruction produces an exact result; the precision (inexact) exception does not occur and the rounding control has no effect. The following table shows the results obtained when computing the remainder of various classes of numbers, assuming that underflow does not occur.
ST( 1) - - ST( 0) -F -0 +0 +F + NaN NOTE S: F Means finite-real number. * Indicates floating-point invalid-ar ithmetic-operand (#IA) exception. ** Indicates floating-point zero-divide (#Z) exception. * ST(0) -0 +0 ST(0) * Na N -F * -F or -0 -0 +0 +F or +0 * NaN -0 * ** * * ** * NaN +0 * ** * * ** * NaN +F * -F or -0 -0 +0 +F o r + 0 * Na N + * ST(0) -0 +0 ST(0) * NaN NaN NaN NaN NaN NaN NaN NaN NaN

When the result is 0, its sign is the same as that of the dividend. W hen the modulus is , the result is equal to the value in ST(0). The FPREM instruction does not compute the remainder specified in IEEE Std 754. The IEEE specified remainder can be computed with the FPREM1 instruction. The FPREM instruction is provided for compatibility with the Intel 8087 and Intel287 math coprocessors.

3-151


INSTRUCTION SET REFERENCE

FPATAN--Par tial Arctangent (Continued)
The FPREM instruction gets its name "partial remainder" because of the way it computes the remainder. This instructions arrives at a remainder through iterative subtraction. It can, however, reduce the exponent of ST(0) by no more than 63 in one execution of the instruction. If the instruction succeeds in producing a remainder that is less than the modulus, the operation is complete and the C2 flag in the FPU status word is cleared. Otherwise, C2 is set, and the result in ST(0) is called the partial remainder. The exponent of the partial remainder will be less than the exponent of the original dividend by at least 32. Software can re-execute the instruction (using the partial remainder in ST(0) as the dividend) until C2 is cleared. (Note that while executing such a remainder-computation loop, a higher-priority interrupting routine that needs the FPU can force a context switch in-between the instructions in the loop.) An important use of the FPREM instruction is to reduce the arguments of periodic functions. When reduction is complete, the instruction stores the three least-significant bits of the quotient in the C3, C1, and C0 flags of the FPU status word. This information is important in argument reduction for the tangent function (using a modulus of /4), because it locates the original angle in the correct one of eight sectors of the unit circle. Operation
D exponent(ST(0)) ­ exponent(ST(1)); IF D < 64 THEN Q Integer(TruncateTowardZero(ST(0) / ST(1))); ST(0) ST(0) ­ (ST(1) Q); C2 0; C0, C3, C1 LeastSignificantBits(Q); (* Q2, Q1, Q0 *) ELSE C2 1; N an implementation-dependent number between 32 and 63; QQ Integer(TruncateTowardZero((ST(0) / ST(1)) / 2(D - N))); ST(0) ST(0) ­ (ST(1) QQ 2(D - N)); FI;

FPU Flags Affected C0 C1 C2 C3 Set to bit 2 (Q2) of the quotient. Set to 0 if stack underflow occurred; otherwise, set to least significant bit of quotient (Q0). Set to 0 if reduction complete; set to 1 if incomplete. Set to bit 1 (Q1) of the quotient.

Floating-Point Exceptions #IS Stack underflow occurred.

3- 152


INSTRUCTION SET REFER EN CE

FPATAN--Par tial Arctangent (Continued)
#IA #D #U Source operand is an SNaN value, modulus is 0, dividend is , or unsupported format. Source operand is a denormal value. Result is too small for destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-153


INSTRUCTION SET REFERENCE

FPREM1--Par tial Remainder
Opcode D9 F5 Instruction FPREM1 Description Replace ST(0) with the IEEE remainder obtained from dividing ST(0) by ST(1)

Description Computes the IEEE remainder obtained from dividing the value in the ST(0) register (the dividend) by the value in the ST(1) register (the divisor or modulus), and stores the result in ST(0). The remainder represents the following value: Remainder = ST(0) - (Q ST(1)) Here, Q is an integer value that is obtained by rounding the real-number quotient of [ST(0) / ST(1)] toward the nearest integer value. The magnitude of the remainder is less than half the magnitude of the modulus, unless a partial remainder was computed (as described below). This instruction produces an exact result; the precision (inexact) exception does not occur and the rounding control has no effect. The following table shows the results obtained when computing the remainder of various classes of numbers, assuming that underflow does not occur.
ST(1) - - S T(0) -F -0 +0 +F + NaN NOTE S: F Means finite-real number. * Indicates floating-point invalid-ar ithmetic-operand ( #IA ) exception. ** Indicates floating-point zero-divide (#Z) exception. * ST(0) -0 +0 ST(0) * N aN -F * ±F or -0 -0 +0 ±F or +0 * NaN -0 * ** * * ** * Na N +0 * ** * * ** * N aN +F * ±F or -0 -0 +0 ±F or +0 * NaN + * ST(0) -0 +0 ST(0) * NaN NaN Na N Na N Na N Na N NaN Na N Na N

When the result is 0, its sign is the same as that of the dividend. When the modulus is , the result is equal to the value in ST(0). The FPREM1 instruction computes the remainder specified in IEEE Std 754. This instruction operates differently from the FPREM instruction in the way that it rounds the quotient of ST(0) divided by ST(1) to an integer (see the "Operation" section below).

3- 154


INSTRUCTION SET REFER EN CE

FPREM1--Partial Remainder (Continued)
Like the FPREM instruction, the FPREM1 computes the remainder through iterative subtraction, but can reduce the exponent of ST(0) by no more than 63 in one execution of the instruction. If the instruction succeeds in producing a remainder that is less than one half the modulus, the operation is complete and the C2 flag in the FPU status word is cleared. Otherwise, C2 is set, and the result in ST(0) is called the partial remainder. The exponent of the partial remainder will be less than the exponent of the original dividend by at least 32. Software can re-execute the instruction (using the partial remainder in ST(0) as the dividend) until C2 is cleared. (Note that while executing such a remainder-computation loop, a higher-priority interrupting routine that needs the FPU can force a context sw itch in-between the instructions in the loop.) An important use of the FPREM1 instruction is to reduce the arguments of periodic functions. When reduction is complete, the instruction stores the three least-significant bits of the quotient in the C3, C1, and C0 flags of the FPU status word. This information is important in argument reduction for the tangent function (using a modulus of /4), because it locates the original angle in the correct one of eight sectors of the unit circle. Operation
D exponent(ST(0)) ­ exponent(ST(1)); IF D < 64 THEN Q Integer(RoundTowardNearestInteger(ST(0) / ST(1))); ST(0) ST(0) ­ (ST(1) Q); C2 0; C0, C3, C1 LeastSignificantBits(Q); (* Q2, Q1, Q0 *) ELSE C2 1; N an implem entation-dependent number between 32 and 63; QQ Integer(TruncateTowardZero((ST(0) / ST(1)) / 2(D - N))); ST(0) ST(0) ­ (ST(1) QQ 2(D - N)); FI;

FPU Flags Affected C0 C1 C2 C3 Set to bit 2 (Q2) of the quotient. Set to 0 if stack underflow occurred; otherwise, set to least significant bit of quotient (Q0). Set to 0 if reduction complete; set to 1 if incomplete. Set to bit 1 (Q1) of the quotient.

Floating-Point Exceptions #IS Stack underflow occurred.

3-155


INSTRUCTION SET REFERENCE

FPREM1--Par tial Remainder (Continued)
#IA #D #U Source operand is an SNaN value, modulus (divisor) is 0, dividend is , or unsupported format. Source operand is a denormal value. Result is too small for destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 156


INSTRUCTION SET REFER EN CE

FPTAN--Par tial Tangent
Opcode D9 F2 Instruction FPTAN Clocks 17-173 Description Replace ST(0) w ith its tangent and push 1 onto the FPU stack.

Description Computes the tangent of the source operand in register ST(0), stores the result in ST(0), and pushes a 1.0 onto the FPU register stack. The source operand must be given in radians and must be less than ±263. The following table shows the unmasked results obtained when computing the partial tangent of various classes of numbers, assuming that underflow does not occur.
S T(0) SRC - -F -0 +0 +F + NaN NOTES: F Means finite-r eal number. * Indicates floating-point invalid-arithmetic-operand (#IA) exception. ST(0) DEST * -F to +F -0 +0 -F to +F * N aN

If the source operand is outside the acceptable range, the C2 flag in the FPU status word is set, and the value in register ST(0) remains unchanged. The instruction does not raise an exception when the source operand is out of range. It is up to the program to check the C2 flag for out-ofrange conditions. Source values outside the range -263 to +263 can be reduced to the range of the instruction by subtracting an appropriate integer multiple of 2 or by using the FPREM instruction with a divisor of 2. See the section titled "Pi" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1, for a discussion of the proper value to use for in performing such reductions. The value 1.0 is pushed onto the register stack after the tangent has been computed to maintain compatibility with the Intel 8087 and Intel287 math coprocessors. This operation also simplifies the calculation of other trigonometric functions. For instance, the cotangent (which is the reciprocal of the tangent) can be computed by executing a FDIV R instruction after the FPTAN instruction.

3-157


INSTRUCTION SET REFERENCE

FPTAN--Par tial Tangent (Continued)
Operation
IF ST(0) < 263 THEN C2 0; ST(0) tan(ST(0)); TOP TOP - 1; ST(0) 1.0; ELSE (*source operand is out-of-range *) C2 1; FI;

FPU Flags Affected C1 Set to 0 if stack underflow occurred; set to 1 if stack overflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C2 C0, C3 Set to 1 if source operand is outside the range -2 cleared to 0. Undefined.
63

to +263; otherwise,

Floating-Point Exceptions #IS #IA #D #U #P Stack underflow occurred. Source operand is an SNaN value, , or unsupported format. Source operand is a denormal value. Result is too small for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 158


INSTRUCTION SET REFER EN CE

FRNDINT--Round to Integer
Opcode D9 FC Instruction FRNDINT D escription R ound ST( 0) to an integer.

Description Rounds the source value in the ST(0) register to the nearest integral value, depending on the current rounding mode (setting of the RC field of the FPU control word), and stores the result in ST(0). If the source value is , the value is not changed. If the source value is not an integral value, the floating-point inexact-result exception (#P) is generated. Operation
ST(0) RoundToIntegralValue(ST(0));

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA #D #P Stack underflow occurred. Source operand is an SNaN value or unsupported format. Source operand is a denormal value. Source operand is not an integral value.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-159


INSTRUCTION SET REFERENCE

FRSTOR--Restore FPU State
Opcode DD /4 Instruction FRS TOR m94/108byte Description Load FPU state from m94byte or m108byte.

Description Loads the FPU state (operating environment and register stack) from the memory area specified with the source operand. This state data is typically written to the specified memory location by a previous FSAVE/FNSAVE instruction. The FPU operating environment consists of the FPU control word, status word, tag word, instruction pointer, data pointer, and last opcode. Figures 7-13 through 7-16 in the Intel Architecture Software D eveloper's Manual, Volume 1, show the layout in memory of the stored environment, depending on the operating mode of the processor (protected or real) and the current operand-size attribute (16-bit or 32-bit). In virtual-8086 mode, the real mode layouts are used. The contents of the FPU register stack are stored in the 80 bytes immediately follow the operating environment image. The FRSTOR instruction should be executed in the same operating mode as the corresponding FSAVE/FNSAVE instruction. If one or more unmasked exception bits are set in the new FPU status word, a floating-point exception will be generated. To avoid raising exceptions when loading a new operating environment, clear all the exception flags in the FPU status word that is being loaded. Operation
FPUControlWord SRC(FPUControlWord); FPUStatusWord SRC(FPUStatusWord); FPUTagWord SRC(FPUTagWord); FPUDataPointer SRC(FPUDataPointer); FPUInstructionPointer SRC(FPUInstructionPointer); FPULastInstructionO pcode SRC(FPULastInstructionOpcode); ST(0) SRC(ST(0)); ST(1) SRC(ST(1)); ST(2) SRC(ST(2)); ST(3) SRC(ST(3)); ST(4) SRC(ST(4)); ST(5) SRC(ST(5)); ST(6) SRC(ST(6)); ST(7) SRC(ST(7));

FPU Flags Affected The C0, C1, C2, C3 flags are loaded.

3- 160


INSTRUCTION SET REFER EN CE

FRSTOR--Restore FPU State (Continued)
Floating-Point Exceptions None; however, this operation might unmask an existing exception that has been detected but not generated, because it was masked. Here, the exception is generated at the completion of the instruction. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-161


INSTRUCTION SET REFERENCE

FSAVE/FNSAVE--Store FPU State
Opcode 9B DD /6 Instruct ion FSAV E m94/108byte Description Store FPU state to m94byte or m108byte after checking for pending unmasked floating-point exceptions. Then reinitialize the FPU. Store FPU environment to m94byte or m108byte without checking for pending unmasked floating-point exceptions. Then re-initialize the FPU.

DD /6

FNSAVE* m94/108byte

NOTE: * See "Intel Architecture Compatibility" below.

Description Stores the current FPU state (operating environment and register stack) at the specified destination in memory, and then re-initializes the FPU. The FSAVE instruction checks for and handles pending unmasked floating-point exceptions before storing the FPU state; the FNSAVE instruction does not. The FPU operating environment consists of the FPU control word, status word, tag word, instruction pointer, data pointer, and last opcode. Figures 7-13 through 7-16 in the Intel Architecture Software D eveloper's Manual, Volume 1, show the layout in memory of the stored environment, depending on the operating mode of the processor (protected or real) and the current operand-size attribute (16-bit or 32-bit). In virtual-8086 mode, the real mode layouts are used. The contents of the FPU register stack are stored in the 80 bytes immediately follow the operating environment image. The saved image reflects the state of the FPU after all floating-point instructions preceding the FSAVE/FNSAVE instruction in the instruction stream have been executed. After the FPU state has been saved, the FPU is reset to the same default values it is set to with the FIN IT/FNINIT instructions (see "FINIT/FNINIT--Initialize Floating-Point Unit" in this chapter). The FSAVE/FN SAV E instructions are typically used w hen the operating system needs to perform a context switch, an exception handler needs to use the FPU, or an application program needs to pass a "clean" FPU to a procedure. Intel Architecture Compatibility For Intel math coprocessors and FPUs prior to the Intel Pentium processor, an FWAIT instruction should be executed before attempting to read from the memory image stored with a prior FSAVE/FNSAVE instruction. This FWAIT instruction helps insure that the storage operation has been completed.

3- 162


INSTRUCTION SET REFER EN CE

FSAVE/FNSAVE--Store FPU State (Continued)
When operating a Pentium or Intel486 processor in MS-DOS compatibility mode, it is possible (under unusual circumstances) for an FNSAVE instruction to be interrupted prior to being executed to handle a pending FPU exception. See the section titled "No-Wait FPU Instructions Can Get FPU Interrupt in Window " in Appendix D of the Intel Architecture Software Developer's Manual, Volum e 1, for a description of these circumstances. An FNSAVE instruction cannot be interrupted in this way on a Pentium Pro processor. Operation
(* Save FPU State and Registers *) DEST(FPUControlWord) FPUControlWord; DEST(FPUStatusWord) FPUStatusWord; DEST(FPUTagWord) FPUTagWord; DEST(FPUDataPointer) FPUDataPointer; DEST(FPUInstructionPointer) FPUInstructionPointer; DEST(FPULastInstructionOpcode) FPULastInstructionOpcode; DEST(ST(0)) ST(0); DEST(ST(1)) ST(1); DEST(ST(2)) ST(2); DEST(ST(3)) ST(3); DEST(ST(4)) ST(4); DEST(ST(5)) ST(5); DEST(ST(6)) ST(6); DEST(ST(7)) ST(7); (* Initialize FPU *) FPUC ontrolWord 037FH; FPUStatusWord 0; FPUTagWord FFFFH; FPUD ataPointer 0; FPUInstructionPointer 0; FPULastInstructionOpcode 0;

FPU Flags Affected The C0, C1, C2, and C3 flags are saved and then cleared. Floating-Point Exceptions None. Protected Mode Exceptions #GP(0) If destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.

3-163


INSTRUCTION SET REFERENCE

FSAVE/FNSAVE--Store FPU State (Continued)
If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 164


INSTRUCTION SET REFER EN CE

FSCALE--Scale
Opcode D9 FD Instruction FSCALE D escription Scale ST(0) by ST(1).

Description Multiplies the destination operand by 2 to the power of the source operand and stores the result in the destination operand. The destination operand is a real value that is located in register ST(0). The source operand is the nearest integer value that is smaller than the value in the ST(1) register (that is, the value in register ST(1) is truncated toward 0 to its nearest integer value to form the source operand). This instruction provides rapid multiplication or division by integral powers of 2 because it is implemented by simply adding an integer value (the source operand) to the exponent of the value in register ST(0). The following table shows the results obtained when scaling various classes of numbers, assuming that neither overflow nor underflow occurs.
ST(1) -N - S T(0) -F -0 +0 +F + NaN NOTES: F Means finite-real number. N Means integer. - -F -0 +0 +F + NaN 0 - -F -0 +0 +F + NaN +N - -F -0 +0 +F + NaN

In most cases, only However, when the and the result may results from a scale

the exponent is changed and the mantissa (significand) remains unchanged. value being scaled in ST(0) is a denormal value, the mantissa is also changed turn out to be a normalized number. Similarly, if overflow or underflow operation, the resulting mantissa will differ from the source's mantissa.

The FSCALE instruction can also be used to reverse the action of the FXTRACT instruction, as shown in the following example:
FXTRACT; FSCALE; FSTP ST(1);

3-165


INSTRUCTION SET REFERENCE

FSCALE--Scale (Continued)
In this example, the FXTRACT instruction extracts the significand and exponent from the value in ST(0) and stores them in ST(0) and ST(1) respectively. The FSCALE then scales the significand in ST(0) by the exponent in ST(1), recreating the original value before the FXTRACT operation was performed. The FSTP ST(1) instruction overwrites the exponent (extracted by the FXTRACT instruction) with the recreated value, which returns the stack to its original state with only one register [ST(0)] occupied. Operation
ST(0) ST(0) 2
ST(1)

;

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA #D #U #O #P Stack underflow occurred. Source operand is an SNaN value or unsupported format. Source operand is a denormal value. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 166


INSTRUCTION SET REFER EN CE

FSIN--Sine
Opcode D9 F E Instruction FSIN D escription R eplace ST(0) with its sine.

Description Calculates the sine of the source operand in register ST(0) and stores the result in ST(0). The source operand must be given in radians and must be within the range -263 to +263. The following table shows the results obtained when taking the sine of various classes of numbers, assuming that underflow does not occur.
S RC (ST(0)) - -F -0 +0 +F + NaN NOTES: F Means finite-real number. * Indicates floating-point invalid-ar ithmetic-operand (#IA) exception. DEST (ST(0) ) * -1 to +1 -0 +0 -1 to +1 * N aN

If the source operand is outside the acceptable range, the C2 flag in the FPU status word is set, and the value in register ST(0) remains unchanged. The instruction does not raise an exception when the source operand is out of range. It is up to the program to check the C2 flag for out-ofrange conditions. Source values outside the range -263 to +263 can be reduced to the range of the instruction by subtracting an appropriate integer multiple of 2 or by using the FPREM instruction with a divisor of 2. See the section titled "Pi" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1, for a discussion of the proper value to use for in performing such reductions. Operation
IF ST(0) < 263 THEN C2 0; ST(0) sin(ST(0)); ELSE (* source operand out of range *) C2 1; FI:

3-167


INSTRUCTION SET REFERENCE

FSIN--Sine (Continued)
FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C2 C0, C3 Set to 1 if source operand is outside the range -2 cleared to 0. Undefined.
63

to +263; otherwise,

Floating-Point Exceptions #IS #IA #D #P Stack underflow occurred. Source operand is an SNaN value, , or unsupported format. Source operand is a denormal value. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 168


INSTRUCTION SET REFER EN CE

FSINCOS--Sine and Cosine
Opcode D9 FB Instruction FSINC OS D escription C ompute the sine and cosine of ST(0); replace ST(0) with the sine, and push the cosine onto the register stack.

Description Computes both the sine and the cosine of the source operand in register ST(0), stores the sine in ST(0), and pushes the cosine onto the top of the FPU register stack. (This instruction is faster than executing the FSIN and FCOS instructions in succession.) The source operand must be given in radians and must be within the range -263 to +263. The following table shows the results obtained when taking the sine and cosine of various classes of numbers, assuming that underflow does not occur.
SRC ST(0) - -F -0 +0 +F + NaN NOTES: F Means finite-real number. * Indicates floating-point invalid-ar ithmetic-operand (#IA) exception. ST(1) C osine * -1 to +1 +1 +1 -1 to +1 * Na N DEST ST(0) Sine * -1 to +1 -0 +0 -1 to +1 * NaN

If the source operand is outside the acceptable range, the C2 flag in the FPU status word is set, and the value in register ST(0) remains unchanged. The instruction does not raise an exception when the source operand is out of range. It is up to the program to check the C2 flag for out-ofrange conditions. Source values outside the range -263 to +263 can be reduced to the range of the instruction by subtracting an appropriate integer multiple of 2 or by using the FPREM instruction with a divisor of 2. See the section titled "Pi" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1, for a discussion of the proper value to use for in performing such reductions.

3-169


INSTRUCTION SET REFERENCE

FSINCOS--Sine and Cosine (Continued)
Operation
IF ST(0) < 263 THEN C2 0; TEMP cosine(ST(0)); ST(0) sine(ST(0)); TOP TOP - 1; ST(0) TEMP; ELSE (* source operand out of range *) C2 1; FI:

FPU Flags Affected C1 Set to 0 if stack underflow occurred; set to 1 of stack overflow occurs. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C2 C0, C3 Set to 1 if source operand is outside the range -2 cleared to 0. Undefined.
63

to +263; otherwise,

Floating-Point Exceptions #IS #IA #D #U #P Stack underflow occurred. Source operand is an SNaN value, , or unsupported format. Source operand is a denormal value. Result is too small for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 170


INSTRUCTION SET REFER EN CE

FSQRT--Square Root
Opcode D9 FA Instruction FSQRT Description Calculates square root of ST(0) and stor es the result in ST(0)

Description Calculates the square root of the source value in the ST(0) register and stores the result in ST(0). The following table shows the results obtained when taking the square root of various classes of numbers, assuming that neither overflow nor underflow occurs.
S RC (ST(0)) - -F -0 +0 +F + NaN NOTE S: F Means finite-real number. * Indicates floating-point invalid-ar ithmetic-operand (#IA) exception. DEST (ST(0) ) * * -0 +0 +F + N aN

Operation
ST(0) SquareRoot(ST(0));

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

3-171


INSTRUCTION SET REFERENCE

FSQRT--Square Root (Continued)
Floating-Point Exceptions #IS #IA Stack underflow occurred. Source operand is an SNaN value or unsupported format. Source operand is a negative value (except for -0). #D #P Source operand is a denormal value. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 172


INSTRUCTION SET REFER EN CE

FST/FSTP--Store Real
Opcode D9 /2 DD /2 DD D0+i D9 /3 DD /3 DB /7 DD D8+i Instruction FST m32real FST m64real FST ST(i) FSTP m32real FSTP m64real FSTP m80real FSTP ST(i) D escription C opy S T(0) to m32real C opy S T(0) to m64real C opy ST(0) to ST(i) C opy S T(0) to m32real and pop register stack C opy S T(0) to m64real and pop register stack C opy S T(0) to m80real and pop register stack C opy ST(0) to ST(i) and pop register stack

Description The FST instruction copies the value in the ST(0) register to the destination operand, which can be a memory location or another register in the FPU register stack. When storing the value in memory, the value is converted to single- or double-real format. The FSTP instruction performs the same operation as the FST instruction and then pops the register stack. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1. The FSTP instruction can also store values in memory in extended-real format. If the destination operand is a memory location, the operand specifies the address where the first byte of the destination value is to be stored. If the destination operand is a register, the operand specifies a register in the register stack relative to the top of the stack. If the destination size is single- or double-real, the significand of the value being stored is rounded to the width of the destination (according to rounding mode specified by the RC field of the FPU control word), and the exponent is converted to the width and bias of the destination format. If the value being stored is too large for the destination format, a numeric overflow exception (#O ) is generated and, if the exception is unmasked, no value is stored in the destination operand. If the value being stored is a denormal value, the denormal exception (#D) is not generated. This condition is simply signaled as a numeric underflow exception (#U) condition. If the value being stored is ±0, ±, or a NaN, the least-significant bits of the significand and the exponent are truncated to fit the destination format. This operation preserves the value's identity as a 0, , or NaN. If the destination operand is a non-empty register, the invalid-operation exception is not generated. Operation
DEST ST(0); IF instruction = FSTP THEN PopRegisterStack; FI;

3-173


INSTRUCTION SET REFERENCE

FST/FSTP--Store Real (Continued)
FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction of if the floating-point inexact exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA #U #O #P Stack underflow occurred. Source operand is an SNaN value or unsupported format. Result is too small for the destination format. Result is too large for the destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

3- 174


INSTRUCTION SET REFER EN CE

FST/FSTP--Store Real (Continued)
Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-175


INSTRUCTION SET REFERENCE

FSTCW/FNSTCW--Store Control Word
Opcode 9B D9 /7 D9 /7 NOTE: * See "Intel Architecture Compatibility" below. Instruction FS TCW m2byte FNS TCW* m2byte Description Store FPU control word to m2byte after checking for pending unmasked floating-point exceptions. Store FPU control word to m2byte without checking for pending unmasked floating-point exceptions.

Description Stores the current value of the FPU control word at the specified destination in memory. The FSTCW instruction checks for and handles pending unmasked floating-point exceptions before storing the control word; the FNSTCW instruction does not. Intel Architecture Compatibility When operating a Pentium or Intel486 processor in MS-DOS compatibility mode, it is possible (under unusual circumstances) for an FNSTCW instruction to be interrupted prior to being executed to handle a pending FPU exception. See the section titled "No-Wait FPU Instructions Can Get FPU Interrupt in Window" in Appendix D of the Intel Architecture Software Developer's Manual, Volume 1, for a description of these circumstances. An FNSTCW instruction cannot be interrupted in this way on a Pentium Pro processor. Operation
DEST FPU ControlWord;

FPU Flags Affected The C0, C1, C2, and C3 flags are undefined. Floating-Point Exceptions None. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) If a memory operand effective address is outside the SS segment limit.

3- 176


INSTRUCTION SET REFER EN CE

FSTCW/FNSTCW--Store Control Word (Continued)
#NM #PF(fault-code) #AC(0) EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-177


INSTRUCTION SET REFERENCE

FSTENV/FNSTENV--Store FPU Environment
Opcode 9B D9 /6 Instruction FS TENV m14/28byte Description Store FPU environment to m14byte or m28byte after checking for pending unmasked floating-point exceptions. Then mask all floating-point exceptions. Store FPU environment to m14byte or m28byte without checking for pending unmasked floating-point exceptions. Then mask all floating-point exceptions.

D9 /6

FNS TENV* m14/28byte

NOTE: * See "Intel Architecture Compatibility" below.

Description Saves the current FPU operating environment at the memory location specified with the destination operand, and then masks all floating-point exceptions. The FPU operating environment consists of the FPU control word, status word, tag word, instruction pointer, data pointer, and last opcode. Figures 7-13 through 7-16 in the Intel Architecture Software Developer's Manual, Volume 1, show the layout in memory of the stored environment, depending on the operating mode of the processor (protected or real) and the current operand-size attribute (16-bit or 32bit). In virtual-8086 mode, the real mode layouts are used. Th ti o im FS e FSTENV instruction checks for and handles any pending unmasked floating-point excepn s before storing th e FPU e nvironmen t; th e FN STENV inst ru ct ion do es not.T he saved ag e reflects the state of the FPU after all floating-point instructions preceding the TENV/FNSTENV instruction in the instruction stream have been executed.

These instructions are often used by exception handlers because they provide access to the FPU instruction and data pointers. The environment is typically saved in the stack. Masking all exceptions after saving the environment prevents floating-point exceptions from interrupting the exception handler. Intel Architecture Compatibility When operating a Pentium or Intel486 processor in MS-DOS compatibility mode, it is possible (under unusual circumstances) for an FN STEN V instruction to be interrupted prior to being executed to handle a pending FPU exception. See the section titled "No-Wait FPU Instructions Can Get FPU Interrupt in Window" in Appendix D of the Intel Architecture Software Developer's Manual, Volume 1, for a description of these circumstances. An FN STEN V instruction cannot be interrupted in this way on a Pentium Pro processor. Operation
DEST(F DEST(F DEST(F DEST(F PUControlWord) FPU ControlWord; PUStatusWord) FPUStatusWord; PUTagWord) FPUTagWord; PUDataPointer) FPUDataPointer;

3- 178


INSTRUCTION SET REFER EN CE

FSTENV/FNSTENV--Store FPU Environment (Continued)
DEST(FPUInstructionPointer) FPUInstructionPointer; DEST(FPULastInstructionOpcode) FPULastInstructionOpcode;

FPU Flags Affected The C0, C1, C2, and C3 are undefined. Floating-Point Exceptions None. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-179


INSTRUCTION SET REFERENCE

FSTSW/FNSTSW--Store Status Word
Opcode 9B DD /7 9B DF E0 DD /7 DF E0 NOTE: * See "Intel Architecture Compatibility" below. Instruction FS TSW m2byte FSTSW AX FNS TSW* m2byte FNSTSW* AX Description S tore FPU status word at m2byte after checking for pending unmasked floating-point exceptions. Store FPU status word in AX register after checking for pending unmasked floating-point exceptions. S tore FPU status word at m2byte without checking for pending unmasked floating-point exceptions. Store FPU status word in AX register without checking for pending unmasked floating-point exceptions.

Description Stores the current value of the FPU status word in the destination location. The destination operand can be either a two-byte memory location or the AX register. The FSTSW instruction checks for and handles pending unmasked floating-point exceptions before storing the status word; the FNSTSW instruction does not. The FNSTSW AX form of the instruction is used primarily in conditional branching (for instance, after an FPU comparison instruction or an FPREM, FPREM1, or FXAM instruction), where the direction of the branch depends on the state of the FPU condition code flags. (See the section titled "Branching and Conditional Moves on FPU Condition Codes" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1.) This instruction can also be used to invoke exception handlers (by examining the exception flags) in environments that do not use interrupts. When the FNSTSW AX instruction is executed, the AX register is updated before the processor executes any further instructions. The status stored in the AX register is thus guaranteed to be from the completion of the prior FPU instruction. Intel Architecture Compatibility When operating a Pentium or Intel486 processor in MS-DOS compatibility mode, it is possible (under unusual circumstances) for an FNSTSW instruction to be interrupted prior to being executed to handle a pending FPU exception. See the section titled "No-Wait FPU Instructions Can Get FPU Interrupt in Window" in Appendix D of the Intel Architecture Software Developer's Manual, Volume 1, for a description of these circumstances. An FN STSW instruction cannot be interrupted in this way on a Pentium Pro processor. Operation
DEST FPU StatusWord;

FPU Flags Affected The C0, C1, C2, and C3 are undefined.

3- 180


INSTRUCTION SET REFER EN CE

FSTSW/FNSTSW--Store Status Word (Continued)
Floating-Point Exceptions None. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-181


INSTRUCTION SET REFERENCE

FSUB/FSUBP/FISUB--Subtract
Opcode D8 /4 DC /4 D8 E0+i DC E 8+i DE E8+i DE E9 DA /4 DE /4 Instruction FSUB m32real FSUB m64real FSUB ST(0), ST( i) FSUB ST(i), ST(0) FSUBP ST(i), ST(0) FSUBP FISUB m32int FISUB m16int Description Subtract m32real from ST(0) and store result in ST(0) Subtract m64real from ST(0) and store result in ST(0) Subtract ST(i) from ST(0) and store result in ST(0) Subtract ST(0) from ST(i) and store result in ST(i) Subtract ST(0) from ST(i), store result in ST(i), and pop register stack Subtract ST(0) from ST(1) , store r esult in ST(1), and pop register stack Subtract m32int from ST(0) and store result in ST(0) Subtract m16int from ST(0) and store result in ST(0)

Description Subtracts the source operand from the destination operand and stores the difference in the destination location. The destination operand is always an FPU data register; the source operand can be a register or a memory location. Source operands in memory can be in single-real, doublereal, word-integer, or short-integer formats. The no-operand version of the instruction subtracts ST(1) register and stores the result in ST(1). The on a memory location (either a real or an integer value) stores the result in ST(0). The two-operand version, from the ST(i) register or vice versa. the contents of the ST(0) register from the e-operand version subtracts the contents of from the contents of the ST(0) register and subtracts the contents of the ST(0) register

The FSUBP instructions perform the additional operation of popping the FPU register stack follow ing the subtraction. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1. The no-operand version of the floating-point subtract instructions always results in the register stack being popped. In some assemblers, the mnemonic for this instruction is FSUB rather than FSUBP. The FISUB instructions convert an integer source operand to extended-real format before performing the subtraction. The following table shows the results obtained when subtracting various classes of numbers from one another, assuming that neither overflow nor underflow occurs. Here, the SRC value is subtracted from the DEST value (DEST - SRC = result). When the difference between two operands of like sign is 0, the result is +0, except for the round toward - mode, in w hich case the result is -0. This instruction also guarantees that +0 - (-0) = +0, and that -0 - (+0) = -0. When the source operand is an integer 0, it is treated as a +0. When one operand is , the result is of the expected sign. If both operands are of the same sign, an invalid-operation exception is generated.

3- 182


INSTRUCTION SET REFER EN CE

FSUB/FSUBP/FISUB--Subtract (Continued)
SRC - - -F DES T -0 +0 +F + NaN NOTES: F Means finite-real number. I Means integer. * Indicates floating-point invalid-ar ithmetic-operand (#IA) exception. * + + + + + Na N -F or -I - ±F or ±0 -SRC -SRC +F + NaN -0 - DEST ±0 +0 DEST + NaN +0 - DEST -0 ±0 DEST + NaN +F or +I - -F -SRC -SRC ±F or ±0 + Na N + - - - - - * NaN NaN NaN NaN NaN NaN NaN NaN NaN

Operation
IF instruction is FISUB THEN DEST DEST - ConvertExtendedReal(SRC); ELSE (* source operand is real number *) DEST DEST - SRC; FI; IF instruction is FSUBP THEN PopRegisterStack FI;

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) fault is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA Stack underflow occurred. Operand is an SNaN value or unsupported format. Operands are infinities of like sign.

3-183


INSTRUCTION SET REFERENCE

FSUB/FSUBP/FISUB--Subtract (Continued)
#D #U #O #P Source operand is a denormal value. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 184


INSTRUCTION SET REFER EN CE

FSUBR/FSUBRP/FISUBR--Reverse Subtract
Opcode D8 /5 DC /5 D8 E 8+i DC E0+i DE E0+i DE E1 DA /5 DE /5 Instruction FS UBR m32real FS UBR m64real FS UBR ST(0) , ST(i) FSUBR ST(i), ST(0) FS UBRP S T(i), ST(0) FS UBRP FISUBR m32int FISUBR m16int Description Subtract ST(0) from m32real and store result in ST(0) Subtract ST(0) from m64real and store result in ST(0) Subtract ST(0) from ST(i) and store result in ST( 0) Subtract ST(i) from ST(0) and store result in ST(i) Subtract ST(i) from ST(0) , store result in ST(i), and pop register stack Subtract ST(1) from ST(0), store result in ST(1), and pop register stack Subtract ST(0) from m32int and store result in ST(0) Subtract ST(0) from m16int and store result in ST(0)

Description Subtracts the destination operand from the source operand and stores the difference in the destination location. The destination operand is always an FPU register; the source operand can be a register or a memory location. Source operands in memory can be in single-real, double-real, word-integer, or short-integer formats. These instructions perform the reverse operations of the FSUB, FSUBP, and FISUB instructions. They are provided to support more efficient coding. The no-operand version of the instruction subtracts the contents of the ST(1) register from the ST(0) register and stores the result in ST(1). The one-operand version subtracts the contents of the ST(0) register from the contents of a memory location (either a real or an integer value) and stores the result in ST(0). The two-operand version, subtracts the contents of the ST(i) register from the ST(0) register or vice versa. The FSUBRP instructions perform the additional operation of popping the FPU register stack following the subtraction. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1. The no-operand version of the floating-point reverse subtract instructions always results in the register stack being popped. In some assemblers, the mnemonic for this instruction is FSUBR rather than FSUBRP. The FISUBR instructions convert an integer source operand to extended-real format before performing the subtraction. The following table shows the results obtained when subtracting various classes of numbers from one another, assuming that neither overflow nor underflow occurs. Here, the D EST value is subtracted from the SRC value (SRC - DEST = result). When the difference between two operands of like sign is 0, the result is +0, except for the round toward - mode, in which case the result is -0. This instruction also guarantees that +0 - (-0) = +0, and that -0 - (+0) = -0. W hen the source operand is an integer 0, it is treated as a +0. When one operand is , the result is of the expected sign. If both operands are of the same sign, an invalid-operation exception is generated.

3-185


INSTRUCTION SET REFERENCE

FSUBR/FSUBRP/FISUBR--Reverse Subtract (Continued)
SRC - - -F DEST -0 +0 +F + NaN NOTE S: F Means finite-real number. I Means integer. * Indicates floating-point invalid-ar ithmetic-operand ( #IA ) exception. * - - - - - N aN -F or -I + ±F or ±0 SRC SRC -F - NaN -0 + -DES T ±0 -0 -DES T - Na N +0 + -D EST +0 ±0 -D EST - N aN +F o r + I + +F SRC SRC ±F or ±0 - NaN + + + + + + * NaN NaN NaN NaN NaN NaN NaN Na N Na N

Operation
IF instruction is FISUBR THEN DEST ConvertExtendedReal(SRC) - DEST; ELSE (* source operand is real number *) DEST SRC - DEST; FI; IF instruction = FSUBRP THEN PopRegisterStack FI;

FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) fault is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA Stack underflow occurred. Operand is an SNaN value or unsupported format. Operands are infinities of like sign.

3- 186


INSTRUCTION SET REFER EN CE

FSUBR/FSUBRP/FISUBR--Reverse Subtract (Continued)
#D #U #O #P Source operand is a denormal value. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #NM If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #NM #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. EM or TS in CR0 is set. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-187


INSTRUCTION SET REFERENCE

FTST--TEST
Opcode D9 E4 Instruction FTST Description Compare ST(0) with 0.0.

Description Compares the value in the ST(0) register with 0.0 and sets the condition code flags C0, C2, and C3 in the FPU status word according to the results (see table below).
Condition ST(0) > 0.0 ST(0) < 0.0 ST(0) = 0.0 Unordered C3 0 0 1 1 C2 0 0 0 1 C0 0 1 0 1

This instruction performs an "unordered comparison." An unordered comparison also checks the class of the numbers being compared (see "FXAM--Examine" in this chapter). If the value in register ST(0) is a NaN or is in an undefined format, the condition flags are set to "unordered" and the invalid operation exception is generated. The sign of zero is ignored, so that ­0.0 = +0.0. Operation
CASE (relation of operands) OF Not comparable: C3, C2, C0 ST(0) > 0.0: C3, C2, C0 ST(0) < 0.0: C3, C2, C0 ST(0) = 0.0: C3, C2, C0 ESAC; 111; 000; 001; 100;

FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred; otherwise, cleared to 0. See above table.

Floating-Point Exceptions #IS #IA #D Stack underflow occurred. The source operand is a NaN value or is in an unsupported format. The source operand is a denormal value.

3- 188


INSTRUCTION SET REFER EN CE

FTST--TEST (Continued)
Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-189


INSTRUCTION SET REFERENCE

FUCOM/FUCOMP/FUCOMPP--Unordered Compare Real
Opcode DD E 0+i DD E 1 DD E8+i DD E 9 DA E9 Instruction FUCOM S T(i) FUCOM FUCOMP ST(i) FUCOMP FUCOMPP Description Compare ST(0) with ST(i) Compare ST(0) with ST(1) Compare ST(0) with ST(i) and pop register stack Compare ST(0) with ST(1) and pop r egister stack Compare ST(0) with ST(1) and pop r egister stack twice

Description Performs an unordered comparison of the contents of register ST(0) and ST(i) and sets condition code flags C0, C2, and C3 in the FPU status word according to the results (see the table below). If no operand is specified, the contents of registers ST(0) and ST(1) are compared. The sign of zero is ignored, so that ­0.0 = +0.0.
Comparison Results ST0 > ST(i) ST0 < ST(i) ST0 = ST(i) Unordered NOTE : * Flags not set if unmasked invalid-arithmetic-operand (#IA) exception is generated. C3 0 0 1 1 C2 0 0 0 1 C0 0 1 0 1

An unordered comparison checks the class of the numbers being compared (see "FXAM--Examine" in this chapter). The FUCOM instructions perform the same operations as the FCOM instructions. The only difference is that the FUCOM instructions raise the invalidarithmetic-operand exception (#IA) only w hen either or both operands are an SNaN or are in an unsupported format; QNaNs cause the condition code flags to be set to unordered, but do not cause an exception to be generated. The FCOM instructions raise an invalid-operation exception when either or both of the operands are a NaN value of any kind or are in an unsupported format. As with the FCOM instructions, if the operation results in an invalid-arithmetic-operand exception being raised, the condition code flags are set only if the exception is masked. The FUCOMP instruction pops the register stack following the comparison operation and the FUCOMPP instruction pops the register stack twice following the comparison operation. To pop the register stack, the processor marks the ST(0) register as empty and increments the stack pointer (TOP) by 1.

3- 190


INSTRUCTION SET REFER EN CE

FUCOM/FUCOMP/FUCOMPP--Unordered Compare Real (Continued)
Operation
CASE (relation of operands) OF ST > SRC: C3, C2, C0 000; ST < SRC: C3, C2, C0 001; ST = SRC: C3, C2, C0 100; ESAC; IF ST(0) or SRC = QNaN, but not SNaN or unsupported format THEN C3, C2, C0 111; ELSE (* ST(0) or SRC is SNaN or unsupported format *) #IA; IF FPUControlWord.IM = 1 THEN C3, C2, C0 111; FI; FI; IF instruction = FUCOMP THEN PopRegisterStack; FI; IF instruction = FUCOMPP THEN PopRegisterStack; PopRegisterStack; FI;

FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred. See table on previous page.

Floating-Point Exceptions #IS #IA Stack underflow occurred. One or both operands are SNaN values or have unsupported formats. Detection of a QNaN value in and of itself does not raise an invalidoperand exception. One or both operands are denormal values.

#D

Protected Mode Exceptions #NM EM or TS in CR0 is set.

3-191


INSTRUCTION SET REFERENCE

FUCOM/FUCOMP/FUCOMPP--Unordered Compare Real (Continued)
Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Vir tual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3- 192


INSTRUCTION SET REFER EN CE

FWAIT--Wait
See entry for WAIT/FWAIT--Wait.

3-193


INSTRUCTION SET REFERENCE

FXAM--Examine
Opcode D9 E5 Instruction FXAM Description Classify value or number in ST(0)

Description Examines the contents of the ST(0) register and sets the condition code flags C0, C2, and C3 in the FPU status word to indicate the class of value or number in the register (see the table below).
.

Class Unsuppor ted NaN Nor mal finite number Infinity Zero Empty Denor mal number

C3 0 0 0 0 1 1 1

C2 0 0 1 1 0 0 1

C0 0 1 0 1 0 1 0

The C1 flag is set to the sign of the value in ST(0), regardless of whether the register is empty or full. Operation
C1 sign bit of ST; (* 0 for positive, 1 for negative *) CASE (class of value or num ber in ST(0)) OF Unsupported:C3, C2, C0 000; NaN: C3, C2, C0 001; Normal: C3, C2, C0 010; Infinity: C3, C2, C0 011; Zero: C3, C2, C0 100; Em pty: C3, C2, C0 101; Denorm al: C3, C2, C0 110; ESAC;

FPU Flags Affected C1 C0, C2, C3 Sign of value in ST(0). See table above.

3- 194


INSTRUCTION SET REFER EN CE

FXAM--Examine (Continued)
Floating-Point Exceptions None. Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-195


INSTRUCTION SET REFERENCE

FXCH--Exchange Register Contents
Opcode D9 C8+i D9 C9 Instruction FXCH ST(i) FX CH Description Exchange the contents of ST(0) and ST(i) Exchange the contents of ST(0) and ST(1)

Description Exchanges the contents of registers ST(0) and ST(i). If no source operand is specified, the contents of ST(0) and ST(1) are exchanged. This instruction provides a simple means of moving values in the FPU register stack to the top of the stack [ST(0)], so that they can be operated on by those floating-point instructions that can only operate on values in ST(0). For example, the following instruction sequence takes the square root of the third register from the top of the register stack:
FXCH ST(3); FSQRT; FXCH ST(3);

Operation
IF num ber-of-operands is 1 THEN temp ST(0); ST(0) SRC; SRC tem p; ELSE temp ST(0); ST(0) ST(1); ST(1) temp;

FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred; otherwise, cleared to 0. Undefined.

Floating-Point Exceptions #IS Stack underflow occurred.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

3- 196


INSTRUCTION SET REFER EN CE

FXCH--Exchange Register Contents (Continued)
Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-197


INSTRUCTION SET REFERENCE

FXTRACT--Extract Exponent and Significand
Opcode D9 F4 Instruction FXTRACT Description Separate value in ST(0) into exponent and significand, store exponent in ST(0), and push the significand onto the register stack.

Description Separates the source value in the ST(0) register into its exponent and significand, stores the exponent in ST(0), and pushes the significand onto the register stack. Following this operation, the new top-of-stack register ST(0) contains the value of the original significand expressed as a real number. The sign and significand of this value are the same as those found in the source operand, and the exponent is 3FFFH (biased value for a true exponent of zero). The ST(1) register contains the value of the original operand's true (unbiased) exponent expressed as a real number. (The operation performed by this instruction is a superset of the IEEE-recommended logb(x) function.) This instruction and the F2XM1 instruction are useful for performing power and range scaling operations. The FXTRACT instruction is also useful for converting numbers in extended-real format to decimal representations (e.g., for printing or displaying). If the floating-point zero-divide exception (#Z) is masked and the source operand is zero, an exponent value of ­ is stored in register ST(1) and 0 w ith the sign of the source operand is stored in register ST(0). Operation
TEMP Significand(ST(0)); ST(0) Exponent(ST(0)); TOP TOP - 1; ST(0) TEMP;

FPU Flags Affected C1 C0, C2, C3 Set to 0 if stack underflow occurred; set to 1 if stack overflow occurred. Undefined.

Floating-Point Exceptions #IS Stack underflow occurred. Stack overflow occurred. #IA #Z #D Source operand is an SNaN value or unsupported format. ST(0) operand is ±0. Source operand is a denormal value.

3- 198


INSTRUCTION SET REFER EN CE

FXTRACT--Extract Exponent and Significand (Continued)
Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-199


INSTRUCTION SET REFERENCE

FYL2X--Compute y log2x
Opcode D9 F1 Instruction FY L2X Description Replace ST(1) with ( ST(1) log2ST( 0)) and pop the register stack

Description Calculates (ST(1) log2 (ST(0))), stores the result in resister ST(1), and pops the FPU register stack. The source operand in ST(0) must be a non-zero positive number. The following table shows the results obtained when taking the log of various classes of numbers, assuming that neither overflow nor underflow occurs.
ST(0) - - S T(1) -F -0 +0 +F + NaN NOTE S: F Means finite-real number. * Indicates floating-point invalid-operation (#IA) exception. ** Indicates floating-point zero-divide (#Z) exception. * * * * * * NaN -F * * * * * * NaN ±0 + ** * * ** - NaN +0 < +F < +1 + +F +0 -0 -F - N aN +1 * -0 -0 +0 +0 Na N +F > +1 - -F -0 +0 +F + NaN + - - * * + + Na N NaN NaN NaN Na N Na N NaN NaN NaN

If the divide-by-zero exception is masked and register ST(0) contains ±0, the instruction returns with a sign that is the opposite of the sign of the source operand in register ST(1). The FYL2X instruction is designed with a built-in multiplication to optimize the calculation of logarithms with an arbitrary positive base (b):
logbx = (log2b)­1 log2x

Operation
ST(1) ST(1) log2ST(0); PopRegisterStack;

3- 200


INSTRUCTION SET REFER EN CE

FYL2X--Compute y log2x (Continued)
FPU Flags Affected C1 Set to 0 if stack underflow occurred. Indicates rounding direction if the inexact-result exception (#P) is generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA Stack underflow occurred. Either operand is an SNaN or unsupported format. Source operand in register ST(0) is a negative finite value (not -0). #Z #D #U #O #P Source operand in register ST(0) is ±0. Source operand is a denormal value. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-201


INSTRUCTION SET REFERENCE

FYL2XP1--Compute y log2(x +1)
Opcode D9 F9 Instruction FYL2XP1 Description Replace ST(1) with ST(1) log2(ST(0) + 1.0) and pop the register stack

Description Calculates the log epsilon (ST(1) log2(ST(0) + 1.0)), stores the result in register ST(1), and pops the FPU register stack. The source operand in ST(0) must be in the range: ­ ( 1 ­ 2 / 2 ) ) to ( 1 ­ 2 / 2 ) The source operand in ST(1) can range from - to +. If the ST(0) operand is outside of its acceptable range, the result is undefined and software should not rely on an exception being generated. Under some circumstances exceptions may be generated w hen ST(0) is out of range, but this behavior is implementation specific and not guaranteed. The following table shows the results obtained when taking the log epsilon of various classes of numbers, assuming that underflow does not occur.
ST( 0) -(1 - ( 2 / 2 )) to -0 - ST(1) -F -0 +0 +F + NaN NOTE S: F Means finite-real number. * Indicates floating-point invalid-operation (#IA) exception. + +F +0 -0 -F - Na N -0 * +0 +0 -0 -0 * NaN +0 * -0 -0 +0 +0 * Na N +0 to +(1 - ( 2 / 2 )) - -F -0 +0 +F + NaN Na N NaN Na N Na N Na N Na N NaN Na N

This instruction provides optimal accuracy for values of epsilon [the value in register ST(0)] that are close to 0. When the epsilon value () is small, more significant digits can be retained by using the FYL2XP1 instruction than by using (+1) as an argument to the FYL2X instruction. The (+1) expression is commonly found in compound interest and annuity calculations. The result can be simply converted into a value in another logarithm base by including a scale factor in the ST(1) source operand. The following equation is used to calculate the scale factor for a particular logarithm base, where n is the logarithm base desired for the result of the FYL2XP1 instruction: scale factor = logn 2
3- 202


INSTRUCTION SET REFER EN CE

FYL2XP1--Compute y log2(x +1) (Continued)
Operation
ST(1) ST(1) log2(ST(0) + 1.0); PopRegisterStack;

FPU Flags Affected C1 Set to 0 if stack underflow occurred. I nd ic ate s ro u nd in g di re ct io n i f t he in ex ac t- r esu lt ex cep ti on ( #P) i s generated: 0 = not roundup; 1 = roundup. C0, C2, C3 Undefined.

Floating-Point Exceptions #IS #IA #D #U #O #P Stack underflow occurred. Either operand is an SNaN value or unsupported format. Source operand is a denormal value. Result is too small for destination format. Result is too large for destination format. Value cannot be represented exactly in destination format.

Protected Mode Exceptions #NM EM or TS in CR0 is set.

Real-Address Mode Exceptions #NM EM or TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM EM or TS in CR0 is set.

3-203


INSTRUCTION SET REFERENCE

HLT--Halt
Opcode F4 Instruction HLT Description Halt

Description Stops inst NMI, or a tion after follow ing ruction execution and places the processor in a HALT state. An enabled interrupt, reset will resume execution. If an interrupt (including NMI) is used to resume execua H LT instruction, the saved instruction pointer (CS:EIP) points to the instruction the H LT instruction.

The HLT instruction is a privileged instruction. When the processor is running in protected or virtual-8086 mode, the privilege level of a program or procedure must be 0 to execute the HLT instruction. Operation
Enter Halt state;

Flags Affected None. Protected Mode Exceptions #GP(0) If the current privilege level is not 0.

Real-Address Mode Exceptions None. Vir tual-8086 Mode Exceptions #GP(0) If the current privilege level is not 0.

3- 204


INSTRUCTION SET REFER EN CE

IDIV--Signed Divide
Opcode F6 /7 Instruction IDIV r/m8 Description Signed divide AX ( where AH must contain signextension of AL) by r/m byte. (Results: AL=Quotient, AH=Remainder) Signed divide DX:AX (where DX must contain signextension of AX) by r/m word. ( Results: AX=Quotient, DX=Remainder) Signed divide EDX:EAX ( where EDX must contain sign-extension of EAX) by r/m doubleword. (Results: EAX=Quotient, EDX=Remainder)

F7 /7

IDIV r/m16

F7 /7

IDIV r/m32

Description Divides (signed) the value in the AL, AX, or EAX register by the source operand and stores the result in the AX, DX:AX, or EDX:EAX registers. The source operand can be a general-purpose register or a memory location. The action of this instruction depends on the operand size, as shown in the following table:
Operand S ize Word/byte Doublewor d/wor d Quadword/doublewor d Dividend AX DX:AX EDX:EA X Divisor r/m8 r/m16 r/m32 Quotient AL AX EA X Remainder AH DX E DX Quot ient Range -128 to +127 -32,768 to +32,767 -231 to 232 - 1

Non-integral resu same as the sign absolute value of than with the O F Operation

lts are truncated (chopped) towards 0. The sign of the remainder is always the of the dividend. The absolute value of the remainder is always less than the the divisor. Overflow is indicated with the #DE (divide error) exception rather (overflow) flag.

IF SRC = 0 THEN #DE; (* divide error *) FI; IF OpernadSize = 8 (* word/byte operation *) THEN temp AX / SRC; (* signed division *) IF (tem p > 7FH) OR (temp < 80H) (* if a positive result is greater than 7FH or a negative result is less than 80H *) THEN #DE; (* divide error *) ; ELSE AL temp; AH AX SignedModulus SRC; FI;

3-205


INSTRUCTION SET REFERENCE

IDIV--Signed Divide (Continued)
ELSE IF OpernadSize = 16 (* doubleword/word operation *) THEN temp DX:AX / SRC; (* signed division *) IF (temp > 7FFFH) OR (temp < 8000H) (* if a positive result is greater than 7FFFH *) (* or a negative result is less than 8000H *) THEN #DE; (* divide error *) ; ELSE AX tem p; DX DX:AX SignedModulus SR C; FI; ELSE (* quadword/doubleword operation *) temp EDX:EAX / SRC; (* signed division *) IF (temp > 7FFFFFFFH ) O R (temp < 80000000H) (* if a positive result is greater than 7FFFFFFFH *) (* or a negative result is less than 80000000H *) THEN #DE; (* divide error *) ; ELSE EAX tem p; EDX EDXE:AX SignedM odulus SRC; FI; FI; FI;

Flags Affected The CF, OF, SF, ZF, AF, and PF flags are undefined. Protected Mode Exceptions #DE If the source operand (divisor) is 0. The signed result (quotient) is too large for the destination. #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

3- 206


INSTRUCTION SET REFER EN CE

IDIV--Signed Divide (Continued)
Real-Address Mode Exceptions #DE If the source operand (divisor) is 0. The signed result (quotient) is too large for the destination. #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #DE If the source operand (divisor) is 0. The signed result (quotient) is too large for the destination. #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-207


INSTRUCTION SET REFERENCE

IMUL--Signed Multiply
Opcode F6 /5 F7 /5 F7 /5 0F AF /r 0F AF /r 6B /r ib 6B /r ib 6B /r ib 6B /r ib 69 /r iw 69 /r id 69 /r iw 69 /r id Instruct ion IMUL r/m8 IMUL r/m16 IMUL r/m32 IMUL r16,r/m16 IMUL r32,r/m32 IMUL r16,r/m16,imm8 IMUL r32,r/m32,imm8 IMUL r16,imm8 IMUL r32,imm8 IMUL r16,r/ m16,imm16 IMUL r32,r/ m32,imm32 IMUL r16,imm16 IMUL r32,imm32 Description AX AL r/m byte DX :AX AX r/m word EDX:EAX EAX r/m doubleword word r egister word register r/m word doubleword register doubleword register r/m doubleword word r egister r/m16 sign-extended immediate byte doubleword register r/m32 sign-extended immediate byte word r egister word register sign-extended immediate byte doubleword r egister doubleword register sign-extended immediate byte word r egister r/m16 immediate word doubleword register r/m32 immediate doubleword word r egister r/m16 immediate word doubleword register r/m32 immediate doubleword

Description Performs a signed multiplication of two operands. This instruction has three forms, depending on the number of operands.

·

One-operand form. This form is identical to that source operand (in a general-purpose register or value in the AL, AX, or EAX register (depending stored in the AX, DX:AX, or EDX:EA X registers,

used by the MUL instruction. Here, the memory location) is multiplied by the on the operand size) and the product is respectively.

·

Two-operand form. With this form the destination operand (the first operand) is multiplied by the source operand (second operand). The destination operand is a generalpurpose register and the source operand is an immediate value, a general-purpose register, or a memory location. The product is then stored in the destination operand location. Three-operand form. This form requires a destination operand (the first operand) and two source operands (the second and the third operands). Here, the first source operand (which can be a general-purpose register or a memory location) is multiplied by the second source operand (an immediate value). The product is then stored in the destination operand (a general-purpose register).

·

When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format.

3- 208


INSTRUCTION SET REFER EN CE

IMUL--Signed Multiply (Continued)
The CF and OF flags are set when significant bits are carried into the upper half of the result. The CF and OF flags are cleared when the result fits exactly in the low er half of the result. The three forms of the IMUL instruction are similar in that the length of the product is calculated to twice the length of the operands. With the one-operand form, the product is stored exactly in the destination. With the two- and three- operand forms, however, result is truncated to the length of the destination before it is stored in the destination register. Because of this truncation, the CF or OF flag should be tested to ensure that no significant bits are lost. The two- and three-operand forms may also be used with unsigned operands because the lower half of the product is the same regardless if the operands are signed or unsigned. The CF and OF flags, however, cannot be used to determine if the upper half of the result is non-zero. Operation
IF (NumberOfO perands = 1) THEN IF (O perandSize = 8) THEN AX AL SRC (* signed multiplication *) IF ((AH = 00H) OR (AH = FFH)) THEN CF = 0; OF = 0; ELSE CF = 1; O F = 1; FI; ELSE IF OperandSize = 16 THEN DX:AX AX SRC (* signed multiplication *) IF ((DX = 0000H) OR (DX = FFFFH)) THEN CF = 0; OF = 0; ELSE CF = 1; O F = 1; FI; ELSE (* OperandSize = 32 *) EDX:EAX EAX SRC (* signed multiplication *) IF ((EDX = 00000000H) OR (EDX = FFFFFFFFH)) THEN CF = 0; OF = 0; ELSE CF = 1; O F = 1; FI; FI; ELSE IF (NumberO fOperands = 2) THEN temp DEST SRC (* signed m ultiplication; temp is double DEST size*) DEST DEST SRC (* signed multiplication *) IF temp DEST THEN CF = 1; OF = 1; ELSE CF = 0; O F = 0; FI; ELSE (* Num berOfOperands = 3 *)

3-209


INSTRUCTION SET REFERENCE

IMUL--Signed Multiply (Continued)
DEST SRC1 SRC 2 temp SRC1 SRC2 IF tem p DEST THEN CF = 1; OF = ELSE CF = 0; OF = FI; FI; FI; (* signed multiplication *) (* signed multiplication; tem p is double SRC1 size *) 1; 0;

Flags Affected For the one operand form of the instruction, the CF and OF flags are set when significant bits are carried into the upper half of the result and cleared when the result fits exactly in the lower half of the result. For the two- and three-operand forms of the instruction, the CF and OF flags are set when the result must be truncated to fit in the destination operand size and cleared when the result fits exactly in the destination operand size. The SF, ZF, AF, and PF flags are undefined. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 210


INSTRUCTION SET REFER EN CE

IN--Input from Port
Opcode E4 ib E5 ib E5 ib EC ED ED Instruction IN AL,imm8 IN AX ,imm8 IN EAX,imm8 IN AL,DX IN AX ,DX IN EA X,DX D escription Input byte from imm8 I/O por t address into AL Input byte from imm8 I/O por t address into AX Input byte from imm8 I/O por t address into EAX Input byte from I/O por t in DX into AL Input word from I/O por t in DX into AX Input doubleword from I/O por t in DX into EAX

Description Copies the value from the I/O port specified with the second operand (source operand) to the destination operand (first operand). The source operand can be a byte-immediate or the DX register; the destination operand can be register AL, AX, or EAX, depending on the size of the port being accessed (8, 16, or 32 bits, respectively). Using the DX register as a source operand allows I/O port addresses from 0 to 65,535 to be accessed; using a byte immediate allows I/O port addresses 0 to 255 to be accessed. When accessing an 8-bit I/O port, the opcode determines the port size; when accessing a 16- and 32-bit I/O port, the operand-size attribute determines the port size. At the machine code level, I/O instructions are shorter when accessing 8-bit I/O ports. Here, the upper eight bits of the port address will be 0. This instruction is only useful for accessing I/O ports located in the processor's I/O address space. See Chapter 9, Input/Output, in the Intel Architecture Software D eveloper's Manual, Volume 1, for more information on accessing I/O ports in the I/O address space. Operation
IF ((PE = 1) AND ((CPL > IOPL) OR (VM = 1))) THEN (* Protected m ode with CPL > IO PL or virtual-8086 mode *) IF (Any I/O Permission Bit for I/O port being accessed = 1) THEN (* I/O operation is not allowed *) #GP(0); ELSE ( * I/O operation is allowed *) DEST SRC; (* Reads from selected I/O port *) FI; ELSE (Real Mode or Protected M ode with CPL IOPL *) DEST SRC; (* Reads from selected I/O port *) FI;

Flags Affected None.

3-211


INSTRUCTION SET REFERENCE

IN--Input from Por t (Continued)
Protected Mode Exceptions #GP(0) If the CPL is greater than (has less privilege) the I/O privilege level (IOPL) and any of the corresponding I/O permission bits in TSS for the I/O port being accessed is 1.

Real-Address Mode Exceptions None. Vir tual-8086 Mode Exceptions #GP(0) If any of the I/O permission bits in the TSS for the I/O port being accessed is 1.

3- 212


INSTRUCTION SET REFER EN CE

INC--Increment by 1
Opcode FE /0 FF /0 FF /0 40+ rw 40+ rd Instruction INC r/m8 INC r/m16 INC r/m32 INC r16 INC r32 D escription Increment r/m byte by 1 Increment r/m wor d by 1 Increment r/m doubleword by 1 Increment word register by 1 Increment doubleword r egister by 1

Description Adds 1 to the destination operand, while preserving the state of the CF flag. The destination operand can be a register or a memory location. This instruction allows a loop counter to be updated without disturbing the CF flag. (Use a ADD instruction with an immediate operand of 1 to perform an increment operation that does updates the CF flag.) Operation
DEST DEST +1;

Flags Affected The CF flag is not affected. The OF, SF, ZF, A F, and PF flags are set according to the result. Protected Mode Exceptions #GP(0) If the destination operand is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

3-213


INSTRUCTION SET REFERENCE

INC--Increment by 1 (Continued)
Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 214


INSTRUCTION SET REFER EN CE

INS/INSB/INSW/INSD--Input from Por t to String
Opcode 6C 6D 6D 6C 6D 6D Instruction INS m8, DX INS m16, DX INS m32, DX INSB INSW INSD D escription Input byte from I/O por t specified in DX into memor y location specified in ES:(E)DI Input word from I/O por t specified in DX into memor y location specified in ES:(E)DI Input doubleword from I/O por t specified in DX into memor y location specified in ES:(E)DI Input byte from I/O por t specified in DX into memor y location specified with ES:(E)DI Input word from I/O por t specified in DX into memor y location specified in ES:(E)DI Input doubleword from I/O por t specified in DX into memor y location specified in ES:(E)DI

Description Copies the data from the I/O port specified with the source operand (second operand) to the destination operand (first operand). The source operand is an I/O port address (from 0 to 65,535) that is read from the DX register. The destination operand is a memory location, the address of which is read from either the ES:EDI or the ES:DI registers (depending on the address-size attribute of the instruction, 32 or 16, respectively). (The ES segment cannot be overridden w ith a segment override prefix.) The size of the I/O port being accessed (that is, the size of the source and destination operands) is determined by the opcode for an 8-bit I/O port or by the operandsize attribute of the instruction for a 16- or 32-bit I/O port. At the assembly-code level, two forms of this instruction are allow ed: the "explicit-operands" form and the "no-operands" form. The explicit-operands form (specified w ith the INS mnemonic) allow s the source and destination operands to be specified explicitly. H ere, the source operand must be "D X," and the destination operand should be a symbol that indicates the size of the I/O port and the destination address. This explicit-operands form is provided to allow documentation; however, note that the documentation provided by this form can be misleading. That is, the destination operand symbol must specify the correct type (size) of the operand (byte, word, or doubleword), but it does not have to specify the correct location. The location is always specified by the ES:(E)DI registers, w hich must be loaded correctly before the INS instruction is executed. The no-operands form provides "short forms" of the byte, word, and doubleword versions of the IN S instructions. Here also DX is assumed by the processor to be the source operand and ES:(E)DI is assumed to be the destination operand. The size of the I/O port is specified with the choice of mnemonic: IN SB (byte), INSW (word), or INSD (doubleword). After the byte, word, or doubleword is transfer from the I/O port to the memory location, the (E)DI register is incremented or decremented automatically according to the setting of the DF flag in the EFLAGS register. (If the DF flag is 0, the (E)DI register is incremented; if the DF flag is 1, the (E)DI register is decremented.) The (E)DI register is incremented or decremented by 1 for byte operations, by 2 for word operations, or by 4 for doubleword operations.

3-215


INSTRUCTION SET REFERENCE

INS/INSB/INSW/INSD--Input from Por t to String (Continued)
The INS, INSB, INSW, and INSD instructions can be preceded by the REP prefix for block input of ECX bytes, words, or doublewords. See "REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix" in this chapter for a description of the REP prefix. These instructions are only useful for accessing I/O ports located in the processor's I/O address space. See Chapter 9, Input/Output, in the Intel Architecture Software Developer's Manual, Volume 1, for more information on accessing I/O ports in the I/O address space. Operation
IF ((PE = 1) AND ((CPL > IOPL) OR (VM = 1))) THEN (* Protected mode with CPL > IOPL or virtual-8086 mode *) IF (Any I/O Permission Bit for I/O port being accessed = 1) THEN (* I/O operation is not allowed *) #GP(0); ELSE ( * I/O operation is allowed *) DEST SRC; (* Reads from I/O port *) FI; ELSE (Real M ode or Protected Mode with CPL IOPL *) DEST SRC; (* Reads from I/O port *) FI; IF (byte transfer) THEN IF DF = 0 THEN (E)DI (E)DI + 1; ELSE (E)DI (E)DI ­ 1; FI; ELSE IF (word transfer) THEN IF DF = 0 THEN (E)DI (E)DI + 2; ELSE (E)DI (E)DI ­ 2; FI; ELSE (* doubleword transfer *) THEN IF DF = 0 THEN (E)DI (E)DI + 4; ELSE (E)D I (E)DI ­ 4; FI; FI; FI;

Flags Affected None.

3- 216


INSTRUCTION SET REFER EN CE

INS/INSB/INSW/INSD--Input from Por t to String (Continued)
Protected Mode Exceptions #GP(0) If the CPL is greater than (has less privilege) the I/O privilege level (IOPL) and any of the corresponding I/O permission bits in TSS for the I/O port being accessed is 1. If the destination is located in a nonwritable segment. If an illegal memory operand effective address in the ES segments is given. #PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #PF(fault-code) #AC(0) If any of the I/O permission bits in the TSS for the I/O port being accessed is 1. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-217


INSTRUCTION SET REFERENCE

INT n/INTO/INT 3--Call to Interrupt Procedure
Opcode CC CD CE Instruction INT 3 INT imm8 INTO Description Inter rupt 3-- trap to debugger Inter rupt vector number specified by immediate byte Inter rupt 4-- if overflow flag is 1

ib

Description The INT n instruction generates a call to the interrupt or exception handler specified with the destination operand (see the section titled "Interrupts and Exceptions" in Chapter 4 of the Intel Architecture Software Developer's Manual, Volume 1). The destination operand specifies an interrupt vector number from 0 to 255, encoded as an 8-bit unsigned intermediate value. Each interrupt vector number provides an index to a gate descriptor in the IDT. The first 32 interrupt vector numbers are reserved by Intel for system use. Some of these interrupts are used for internally generated exceptions. The INT n instruction is the general mnemonic for executing a software-generated call to an interrupt handler. The INTO instruction is a special mnemonic for calling overflow exception (#OF), interrupt vector number 4. The overflow interrupt checks the OF flag in the EFLAGS register and calls the overflow interrupt handler if the OF flag is set to 1. The IN T 3 instruction generates a special one byte opcode (CC) that is intended for calling the debug exception handler. (This one byte form is valuable because it can be used to replace the first byte of any instruction with a breakpoint, including other one byte instructions, without over-writing other code). To further support its function as a debug breakpoint, the interrupt generated with the CC opcode also differs from the regular software interrupts as follows:

· ·

Interrupt redirection does not happen when in VME mode; the interrupt is handled by a protected-mode handler. The virtual-8086 mode IOPL checks do not occur. The interrupt is taken without faulting at any IOPL level.

Note that the "normal" 2-byte opcode for INT 3 (CD03) does not have these special features. Intel and Microsoft assemblers will not generate the CD03 opcode from any mnemonic, but this opcode can be created by direct numeric code definition or by self-modifying code. The action of the INT n instruction (including the INTO and INT 3 instructions) is similar to that of a far call made w ith the CALL instruction. The primary difference is that with the INT n instruction, the EFLAGS register is pushed onto the stack before the return address. (The return address is a far address consisting of the current values of the CS and EIP registers.) Returns from interrupt procedures are handled with the IRET instruction, which pops the EFLAGS information and return address from the stack.

3- 218


INSTRUCTION SET REFER EN CE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
The interrupt vector number specifies an interrupt descriptor in the interrupt descriptor table (IDT); that is, it provides index into the IDT. The selected interrupt descriptor in turn contains a pointer to an in te rr upt or exc eption ha nd le r proc ed ur e. In pr otec ted mode, th e IDT contai ns an ar r ay o f 8-byte descriptors, each of which is an interrupt gate, trap gate, or task gate. In realad dr ess mo de , t he I D T is a n ar r ay o f 4- by te far p o in te rs (2 - byt e co de segme nt se lec to r an d a 2-byte instruction pointer), each of which point directly to a procedure in the selected segment. (N ote that in real-address mode, the IDT is called the interrupt vector table, and it's pointers are called interrupt vectors.) The following decision table indicates which action in the lower portion of the table is taken given the conditions in the upper portion of the table. Each Y in the lower section of the decision table represents a procedure defined in the "Operation" section for this instruction (except #GP).
PE VM IOPL DPL/CPL RELATIONSHIP IN TERRUP T TYPE GATE TYPE REAL-ADDRES SMODE PROTE CTED-MODE TRAP-ORIN TERRUP T-GATE IN TER-P RIVILEGELEVEL-INTE RRUPT IN TRA-PRIVILE GELEVEL-INTE RRUPT IN TERRUP T-FROMVIRTUAL-8086MODE TASK-GATE #GP NOTES: - Y Blank Don't Car e. Yes, Action Taken. Action Not Taken. Y Y Y Y Y Y 0 ­ ­ ­ 1 ­ ­ DPL< CPL S/W ­ 1 ­ ­ ­ 1 ­ ­ DPL> CPL ­ Trap or Interr upt 1 ­ ­ DPL= CPL or C ­ Trap or Interr upt 1 0 ­ DPL< CPL & NC ­ Trap or Interr upt 1 1 <3 ­ 1 1 =3 ­

­ ­ Y

­ Task

­ Trap or Interrupt

­ Trap or Interrupt

Y

Y

Y Y

Y Y

Y Y Y

Y Y

Y Y

3-219


INSTRUCTION SET REFERENCE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
When the processor is executing in virtual-8086 mode, the IOPL determines the action of the INT n instruction. If the IOPL is less than 3, the processor generates a general protection exception (#GP); if the IOPL is 3, the processor executes a protected mode interrupt to privilege level 0. The interrupt gate's D PL must be set to three and the target CPL of the interrupt handler procedure must be 0 to execute the protected mode interrupt to privilege level 0. The interrupt descriptor table register (IDTR) specifies the base linear address and limit of the IDT. The initial base address value of the IDTR after the processor is powered up or reset is 0. Operation The following operational description applies not only to the INT n and INTO instructions, but also to external interrupts and exceptions.
IF PE=0 THEN G OTO REAL-ADDRESS-MODE; ELSE (* PE=1 *) IF (VM=1 AND IOPL < 3 AND INT n) THEN #GP(0); ELSE (* protected mode or virtual-8086 m ode interrupt *) G OTO PROTECTED-M ODE; FI; FI; REAL-ADDRESS-MODE: IF ((DEST 4) + 3) is not within IDT limit THEN #GP; FI; IF stack not large enough for a 6-byte return information THEN #SS; FI; Push (EFLAGS[15:0]); IF 0; (* Clear interrupt flag *) TF 0; (* Clear trap flag *) AC 0; (*Clear AC flag*) Push(CS); Push(IP); (* No error codes are pushed *) CS IDT(Descriptor (vector_number 4), selector)); EIP IDT(Descriptor (vector_number 4), offset)); (* 16 bit offset AND 0000FFFFH *) END; PROTECTED-M ODE: IF ((DEST 8) + 7) is not within IDT limits O R selected IDT descriptor is not an interrupt-, trap-, or task-gate type THEN #GP((DEST 8) + 2 + EXT); (* EXT is bit 0 in error code *) FI;

3- 220


INSTRUCTION SET REFER EN CE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
IF software interrupt (* generated by INT n, INT 3, or INTO *) THEN IF gate descriptor DPL < CPL THEN #GP((vector_number 8) + 2 ); (* PE=1, DPL
3-221


INSTRUCTION SET REFERENCE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
IF segm ent selector is not within its descriptor table limits THEN #GP(selector + EXT); FI; Read trap or interrupt handler descriptor; IF descriptor does not indicate a code segment O R code segment descriptor DPL > CPL THEN #GP(selector + EXT); FI; IF trap or interrupt gate segment is not present, THEN #NP(selector + EXT); FI; IF code segment is non-conforming AND DPL < CPL THEN IF VM =0 THEN G OTO IN TER-PRIVILEGE-LEVEL-INTERR UPT; (* PE=1, interrupt or trap gate, nonconforming *) (* code segment, DPLCPL *) FI; FI; END; INTER-PREVILEGE-LEVEL-INTERRUPT (* PE=1, interrupt or trap gate, non-conform ing code segment, DPL TSS lim it THEN #TS(current TSS selector); FI; NewSS TSSstackAddress + 4; NewESP stack address;

3- 222


INSTRUCTION SET REFER EN CE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
ELSE (* TSS is 16-bit *) TSSstackAddress (new code segment DPL 4) + 2 IF (TSSstackAddress + 4) > TSS limit THEN #TS(current TSS selector); FI; NewESP TSSstackAddress; NewSS TSSstackAddress + 2; FI; IF segment selector is null THEN #TS(EXT); FI; IF segment selector index is not within its descriptor table limits OR segment selector's RPL DPL of code segment, THEN #TS(SS selector + EXT); FI; Read segment descriptor for stack segment in GDT or LDT; IF stack segment DPL DPL of code segment, OR stack segment does not indicate writable data segment, THEN #TS(SS selector + EXT); FI; IF stack segment not present THEN #SS(SS selector+EXT); FI; IF 32-bit gate THEN IF new stack does not have room for 24 bytes (error code pushed) OR 20 bytes (no error code pushed) THEN #SS(segment selector + EXT); FI; ELSE (* 16-bit gate *) IF new stack does not have room for 12 bytes (error code pushed) OR 10 bytes (no error code pushed); THEN #SS(segment selector + EXT); FI; FI; IF instruction pointer is not within code segment limits THEN #GP(0); FI; SS:ESP TSS(NewSS:New ESP) (* segment descriptor inform ation also loaded *) IF 32-bit gate THEN CS:EIP Gate(CS:EIP); (* segment descriptor inform ation also loaded *) ELSE (* 16-bit gate *) CS:IP Gate(CS:IP); (* segment descriptor inform ation also loaded *) FI; IF 32-bit gate THEN Push(far pointer to old stack); (* old SS and ESP, 3 words padded to 4 *); Push(EFLAG S); Push(far pointer to return instruction); (* old CS and EIP, 3 words padded to 4*); Push(ErrorCode); (* if needed, 4 bytes *)

3-223


INSTRUCTION SET REFERENCE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
ELSE(* 16-bit gate *) Push(far pointer to old stack); (* old SS and SP, 2 words *); Push(EFLAGS(15..0)); Push(far pointer to return instruction); (* old CS and IP, 2 words *); Push(ErrorCode); (* if needed, 2 bytes *) FI; CPL CodeSegmentDescriptor(DPL); CS(RPL) CPL; IF interrupt gate THEN IF 0 (* interrupt flag to 0 (disabled) *); FI; TF 0; VM 0; RF 0; NT 0; END; INTERRUPT-FROM-VIRTUAL-8086-MODE: (* Check segment selector and descriptor for privilege level 0 stack in current TSS *) IF current TSS is 32-bit TSS THEN TSSstackAddress (new code segment DPL 8) + 4 IF (TSSstackAddress + 7) > TSS lim it THEN #TS(current TSS selector); FI; NewSS TSSstackAddress + 4; NewESP stack address; ELSE (* TSS is 16-bit *) TSSstackAddress (new code segment DPL 4) + 2 IF (TSSstackAddress + 4) > TSS lim it THEN #TS(current TSS selector); FI; NewESP TSSstackAddress; NewSS TSSstackAddress + 2; FI; IF segm ent selector is null THEN #TS(EXT); FI; IF segm ent selector index is not within its descriptor table lim its O R segm ent selector's RPL DPL of code segm ent, THEN #TS(SS selector + EXT); FI; Access segment descriptor for stack segment in GDT or LDT; IF stack segment DPL DPL of code segment, O R stack segment does not indicate writable data segm ent, THEN #TS(SS selector + EXT); FI; IF stack segment not present THEN #SS(SS selector+EXT); FI;

3- 224


INSTRUCTION SET REFER EN CE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
IF 32-bit gate THEN IF new stack does not have room for 40 bytes (error code pushed) OR 36 bytes (no error code pushed); THEN #SS(segment selector + EXT); FI; ELSE (* 16-bit gate *) IF new stack does not have room for 20 bytes (error code pushed) OR 18 bytes (no error code pushed); THEN #SS(segment selector + EXT); FI; FI; IF instruction pointer is not within code segment limits THEN #GP(0); FI; tempEFLAGS EFLAG S; VM 0; TF 0; RF 0; IF service through interrupt gate THEN IF 0; FI; TempSS SS; TempESP ESP; SS:ESP TSS(SS0:ESP0); (* Change to level 0 stack segment *) (* Following pushes are 16 bits for 16-bit gate and 32 bits for 32-bit gates *) (* Segment selector pushes in 32-bit mode are padded to two words *) Push(GS); Push(FS); Push(DS); Push(ES); Push(Tem pSS); Push(Tem pESP); Push(Tem pEFlags); Push(CS); Push(EIP); GS 0; (*segment registers nullified, invalid in protected mode *) FS 0; DS 0; ES 0; CS Gate(CS); IF OperandSize=32 THEN EIP Gate(instruction pointer); ELSE (* OperandSize is 16 *) EIP Gate(instruction pointer) AND 0000FFFFH ; FI; (* Starts execution of new routine in Protected Mode *) END;

3-225


INSTRUCTION SET REFERENCE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
INTRA-PRIVILEG E-LEVEL-INTERRUPT: (* PE=1, DPL = CPL or conforming segment *) IF 32-bit gate THEN IF current stack does not have room for 16 bytes (error code pushed) O R 12 bytes (no error code pushed); THEN #SS(0); FI; ELSE (* 16-bit gate *) IF current stack does not have room for 8 bytes (error code pushed) O R 6 bytes (no error code pushed); THEN #SS(0); FI; IF instruction pointer not w ithin code segment limit THEN #G P(0); FI; IF 32-bit gate THEN Push (EFLAGS); Push (far pointer to return instruction); (* 3 words padded to 4 *) CS:EIP Gate(CS:EIP); (* segment descriptor information also loaded *) Push (ErrorCode); (* if any *) ELSE (* 16-bit gate *) Push (FLAGS); Push (far pointer to return location); (* 2 words *) CS:IP Gate(CS:IP); (* segment descriptor information also loaded *) Push (ErrorCode); (* if any *) FI; CS(RPL) CPL; IF interrupt gate THEN IF 0; FI; TF 0; NT 0; VM 0; RF 0; FI; END;

Flags Affected The EFLAGS register is pushed onto the stack. The IF, TF, NT, AC, RF, and VM flags may be cleared, depending on the mode of operation of the processor when the INT instruction is executed (see the "O peration" section). If the interrupt uses a task gate, any flags may be set or cleared, controlled by the EFLAGS image in the new task's TSS. Protected Mode Exceptions #GP(0) If the instruction pointer in the IDT or in the interrupt-, trap-, or task gate is beyond the code segment limits.

3- 226


INSTRUCTION SET REFER EN CE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
#GP(selector) If the segment selector in the interrupt-, trap-, or task gate is null. If a interrupt-, trap-, or task gate, code segment, or TSS segment selector index is outside its descriptor table limits. If the interrupt vector number is outside the IDT limits. If an IDT descriptor is not an interrupt-, trap-, or task-descriptor. If an interrupt is generated by the INT n, INT 3, or INTO instruction and the DPL of an interrupt-, trap-, or task-descriptor is less than the CPL. If the segment selector in an interrupt- or trap-gate does not point to a segment descriptor for a code segment. If the segment selector for a TSS has its local/global bit set for local. If a TSS segment descriptor specifies that the TSS is busy or not available. #SS(0) #SS(selector) If pushing the return address, flags, or error code onto the stack exceeds the bounds of the stack segment and no stack switch occurs. If the SS register is being loaded and the segment pointed to is marked not present. If pushing the return address, flags, error code, or stack segment pointer exceeds the bounds of the new stack segment w hen a stack switch occurs. #NP(selector) #TS(selector) If code segment, interrupt-, trap-, or task gate, or TSS is not present. If the RPL of the stack segment selector in the TSS is not equal to the DPL of the code segment being accessed by the interrupt or trap gate. If D PL of the stack segment descriptor pointed to by the stack segment selector in the TSS is not equal to the DPL of the code segment descriptor for the interrupt or trap gate. If the stack segment selector in the TSS is null. If the stack segment for the TSS is not a writable data segment. If segment-selector index for stack segment is outside descriptor table limits. #PF(fault-code) If a page fault occurs.

Real-Address Mode Exceptions #GP If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the interrupt vector number is outside the IDT limits.

3-227


INSTRUCTION SET REFERENCE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
#SS If stack limit violation on push. If pushing the return address, flags, or error code onto the stack exceeds the bounds of the stack segment. Vir tual-8086 Mode Exceptions #GP(0) (For INT n, INTO, or BOUND instruction) If the IOPL is less than 3 or the DPL of the interrupt-, trap-, or task-gate descriptor is not equal to 3. If the instruction pointer in the IDT or in the interrupt-, trap-, or task gate is beyond the code segment limits. #GP(selector) If the segment selector in the interrupt-, trap-, or task gate is null. If a interrupt-, trap-, or task gate, code segment, or TSS segment selector index is outside its descriptor table limits. If the interrupt vector number is outside the IDT limits. If an IDT descriptor is not an interrupt-, trap-, or task-descriptor. If an interrupt is generated by the INT n instruction and the DPL of an interrupt-, trap-, or task-descriptor is less than the CPL. If the segment selector in an interrupt- or trap-gate does not point to a segment descriptor for a code segment. If the segment selector for a TSS has its local/global bit set for local. #SS(selector) If the SS register is being loaded and the segment pointed to is marked not present. If pushing the return address, flags, error code, stack segment pointer, or data segments exceeds the bounds of the stack segment. #NP(selector) #TS(selector) If code segment, interrupt-, trap-, or task gate, or TSS is not present. If the RPL of the stack segment selector in the TSS is not equal to the DPL of the code segment being accessed by the interrupt or trap gate. If D PL of the stack segment descriptor for the TSS's stack segment is not equal to the DPL of the code segment descriptor for the interrupt or trap gate. If the stack segment selector in the TSS is null. If the stack segment for the TSS is not a writable data segment. If segment-selector index for stack segment is outside descriptor table limits.

3- 228


INSTRUCTION SET REFER EN CE

INT n/INTO/INT 3--Call to Interrupt Procedure (Continued)
#PF(fault-code) #BP #OF If a page fault occurs. If the INT 3 instruction is executed. If the INTO instruction is executed and the OF flag is set.

3-229


INSTRUCTION SET REFERENCE

INVD--Invalidate Internal Caches
Opcode 0F 08 Instruction INV D Description Flush inter nal caches; initiate flushing of exter nal caches.

Description Invalidates (flushes) the processor's internal caches and issues a special-function bus cycle that directs external caches to also flush themselves. Data held in internal caches is not written back to main memory. After executing this instruction, the processor does not wait for the external caches to complete their flushing operation before proceeding with instruction execution. It is the responsibility of hardware to respond to the cache flush signal. The INVD instruction is a privileged instruction. When the processor is running in protected mode, the CPL of a program or procedure must be 0 to execute this instruction. Use this instruction with care. Data cached internally and not written back to main memory will be lost. Unless there is a specific requirement or benefit to flushing caches without writing back modified cache lines (for example, testing or fault recovery where cache coherency with main memory is not a concern), software should use the W BINV D instruction. Intel Architecture Compatibility The INVD instruction is implementation dependent, and its function may be implemented differently on future Intel Architecture processors. This instruction is not supported on Intel Architecture processors earlier than the Intel486 processor. Operation
Flush(InternalCaches); SignalFlush(ExternalCaches); Continue (* Continue execution);

Flags Affected None. Protected Mode Exceptions #GP(0) If the current privilege level is not 0.

Real-Address Mode Exceptions None.

3- 230


INSTRUCTION SET REFER EN CE

INVD--Invalidate Internal Caches (Continued)
Virtual-8086 Mode Exceptions #GP(0) The INVD instruction cannot be executed in virtual-8086 mode.

3-231


INSTRUCTION SET REFERENCE

INVLPG--Invalidate TLB Entry
Opcode 0F 01/7 Instruction INV LPG m Description Invalidate TLB Entr y for page that contains m

Description Invalidates (flushes) the translation lookaside buffer (TLB) entry specified with the source operand. The source operand is a memory address. The processor determines the page that contains that address and flushes the TLB entry for that page. The INV LPG instruction is a privileged instruction. W hen the processor is running in protected mode, the CPL of a program or procedure must be 0 to execute this instruction. The INVLPG instruction normally flushes the TLB entry only for the specified page; however, in some cases, it flushes the entire TLB. See "MOV--Move to/from Control Registers" in this chapter for further information on operations that flush the TLB. Intel Architecture Compatibility The INVLPG instruction is implementation dependent, and its function may be implemented differently on future Intel Architecture processors. This instruction is not supported on Intel Architecture processors earlier than the Intel486 processor. Operation
Flush(RelevantTLBEntries); Continue (* Continue execution);

Flags Affected None. Protected Mode Exceptions #GP(0) #UD If the current privilege level is not 0. Operand is a register.

Real-Address Mode Exceptions #UD Operand is a register.

Vir tual-8086 Mode Exceptions #GP(0) The INVLPG instruction cannot be executed at the virtual-8086 mode.

3- 232


INSTRUCTION SET REFER EN CE

IRET/IRETD--Interrupt Return
Opcode CF CF Instruction IRET IRETD D escription Interr upt retur n (16-bit operand size) Interr upt retur n (32-bit operand size)

Description Returns program control from an exception or interrupt handler to a program or procedure that was interrupted by an exception, an external interrupt, or a software-generated interrupt. These instructions are also used to perform a return from a nested task. (A nested task is created when a CA LL instruction is used to initiate a task switch or when an interrupt or exception causes a task switch to an interrupt or exception handler.) See the section titled "Task Linking" in Chapter 6 of the Intel Architecture Software Developer's Manual, Volume 1. IRET and IRETD are mnemonics for the same opcode. The IRETD mnemonic (interrupt return double) is intended for use when returning from an interrupt when using the 32-bit operand size; however, most assemblers use the IRET mnemonic interchangeably for both operand sizes. In Real-Address Mode, the IRET instruction preforms a far return to the interrupted program or procedure. During this operation, the processor pops the return instruction pointer, return code segment selector, and EFLAGS image from the stack to the EIP, CS, and EFLAGS registers, respectively, and then resumes execution of the interrupted program or procedure. In Protected Mode, the action of the IRET instruction depends on the settings of the NT (nested task) and VM flags in the EFLAGS register and the VM flag in the EFLAGS image stored on the current stack. Depending on the setting of these flags, the processor performs the following types of interrupt returns:

· · · · ·

Return from virtual-8086 mode. Return to virtual-8086 mode. Intra-privilege level return. Inter-privilege level return. Return from nested task (task sw itch).

If the NT flag (EFLAGS register) is cleared, the IRET instruction performs a far return from the interrupt procedure, without a task switch. The code segment being returned to must be equally or less privileged than the interrupt handler routine (as indicated by the RPL field of the code segment selector popped from the stack). As with a real-address mode interrupt return, the IRET instruction pops the return instruction pointer, return code segment selector, and EFLAG S image from the stack to the EIP, CS, and EFLAG S registers, respectively, and then resumes execution of the interrupted program or procedure. If the return is to another privilege level, the IRET instruction also pops the stack pointer and SS from the stack, before resuming program execution. If the return is to virtual-8086 mode, the processor also pops the data segment registers from the stack.

3-233


INSTRUCTION SET REFERENCE

IRET/IRETD--Interrupt Return (Continued)
If the NT flag is set, the IRET instruction performs a task switch (return) from a nested task (a task called with a CALL instruction, an interrupt, or an exception) back to the calling or interrupted task. The updated state of the task executing the IRET instruction is saved in its TSS. If the task is reentered later, the code that follows the IRET instruction is executed. Operation
IF PE = 0 THEN G OTO REAL-ADDRESS-MODE:; ELSE G OTO PROTECTED-M ODE; FI; REAL-ADDRESS-MODE; IF OperandSize = 32 THEN IF top 12 bytes of stack not within stack limits THEN #SS; FI; IF instruction pointer not w ithin code segment limits THEN #GP(0); FI; EIP Pop(); CS Pop(); (* 32-bit pop, high-order 16-bits discarded *) tempEFLAGS Pop(); EFLAGS (tempEFLAGS AND 257FD5H) O R (EFLAGS AND 1A0000H); ELSE (* OperandSize = 16 *) IF top 6 bytes of stack are not within stack limits THEN #SS; FI; IF instruction pointer not w ithin code segment limits THEN #GP(0); FI; EIP Pop(); EIP EIP AND 0000FFFFH; CS Pop(); (* 16-bit pop *) EFLAGS[15:0] Pop(); FI; END; PROTECTED-M ODE: IF VM = 1 (* Virtual-8086 mode: PE=1, VM=1 *) THEN G OTO RETURN-FRO M-VIRTUAL-8086-MODE; (* PE=1, VM=1 *) FI; IF NT = 1 THEN G OTO TASK-RETURN;( *PE=1, VM=0, NT=1 *) FI; IF OperandSize=32 THEN IF top 12 bytes of stack not within stack limits

3- 234


INSTRUCTION SET REFER EN CE

IRET/IRETD--Interrupt Return (Continued)
THEN #SS(0) FI; tempEIP Pop(); tempCS Pop(); tempEFLAGS Pop(); ELSE (* OperandSize = 16 *) IF top 6 bytes of stack are not within stack lim its THEN #SS(0); FI; tempEIP Pop(); tempCS Pop(); tempEFLAGS Pop(); tempEIP tempEIP AND FFFFH; tempEFLAGS tempEFLAGS AND FFFFH; FI; IF tempEFLAGS(VM) = 1 AND CPL=0 THEN GOTO RETURN-TO-VIRTUAL-8086-MODE; (* PE=1, VM=1 in EFLAG S image *) ELSE GOTO PROTECTED-MODE-RETURN; (* PE=1, VM=0 in EFLAG S image *) FI; RETU RN-FROM-VIRTUAL-8086-MOD E: (* Processor is in virtual-8086 mode when IRET is executed and stays in virtual-8086 mode *) IF IOPL=3 (* Virtual mode: PE=1, VM=1, IOPL=3 *) THEN IF OperandSize = 32 THEN IF top 12 bytes of stack not within stack limits THEN #SS(0); FI; IF instruction pointer not within code segment lim its THEN #GP(0); FI; EIP Pop(); CS Pop(); (* 32-bit pop, high-order 16-bits discarded *) EFLAGS Pop(); (*VM,IOPL,VIP,and VIF EFLAGS bits are not modified by pop *) ELSE (* OperandSize = 16 *) IF top 6 bytes of stack are not within stack lim its THEN #SS(0); FI; IF instruction pointer not within code segment lim its THEN #GP(0); FI; EIP Pop(); EIP EIP AND 0000FFFFH; CS Pop(); (* 16-bit pop *) EFLAGS[15:0] Pop(); (* IO PL in EFLAGS is not m odified by pop *) FI; ELSE #GP(0); (* trap to virtual-8086 monitor: PE=1, VM=1, IOPL<3 *) FI;

3-235


INSTRUCTION SET REFERENCE

IRET/IRETD--Interrupt Return (Continued)
END; RETURN-TO-VIRTUAL-8086-M ODE: (* Interrupted procedure was in virtual-8086 mode: PE=1, VM =1 in flags image *) IF top 24 bytes of stack are not within stack segment limits THEN #SS(0); FI; IF instruction pointer not w ithin code segment limits THEN #GP(0); FI; CS tem pCS; EIP tempEIP; EFLAGS tempEFLAGS TempESP Pop(); TempSS Pop(); ES Pop(); (* pop 2 words; throw away high-order word *) DS Pop(); (* pop 2 words; throw away high-order word *) FS Pop(); (* pop 2 words; throw away high-order word *) GS Pop(); (* pop 2 words; throw away high-order word *) SS:ESP TempSS:TempESP; (* Resume execution in Virtual-8086 mode *) END; TASK-RETURN: (* PE=1, VM=1, NT=1 *) Read segment selector in link field of current TSS; IF local/global bit is set to local O R index not within G DT limits THEN #GP(TSS selector); FI; Access TSS for task specified in link field of current TSS; IF TSS descriptor type is not TSS or if the TSS is m arked not busy THEN #GP(TSS selector); FI; IF TSS not present THEN #NP(TSS selector); FI; SWITCH-TASKS (without nesting) to TSS specified in link field of current TSS; M ark the task just abandoned as NOT BUSY; IF EIP is not within code segment limit THEN #GP(0); FI; END; PROTECTED-M ODE-RETURN: (* PE=1, VM=0 in flags image *) IF return code segment selector is null THEN GP(0); FI; IF return code segment selector addrsses descriptor beyond descriptor table limit

3- 236


INSTRUCTION SET REFER EN CE

IRET/IRETD--Interrupt Return (Continued)
THEN GP(selector; FI; Read segment descriptor pointed to by the return code segment selector IF return code segment descriptor is not a code segm ent THEN #GP(selector); FI; IF return code segment selector RPL < CPL THEN #GP(selector); FI; IF return code segment descriptor is conforming AND return code segment DPL > return code segment selector RPL THEN #GP(selector); FI; IF return code segment descriptor is not present THEN #NP(selector); FI: IF return code segment selector RPL > CPL THEN GO TO RETURN-OUTER-PRIVILEGE-LEVEL; ELSE GOTO RETURN-TO-SAME-PRIVILEGE-LEVEL FI; END; RETU RN-TO-SAM E-PRIVILEGE-LEVEL: (* PE=1, VM=0 in flags im age, RPL=C PL *) IF EIP is not within code segm ent limits THEN #GP(0); FI; EIP tem pEIP; CS tempCS; (* segment descriptor information also loaded *) EFLAGS (CF, PF, AF, ZF, SF, TF, DF, OF, NT) tempEFLAGS; IF OperandSize=32 THEN EFLAGS(RF, AC, ID) tempEFLAG S; FI; IF CPL IOPL THEN EFLAGS(IF) tempEFLAGS; FI; IF CPL = 0 THEN EFLAGS(IOPL) tempEFLAGS; IF OperandSize=32 THEN EFLAGS(VM, VIF, VIP) tempEFLAGS; FI; FI; END; RETU RN-TO-OUTER-PRIVILGE-LEVEL: IF OperandSize=32 THEN IF top 8 bytes on stack are not within limits THEN #SS(0); FI; ELSE (* OperandSize=16 *) IF top 4 bytes on stack are not within limits THEN #SS(0); FI; FI; Read return segm ent selector; IF stack segment selector is null THEN #GP(0); FI; IF return stack segment selector index is not within its descriptor table limits

3-237


INSTRUCTION SET REFERENCE

IRET/IRETD--Interrupt Return (Continued)
THEN #GP(SSselector); FI; Read segment descriptor pointed to by return segment selector; IF stack segment selector RPL RPL of the return code segment selector IF stack segment selector RPL RPL of the return code segment selector O R the stack segment descriptor does not indicate a a writable data segment; O R stack segment DPL RPL of the return code segment selector THEN #GP(SS selector); FI; IF stack segment is not present THEN #SS(SS selector); FI; IF tempEIP is not within code segment lim it THEN #GP(0); FI; EIP tempEIP; CS tem pCS; EFLAGS (CF, PF, AF, ZF, SF, TF, DF, OF, NT) tempEFLAGS; IF OperandSize=32 THEN EFLAGS(RF, AC, ID) tempEFLAGS; FI; IF CPL IOPL THEN EFLAGS(IF) tem pEFLAGS; FI; IF CPL = 0 THEN EFLAGS(IOPL) tem pEFLAGS; IF OperandSize=32 THEN EFLAG S(VM, VIF, VIP) tempEFLAGS; FI; FI; CPL RPL of the return code segment selector; FOR each of segm ent register (ES, FS, GS, and DS) DO ; IF segm ent register points to data or non-conform ing code segment AND CPL > segment descriptor DPL (* stored in hidden part of segment register *) THEN (* segment register invalid *) SegmentSelector 0; (* null segment selector *) FI; OD; END:

Flags Affected All the flags and fields in the EFLAGS register are potentially modified, depending on the mode of operation of the processor. If performing a return from a nested task to a previous task, the EFLAGS register will be modified according to the EFLAGS image stored in the previous task's TSS.

3- 238


INSTRUCTION SET REFER EN CE

IRET/IRETD--Interrupt Return (Continued)
Protected Mode Exceptions #GP(0) If the return code or stack segment selector is null. If the return instruction pointer is not within the return code segment limit. #GP(selector) If a segment selector index is outside its descriptor table limits. If the return code segment selector RPL is greater than the CPL. If the DPL of a conforming-code segment is greater than the return code segment selector RPL. If the DPL for a nonconforming-code segment is not equal to the RPL of the code segment selector. If the stack segment descriptor DPL is not equal to the RPL of the return code segment selector. If the stack segment is not a writable data segment. If the stack segment selector RPL is not equal to the RPL of the return code segment selector. If the segment descriptor for a code segment does not indicate it is a code segment. If the segment selector for a TSS has its local/global bit set for local. If a TSS segment descriptor specifies that the TSS is busy or not available. #SS(0) #NP(selector) #PF(fault-code) #AC(0) If the top bytes of stack are not within stack limits. If the return code or stack segment is not present. If a page fault occurs. If an unaligned memory reference occurs when the CPL is 3 and alignment checking is enabled.

Real-Address Mode Exceptions #GP #SS If the return instruction pointer is not within the return code segment limit. If the top bytes of stack are not within stack limits.

Virtual-8086 Mode Exceptions #GP(0) If the return instruction pointer is not within the return code segment limit. IF IOPL not equal to 3 #PF(fault-code) If a page fault occurs.

3-239


INSTRUCTION SET REFERENCE

IRET/IRETD--Interrupt Return (Continued)
#SS(0) #AC(0) If the top bytes of stack are not within stack limits. If an unaligned memory reference occurs and alignment checking is enabled.

3- 240


INSTRUCTION SET REFER EN CE

Jcc--Jump if Condition Is Met
Opcode 77 cb 73 cb 72 cb 76 cb 72 cb E3 cb E3 cb 74 cb 7F cb 7D cb 7C cb 7E cb 76 cb 72 cb 73 cb 77 cb 73 cb 75 cb 7E cb 7C cb 7D cb 7F cb 71 cb 7B cb 79 cb 75 cb 70 cb 7A cb 7A cb 7B cb 78 cb 74 cb 0F 87 cw/cd 0F 83 cw/cd 0F 82 cw/cd 0F 86 cw/cd 0F 82 cw/cd 0F 84 cw/cd 0F 84 cw/cd 0F 8F cw/cd Instruction JA rel8 JA E rel8 JB rel8 JBE rel8 JC rel8 JCXZ rel8 JEC XZ rel8 JE rel8 JG rel8 JGE rel8 JL rel8 JLE rel8 JNA rel8 JNAE rel8 JNB rel8 JNBE rel8 JNC rel8 JNE rel8 JNG rel8 JNGE rel8 JNL rel8 JNLE rel8 JNO rel8 JNP rel8 JNS rel8 JNZ rel8 JO rel8 JP rel8 JPE rel8 JPO rel8 JS rel8 JZ rel8 JA rel16/32 JA E rel16/32 JB rel16/32 JBE rel16/32 JC rel16/32 JE rel16/32 JZ rel16/32 JG r el16/32 D escription Jump shor t if above (CF=0 and ZF=0) Jump shor t if above or equal (CF=0) Jump shor t if below (CF=1) Jump shor t if below or equal (CF=1 or ZF=1) Jump shor t if car r y (CF=1) Jump shor t if CX register is 0 Jump shor t if EC X register is 0 Jump shor t if equal (ZF=1) Jump shor t if greater (ZF=0 and SF=OF) Jump shor t if greater or equal (SF=OF) Jump shor t if less (SF<>OF) Jump shor t if less or equal (ZF=1 or SF<>OF) Jump shor t if not above (CF=1 or ZF=1) Jump shor t if not above or equal (CF=1) Jump shor t if not below (CF=0) Jump shor t if not below or equal (CF=0 and ZF=0) Jump shor t if not carr y (CF=0) Jump shor t if not equal (ZF=0) Jump shor t if not greater (ZF=1 or SF<>OF) Jump shor t if not greater or equal (SF<>OF) Jump shor t if not less (SF=OF) Jump shor t if not less or equal (ZF=0 and SF=OF) Jump shor t if not overflow (OF=0) Jump shor t if not par ity (PF=0) Jump shor t if not sign (SF=0) Jump shor t if not zer o (ZF=0) Jump shor t if overflow ( OF=1) Jump shor t if par ity (PF=1) Jump shor t if par ity even (PF=1) Jump shor t if par ity odd (PF=0) Jump shor t if sign (SF=1) Jump shor t if zero (ZF = 1) Jump near if above (CF=0 and ZF=0) Jump near if above or equal ( CF=0) Jump near if below (CF=1) Jump near if below or equal (CF=1 or ZF=1) Jump near if car r y (CF=1) Jump near if equal (ZF=1) Jump near if 0 (ZF=1) Jump near if gr eater (ZF=0 and SF=OF)

3-241


INSTRUCTION SET REFERENCE

Jcc--Jump if Condition Is Met (Continued)
Opcode 0F 8D cw/cd 0F 8C cw/cd 0F 8E cw/cd 0F 86 cw/cd 0F 82 cw/cd 0F 83 cw/cd 0F 87 cw/cd 0F 83 cw/cd 0F 85 cw/cd 0F 8E cw/cd 0F 8C cw/cd 0F 8D cw/cd 0F 8F cw/cd 0F 81 cw/cd 0F 8B cw/cd 0F 89 cw/cd 0F 85 cw/cd 0F 80 cw/cd 0F 8A cw/cd 0F 8A cw/cd 0F 8B cw/cd 0F 88 cw/cd 0F 84 cw/cd Instruction JGE rel16/32 JL r el16/32 JLE rel16/32 JNA rel16/32 JNAE rel16/32 JNB rel16/32 JNBE rel16/32 JNC rel16/32 JNE rel16/32 JNG rel16/32 JNGE rel16/32 JNL r el16/32 JNLE rel16/32 JNO rel16/32 JNP rel16/32 JNS rel16/32 JNZ rel16/32 JO rel16/32 JP rel16/32 JPE rel16/32 JPO rel16/32 JS rel16/32 JZ rel16/32 Description Jump near if greater or equal (SF=OF) Jump near if less (SF<>OF) Jump near if less or equal (ZF=1 or SF<>OF) Jump near if not above (CF=1 or ZF=1) Jump near if not above or equal (C F=1) Jump near if not below (CF=0) Jump near if not below or equal (CF=0 and ZF=0) Jump near if not car r y (CF=0) Jump near if not equal (ZF=0) Jump near if not greater (ZF=1 or SF<>OF) Jump near if not greater or equal (SF<>OF) Jump near if not less (SF=OF) Jump near if not less or equal (ZF=0 and SF=OF) Jump near if not over flow ( OF=0) Jump near if not par ity (PF=0) Jump near if not sign (SF=0) Jump near if not zero (ZF=0) Jump near if overflow (OF=1) Jump near if parity (PF=1) Jump near if parity even (PF=1) Jump near if parity odd (PF=0) Jump near if sign (SF=1) Jump near if 0 ( ZF=1)

Description Checks the state of one or more of the status flags in the EFLAGS register (CF, OF, PF, SF, and ZF) and, if the flags are in the specified state (condition), performs a jump to the target instruction specified by the destination operand. A condition code (cc) is associated w ith each instruction to indicate the condition being tested for. If the condition is not satisfied, the jump is not performed and execution continues with the instruction following the Jcc instruction. The target instruction is specified with a relative offset (a signed offset relative to the current value of the instruction pointer in the EIP register). A relative offset (rel8, rel16, or rel32) is generally specified as a label in assembly code, but at the machine code level, it is encoded as a signed, 8-bit or 32-bit immediate value, w hich is added to the instruction pointer. Instruction coding is most efficient for offsets of ­128 to +127. If the operand-size attribute is 16, the upper two bytes of the EIP register are cleared to 0s, resulting in a maximum instruction pointer size of 16 bits.

3- 242


INSTRUCTION SET REFER EN CE

Jcc--Jump if Condition Is Met (Continued)
The conditions for each Jcc mnemonic are given in the "Description" column of the table on the preceding page. The terms "less" and "greater" are used for comparisons of signed integers and the terms "above" and "below" are used for unsigned integers. Because a particular state of the status flags can sometimes be interpreted in two ways, two mnemonics are defined for some opcodes. For example, the JA (jump if above) instruction and the JNBE (jump if not below or equal) instruction are alternate mnemonics for the opcode 77H. The Jcc instruction does not support far jumps (jumps to other code segments). When the target for the conditional jump is in a different segment, use the opposite condition from the condition being tested for the Jcc instruction, and then access the target w ith an unconditional far jump (JMP instruction) to the other segment. For example, the following conditional far jump is illegal:
JZ FARLABEL;

To accomplish this far jump, use the following two instructions:
JNZ BEYOND; JMP FARLABEL; BEYOND:

The JECXZ and JCXZ instructions differs from the other Jcc instructions because they do not check the status flags. Instead they check the contents of the ECX and CX registers, respectively, for 0. Either the CX or ECX register is chosen according to the address-size attribute. These instructions are useful at the beginning of a conditional loop that terminates with a conditional loop instruction (such as LOOPNE). They prevent entering the loop w hen the ECX or CX register is equal to 0, w hich would cause the loop to execute 232 or 64K times, respectively, instead of zero times. All conditional jumps are converted to code fetches of one or tw o cache lines, regardless

of jump address or cacheability.
Operation
IF condition THEN EIP EIP + SignExtend(DEST); IF OperandSize = 16 THEN EIP EIP AND 0000FFFFH; FI; FI;

Flags Affected None.

3-243


INSTRUCTION SET REFERENCE

Jcc--Jump if Condition Is Met (Continued)
Protected Mode Exceptions #GP(0) If the offset being jumped to is beyond the limits of the CS segment.

Real-Address Mode Exceptions #GP If the offset being jumped to is beyond the limits of the CS segment or is outside of the effective address space from 0 to FFFFH . This condition can occur if 32-address size override prefix is used.

Vir tual-8086 Mode Exceptions #GP(0) If the offset being jumped to is beyond the limits of the CS segment or is outside of the effective address space from 0 to FFFFH . This condition can occur if 32-address size override prefix is used.

3- 244


INSTRUCTION SET REFER EN CE

JMP--Jump
Opcode EB cb E9 cw E9 cd FF /4 FF /4 EA cd EA cp FF /5 FF /5 Instruction JMP rel8 JMP rel16 JMP rel32 JMP r/m16 JMP r/m32 JMP ptr16:16 JMP ptr16:32 JMP m16:16 JMP m16:32 D escription Jump shor t, relative, displacement r elative to next instr uction Jump near, relative, displacement relative to next instr uction Jump near, relative, displacement relative to next instr uction Jump near, absolute indirect, address given in r/m16 Jump near, absolute indirect, address given in r/m32 Jump far, absolute, address given in operand Jump far, absolute, address given in operand Jump far, absolute indirect, address given in m16:16 Jump far, absolute indirect, address given in m16:32

Description Transfers program control to a different point in the instruction stream without recording return information. The destination (target) operand specifies the address of the instruction being jumped to. This operand can be an immediate value, a general-purpose register, or a memory location. This instruction can be used to execute four different types of jumps:

· · · ·

Near jump--A jump to an instruction within the current code segment (the segment currently pointed to by the CS register), sometimes referred to as an intrasegment jump. Short jump--A near jump where the jump range is limited to ­128 to +127 from the current EIP value. Far jump--A jump to an instruction located in a different segment than the current code segment but at the same privilege level, sometimes referred to as an intersegment jump. Task switch--A jump to an instruction located in a different task.

A task switch can only be executed in protected mode (see Chapter 6, Task Management, in the In te l Arch it ect ure So ft wa re D eve lo pe r's M a nu a l, Vo lu m e 3 , for information on p er fo r min g task sw i tch es with the JMP instruction). Near and Shor t Jumps. When executing a near jump, the processor jumps to the address (w ithin the current code segment) that is specified with the target operand. The target operand specifies either an absolute offset (that is an offset from the base of the code segment) or a relative offset (a signed displacement relative to the current value of the instruction pointer in the EIP register). A near jump to a relative offset of 8-bits (rel8) is referred to as a short jump. The CS register is not changed on near and short jumps. An absolute offset is specified indirectly in a general-purpose register or a memory location (r/m16 or r/m32). The operand-size attribute determines the size of the target operand (16 or 32 bits). A bsolute offsets are loaded directly into the EIP register. If the operand-size attribute is 16, the upper two bytes of the EIP register are cleared to 0s, resulting in a maximum instruction pointer size of 16 bits.

3-245


INSTRUCTION SET REFERENCE

JMP--Jump (Continued)
A relative offset (rel8, rel16, or rel32) is generally specified as a label in assembly code, but at the machine code level, it is encoded as a signed 8-, 16-, or 32-bit immediate value. This value is added to the value in the EIP register. (Here, the EIP register contains the address of the instruction following the JMP instruction). W hen using relative offsets, the opcode (for short vs. near jumps) and the operand-size attribute (for near relative jumps) determines the size of the target operand (8, 16, or 32 bits). Far Jumps in Real-Address or Virtual-8086 Mode. W hen executing a far jump in realaddress or virtual-8086 mode, the processor jumps to the code segment and offset specified with the target operand. Here the target operand specifies an absolute far address either directly with a pointer (ptr16:16 or ptr16:32) or indirectly with a memory location (m16:16 or m16:32). With the pointer method, the segment and address of the called procedure is encoded in the instruction, using a 4-byte (16-bit operand size) or 6-byte (32-bit operand size) far address immediate. With the indirect method, the target operand specifies a memory location that contains a 4-byte (16-bit operand size) or 6-byte (32-bit operand size) far address. The far address is loaded directly into the CS and EIP registers. If the operand-size attribute is 16, the upper two bytes of the EIP register are cleared to 0s. Far Jumps in Protected Mode. When the processor is operating in protected mode, the JMP instruction can be used to perform the following three types of far jumps:

· · ·

A far jump to a conforming or non-conforming code segment. A far jump through a call gate. A task switch.

(The JMP instruction cannot be used to perform interprivilege level far jumps.) In protected mode, the processor always uses the segment selector part of the far address to access the corresponding descriptor in the GDT or LDT. The descriptor type (code segment, call gate, task gate, or TSS) and access rights determine the type of jump to be performed. If the selected descriptor is for a code segment, a far jump to a code segment at the same privilege level is performed. (If the selected code segment is at a different privilege level and the code segment is non-conforming, a general-protection exception is generated.) A far jump to the same privilege level in protected mode is very similar to one carried out in real-address or virtual-8086 mode. The target operand specifies an absolute far address either directly with a pointer (ptr16:16 or ptr16:32) or indirectly with a memory location (m16:16 or m16:32). The operandsize attribute determines the size of the offset (16 or 32 bits) in the far address. The new code segment selector and its descriptor are loaded into CS register, and the offset from the instruction is loaded into the EIP register. Note that a call gate (described in the next paragraph) can also be used to perform far call to a code segment at the same privilege level. Using this mechanism provides an extra level of indirection and is the preferred method of making jumps between 16bit and 32-bit code segments.

3- 246


INSTRUCTION SET REFER EN CE

JMP--Jump (Continued)
When executing a far jump through a call gate, the segment selector specified by the target operand identifies the call gate. (The offset part of the target operand is ignored.) The processor then jumps to the code segment specified in the call gate descriptor and begins executing the instruction at the offset specified in the call gate. No stack switch occurs. Here again, the target operand can specify the far address of the call gate either directly with a pointer (ptr16:16 or ptr16:32) or indirectly with a memory location (m16:16 or m16:32). Executing a task switch with the JMP instruction, is somewhat similar to executing a jump through a call gate. Here the target operand specifies the segment selector of the task gate for the task being switched to (and the offset part of the target operand is ignored). The task gate in turn points to the TSS for the task, which contains the segment selectors for the task's code and stack segments. The TSS also contains the EIP value for the next instruction that was to be executed before the task was suspended. This instruction pointer value is loaded into EIP register so that the task begins executing again at this next instruction. The JMP instruction can also specify the segment selector of the TSS directly, which eliminates the indirection of the task gate. See Chapter 6, Task Management, in Intel Architecture Software Developer's Manual, Volume 3, the for detailed information on the mechanics of a task switch. Note that when you execute at task switch with a JMP instruction, the nested task flag (NT) is not set in the EFLAGS register and the new TSS's previous task link field is not loaded with the old task's TSS selector. A return to the previous task can thus not be carried out by executing the IRET instruction. Switching tasks w ith the JMP instruction differs in this regard from the CALL instruction which does set the NT flag and save the previous task link information, allowing a return to the calling task with an IRET instruction. Operation
IF near jump THEN IF near relative jump THEN tempEIP EIP + DEST; (* EIP is instruction following JMP instruction*) ELSE (* near absolute jump *) tempEIP DEST; FI; IF tempEIP is beyond code segm ent limit THEN #GP(0); FI; IF OperandSize = 32 THEN EIP tem pEIP; ELSE (* OperandSize=16 *) EIP tem pEIP AND 0000FFFFH; FI; FI: IF far jump AND (PE = 0 OR (PE = 1 AND VM = 1)) (* real-address or virtual-8086 mode *) THEN tempEIP DEST(offset); (* DEST is ptr16:32 or [m16:32] *)

3-247


INSTRUCTION SET REFERENCE

JMP--Jump (Continued)
IF tempEIP is beyond code segment limit THEN #GP(0); FI; CS DEST(segment selector); (* DEST is ptr16:32 or [m16:32] *) IF OperandSize = 32 THEN EIP tempEIP; (* DEST is ptr16:32 or [m16:32] *) ELSE (* OperandSize = 16 *) EIP tempEIP AND 0000FFFFH; (* clear upper 16 bits *) FI; FI; IF far jump AND (PE = 1 AND VM = 0) (* Protected m ode, not virtual-8086 m ode *) THEN IF effective address in the CS, DS, ES, FS, GS, or SS segment is illegal O R segm ent selector in target operand null THEN #GP(0); FI; IF segm ent selector index not within descriptor table limits THEN #GP(new selector); FI; Read type and access rights of segment descriptor; IF segm ent type is not a conforming or nonconform ing code segment, call gate, task gate, or TSS THEN #GP(segment selector); FI; Depending on type and access rights G O TO C ONFORMING -CODE-SEGMENT; G O TO N ONCONFORMING-CODE-SEGMENT; G O TO C ALL-GATE; G O TO TASK-GATE; G O TO TASK-STATE-SEGMENT; ELSE #GP(segment selector); FI; CONFORMING-C ODE-SEGMENT: IF DPL > CPL THEN #GP(segment selector); FI; IF segm ent not present THEN #NP(segment selector); FI; tempEIP DEST(offset); IF OperandSize=16 THEN tempEIP tem pEIP AND 0000FFFFH; FI; IF tempEIP not in code segment lim it THEN #GP(0); FI; CS DEST(SegmentSelector); (* segment descriptor information also loaded *) CS(RPL) CPL EIP tempEIP; END; NONCONFORM ING-CODE-SEGM ENT: IF (RPL > CPL) OR (DPL CPL) THEN #GP(code segment selector); FI;

3- 248


INSTRUCTION SET REFER EN CE

JMP--Jump (Continued)
IF segment not present THEN #NP(segm ent selector); FI; IF instruction pointer outside code segment limit THEN #GP(0); FI; tempEIP DEST(offset); IF OperandSize=16 THEN tempEIP tempEIP AND 0000FFFFH; FI; IF tempEIP not in code segment limit THEN #G P(0); FI; CS DEST(SegmentSelector); (* segm ent descriptor information also loaded *) CS(RPL) CPL EIP tem pEIP; END; CALL-GATE: IF call gate DPL < CPL OR call gate DPL < call gate segment-selector RPL THEN #GP(call gate selector); FI; IF call gate not present THEN #N P(call gate selector); FI; IF call gate code-segment selector is null THEN #GP(0); FI; IF call gate code-segment selector index is outside descriptor table lim its THEN #GP(code segment selector); FI; Read code segment descriptor; IF code-segment segment descriptor does not indicate a code segment OR code-segment segment descriptor is conforming and DPL > CPL OR code-segment segment descriptor is non-conforming and DPL CPL THEN #GP(code segment selector); FI; IF code segment is not present THEN #NP(code-segment selector); FI; IF instruction pointer is not within code-segment limit THEN #G P(0); FI; tempEIP DEST(offset); IF GateSize=16 THEN tempEIP tempEIP AND 0000FFFFH; FI; IF tempEIP not in code segment limit THEN #G P(0); FI; CS DEST(SegmentSelector); (* segm ent descriptor information also loaded *) CS(RPL) CPL EIP tem pEIP; END; TASK-GATE: IF task gate DPL < CPL OR task gate DPL < task gate segment-selector RPL THEN #GP(task gate selector); FI; IF task gate not present THEN #NP(gate selector); FI; Read the TSS segment selector in the task-gate descriptor; IF TSS segment selector local/global bit is set to local OR index not within GDT limits OR TSS descriptor specifies that the TSS is busy

3-249


INSTRUCTION SET REFERENCE

JMP--Jump (Continued)
THEN #GP(TSS selector); FI; IF TSS not present THEN #NP(TSS selector); FI; SWITCH-TASKS to TSS; IF EIP not within code segm ent limit THEN #GP(0); FI; END; TASK-STATE-SEG MENT: IF TSS DPL < CPL O R TSS DPL < TSS segm ent-selector RPL O R TSS descriptor indicates TSS not available THEN #GP(TSS selector); FI; IF TSS is not present THEN #NP(TSS selector); FI; SWITCH-TASKS to TSS IF EIP not within code segm ent limit THEN #GP(0); FI; END;

Flags Affected All flags are affected if a task switch occurs; no flags are affected if a task switch does not occur. Protected Mode Exceptions #GP(0) If offset in target operand, call gate, or TSS is beyond the code segment limits. If the segment selector in the destination operand, call gate, task gate, or TSS is null. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #GP(selector) If segment selector index is outside descriptor table limits. If the segment descriptor pointed to by the segment selector in the destination operand is not for a conforming-code segment, nonconforming-code segment, call gate, task gate, or task state segment. If the DPL for a nonconforming-code segment is not equal to the CPL (When not using a call gate.) If the RPL for the segment's segment selector is greater than the CPL. If the DPL for a conforming-code segment is greater than the CPL. If the DPL from a call-gate, task-gate, or TSS segment descriptor is less than the CPL or than the RPL of the call-gate, task-gate, or TSS's segment selector.

3- 250


INSTRUCTION SET REFER EN CE

JMP--Jump (Continued)
If the segment descriptor for selector in a call gate does not indicate it is a code segment. If the segment descriptor for the segment selector in a task gate does not indicate available TSS. If the segment selector for a TSS has its local/global bit set for local. If a TSS segment descriptor specifies that the TSS is busy or not available. #SS(0) #NP (selector) If a memory operand effective address is outside the SS segment limit. If the code segment being accessed is not present. If call gate, task gate, or TSS not present. #PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3. (Only occurs when fetching target from memory.)

Real-Address Mode Exceptions #GP If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. #SS If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) If the target operand is beyond the code segment limits. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made. (Only occurs when fetching target from memory.)

3-251


INSTRUCTION SET REFERENCE

LAHF--Load Status Flags into AH Register
Opcode 9F Instruction LAHF Description Load: AH = EFLAGS(SF:ZF:0:AF:0:PF:1:CF)

Description Moves the low byte of the EFLAG S register (which includes status flags SF, ZF, AF, PF, and CF) to the AH register. Reserved bits 1, 3, and 5 of the EFLAGS register are set in the AH register as shown in the "Operation" section below. Operation
AH EFLAG S(SF:ZF:0:AF:0:PF:1:CF);

Flags Affected None (that is, the state of the flags in the EFLAGS register are not affected). Exceptions (All Operating Modes) None.

3- 252


INSTRUCTION SET REFER EN CE

LAR--Load Access Rights Byte
Opcode 0F 02 /r 0F 02 /r Instruction LAR r16,r/m16 LAR r32,r/m32 D escription

r 16 r/m16 masked by FF00H r 32 r/m32 masked by 00FxFF00H

Description Loads the access rights from the segment descriptor specified by the second operand (source operand) into the first operand (destination operand) and sets the ZF flag in the EFLAGS register. The source operand (which can be a register or a memory location) contains the segment selector for the segment descriptor being accessed. The destination operand is a general-purpose register. The processor performs access checks as part of the loading process. Once loaded in the destination register, software can perform additional checks on the access rights information. When the operand size is 32 bits, the access rights for a segment descriptor include the type and DPL fields and the S, P, AVL, D/B, and G flags, all of which are located in the second doubleword (bytes 4 through 7) of the segment descriptor. The doubleword is masked by 00FX FF00H before it is loaded into the destination operand. When the operand size is 16 bits, the access rights include the type and DPL fields. Here, the two lower-order bytes of the doubleword are masked by FF00H before being loaded into the destination operand. This instruction performs the following checks before it loads the access rights in the destination register:

· · · ·

Checks that the segment selector is not null. Checks that the segment selector points to a descriptor that is within the limits of the GDT or LDT being accessed Checks that the descriptor type is valid for this instruction. All code and data segment descriptors are valid for (can be accessed with) the LAR instruction. The valid system segment and gate descriptor types are given in the following table. If the segment is not a conforming code segment, it checks that the specified segment descriptor is visible at the CPL (that is, if the CPL and the RPL of the segment selector are less than or equal to the DPL of the segment selector).

If the segment descriptor cannot be accessed or is an invalid type for the instruction, the ZF flag is cleared and no access rights are loaded in the destination operand. The LAR instruction can only be executed in protected mode.

3-253


INSTRUCTION SET REFERENCE

LAR--Load Access Rights Byte (Continued)
Type 0 1 2 3 4 5 6 7 8 9 A B C D E F Name Reser ved Available 16- bit TSS L DT Busy 16-bit TSS 16-bit call gate 16-bit/32-bit task gate 16-bit interr upt gate 16-bit trap gate Reser ved Available 32- bit TSS Reser ved Busy 32-bit TSS 32-bit call gate Reser ved 32-bit interr upt gate 32-bit trap gate Valid No Yes Yes Yes Yes Yes No No No Yes No Yes Yes No No No

Operation
IF SRC(Offset) > descriptor table lim it THEN ZF 0; FI; Read segment descriptor; IF SegmentDescriptor(Type) conforming code segment AND (CPL > DPL) OR (RPL > DPL) O R Segment type is not valid for instruction THEN ZF 0 ELSE IF OperandSize = 32 THEN DEST [SRC ] AND 00FxFF00H; ELSE (*OperandSize = 16*) DEST [SRC ] AND FF00H; FI; FI;

Flags Affected The ZF flag is set to 1 if the access rights are loaded successfully; otherwise, it is cleared to 0.

3- 254


INSTRUCTION SET REFER EN CE

LAR--Load Access Rights Byte (Continued)
Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3. (Only occurs when fetching target from memory.)

Real-Address Mode Exceptions #UD The LA R instruction is not recognized in real-address mode.

Virtual-8086 Mode Exceptions #UD The LA R instruction cannot be executed in virtual-8086 mode.

3-255


INSTRUCTION SET REFERENCE

LDS/LES/LFS/LGS/LSS--Load Far Pointer
Opcode C5 /r C5 /r 0F B2 /r 0F B2 /r C4 /r C4 /r 0F B4 /r 0F B4 /r 0F B5 /r 0F B5 /r Instruction LD S r16,m16:16 LD S r32,m16:32 LS S r16,m16:16 LS S r32,m16:32 LE S r16,m16:16 LE S r32,m16:32 LFS r16,m16:16 LFS r32,m16:32 LGS r16,m16:16 LGS r32,m16:32 Description Load DS :r16 with far pointer from memor y Load DS :r32 with far pointer from memor y Load SS :r16 with far pointer from memor y Load SS :r32 with far pointer from memor y Load ES :r16 with far pointer from memor y Load ES :r32 with far pointer from memor y Load FS:r16 w ith far pointer from memor y Load FS:r32 w ith far pointer from memor y Load GS:r16 with far pointer from memor y Load GS:r32 with far pointer from memor y

Description Loads a far pointer (segment selector and offset) from the second operand (source operand) into a segment register and the first operand (destination operand). The source operand specifies a 48-bit or a 32-bit pointer in memory depending on the current setting of the operand-size attribute (32 bits or 16 bits, respectively). The instruction opcode and the destination operand specify a segment register/general-purpose register pair. The 16-bit segment selector from the source operand is loaded into the segment register specified w ith the opcode (DS, SS, ES, FS, or GS). The 32-bit or 16-bit offset is loaded into the register specified with the destination operand. If one of these instructions is executed in protected mode, additional information from the segment descriptor pointed to by the segment selector in the source operand is loaded in the hidden part of the selected segment register. Also in protected mode, a null selector (values 0000 through 0003) can be loaded into D S, ES, FS, or GS registers without causing a protection exception. (Any subsequent reference to a segment whose corresponding segment register is loaded with a null selector, causes a generalprotection exception (#GP) and no memory reference to the segment occurs.) Operation
IF ProtectedMode THEN IF SS is loaded THEN IF SegementSelector = null THEN #GP(0); FI; ELSE IF Segment selector index is not within descriptor table limits O R Segment selector RPL CPL O R Access rights indicate nonwritable data segment OR DPL CPL

3- 256


INSTRUCTION SET REFER EN CE

LDS/LES/LFS/LGS/LSS--Load Far Pointer (Continued)
THEN #GP(selector); FI; ELSE IF Segm ent marked not present THEN #SS(selector); FI; SS Segm entSelector(SRC); SS Segm entDescriptor([SRC]); ELSE IF DS, ES, FS, or GS is loaded with non-null segment selector THEN IF Segment selector index is not within descriptor table limits OR Access rights indicate segm ent neither data nor readable code segment OR (Segment is data or nonconforming-code segment AND both RPL and CPL > DPL) THEN #GP(selector); FI; ELSE IF Segm ent marked not present THEN #NP(selector); FI; SegmentRegister SegmentSelector(SRC) AND RPL; SegmentRegister SegmentDescriptor([SRC]); ELSE IF DS, ES, FS or G S is loaded with a null selector: SegmentRegister NullSelector; SegmentRegister(DescriptorValidBit) 0; (*hidden flag; not accessible by software*) FI; FI; IF (Real-Address or Virtual-8086 Mode) THEN SegmentRegister SegmentSelector(SRC); FI; DEST Offset(SRC);

Flags Affected None. Protected Mode Exceptions #UD #GP(0) If source operand is not a memory location. If a null selector is loaded into the SS register. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector.

3-257


INSTRUCTION SET REFERENCE

LDS/LES/LFS/LGS/LSS--Load Far Pointer (Continued)
#GP(selector) If the SS register is being loaded and any of the following is true: the segment selector index is not within the descriptor table limits, the segment selector RPL is not equal to CPL, the segment is a nonw ritable data segment, or DPL is not equal to CPL. If the DS, ES, FS, or GS register is being loaded with a non-null segment selector and any of the following is true: the segment selector index is not within descriptor table limits, the segment is neither a data nor a readable code segment, or the segment is a data or nonconforming-code segment and both RPL and CPL are greater than DPL. #SS(0) #SS(selector) #NP(selector) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If the SS register is being loaded and the segment is marked not present. If DS, ES, FS, or GS register is being loaded with a non-null segment selector and the segment is marked not present. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS #UD If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If source operand is not a memory location.

Vir tual-8086 Mode Exceptions #UD #GP(0) #SS(0) #PF(fault-code) #AC(0) If source operand is not a memory location. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 258


INSTRUCTION SET REFER EN CE

LEA--Load Effective Address
Opcode 8D /r 8D /r Instruction LEA r16,m LEA r32,m D escription S tore effective address for m in register r16 S tore effective address for m in register r32

Description Computes the effective address of the second operand (the source operand) and stores it in the first operand (destination operand). The source operand is a memory address (offset part) specified with one of the processors addressing modes; the destination operand is a general-purpose register. The address-size and operand-size attributes affect the action performed by this instruction, as shown in the following table. The operand-size attribute of the instruction is determined by the chosen register; the address-size attribute is determined by the attribute of the code segment.
Operand S ize 16 16 32 32 A ddress Size 16 32 16 32 Action Performed 16-bit effective address is calculated and stored in requested 16-bit register destination. 32-bit effective address is calculated. The lower 16 bits of the address are stored in the requested 16-bit register destination. 16-bit effective address is calculated. The 16-bit address is zeroextended and stored in the requested 32-bit register destination. 32-bit effective address is calculated and stored in the requested 32-bit register destination.

Different assemblers may use different algorithms based on the size attribute and symbolic reference of the source operand. Operation
IF OperandSize = 16 AND AddressSize = 16 THEN DEST EffectiveAddress(SRC); (* 16-bit address *) ELSE IF OperandSize = 16 AND AddressSize = 32 THEN temp EffectiveAddress(SRC ); (* 32-bit address *) DEST temp[0..15]; (* 16-bit address *) ELSE IF OperandSize = 32 AND AddressSize = 16 THEN temp EffectiveAddress(SRC ); (* 16-bit address *) DEST ZeroExtend(temp); (* 32-bit address *) ELSE IF OperandSize = 32 AND AddressSize = 32 THEN

3-259


INSTRUCTION SET REFERENCE

LEA--Load Effective Address (Continued)
DEST EffectiveAddress(SR C); (* 32-bit address *) FI; FI;

Flags Affected None. Protected Mode Exceptions #UD If source operand is not a memory location.

Real-Address Mode Exceptions #UD If source operand is not a memory location.

Vir tual-8086 Mode Exceptions #UD If source operand is not a memory location.

3- 260


INSTRUCTION SET REFER EN CE

LEAVE--High Level Procedure Exit
Opcode C9 C9 Instruction LEAVE LEAVE D escription S et SP to BP then pop BP , Set ESP to EBP then pop EBP ,

Description Releases the stack frame set up by an earlier EN TER instruction. The LEAVE instruction copies the frame pointer (in the EBP register) into the stack pointer register (ESP), which releases the stack space allocated to the stack frame. The old frame pointer (the frame pointer for the calling procedure that was saved by the ENTER instruction) is then popped from the stack into the EBP register, restoring the calling procedure's stack frame. A RET instruction is commonly executed follow ing a LEAVE instruction to return program control to the calling procedure. See "Procedure Calls for Block-Structured Languages" in Chapter 6 of the Intel Architecture Software Developer's Manual, Volume 1, for detailed information on the use of the ENTER and LEAVE instructions. Operation
IF StackAddressSize = 32 THEN ESP EBP; ELSE (* StackAddressSize = 16*) SP BP; FI; IF OperandSize = 32 THEN EBP Pop(); ELSE (* OperandSize = 16*) BP Pop(); FI;

Flags Affected None. Protected Mode Exceptions #SS(0) #PF(fault-code) If the EBP register points to a location that is not within the limits of the current stack segment. If a page fault occurs.

3-261


INSTRUCTION SET REFERENCE

LEAVE--High Level Procedure Exit (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP If the EBP register points to a location outside of the effective address space from 0 to 0FFFFH.

Vir tual-8086 Mode Exceptions #GP(0) #PF(fault-code) #AC(0) If the EBP register points to a location outside of the effective address space from 0 to 0FFFFH. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 262


INSTRUCTION SET REFER EN CE

LES--Load Full Pointer
See entry for LDS/LES/LFS/LGS/LSS--Load Far Pointer.

3-263


INSTRUCTION SET REFERENCE

LFS--Load Full Pointer
See entry for LDS/LES/LFS/LGS/LSS--Load Far Pointer.

3- 264


INSTRUCTION SET REFER EN CE

LGDT/LIDT--Load Global/Interrupt Descriptor Table Register
Opcode 0F 01 /2 0F 01 /3 Instruction LGDT m16&32 LIDT m16&32 D escription Load m into GDTR Load m into IDTR

Description Loads the values in the source operand into the global descriptor table register (GDTR) or the interrupt descriptor table register (IDTR). The source operand specifies a 6-byte memory location that contains the base address (a linear address) and the limit (size of table in bytes) of the global descriptor table (GDT) or the interrupt descriptor table (IDT). If operand-size attribute is 32 bits, a 16-bit limit (lower 2 bytes of the 6-byte data operand) and a 32-bit base address ( up p er 4 byt es o f th e da ta op er an d ) ar e l oa de d in to t he r eg ist er. I f th e o p er an d- siz e a tt ri bu te i s 16 bits, a 16-bit limit (lower 2 bytes) and a 24-bit base address (third, fourth, and fifth byte) are loaded. Here, the high-order byte of the operand is not used and the high-order byte of the base address in the GDTR or IDTR is filled with zeros. The LGDT and LIDT instructions are used only in operating-system software; they are not used in application programs. They are the only instructions that directly load a linear address (that is, not a segment-relative address) and a limit in protected mode. They are commonly executed in real-address mode to allow processor initialization prior to switching to protected mode. See "SGDT/SIDT--Store Global/Interrupt Descriptor Table Register" in this chapter for information on storing the contents of the GDTR and IDTR. Operation
IF instruction is LIDT THEN IF OperandSize = 16 THEN IDTR(Limit) SRC[0:15]; IDTR(Base) SRC[16:47] AND 00FFFFFFH; ELSE (* 32-bit Operand Size *) IDTR(Limit) SRC[0:15]; IDTR(Base) SRC[16:47]; FI; ELSE (* instruction is LGDT *) IF OperandSize = 16 THEN GDTR(Limit) SRC[0:15]; GDTR(Base) SRC[16:47] AND 00FFFFFFH; ELSE (* 32-bit Operand Size *) GDTR(Limit) SRC[0:15]; GDTR(Base) SRC[16:47]; FI; FI;

3-265


INSTRUCTION SET REFERENCE

LGDT/LIDT--Load Global/Interrupt Descriptor Table Register (Continued)
Flags Affected None. Protected Mode Exceptions #UD #GP(0) If source operand is not a memory location. If the current privilege level is not 0. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

Real-Address Mode Exceptions #UD #GP #SS If source operand is not a memory location. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.

3- 266


INSTRUCTION SET REFER EN CE

LGS--Load Full Pointer
See entry for LDS/LES/LFS/LGS/LSS--Load Far Pointer.

3-267


INSTRUCTION SET REFERENCE

LLDT--Load Local Descriptor Table Register
Opcode 0F 00 /2 Instruction LLDT r/m16 Description Load segment selector r/m16 into LDTR

Description Loads the source operand into the segment selector field of the local descriptor table register (LDTR). The source operand (a general-purpose register or a memory location) contains a segment selector that points to a local descriptor table (LDT). After the segment selector is loaded in the LDTR, the processor uses to segment selector to locate the segment descriptor for the LDT in the global descriptor table (GDT). It then loads the segment limit and base address for the LD T from the segment descriptor into the LDTR. The segment registers DS, ES, SS, FS, GS, and CS are not affected by this instruction, nor is the LDTR field in the task state segment (TSS) for the current task. If the source operand is 0, the LDTR is marked invalid and all references to descriptors in the LDT (except by the LA R, VERR, VERW or LSL instructions) cause a general protection exception (#GP). The operand-size attribute has no effect on this instruction. The LLDT instruction is provided for use in operating-system software; it should not be used in application programs. Also, this instruction can only be executed in protected mode. Operation
IF SRC(Offset) > descriptor table lim it THEN #GP(segment selector); FI; Read segment descriptor; IF SegmentDescriptor(Type) LDT THEN #GP(segment selector); FI; IF segment descriptor is not present THEN #NP(segment selector); LDTR(SegmentSelector) SRC; LDTR(SegmentDescriptor) GDTSegmentDescriptor;

Flags Affected None. Protected Mode Exceptions #GP(0) If the current privilege level is not 0. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #GP(selector) If the selector operand does not point into the Global Descriptor Table or if the entry in the G DT is not a Local D escriptor Table.

3- 268


INSTRUCTION SET REFER EN CE

LLDT--Load Local Descriptor Table Register (Continued)
Segment selector is beyond GDT limit. #SS(0) #NP(selector) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If the LDT descriptor is not present. If a page fault occurs.

Real-Address Mode Exceptions #UD The LLDT instruction is not recognized in real-address mode.

Virtual-8086 Mode Exceptions #UD The LLDT instruction is recognized in virtual-8086 mode.

3-269


INSTRUCTION SET REFERENCE

LIDT--Load Interrupt Descriptor Table Register
See entry for LGDT/LIDT--Load Global/Interrupt Descriptor Table Register.

3- 270


INSTRUCTION SET REFER EN CE

LMSW--Load Machine Status Word
Opcode 0F 01 /6 Instruction LMSW r/m16 D escription Loads r/m16 in machine status word of CR0

Description Loads the source operand into the machine status word, bits 0 through 15 of register CR0. The source operand can be a 16-bit general-purpose register or a memory location. Only the loworder 4 bits of the source operand (which contains the PE, MP, EM, and TS flags) are loaded into CR0. The PG, CD, NW, AM, WP, NE, and ET flags of CR0 are not affected. The operandsize attribute has no effect on this instruction. If the PE flag of the source operand (bit 0) is set to 1, the instruction causes the processor to switch to protected mode. While in protected mode, the LMSW instruction cannot be used clear the PE flag and force a switch back to real-address mode. The LMSW instruction is provided for use in operating-system software; it should not be used in application programs. In protected or virtual-8086 mode, it can only be executed at CPL 0. This instruction is provided for compatibility w ith the Intel 286 processor; programs and procedures intended to run on the Pentium Pro, Pentium, Intel486, and Intel386 processors should use the MOV (control registers) instruction to load the w hole CR0 register. The MOV CR0 instruction can be used to set and clear the PE flag in CR0, allowing a procedure or program to switch betw een protected and real-address modes. This instruction is a serializing instruction. Operation
CR0[0:3] SRC[0:3];

Flags Affected None. Protected Mode Exceptions #GP(0) If the current privilege level is not 0. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3-271


INSTRUCTION SET REFERENCE

LMSW--Load Machine Status Word (Continued)
Real-Address Mode Exceptions #GP If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) If the current privilege level is not 0. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 272


INSTRUCTION SET REFER EN CE

LOCK--Assert LOCK# Signal Prefix
Opcode F0 Instruction LOCK D escription Asser ts LOCK# signal for duration of the accompanying instr uction

Description Causes the processor's LOCK# signal to be asserted during execution of the accompanying instruction (turns the instruction into an atomic instruction). In a multiprocessor environment, the LOCK# signal insures that the processor has exclusive use of any shared memory while the signal is asserted. Note that in later Intel A rchitecture processors (such as the Pentium Pro processor), locking may occur w ithout the LOCK# signal being asserted. See Intel Architecture Compatibility below. The LOCK prefix can be prepended only to the following instructions and to those forms of the instructions that use a memory operand: A DD, ADC, AND, BTC, BTR, BTS, CMPXCHG, DEC, INC, NEG, NOT, OR, SBB, SUB, XOR, XADD, and XCHG. An undefined opcode exception will be generated if the LOCK prefix is used w ith any other instruction. The XCHG instruction always asserts the LOCK# signal regardless of the presence or absence of the LOCK prefix. The LOCK prefix is typically used with the BTS instruction to perform a read-modify-write operation on a memory location in shared memory environment. The integrity of the LOCK prefix is not affected by the alignment of the memory field. Memory locking is observed for arbitrarily misaligned fields. Intel Architecture Compatibility Beginning with the Pentium Pro processor, when the LOCK prefix is prefixed to an instruction and the memory area being accessed is cached internally in the processor, the LOCK# signal is generally not asserted. Instead, only the processor's cache is locked. H ere, the processor's cache coherency mechanism insures that the operation is carried out atomically with regards to memory. See "Effects of a Locked Operation on Internal Processor Caches" in Chapter 7 of Intel Architecture Software Developer's Manual, Volume 3, the for more information on locking of caches. Operation
AssertLOCK#(DurationO fAccompaningInstruction)

Flags Affected None.

3-273


INSTRUCTION SET REFERENCE

LOCK--Asser t LOCK# Signal Prefix (Continued)
Protected Mode Exceptions #UD If the LOCK prefix is used with an instruction not listed in the "Description" section above. Other exceptions can be generated by the instruction that the LOCK prefix is being applied to.

Real-Address Mode Exceptions #UD If the LOCK prefix is used with an instruction not listed in the "Description" section above. Other exceptions can be generated by the instruction that the LOCK prefix is being applied to.

Vir tual-8086 Mode Exceptions #UD If the LOCK prefix is used with an instruction not listed in the "Description" section above. Other exceptions can be generated by the instruction that the LOCK prefix is being applied to.

3- 274


INSTRUCTION SET REFER EN CE

LODS/LODSB/LODSW/LODSD--Load String
Opcode AC AD AD AC AD AD Instruction LODS m8 LODS m16 LODS m32 LODSB LODSW LODSD D escription Load byte at address DS:(E)SI into AL Load word at address DS:(E)SI into AX Load doubleword at address DS:(E)SI into EAX Load byte at address DS:(E)SI into AL Load word at address DS:(E)SI into AX Load doubleword at address DS:(E)SI into EAX

Description Loads a byte, word, or doubleword from the source operand into the AL, AX, or EAX register, respectively. The source operand is a memory location, the address of which is read from the DS:EDI or the DS:SI registers (depending on the address-size attribute of the instruction, 32 or 16, respectively). The DS segment may be overridden with a segment override prefix. At the assembly-code level, two forms of this instruction are allow ed: the "explicit-operands" form and the "no-operands" form. The explicit-operands form (specified with the LODS mnemonic) allows the source operand to be specified explicitly. Here, the source operand should be a symbol that indicates the size and location of the source value. The destination operand is then automatically selected to match the size of the source operand (the AL register for byte operands, AX for word operands, and EAX for doubleword operands). This explicit-operands form is provided to allow documentation; however, note that the documentation provided by this form can be misleading. That is, the source operand symbol must specify the correct type (size) of the operand (byte, word, or doubleword), but it does not have to specify the correct location. The location is always specified by the DS:(E)SI registers, which must be loaded correctly before the load string instruction is executed. The no-operands form provides "short forms" of the byte, word, and doubleword versions of the LODS instructions. Here also DS:(E)SI is assumed to be the source operand and the AL, AX, or EAX register is assumed to be the destination operand. The size of the source and destination operands is selected with the mnemonic: LODSB (byte loaded into register AL), LODSW (word loaded into AX), or LODSD (doubleword loaded into EAX). After the byte, word, or doubleword is transferred from the memory location into the AL, AX, or EAX register, the (E)SI register is incremented or decremented automatically according to the setting of the DF flag in the EFLAGS register. (If the D F flag is 0, the (E)SI register is incremented; if the DF flag is 1, the ESI register is decremented.) The (E)SI register is incremented or decremented by 1 for byte operations, by 2 for word operations, or by 4 for doubleword operations. The LODS, LODSB, LODSW, and LODSD instructions can be preceded by the REP prefix for block loads of ECX bytes, words, or doublewords. More often, however, these instructions are used within a LOOP construct because further processing of the data moved into the register is usually necessary before the next transfer can be made. See "REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix" in this chapter for a description of the REP prefix.

3-275


INSTRUCTION SET REFERENCE

LODS/LODSB/LODSW/LODSD--Load String (Continued)
Operation
IF (byte load) THEN AL SRC; (* byte load *) THEN IF DF = 0 THEN (E)SI (E)SI + 1; ELSE (E)SI (E)SI ­ 1; FI; ELSE IF (word load) THEN AX SRC; (* word load *) THEN IF DF = 0 THEN (E)SI (E)SI + 2; ELSE (E)SI (E)SI ­ 2; FI; ELSE (* doubleword transfer *) EAX SRC; (* doubleword load *) THEN IF DF = 0 THEN (E)SI (E)SI + 4; ELSE (E)SI (E)SI ­ 4; FI; FI; FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.

3- 276


INSTRUCTION SET REFER EN CE

LODS/LODSB/LODSW/LODSD--Load String (Continued)
#SS If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-277


INSTRUCTION SET REFERENCE

LOOP/LOOPcc--Loop According to ECX Counter
Opcode E2 cb E1 cb E1 cb E0 cb E0 cb Instruction LOOP rel8 LOOP E rel8 LOOP Z rel8 LOOP NE rel8 LOOP NZ rel8 Description Decrement count; jump shor t if count 0 Decrement count; jump shor t if count 0 and ZF=1 Decrement count; jump shor t if count 0 and ZF=1 Decrement count; jump shor t if count 0 and ZF=0 Decrement count; jump shor t if count 0 and ZF=0

Description Performs a loop operation using the ECX or CX register as a counter. Each time the LOOP instruction is executed, the count register is decremented, then checked for 0. If the count is 0, the loop is terminated and program execution continues with the instruction following the LOOP instruction. If the count is not zero, a near jump is performed to the destination (target) operand, which is presumably the instruction at the beginning of the loop. If the address-size attribute is 32 bits, the ECX register is used as the count register; otherwise the CX register is used. The target instruction is specified with a relative offset (a signed offset relative to the current value of the instruction pointer in the EIP register). This offset is generally specified as a label in assembly code, but at the machine code level, it is encoded as a signed, 8-bit immediate value, which is added to the instruction pointer. Offsets of ­128 to +127 are allowed with this instruction. Some forms of the loop instruction (LOOPcc) also accept the ZF flag as a condition for terminating the loop before the count reaches zero. With these forms of the instruction, a condition code (cc) is associated with each instruction to indicate the condition being tested for. Here, the LOO Pcc instruction itself does not affect the state of the ZF flag; the ZF flag is changed by other instructions in the loop. Operation
IF AddressSize = 32 THEN Count is ECX; ELSE (* AddressSize = 16 *) Count is CX; FI; Count Count ­ 1; IF instruction is not LO OP THEN IF (instruction = LOOPE) OR (instruction = LOOPZ) THEN IF (ZF =1) AND (Count 0) THEN BranchCond 1; ELSE BranchCond 0;

3- 278


INSTRUCTION SET REFER EN CE

LOOP/LOOPcc--Loop According to ECX Counter (Continued)
FI; FI; IF (instruction = LOO PNE) O R (instruction = LOOPNZ) THEN IF (ZF =0 ) AND (Count 0) THEN BranchCond 1; ELSE BranchCond 0; FI; FI; ELSE (* instruction = LOOP *) IF (Count 0) THEN BranchCond 1; ELSE BranchCond 0; FI; FI; IF BranchCond = 1 THEN EIP EIP + SignExtend(DEST); IF OperandSize = 16 THEN EIP EIP AND 0000FFFFH; FI; ELSE Terminate loop and continue program execution at EIP; FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If the offset jumped to is beyond the limits of the code segment.

Real-Address Mode Exceptions None. Virtual-8086 Mode Exceptions None.

3-279


INSTRUCTION SET REFERENCE

LSL--Load Segment Limit
Opcode 0F 03 /r 0F 03 /r Instruction LS L r16,r/m16 LS L r32,r/m32 Description Load: r16 segment limit, selector r/m16 Load: r32 segment limit, selector r/m32)

Description Loads the unscrambled segment limit from the segment descriptor specified with the second operand (source operand) into the first operand (destination operand) and sets the ZF flag in the EFLAGS register. The source operand (which can be a register or a memory location) contains the segment selector for the segment descriptor being accessed. The destination operand is a general-purpose register. The processor performs access checks as part of the loading process. Once loaded in the destination register, software can compare the segment limit with the offset of a pointer. The segment limit is a 20-bit value contained in bytes 0 and 1 and in the first 4 bits of byte 6 of the segment descriptor. If the descriptor has a byte granular segment limit (the granularity flag is set to 0), the destination operand is loaded with a byte granular value (byte limit). If the descriptor has a page granular segment limit (the granularity flag is set to 1), the LSL instruction will translate the page granular limit (page limit) into a byte limit before loading it into the destination operand. The translation is performed by shifting the 20-bit "raw" limit left 12 bits and filling the low-order 12 bits with 1s. When the operand size is 32 bits, the 32-bit byte limit is stored in the destination operand. W hen the operand size is 16 bits, a valid 32-bit limit is computed; however, the upper 16 bits are truncated and only the low-order 16 bits are loaded into the destination operand. This instruction performs the following checks before it loads the segment limit into the destination register:

· · · ·

Checks that the segment selector is not null. Checks that the segment selector points to a descriptor that is within the limits of the GDT or LDT being accessed Checks that the descriptor type is valid for this instruction. All code and data segment descriptors are valid for (can be accessed w ith) the LSL instruction. The valid special segment and gate descriptor types are given in the following table. If the segment is not a conforming code segment, the instruction checks that the specified segment descriptor is visible at the CPL (that is, if the CPL and the RPL of the segment selector are less than or equal to the DPL of the segment selector).

If the segment descriptor cannot be accessed or is an invalid type for the instruction, the ZF flag is cleared and no value is loaded in the destination operand.

3- 280


INSTRUCTION SET REFER EN CE

LSL--Load Segment Limit (Continued)
Type 0 1 2 3 4 5 6 7 8 9 A B C D E F Name Reser ved Available 16-bit TSS L DT Busy 16- bit TSS 16-bit call gate 16-bit/32-bit task gate 16-bit interr upt gate 16-bit trap gate Reser ved Available 32-bit TSS Reser ved Busy 32- bit TSS 32-bit call gate Reser ved 32-bit interr upt gate 32-bit trap gate Valid No Yes Yes Yes No No No No No Yes No Yes No No No No

Operation
IF SRC(Offset) > descriptor table limit THEN ZF 0; FI; Read segment descriptor; IF SegmentDescriptor(Type) conform ing code segment AND (CPL > DPL) OR (RPL > DPL) OR Segment type is not valid for instruction THEN ZF 0 ELSE temp SegmentLimit([SRC]); IF (G = 1) THEN temp ShiftLeft(12, temp) O R 00000FFFH; FI; IF OperandSize = 32 THEN DEST temp; ELSE (*OperandSize = 16*)

3-281


INSTRUCTION SET REFERENCE

LSL--Load Segment Limit (Continued)
DEST temp AND FFFFH; FI; FI;

Flags Affected The ZF flag is set to 1 if the segment limit is loaded successfully; otherwise, it is cleared to 0. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #UD The LSL instruction is not recognized in real-address mode.

Vir tual-8086 Mode Exceptions #UD The LSL instruction is not recognized in virtual-8086 mode.

3- 282


INSTRUCTION SET REFER EN CE

LSS--Load Full Pointer
See entry for LDS/LES/LFS/LGS/LSS--Load Far Pointer.

3-283


INSTRUCTION SET REFERENCE

LTR--Load Task Register
Opcode 0F 00 /3 Instruction LTR r/m16 Description Load r/m16 into task register

Description Loads the source operand into the segment selector field of the task register. The source operand (a general-purpose register or a memory location) contains a segment selector that points to a task state segment (TSS). After the segment selector is loaded in the task register, the processor uses the segment selector to locate the segment descriptor for the TSS in the global descriptor table (GDT). It then loads the segment limit and base address for the TSS from the segment descriptor into the task register. The task pointed to by the task register is marked busy, but a switch to the task does not occur. The LTR instruction is provided for use in operating-system software; it should not be used in application programs. It can only be executed in protected mode when the CPL is 0. It is commonly used in initialization code to establish the first task to be executed. The operand-size attribute has no effect on this instruction. Operation
IF SRC(Offset) > descriptor table lim it OR IF SRC(type) global THEN #GP(segm ent selector); FI; Read segment descriptor; IF segment descriptor is not for an available TSS THEN #GP(segment selector); FI; IF segment descriptor is not present THEN #NP(segment selector); TSSsegmentDescriptor(busy) 1; (* Locked read-modify-write operation on the entire descriptor when setting busy flag *) TaskRegister(SegmentSelector) SR C; TaskRegister(SegmentDescriptor) TSSSegmentD escriptor;

Flags Affected None. Protected Mode Exceptions #GP(0) If the current privilege level is not 0. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector.

3- 284


INSTRUCTION SET REFER EN CE

LTR--Load Task Register (Continued)
#GP(selector) If the source selector points to a segment that is not a TSS or to one for a task that is already busy. If the selector points to LDT or is beyond the GDT limit. #NP(selector) #SS(0) #PF(fault-code) If the TSS is marked not present. If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

Real-Address Mode Exceptions #UD The LTR instruction is not recognized in real-address mode.

Virtual-8086 Mode Exceptions #UD The LTR instruction is not recognized in virtual-8086 mode.

3-285


INSTRUCTION SET REFERENCE

MOV--Move
Opcode 88 /r 89 /r 89 /r 8A /r 8B /r 8B /r 8C /r 8E /r A0 A1 A1 A2 A3 A3 B0+ rb B8+ rw B8+ rd C6 /0 C7 /0 C7 /0 NOTE S: * The moffs8, moffs16, and moffs32 operands specify a simple offset relative to the segment base, where 8, 16, and 32 refer to the size of the data. The address-size attr ibute of the instr uction deter mines the size of the offset, either 16 or 32 bits. ** In 32- bit mode, the assembler may inser t the 16-bit operand- size prefix with this instr uction (see the following "Descr iption" section for fur ther infor mation). Instruction MOV r/m8,r8 MOV r/m16,r16 MOV r/m32,r32 MOV r8,r/m8 MOV r16,r/m16 MOV r32,r/m32 MOV r/m16,Sreg** MOV Sr eg,r/m16** MOV AL,moffs8* MOV AX,moffs16* MOV EAX,moffs32* MOV moffs8*,A L MOV moffs16*,AX MOV moffs32*,EAX MOV r8,imm8 MOV r16,imm16 MOV r32,imm32 MOV r/m8,imm8 MOV r/m16,imm16 MOV r/m32,imm32 Description Move r8 to r/m8 Move r16 to r/m16 Move r32 to r/m32 Move r/m8 to r8 Move r/m16 to r16 Move r/m32 to r32 Move segment register to r/m16 Move r/m16 to segment register Move byte at (seg:offset) to AL Move word at (seg:offset) to AX Move doubleword at (seg:offset) to EAX Move AL to (seg:offset) Move AX to (seg:offset) Move EAX to (seg:offset) Move imm8 to r8 Move imm16 to r16 Move imm32 to r32 Move imm8 to r/m8 Move imm16 to r/m16 Move imm32 to r/m32

Description Copies the second oper source operand can be memory location; the de memory location. Both doubleword. and (source operand) to the first operand (destination operand). The an immediate value, general-purpose register, segment register, or stination register can be a general-purpose register, segment register, or operands must be the same size, which can be a byte, a word, or a

The MOV instruction cannot be used to load the CS register. Attempting to do so results in an invalid opcode exception (#UD). To load the CS register, use the far JMP, CALL, or RET instruction.

3- 286


INSTRUCTION SET REFER EN CE

MOV--Move (Continued)
If the destination operand is a segment register (DS, ES, FS, GS, or SS), the source operand must be a valid segment selector. In protected mode, moving a segment selector into a segment register automatically causes the segment descriptor information associated w ith that segment selector to be loaded into the hidden (shadow) part of the segment register. While loading this information, the segment selector and segment descriptor information is validated (see the "Operation" algorithm below). The segment descriptor data is obtained from the GDT or LDT entry for the specified segment selector. A null segment selector (values 0000-0003) can be loaded into the D S, ES, FS, and GS registers without causing a protection exception. However, any subsequent attempt to reference a segment whose corresponding segment register is loaded with a null value causes a general protection exception (#GP) and no memory reference occurs. Loading the SS register with a MOV instruction inhibits all interrupts until after the execution of the next instruction. This operation allows a stack pointer to be loaded into the ESP register with the next instruction (MOV ESP, stack-pointer value) before an interrupt occurs1. The LSS instruction offers a more efficient method of loading the SS and ESP registers. When operating in 32-bit mode and moving data between a segment register and a generalpurpose register, the Intel Architecture 32-bit processors do not require the use of the 16-bit operand-size prefix (a byte with the value 66H) with this instruction, but most assemblers will insert it if the standard form of the instruction is used (for example, MOV DS, AX). The processor will execute this instruction correctly, but it will usually require an extra clock. With most assemblers, using the instruction form MOV DS, EAX will avoid this unneeded 66H prefix. When the processor executes the instruction with a 32-bit general-purpose register, it assu mes th at th e 16 le ast- significant bits of the general-purpose register are the destination or source operand. If the register is a destination operand, the resulting value in the two high-order bytes of the register is implementation dependent. For the Pentium Pro processor, the two highorder bytes are filled with zeros; for earlier 32-bit Intel Architecture processors, the two high order bytes are undefined. Operation
DEST SRC;

Loading a segment register while in protected mode results in special checks and actions, as described in the following listing. These checks are performed on the segment selector and the segment descriptor it points to.
IF SS is loaded;
1. Note that in a sequence of instr uctions that individually delay interr upts past the following instruction, only the first instr uction in the sequence is guaranteed to delay the interr upt, but subsequent inter rupt-delaying instr uctions may not delay the inter rupt. Thus, in the following instruction sequence: STI MOV SS, EAX MOV ESP, EB P interr upts may be recognized before MOV E SP EB P executes, because STI also delays interr upts for one , instr uction.

3-287


INSTRUCTION SET REFERENCE

MOV--Move (Continued)
THEN IF segm ent selector is null THEN #GP(0); FI; IF segm ent selector index is outside descriptor table limits O R segm ent selector's RPL CPL O R segm ent is not a writable data segment OR DPL CPL THEN #GP(selector); FI; IF segm ent not marked present THEN #SS(selector); ELSE SS segm ent selector; SS segm ent descriptor; FI; FI; IF DS, ES, FS or GS is loaded with non-null selector; THEN IF segm ent selector index is outside descriptor table limits O R segm ent is not a data or readable code segment O R ((segment is a data or nonconforming code segment) AND (both RPL and CPL > DPL)) THEN #GP(selector); IF segm ent not marked present THEN #NP(selector); ELSE SegmentRegister segment selector; SegmentRegister segment descriptor; FI; FI; IF DS, ES, FS or GS is loaded with a null selector; THEN SegmentRegister segment selector; SegmentRegister segment descriptor; FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If attempt is made to load SS register with null segment selector. If the destination operand is in a nonwritable segment.

3- 288


INSTRUCTION SET REFER EN CE

MOV--Move (Continued)
If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #GP(selector) If segment selector index is outside descriptor table limits. If the SS register is being loaded and the segment selector's RPL and the segment descriptor's DPL are not equal to the CPL. If the SS register is being loaded and the segment pointed to is a nonwritable data segment. If the DS, ES, FS, or GS register is being loaded and the segment pointed to is not a data or readable code segment. If the DS, ES, FS, or GS register is being loaded and the segment pointed to is a data or nonconforming code segment, but both the RPL and the CPL are greater than the DPL. #SS(0) #SS(selector) #NP #PF(fault-code) #AC(0) #UD If a memory operand effective address is outside the SS segment limit. If the SS register is being loaded and the segment pointed to is marked not present. If the DS, ES, FS, or GS register is being loaded and the segment pointed to is marked not present. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3. If attempt is made to load the CS register.

Real-Address Mode Exceptions #GP #SS #UD If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If attempt is made to load the CS register.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3-289


INSTRUCTION SET REFERENCE

MOV--Move (Continued)
#AC(0) #UD If alignment checking is enabled and an unaligned memory reference is made. If attempt is made to load the CS register.

3- 290


INSTRUCTION SET REFER EN CE

MOV--Move to/from Control Registers
Opcode 0F 22 /r 0F 22 /r 0F 22 /r 0F 22 /r 0F 20 /r 0F 20 /r 0F 20 /r 0F 20 /r Instruction MOV CR0,r32 MOV CR2,r32 MOV CR3,r32 MOV CR4,r32 MOV r32,CR0 MOV r32,CR2 MOV r32,CR3 MOV r32,CR4 Description Move r32 to CR0 Move r32 to CR2 Move r32 to CR3 Move r32 to CR4 Move CR0 to r32 Move CR2 to r32 Move CR3 to r32 Move CR4 to r32

Description Moves the contents of a control register (CR0, CR2, CR3, or CR4) to a general-purpose register or vice versa. The operand size for these instructions is always 32 bits, regardless of the operandsize attribute. (See "Control Registers" in Chapter 2 of the Intel Architecture Software Developer's Manual, Volume 3, for a detailed description of the flags and fields in the control registers.) When loading a control register, a program should not attempt to change any of the reserved bits; that is, always set reserved bits to the value previously read. At the opcode level, the reg field within the ModR/M byte specifies w hich of the control registers is loaded or read. The 2 bits in the mod field are always 11B. The r/m field specifies the generalpurpose register loaded or read. These instructions have the following side effects:

·

W hen writing to control register CR3, all non-global TLB entries are flushed (see "Translation Lookaside Buffers (TLBs)" in Chapter 3 of the Intel Architecture Software Developer's Manual, Volume 3).

The following side effects are implementation specific for the Pentium Pro processors. Software should not depend on this functionality in future and previous Intel Architecture processors.:

· · · ·

W hen modifying any of the paging flags in the control registers (PE and PG in register CR0 and PGE, PSE, and PAE in register CR4), all TLB entries are flushed, including global entries. If the PG flag is set to 1 and control register CR4 is written to set the PAE flag to 1 (to enable the physical address extension mode), the pointers (PDPTRs) in the page-directory pointers table will be loaded into the processor (into internal, non-architectural registers). If the PAE flag is set to 1 and the PG flag set to 1, writing to control register CR3 will cause the PDPTRs to be reloaded into the processor. If the PAE flag is set to 1 and control register CR0 is written to set the PG flag, the PDPTRs are reloaded into the processor.

3-291


INSTRUCTION SET REFERENCE

MOV--Move to/from Control Registers (Continued)
Operation
DEST SRC;

Flags Affected The OF, SF, ZF, AF, PF, and CF flags are undefined. Protected Mode Exceptions #GP(0) If the current privilege level is not 0. If an attempt is made to write invalid bit combinations in CR0 (such as setting the PG flag to 1 w hen the PE flag is set to 0, or setting the CD flag to 0 when the NE flag is set to 1). If an attempt is made to write a 1 to any reserved bit in CR4. If an attempt is made to write reserved bits in the page-directory pointers table (used in the extended physical addressing mode) when the PAE flag in control register CR4 and the PG flag in control register CR0 are set to 1. Real-Address Mode Exceptions #GP If an attempt is made to write a 1 to any reserved bit in CR4.

Vir tual-8086 Mode Exceptions #GP(0) These instructions cannot be executed in virtual-8086 mode.

3- 292


INSTRUCTION SET REFER EN CE

MOV--Move to/from Debug Registers
Opcode 0F 21/r 0F 23 /r Instruction MOV r32, DR0-DR7 MOV DR 0-DR7,r32 Description Move debug r egister to r32 Move r32 to debug register

Description Moves the contents of a debug register (DR0, DR1, DR2, DR3, DR4, DR5, DR6, or DR7) to a general-purpose register or vice versa. The operand size for these instructions is always 32 bits, regardless of the operand-size attribute. (See Chapter 14, Debugging and Performance Monitoring, of the Intel Architecture Software Developer's Manual, Volum e 3, for a detailed description of the flags and fields in the debug registers.) The instructions must be executed at privilege level 0 or in real-address mode. When the debug extension (DE) flag in register CR4 is clear, these instructions operate on debug registers in a manner that is compatible with Intel386 and Intel486 processors. In this mode, references to DR4 and DR5 refer to DR6 and DR7, respectively. When the DE set in CR4 is set, attempts to reference DR4 and DR5 result in an undefined opcode (#UD) exception. (The CR4 register was added to the Intel Architecture beginning w ith the Pentium processor.) At the opcode level, the reg field within the ModR/M byte specifies which of the debug registers is loaded or read. The two bits in the mod field are always 11. The r/m field specifies the generalpurpose register loaded or read. Operation
IF ((DE = 1) and (SRC or DEST = DR4 or DR5)) THEN #UD; ELSE DEST SRC;

Flags Affected The OF, SF, ZF, AF, PF, and CF flags are undefined. Protected Mode Exceptions #GP(0) #UD #DB If the current privilege level is not 0. If the DE (debug extensions) bit of CR4 is set and a MOV instruction is executed involving DR4 or DR5. If any debug register is accessed while the GD flag in debug register DR7 is set.

3-293


INSTRUCTION SET REFERENCE

MOV--Move to/from Debug Registers (Continued)
Real-Address Mode Exceptions #UD #DB If the DE (debug extensions) bit of CR4 is set and a MOV instruction is executed involving DR4 or DR5. If any debug register is accessed while the GD flag in debug register DR7 is set.

Vir tual-8086 Mode Exceptions #GP(0) The debug registers cannot be loaded or read when in virtual-8086 mode.

3- 294


INSTRUCTION SET REFER EN CE

MOVD--Move 32 Bits
Opcode 0F 6E /r 0F 7E /r Instruction MOV D mm, r/m32 MOV D r/m32, mm Description Move doublewor d from r/m32 to mm. Move doublewor d from mm to r/m32.

Description Copies doubleword from the source operand (second operand) to the destination operand (first operand). Source and destination operands can be MMX registers, memory locations, or 32-bit general-purpose registers; however, data cannot be transferred from an MMX register to an MMX register, from one memory location to another memory location, or from one generalpurpose register to another general-purpose register. When the destination operand is an MMX register, the 32-bit source value is written to the loworder 32 bits of the 64-bit MM X register and zero-extended to 64 bits (see Figure 3-4). When the source operand is an MMX register, the low-order 32 bits of the MMX register are written to the 32-bit general-purpose register or 32-bit memory location selected with the destination operand.

MOVD m32, mm 63 0 32 31 xxxxxxxx b 3 b2 b1 b0 mm

15 b b

3 1

0 b2 b0

W

N+1

WN+1 0 b1 b0

m32

MOVD mm, r32 63 32 31 00000000 b 3 b mm
2

31 b3 b

2

b

1

0 b0 r32

3006010

Figure 3-4. Operation of MOVD Instruction

Operation
IF DEST is MMX THEN DEST ELSE (* SRC DEST register ZeroExtend(SRC); is MMX register *) LowOrderDoubleword(SRC);

3-295


INSTRUCTION SET REFERENCE

MOVD--Move 32 Bits (Continued)
Flags Affected None. Protected Mode Exceptions #GP(0) If the destination operand is in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Vir tual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 296


INSTRUCTION SET REFER EN CE

MOVQ--Move 64 Bits
Opcode 0F 6F /r 0F 7F /r Instruction MOV Q mm, mm/m64 MOV Q mm/m64, mm Description Move quadword from mm/m64 to mm. Move quadword from mm to mm/m64.

Description Copies quadword from the source operand (second operand) to the destination operand (first operand). (See Figure 3-5.) A source or destination operand can be either an MMX register or a memory location; however, data cannot be transferred from one memory location to another memory location. Data can be transferred from one MM X register to another MMX register.
MOVQ mm, m64 15 b7 b5 b3 b1 0 b6 W b4 b2 b0 W W W 63 48 47 32 31 16 15 0 b7 b6 b5 b4 b3 b2 b1 b0 mm

N+3 N+2 N+1 N+0

m64
3006013

Figure 3-5. O peration of the MOVQ Instructions

Operation
DEST SRC;

Flags Affected None. Protected Mode Exceptions #GP(0) If the destination operand is in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. #SS(0) #UD #NM #MF If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

3-297


INSTRUCTION SET REFERENCE

MOVQ--Move 64 Bits (Continued)
#PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Vir tual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 298


INSTRUCTION SET REFER EN CE

MOVS/MOVSB/MOVSW/MOVSD--Move Data from String to String
Opcode A4 A5 A5 A4 A5 A5 Instruction MOVS m8, m8 MOVS m16, m16 MOVS m32, m32 MOVS B MOVSW MOVS D Description Move byte at address DS:(E)SI to address ES:(E)DI Move word at address DS:(E)SI to address ES:(E)DI Move doubleword at address D S:(E)SI to address ES:(E)DI Move byte at address DS:(E)SI to address ES:(E)DI Move word at address DS:(E)SI to address ES:(E)DI Move doubleword at address D S:(E)SI to address ES:(E)DI

Description Moves the byte, word, or doubleword specified with the second operand (source operand) to the location specified with the first operand (destination operand). Both the source and destination operands are located in memory. The address of the source operand is read from the DS:ESI or the DS:SI registers (depending on the address-size attribute of the instruction, 32 or 16, respectively). The address of the destination operand is read from the ES:EDI or the ES:DI registers (again depending on the address-size attribute of the instruction). The DS segment may be overridden with a segment override prefix, but the ES segment cannot be overridden. At the assembly-code level, two forms of this instruction are allow ed: the "explicit-operands" form and the "no-operands" form. The explicit-operands form (specified with the MOVS mnemonic) allow s the source and destination operands to be specified explicitly. H ere, the source and destination operands should be symbols that indicate the size and location of the source value and the destination, respectively. This explicit-operands form is provided to allow documentation; however, note that the documentation provided by this form can be misleading. That is, the source and destination operand symbols must specify the correct type (size) of the operands (bytes, words, or doublewords), but they do not have to specify the correct location. The locations of the source and destination operands are always specified by the DS:(E)SI and ES:(E)DI registers, which must be loaded correctly before the move string instruction is executed. The no-operands form provides "short forms" of the byte, word, and doubleword versions of the MOVS instructions. Here also DS:(E)SI and ES:(E)DI are assumed to be the source and destination operands, respectively. The size of the source and destination operands is selected w ith the mnemonic: MOV SB (byte move), MOVSW (word move), or MOVSD (doubleword move). After the move operation, the (E)SI and (E)D I registers are incremented or decremented automatically according to the setting of the DF flag in the EFLAGS register. (If the DF flag is 0, the (E)SI and (E)DI register are incremented; if the DF flag is 1, the (E)SI and (E)DI registers are decremented.) The registers are incremented or decremented by 1 for byte operations, by 2 for word operations, or by 4 for doubleword operations. The MOVS, MOVSB, MOVSW, and MOVSD instructions can be preceded by the REP prefix (see "REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix" in this chapter) for block moves of ECX bytes, words, or doublewords.

3-299


INSTRUCTION SET REFERENCE

MOVS/MOVSB/MOVSW/MOVSD--Move Data from String to String (Continued)
Operation
DEST SRC; IF (byte m ove) THEN IF DF = 0 THEN (E)SI (E)SI + 1; (E)DI (E)DI + 1; ELSE (E)SI (E)SI ­ 1; (E)DI (E)DI ­ 1; FI; ELSE IF (word move) THEN IF DF = 0 (E)SI (E)SI + 2; (E)DI (E)DI + 2; ELSE (E)SI (E)SI ­ 2; (E)DI (E)DI ­ 2; FI; ELSE (* doubleword move*) THEN IF DF = 0 (E)SI (E)SI + 4; (E)DI (E)DI + 4; ELSE (E)SI (E)SI ­ 4; (E)DI (E)DI ­ 4; FI; FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 300


INSTRUCTION SET REFER EN CE

MOVS/MOVSB/MOVSW/MOVSD--Move Data from String to String (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-301


INSTRUCTION SET REFERENCE

MOVSX--Move with Sign-Extension
Opcode 0F BE /r 0F BE /r 0F BF /r Instruction MOVSX r16,r/m8 MOVSX r32,r/m8 MOVSX r32,r/m16 Description Move byte to word with sign-extension Move byte to doubleword, sign- extension Move word to doubleword, sign-extension

Description Copies the contents of the source operand (register or memory location) to the destination operand (register) and sign extends the value to 16 or 32 bits (see Figure 6-5 in the Intel Architecture Software Developer's Manual, Volume 1). The size of the converted value depends on the operand-size attribute. Operation
DEST SignExtend(SRC);

Flags Affected None. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

3- 302


INSTRUCTION SET REFER EN CE

MOVSX--Move with Sign-Extension (Continued)
#PF(fault-code) If a page fault occurs.

3-303


INSTRUCTION SET REFERENCE

MOVZX--Move with Zero-Extend
Opcode 0F B6 /r 0F B6 /r 0F B7 /r Instruction MOVZX r16,r/m8 MOVZX r32,r/m8 MOVZX r32,r/m16 Description Move byte to word with zer o-extension Move byte to doubleword, zero-extension Move word to doubleword, zero-extension

Description Copies the contents of the source operand (register or memory location) to the destination operand (register) and zero extends the value to 16 or 32 bits. The size of the converted value depends on the operand-size attribute. Operation
DEST ZeroExtend(SRC);

Flags Affected None. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 304


INSTRUCTION SET REFER EN CE

MOVZX--Move with Zero-Extend (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made.

3-305


INSTRUCTION SET REFERENCE

MUL--Unsigned Multiply
Opcode F6 /4 F7 /4 F7 /4 Instruction MUL r/m8 MUL r/m16 MUL r/m32 Description Unsigned multiply (AX AL r/m8) Unsigned multiply (DX:AX AX r/m16) Unsigned multiply (EDX:EAX EAX r/m32)

Description Performs an unsigned multiplication of the first operand (destination operand) and the second operand (source operand) and stores the result in the destination operand. The destination operand is an implied operand located in register AL, AX or EAX (depending on the size of the operand); the source operand is located in a general-purpose register or a memory location. The action of this instruction and the location of the result depends on the opcode and the operand size as shown in the following table.
:

Operand Size Byte Word Doubleword

S ource 1 AL AX EAX

Source 2 r/m8 r/m16 r/m32

Destination AX DX:AX EDX:EAX

The result is stored in register AX, register pair DX:AX, or register pair EDX:EAX (depending on the operand size), with the high-order bits of the product contained in register AH, DX , or EDX , respectively. If the high-order bits of the product are 0, the CF and OF flags are cleared; otherwise, the flags are set. Operation
IF byte operation THEN AX AL SRC ELSE (* word or doubleword operation *) IF OperandSize = 16 THEN DX:AX AX SRC ELSE (* OperandSize = 32 *) EDX:EAX EAX SRC FI; FI;

Flags Affected The OF and CF flags are cleared to 0 if the upper half of the result is 0; otherwise, they are set to 1. The SF, ZF, AF, and PF flags are undefined.

3- 306


INSTRUCTION SET REFER EN CE

MUL--Unsigned Multiply (Continued)
Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-307


INSTRUCTION SET REFERENCE

NEG--Two's Complement Negation
Opcode F6 /3 F7 /3 F7 /3 Instruction NEG r/m8 NEG r/m16 NEG r/m32 Description Two's complement negate r/m8 Two's complement negate r/m16 Two's complement negate r/m32

Description Replaces the value of operand (the destination operand) with its two's complement. (This operation is equivalent to subtracting the operand from 0.) The destination operand is located in a general-purpose register or a memory location. Operation
IF DEST = 0 THEN CF 0 ELSE CF 1; FI; DEST ­ (DEST)

Flags Affected The CF flag cleared to 0 if the source operand is 0; otherwise it is set to 1. The OF, SF, ZF, AF, and PF flags are set according to the result. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

3- 308


INSTRUCTION SET REFER EN CE

NEG--Two's Complement Negation (Continued)
Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-309


INSTRUCTION SET REFERENCE

NOP--No Operation
Opcode 90 Instruction NO P Description No operation

Description Performs no operation. This instruction is a one-byte instruction that takes up space in the instruction stream but does not affect the machine context, except the EIP register. The NOP instruction is an alias mnemonic for the XCHG (E)AX, (E)AX instruction. Flags Affected None. Exceptions (All Operating Modes) None.

3- 310


INSTRUCTION SET REFER EN CE

NOT--One's Complement Negation
Opcode F6 /2 F7 /2 F7 /2 Instruction NOT r/m8 NOT r/m16 NOT r/m32 D escription R everse each bit of r/m8 R everse each bit of r/m16 R everse each bit of r/m32

Description Performs a bitwise NOT operation (each 1 is cleared to 0, and each 0 is set to 1) on the destination operand and stores the result in the destination operand location. The destination operand can be a register or a memory location. Operation
DEST NOT DEST;

Flags Affected None. Protected Mode Exceptions #GP(0) If the destination operand points to a nonw ritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

3-311


INSTRUCTION SET REFERENCE

NOT--One's Complement Negation (Continued)
Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 312


INSTRUCTION SET REFER EN CE

OR--Logical Inclusive OR
Opcode 0C ib 0D iw 0D id 80 /1 ib 81 /1 iw 81 /1 id 83 /1 ib 83 /1 ib 08 /r 09 /r 09 /r 0A /r 0B /r 0B /r Instruction OR AL,imm8 OR AX,imm16 OR EAX,imm32 OR r/m8,imm8 OR r/m16,imm16 OR r/m32,imm32 OR r/m16,imm8 OR r/m32,imm8 OR r/m8,r8 OR r/m16,r16 OR r/m32,r32 OR r8,r/m8 OR r16,r/m16 OR r32,r/m32 D escription AL OR imm8 AX OR imm16 EAX OR imm32 r /m8 OR imm8 r/m16 OR imm1 r/m32 OR imm3 r /m16 OR imm8 r /m32 OR imm8 r /m8 OR r8 r /m16 OR r16 r /m32 OR r32 r 8 OR r/m8 r 16 OR r/m16 r 32 OR r/m32

6 2 (sign-extended) (sign-extended)

Description Performs a bitwise inclusive OR operation between the destination (first) and source (second) operands and stores the result in the destination operand location. The source operand can be an immediate, a register, or a memory location; the destination operand can be a register or a memory location. (However, two memory operands cannot be used in one instruction.) Each bit of the result of the OR instruction is 0 if both corresponding bits of the operands are 0; otherwise, each bit is 1. Operation
DEST DEST OR SRC;

Flags Affected The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined. Protected Mode Exceptions #GP(0) If the destination operand points to a nonw ritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.
3-313


INSTRUCTION SET REFERENCE

OR--Logical Inclusive OR (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 314


INSTRUCTION SET REFER EN CE

OUT--Output to Por t
Opcode E6 ib E7 ib E7 ib EE EF EF Instruction OUT imm8, AL OUT imm8, AX OUT imm8, EA X OUT DX, AL OUT DX, AX OUT DX, EAX D escription Output byte in AL to I/O por t address imm8 Output word in AX to I/O por t address imm8 Output doublewor d in EAX to I/O por t address imm8 Output byte in AL to I/O por t address in DX Output word in AX to I/O por t address in DX Output doublewor d in EAX to I/O por t address in DX

Description Copies the value from the second operand (source operand) to the I/O port specified with the destination operand (first operand). The source operand can be register AL, AX, or EAX, depending on the size of the port being accessed (8, 16, or 32 bits, respectively); the destination operand can be a byte-immediate or the DX register. Using a byte immediate allows I/O port addresses 0 to 255 to be accessed; using the DX register as a source operand allows I/O ports from 0 to 65,535 to be accessed. The size of the I/O port being accessed is determined by the opcode for an 8-bit I/O port or by the operand-size attribute of the instruction for a 16- or 32-bit I/O port. At the machine code level, I/O instructions are shorter when accessing 8-bit I/O ports. Here, the upper eight bits of the port address will be 0. This instruction is only useful for accessing I/O ports located in the processor's I/O address space. See Chapter 9, Input/Output, in the Intel Architecture Software D eveloper's Manual, Volume 1, for more information on accessing I/O ports in the I/O address space. Intel Architecture Compatibility After executing an OUT sampled active before it prefetched if EWBE# is active.) Only the Pentiu processors do not. Operation
IF ((PE = 1) AND ((CPL > IOPL) OR (VM = 1))) THEN (* Protected m ode with CPL > IO PL or virtual-8086 mode *) IF (Any I/O Permission Bit for I/O port being accessed = 1) THEN (* I/O operation is not allowed *) #GP(0); ELSE ( * I/O operation is allowed *) DEST SRC; (* Writes to selected I/O port *) FI;

instruction, the Pentium processor insures that the EWBE# pin has been begins to execute the next instruction. (Note that the instruction can be not active, but it will not be executed until the EWBE# pin is sampled m processor family has the EWBE# pin; the other Intel Architecture

3-315


INSTRUCTION SET REFERENCE

OUT--Output to Port (Continued)
ELSE (Real M ode or Protected Mode with CPL IOPL *) DEST SRC; (* Writes to selected I/O port *) FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If the CPL is greater than (has less privilege) the I/O privilege level (IOPL) and any of the corresponding I/O permission bits in TSS for the I/O port being accessed is 1.

Real-Address Mode Exceptions None. Vir tual-8086 Mode Exceptions #GP(0) If any of the I/O permission bits in the TSS for the I/O port being accessed is 1.

3- 316


INSTRUCTION SET REFER EN CE

OUTS/OUTSB/OUTSW/OUTSD--Output String to Por t
Opcode 6E 6F 6F 6E 6F 6F Instruction O U T S D X, m 8 OUTS DX, m16 OUTS DX, m32 OUTSB OUTSW OUTSD Description Output byte from memor y location specified in DS:(E)SI to I/O por t specified in DX Output word from memor y location specified in DS:(E)SI to I/O por t specified in DX Output doubleword from memor y location specified in DS:(E)SI to I/O por t specified in DX Output byte from memor y location specified in DS:(E)SI to I/O por t specified in DX Output word from memor y location specified in DS:(E)SI to I/O por t specified in DX Output doubleword from memor y location specified in DS:(E)SI to I/O por t specified in DX

Description Copies data from the source operand (second operand) to the I/O port specified with the destination operand (first operand). The source operand is a memory location, the address of which is read from either the DS:EDI or the DS:DI registers (depending on the address-size attribute of the instruction, 32 or 16, respectively). (The DS segment may be overridden with a segment override prefix.) The destination operand is an I/O port address (from 0 to 65,535) that is read from the DX register. The size of the I/O port being accessed (that is, the size of the source and destination operands) is determined by the opcode for an 8-bit I/O port or by the operand-size attribute of the instruction for a 16- or 32-bit I/O port. At the assembly-code level, two forms of this instruction are allow ed: the "explicit-operands" form and the "no-operands" form. The explicit-operands form (specified with the OUTS mnemonic) allow s the source and destination operands to be specified explicitly. H ere, the source operand should be a symbol that indicates the size of the I/O port and the source address, and the destination operand must be DX. This explicit-operands form is provided to allow documentation; however, note that the documentation provided by this form can be misleading. That is, the source operand symbol must specify the correct type (size) of the operand (byte, word, or doubleword), but it does not have to specify the correct location. The location is always specified by the DS:(E)SI registers, which must be loaded correctly before the OUTS instruction is executed. The no-operands form provides "short forms" of the byte, word, and doubleword versions of the OUTS instructions. Here also DS:(E)SI is assumed to be the source operand and DX is assumed to be the destination operand. The size of the I/O port is specified with the choice of mnemonic: OUTSB (byte), OUTSW (word), or OUTSD (doubleword). After the byte, word, or doubleword is transferred from the memory location to the I/O port, the (E)SI register is incremented or decremented automatically according to the setting of the DF flag in the EFLAGS register. (If the DF flag is 0, the (E)SI register is incremented; if the DF flag is 1, the (E)SI register is decremented.) The (E)SI register is incremented or decremented by 1 for byte operations, by 2 for word operations, or by 4 for doubleword operations.

3-317


INSTRUCTION SET REFERENCE

OUTS/OUTSB/OUTSW/OUTSD--Output String to Port (Continued)
The OUTS, OUTSB, OUTSW, and OUTSD instructions can be preceded by the REP prefix for block input of ECX bytes, words, or doublewords. See "REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix" in this chapter for a description of the REP prefix. This instruction is only useful for accessing I/O ports located in the processor's I/O address space. See Chapter 9, Input/Output, in the Intel Architecture Software Developer's Manual, Volume 1, for more information on accessing I/O ports in the I/O address space. Intel Architecture Compatibility After executing an O UTS, OUTSB, OUTSW, or OUTSD instruction, the Pentium processor insures that the EW BE# pin has been sampled active before it begins to execute the next instruction. (Note that the instruction can be prefetched if EWBE# is not active, but it will not be executed until the EW BE# pin is sampled active.) Only the Pentium processor family has the EW BE# pin; the other Intel A rchitecture processors do not. Operation
IF ((PE = 1) AND ((CPL > IOPL) OR (VM = 1))) THEN (* Protected mode with CPL > IOPL or virtual-8086 mode *) IF (Any I/O Permission Bit for I/O port being accessed = 1) THEN (* I/O operation is not allowed *) #GP(0); ELSE ( * I/O operation is allowed *) DEST SRC; (* Writes to I/O port *) FI; ELSE (Real M ode or Protected Mode with CPL IOPL *) DEST SRC; (* Writes to I/O port *) FI; IF (byte transfer) THEN IF DF = 0 THEN (E)SI (E)SI + 1; ELSE (E)SI (E)SI ­ 1; FI; ELSE IF (word transfer) THEN IF DF = 0 THEN (E)SI (E)SI + 2; ELSE (E)SI (E)SI ­ 2; FI; ELSE (* doubleword transfer *) THEN IF DF = 0 THEN (E)SI (E)SI + 4; ELSE (E)SI (E)SI ­ 4; FI; FI; FI;

3- 318


INSTRUCTION SET REFER EN CE

OUTS/OUTSB/OUTSW/OUTSD--Output String to Por t (Continued)
Flags Affected None. Protected Mode Exceptions #GP(0) If the CPL is greater than (has less privilege) the I/O privilege level (IOPL) and any of the corresponding I/O permission bits in TSS for the I/O port being accessed is 1. If a memory operand effective address is outside the limit of the CS, DS, ES, FS, or G S segment. If the segment register contains a null segment selector. #PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #PF(fault-code) #AC(0) If any of the I/O permission bits in the TSS for the I/O port being accessed is 1. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-319


INSTRUCTION SET REFERENCE

PACKSSWB/PACKSSDW--Pack with Signed Saturation
Opcode 0F 63 /r 0F 6B /r Instruction PACKSSWB mm, mm/m64 PACKSSDW mm, mm/m64 Description Packs and saturate pack 4 signed words from mm and 4 signed words from mm/m64 into 8 signed bytes in mm. Pack and saturate 2 signed doublewords fr om mm and 2 signed doublewords from mm/m64 into 4 signed words in mm.

Description Packs and saturates signed words into bytes (PACK SSWB) or signed doublewords into words (PACKSSDW). The PACKSSWB instruction packs 4 signed words from the destination operand (first operand) and 4 signed words from the source operand (second operand) into 8 signed bytes in the destination operand. If the signed value of a word is beyond the range of a signed byte (that is, greater than 7FH or less than 80H), the saturated byte value of 7FH or 80H, respectively, is stored into the destination. The PACKSSDW instruction packs 2 signed doublewords from the destination operand (first operand) and 2 signed doublewords from the source operand (second operand) into 4 signed words in the destination operand (see Figure 3-6). If the signed value of a doubleword is beyond the range of a signed word (that is, greater than 7FFFH or less than 8000H ), the saturated word value of 7FFFH or 8000H, respectively, is stored into the destination. The destination operand for either the PACKSSWB or PACKSSDW instruction must be an MMX register; the source operand may be either an MMX register or a quadword memory location.

PAC KSSDW mm, mm/m64 mm/m64 D C mm B A

D'

C'

B'

A'

mm

Figure 3-6. Operation of the PAC KSSDW Instruction

Operation
IF instruction is PACKSSWB THEN DEST(7..0) SaturateSignedWordToSignedByte DEST(15..0); DEST(15..8) SaturateSignedWordToSignedByte D EST(31..16); DEST(23..16) SaturateSignedWordToSignedByte DEST(47..32); DEST(31..24) SaturateSignedWordToSignedByte DEST(63..48);
3- 320


INSTRUCTION SET REFER EN CE

PACKSSWB/PACKSSDW--Pack with Signed Saturation (Continued)
DEST(39..32) SaturateSignedWordToSignedByte SRC(15..0); DEST(47..40) SaturateSignedWordToSignedByte SRC(31..16); DEST(55..48) SaturateSignedWordToSignedByte SRC(47..32); DEST(63..56) SaturateSignedWordToSignedByte SRC(63..48); ELSE (* instruction is PACKSSDW *) DEST(15..0) SaturateSignedDoublewordToSignedWord DEST(31..0 DEST(31..16) SaturateSignedDoublew ordToSignedWord DEST(63.. DEST(47..32) SaturateSignedDoublew ordToSignedWord SRC(31..0 DEST(63..48) SaturateSignedDoublew ordToSignedWord SRC(63..3 FI;

); 32); ); 2);

Flags Affected None. Protected Mode Exceptions #GP(0) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set.

3-321


INSTRUCTION SET REFERENCE

PACKSSWB/PACKSSDW--Pack with Signed Saturation (Continued)
#NM #MF #PF(fault-code) #AC(0) If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 322


INSTRUCTION SET REFER EN CE

PACKUSWB--Pack with Unsigned Saturation
Opcode 0F 67 /r Instruction PACK USWB mm, mm/m64 Description Pack and saturate 4 signed words from mm and 4 signed words from mm/m64 into 8 unsigned bytes in mm.

Description Packs and saturates 4 signed words from the destination operand (first operand) and 4 signed words from the source operand (second operand) into 8 unsigned bytes in the destination operand (see Figure 3-7). If the signed value of a word is beyond the range of an unsigned byte (that is, greater than FFH or less than 00H), the saturated byte value of FFH or 00H, respectively, is stored into the destination. The destination operand must be an MMX register; the source operand may be either an MMX register or a quadword memory location.

PACKUSWB mm, mm/m64 mm/m64 HGFE

mm DCBA

H' G' F' E' D' C' B' A' mm
3006014

Figure 3-7. Operation of the PACKUSWB Instruction

Operation
DEST( DEST( DEST( DEST( DEST( DEST( DEST( DEST( 7..0) SaturateSignedWordToUnsignedByte D EST(15..0); 15..8) SaturateSignedWordToUnsignedByte DEST(31..16); 23..16) SaturateSignedWordToUnsignedByte DEST(47..32); 31..24) SaturateSignedWordToUnsignedByte DEST(63..48); 39..32) SaturateSignedWordToUnsignedByte SRC(15..0); 47..40) SaturateSignedWordToUnsignedByte SRC(31..16); 55..48) SaturateSignedWordToUnsignedByte SRC(47..32); 63..56) SaturateSignedWordToUnsignedByte SRC(63..48);

Flags Affected None.

3-323


INSTRUCTION SET REFERENCE

PACKUSWB--Pack with Unsigned Saturation (Continued)
Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Vir tual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 324


INSTRUCTION SET REFER EN CE

PADDB/PADDW/PADDD--Packed Add
Opcode 0F FC /r 0F FD /r 0F FE /r Instruction PADD B mm, mm/m64 PADDW mm, mm/m64 PADD D mm, mm/m64 Description Add packed bytes from mm/m64 to packed bytes in mm. Add packed words from mm/m64 to packed words in mm. Add packed doublewords from mm/m64 to packed doublewords in mm.

Description Adds the individual data elements (bytes, words, or doublewords) of the source operand (second operand) to the individual data elements of the destination operand (first operand). (See Figure 3-8.) If the result of an individual addition exceeds the range for the specified data type (overflows), the result is wrapped around, meaning that the result is truncated so that only the lower (least significant) bits of the result are returned (that is, the carry is ignored). The destination operand must be an MMX register; the source operand can be either an MMX register or a quadword memory location.

PADDW mm, mm/m64 mm 1000000000000000 0111111100111000

+
mm/m64 mm

+

+
1111111111111111 0111111111111111

+
0001011100000111 1001011000111111
3006015

Figure 3-8. Operation of the PAD DW Instruction

The PADDB instruction adds the bytes of the source operand to the bytes of the destination operand and stores the results to the destination operand. When an individual result is too large to be represented in 8 bits, the lower 8 bits of the result are written to the destination operand and therefore the result wraps around. The PADDW instruction adds the words of the source operand to the words of the destination operand and stores the results to the destination operand. When an individual result is too large to be represented in 16 bits, the lower 16 bits of the result are written to the destination operand and therefore the result wraps around.

3-325


INSTRUCTION SET REFERENCE

PADDB/PADDW/PADDD--Packed Add (Continued)
The PADDD instruction adds the doublewords of the source operand to the doublewords of the destination operand and stores the results to the destination operand. W hen an individual result is too large to be represented in 32 bits, the lower 32 bits of the result are written to the destination operand and therefore the result wraps around. Note that like the integer ADD instruction, the PADDB, PADDW, and PADDD instructions can operate on either unsigned or signed (tw o's complement notation) packed integers. U nlike the integer instructions, none of the MMX instructions affect the EFLAGS register. With MMX instructions, there are no carry or overflow flags to indicate when overflow has occurred, so the software must control the range of values or else use the "with saturation" MMX instructions. Operation
IF instruction is PADDB THEN DEST(7..0) DEST(7..0) + SRC(7..0); DEST(15..8) DEST(15..8) + SRC(15..8); DEST(23..16) DEST(23..16)+ SRC(23..16); DEST(31..24) DEST(31..24) + SRC(31..24); DEST(39..32) DEST(39..32) + SRC(39..32); DEST(47..40) DEST(47..40)+ SRC(47..40); DEST(55..48) DEST(55..48) + SRC(55..48); DEST(63..56) DEST(63..56) + SRC(63..56); ELSEIF instruction is PADDW THEN DEST(15..0) DEST(15..0) + SRC(15..0); DEST(31..16) DEST(31..16) + SRC(31..16); DEST(47..32) DEST(47..32) + SRC(47..32); DEST(63..48) DEST(63..48) + SRC(63..48); ELSE (* instruction is PADD D *) DEST(31..0) DEST(31..0) + SRC(31..0); DEST(63..32) DEST(63..32) + SRC(63..32); FI;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set.

3- 326


INSTRUCTION SET REFER EN CE

PADDB/PADDW/PADDD--Packed Add (Continued)
#MF #PF(fault-code) #AC(0) If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-327


INSTRUCTION SET REFERENCE

PADDSB/PADDSW--Packed Add with Saturation
Opcode 0F EC /r 0F ED /r Instruction PADDSB mm, mm/m64 PADDSW mm, mm/m64 Descript ion Add signed packed bytes from mm/m64 to signed packed bytes in mm and saturate. Add signed packed words from mm/m64 to signed packed words in mm and saturate.

Description Adds the individual signed data elements (bytes or words) of the source operand (second operand) to the individual signed data elements of the destination operand (first operand). (See Figure 3-9.) If the result of an individual addition exceeds the range for the specified data type, the result is saturated. The destination operand must be an MMX register; the source operand can be either an MMX register or a quadword memory location.

PADDSW mm, mm/m64 mm 1000000000000000 0111111100111000

+
mm/m64 mm

+

+
1111111111111111 1000000000000000

+
0001011100000111 0111111111111111
3006016

Figure 3-9. Operation of the PAD DSW Instruction

The PADDSB instruction adds the signed destination operand and stores the results is beyond the range of a signed byte (that byte value of 7FH or 80H, respectively, is

bytes of the source operand to the signed bytes of the to the destination operand. W hen an individual result is, greater than 7FH or less than 80H), the saturated written to the destination operand.

The PADDSW instruction adds the signed words of the source operand to the signed words of the destination operand and stores the results to the destination operand. When an individual result is beyond the range of a signed word (that is, greater than 7FFFH or less than 8000H), the saturated word value of 7FFFH or 8000H, respectively, is written to the destination operand. Operation
IF instruction is PADDSB THEN DEST(7..0) SaturateToSignedByte(DEST(7..0) + SRC (7..0)) ; DEST(15..8) SaturateToSignedByte(DEST(15..8) + SRC(15..8) );

3- 328


INSTRUCTION SET REFER EN CE

PADDSB/PADDSW--Packed Add with Saturation (Continued)
DEST(23..16) SaturateToSignedByte(DEST(23..16)+ SRC(23..16) ); DEST(31..24) SaturateToSignedByte(DEST(31..24) + SRC(31..24) ) DEST(39..32) SaturateToSignedByte(DEST(39..32) + SRC(39..32) ) DEST(47..40) SaturateToSignedByte(DEST(47..40)+ SRC(47..40) ); DEST(55..48) SaturateToSignedByte(DEST(55..48) + SRC(55..48) ) DEST(63..56) SaturateToSignedByte(DEST(63..56) + SRC(63..56) ) ELSE { (* instruction is PADDSW *) DEST(15..0) SaturateToSignedWord(DEST(15..0) + SRC(15..0) ); DEST(31..16) SaturateToSignedWord(D EST(31..16) + SRC(31..16) DEST(47..32) SaturateToSignedWord(D EST(47..32) + SRC(47..32) DEST(63..48) SaturateToSignedWord(D EST(63..48) + SRC(63..48) FI; ; ; ; ;

); ); );

Flags Affected None. Protected Mode Exceptions #GP(0) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP If any part of the operand lies outside of the effective address space from 0 to FFFFH.

3-329


INSTRUCTION SET REFERENCE

PADDSB/PADDSW--Packed Add with Saturation (Continued)
#UD #NM #MF #PF(fault-code) #AC(0) If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 330


INSTRUCTION SET REFER EN CE

PADDUSB/PADDUSW--Packed Add Unsigned with Saturation
Opcode 0F DC /r 0F DD /r Instruction PADD USB mm, mm/m64 PADD USW mm, mm/m64 Description Add unsigned packed bytes from mm/m64 to unsigned packed bytes in mm and saturate. Add unsigned packed words from mm/m64 to unsigned packed wor ds in mm and saturate.

Description Adds the individual unsigned data elements (bytes or words) of the packed source operand (second operand) to the individual unsigned data elements of the packed destination operand (first operand). (See Figure 3-10.) If the result of an individual addition exceeds the range for the specified unsigned data type, the result is saturated. The destination operand must be an MMX register; the source operand can be either an MMX register or a quadword memory location.

PADDUSB mm, mm/m64 mm 10000000 01111111 00111000

+
mm/m64 mm

+

+

+

+

+
11111111

+
00010111

+
00000111 00111111
3006017

11111111 10010110

Figure 3-10. Operation of the PADDUSB Instruction

The PADDUSB instruction adds the unsigned bytes of the source operand to the unsigned bytes of the destination operand and stores the results to the destination operand. When an individual result is beyond the range of an unsigned byte (that is, greater than FFH), the saturated unsigned byte value of FFH is written to the destination operand. The PADDUSW instruction adds the unsigned words of the source operand to the unsigned words of the destination operand and stores the results to the destination operand. When an individual result is beyond the range of an unsigned word (that is, greater than FFFFH), the saturated unsigned word value of FFFFH is written to the destination operand.

3-331


INSTRUCTION SET REFERENCE

PADDUSB/PADDUSW--Packed Add Unsigned with Saturation (Continued)
Operation
IF instruction is PADDUSB THEN DEST(7..0) SaturateToUnsignedByte(DEST(7..0) + SRC (7..0) ); DEST(15..8) SaturateToUnsignedByte(DEST(15..8) + SRC(15..8) ); DEST(23..16) SaturateToUnsignedByte(DEST(23..16)+ SRC(23..16) ); DEST(31..24) SaturateToUnsignedByte(DEST(31..24) + SRC(31..24) ); DEST(39..32) SaturateToUnsignedByte(DEST(39..32) + SRC(39..32) ); DEST(47..40) SaturateToUnsignedByte(DEST(47..40)+ SRC(47..40) ); DEST(55..48) SaturateToUnsignedByte(DEST(55..48) + SRC(55..48) ); DEST(63..56) SaturateToUnsignedByte(DEST(63..56) + SRC(63..56) ); ELSE { (* instruction is PADDUSW *) DEST(15..0) SaturateToUnsignedWord(DEST(15..0) + SRC(15..0) ); DEST(31..16) SaturateToUnsignedWord(D EST(31..16) + SRC(31..16) ); DEST(47..32) SaturateToUnsignedWord(D EST(47..32) + SRC(47..32) ); DEST(63..48) SaturateToUnsignedWord(D EST(63..48) + SRC(63..48) ); FI;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set.

3- 332


INSTRUCTION SET REFER EN CE

PADDUSB/PADDUSW--Packed Add Unsigned with Saturation (Continued)
#NM #MF If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-333


INSTRUCTION SET REFERENCE

PAND--Logical AND
Opcode 0F DB /r Instruction PAND mm, mm/m64 Description AND quadword from mm/m64 to quadword in mm.

Description Performs a bitwise logical AND operation on the quadword source (second) and destination (first) operands and stores the result in the destination operand location (see Figure 3-11). The source operand can be an MMX register or a quadword memory location; the destination operand must be an MMX register. Each bit of the result of the PAND instruction is set to 1 if the corresponding bits of the operands are both 1; otherwise it is made zero

PAND mm, mm/m64 mm 1111111111111000000000000000010110110101100010000111011101110111

&
mm/m64 0001000011011001010100000011000100011110111011110001010110010101 mm 0001000011011000000000000000000100010100100010000001010100010101
3006019

Figure 3-11. Operation of the PAND Instruction

Operation
DEST DEST AND SRC;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM #MF #PF(fault-code) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs.

3- 334


INSTRUCTION SET REFER EN CE

PAND--Logical AND (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-335


INSTRUCTION SET REFERENCE

PANDN--Logical AND NOT
Opcode 0F DF /r Inst ruct ion PANDN mm, mm/m64 Description AND quadword from mm/m64 to NOT quadword in mm.

Description Performs a bitwise logical NOT on the quadword destination operand (first operand). Then, the instruction performs a bitwise logical AN D operation on the inverted destination operand and the quadword source operand (second operand). (See Figure 3-12.) Each bit of the result of the AND operation is set to one if the corresponding bits of the source and inverted destination bits are one; otherwise it is set to zero. The result is stored in the destination operand location. The source operand can be an MMX register or a quadword memory location; the destination operand must be an MMX register.

PAN DN mm , mm / m 64

~
mm
11111111111110000000000000000101101101010011101111000100010001000

&
m m/ m64 mm
11111111111110000000000000000101101101010011101111000100010001000

11111111111110000000000000000101101101010011101111000100010001000

Figure 3-12. Operation of the PANDN Instruction

Operation
DEST (NOT DEST) AND SRC;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set.

3- 336


INSTRUCTION SET REFER EN CE

PANDN--Logical AND NOT (Continued)
#NM #MF #PF(fault-code) #AC(0) If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-337


INSTRUCTION SET REFERENCE

PCMPEQB/PCMPEQW/PCMPEQD--Packed Compare for Equal
Opcode 0F 74 /r 0F 75 /r 0F 76 /r Inst ruct ion P CMP EQB mm, mm/m64 P CMP EQW mm, mm/m64 P CMP EQD mm, mm/m64 Description Compare packed bytes in mm/m64 with packed bytes in mm for equality. Compare packed words in mm/m64 w ith packed words in mm for equality. Compare packed doublewor ds in mm/m64 with packed doublewords in mm for equality.

Description Compares the individual data elements (bytes, words, or doublewords) in the destination operand (first operand) to the corresponding data elements in the source operand (second operand). (See Figure 3-13.) If a pair of data elements are equal, the corresponding data element in the destination operand is set to all ones; otherwise, it is set to all zeros. The destination operand must be an MMX register; the source operand may be either an MMX register or a 64bit memory location.

PCMPEQW mm, mm/m64 mm 0000000000000000 0000000000000001 0000000000000111 0111000111000111

==

==

==

==

mm/m64 0000000000000000 0000000000000000 0111000111000111 0111000111000111 True False False True mm 1111111111111111 0000000000000000 0000000000000000 1111111111111111
3006020

Figure 3-13. Operation of the PC MPEQW Instruction

The PCMPEQB instruction compares the bytes in the destination operand to the corresponding bytes in the source operand, with the bytes in the destination operand being set according to the results. The PCMPEQW instruction compares the words in the destination operand to the corresponding words in the source operand, with the words in the destination operand being set according to the results. The PCMPEQD instruction compares the doublewords in the destination operand to the corresponding doublewords in the source operand, with the doublewords in the destination operand being set according to the results.

3- 338


INSTRUCTION SET REFER EN CE

PCMPEQB/PCMPEQW/PCMPEQD--Packed Compare for Equal (Continued)
Operation
IF instruction is PCMPEQB THEN IF DEST(7..0) = SRC(7..0) THEN DEST(7 0) FFH; ELSE DEST(7..0) 0; * Continue comparison of second through seventh bytes in DEST and SRC * IF DEST(63..56) = SRC(63..56) THEN DEST(63..56) FFH; ELSE DEST(63..56) 0; ELSE IF instruction is PCMPEQW THEN IF DEST(15..0) = SRC (15..0) THEN DEST(15..0) FFFFH; ELSE DEST(15..0) 0; * Continue comparison of second and third words in DEST and SRC * IF DEST(63..48) = SRC(63..48) THEN DEST(63..48) FFFFH; ELSE DEST(63..48) 0; ELSE (* instruction is PCMPEQD *) IF DEST(31..0) = SRC (31..0) THEN DEST(31..0) FFFFFFFFH; ELSE DEST(31..0) 0; IF DEST(63..32) = SRC(63..32) THEN DEST(63..32) FFFFFFFFH; ELSE DEST(63..32) 0; FI;

Flags Affected None: Protected Mode Exceptions #GP(0) #SS(0) #UD #NM #MF #PF(fault-code) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs.

3-339


INSTRUCTION SET REFERENCE

PCMPEQB/PCMPEQW/PCMPEQD--Packed Compare for Equal (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Vir tual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 340


INSTRUCTION SET REFER EN CE

PCMPGTB/PCMPGTW/PCMPGTD--Packed Compare for Greater Than
Opcode 0F 64 /r 0F 65 /r 0F 66 /r Instruction PCMPGTB mm, mm/m64 PCMPGTW mm, mm/m64 PCMPGTD mm, mm/m64 Description Compare packed bytes in mm with packed bytes in mm/m64 for greater value. Compare packed words in mm with packed words in mm/m64 for greater value. Compare packed doublewor ds in mm with packed doublewords in mm/m64 for greater value.

Description Compare the individual signed data elements (bytes, words, or doublewords) in the destination operand (first operand) to the corresponding signed data elements in the source operand (second operand). (See Figure 3-14.) If a data element in the destination operand is greater than its corresponding data element in the source operand, the data element in the destination operand is set to all ones; otherwise, it is set to all zeros. The destination operand must be an MMX register; the source operand may be either an MMX register or a 64-bit memory location.

PCMPGTW mm, mm/m64 mm 0000000000000000 0000000000000001 0000000000000111 0111000111000111

>
mm

>

>

>

mm/m64 0000000000000000 0000000000000000 0111000111000111 0111000111000111 True False False False 0000000000000000 1111111111111111 0000000000000000 0000000000000000
3006021

Figure 3-14. Operation of the PCMPGTW Instruction

The PCMPGTB instruction compares the signed bytes in the destination operand to the corresponding signed bytes in the source operand, with the bytes in the destination operand being set according to the results. The PCMPGTW instruction compares the signed words in the destination operand to the corresponding signed words in the source operand, with the words in the destination operand being set according to the results. The PCMPGTD instruction compares the signed doublewords in the destination operand to the corresponding signed doublewords in the source operand, with the doublewords in the destination operand being set according to the results.

3-341


INSTRUCTION SET REFERENCE

PCMPGTB/PCMPGTW/PCMPGTD--Packed Compare for Greater Than (Continued)
Operation
IF instruction is PCMPG TB THEN IF DEST(7..0) > SRC(7..0) THEN DEST(7 0) FFH; ELSE DEST(7..0) 0; * Continue comparison of second through seventh bytes in DEST and SRC * IF DEST(63..56) > SRC(63..56) THEN DEST(63..56) FFH; ELSE DEST(63..56) 0; ELSE IF instruction is PCM PGTW THEN IF DEST(15..0) > SRC(15..0) THEN DEST(15..0) FFFFH; ELSE DEST(15..0) 0; * Continue comparison of second and third bytes in DEST and SRC * IF DEST(63..48) > SRC(63..48) THEN DEST(63..48) FFFFH; ELSE DEST(63..48) 0; ELSE { (* instruction is PCM PGTD *) IF DEST(31..0) > SRC(31..0) THEN DEST(31..0) FFFFFFFFH; ELSE DEST(31..0) 0; IF DEST(63..32) > SRC(63..32) THEN DEST(63..32) FFFFFFFFH ; ELSE DEST(63..32) 0; FI;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM #MF #PF(fault-code) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs.

3- 342


INSTRUCTION SET REFER EN CE

PCMPGTB/PCMPGTW/PCMPGTD--Packed Compare for Greater Than (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-343


INSTRUCTION SET REFERENCE

PMADDWD--Packed Multiply and Add
Opcode 0F F5 /r Instruction PMADDWD mm, mm/m64 Description Multiply the packed words in mm by the packed words in mm/m64. Add the 32-bit pairs of results and store in mm as doubleword

Description Multiplies the individual signed words of the destination operand by the corresponding signed words of the source operand, producing four signed, doubleword results (see Figure 3-15). The two doubleword results from the multiplication of the high-order words are added together and stored in the upper doubleword of the destination operand; the two doubleword results from the multiplication of the low-order words are added together and stored in the lower doubleword of the destination operand. The destination operand must be an MMX register; the source operand may be either an MMX register or a 64-bit memory location. The PMADDWD instruction wraps around to 80000000H only w hen all four words of both the source and destination operands are 8000H.

PMADDWD mm , m m/m 64 mm
0111000111000111 0111000111000111


mm /m64







1000000000000000 0000010000000000

+
mm

+
1100100011100011 1001110000000000

Figure 3-15. Operation of the PM ADDWD Instruction

Operation
DEST(31..0) (DEST(15..0) SRC(15..0)) + (DEST(31..16) SRC(31..16)); DEST(63..32) (DEST(47..32) SRC(47..32)) + (DEST(63..48) SRC(63..48));

Flags Affected None.

3- 344


INSTRUCTION SET REFER EN CE

PMADDWD--Packed Multiply and Add (Continued)
Protected Mode Exceptions #GP(0) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-345


INSTRUCTION SET REFERENCE

PMULHW--Packed Multiply High
Opcode 0F E5 /r Instruction PMULHW mm, mm/m64 Description Multiply the signed packed wor ds in mm by the signed packed words in mm/m64, then store the high-order word of each doubleword result in mm.

Description Multiplies the four signed words of the source operand (second operand) by the four signed words of the destination operand (first operand), producing four signed, doubleword, intermediate results (see Figure 3-16). The high-order word of each intermediate result is then written to its corresponding word location in the destination operand. The destination operand must be an MMX register; the source operand may be either an MMX register or a 64-bit memory location.

PMULHW mm, mm/m64 mm 0111000111000111 0111000111000111

*
mm/m64 High Order mm

*
High Order

*

*

1000000000000000 0000010000000000 High Order High Order 1100011100011100 0000000111000111
3006022

Figure 3-16. O peration of the PMULHW Instruction

Operation
DEST(15.. DEST(31.. DEST(47.. DEST(63.. 0 1 3 4 ) HighOrderWo 6) HighOrderW 2) HighOrderW 8) HighOrderW rd(DEST(15..0) SRC(15..0)); ord(DEST(31..16) SRC(31..16)); ord(DEST(47..32) SRC(47..32)); ord(DEST(63..48) SRC(63..48));

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit.

3- 346


INSTRUCTION SET REFER EN CE

PMULHW--Packed Multiply High (Continued)
#UD #NM #MF #PF(fault-code) #AC(0) If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-347


INSTRUCTION SET REFERENCE

PMULLW--Packed Multiply Low
Opcode 0F D5 /r Instruction PMULLW mm, mm/m64 Description Multiply the packed words in mm with the packed words in mm/m64, then store the low- order word of each doubleword result in mm.

Description Multiplies the four signed or unsigned words of the source operand (second operand) with the four signed or unsigned words of the destination operand (first operand), producing four doubleword, intermediate results (see Figure 3-17). The low -order word of each intermediate result is then written to its corresponding word location in the destination operand. The destination operand must be an MMX register; the source operand may be either an MMX register or a 64bit memory location.

PMULLW mm, mm/m64 mm 0111000111000111 0111000111000111

*
mm/m64 Low Order mm

*
Low Order

*

*

1000000000000000 0000010000000000 Low Order Low Order 1000000000000000 0001110000000000
3006025

Figure 3-17. Operation of the PMULLW Instruction

Operation
DEST(15.. DEST(31.. DEST(47.. DEST(63.. 0 1 3 4 ) Low OrderWord 6) LowOrderWor 2) LowOrderWor 8) LowOrderWor (DEST(15..0 d(DEST(31.. d(DEST(47.. d(DEST(63.. ) 1 3 4 SRC(15..0)); 6) SR C(31..16)); 2) SR C(47..32)); 8) SR C(63..48));

Flags Affected None. Protected Mode Exceptions # G P( 0 ) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit.

3- 348


INSTRUCTION SET REFER EN CE

PMULLW--Packed Multiply Low (Continued)
#SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-349


INSTRUCTION SET REFERENCE

POP--Pop a Value from the Stack
Opcode 8F /0 8F /0 58+ rw 58+ rd 1F 07 17 0F A1 0F A9 Instruction POP m16 POP m32 POP r16 POP r32 PO P D S PO P ES PO P SS POP FS PO P G S Description Pop top of stack into m16; increment stack pointer Pop top of stack into m32; increment stack pointer Pop top of stack into r16; increment stack pointer Pop top of stack into r32; increment stack pointer Pop top of stack into DS; increment stack pointer Pop top of stack into ES; increment stack pointer Pop top of stack into SS; increment stack pointer Pop top of stack into FS; increment stack pointer Pop top of stack into GS; increment stack pointer

Description Loads the value from the top of the stack to the location specified with the destination operand and then increments the stack pointer. The destination operand can be a general-purpose register, memory location, or segment register. The address-size attribute of the stack segment determines the stack pointer size (16 bits or 32 bits--the source address size), and the operand-size attribute of the current code segment determines the amount the stack pointer is incremented (2 bytes or 4 bytes). For example, if these address- and operand-size attributes are 32, the 32-bit ESP register (stack pointer) is incremented by 4 and, if they are 16, the 16-bit SP register is incremented by 2. (The B flag in the stack segment's segment descriptor determines the stack's address-size attribute, and the D flag in the current code segment's segment descriptor, along with prefixes, determines the operandsize attribute and also the address-size attribute of the destination operand.) If the destination operand is one of the segment registers DS, ES, FS, GS, or SS, the value loaded into the register must be a valid segment selector. In protected mode, popping a segment selector into a segment register automatically causes the descriptor information associated with that segment selector to be loaded into the hidden (shadow) part of the segment register and causes the selector and the descriptor information to be validated (see the "Operation" section below). A null value (0000-0003) may be popped into the DS, ES, FS, or GS register w ithout causing a general protection fault. However, any subsequent attempt to reference a segment whose corresponding segment register is loaded with a null value causes a general protection exception (#GP). In this situation, no memory reference occurs and the saved value of the segment register is null. The POP instruction cannot pop a value into the CS register. To load the CS register from the stack, use the RET instruction. If the ESP register is used as a base register for addressing a destination operand in memory, the POP instruction computes the effective address of the operand after it increments the ESP register.

3- 350


INSTRUCTION SET REFER EN CE

POP--Pop a Value from the Stack (Continued)
The POP ESP instruction increments the stack pointer (ESP) before data at the old top of stack is written into the destination. A POP SS instruction inhibits all interrupts, including the NMI interrupt, until after execution of the next instruction. This action allows sequential execution of POP SS and M OV ESP, EBP instructions without the danger of having an invalid stack during an interrupt1. However, use of the LSS instruction is the preferred method of loading the SS and ESP registers. Operation
IF StackAddrSize = 32 THEN IF OperandSize = 32 THEN DEST SS:ESP; (* copy ESP ESP + 4; ELSE (* OperandSize = 16*) DEST SS:ESP; (* copy ESP ESP + 2; FI; ELSE (* StackAddrSize = 16* ) IF OperandSize = 16 THEN DEST SS:SP; (* copy a SP SP + 2; ELSE (* OperandSize = 32 *) DEST SS:SP; (* copy a SP SP + 4; FI; FI;

a doubleword *)

a word *)

word *)

doubleword *)

Loading a segment register while in protected mode results in special checks and actions, as described in the following listing. These checks are performed on the segment selector and the segment descriptor it points to.
IF SS is loaded; THEN IF segment selector is null THEN #GP(0);
1. Note that in a sequence of instr uctions that individually delay interr upts the first instr uction in the sequence is guaranteed to delay the interr upt, instr uctions may not delay the inter rupt. Thus, in the following instructio STI P OP SS P OP ES P interr upts may be recognized before the P OP ES P executes, because instr uction. past the following instruction, only but subsequent inter rupt-delaying n sequence:

STI also delays interrupts for one

3-351


INSTRUCTION SET REFERENCE

POP--Pop a Value from the Stack (Continued)
FI; IF segm OR OR OR ent selector index is outside descriptor table limits segm ent selector's RPL CPL segm ent is not a writable data segment DPL CPL THEN #GP(selector);

FI; IF segm ent not marked present THEN #SS(selector); ELSE SS segm ent selector; SS segm ent descriptor; FI; FI; IF DS, ES, FS or GS is loaded with non-null selector; THEN IF segm ent selector index is outside descriptor table limits O R segm ent is not a data or readable code segment O R ((segment is a data or nonconforming code segment) AND (both RPL and CPL > DPL)) THEN #GP(selector); IF segm ent not marked present THEN #NP(selector); ELSE SegmentRegister segment selector; SegmentRegister segment descriptor; FI; FI; IF DS, ES, FS or GS is loaded with a null selector; THEN SegmentRegister segment selector; SegmentRegister segment descriptor; FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If attempt is made to load SS register with null segment selector. If the destination operand is in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.

3- 352


INSTRUCTION SET REFER EN CE

POP--Pop a Value from the Stack (Continued)
If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #GP(selector) If segment selector index is outside descriptor table limits. If the SS register is being loaded and the segment selector's RPL and the segment descriptor's DPL are not equal to the CPL. If the SS register is being loaded and the segment pointed to is a nonwritable data segment. If the DS, ES, FS, or GS register is being loaded and the segment pointed to is not a data or readable code segment. If the DS, ES, FS, or GS register is being loaded and the segment pointed to is a data or nonconforming code segment, but both the RPL and the CPL are greater than the DPL. #SS(0) If the current top of stack is not within the stack segment. If a memory operand effective address is outside the SS segment limit. #SS(selector) #NP #PF(fault-code) #AC(0) If the SS register is being loaded and the segment pointed to is marked not present. If the DS, ES, FS, or GS register is being loaded and the segment pointed to is marked not present. If a page fault occurs. If an unaligned memory reference is made while the current privilege level is 3 and alignment checking is enabled.

Real-Address Mode Exceptions #GP If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a page fault occurs. If an unaligned memory reference is made while alignment checking is enabled.

3-353


INSTRUCTION SET REFERENCE

POPA/POPAD--Pop All General-Purpose Registers
Opcode 61 61 Instruction POPA POPAD Description Pop DI, SI, BP BX, DX, CX, and AX , Pop EDI, ESI, EBP EBX, EDX, ECX, and EAX ,

Description Pops doublewords (POPAD) or words (POPA) from the stack into the general-purpose registers. The registers are loaded in the following order: EDI, ESI, EBP, EBX, EDX, ECX, and EAX (if the operand-size attribute is 32) and D I, SI, BP, BX , DX, CX, and AX (if the operand-size attribute is 16). (These instructions reverse the operation of the PUSHA/PUSHA D instructions.) The value on the stack for the ESP or SP register is ignored. Instead, the ESP or SP register is incremented after each register is loaded. The POPA (pop all) and POPAD (pop all double) mnemonics reference the same opcode. The POPA instruction is intended for use when the operand-size attribute is 16 and the POPAD instruction for when the operand-size attribute is 32. Some assemblers may force the operand size to 16 when POPA is used and to 32 when POPA D is used (using the operand-size override prefix [66H] if necessary). Others may treat these mnemonics as synonyms (POPA/POPAD) and use the current setting of the operand-size attribute to determine the size of values to be popped from the stack, regardless of the mnemonic used. (The D flag in the current code segment's segment descriptor determines the operand-size attribute.) Operation
IF OperandSize = 32 (* instruction = POPAD *) THEN EDI Pop(); ESI Pop(); EBP Pop(); increment ESP by 4 (* skip next 4 bytes of stack *) EBX Pop(); EDX Pop(); ECX Pop(); EAX Pop(); ELSE (* OperandSize = 16, instruction = POPA *) DI Pop(); SI Pop(); BP Pop(); increment ESP by 2 (* skip next 2 bytes of stack *) BX Pop(); DX Pop(); CX Pop(); AX Pop(); FI;

3- 354


INSTRUCTION SET REFER EN CE

POPA/POPAD--Pop All General-Purpose Registers (Continued)
Flags Affected None. Protected Mode Exceptions #SS(0) #PF(fault-code) #AC(0) If the starting or ending stack address is not within the stack segment. If a page fault occurs. If an unaligned memory reference is made while the current privilege level is 3 and alignment checking is enabled.

Real-Address Mode Exceptions #SS If the starting or ending stack address is not within the stack segment.

Virtual-8086 Mode Exceptions #SS(0) #PF(fault-code) #AC(0) If the starting or ending stack address is not within the stack segment. If a page fault occurs. If an unaligned memory reference is made while alignment checking is enabled.

3-355


INSTRUCTION SET REFERENCE

POPF/POPFD--Pop Stack into EFLAGS Register
Opcode 9D 9D Instruction PO PF PO PF D Description Pop top of stack into lower 16 bits of EFLAGS Pop top of stack into EFLAGS

Description Pops a doubleword (POPFD) from the top of the stack (if the current operand-size attribute is 32) and stores the value in the EFLAGS register or pops a word from the top of the stack (if the operand-size attribute is 16) and stores it in the low er 16 bits of the EFLAG S register (that is, the FLAGS register). (These instructions reverse the operation of the PUSHF/PUSHFD instructions.) The POPF (pop flags) and POPFD (pop flags double) mnemonics reference the same opcode. The POPF instruction is intended for use when the operand-size attribute is 16 and the PO PFD instruction for when the operand-size attribute is 32. Some assemblers may force the operand size to 16 when POPF is used and to 32 when POPFD is used. O thers may treat these mnemonics as synonyms (POPF/POPFD) and use the current setting of the operand-size attribute to determine the size of values to be popped from the stack, regardless of the mnemonic used. The effect of the PO PF/POPFD instructions on the EFLAGS register changes slightly, depending on the mode of operation of the processor. When the processor is operating in protected mode at privilege level 0 (or in real-address mode, which is equivalent to privilege level 0), all the non-reserved flags in the EFLAGS register except the VIP, VIF, and VM flags can be modified. The VIP and VIF flags are cleared, and the V M flag is unaffected. When operating in protected mode, with a privilege level greater than 0, but less than or equal to IOPL, all the flags can be modified except the IO PL field and the VIP, VIF, and VM flags. Here, the IOPL flags are unaffected, the V IP and VIF flags are cleared, and the VM flag is unaffected. The interrupt flag (IF) is altered only when executing at a level at least as privileged as the IOPL. If a POPF/POPFD instruction is executed with insufficient privilege, an exception does not occur, but the privileged bits do not change. When operating in virtual-8086 mode, the I/O privilege level (IOPL) must be equal to 3 to use POPF/POPFD instructions and the VM , RF, IOPL, VIP, and VIF flags are unaffected. If the IOPL is less than 3, the POPF/POPFD instructions cause a general-protection exception (#GP). See the section titled "EFLAGS Register" in Chapter 3 of the Intel Architecture Software Developer's Manual, Volume 1, for information about the EFLAGS registers. Operation
IF VM=0 (* Not in Virtual-8086 Mode *) THEN IF CPL=0 THEN IF OperandSize = 32; THEN

3- 356


INSTRUCTION SET REFER EN CE

POPF/POPFD--Pop Stack into EFLAGS Register (Continued)
EFLAGS Pop(); (* All non-reserved flags except VIP, VIF, and VM can be modified; *) (* VIP and VIF are cleared; VM is unaffected*) ELSE (* OperandSize = 16 *) EFLAGS[15:0] Pop(); (* All non-reserved flags can be m odified; *) FI; ELSE (* CPL > 0 *) IF OperandSize = 32; THEN EFLAGS Pop() (* All non-reserved bits except IOPL, VIP, and VIF can be modified; *) (* IOPL is unaffected; VIP and VIF are cleared; VM is unaffected *) ELSE (* OperandSize = 16 *) EFLAGS[15:0] Pop(); (* All non-reserved bits except IOPL can be m odified *) (* IOPL is unaffected *) FI; FI; ELSE (* In Virtual-8086 Mode *) IF IOPL=3 THEN IF OperandSize=32 THEN EFLAGS Pop() (* All non-reserved bits except VM, RF, IOPL, VIP, and VIF *) (* can be modified; VM, RF, IOPL, VIP, and VIF are unaffected *) ELSE EFLAGS[15:0] Pop() (* All non-reserved bits except IOPL can be m odified *) (* IOPL is unaffected *) FI; ELSE (* IOPL < 3 *) #GP(0); (* trap to virtual-8086 monitor *) FI; FI; FI;

Flags Affected All flags except the reserved bits and the V M bit. Protected Mode Exceptions #SS(0) #PF(fault-code) If the top of stack is not within the stack segment. If a page fault occurs.

3-357


INSTRUCTION SET REFERENCE

POPF/POPFD--Pop Stack into EFLAGS Register (Continued)
#AC(0) If an unaligned memory reference is made while the current privilege level is 3 and alignment checking is enabled.

Real-Address Mode Exceptions #SS If the top of stack is not within the stack segment.

Vir tual-8086 Mode Exceptions # G P( 0 ) If the I/O privilege level is less than 3. If an attempt is made to execute the POPF/PO PFD instruction with an operand-size override prefix. #SS(0) #PF(fault-code) #AC(0) If the top of stack is not within the stack segment. If a page fault occurs. If an unaligned memory reference is made while alignment checking is enabled.

3- 358


INSTRUCTION SET REFER EN CE

POR--Bitwise Logical OR
Opcode 0F EB /r Instruction POR mm, mm/m64 Description OR quadword from mm/m64 to quadword in mm.

Description Performs a bitwise logical OR operation on the quadword source (second) and destination (first) operands and stores the result in the destination operand location (see Figure 3-18). The source operand can be an MMX register or a quadword memory location; the destination operand must be an MMX register. Each bit of the result is made 0 if the corresponding bits of both operands are 0; otherwise the bit is set to 1.

POR mm, mm/m64 mm 1111111111111000000000000000010110110101100010000111011101110111

mm/m64 0001000011011001010100000011000100011110111011110001010110010101

mm

1111111111111001010100000011010110111111111011110111011111110111
3006024

Figure 3-18. Operation of the POR Instruction.

Operation
DEST DEST OR SRC;

Flags Affected None. Protected Mode Exceptions #GP(0) #SS(0) #UD #NM #MF #PF(fault-code) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs.
3-359


INSTRUCTION SET REFERENCE

POR--Bitwise Logical OR (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Vir tual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 360


INSTRUCTION SET REFER EN CE

PSLLW/PSLLD/PSLLQ--Packed Shift Left Logical
Opcode 0F F1 /r 0F 71 /6, ib 0F F2 /r 0F 72 /6 ib 0F F3 /r 0F 73 /6 ib Instruction PSLLW mm, mm/m64
PSLLW mm, imm8

Description Shift words in mm left by amount specified in mm/m64, while shifting in zeros. Shift words in mm left by imm8, while shifting in zeros. Shift doublewords in mm left by amount specified in mm/m64, while shifting in zer os. Shift doublewords in mm by imm8, while shifting in zeros. Shift mm left by amount specified in mm/m64, while shifting in zeros. Shift mm left by Imm8, w hile shifting in zeros.

PSLLD mm, mm/m64 PSLLD mm, imm8 PSLLQ mm, mm/m64 PSLLQ mm, imm8

Description Shifts the bits in the data elements (words, doublewords, or quadword) in the destination operand (first operand) to the left by the number of bits specified in the unsigned count operand (second operand). (See Figure 3-19.) The result of the shift operation is written to the destination operand. A s the bits in the data elements are shifted left, the empty low-order bits are cleared (set to zero). If the value specified by the count operand is greater than 15 (for words), 31 (for doublewords), or 63 (for a quadword), then the destination operand is set to all zeros. The destination operand must be an MMX register; the count operand can be either an MMX register, a 64-bit memory location, or an 8-bit immediate. The PSLLW instruction shifts each of the four words of the destination operand to the left by the number of bits specified in the count operand; the PSLLD instruction shifts each of the two doublewords of the destination operand; and the PSLLQ instruction shifts the 64-bit quadword in the destination operand. As the individual data elements are shifted left, the empty low-order bit positions are filled w ith zeros.

PSLLW mm, 2 mm 1111111111111100 0001000111000111

shift left

shift left

shift left

shift left

mm

1111111111110000 0100011100011100
3006026

Figure 3-19. Operation of the PSLLW Instruction

3-361


INSTRUCTION SET REFERENCE

PSLLW/PSLLD/PSLLQ--Packed Shift Left Logical (Continued)
Operation
IF instruction is PSLLW THEN DEST(15..0) DEST(15..0) << COUNT; DEST(31..16) DEST(31..16) << COUNT; DEST(47..32) DEST(47..32) << COUNT; DEST(63..48) DEST(63..48) << COUNT; ELSE IF instruction is PSLLD THEN { DEST(31..0) DEST(31..0) << COUNT; DEST(63..32) DEST(63..32) << COUNT; ELSE (* instruction is PSLLQ *) DEST DEST << C OUNT; FI;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

3- 362


INSTRUCTION SET REFER EN CE

PSLLW/PSLLD/PSLLQ--Packed Shift Left Logical (Continued)
Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-363


INSTRUCTION SET REFERENCE

PSRAW/PSRAD--Packed Shift Right Arithmetic
Opcode 0F E1 /r 0F 71 /4 ib 0F E2 /r 0F 72 /4 ib Instruction PSRAW mm, mm/m64 PSRAW mm, imm8 PSRA D mm, mm/m64 PSRAD mm, imm8 Description Shift words in mm right by amount specified in mm/m64 while shifting in sign bits. Shift words in mm right by imm8 while shifting in sign bits Shift doublewords in mm r ight by amount specified in mm/m64 while shifting in sign bits. Shift doublewords in mm r ight by imm8 while shifting in sign bits.

Description Shifts the bits in the data elements (words or doublewords) in the destination operand (first operand) to the right by the amount of bits specified in the unsigned count operand (second operand). (See Figure 3-20.) The result of the shift operation is written to the destination operand. The empty high-order bits of each element are filled with the initial value of the sign bit of the data element. If the value specified by the count operand is greater than 15 (for words) or 31 (for doublewords), each destination data element is filled with the initial value of the sign bit of the element. The destination operand must be an MMX register; the count operand (source operand) can be either an MMX register, a 64-bit memory location, or an 8-bit immediate. The PSRAW instruction shifts each of the four words in the destination operand to the right by the number of bits specified in the count operand; the PSRAD instruction shifts each of the two doublewords in the destination operand. As the individual data elements are shifted right, the empty high-order bit positions are filled with the sign value.

PSRAW mm, 2 mm 1111111111111100 1101000111000111

shift right

shift right

shift right

shift right

mm

1111111111111111 1111010001110001
3006048

Figure 3-20. Operation of the PSRAW Instruction

Operation
IF instruction is PSRAW

3- 364


INSTRUCTION SET REFER EN CE

PSRAW/PSRAD--Packed Shift Right Arithmetic (Continued)
THEN DEST(15..0) SignExtend (DEST(15..0 DEST(31..16) SignExtend (DEST(31.. DEST(47..32) SignExtend (DEST(47.. DEST(63..48) SignExtend (DEST(63.. ELSE { (*instruction is PSRAD *) DEST(31..0) SignExtend (DEST(31..0 DEST(63..32) SignExtend (DEST(63.. FI; ) >> COUNT); 16) >> COUNT); 32) >> COUNT); 48) >> COUNT); ) >> COUNT); 32) >> COUNT);

Flags Affected None. Protected Mode Exceptions #GP(0) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set.

3-365


INSTRUCTION SET REFERENCE

PSRAW/PSRAD--Packed Shift Right Arithmetic (Continued)
#MF #PF(fault-code) #AC(0) If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 366


INSTRUCTION SET REFER EN CE

PSRLW/PSRLD/PSRLQ--Packed Shift Right Logical
Opcode 0F D1 /r 0F 71 /2 ib 0F D2 /r 0F 72 /2 ib 0F D3 /r 0F 73 /2 ib Instruction PSRLW mm, mm/m64 PSRLW mm, imm8 PSRLD mm, mm/m64 PSRLD mm, imm8 PSRLQ mm, mm/m64 PSRLQ mm, imm8 Description Shift words in mm r ight by amount specified in mm/m64 while shifting in zeros. Shift words in mm right by imm8. Shift doublewords in mm right by amount specified in mm/m64 while shifting in zeros. Shift doublewords in mm right by imm8. Shift mm r ight by amount specified in mm/m64 while shifting in zeros. Shift mm right by imm8 while shifting in zeros.

Description Shifts the bits in the data elements (words, doublewords, or quadword) in the destination operand (first operand) to the right by the number of bits specified in the unsigned count operand (second operand). (See Figure 3-21.) The result of the shift operation is written to the destination operand. As the bits in the data elements are shifted right, the empty high-order bits are cleared (set to zero). If the value specified by the count operand is greater than 15 (for words), 31 (for doublewords), or 63 (for a quadword), then the destination operand is set to all zeros. The destination operand must be an MMX register; the count operand can be either an MMX register, a 64-bit memory location, or an 8-bit immediate. The PSRLW instruction shifts each of the four words of the destination operand to the right by the number of bits specified in the count operand; the PSRLD instruction shifts each of the two doublewords of the destination operand; and the PSRLQ instruction shifts the 64-bit quadword in the destination operand. As the individual data elements are shifted right, the empty highorder bit positions are filled with zeros.

PSRLW mm, 2 mm 1111111111111100 0001000111000111

shift right

shift right

shift right

shift right

mm

0011111111111111 0000010001110001
3006027

Figure 3-21. O peration of the PSRLW Instruction

3-367


INSTRUCTION SET REFERENCE

PSRLW/PSRLD/PSRLQ--Packed Shift Right Logical (Continued)
Operation
IF instruction is PSRLW THEN { DEST(15..0) DEST(15..0) >> COUNT; DEST(31..16) DEST(31..16) >> COUNT; DEST(47..32) DEST(47..32) >> COUNT; DEST(63..48) DEST(63..48) >> COUNT; ELSE IF instruction is PSRLD THEN { DEST(31..0) DEST(31..0) >> COUNT; DEST(63..32) DEST(63..32) >> COUNT; ELSE (* instruction is PSRLQ *) DEST DEST >> C OUNT; FI;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

3- 368


INSTRUCTION SET REFER EN CE

PSRLW/PSRLD/PSRLQ--Packed Shift Right Logical (Continued)
Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-369


INSTRUCTION SET REFERENCE

PSUBB/PSUBW/PSUBD--Packed Subtract
Opcode 0F F8 /r 0F F9 /r 0F FA /r Instruction PSUB B mm, mm/m64 PSUBW mm, mm/m64 PSUB D mm, mm/m64 Description Subtract packed bytes in mm/m64 from packed bytes in mm. Subtract packed words inmm/m64 from packed words in mm. Subtract packed doublewords in mm/m64 from packed doublewords in mm.

Description Subtracts the individual data elements (bytes, words, or doublewords) of the source operand (second operand) from the individual data elements of the destination operand (first operand). (See Figure 3-22.) If the result of a subtraction exceeds the range for the specified data type (overflows), the result is w rapped around, meaning that the result is truncated so that only the lower (least significant) bits of the result are returned (that is, the carry is ignored). The destination operand must be an MMX register; the source operand can be either an MMX register or a quadword memory location.

PSUBW mm, mm/m64 mm 1000000000000000 0111111100111000

­
mm/m64 mm

­

­

­

0000000000000001 1110100011111001

0111111111111111 1001011000111111
3006028

Figure 3-22. Operation of the PSUBW Instruction

The PSUBB tion operand large to be r operand and

instruction subtracts the bytes of the source operand from the bytes of the destinaand stores the results to the destination operand. When an individual result is too epresented in 8 bits, the lower 8 bits of the result are written to the destination therefore the result wraps around.

The PSUBW instruction subtracts the words of the source operand from the words of the destination operand and stores the results to the destination operand. When an individual result is too large to be represented in 16 bits, the lower 16 bits of the result are written to the destination operand and therefore the result wraps around.

3- 370


INSTRUCTION SET REFER EN CE

PSUBB/PSUBW/PSUBD--Packed Subtract (Continued)
The PSUBD instruction subtracts the doublewords of the destination operand and stores the results to result is too large to be represented in 32 bits, the destination operand and therefore the result wraps of the source operand from the doublewords the destination operand. When an individual low er 32 bits of the result are written to the around.

Note that like the integer SUB instruction, the PSUBB, PSUBW, and PSUBD instructions can operate on either unsigned or signed (two's complement notation) packed integers. Unlike the integer instructions, none of the MMX instructions affect the EFLAGS register. With MMX instructions, there are no carry or overflow flags to indicate when overflow has occurred, so the software must control the range of values or else use the "with saturation" MMX instructions. Operation
IF instruction is PSUBB THEN DEST(7..0) DEST(7..0) ­ SRC(7..0); DEST(15..8) DEST(15..8) ­ SRC(15..8); DEST(23..16) DEST(23..16) ­ SRC(23..16); DEST(31..24) DEST(31..24) ­ SRC(31..24); DEST(39..32) DEST(39..32) ­ SRC(39..32); DEST(47..40) DEST(47..40) ­ SRC(47..40); DEST(55..48) DEST(55..48) ­ SRC(55..48); DEST(63..56) DEST(63..56) ­ SRC(63..56); ELSEIF instruction is PSUBW THEN DEST(15..0) DEST(15..0) ­ SRC(15..0); DEST(31..16) DEST(31..16) ­ SRC(31..16); DEST(47..32) DEST(47..32) ­ SRC(47..32); DEST(63..48) DEST(63..48) ­ SRC(63..48); ELSE { (* instruction is PSUBD *) DEST(31..0) DEST(31..0) ­ SRC(31..0); DEST(63..32) DEST(63..32) ­ SRC(63..32); FI;

Flags Affected None. Protected Mode Exceptions #GP(0) #SS(0) #UD #NM If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set.

3-371


INSTRUCTION SET REFERENCE

PSUBB/PSUBW/PSUBD--Packed Subtract (Continued)
#MF #PF(fault-code) #AC(0) If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Vir tual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 372


INSTRUCTION SET REFER EN CE

PSUBSB/PSUBSW--Packed Subtract with Saturation
Opcode 0F E8 /r 0F E9 /r Instruction PSUBSB mm, mm/m64 PSUBSW mm, mm/m64 Description Subtract signed packed bytes in mm/m64 from signed packed bytes in mm and saturate. Subtract signed packed words in mm/m64 from signed packed words in mm and saturate.

Description Subtracts the individual signed data elements (bytes or words) of the source operand (second operand) from the individual signed data elements of the destination operand (first operand). (See Figure 3-23.) If the result of a subtraction exceeds the range for the specified data type, the result is saturated. The destination operand must be an MMX register; the source operand can be either an MMX register or a quadword memory location.

PSUBSW mm, mm/m64 mm 1000000000000000 0111111100111000

­
mm/m64 mm

­

­

­

0000000000000001 1110100011111001

1000000000000000 0111111111111111
3006029

Figure 3-23. Operation of the PSUBSW Instruction

The PSUBSB instruction subtracts the signed bytes of the of the destination operand and stores the results to the des result is beyond the range of a signed byte (that is, greater rated byte value of 7FH or 80H, respectively, is written to

source operand from the signed bytes tination operand. When an individual than 7FH or less than 80H ), the satuthe destination operand.

The PSU BSW instruction subtracts the signed words of the source operand from the signed words of the destination operand and stores the results to the destination operand. When an individual result is beyond the range of a signed word (that is, greater than 7FFFH or less than 8000H), the saturated word value of 7FFFH or 8000H, respectively, is written to the destination operand.

3-373


INSTRUCTION SET REFERENCE

PSUBSB/PSUBSW--Packed Subtract with Saturation (Continued)
Operation
IF instruction is PSUBSB THEN DEST(7..0) SaturateToSignedByte(DEST(7..0) ­ SRC (7..0)); DEST(15..8) SaturateToSignedByte(DEST(15..8) ­ SRC(15..8)); DEST(23..16) SaturateToSignedByte(DEST(23..16) ­ SRC(23..16)); DEST(31..24) SaturateToSignedByte(DEST(31..24) ­ SRC(31..24)); DEST(39..32) SaturateToSignedByte(DEST(39..32) ­ SRC(39..32)); DEST(47..40) SaturateToSignedByte(DEST(47..40) ­ SRC(47..40)); DEST(55..48) SaturateToSignedByte(DEST(55..48) ­ SRC(55..48)); DEST(63..56) SaturateToSignedByte(DEST(63..56) ­ SRC(63..56)) ELSE (* instruction is PSUBSW *) DEST(15..0) SaturateToSignedWord(DEST(15..0) ­ SRC(15..0)); DEST(31..16) SaturateToSignedWord(DEST(31..16) ­ SRC(31..16)); DEST(47..32) SaturateToSignedWord(DEST(47..32) ­ SRC(47..32)); DEST(63..48) SaturateToSignedWord(DEST(63..48) ­ SRC(63..48)); FI;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set.

3- 374


INSTRUCTION SET REFER EN CE

PSUBSB/PSUBSW--Packed Subtract with Saturation (Continued)
#MF If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-375


INSTRUCTION SET REFERENCE

PSUBUSB/PSUBUSW--Packed Subtract Unsigned with Saturation
Opcode 0F D8 /r 0F D9 /r Instruction PSUBUSB mm, mm/m64 PSUBUSW mm, mm/m64 Description Subtract unsigned packed bytes in mm/m64 from unsigned packed bytes in mm and saturate. Subtract unsigned packed words in mm/m64 from unsigned packed words in mm and saturate.

Description Subtracts the individual unsigned data elements (bytes or words) of the source operand (second operand) from the individual unsigned data elements of the destination operand (first operand). (See Figure 3-24.) If the result of an individual subtraction exceeds the range for the specified unsigned data type, the result is saturated. The destination operand musts be an MMX register; the source operand can be either an MMX register or a quadword memory location.

PSUBUSB mm, mm/m64 mm 10000000 01111111 11111000

­
mm/m64 mm

­

­

­

­

­

­

­

11111111 00010111 00000111

00000000 01101000 11110001
3006030

Figure 3-24. O peration of the PSUBUSB Instruction

The PSUBUSB instruction subtracts the unsigned bytes of the source operand from the unsigned bytes of the destination operand and stores the results to the destination operand. When an individual result is less than zero (a negative value), the saturated unsigned byte value of 00H is written to the destination operand. The PSUBUSW instruction subtracts the unsigned words of the source operand from the unsigned words of the destination operand and stores the results to the destination operand. When an individual result is less than zero (a negative value), the saturated unsigned word value of 0000H is written to the destination operand.

3- 376


INSTRUCTION SET REFER EN CE

PSUBUSB/PSUBUSW--Packed Subtract Unsigned with Saturation (Continued)
Operation
IF instruction is PSUBUSB THEN DEST(7..0) SaturateToUnsignedByte (DEST(7..0 ­ SRC (7..0) ); DEST(15..8) SaturateToUnsignedByte ( DEST(15..8) ­ SRC(15..8) ); DEST(23..16) SaturateToUnsignedByte (DEST(23..16) ­ SR C(23..16) ) DEST(31..24) SaturateToUnsignedByte (DEST(31..24) ­ SR C(31..24) ) DEST(39..32) SaturateToUnsignedByte (DEST(39..32) ­ SR C(39..32) ) DEST(47..40) SaturateToUnsignedByte (DEST(47..40) ­ SR C(47..40) ) DEST(55..48) SaturateToUnsignedByte (DEST(55..48) ­ SR C(55..48) ) DEST(63..56) SaturateToUnsignedByte (DEST(63..56) ­ SR C(63..56) ) ELSE { (* instruction is PSUBUSW *) DEST(15..0) SaturateToUnsignedWord (DEST(15..0) ­ SRC(15..0) ); DEST(31..16) SaturateToUnsignedWord (D EST(31..16) ­ SRC(31..16) DEST(47..32) SaturateToUnsignedWord (D EST(47..32) ­ SRC(47..32) DEST(63..48) SaturateToUnsignedWord (D EST(63..48) ­ SRC(63..48) FI;

; ; ; ; ; ;

); ); );

Flags Affected None. Protected Mode Exceptions #GP(0) #SS(0) #UD #NM #MF #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set.

3-377


INSTRUCTION SET REFERENCE

PSUBUSB/PSUBUSW--Packed Subtract Unsigned with Saturation (Continued)
#NM #MF If TS in CR0 is set. If there is a pending FPU exception.

Vir tual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 378


INSTRUCTION SET REFER EN CE

PUNPCKHBW/PUNPCKHWD/PUNPCKHDQ--Unpack High Packed Data
Opcode 0F 68 /r 0F 69 /r 0F 6A /r Instruction PUNPCKHB W mm, mm/m64 PUNPCKHWD mm, mm/m64 PUNPCKHD Q mm, mm/m64 Description Inter leave high-order bytes from mm and mm/m64 into mm. Inter leave high-order words from mm and mm/m64 into mm. Inter leave high-order doublewords from mm and mm/m64 into mm.

Description Unpacks and interleaves the high-order data elements (bytes, words, or doublewords) of the destination operand (first operand) and source operand (second operand) into the destination operand (see Figure 3-25). The low-order data elements are ignored. The destination operand must be an MMX register; the source operand may be either an MMX register or a 64-bit memory location. W hen the source data comes from a memory operand, the full 64-bit operand is accessed from memory, but the instruction uses only the high-order 32 bits.

PUNPCKHBW mm, mm/m64 mm/m64 27 26 25 24 23 22 21 20

1

7

1

6

mm 15 14 13 12 11 10

27 17 26 16 25 15 24 14 mm
3006031

Figure 3-25. High-Order Unpacking and Interleaving of B ytes With the PUNPCKHBW Instruction

The PUNPCKHBW instruction interleaves the four high-order bytes of the source operand and the four high-order bytes of the destination operand and writes them to the destination operand. The PUNPCKHW D instruction interleaves the two high-order words of the source operand and the two high-order words of the destination operand and writes them to the destination operand. The PUNPCKHDQ instruction interleaves the high-order doubleword of the source operand and the high-order doubleword of the destination operand and writes them to the destination operand.

3-379


INSTRUCTION SET REFERENCE

PUNPCKHBW/PUNPCKHWD/PUNPCKHDQ--Unpack High Packed Data (Continued)
If the source operand is all zeros, the result (stored in the destination operand) contains zero extensions of the high-order data elements from the original value in the destination operand. With the PUNPCKHBW instruction the high-order bytes are zero extended (that is, unpacked into unsigned words), and with the PUNPCKHWD instruction, the high-order words are zero extended (unpacked into unsigned doublewords). Operation
IF instruction is PUNPCKHBW THEN DEST(7..0) DEST(39..32); DEST(15..8) SRC(39..32); DEST(23..16) DEST(47..40); DEST(31..24) SRC(47..40); DEST(39..32) DEST(55..48); DEST(47..40) SRC(55..48); DEST(55..48) DEST(63..56); DEST(63..56) SRC(63..56); ELSE IF instruction is PUNPCKHW THEN DEST(15..0) DEST(47..32); DEST(31..16) SRC(47..32); DEST(47..32) DEST(63..48); DEST(63..48) SRC(63..48); ELSE (* instruction is PU NPCKHDQ *) DEST(31..0) DEST(63..32) DEST(63..32) SRC(63..32); FI;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD #NM #MF If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

3- 380


INSTRUCTION SET REFER EN CE

PUNPCKHBW/PUNPCKHWD/PUNPCKHDQ--Unpack High Packed Data (Continued)
#PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-381


INSTRUCTION SET REFERENCE

PUNPCKLBW/PUNPCKLWD/PUNPCKLDQ--Unpack Low Packed Data
Opcode 0F 60 /r 0F 61 /r 0F 62 /r Instruction PUNP CKLB W mm, mm/m32 PUNP CKLWD mm, mm/m32 PUNP CKLDQ mm, mm/m32 D escription Inter leave low-order bytes from mm and mm/m64 into mm. Inter leave low-order words from mm and mm/m64 into mm. Inter leave low-order doublewords from mm and mm/m64 into mm.

Description Unpacks and interleaves the low-order data elements (bytes, words, or doublewords) of the destination and source operands into the destination operand (see Figure 3-26). The destination operand must be an MMX register; the source operand may be either an MMX register or a memory location. When source data comes from an MMX register, the upper 32 bits of the register are ignored. When the source data comes from a memory, only 32-bits are accessed from memory.

PUNPCKLBW mm, mm/m32 mm/m32 2 3 2 2 2 1 20

17 1

6

mm 15 14 13 12 11 10

2

3

1

3

2

2

12 21 11 20 10 mm
3006032

Figure 3-26. Low-Order Unpacking and Interleaving of Bytes With the PUNPCKLBW Instruction

The PUNPCKLBW instruction interleaves the four low-order bytes of the source operand and the four low-order bytes of the destination operand and writes them to the destination operand. The PUNPCKLW D instruction interleaves the two low-order words of the source operand and the two low-order words of the destination operand and writes them to the destination operand. The PUNPCKLDQ instruction interleaves the low-order doubleword of the source operand and the low-order doubleword of the destination operand and writes them to the destination operand.

3- 382


INSTRUCTION SET REFER EN CE

PUNPCKLBW/PUNPCKLWD/PUNPCKLDQ--Unpack Low Packed Data (Continued)
If the source operand is all zeros, the result (stored in the destination operand) contains zero extensions of the high-order data elements from the original value in the destination operand. With the PUNPCKLBW instruction the low-order bytes are zero extended (that is, unpacked into unsigned words), and with the PUNPCKLWD instruction, the low-order words are zero extended (unpacked into unsigned doublewords). Operation
IF instruction is PUNPCKLBW THEN DEST(63..56) SRC(31..24); DEST(55..48) DEST(31..24); DEST(47..40) SRC(23..16); DEST(39..32) DEST(23..16); DEST(31..24) SRC(15..8); DEST(23..16) DEST(15..8); DEST(15..8) SRC(7..0); DEST(7..0) DEST(7..0); ELSE IF instruction is PUNPCKLWD THEN DEST(63..48) SRC(31..16); DEST(47..32) DEST(31..16); DEST(31..16) SRC(15..0); DEST(15..0) DEST(15..0); ELSE (* instruction is PUNPCKLDQ *) DEST(63..32) SRC(31..0); DEST(31..0) DEST(31..0); FI;

Flags Affected None. Protected Mode Exceptions #GP(0) #SS(0) #UD #NM #MF If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

3-383


INSTRUCTION SET REFERENCE

PUNPCKLBW/PUNPCKLWD/PUNPCKLDQ--Unpack Low Packed Data (Continued)
#PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Vir tual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 384


INSTRUCTION SET REFER EN CE

PUSH--Push Word or Doubleword Onto the Stack
Opcode FF /6 FF /6 50+rw 50+rd 6A 68 68 0E 16 1E 06 0F A0 0F A8 Instruction PUSH r/m16 PUSH r/m32 PUSH r16 PUSH r32 PUSH imm8 PUSH imm16 PUSH imm32 PUSH CS PUSH S S PUSH DS PUSH E S PUSH FS PUSH GS D escription Push r/m16 Push r/m32 Push r16 Push r32 Push imm8 Push imm16 Push imm32 P ush CS P ush SS P ush DS P ush ES Push FS P ush GS

Description Decrements the stack pointer and then stores the source operand on the top of the stack. The address-size attribute of the stack segment determines the stack pointer size (16 bits or 32 bits), and the operand-size attribute of the current code segment determines the amount the stack pointer is decremented (2 bytes or 4 bytes). For example, if these address- and operand-size attributes are 32, the 32-bit ESP register (stack pointer) is decremented by 4 and, if they are 16, the 16-bit SP register is decremented by 2.(The B flag in the stack segment's segment descriptor determines the stack's address-size attribute, and the D flag in the current code segment's segment descriptor, along with prefixes, determines the operand-size attribute and also the address-size attribute of the source operand.) Pushing a 16-bit operand when the stack addresssize attribute is 32 can result in a misaligned the stack pointer (that is, the stack pointer is not aligned on a doubleword boundary). The PUSH ESP instruction pushes the value of the ESP register as it existed before the instruction was executed. Thus, if a PUSH instruction uses a memory operand in which the ESP register is used as a base register for computing the operand address, the effective address of the operand is computed before the ESP register is decremented. In the real-address mode, if the ESP or SP register is 1 when the PUSH instruction is executed, the processor shuts down due to a lack of stack space. No exception is generated to indicate this condition. Intel Architecture Compatibility For Intel Architecture processors from the Intel 286 on, the PUSH ESP instruction pushes the value of the ESP register as it existed before the instruction was executed. (This is also true in the real-address and virtual-8086 modes.) For the Intel 8086 processor, the PUSH SP instruction pushes the new value of the SP register (that is the value after it has been decremented by 2).

3-385


INSTRUCTION SET REFERENCE

PUSH--Push Word or Doubleword Onto the Stack (Continued)
Operation
IF StackAddrSize = 32 THEN IF OperandSize = 32 THEN ESP ESP - 4; SS:ESP SRC ; (* push doubleword *) ELSE (* OperandSize = 16*) ESP ESP - 2; SS:ESP SRC ; (* push word *) FI; ELSE (* StackAddrSize = 16*) IF OperandSize = 16 THEN SP SP - 2; SS:SP SRC; (* push word *) ELSE (* OperandSize = 32*) SP SP - 4; SS:SP SRC ; (* push doubleword *) FI; FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #GP If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.

3- 386


INSTRUCTION SET REFER EN CE

PUSH--Push Word or Doubleword Onto the Stack (Continued)
#SS If a memory operand effective address is outside the SS segment limit. If the new value of the SP or ESP register is outside the stack segment limit. Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-387


INSTRUCTION SET REFERENCE

PUSHA/PUSHAD--Push All General-Purpose Registers
Opcode 60 60 Inst ruction P USHA P USHAD Description Push AX, CX, D X, BX, original SP BP SI, and DI ,, Push EAX, ECX, EDX, EBX, original ESP EBP ESI, and EDI , ,

Description Pushes the contents of the general-purpose registers onto the stack. The registers are stored on the stack in the following order: EAX, ECX, EDX, EBX , EBP, ESP (original value), EBP, ESI, and EDI (if the current operand-size attribute is 32) and AX , CX, DX, BX, SP (original value), BP, SI, and D I (if the operand-size attribute is 16). (These instructions perform the reverse operation of the POPA/POPAD instructions.) The value pushed for the ESP or SP register is its value before prior to pushing the first register (see the "Operation" section below). The PUSHA (push all) and PUSHAD (push all double) mnemonics reference the same opcode. The PUSHA instruction is intended for use when the operand-size attribute is 16 and the PUSHAD instruction for when the operand-size attribute is 32. Some assemblers may force the operand size to 16 when PUSHA is used and to 32 when PUSHAD is used. Others may treat these mnemonics as synonyms (PUSHA/PUSH AD) and use the current setting of the operandsize attribute to determine the size of values to be pushed from the stack, regardless of the mnemonic used. In the real-address mode, if the ESP or SP register is 1, 3, or 5 w hen the PUSHA/PUSHAD instruction is executed, the processor shuts down due to a lack of stack space. No exception is generated to indicate this condition. Operation
IF OperandSize = 32 (* PUSHAD instruction *) THEN Temp (ESP); Push(EAX); Push(ECX); Push(EDX); Push(EBX); Push(Temp); Push(EBP); Push(ESI); Push(EDI); ELSE (* OperandSize = 16, PUSHA instruction *) Temp (SP); Push(AX); Push(CX); Push(DX); Push(BX); Push(Temp);

3- 388


INSTRUCTION SET REFER EN CE

PUSHA/PUSHAD--Push All General-Purpose Register (Continued)
Push(BP); Push(SI); Push(DI); FI;

Flags Affected None. Protected Mode Exceptions #SS(0) #PF(fault-code) #AC(0) If the starting or ending stack address is outside the stack segment limit. If a page fault occurs. If an unaligned memory reference is made while the current privilege level is 3 and alignment checking is enabled.

Real-Address Mode Exceptions #GP If the ESP or SP register contains 7, 9, 11, 13, or 15.

Virtual-8086 Mode Exceptions #GP(0) #PF(fault-code) #AC(0) If the ESP or SP register contains 7, 9, 11, 13, or 15. If a page fault occurs. If an unaligned memory reference is made while alignment checking is enabled.

3-389


INSTRUCTION SET REFERENCE

PUSHF/PUSHFD--Push EFLAGS Register onto the Stack
Opcode 9C 9C Instruction PUSH F PUSH FD Description Push lower 16 bits of EFLAGS Push EFLAGS

Description Decrements the stack pointer by 4 (if the current operand-size attribute is 32) and pushes the entire contents of the EFLAG S register onto the stack, or decrements the stack pointer by 2 (if the operand-size attribute is 16) and pushes the lower 16 bits of the EFLAGS register (that is, the FLAGS register) onto the stack. (These instructions reverse the operation of the POPF/POPFD instructions.) W hen copying the entire EFLAGS register to the stack, the VM and RF flags (bits 16 and 17) are not copied; instead, the values for these flags are cleared in the EFLAGS image stored on the stack. See the section titled "EFLAGS Register" in Chapter 3 of the Intel Architecture Software Developer's Manual, Volume 1, for information about the EFLAGS registers. The PUSHF (push flags) and PUSHFD (push flags double) mnemonics reference the same opcode. The PUSHF instruction is intended for use when the operand-size attribute is 16 and the PUSHFD instruction for when the operand-size attribute is 32. Some assemblers may force the operand size to 16 when PUSHF is used and to 32 when PUSHFD is used. Others may treat these mnemonics as synonyms (PUSH F/PUSHFD) and use the current setting of the operand-size attribute to determine the size of values to be pushed from the stack, regardless of the mnemonic used. When in virtual-8086 mode and the I/O privilege level (IOPL) is less than 3, the PUSHF/PUSHFD instruction causes a general protection exception (#GP). In the real-address mode, if the ESP or SP register is 1, 3, or 5 w hen the PUSHA/PUSHAD instruction is executed, the processor shuts down due to a lack of stack space. No exception is generated to indicate this condition. Operation
IF (PE=0) OR (PE=1 AND ((VM=0) OR (VM=1 AND IOPL=3))) (* Real-Address Mode, Protected mode, or Virtual-8086 m ode with IOPL equal to 3 *) THEN IF OperandSize = 32 THEN push(EFLAGS AND 00FCFFFFH); (* VM and RF EFLAG bits are cleared in image stored on the stack*) ELSE push(EFLAGS); (* Lower 16 bits only *) FI;

3- 390


INSTRUCTION SET REFER EN CE

PUSHF/PUSHFD--Push EFLAGS Register onto the Stack (Continued)
ELSE (* In Virtual-8086 Mode with IOPL less than 0 *) #GP(0); (* Trap to virtual-8086 monitor *) FI;

Flags Affected None. Protected Mode Exceptions #SS(0) #PF(fault-code) #AC(0) If the new value of the ESP register is outside the stack segment boundary. If a page fault occurs. If an unaligned memory reference is made while the current privilege level is 3 and alignment checking is enabled.

Real-Address Mode Exceptions None. Virtual-8086 Mode Exceptions #GP(0) #PF(fault-code) #AC(0) If the I/O privilege level is less than 3. If a page fault occurs. If an unaligned memory reference is made while alignment checking is enabled.

3-391


INSTRUCTION SET REFERENCE

PXOR--Logical Exclusive OR
Opcode 0F EF /r Instruction PXOR mm, mm/m64 Description XOR quadword from mm/m64 to quadword in mm.

Description Performs a bitwise logical exclusive-OR (XOR) destination (first) operands and stores the result 3-27). The source operand can be an MMX regi nation operand must be an MMX register. Each the two operands are different; each bit is 0 if same. operation on the quadword source (second) and in the destination operand location (see Figure ster or a quadword memory location; the destibit of the result is 1 if the corresponding bits of the corresponding bits of the operands are the

PXOR mm, mm/m64 mm 1111111111111000000000000000010110110101100010000111011101110111

^
mm/m64 0001000011011001010100000011000100011110111011110001010110010101 mm

1110111100100001010100000011010010101011011001110110001011100010

3006033

Figure 3-27. Operation of the PXOR Instruction

Operation
DEST DEST XOR SRC ;

Flags Affected None. Protected Mode Exceptions # G P( 0 ) #SS(0) #UD If a memory operand effective address is outside the CS, DS, ES, FS or GS segment limit. If a memory operand effective address is outside the SS segment limit. If EM in CR0 is set.

3- 392


INSTRUCTION SET REFER EN CE

PXOR--Logical Exclusive OR (Continued)
#NM #MF #PF(fault-code) #AC(0) If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #UD #NM #MF If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception.

Virtual-8086 Mode Exceptions #GP #UD #NM #MF #PF(fault-code) #AC(0) If any part of the operand lies outside of the effective address space from 0 to FFFFH. If EM in CR0 is set. If TS in CR0 is set. If there is a pending FPU exception. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-393


INSTRUCTION SET REFERENCE

RCL/RCR/ROL/ROR---Rotate
Opcode D0 /2 D2 /2 C0 /2 ib D1 /2 D3 /2 C1 /2 ib D1 /2 D3 /2 C1 /2 ib D0 /3 D2 /3 C0 /3 ib D1 /3 D3 /3 C1 /3 ib D1 /3 D3 /3 C1 /3 ib D0 /0 D2 /0 C0 /0 ib D1 /0 D3 /0 C1 /0 ib D1 /0 D3 /0 C1 /0 ib D0 /1 D2 /1 C0 /1 ib D1 /1 D3 /1 C1 /1 ib D1 /1 D3 /1 C1 /1 ib Instruction RCL r/m8,1 RCL r/m8,CL RCL r/m8,imm8 RCL r/m16,1 RCL r/m16,CL RCL r/m16,imm8 RCL r/m32,1 RCL r/m32,CL RCL r/m32,imm8 RCR r/m8,1 RCR r/m8,CL RCR r/m8,imm8 RCR r/m16,1 RCR r/m16,CL RCR r/m16,imm8 RCR r/m32,1 RCR r/m32,CL RCR r/m32,imm8 ROL r/m8,1 ROL r/m8,CL ROL r/m8,imm8 ROL r/m16,1 ROL r/m16,CL ROL r/m16,imm8 ROL r/m32,1 ROL r/m32,CL ROL r/m32,imm8 ROR r/m8,1 ROR r/m8,CL ROR r/m8,imm8 ROR r/m16,1 ROR r/m16,CL ROR r/m16,imm8 ROR r/m32,1 ROR r/m32,CL ROR r/m32,imm8 Description Rotate 9 bits (CF,r/m8) left once Rotate 9 bits (CF,r/m8) left CL times Rotate 9 bits (CF,r/m8) left imm8 times Rotate 17 bits (CF,r/m16) left once Rotate 17 bits (CF,r/m16) left CL times Rotate 17 bits (CF,r/m16) left imm8 times Rotate 33 bits (CF,r/m32) left once Rotate 33 bits (CF,r/m32) left CL times Rotate 33 bits (CF,r/m32) left imm8 times Rotate 9 bits (CF,r/m8) r ight once Rotate 9 bits (CF,r/m8) r ight CL times Rotate 9 bits (CF,r/m8) r ight imm8 times Rotate 17 bits (CF,r/m16) r ight once Rotate 17 bits (CF,r/m16) r ight CL times Rotate 17 bits (CF,r/m16) r ight imm8 times Rotate 33 bits (CF,r/m32) r ight once Rotate 33 bits (CF,r/m32) r ight CL times Rotate 33 bits (CF,r/m32) r ight imm8 times Rotate 8 bits r/m8 left once Rotate 8 bits r/m8 left CL times Rotate 8 bits r/m8 left imm8 times Rotate 16 bits r/m16 left once Rotate 16 bits r/m16 left CL times Rotate 16 bits r/m16 left imm8 times Rotate 32 bits r/m32 left once Rotate 32 bits r/m32 left CL times Rotate 32 bits r/m32 left imm8 times Rotate 8 bits r/m8 r ight once Rotate 8 bits r/m8 r ight CL times Rotate 8 bits r/m16 right imm8 times Rotate 16 bits r/m16 right once Rotate 16 bits r/m16 r ight CL times Rotate 16 bits r/m16 right imm8 times Rotate 32 bits r/m32 right once Rotate 32 bits r/m32 r ight CL times Rotate 32 bits r/m32 right imm8 times

3- 394


INSTRUCTION SET REFER EN CE

RCL/RCR/ROL/ROR---Rotate (Continued)
Description Shifts (rotates) the bits of the first operand (destination operand) the number of bit positions specified in the second operand (count operand) and stores the result in the destination operand. The destination operand can be a register or a memory location; the count operand is an unsigned integer that can be an immediate or a value in the CL register. The processor restricts the count to a number between 0 and 31 by masking all the bits in the count operand except the 5 leastsignificant bits. The rotate left (ROL) and rotate through carry left (RCL) instructions shift all the bits toward more-significant bit positions, except for the most-significant bit, which is rotated to the leastsignificant bit location (see Figure 6-10 in the Intel Architecture Software Developer's Manual, Volume 1). The rotate right (ROR) and rotate through carry right (RCR) instructions shift all the bits toward less significant bit positions, except for the least-significant bit, which is rotated to the most-significant bit location (see Figure 6-10 in the Intel Architecture Software Developer's Manual, Volume 1). The RCL and RCR instructions include the CF flag in the rotation. The RCL instruction shifts the CF flag into the least-significant bit and shifts the most-significant bit into the CF flag (see Figure 6-10 in the Intel Architecture Software Developer's Manual, Volume 1). The RCR instruction shifts the CF flag into the most-significant bit and shifts the least-significant bit into the CF flag (see Figure 6-10 in the Intel Architecture Software Developer's Manual, Volume 1). For the RO L and ROR instructions, the original value of the CF flag is not a part of the result, but the CF flag receives a copy of the bit that was shifted from one end to the other. The OF flag is defined only for the 1-bit rotates; it is undefined in all other cases (except that a zero-bit rotate does nothing, that is affects no flags). For left rotates, the OF flag is set to the exclusive OR of the CF bit (after the rotate) and the most-significant bit of the result. For right rotates, the OF flag is set to the exclusive OR of the two most-significant bits of the result. Intel Architecture Compatibility The 8086 does not mask the rotation count. However, all other Intel Architecture processors (starting with the Intel 286 processor) do mask the rotation count to 5 bits, resulting in a maximum count of 31. This masking is done in all operating modes (including the virtual-8086 mode) to reduce the maximum execution time of the instructions. Operation
(* RCL and RCR instructions *) SIZE OperandSize CASE (determine count) OF SIZE = 8: tempCOUNT (COUNT AND 1FH) MO D 9; SIZE = 16: tempCOUNT (COUNT AND 1FH) MO D 17; SIZE = 32: tempCOUNT COUNT AND 1FH; ESAC;

3-395


INSTRUCTION SET REFERENCE

RCL/RCR/ROL/ROR---Rotate (Continued)
(* RCL instruction operation *) WHILE (tempCOUNT 0) DO tempCF M SB(DEST); DEST (DEST 2) + CF; CF tem pCF; tempCOUNT tempCOUNT ­ 1; OD; ELIHW; IF COUNT = 1 THEN OF MSB(DEST) XOR CF; ELSE OF is undefined; FI; (* RCR instruction operation *) IF COUNT = 1 THEN OF MSB(DEST) XOR CF; ELSE OF is undefined; FI; WHILE (tempCOUNT 0) DO tempCF LSB(SRC); DEST (DEST / 2) + (CF * 2SIZE); CF tem pCF; tempCOUNT tempCOUNT ­ 1; OD; (* RO L and ROR instructions *) SIZE OperandSize CASE (determine count) OF SIZE = 8: tempCOUNT COUNT MOD 8; SIZE = 16: tempCOUNT COUNT MOD 16; SIZE = 32: tempCOUNT COUNT MOD 32; ESAC; (* RO L instruction operation *) WHILE (tempCOUNT 0) DO tempCF M SB(DEST); DEST (DEST 2) + tempCF; tempCOUNT tempCOUNT ­ 1; OD; ELIHW; CF LSB(DEST); IF COUNT = 1 THEN OF MSB(DEST) XOR CF; ELSE OF is undefined; FI;

3- 396


INSTRUCTION SET REFER EN CE

RCL/RCR/ROL/ROR---Rotate (Continued)
(* ROR instruction operation *) WHILE (tempCOU NT 0) DO tempCF LSB(SRC); DEST (DEST / 2) + (tempCF 2SIZE); tempCOUNT tem pCO UNT ­ 1; OD; ELIHW; CF MSB(DEST); IF COUN T = 1 THEN OF MSB(DEST) XO R MSB - 1(DEST); ELSE OF is undefined; FI;

Flags Affected The CF flag contains the value of the bit shifted into it. The OF flag is affected only for singlebit rotates (see "Description" above); it is undefined for multi-bit rotates. The SF, ZF, AF, and PF flags are not affected. Protected Mode Exceptions #GP(0) If the source operand is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

3-397


INSTRUCTION SET REFERENCE

RCL/RCR/ROL/ROR---Rotate (Continued)
#PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 398


INSTRUCTION SET REFER EN CE

RDMSR--Read from Model Specific Register
Opcode 0F 32 Instruction RDMSR D escription Load MSR specified by ECX into EDX:EAX

Description Loads the contents of a 64-bit model specific register (MSR) specified in the ECX register into registers EDX:EAX. The EDX register is loaded with the high-order 32 bits of the MSR and the EAX register is loaded with the low -order 32 bits. If less than 64 bits are implemented in the MSR being read, the values returned to EDX:EAX in unimplemented bit locations are undefined. This instruction must be executed at privilege level 0 or in real-address mode; otherw ise, a general protection exception #GP(0) w ill be generated. Specifying a reserved or unimplemented MSR address in ECX will also cause a general protection exception. The MSRs control functions for testability, execution tracing, performance-monitoring and machine check errors. A ppendix B, Model-Specific Registers (MSRs), in the Intel Architecture Software Developer's Manual, Volume 3, lists all the MSRs that can be read with this instruction and their addresses. The CPUID instruction should be used to determine whether MSRs are supported (EDX[5]=1) before using this instruction. Intel Architecture Compatibility The MSRs and the ability to read them with the RDMSR instruction were introduced into the Intel Architecture with the Pentium processor. Execution of this instruction by an Intel Architecture processor earlier than the Pentium processor results in an invalid opcode exception #UD. Operation
EDX:EAX MSR[ECX];

Flags Affected None. Protected Mode Exceptions #GP(0) If the current privilege level is not 0. If the value in ECX specifies a reserved or unimplemented MSR address. Real-Address Mode Exceptions #GP If the value in ECX specifies a reserved or unimplemented MSR address.

3-399


INSTRUCTION SET REFERENCE

RDMSR--Read from Model Specific Register (Continued)
Vir tual-8086 Mode Exceptions #GP(0) The RDMSR instruction is not recognized in virtual-8086 mode.

3- 400


INSTRUCTION SET REFER EN CE

RDPMC--Read Performance-Monitoring Counters
Opcode 0F 33 Instruction RDPMC D escription R ead perfor mance-monitor ing counter specified by ECX into E DX:EAX

Description Loads the contents of the 40-bit performance-monitoring counter specified in the ECX into registers EDX:EAX. The EDX register is loaded with the high-order 8 bits of the and the EAX register is loaded with the low-order 32 bits. The Pentium Pro processor performance-monitoring counters (0 and 1), which are specified by placing 0000H or respectively, in the ECX register. register counter has two 0001H,

The RDPMC instruction allows application code running at a privilege level of 1, 2, or 3 to read the performance-monitoring counters if the PCE flag in the CR4 register is set. This instruction is provided to allow performance monitoring by application code without incurring the overhead of a call to an operating-system procedure. The performance-monitoring counters are event counters that can be programmed to count events such as the number of instructions decoded, number of interrupts received, or number of cache loads. Appendix A, Performance Monitoring Counters, in the Intel Architecture Software Developer's Manual, Volume 3, lists all the events that can be counted. The RDPMC instruction does not serialize instruction execution. That is, it does not imply that all the events caused by the preceding instructions have been completed or that events caused by subsequent instructions have not begun. If an exact event count is desired, software must use a serializing instruction (such as the CPU ID instruction) before and/or after the execution of the RDPCM instruction. The RDPMC instruction can execute in 16-bit addressing mode or virtual-8086 mode; however, the full contents of the ECX register are used to determine the counter to access and a full 40-bit result is returned (the low-order 32 bits in the EAX register and the high-order 9 bits in the EDX register). Intel Architecture Compatibility The RD PMC instruction was introduced into the Intel Architecture in the Pentium Pro processor and the Pentium processor with M MX technology. The other Pentium processors have performance-monitoring counters, but they must be read with the RD MSR instruction. Operation
IF (ECX = 0 OR 1) AND ((CR4.PCE = 1) OR ((CR4.PCE = 0) AND (CPL=0))) THEN EDX:EAX PMC[ECX]; ELSE (* ECX is not 0 or 1 and/or CR4.PCE is 0 and CPL is 1, 2, or 3 *) #GP(0); FI;

3-401


INSTRUCTION SET REFERENCE

RDPMC--Read Performance-Monitoring Counters (Continued)
Flags Affected None. Protected Mode Exceptions #GP(0) If the current privilege level is not 0 and the PCE flag in the CR4 register is clear. If the value in the ECX register is not 0 or 1. Real-Address Mode Exceptions #GP If the PCE flag in the CR4 register is clear. If the value in the ECX register is not 0 or 1. Vir tual-8086 Mode Exceptions #GP(0) If the PCE flag in the CR4 register is clear. If the value in the ECX register is not 0 or 1.

3- 402


INSTRUCTION SET REFER EN CE

RDTSC--Read Time-Stamp Counter
Opcode 0F 31 Instruction RDTSC D escription R ead time-stamp counter into EDX:EAX

Description Loads the current value of the processor's time-stamp counter into the EDX:EAX registers. The time-stamp counter is contained in a 64-bit MSR. The high-order 32 bits of the MSR are loaded into the EDX register, and the low-order 32 bits are loaded into the EAX register. The processor increments the time-stamp counter MSR every clock cycle and resets it to 0 whenever the processor is reset. The time stamp disable (TSD) flag in register CR4 restricts the use of the RDTSC instruction. When the TSD flag is clear, the RDTSC instruction can be executed at any privilege level; when the flag is set, the instruction can only be executed at privilege level 0. The time-stamp counter can also be read with the RDMSR instruction, when executing at privilege level 0. The RDTSC instruction is not a serializing instruction. Thus, it does not necessarily wait until all previous instructions have been executed before reading the counter. Similarly, subsequent instructions may begin execution before the read operation is performed. This instruction was introduced into the Intel Architecture in the Pentium processor. Operation
IF (CR4.TSD = 0) OR ((CR4.TSD = 1) AND (CPL=0)) THEN EDX:EAX TimeStampCounter; ELSE (* CR4 is 1 and CPL is 1, 2, or 3 *) #GP(0) FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If the TSD flag in register CR4 is set and the CPL is greater than 0.

Real-Address Mode Exceptions #GP If the TSD flag in register CR4 is set.

Virtual-8086 Mode Exceptions #GP(0) If the TSD flag in register CR4 is set.

3-403


INSTRUCTION SET REFERENCE

REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix
Opcode F3 6C F3 6D F3 6D F3 A4 F3 A5 F3 A5 F3 6E F3 6F F3 6F F3 AC F3 AD F3 AD F3 AA F3 AB F3 AB F3 A6 F3 A7 F3 A7 F3 AE F3 AF F3 AF F2 A6 F2 A7 F2 A7 F2 AE F2 AF F2 AF Instruction REP INS r/m8, DX REP INS r/m16,DX REP INS r/m32,DX REP MOVS m8,m8 REP MOVS m16,m16 REP MOVS m32,m32 REP OUTS DX,r/m8 REP OUTS DX,r/m16 REP OUTS DX,r/m32 REP LODS AL REP LODS AX REP LODS EAX REP STOS m8 REP STOS m16 REP STOS m32 REPE CMPS m8,m8 REPE CMPS m16,m16 REPE CMPS m32,m32 REPE SCAS m8 REPE SCAS m16 REPE SCAS m32 REPN E CMPS m8,m8 REPN E CMPS m16,m16 REPN E CMPS m32,m32 REPN E SCAS m8 REPN E SCAS m16 REPN E SCAS m32 Description Input (E)CX bytes from por t DX into ES:[(E)DI] Input (E)CX words from por t DX into ES:[(E)DI] Input (E)CX doublewords from por t DX into ES:[( E)DI] Move (E)CX bytes from DS:[(E)SI] to ES:[(E)DI] Move (E)CX words from DS:[(E)SI] to ES:[(E)DI] Move (E)CX doublewords from DS:[( E)SI] to ES:[(E)DI] Output (E)CX bytes from DS:[( E)SI] to por t DX Output (E)CX words from DS:[(E)SI] to por t DX Output (E)CX doublewords from DS:[(E)SI] to por t DX Load (E)CX bytes from DS:[(E)SI] to AL Load (E)CX words from DS:[(E) SI] to AX Load (E)CX doublewords from DS:[(E)SI] to EAX Fill (E)CX bytes at ES:[(E)DI] with AL Fill (E)CX words at ES:[(E)DI] with AX Fill (E )CX doublewords at ES:[(E)DI] with EAX Find nonmatching bytes in ES:[(E)DI] and DS:[(E)SI] Find nonmatching words in ES:[(E)DI] and DS:[(E)SI] Find nonmatching doublewords in ES:[(E)DI] and DS:[(E)SI] Find non-AL byte star ting at ES:[(E)DI] Find non-AX word star ting at ES:[(E)DI] Find non-EAX doubleword star ting at ES:[(E)DI] Find matching bytes in ES:[(E) DI] and DS:[(E)SI] Find matching words in ES:[(E)DI] and DS:[(E)SI] Find matching doublewords in ES:[(E)DI] and DS:[(E) SI] Find A L, star ting at ES:[(E)DI] Find AX, star ting at ES:[( E)DI] Find E AX, star ting at ES:[(E)DI]

Description Repeats a string instruction the number of times specified in the count register ((E)CX) or until the indicated condition of the ZF flag is no longer met. The REP (repeat), REPE (repeat while equal), REPN E (repeat while not equal), REPZ (repeat while zero), and REPNZ (repeat while not zero) mnemonics are prefixes that can be added to one of the string instructions. The REP prefix can be added to the INS, OUTS, MOV S, LODS, and STOS instructions, and the REPE, REPNE, REPZ, and REPNZ prefixes can be added to the CMPS and SCAS instructions. (The REPZ and REPNZ prefixes are synonymous forms of the REPE and REPNE prefixes, respectively.) The behavior of the REP prefix is undefined when used with non-string instructions. The REP prefixes apply only to one string instruction at a time. To repeat a block of instructions, use the LOOP instruction or another looping construct.

3- 404


INSTRUCTION SET REFER EN CE

REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix (Continued)
All of these repeat prefixes cause the associated instruction to be repeated until the count in register (E)CX is decremented to 0 (see the following table). (If the current address-size attribute is 32, register ECX is used as a counter, and if the address-size attribute is 16, the CX register is used.) The REPE, REPNE, REPZ, and REPNZ prefixes also check the state of the ZF flag after each iteration and terminate the repeat loop if the ZF flag is not in the specified state. W hen both termination conditions are tested, the cause of a repeat termination can be determined either by testing the (E)CX register with a JECXZ instruction or by testing the ZF flag with a JZ, JNZ, and JNE instruction.
Repeat Conditions
Repeat Prefix REP REPE/REPZ REPNE/REPNZ Termination Condition 1 ECX=0 ECX=0 ECX=0 Termination Condition 2 None ZF=0 ZF=1

When the REPE/REPZ and REPNE/REPNZ prefixes are used, the ZF flag does not require initialization because both the CMPS and SCAS instructions affect the ZF flag according to the results of the comparisons they make. A repeating string operation can be suspended by an exception or interrupt. When this happens, the state of the registers is preserved to allow the string operation to be resumed upon a return from the exception or interrupt handler. The source and destination registers point to the next string elements to be operated on, the EIP register points to the string instruction, and the ECX register has the value it held following the last successful iteration of the instruction. This mechanism allows long string operations to proceed w ithout affecting the interrupt response time of the system. When a fault occurs during the execution of a CMPS or SCAS instruction that is prefixed w ith REPE or REPNE, the EFLAGS value is restored to the state prior to the execution of the instruction. Since the SCAS and CMPS instructions do not use EFLAGS as an input, the processor can resume the instruction after the page fault handler. Use the REP INS and REP OUTS instructions w ith caution. Not all I/O ports can handle the rate at which these instructions execute. A REP STOS instruction is the fastest way to initialize a large block of memory.

3-405


INSTRUCTION SET REFERENCE

REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix (Continued)
Operation
IF AddressSize = 16 THEN use CX for CountReg; ELSE (* AddressSize = 32 *) use ECX for CountReg; FI; WHILE CountReg 0 DO service pending interrupts (if any); execute associated string instruction; CountReg CountReg ­ 1; IF CountReg = 0 THEN exit WHILE loop FI; IF (repeat prefix is REPZ or REPE) AND (ZF=0) O R (repeat prefix is REPNZ or REPNE) AND (ZF=1) THEN exit WHILE loop FI; OD;

Flags Affected None; how ever, the CMPS and SCAS instructions do set the status flags in the EFLAG S register. Exceptions (All Operating Modes) None; however, exceptions can be generated by the instruction a repeat prefix is associated w ith.

3- 406


INSTRUCTION SET REFER EN CE

RET--Return from Procedure
Opcode C3 CB C2 iw CA iw Instruction RET R ET RET imm16 RET imm16 Description Near retur n to calling procedur e Far retur n to calling pr ocedure Near retur n to calling procedur e and pop imm16 bytes from stack Far retur n to calling procedure and pop imm16 bytes from stack

Description Transfers program control to a return address located on the top of the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL instruction. The optional source operand specifies the number of stack bytes to be released after the return address is popped; the default is none. This operand can be used to release parameters from the stack that were passed to the called procedure and are no longer needed. It must be used when the CALL instruction used to switch to a new procedure uses a call gate with a non-zero word count to access the new procedure. Here, the source operand for the RET instruction must specify the same number of bytes as is specified in the word count field of the call gate. The RET instruction can be used to execute three different types of returns:

· · ·

Near return--A return to a calling procedure within the current code segment (the segment currently pointed to by the CS register), sometimes referred to as an intrasegment return. Far return--A return to a calling procedure located in a different segment than the current code segment, sometimes referred to as an intersegment return. Inter-privilege-level far return--A far return to a different privilege level than that of the currently executing program or procedure.

The inter-privilege-level return type can only be executed in protected mode. See the section titled "Calling Procedures Using Call and RET" in Chapter 4 of the Intel Architecture Software Developer's Manual, Volume 1, for detailed information on near, far, and inter-privilege-level returns. When executing a near return, the processor pops the return instruction pointer (offset) from the top of the stack into the EIP register and begins program execution at the new instruction pointer. The CS register is unchanged. When executing a far return, the processor pops the return instruction pointer from the top of the stack into the EIP register, then pops the segment selector from the top of the stack into the CS register. The processor then begins program execution in the new code segment at the new instruction pointer.

3-407


INSTRUCTION SET REFERENCE

RET--Return from Procedure (Continued)
The mechanics of an inter-privilege-level far return are similar to an intersegment return, except that the processor examines the privilege levels and access rights of the code and stack segments being returned to determine if the control transfer is allowed to be made. The DS, ES, FS, and GS segment registers are cleared by the RET instruction during an inter-privilege-level return if they refer to segments that are not allow ed to be accessed at the new privilege level. Since a stack switch also occurs on an inter-privilege level return, the ESP and SS registers are loaded from the stack. If parameters are passed to the called procedure during an inter-privilege level call, the optional source operand must be used with the RET instruction to release the parameters on the return. Here, the parameters are released both from the called procedure's stack and the calling procedure's stack (that is, the stack being returned to). Operation
(* Near return *) IF instruction = near return THEN; IF OperandSize = 32 THEN IF top 12 bytes of stack not within stack limits THEN #SS(0); FI; EIP Pop(); ELSE (* OperandSize = 16 *) IF top 6 bytes of stack not within stack limits THEN #SS(0) FI; tempEIP Pop(); tempEIP tempEIP AND 0000FFFFH; IF tem pEIP not within code segment limits THEN #GP(0); FI; EIP tempEIP; FI; IF instruction has imm ediate operand THEN IF StackAddressSize=32 THEN ESP ESP + SRC; (* release parameters from stack *) ELSE (* StackAddressSize=16 *) SP SP + SRC; (* release parameters from stack *) FI; FI; (* Real-address m ode or virtual-8086 m ode *) IF ((PE = 0) OR (PE = 1 AND VM = 1)) AND instruction = far return THEN;

3- 408


INSTRUCTION SET REFER EN CE

RET--Return from Procedure (Continued)
IF OperandSize = 32 THEN IF top 12 bytes of stack not within stack limits THEN #SS(0); FI; EIP Pop(); CS Pop(); (* 32-bit pop, high-order 16-bits discarded *) ELSE (* OperandSize = 16 *) IF top 6 bytes of stack not within stack limits THEN #SS(0); FI; tempEIP Pop(); tempEIP tempEIP AND 0000FFFFH; IF tempEIP not within code segment limits THEN #GP(0); FI; EIP tem pEIP; CS Pop(); (* 16-bit pop *) FI; IF instruction has immediate operand THEN SP SP + (SRC AND FFFFH); (* release parameters from stack *) FI; FI; (* Protected mode, not virtual-8086 mode *) IF (PE = 1 AND VM = 0) AND instruction = far RET THEN IF OperandSize = 32 THEN IF second doubleword on stack is not within stack limits THEN #SS(0); FI; ELSE (* OperandSize = 16 *) IF second word on stack is not within stack limits THEN #SS(0); FI; FI; IF return code segment selector is null THEN GP(0); FI; IF return code segment selector addrsses descriptor beyond diescriptor table limit THEN GP(selector; FI; Obtain descriptor to which return code segm ent selector points from descriptor table IF return code segment descriptor is not a code segm ent THEN #GP(selector); FI; if return code segm ent selector R PL < CPL THEN #G P(selector); FI; IF return code segment descriptor is conforming AND return code segment DPL > return code segment selector RPL THEN #GP(selector); FI; IF return code segment descriptor is not present THEN #NP(selector); FI: IF return code segment selector RPL > CPL THEN GO TO RETURN-OUTER-PRIVILEGE-LEVEL; ELSE GOTO RETURN-TO-SAME-PRIVILEGE-LEVEL FI; END;FI;

3-409


INSTRUCTION SET REFERENCE

RET--Return from Procedure (Continued)
RETURN-SAM E-PRIVILEGE-LEVEL: IF the return instruction pointer is not within ther return code segment limit THEN #GP(0); FI; IF OperandSize=32 THEN EIP Pop(); CS Pop(); (* 32-bit pop, high-order 16-bits discarded *) ESP ESP + SRC; (* release parameters from stack *) ELSE (* OperandSize=16 *) EIP Pop(); EIP EIP AND 0000FFFFH; CS Pop(); (* 16-bit pop *) ESP ESP + SRC; (* release parameters from stack *) FI; RETURN-O UTER -PRIVILEGE-LEVEL: IF top (16 + SRC) bytes of stack are not within stack limits (OperandSize=32) O R top (8 + SRC) bytes of stack are not within stack limits (OperandSize=16) THEN #SS(0); FI; FI; Read return segment selector; IF stack segment selector is null THEN #GP(0); FI; IF return stack segm ent selector index is not w ithin its descriptor table limits THEN #GP(selector); FI; Read segment descriptor pointed to by return segment selector; IF stack segment selector RPL RPL of the return code segment selector O R stack segment is not a writable data segment O R stack segment descriptor DPL RPL of the return code segm ent selector THEN #GP(selector); FI; IF stack segment not present THEN #SS(StackSegmentSelector); FI; IF the return instruction pointer is not within the return code segm ent limit THEN #GP(0); FI: CPL ReturnCodeSegmentSelector(RPL); IF OperandSize=32 THEN EIP Pop(); CS Pop(); (* 32-bit pop, high-order 16-bits discarded *) (* segment descriptor information also loaded *) CS(RPL) CPL; ESP ESP + SRC; (* release parameters from called procedure's stack *) tempESP Pop(); tempSS Pop(); (* 32-bit pop, high-order 16-bits discarded *) (* segment descriptor information also loaded *) ESP tem pESP; SS tem pSS;

3- 410


INSTRUCTION SET REFER EN CE

RET--Return from Procedure (Continued)
ELSE (* OperandSize=16 *) EIP Pop(); EIP EIP AND 0000FFFFH; CS Pop(); (* 16-bit pop; segm ent descriptor information also loaded *) CS(R PL) CPL; ESP ESP + SRC; (* release parameters from called procedure's stack *) tempESP Pop(); tempSS Pop(); (* 16-bit pop; segment descriptor information also loaded *) (* segment descriptor information also loaded *) ESP tempESP; SS tempSS; FI; FOR each of segment register (ES, FS, GS, and DS) DO; IF segment register points to data or non-conforming code segm ent AND CPL > segm ent descriptor DPL; (* DPL in hidden part of segment register *) THEN (* segment register invalid *) SegmentSelector 0; (* null segment selector *) FI; OD; For each of ES, FS, GS, and DS DO IF segment selector index is not within descriptor table limits OR segment descriptor indicates the segm ent is not a data or readable code segment OR if the segment is a data or non-conforming code segm ent and the segment descriptor's DPL < CPL or RPL of code segment's segment selector THEN segm ent selector register null selector; OD; ESP ESP + SRC; (* release parameters from calling procedure's stack *)

Flags Affected None. Protected Mode Exceptions #GP(0) If the return code or stack segment selector null. If the return instruction pointer is not within the return code segment limit #GP(selector) If the RPL of the return code segment selector is less then the CPL. If the return code or stack segment selector index is not within its descriptor table limits. If the return code segment descriptor does not indicate a code segment.

3-411


INSTRUCTION SET REFERENCE

RET--Return from Procedure (Continued)
If the return code segment is non-conforming and the segment selector's DPL is not equal to the RPL of the code segment's segment selector If the return code segment is conforming and the segment selector's DPL greater than the RPL of the code segment's segment selector If the stack segment is not a writable data segment. If the stack segment selector RPL is not equal to the RPL of the return code segment selector. If the stack segment descriptor DPL is not equal to the RPL of the return code segment selector. #SS(0) If the top bytes of stack are not within stack limits. If the return stack segment is not present. #NP(selector) #PF(fault-code) #AC(0) If the return code segment is not present. If a page fault occurs. If an unaligned memory access occurs when the CPL is 3 and alignment checking is enabled.

Real-Address Mode Exceptions #GP #SS If the return instruction pointer is not within the return code segment limit If the top bytes of stack are not within stack limits.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If the return instruction pointer is not within the return code segment limit If the top bytes of stack are not within stack limits. If a page fault occurs. If an unaligned memory access occurs when alignment checking is enabled.

3- 412


INSTRUCTION SET REFER EN CE

ROL/ROR--Rotate
See entry for RCL/RCR/RO L/RO R--Rotate.

3-413


INSTRUCTION SET REFERENCE

RSM--Resume from System Management Mode
Opcode 0F AA Instruction RSM Description Resume operation of interrupted program

Description Returns program control from system management mode (SMM) to the application program or operating-system procedure that was interrupted when the processor received an SSM interrupt. The processor's state is restored from the dump created upon entering SMM. If the processor detects invalid state information during state restoration, it enters the shutdown state. The follow ing invalid information can cause a shutdown:

· · ·

Any reserved bit of CR4 is set to 1. Any illegal combination of bits in CR0, such as (PG=1 and PE=0) or (N W=1 and CD=0). (Intel Pentium® and Intel486TM processors only.) The value stored in the state dump base field is not a 32-KByte aligned address.

The contents of the model-specific registers are not affected by a return from SMM. See Chapter 11, System Management Mode (SMM), in the Intel Architecture Software Developer's Manual, Volume 3, for more information about SMM and the behavior of the RSM instruction. Operation
ReturnFromSSM; ProcessorState Restore(SSMD um p);

Flags Affected All. Protected Mode Exceptions #UD If an attempt is made to execute this instruction when the processor is not in SMM.

Real-Address Mode Exceptions #UD If an attempt is made to execute this instruction when the processor is not in SMM.

Vir tual-8086 Mode Exceptions #UD If an attempt is made to execute this instruction when the processor is not in SMM.

3- 414


INSTRUCTION SET REFER EN CE

SAHF--Store AH into Flags
Opcode 9E Instruction SAHF Clocks 2 Descript ion Loads SF, ZF, AF, PF, and CF from AH into EFLAGS register

Description Loads the SF, ZF, AF, PF, and CF flags of the EFLAGS register with values from the corresponding bits in the AH register (bits 7, 6, 4, 2, and 0, respectively). Bits 1, 3, and 5 of register AH are ignored; the corresponding reserved bits (1, 3, and 5) in the EFLAGS register remain as shown in the "Operation" section below. Operation
EFLAGS(SF:ZF:0:AF:0:PF:1:C F) AH;

Flags Affected The SF, ZF, AF, PF, and CF flags are loaded with values from the AH register. Bits 1, 3, and 5 of the EFLAGS register are unaffected, with the values remaining 1, 0, and 0, respectively. Exceptions (All Operating Modes) None.

3-415


INSTRUCTION SET REFERENCE

SAL/SAR/SHL/SHR--Shift
Opcode D0 /4 D2 /4 C0 /4 ib D1 /4 D3 /4 C1 /4 ib D1 /4 D3 /4 C1 /4 ib D0 /7 D2 /7 C0 /7 ib D1 /7 D3 /7 C1 /7 ib D1 /7 D3 /7 C1 /7 ib D0 /4 D2 /4 C0 /4 ib D1 /4 D3 /4 C1 /4 ib D1 /4 D3 /4 C1 /4 ib D0 /5 D2 /5 C0 /5 ib D1 /5 D3 /5 C1 /5 ib D1 /5 D3 /5 C1 /5 ib NOTE : * Not the same for m of division as IDIV; rounding is toward negative infinity. Instruction SAL r/m8,1 SA L r/m8,CL SAL r /m8,imm8 SA L r/m16,1 SA L r/m16,CL SAL r /m16,imm8 SA L r/m32,1 SA L r/m32,CL SAL r /m32,imm8 SA R r/m8,1 SA R r/m8,CL SA R r/m8,imm8 SA R r/m16,1 SA R r/m16,CL SA R r/m16,imm8 SA R r/m32,1 SA R r/m32,CL SA R r/m32,imm8 SH L r/m8,1 SH L r/m8,CL SH L r/m8,imm8 SH L r/m16,1 SH L r/m16,CL SH L r/m16,imm8 SH L r/m32,1 SH L r/m32,CL SH L r/m32,imm8 SH R r/m8,1 SH R r/m8,CL SH R r/m8,imm8 SH R r/m16,1 SH R r/m16,CL SH R r/m16,imm8 SH R r/m32,1 SH R r/m32,CL SH R r/m32,imm8 D escription Multiply r/m8 by 2, once Multiply r/m8 by 2, CL times Multiply r/m8 by 2, imm8 times Multiply r/m16 by 2, once Multiply r/m16 by 2, CL times Multiply r/m16 by 2, imm8 times Multiply r/m32 by 2, once Multiply r/m32 by 2, CL times Multiply r/m32 by 2, imm8 times Signed divide* r/m8 by 2, once S igned divide* r/m8 by 2, CL times Signed divide* r/m8 by 2, imm8 times Signed divide* r/m16 by 2, once S igned divide* r/m16 by 2, CL times Signed divide* r/m16 by 2, imm8 times Signed divide* r/m32 by 2, once S igned divide* r/m32 by 2, CL times Signed divide* r/m32 by 2, imm8 times Multiply r/m8 by 2, once Multiply r/m8 by 2, CL times Multiply r/m8 by 2, imm8 times Multiply r/m16 by 2, once Multiply r/m16 by 2, CL times Multiply r/m16 by 2, imm8 times Multiply r/m32 by 2, once Multiply r/m32 by 2, CL times Multiply r/m32 by 2, imm8 times U nsigned divide r/m8 by 2, once U nsigned divide r/m8 by 2, CL times U nsigned divide r/m8 by 2, imm8 times U nsigned divide r/m16 by 2, once U nsigned divide r/m16 by 2, CL times U nsigned divide r/m16 by 2, imm8 times U nsigned divide r/m32 by 2, once U nsigned divide r/m32 by 2, CL times U nsigned divide r/m32 by 2, imm8 times

3- 416


INSTRUCTION SET REFER EN CE

SAL/SAR/SHL/SHR--Shift (Continued)
Description Shifts the bits in the first operand (destination operand) to the left or right by the number of bits specified in the second operand (count operand). Bits shifted beyond the destination operand boundary are first shifted into the CF flag, then discarded. At the end of the shift operation, the CF flag contains the last bit shifted out of the destination operand. The destination operand can be a register or a memory location. The count operand can be an immediate value or register CL. The count is masked to 5 bits, which limits the count range to 0 to 31. A special opcode encoding is provided for a count of 1. The shift arithmetic left (SAL) and shift logical lef ation; they shift the bits in the destination operand tions). For each shift count, the most significant bit CF flag, and the least significant bit is cleared (see Developer's Manual, Volume 1). t (SHL) instructions perform the same operto the left (toward more significant bit locaof the destination operand is shifted into the Figure 6-6 in the Intel Architecture Software

The shift arithmetic right (SAR) and shift logical right (SHR) instructions shift the bits of the destination operand to the right (toward less significant bit locations). For each shift count, the least significant bit of the destination operand is shifted into the CF flag, and the most significant bit is either set or cleared depending on the instruction type. The SHR instruction clears the most significant bit (see Figure 6-7 in the Intel Architecture Software Developer's Manual, Volume 1); the SAR instruction sets or clears the most significant bit to correspond to the sign (most significant bit) of the original value in the destination operand. In effect, the SAR instruction fills the empty bit position's shifted value with the sign of the unshifted value (see Figure 6-8 in the Intel Architecture Software Developer's Manual, Volume 1). The SAR and SHR instructions can be used to perform signed or unsigned division, respectively, of the destination operand by powers of 2. For example, using the SAR instruction to shift a signed integer 1 bit to the right divides the value by 2. Using the SA R instruction to perform a division operation does not produce the same result as the IDIV instruction. The quotient from the IDIV instruction is rounded toward zero, whereas the "quotient" of the SAR instruction is rounded toward negative infinity. This difference is apparent only for negative numbers. For example, when the IDIV instruction is used to divide -9 by 4, the result is -2 with a remainder of -1. If the SA R instruction is used to shift -9 right by two bits, the result is -3 and the "remainder" is +3; however, the SAR instruction stores only the most significant bit of the remainder (in the CF flag). The OF flag is affected only on 1-bit shifts. For left shifts, the OF flag is cleared to 0 if the mostsignificant bit of the result is the same as the CF flag (that is, the top two bits of the original operand w ere the same); otherwise, it is set to 1. For the SAR instruction, the OF flag is cleared for all 1-bit shifts. For the SHR instruction, the OF flag is set to the most-significant bit of the original operand.

3-417


INSTRUCTION SET REFERENCE

SAL/SAR/SHL/SHR--Shift (Continued)
Intel Architecture Compatibility The 8086 does not mask the shift count. However, all other Intel A rchitecture processors (starting with the Intel 286 processor) do mask the shift count to 5 bits, resulting in a maximum count of 31. This masking is done in all operating modes (including the virtual-8086 mode) to reduce the maximum execution time of the instructions. Operation
tempCOUNT (COUNT AND 1FH); tempDEST DEST; WHILE (tempCOUNT 0) DO IF instruction is SAL or SHL THEN CF MSB(DEST); ELSE (* instruction is SAR or SHR *) CF LSB(DEST); FI; IF instruction is SAL or SHL THEN DEST DEST 2; ELSE IF instruction is SAR THEN DEST DEST / 2 (*Signed divide, rounding toward negative infinity*); ELSE (* instruction is SH R *) DEST DEST / 2 ; (* Unsigned divide *); FI; FI; tempCOUNT tempCOUNT ­ 1; OD; (* Determine overflow for the various instructions *) IF COUNT = 1 THEN IF instruction is SAL or SHL THEN OF MSB(DEST) XOR CF; ELSE IF instruction is SAR THEN OF 0; ELSE (* instruction is SH R *) OF MSB(tempDEST); FI; FI;

3- 418


INSTRUCTION SET REFER EN CE

SAL/SAR/SHL/SHR--Shift (Continued)
ELSE IF COUNT = 0 THEN All flags remain unchanged; ELSE (* COUNT neither 1 or 0 *) OF undefined; FI; FI;

Flags Affected The CF flag contains the value of the last bit shifted out of the destination operand; it is undefined for SHL and SHR instructions where the count is greater than or equal to the size (in bits) of the destination operand. The OF flag is affected only for 1-bit shifts (see "Description" above); otherwise, it is undefined. The SF, ZF, and PF flags are set according to the result. If the count is 0, the flags are not affected. For a non-zero count, the AF flag is undefined. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-419


INSTRUCTION SET REFERENCE

SBB--Integer Subtraction with Borrow
Opcode 1C ib 1D iw 1D id 80 /3 ib 81 /3 iw 81 /3 id 83 /3 ib 83 /3 ib 18 /r 19 /r 19 /r 1A /r 1B /r 1B /r Instruction SBB AL,imm8 SBB AX,imm16 SBB EAX,imm32 SBB r/m8,imm8 SBB r/m16,imm16 SBB r/m32,imm32 SBB r/m16,imm8 SBB r/m32,imm8 SBB r/m8,r8 SBB r/m16,r16 SBB r/m32,r32 SBB r8,r/m8 SBB r16,r/m16 SBB r32,r/m32 Description Subtract with borr ow imm8 from AL Subtract with borr ow imm16 from AX Subtract with borr ow imm32 from EAX Subtract with borr ow imm8 from r/m8 Subtract with borr ow imm16 from r/m16 Subtract with borr ow imm32 from r/m32 Subtract with borr ow sign-extended imm8 from r/m16 Subtract with borr ow sign-extended imm8 from r/m32 Subtract with borr ow r8 from r/m8 Subtract with borr ow r16 fr om r/m16 Subtract with borr ow r32 fr om r/m32 Subtract with borr ow r/m8 from r8 Subtract with borr ow r/m16 from r16 Subtract with borr ow r/m32 from r32

Description Adds the source operand (second operand) and the carry (CF) flag, and subtracts the result from the destination operand (first operand). The result of the subtraction is stored in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, a register, or a memory location. (However, two memory operands cannot be used in one instruction.) The state of the CF flag represents a borrow from a previous subtraction. When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format. The SBB instruction does not distinguish between signed or unsigned operands. Instead, the processor evaluates the result for both data types and sets the OF and CF flags to indicate a borrow in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result. The SBB instruction is usually executed as part of a multibyte or multiword subtraction in which a SUB instruction is followed by a SBB instruction. Operation
DEST DEST ­ (SRC + CF);

Flags Affected The OF, SF, ZF, AF, PF, and CF flags are set according to the result.

3- 420


INSTRUCTION SET REFER EN CE

SBB--Integer Subtraction with Borrow (Continued)
Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-421


INSTRUCTION SET REFERENCE

SCAS/SCASB/SCASW/SCASD--Scan String
Opcode AE AF AF AE AF AF Inst ruction S CAS m8 S CAS m16 S CAS m32 S CASB SCASW S CASD Description Compare AL with byte at ES:(E)DI and set status flags Compare AX with word at ES:(E)DI and set status flags Compare EAX with doubleword at ES(E)DI and set status flags Compare AL with byte at ES:(E)DI and set status flags Compare AX with word at ES:(E)DI and set status flags Compare EAX with doubleword at ES:(E)DI and set status flags

Description Compares the byte, word, or double word specified with the memory operand with the value in the A L, AX, or EAX register, and sets the status flags in the EFLAGS register according to the results. The memory operand address is read from either the ES:EDI or the ES:DI registers (depending on the address-size attribute of the instruction, 32 or 16, respectively). The ES segment cannot be overridden with a segment override prefix. At the assembly-code level, two forms of this instruction are allowed: the "explicit-operands" form and the "no-operands" form. The explicit-operand form (specified with the SCAS mnemonic) allows the memory operand to be specified explicitly. Here, the memory operand should be a symbol that indicates the size and location of the operand value. The register operand is then automatically selected to match the size of the memory operand (the AL register for byte comparisons, AX for word comparisons, and EAX for doubleword comparisons). This explicitoperand form is provided to allow documentation; however, note that the documentation provided by this form can be misleading. That is, the memory operand symbol must specify the correct type (size) of the operand (byte, word, or doubleword), but it does not have to specify the correct location. The location is always specified by the ES:(E)DI registers, which must be loaded correctly before the compare string instruction is executed. The no-operands form provides "short forms" of the byte, word, and doubleword versions of the SCAS instructions. Here also ES:(E)DI is assumed to be the memory operand and the AL, AX , or EAX register is assumed to be the register operand. The size of the two operands is selected with the mnemonic: SCASB (byte comparison), SCASW (word comparison), or SCASD (doubleword comparison). After the comparison, the (E)DI register is incremented or decremented automatically according to the setting of the DF flag in the EFLAGS register. (If the DF flag is 0, the (E)DI register is incremented; if the DF flag is 1, the (E)DI register is decremented.) The (E)DI register is incremented or decremented by 1 for byte operations, by 2 for word operations, or by 4 for doubleword operations. The SCAS, SCASB, SCASW, and SCA SD instructions can be preceded by the REP prefix for block comparisons of ECX bytes, words, or doublewords. More often, however, these instructions will be used in a LOOP construct that takes some action based on the setting of the status flags before the next comparison is made. See "REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix" in this chapter for a description of the REP prefix.

3- 422


INSTRUCTION SET REFER EN CE

SCAS/SCASB/SCASW/SCASD--Scan String (Continued)
Operation
IF (byte cmparison) THEN temp AL - SRC; SetStatusFlags(temp); THEN IF DF = 0 THEN (E)DI (E)DI + 1; ELSE (E)DI (E)DI ­ 1; FI; ELSE IF (word com parison) THEN temp AX - SRC; SetStatusFlags(temp) THEN IF DF = 0 THEN (E)DI (E)DI + ELSE (E)DI (E)DI ­ FI; ELSE (* doubleword comparison *) temp EAX - SRC; SetStatusFlags(temp) THEN IF DF = 0 THEN (E)DI (E)DI + ELSE (E)DI (E)DI ­ FI; FI; FI;

2; 2;

4; 4;

Flags Affected The OF, SF, ZF, A F, PF, and CF flags are set according to the temporary result of the comparison. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the limit of the ES segment. If the ES register contains a null segment selector. If an illegal memory operand effective address in the ES segment is given. #PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

3-423


INSTRUCTION SET REFERENCE

SCAS/SCASB/SCASW/SCASD--Scan String (Continued)
Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 424


INSTRUCTION SET REFER EN CE

SETcc--Set Byte on Condition
Opcode 0F 97 0F 93 0F 92 0F 96 0F 92 0F 94 0F 9F 0F 9D 0F 9C 0F 9E 0F 96 0F 92 0F 93 0F 97 0F 93 0F 95 0F 9E 0F 9C 0F 9D 0F 9F 0F 91 0F 9B 0F 99 0F 95 0F 90 0F 9A 0F 9A 0F 9B 0F 98 0F 94 Instruction SETA r/m8 SETAE r/m8 SETB r/m8 SETB E r/m8 SETC r/m8 SETE r/m8 SETG r/m8 SETGE r/m8 SETL r/m8 SETLE r/m8 SETNA r/m8 SETNA E r/m8 SETNB r/m8 SETNB E r/m8 SETNC r/m8 SETNE r/m8 SETNG r/m8 SETNGE r/m8 SETNL r/m8 SETNLE r/m8 SETNO r/m8 SETNP r/m8 SETNS r/m8 SETNZ r/m8 SETO r/m8 SETP r/m8 SETP E r/m8 SETP O r/m8 SETS r/m8 SETZ r/m8 D escription S et byte if above (CF=0 and ZF=0) S et byte if above or equal (CF=0) Set byte if below (CF=1) Set byte if below or equal (CF=1 or ZF=1) Set if carr y (CF=1) Set byte if equal (ZF=1) S et byte if greater (ZF=0 and SF=OF) Set byte if greater or equal (SF=OF) S et byte if less (SF<>OF) S et byte if less or equal (ZF=1 or SF<>OF) Set byte if not above (CF=1 or ZF=1) Set byte if not above or equal (CF=1) Set byte if not below ( CF=0) Set byte if not below or equal (CF=0 and ZF=0) Set byte if not carr y (CF=0) Set byte if not equal ( ZF=0) S et byte if not greater (ZF=1 or SF<>OF) S et if not greater or equal (SF<>OF) Set byte if not less (SF=OF) Set byte if not less or equal (ZF=0 and SF=OF) S et byte if not overflow (OF=0) S et byte if not parity (PF=0) S et byte if not sign (SF=0) S et byte if not zero (ZF=0) S et byte if overflow (OF=1) Set byte if par ity ( PF=1) Set byte if par ity even (PF=1) Set byte if par ity odd (PF=0) S et byte if sign (SF=1) S et byte if zero (ZF=1)

Description Set the destination operand to 0 or 1 depending on the settings of the status flags (CF, SF, OF, ZF, and PF) in the EFLAGS register. The destination operand points to a byte register or a byte in memory. The condition code suffix (cc) indicates the condition being tested for. The terms "above" and "below" are associated with the CF flag and refer to the relationship betw een two unsigned integer values. The terms "greater" and "less" are associated with the SF and OF flags and refer to the relationship between two signed integer values.

3-425


INSTRUCTION SET REFERENCE

SETcc--Set Byte on Condition (Continued)
Many of the SETcc instruction opcodes have alternate mnemonics. For example, the SETG (set byte if greater) and SETNLE (set if not less or equal) both have the same opcode and test for the same condition: ZF equals 0 and SF equals OF. These alternate mnemonics are provided to make code more intelligible. Appendix B, EFLAGS Condition Codes, in the Intel Architecture Software Developer's Manual, Volume 1, show s the alternate mnemonics for various test conditions. Some languages represent a logical one as an integer with all bits set. This representation can be obtained by choosing the logically opposite condition for the SET cc instruction, then decrementing the result. For example, to test for overflow, use the SETNO instruction, then decrement the result. Operation
IF condition THEN DEST 1 ELSE DEST 0; FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 426


INSTRUCTION SET REFER EN CE

SGDT/SIDT--Store Global/Interrupt Descriptor Table Register
Opcode 0F 01 /0 0F 01 /1 Instruction SGDT m SIDT m D escription Store GDTR to m Store IDTR to m

Description Stores the contents of the global descriptor table register (GDTR) or the interrupt descriptor table register (IDTR) in the destination operand. The destination operand specifies a 6-byte memory location. If the operand-size attribute is 32 bits, the 16-bit limit field of the register is stored in the lower 2 bytes of the memory location and the 32-bit base address is stored in the upper 4 bytes. If the operand-size attribute is 16 bits, the limit is stored in the low er 2 bytes and the 24-bit base address is stored in the third, fourth, and fifth byte, with the sixth byte filled w ith 0s. The SGDT and SIDT instructions are only useful in operating-system software; however, they can be used in application programs without causing an exception to be generated. See "LGDT/LIDT--Load Global/Interrupt Descriptor Table Register" in this chapter for information on loading the GD TR and IDTR. Intel Architecture Compatibility The 16-bit forms of the SGDT and SIDT instructions are compatible with the Intel 286 processor, if the upper 8 bits are not referenced. The Intel 286 processor fills these bits with 1s; the Pentium Pro, Pentium, Intel486, and Intel386 processors fill these bits with 0s. Operation
IF instruction is IDTR THEN IF OperandSize = 16 THEN DEST[0:15] IDTR(Lim it); DEST[16:39] IDTR (Base); (* 24 bits of base address loaded; *) DEST[40:47] 0; ELSE (* 32-bit Operand Size *) DEST[0:15] IDTR(Lim it); DEST[16:47] IDTR (Base); (* full 32-bit base address loaded *) FI; ELSE (* instruction is SGDT *) IF OperandSize = 16 THEN DEST[0:15] GD TR(Limit); DEST[16:39] GDTR(Base); (* 24 bits of base address loaded; *) DEST[40:47] 0;

3-427


INSTRUCTION SET REFERENCE

SGDT/SIDT--Store Global/Interrupt Descriptor Table Register (Continued)
ELSE (* 32-bit Operand Size *) DEST[0:15] GDTR(Lim it); DEST[16:47] GDTR(Base); (* full 32-bit base address loaded *) FI; FI;

Flags Affected None. Protected Mode Exceptions #UD #GP(0) If the destination operand is a register. If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If an unaligned memory access occurs when the CPL is 3 and alignment checking is enabled.

Real-Address Mode Exceptions #UD #GP #SS If the destination operand is a register. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #UD #GP(0) #SS(0) #PF(fault-code) #AC(0) If the destination operand is a register. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If an unaligned memory access occurs when alignment checking is enabled.

3- 428


INSTRUCTION SET REFER EN CE

SHL/SHR--Shift Instructions
See entry for SAL/SA R/SHL/SHR--Shift.

3-429


INSTRUCTION SET REFERENCE

SHLD--Double Precision Shift Left
Opcode 0F A4 0F A5 0F A4 0F A5 Instruction SHLD r/m16,r16,imm8 SHLD r/m16,r16,CL SHLD r/m32,r32,imm8 SHLD r/m32,r32,CL Description Shift r/m16 to left imm8 places w hile shifting bits from r16 in from the right Shift r/m16 to left CL places while shifting bits from r16 in from the r ight Shift r/m32 to left imm8 places w hile shifting bits from r32 in from the right Shift r/m32 to left CL places while shifting bits from r32 in from the r ight

Description Shifts the first operand (destination operand) to the left the number of bits specified by the third operand (count operand). The second operand (source operand) provides bits to shift in from the right (starting with bit 0 of the destination operand). The destination operand can be a register or a memory location; the source operand is a register. The count operand is an unsigned integer that can be an immediate byte or the contents of the CL register. Only bits 0 through 4 of the count are used, which masks the count to a value between 0 and 31. If the count is greater than the operand size, the result in the destination operand is undefined. If the count is 1 or greater, the CF flag is filled with the last bit shifted out of the destination operand. For a 1-bit shift, the OF flag is set if a sign change occurred; otherwise, it is cleared. If the count operand is 0, the flags are not affected. The SHLD instruction is useful for multiprecision shifts of 64 bits or more. Operation
COUNT COUNT M OD 32; SIZE OperandSize IF COUNT = 0 THEN no operation ELSE IF COUNT SIZE THEN (* Bad parameters *) DEST is undefined; CF, OF, SF, ZF, AF, PF are undefined; ELSE (* Perform the shift *) CF BIT[DEST, SIZE ­ CO UNT]; (* Last bit shifted out on exit *) FOR i SIZE ­ 1 DOWNTO COUNT DO Bit(DEST, i) Bit(DEST, i ­ COUNT); OD;

3- 430


INSTRUCTION SET REFER EN CE

SHLD--Double Precision Shift Left (Continued)
FOR i COUNT ­ 1 DOWNTO 0 DO BIT[DEST, i] BIT[SRC, i ­ CO UNT + SIZE]; OD; FI; FI;

Flags Affected If the count is 1 or greater, the CF flag is filled with the last bit shifted out of the destination operand and the SF, ZF, and PF flags are set according to the value of the result. For a 1-bit shift, the OF flag is set if a sign change occurred; otherwise, it is cleared. For shifts greater than 1 bit, the O F flag is undefined. If a shift occurs, the AF flag is undefined. If the count operand is 0, the flags are not affected. If the count is greater than the operand size, the flags are undefined. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-431


INSTRUCTION SET REFERENCE

SHRD--Double Precision Shift Right
Opcode 0F AC 0F AD 0F AC 0F AD Instruction SHRD r/m16,r16,imm8 SHRD r/m16,r16,CL SHRD r/m32,r32,imm8 SHRD r/m32,r32,CL Description Shift r/m16 to r ight imm8 places while shifting bits from r16 in from the left Shift r/m16 to r ight CL places while shifting bits from r16 in from the left Shift r/m32 to r ight imm8 places while shifting bits from r32 in from the left Shift r/m32 to r ight CL places while shifting bits from r32 in from the left

Description Shifts the first operand (destination operand) to the right the number of bits specified by the third operand (count operand). The second operand (source operand) provides bits to shift in from the left (starting with the most significant bit of the destination operand). The destination operand can be a register or a memory location; the source operand is a register. The count operand is an unsigned integer that can be an immediate byte or the contents of the CL register. Only bits 0 through 4 of the count are used, which masks the count to a value between 0 and 31. If the count is greater than the operand size, the result in the destination operand is undefined. If the count is 1 or greater, the CF flag is filled with the last bit shifted out of the destination operand. For a 1-bit shift, the OF flag is set if a sign change occurred; otherwise, it is cleared. If the count operand is 0, the flags are not affected. The SHRD instruction is useful for multiprecision shifts of 64 bits or more. Operation
COUNT COUNT M OD 32; SIZE OperandSize IF COUNT = 0 THEN no operation ELSE IF COUNT SIZE THEN (* Bad parameters *) DEST is undefined; CF, OF, SF, ZF, AF, PF are undefined; ELSE (* Perform the shift *) CF BIT[DEST, CO UNT ­ 1]; (* last bit shifted out on exit *) FOR i 0 TO SIZE ­ 1 ­ COUNT DO BIT[DEST, i] BIT[DEST, i ­ COUNT]; OD;

3- 432


INSTRUCTION SET REFER EN CE

SHRD--Double Precision Shift Right (Continued)
FOR i SIZE ­ CO UNT TO SIZE ­ 1 DO BIT[DEST,i] BIT[inBits,i+COU NT ­ SIZE]; OD; FI; FI;

Flags Affected If the count is 1 or greater, the CF flag is filled with the last bit shifted out of the destination operand and the SF, ZF, and PF flags are set according to the value of the result. For a 1-bit shift, the OF flag is set if a sign change occurred; otherwise, it is cleared. For shifts greater than 1 bit, the O F flag is undefined. If a shift occurs, the AF flag is undefined. If the count operand is 0, the flags are not affected. If the count is greater than the operand size, the flags are undefined. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-433


INSTRUCTION SET REFERENCE

SIDT--Store Interrupt Descriptor Table Register
See entry for SGDT/SIDT--Store Global/Interrupt Descriptor Table Register.

3- 434


INSTRUCTION SET REFER EN CE

SLDT--Store Local Descriptor Table Register
Opcode 0F 00 /0 0F 00 /0 Instruction SLDT r/m16 SLDT r/m32 Description Stores segment selector fr om LDTR in r/m16 Store segment selector from LDTR in low-order 16 bits of r/m32

Description Stores the segment selector from the local descriptor table register operand. The destination operand can be a general-purpose register segment selector stored with this instruction points to the segmen GDT) for the current LDT. This instruction can only be executed in (LDTR) in the destination or a memory location. The t descriptor (located in the protected mode.

When the destination operand is a 32-bit register, the 16-bit segment selector is copied into the lower-order 16 bits of the register. The high-order 16 bits of the register are cleared to 0s for the Pentium Pro processor and are undefined for Pentium, Intel486, and Intel386 processors. When the destination operand is a memory location, the segment selector is written to memory as a 16bit quantity, regardless of the operand size. The SLDT instruction is only useful in operating-system software; however, it can be used in application programs. Operation
DEST LDTR(SegmentSelector);

Flags Affected None. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

3-435


INSTRUCTION SET REFERENCE

SLDT--Store Local Descriptor Table Register (Continued)
Real-Address Mode Exceptions #UD The SLDT instruction is not recognized in real-address mode.

Vir tual-8086 Mode Exceptions #UD The SLDT instruction is not recognized in virtual-8086 mode.

3- 436


INSTRUCTION SET REFER EN CE

SMSW--Store Machine Status Word
Opcode 0F 01 /4 0F 01 /4 Instruction SMSW r/m16 SMSW r32/m16 Description Store machine status word to r/m16 Store machine status word in low-order 16 bits of r32/m16; high-or der 16 bits of r32 are undefined

Description Stores the machine status word (bits 0 through 15 of control register CR0) into the destination operand. The destination operand can be a 16-bit general-purpose register or a memory location. When the destination operand is copied into the low -order 16 bits fined. When the destination opera are written to memory as a 16-bit a 32-bit register, the low-order 16 bits of register CR0 are of the register and the upper 16 bits of the register are undend is a memory location, the low-order 16 bits of register CR0 quantity, regardless of the operand size.

The SMSW instruction is only useful in operating-system software; however, it is not a privileged instruction and can be used in application programs. This instruction is provided for compatibility with the Intel 286 processor. Programs and procedures intended to run on the Pentium Pro, Pentium, Intel486, and Intel386 processors should use the MOV (control registers) instruction to load the machine status word. Operation
DEST CR0[15:0]; (* Machine status word *);

Flags Affected None. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

3-437


INSTRUCTION SET REFERENCE

SMSW--Store Machine Status Word (Continued)
Real-Address Mode Exceptions #GP #SS(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Vir tual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3- 438


INSTRUCTION SET REFER EN CE

STC--Set Carry Flag
Opcode F9 Instruction STC D escription S et CF flag

Description Sets the CF flag in the EFLAGS register. Operation
CF 1;

Flags Affected The CF flag is set. The OF, ZF, SF, AF, and PF flags are unaffected. Exceptions (All Operating Modes) None.

3-439


INSTRUCTION SET REFERENCE

STD--Set Direction Flag
Opcode FD Instruction STD Description Set DF flag

Description Sets the DF flag in the EFLAGS register. When the DF flag is set to 1, string operations decrement the index registers (ESI and/or EDI). Operation
DF 1;

Flags Affected The DF flag is set. The CF, O F, ZF, SF, AF, and PF flags are unaffected. Operation
DF 1;

Exceptions (All Operating Modes) None.

3- 440


INSTRUCTION SET REFER EN CE

STI--Set Interrupt Flag
Opcode FB Instruction STI D escription Set inter rupt flag; exter nal, maskable interrupts enabled at the end of the next instr uction

Description Sets the interrupt flag (IF) in the EFLAGS register. After the IF flag is set, the processor begins responding to external, maskable interrupts after the next instruction is executed. The delayed effect of this instruction is provided to allow interrupts to be enabled just before returning from a procedure (or subroutine). For instance, if an STI instruction is followed by an RET instruction, the RET instruction is allowed to execute before external interrupts are recognized1. This behavior allows external interrupts to be disabled at the beginning of a procedure and enabled again at the end of the procedure. If the STI instruction is followed by a CLI instruction (which clears the IF flag), the effect of the STI instruction is negated. The IF flag and the STI and CLI instructions have no affect on the generation of exceptions and NMI interrupts. The following decision table indicates the action of the STI instruction (bottom of the table) depending on the processor's mode of operation and the CPL and IOPL of the currently running program or procedure (top of the table).
PE = VM = CPL IOPL IF 1 #GP (0) NOTES: X Don't care. N Action in Column 1 not taken. Y Action in Column 1 taken. 0 X X X Y N 1 0 IOPL X Y N 1 0 > IOPL X N Y 1 1 =3 =3 Y N

1. Note that in a sequence of instr uctions that individually delay interr upts past the following instruction, only the first instr uction in the sequence is guaranteed to delay the interr upt, but subsequent inter rupt-delaying instr uctions may not delay the inter rupt. Thus, in the following instruction sequence: STI MOV SS, AX MOV ESP EBP , interr upts may be recognized before MOV ESP, EBP executes, even though MOV SS, AX nor mally delays interr upts for one instr uction.

3-441


INSTRUCTION SET REFERENCE

STI--Set Interrupt Flag (Continued)
Operation
IF PE=0 ( THEN IF ELSE IF * Executing in real-address m ode *)

1; (* Set Interrupt Flag *) (* Executing in protected m ode or virtual-8086 mode *) VM=0 (* Executing in protected mode*) THEN IF IO PL = 3 THEN IF 1; ELSE IF C PL IOPL THEN IF 1; ELSE #GP(0); FI; FI; ELSE (* Executing in Virtual-8086 mode *) #GP(0); (* Trap to virtual-8086 m onitor *) FI;

FI;

Flags Affected The IF flag is set to 1. Protected Mode Exceptions #GP(0) If the CPL is greater (has less privilege) than the IOPL of the current program or procedure.

Real-Address Mode Exceptions None. Vir tual-8086 Mode Exceptions #GP(0) If the CPL is greater (has less privilege) than the IOPL of the current program or procedure.

3- 442


INSTRUCTION SET REFER EN CE

STOS/STOSB/STOSW/STOSD--Store String
Opcode AA AB AB AA AB AB Instruction STOS m8 STOS m16 STOS m32 STOSB STOSW STOSD D escription Store AL at address ES:(E)DI Store AX at address ES:(E)DI Store EAX at address ES:(E)DI Store AL at address ES:(E)DI Store AX at address ES:(E)DI Store EAX at address ES:(E)DI

Description Stores a byte, word, or doubleword from the AL, AX, or EAX register, respectively, into the destination operand. The destination operand is a memory location, the address of which is read from either the ES:EDI or the ES:DI registers (depending on the address-size attribute of the instruction, 32 or 16, respectively). The ES segment cannot be overridden with a segment override prefix. At the assembly-code level, two forms of this instruction are allow ed: the "explicit-operands" form and the "no-operands" form. The explicit-operands form (specified with the STOS mnemonic) allows the destination operand to be specified explicitly. Here, the destination operand should be a symbol that indicates the size and location of the destination value. The source operand is then automatically selected to match the size of the destination operand (the AL register for byte operands, AX for word operands, and EAX for doubleword operands). This explicit-operands form is provided to allow documentation; however, note that the documentation provided by this form can be misleading. That is, the destination operand symbol must specify the correct type (size) of the operand (byte, word, or doubleword), but it does not have to specify the correct location. The location is always specified by the ES:(E)DI registers, which must be loaded correctly before the store string instruction is executed. The no-operands form provides "short forms" of the byte, word, and doubleword versions of the STOS instructions. Here also ES:(E)D I is assumed to be the destination operand and the AL, AX, or EAX register is assumed to be the source operand. The size of the destination and source operands is selected w ith the mnemonic: STOSB (byte read from register AL), STOSW (word from AX), or STOSD (doubleword from EAX). After the byte, word, or doubleword is transferred from the AL, AX, or EAX register to the memory location, the (E)DI register is incremented or decremented automatically according to the setting of the DF flag in the EFLAG S register. (If the DF flag is 0, the (E)DI register is incremented; if the DF flag is 1, the (E)DI register is decremented.) The (E)DI register is incremented or decremented by 1 for byte operations, by 2 for word operations, or by 4 for doubleword operations.

3-443


INSTRUCTION SET REFERENCE

STOS/STOSB/STOSW/STOSD--Store String (Continued)
The STOS, STOSB, STO SW, and STOSD instructions can be preceded by the REP prefix for block loads of ECX bytes, words, or doublewords. More often, however, these instructions are used within a LOOP construct because data needs to be moved into the AL, AX, or EAX register before it can be stored. See "REP/REPE/REPZ/REPNE /REPNZ--Repeat String Operation Prefix" in this chapter for a description of the REP prefix. Operation
IF (byte store) THEN DEST AL; THEN IF DF = 0 THEN (E)DI (E)DI + 1; ELSE (E)D I (E)DI ­ 1; FI; ELSE IF (word store) THEN DEST AX; THEN IF DF = 0 THEN (E)DI (E)DI ELSE (E)D I (E)DI FI; ELSE (* doubleword store *) DEST EAX; THEN IF DF = 0 THEN (E)DI (E)DI ELSE (E)D I (E)DI FI; FI; FI;

+ 2; ­ 2;

+ 4; ­ 4;

Flags Affected None. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the limit of the ES segment. If the ES register contains a null segment selector. #PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

3- 444


INSTRUCTION SET REFER EN CE

STOS/STOSB/STOSW/STOSD--Store String (Continued)
Real-Address Mode Exceptions #GP If a memory operand effective address is outside the ES segment limit.

Virtual-8086 Mode Exceptions #GP(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the ES segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-445


INSTRUCTION SET REFERENCE

STR--Store Task Register
Opcode 0F 00 /1 Instruction STR r/m16 Description Stores segment selector from TR in r/m16

Description Stores the segment selector from the task register (TR) in the destination operand. The destination operand can be a general-purpose register or a memory location. The segment selector stored with this instruction points to the task state segment (TSS) for the currently running task. When the destination operand is a 32-bit register, the 16-bit segment selector is copied into the lower 16 bits of the register and the upper 16 bits of the register are cleared to 0s. When the destination operand is a memory location, the segment selector is w ritten to memory as a 16-bit quantity, regardless of operand size. The STR instruction is useful only in operating-system software. It can only be executed in protected mode. Operation
DEST TR(SegmentSelector);

Flags Affected None. Protected Mode Exceptions #GP(0) If the destination is a memory operand that is located in a nonw ritable segment or if the effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #UD The STR instruction is not recognized in real-address mode.

3- 446


INSTRUCTION SET REFER EN CE

STR--Store Task Register (Continued)
Virtual-8086 Mode Exceptions #UD The STR instruction is not recognized in virtual-8086 mode.

3-447


INSTRUCTION SET REFERENCE

SUB--Subtract
Opcode 2C ib 2D iw 2D id 80 /5 ib 81 /5 iw 81 /5 id 83 /5 ib 83 /5 ib 28 /r 29 /r 29 /r 2A /r 2B /r 2B /r Instruction SUB AL,imm8 SUB AX,imm16 SUB EAX,imm32 SUB r/m8,imm8 SUB r/m16,imm16 SUB r/m32,imm32 SUB r/m16,imm8 SUB r/m32,imm8 SUB r/m8,r8 SUB r/m16,r16 SUB r/m32,r32 SUB r8,r/m8 SUB r16,r/m16 SUB r32,r/m32 Description Subtract imm8 from AL Subtract imm16 from AX Subtract imm32 from EAX Subtract imm8 from r/m8 Subtract imm16 from r/m16 Subtract imm32 from r/m32 Subtract sign-extended imm8 from r/m16 Subtract sign-extended imm8 from r/m32 Subtract r8 from r/m8 Subtract r16 fr om r/m16 Subtract r32 fr om r/m32 Subtract r/m8 from r8 Subtract r/m16 from r16 Subtract r/m32 from r32

Description Subtracts the second operand (source operand) from the first operand (destination operand) and stores the result in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, register, or memory location. (However, two memory operands cannot be used in one instruction.) When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format. The SUB instruction does not distinguish between signed or unsigned operands. Instead, the processor evaluates the result for both data types and sets the OF and CF flags to indicate a borrow in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result. Operation
DEST DEST ­ SRC;

Flags Affected The OF, SF, ZF, AF, PF, and CF flags are set according to the result. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector.

3- 448


INSTRUCTION SET REFER EN CE

SUB--Subtract (Continued)
#SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-449


INSTRUCTION SET REFERENCE

TEST--Logical Compare
Opcode A8 ib A9 iw A9 id F6 /0 ib F7 /0 iw F7 /0 id 84 /r 85 /r 85 /r Instruction TEST AL,imm8 TEST AX,imm16 TES T E AX,imm32 TES T r/m8,imm8 TES T r/m16,imm16 TES T r/m32,imm32 TES T r/m8,r8 TES T r/m16,r16 TES T r/m32,r32 Description AND imm8 with AL; set SF, ZF, PF according to result AND imm16 with AX; set SF, ZF, PF according to result AND imm32 with EAX; set SF, ZF, PF according to result AND imm8 with r/m8; set SF, ZF, PF accor ding to result AND imm16 with r/m16; set SF, ZF, PF according to result AND imm32 with r/m32; set SF, ZF, PF according to result AND r8 with r/m8; set SF, ZF, PF according to result AND r16 with r/m16; set SF, ZF, PF according to result AND r32 with r/m32; set SF, ZF, PF according to result

Description Computes the bit-wise logical AND of first operand (source 1 operand) and the second operand (source 2 operand) and sets the SF, ZF, and PF status flags according to the result. The result is then discarded. Operation
TEMP SRC1 AND SRC2; SF MSB(TEMP); IF TEMP = 0 THEN ZF 0; ELSE ZF 1; FI: PF BitwiseXNOR(TEMP[0:7]); CF 0; OF 0; (*AF is Undefined*)

Flags Affected The OF and CF flags are cleared to 0. The SF, ZF, and PF flags are set according to the result (see the "Operation" section above). The state of the AF flag is undefined. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 450


INSTRUCTION SET REFER EN CE

TEST--Logical Compare (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-451


INSTRUCTION SET REFERENCE

UD2--Undefined Instruction
Opcode 0F 0B Instruction UD2 Description Raise invalid opcode exception

Description Generates an invalid opcode. This instruction is provided for software testing to explicitly generate an invalid opcode. The opcode for this instruction is reserved for this purpose. Other than raising the invalid opcode exception, this instruction is the same as the NOP instruction. Operation
#UD (* Generates invalid opcode exception *);

Flags Affected None. Exceptions (All Operating Modes) #UD Instruction is guaranteed to raise an invalid opcode exception in all operating modes).

3- 452


INSTRUCTION SET REFER EN CE

VERR, VERW--Verify a Segment for Reading or Writing
Opcode 0F 00 /4 0F 00 /5 Instruction VERR r/m16 VERW r/m16 Description Set ZF=1 if segment specified with r/m16 can be read Set ZF=1 if segment specified with r/m16 can be written

Description Verifies whether the code or data segment specified with the source operand is readable (VERR) or writable (VERW) from the current privilege level (CPL). The source operand is a 16-bit register or a memory location that contains the segment selector for the segment to be verified. If the segment is accessible and readable (VERR) or writable (VERW), the ZF flag is set; otherwise, the ZF flag is cleared. Code segments are never verified as writable. This check cannot be performed on system segments. To set the ZF flag, the following conditions must be met:

· · · · · ·

The segment selector is not null. The selector must denote a descriptor within the bounds of the descriptor table (G DT or LDT). The selector must denote the descriptor of a code or data segment (not that of a system segment or gate). For the VERR instruction, the segment must be readable. For the VERW instruction, the segment must be a writable data segment. If the segment is not a conforming code segment, the segment's DPL must be greater than or equal to (have less or the same privilege as) both the CPL and the segment selector's RPL.

The validation performed is the same as is performed when a segment selector is loaded into the DS, ES, FS, or GS register, and the indicated access (read or write) is performed. The segment selector's value cannot result in a protection exception, enabling the software to anticipate possible segment access problems. Operation
IF SRC(Offset) > (GD TR(Limit) OR (LDTR(Limit)) THEN ZF 0 Read segment descriptor; IF SegmentDescriptor(DescriptorType) = 0 (* system segm ent *) OR (SegmentDescriptor(Type) conforming code segment) AND (CPL > DPL) OR (RPL > DPL) THEN ZF 0

3-453


INSTRUCTION SET REFERENCE

VERR, VERW--Verify a Segment for Reading or Writing (Continued)
ELSE IF ((Instruction = VERR) AND (segment = readable)) O R ((Instruction = VERW) AND (segment = writable)) THEN ZF 1; FI; FI;

Flags Affected The ZF flag is set to 1 if the segment is accessible and readable (VERR) or writable (VERW); otherwise, it is cleared to 0. Protected Mode Exceptions The only exceptions generated for these instructions are those related to illegal addressing of the source operand. #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register is used to access memory and it contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

Real-Address Mode Exceptions #UD The VERR and VERW instructions are not recognized in real-address mode.

Vir tual-8086 Mode Exceptions #UD The VERR and VERW instructions are not recognized in virtual-8086 mode.

3- 454


INSTRUCTION SET REFER EN CE

WAIT/FWAIT--Wait
Opcode 9B 9B Instruction WAIT FWAIT D escription C heck pending unmasked floating-point exceptions. C heck pending unmasked floating-point exceptions.

Description Causes the processor to check for and handle pending, unmasked, floating-point exceptions before proceeding. (FWAIT is an alternate mnemonic for the WAIT). This instruction is useful for synchronizing exceptions in critical sections of code. Coding a WAIT instruction after a floating-point instruction insures that any unmasked floating-point exceptions the instruction may raise are handled before the processor can modify the instruction's results. See the section titled "Floating-Point Exception Synchronization" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 1, for more information on using the WAIT/FWA IT instruction. Operation
CheckForPendingUnmaskedFloatingPointExceptions;

FPU Flags Affected The C0, C1, C2, and C3 flags are undefined. Floating-Point Exceptions None. Protected Mode Exceptions #NM MP and TS in CR0 is set.

Real-Address Mode Exceptions #NM MP and TS in CR0 is set.

Virtual-8086 Mode Exceptions #NM MP and TS in CR0 is set.

3-455


INSTRUCTION SET REFERENCE

WBINVD--Write Back and Invalidate Cache
Opcode 0F 09 Instruction WBINVD Description Wr ite back and flush Inter nal caches; initiate wr iting-back and flushing of exter nal caches.

Description Writes back all modified cache lines in the processor's internal cache to main memory and invalidates (flushes) the internal caches. The instruction then issues a special-function bus cycle that directs external caches to also write back modified data and another bus cycle to indicate that the external caches should be invalidated. After executing this instruction, the processor does not wait for the external caches to complete their write-back and flushing operations before proceeding with instruction execution. It is the responsibility of hardware to respond to the cache w rite-back and flush signals. The WDINVD instruction is a privileged instruction. When the processor is running in protected mode, the CPL of a program or procedure must be 0 to execute this instruction. This instruction is also a serializing instruction (see "Serializing Instructions" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 3). In situations w here cache coherency with main memory is not a concern, software can use the INVD instruction. Intel Architecture Compatibility The W BINVD instruction is implementation dependent, and its function may be implemented differently on future Intel A rchitecture processors. The instruction is not supported on Intel Architecture processors earlier than the Intel486 processor. Operation
WriteBack(InternalCaches); Flush(InternalCaches); SignalWriteBack(ExternalC aches); SignalFlush(ExternalCaches); Continue (* Continue execution);

Flags Affected None. Protected Mode Exceptions #GP(0) If the current privilege level is not 0.

3- 456


INSTRUCTION SET REFER EN CE

WBINVD--Write Back and Invalidate Cache (Continued)
Real-Address Mode Exceptions None. Virtual-8086 Mode Exceptions #GP(0) The WBINVD instruction cannot be executed at the virtual-8086 mode.

3-457


INSTRUCTION SET REFERENCE

WRMSR--Write to Model Specific Register
Opcode 0F 30 Instruction WRMSR Description Wr ite the value in EDX:EAX to MSR specified by ECX

Description Writes the contents of registers EDX:EAX into the 64-bit model specific register (MSR) specified in the ECX register. The high-order 32 bits are copied from EDX and the low-order 32 bits are copied from EAX. Always set the undefined or reserved bits in an MSR to the values previously read. This instruction must be executed at privilege level 0 or in real-address mode; otherwise, a general protection exception #GP(0) will be generated. Specifying a reserved or unimplemented MSR address in ECX will also cause a general protection exception. When the W RMSR instruction is used to write to an MTRR, the TLBs are invalidated, including the global entries (see "Translation Lookaside Buffers (TLBs)" in Chapter 3 of the Intel Architecture Software Developer's Manual, Volume 3). (MTRRs are an implementation-specific feature of the Pentium Pro processor.) The MSRs control functions for testability, execution tracing, performance monitoring and machine check errors. Appendix B, Model-Specific Registers (MSRs), in the Intel Architecture Software Developer's Manual, Volume 3, lists all the MSRs that can be written to with this instruction and their addresses. The WRMSR instruction is a serializing instruction (see "Serializing Instructions" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 3). The CPUID instruction should be used to determine whether MSRs are supported (EDX[5]=1) before using this instruction. Intel Architecture Compatibility The MSRs and the ability to read them with the W RMSR instruction were introduced into the Intel A rchitecture with the Pentium processor. Execution of this instruction by an Intel Architecture processor earlier than the Pentium processor results in an invalid opcode exception #UD . Operation
MSR[ECX] EDX:EAX;

Flags Affected None.

3- 458


INSTRUCTION SET REFER EN CE

WRMSR--Write to Model Specific Register (Continued)
Protected Mode Exceptions #GP(0) If the current privilege level is not 0. If the value in ECX specifies a reserved or unimplemented MSR address. Real-Address Mode Exceptions #GP If the value in ECX specifies a reserved or unimplemented MSR address.

Virtual-8086 Mode Exceptions #GP(0) The W RMSR instruction is not recognized in virtual-8086 mode.

3-459


INSTRUCTION SET REFERENCE

XADD--Exchange and Add
Opcode 0F C0/r 0F C1/r 0F C1/r Instruction XADD r/m8,r8 XADD r/m16,r16 XADD r/m32,r32 Description Exchange r8 and r/m8; load sum into r/m8. Exchange r16 and r/m16; load sum into r/m16. Exchange r32 and r/m32; load sum into r/m32.

Description Exchanges the first operand (destination operand) with the second operand (source operand), then loads the sum of the two values into the destination operand. The destination operand can be a register or a memory location; the source operand is a register. This instruction can be used with a LO CK prefix. Intel Architecture Compatibility Intel Architecture processors earlier than the Intel486 processor do not recognize this instruction. If this instruction is used, you should provide an equivalent code sequence that runs on earlier processors. Operation
TEMP SRC + DEST SRC DEST DEST TEM P

Flags Affected The CF, PF, AF, SF, ZF, and OF flags are set according to the result of the addition, which is stored in the destination operand. Protected Mode Exceptions #GP(0) If the destination is located in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.

3- 460


INSTRUCTION SET REFER EN CE

XADD--Exchange and Add (Continued)
Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-461


INSTRUCTION SET REFERENCE

XCHG--Exchange Register/Memory with Register
Opcode 90+rw 90+rw 90+rd 90+rd 86 /r 86 /r 87 /r 87 /r 87 /r 87 /r Instruction XCHG A X,r16 XCHG r16,AX XCHG E AX,r32 XCHG r32,EAX XCHG r/m8,r8 XCHG r8,r/m8 XCHG r /m16,r16 XCHG r 16,r/m16 XCHG r /m32,r32 XCHG r 32,r/m32 Description Exchange r16 with AX Exchange AX with r16 Exchange r32 with EAX Exchange EAX with r32 Exchange r8 (byte register) with byte fr om r/m8 Exchange byte from r/m8 with r8 (byte register ) Exchange r16 with word from r/m16 Exchange wor d from r/m16 with r16 Exchange r32 with doubleword from r/m32 Exchange doubleword from r/m32 with r32

Description Exchanges the contents of the destination (first) and source (second) operands. Th be two general-purpose registers or a register and a memory location. If a mem referenced, the processor's locking protocol is automatically implemented for the exchange operation, regardless of the presence or absence of the LOCK prefix or the IOPL. (See the LOCK prefix description in this chapter for more information protocol.) e operands can ory operand is duration of the of the value of on the locking

This instruction is useful for implementing semaphores or similar data structures for process synchronization. (See "Bus Locking" in Chapter 7 of the Intel Architecture Software Developer's Manual, Volume 3, for more information on bus locking.) The XCHG instruction can also be used instead of the BSWAP instruction for 16-bit operands. Operation
TEMP DEST DEST SRC SRC TEMP

Flags Affected None. Protected Mode Exceptions #GP(0) If either operand is in a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0)
3- 462

If a memory operand effective address is outside the SS segment limit.


INSTRUCTION SET REFER EN CE

XCHG--Exchange Register/Memory with Register (Continued)
#PF(fault-code) #AC(0) If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-463


INSTRUCTION SET REFERENCE

XLAT/XLATB--Table Look-up Translation
Opcode D7 D7 Instruction XLAT m8 XLATB Description Set AL to memor y byte DS:[(E)BX + unsigned AL] Set AL to memor y byte DS:[(E)BX + unsigned AL]

Description Locates a byte entry in a table in memory, using the contents of the AL register as a table index, then copies the contents of the table entry back into the AL register. The index in the AL register is treated as an unsigned integer. The XLAT and XLATB instructions get the base address of the table in memory from either the DS:EBX or the DS:BX registers (depending on the address-size attribute of the instruction, 32 or 16, respectively). (The DS segment may be overridden w ith a segment override prefix.) At the assembly-code level, two forms of this instruction are allowed: the "explicit-operand" form and the "no-operand" form. The explicit-operand form (specified with the XLAT mnemonic) allows the base address of the table to be specified explicitly w ith a symbol. This explicit-operands form is provided to allow documentation; how ever, note that the documentation provided by this form can be misleading. That is, the symbol does not have to specify the correct base address. The base address is always specified by the DS:(E)BX registers, which must be loaded correctly before the XLAT instruction is executed. The no-operands form (XLATB) provides a "short form" of the XLAT instructions. Here also the processor assumes that the DS:(E)BX registers contain the base address of the table. Operation
IF AddressSize = 16 THEN AL (DS:BX + ZeroExtend(AL)) ELSE (* AddressSize = 32 *) AL (DS:EBX + ZeroExtend(AL)); FI;

Flags Affected None. Protected Mode Exceptions #GP(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code) If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3- 464


INSTRUCTION SET REFER EN CE

XLAT/XLATB--Table Look-up Translation (Continued)
Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs.

3-465


INSTRUCTION SET REFERENCE

XOR--Logical Exclusive OR
Opcode 34 ib 35 iw 35 id 80 /6 ib 81 /6 iw 81 /6 id 83 /6 ib 83 /6 ib 30 /r 31 /r 31 /r 32 /r 33 /r 33 /r Instruction XOR A L,imm8 XOR A X,imm16 XOR E AX,imm32 XOR r /m8,imm8 XOR r /m16,imm16 XOR r /m32,imm32 XOR r /m16,imm8 XOR r /m32,imm8 XOR r /m8,r8 XOR r /m16,r16 XOR r /m32,r32 XOR r8,r/m8 XOR r 16,r/m16 XOR r 32,r/m32 Description AL XOR imm8 AX XOR imm16 EAX XOR imm32 r/m8 XOR imm8 r/m16 XOR imm16 r/m32 XOR imm32 r/m16 XOR imm8 ( sign-extended) r/m32 XOR imm8 ( sign-extended) r/m8 XOR r8 r/m16 XOR r16 r/m32 XOR r32 r8 XOR r/m8 r8 XOR r/m8 r8 XOR r/m8

Description Performs a bitwise exclusive OR (XOR) operation on the destination (first) and source (second) operands and stores the result in the destination operand location. The source operand can be an immediate, a register, or a memory location; the destination operand can be a register or a memory location. (However, two memory operands cannot be used in one instruction.) Each bit of the result is 1 if the corresponding bits of the operands are different; each bit is 0 if the corresponding bits are the same. Operation
DEST DEST XOR SRC ;

Flags Affected The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined. Protected Mode Exceptions #GP(0) If the destination operand points to a nonwritable segment. If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If the DS, ES, FS, or GS register contains a null segment selector. #SS(0) #PF(fault-code)
3- 466

If a memory operand effective address is outside the SS segment limit. If a page fault occurs.


INSTRUCTION SET REFER EN CE

XOR--Logical Exclusive OR (Continued)
#AC(0) If alignment checking is enabled and an unaligned memory reference is made w hile the current privilege level is 3.

Real-Address Mode Exceptions #GP #SS If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit.

Virtual-8086 Mode Exceptions #GP(0) #SS(0) #PF(fault-code) #AC(0) If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. If a memory operand effective address is outside the SS segment limit. If a page fault occurs. If alignment checking is enabled and an unaligned memory reference is made.

3-467



A
Opcode Map



APPENDIX A OPCODE MAP
The opcode tables in this chapter are provided to aid in interpreting Intel Architecture object code. The instructions are divided into three encoding groups: 1-byte opcode encodings, 2-byte opcode encodings, and escape (floating-point) encodings. The 1- and 2-byte opcode encodings are used to encode integer, system, and MMX instructions. The opcode maps for these instructions are given in Tables A-1 through A-3. Sections A .2. through A.4. give instructions for interpreting 1- and 2-byte opcode maps. The escape encodings are used to encode floating-point instructions. The opcode maps for these instructions are given in Tables A-4 through A-13. Section A.5. gives instructions for interpreting the escape opcode maps. See Chapter 2, Instruction Format, for detailed information on the ModR/M byte, register values, and the various addressing forms.

A.1. KEY TO ABBREVIATIONS
Operands are identified by a two-character code of the form Zz. The first character, an uppercase letter, specifies the addressing method; the second character, a lowercase letter, specifies the type of operand.

A.1.1.
A

Codes for Addressing Method
Direct address. The instruction has no M odR/M byte; the address of the operand is encoded in the instruction; and no base register, index register, or scaling factor can be applied, for example, far JMP (EA ). The reg field of the ModR/M byte selects a control register, for example, MOV (0F20, 0F22). The reg field of the ModR/M byte selects a debug register, for example, MOV (0F21,0F23). A ModR/M byte follows the opcode and specifies the operand. The operand is either a general-purpose register or a memory address. If it is a memory address, the address is computed from a segment register and any of the following values: a base register, an index register, a scaling factor, a displacement. EFLAGS Register. The reg field of the ModR/M byte selects a general register, for example, AX (000). Immediate data. The operand value is encoded in subsequent bytes of the instruction.

The following abbreviations are used for addressing methods:

C D E

F G I

A-1


OPCODE MAP

J M O

The instruction contains a relative offset to be added to the instruction pointer register, for example, JMP short, LO OP. The ModR/M byte may refer only to memory, for example, BOUND, LES, LDS, LSS, LFS, LGS, CMPXCHG8B. The instruction has no ModR/M byte; the offset of the operand is coded as a word or double word (depending on address size attribute) in the instruction. No base register, index register, or scaling factor can be applied, for example, MOV (A0­A3). The reg field of the ModR/M byte selects a packed quadword MMX register. An ModR/M byte follows the opcode and specifies the operand. The operand is either an MMX register or a memory address. If it is a memory address, the address is computed from a segment register and any of the following values: a base register, an index register, a scaling factor, and a displacement. The mod field of the ModR/M byte may refer only to a general register, for example, MOV (0F20-0F24, 0F26). The reg field of the ModR/M byte selects a segment register, for example, MOV (8C,8E). The reg field of the ModR/M byte selects a test register, for example, MOV (0F24,0F26). Memory addressed by the DS:SI register pair (for example, MOVS, OUTS, or LODS). Memory addressed by the ES:DI register pair (for example, MOVS, INS, or STOS).

P Q

R S T X Y

A.1.2.
a b c d p q s v w

Codes for Operand Type
Two one-word operands in memory or two double-word operands in memory, depending on operand size attribute (used only by the BOUND instruction). Byte, regardless of operand-size attribute. Byte or word, depending on operand-size attribute. Doubleword, regardless of operand-size attribute. 32-bit or 48-bit pointer, depending on operand size attribute. Quadword, regardless of operand-size attribute. 6-byte pseudo-descriptor. Word or doubleword, depending on operand-size attribute. Word, regardless of operand-size attribute.

The following abbreviations are used for operand types:

A-2


OPCODE M AP

A.1.3.

Register Codes

When an operand is a specific register encoded in the opcode, the register is identified by its name (for example, AX, CL, or ESI). The name of the register indicates w hether the register is 32, 16, or 8 bits wide. A register identifier of the form eX X is used when the width of the register depends on the operand size attribute. For example, eA X indicates that the AX register is used when the operand size attribute is 16, and the EAX register is used when the operand size attribute is 32.

A.2. ONE-BYTE OPCODE INTEGER INSTRUCTIONS
The opcode map for 1-byte opcodes are shown in Table A-1. For 1-byte opcodes, the instruction and its operands can be determined from the hexadecimal opcode. For example, the opcode 030500000000H for an ADD instruction can be interpreted from the 1-byte opcode map in Table A-1 as follows. The first digit (0) of the opcode indicates the row and the second digit (3) indicates the column in the opcode map table, which points to ADD instruction with operand types Gv and Ev. The first operand (type Gv) indicates a general register that is a word or doubleword depending on the operand-size attribute. The second operand (type Ev) indicates that a M odR/M byte follows that specifies whether the operand is a word or doubleword general-purpose register or a memory address. The M odR/M byte for this instruction is 05H, which indicates that a 32bit displacement follows (00000000H). The reg/opcode portion of the ModR/M byte (bits 3 through 5) is 000 indicating the EAX register. Thus, it can be determined that the instruction for this opcode is ADD EAX, mem_op and the offset of mem_op is 00000000H. Some 1- and 2-byte opcodes point to "group" numbers. These group numbers indicate that the instruction uses the reg/opcode bits in the ModR/M byte as an opcode extension (see Section A.4., "Opcode Extensions For One- And Two-byte Opcodes").

A.3. TWO-BYTE OPCODE INTEGER INSTRUCTIONS
Instructions that begin with 0FH can be found in the two-byte opcode map given in Table A-2. Here, the second opcode byte is used to reference a row and column in the Table. For example, the opcode 0FA4050000000003H is located on the first page of the two-byte opcode map in row A, column 4, which points to an SHLD instruction with the operands Ev, Gv, and Ib. The Ev, Gv, and Ib operands are interpreted as follows. The first operand (Ev type) indicates that a ModR/M byte follows the opcode to specify a word or doubleword operand. The second operand (Gv type) indicates that the reg field of the ModR/M byte selects a general-purpose register. The third operand (Ib type) indicates that immediate data is encoded in the subsequent byte of the instruction. The third byte of the opcode (05H) is the ModR/M byte. The mod and opcode/reg fields indicate that a 32-bit displacement follows and that the EAX register is the source.

A-3


OPCODE MAP

Table A-1. One-Byte Opcode Map1
0 0 Eb,Gb 1 Eb,Gb 2 Eb,Gb 3 Eb,Gb 4 eAX 5 eAX 6 PUSHA PUSHAD 7 JO 8 Eb,Ib 9 NOP eCX A AL,Ob B AL C CL Shift Group 2a2 Eb,Ib D Eb,1 E LOOPN Jb F LOCK Ev,Ib Iw Shift Group 22 Eb,CL LOOP Jb REPNE Ev,CL
JCXZ/JECXZ

1

2 ADD

3

4

5

6 PUSH

7 POP ES POP SS DAA

Ev,Gv

Gb,Eb ADC

Gv,Ev

AL,Ib

eAX,Iv

ES PUSH

Ev,Gv

Gb,Eb AND

Gv,Ev

AL,Ib

eAX,Iv

SS SEG

Ev,Gv

Gb,Eb XOR

Gv,Ev

AL,Ib

eAX,Iv

=ES SEG AAA

Ev,Gv

Gb,Eb

Gb,Ev

AL,Ib

eAX,Iv

=SS

INC general register eCX eDX e BX eSP eBP eSI eDI

PUSH general register eCX POPA POPAD eDX BOUND Gv,Ma e BX ARPL Ew,Gw eSP SEG =FS eBP SEG =GS eSI Operand Size eDI Address Size

Shor t-displacement jump on condition (Jb) JNO JB/JNAE/J C JNB/JAE/J NC JZ TEST Eb,lb Eb,Gb Ev,Gv Eb,Gb JNZ J BE XCHG Ev,Gv JNBE

Immediate Group 12 Ev,Iv Ev,Ib

XCHG word or double-word register with eAX eDX MOV eAX,Ov Ob,AL Ov,eAX e BX e SP MOVSB Xb,Yb eBP MOVSW Xv,Yv eSI CMPSB Xb,Yb eDI CMPSW Xv,Yv

MOV immediate byte into byte register DL RET near BL AH LES Gv,Mp AAM CH LDS Gv,Mp AAD Eb,Ib DH MOV Ev,Iv XLAT BH

Ev,1 LOOPE Jb

IN AL,Ib HLT eAX,Ib C MC Ib,AL

OUT Ib,eAX Unar y Group 32 Eb Ev

Jb REP REPE

A-4


OPCODE M AP

Table A-1. One-Byte Opcode Map (Continued)
8 0 Eb,Gb 1 Eb,Gb 2 Eb,Gb 3 CMP Eb,Gb 4 eAX 5 eAX 6 PUSH lv 7 JS 8 Eb,Gb 9 CBW Ev,Gv CWD/CDQ JNS MOV Gb,Eb CALL aP A AL,Ib B eAX C ENTER Iw, Ib D eCX LEAVE TEST eAX,Iv STOSB Yb,AL STOSW/D Yv,eAX Gv,Ev WAIT eCX IMUL Gv,Ev,lv eDX PUSH lb eCX eDX Ev,Gv SEG Ev,Gv Gb,Eb AAS Gb,Eb Gv,Ev AL,Ib eAX,Iv =DS Ev,Gv Gb,Eb SU B Gv,Ev AL,Ib eAX,Iv Ev,Gv Gb,Eb SBB Gv,Ev AL,Ib eAX,Iv 9 A OR Gv,Ev AL,Ib eAX,Iv B C D E PUSH CS PUSH DS SEG =CS F 2-byte Escape POP DS DAS

DEC General-Pur pose Register e BX eSP eBP eSI eDI

POP Into General-Purpose Register e BX IMUL Gv,Ev,lb eSP INSB Yb,DX eBP INSW/D Yv,DX eSI OUTSB Dx,Xb eDI OUTSW/D DX,Xv

Shor t-Displacement Jump on Condition (Jb) JP JNP JL MOV Ew,Sw PUSHF Fv LODSB AL,Xb JNL LEA Gv,M POP Fv LODSW/D eAX,Xv SCASB AL,Yb SCASW/D eAX,Yv JLE MOV Sw,Ew SAHF JNLE PO P Ev LAHF

MOV Immediate Word or Double Into Word or Double Register eDX RET far Iw e BX RET far eSP INT 3 eBP INT lb eSI INTO eDI IRET

ESC (Escape to Coprocessor Instruction Set)

E

CALL Jv Jv STC

J MP Ap CLI Jb STI AL,DX CLD

IN eAX,DX STD DX,AL INC/DEC

OUT DX,eAX INC/DEC

F

CLC

Group 42 NOTES:

Group 5

2

1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes. 2. Bits 5, 4, and 3 of ModR/M byte used as an opcode extension ( see Section A.4.). A-5


OPCODE MAP

The next part of the SHLD opcode is the 32-bit displacement for the destination memory operand (00000000H), which is followed by the immediate byte representing the count of the shift (03H ). By this breakdown, it has been shown that the opcode 0FA4050000000003H represents the instruction: SHLD DS:00000000H, EAX, 3.
Table A-2. Two Byte Opcode Map (First byte is 0FH)1
0 0 1 2 3 4 MOV Rd,Cd WRMSR CMOVO Gv, Ev MOV Rd,Dd RDTS C CMOVNO Gv, Ev MOV Cd,Rd RDMSR MOV Dd,Rd RDPMC CMOVE, CMOVZ Gv, Ev CMOVNE, CMOVNZ Gv, Ev CMOVBE, CMOVNA Gv, Ev CMOVA, CMOVNBE Gv, Ev Group 62 1 2 LAR Gv,Ew 3 LS L Gv,Ew 4 5 6 CLTS 7

CMOVB, CMOVAE , CMOVC, CMOVNB, CMOVNAE CMOVNC Gv, Ev Gv, Ev

5 6
PUNPCKLBW PUNPCKLWD PUNO CKLDQ PACKUSDW Pq, Qd Pq, Qd Pq, Qd Pq, Qd

PCMPGTB PCMPGTW PCMPGTD PACKSSWB Pq, Qd Pq, Qd Pq, Qd Pq, Qd PCMPEQB PCMPEQW PCMPEQD Pq, Qd Pq, Qd Pq, Qd EMMS

Group A2 7 8 JO 9 SETO A B PU SH FS SETNO POP FS SETB CPUID LSS Mp JNO
PSHIMW
3

PSHIMD

3

PSHIMQ

3

Long-Displacement Jump on Condition (Jv) JB J NB JZ JNZ JBE JNBE

Byte Set on condition (Eb) SETNB BT Ev,Gv BT R Ev,Gv SETZ SHLD Ev,Gv,Ib LFS Mp SETNZ SHLD Ev,Gv,CL LGS Mp MOVZX Gv,Eb Gv,Ew Group 92 PS RLD Pq, Qd PSRAD Pq, Qd PSLLD Pq, Qd PSLLQ Pq, Qd PSRLQ Pq, Qd PMULLW Pq, Qd PMULHW Pq, Qd PMADDWD Pq, Qd SETBE SETNBE

CMPXCHG CMPXCH G Eb,Gb Ev,Gv XAD D Ev,Gv P SRLW Pq, Qd PS RAW Pq, Qd PSLLW Pq, Qd

C D E F

XADD Eb,Gb

A-6


OPCODE M AP

Table A-2. Two-Byte Opcode M ap (First byte is 0FH) (Continued)
8 0 1 2 3 4 C MOVS Gv, Ev CMOVN S Gv, Ev CMOVP, CMOVP E Gv, Ev CMOVNP, CMOVL, CMOVGE, CMOV PO CMOVNGE CMOVNL Gv, Ev Gv, Ev Gv, Ev CMOVLE, CMOVG, CMOVNG CMOVNLE Gv, Ev Gv, Ev INVD 9 WB INVD A B UD2
4

C

D

E

F

5 6 7 8 JS JNS Long-Displacement Jump on Condition (Jv) JP J NP JL JNL JLE JNLE
PUNPCKHBW PUNPCKHWD PUNPCKHDQ Pq, Q d Pq, Q d Pq, Q d PACKSSDW Pq, Q d

MOVD Pd, Ed MOVD Ed, Pd

MOVQ Pq, Qq MOVQ Qq, Pq

Byte set on condition ( Eb) 9 SE TS Eb A B P U SH GS SETNS Eb POP GS Invalid Opcode BSWA P EA X
4

SE TP Eb RSM Group 82 Ev,lb BSWAP EDX

SE TNP Eb BT S Ev,Gv B TC Ev,Gv BSWA P EBX PAN D Pq, Qq POR Pq, Qq

SETL Eb SHRD Ev,Gv,Ib BSF Gv,Ev BSWAP ESP

SETNL Eb SHRD Ev,Gv,CL BSR Gv,Ev BSWAP EBP

SETLE Eb

SETNLE Eb IMUL Gv,Ev

MOVSX Gv,Eb BSWAP ESI Gv,Ew BSWAP EDI PAN DN Pq, Qq PXOR Pq, Qq PAD DD Pq, Qq

C D E F

BSWA P ECX

PS UBU SB PSUBUSW Pq, Qq Pq, Qq PSUB SB Pq, Qq PS UBB Pq, Qq P SUBSW Pq, Qq PSUBW Pq, Qq PS UBD Pq, Qq

PADDUSB PADDUSW Pq, Qq Pq, Qq PADDSB Pq, Qq PADDB Pq, Qq PADDSW Pq, Qq PADDW Pq, Qq

NOTES: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes. 2. Bits 5, 4, and 3 of ModR/M byte used as an opcode extension ( see Section A.4.). 3. These abbreviations are not actual mnemonics. When shifting by immediate shift counts, the PSHIMD mnemonic represents the PSLLD, P SRAD, and PSRLD instr uctions, PSHIMW represents the PSLLW, PSRAW, and PSRLW instructions, and PSHIMQ represents the PSLLQ and PSRLQ instr uctions. The instructions that shift by immediate counts are differentiated by the ModR /M bytes (see Section A.4.). 4. Use the 0F0B opcode (UD 2 instr uction) or the 0FB 9H opcode when deliberately tr ying to generate an invalid opcode exception (#UD).

A-7


OPCODE MAP

A.4. OPCODE EXTENSIONS FOR ONE- AND TWO-BYTE OPCODES
Some of the 1-byte and 2-byte opcodes use bits 5, 4, and 3 of the ModR/M byte (the nnn field in Figure A-1) as an extension of the opcode. Those opcodes that have opcode extensions are indicated in Tables A-1 and A-2 with group numbers (Group 1, Group 2, etc.). The group numbers (which range from 1 to A) provide an entry point into Table A -3 where the encoding of the opcode extension field can be found. For example, the ADD instruction with a 1-byte opcode of 80H is a Group 1 instruction. Table A-3 then indicates that the opcode extension that must be encoded in the ModR/M byte for this instruction is 000B.
mod nnn R/M

Figure A-1. M odR/M Byte nnn Field (Bits 5, 4, and 3) Table A-3. Opcode Extensions for One- and Two-Byte Opcodes by Group Num ber1
Encoding of Bits 5,4,3 of the ModR/M Byt e Group 1 2 3 4 5 6 7 8 9 A CMPXC H 8B Mq PSRLD, PSRLW, PSRLQ Pq, Ib PSRAD, PSRAW Pq, Ib PSLLD, PSLLW, PSLLQ Pq, Ib 000 ADD ROL TES T Ib/Iv INC Eb INC Ev SLDT Ew SGDT Ms DEC Eb DEC Ev STR Ew SIDT Ms CALL Ev LLDT Ew LGDT Ms CALL Ep LTR Ew LIDT Ms JMP Ev VERR Ew SMSW Ew BT BTS JMP Ep VERW Ew LMSW Ew BTR INVLPG BTC PUSH Ev 001 OR ROR 010 ADC RCL NOT 011 SB B RCR NE G 100 AN D SHL, SAL M UL AL/eAX 101 SUB SH R IMUL AL/eAX DIV AL/eAX 110 XOR 111 CM P SAR IDIV AL/eAX

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-8


OPCODE M AP

A.5. ESCAPE OPCODE INSTRUCTIONS
The opcode maps for the escape instruction opcodes (floating-point instruction opcodes) are given in Tables A-4 through A-13. These opcode maps are grouped by the first byte of the opcode from D8 through DF. Each of these opcodes has a ModR/M byte. If the ModR/M byte is within the range of 00H through BFH, bits 5, 4, and 3 of the ModR/M byte are used as an opcode extension, similar to the technique used for 1-and 2-byte opcodes (see Section A.4., "Opcode Extensions For One- And Two-byte Opcodes"). If the ModR/M byte is outside the range of 00H through BFH , the entire ModR/M byte is used as an opcode extension. For example, the opcode DD0504000000H can be interpreted as follows. The instruction encoded with this opcode can be located in Section A.5.6., "Escape Opcodes with DD as First Byte". Since the ModR/M byte (05H) is within the 00H through BFH range, bits 3 through 5 (000) of this byte indicate the opcode to be for an FLD double-real instruction (see Table A -6). The double-real value to be loaded is at 00000004H, which is the 32-bit displacement that follows and belongs to this opcode. The opcode D8C1H illustrates an opcode with a ModR/M byte outside the range of 00H through BFH. The instruction encoded here, can be located in Section A.5.1., "Escape Opcodes with D8 as First Byte". InTable A -5, the ModR/M byte C1H indicates row C, column 1, which is an FADD instruction using ST(0), ST(1) as the operands.

A-9


OPCODE MAP

A.5.1.

Escape Opcodes with D8 as First Byte

Tables A-4 and A-5 contain the opcodes maps for the escape instruction opcodes that begin with D8H. Table A -4 show s the opcode map if the accompanying ModR/M byte within the range of 00H through BFH. Here, the value of bits 5, 4, and 3 (the nnn field in Figure A-1) selects the instruction.
Table A-4. D8 Opcode Map When M odR/M B yte is Within 00H to BFH1
nnn Field of ModR/M Byte (see Figure A-1) 000 FA DD single-real NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes. 001 FMUL single- real 010 FC OM single-r eal 011 FCOMP single-real 100 FSUB single-real 101 FSUBR single-real 110 FDIV single-real 111 FDIVR single-real

Table A-5 show s the opcode map if the accompanying ModR/M byte is outside the range of 00H to BFH. In this case the first digit of the ModR/M byte selects the row in the table and the second digit selects the column.

A-10


OPCODE M AP

Table A-5. D8 Opcode Map When ModR/M Byte is Outside 00H to BFH1
0 C 1 2 3 FADD
ST (0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

4

5

6

7

D
ST (0),ST(0) ST(0),ST(1) ST(0),T(2)

FCOM
ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

E

FSUB
ST (0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

F

FDIV
ST (0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

8 C

9

A

B FMUL

C

D

E

F

ST (0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

D
ST (0),ST(0) ST(0),ST(1) ST(0),T(2)

FCOMP
ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

E

FSUBR
ST (0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

F

FDIVR
ST (0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-11


OPCODE MAP

A.5.2.

Escape Opcodes with D9 as First Byte

Tables A -6 and A-13 contain the opcodes maps for the escape instruction opcodes that begin with D9H. Table A-6 shows the opcode map if the accompanying ModR/M byte within the range of 00H through BFH. Here, the value of bits 5, 4, and 3 (the nnn field in Figure A-1) selects the instruction.
.

Table A-6. D9 Opcode Map When ModR/M Byte is Within 00H to B FH1
nnn Field of ModR/M Byte (see Figure A-1) 000 FLD single-real NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes. 001 010 FS T single-real 011 100 101 FLDCW 2 bytes 110 FSTENV 14/28 bytes 111 FSTCW 2 bytes

FSTP FLDENV single-real 14/28 bytes

Table A-13 shows the opcode map if the accompanying ModR/M byte is outside the range of 00H to BFH. In this case the first digit of the ModR/M byte selects the row in the table and the second digit selects the column.

A-12


OPCODE M AP

:

Table A-7. D9 Opcode Map When ModR/M Byte is Outside 00H to B FH1
0 C 1 2 3 FLD
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

4

5

7

D

F NO P

E

FCHS

FAB S

FTST

FXAM

F

F2XM1

FYL2X

FPTAN

FPATAN

FXTRACT

FPREM1

FDECSTP

FIN CSTP

8 C

9

A

B FXCH

C

D

E

F

ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

D

E

FLD1

FLDL2T

FLDL2E

FLDPI

FLDLG2

FLDLN2

FLDZ

F

FPREM

FYL2XP 1

FS QRT

FSINCOS

FRNDINT

FSCALE

FSIN

FCOS

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-13


OPCODE MAP

A.5.3.

Escape Opcodes with DA as First Byte

Tables A -6 and A-13 contain the opcodes maps for the escape instruction opcodes that begin with DAH. Table A -6 show s the opcode map if the accompanying ModR/M byte within the range of 00H through BFH. Here, the value of bits 5, 4, and 3 (the nnn field in Figure A-1) selects the instruction.
Table A-8. DA Opcode Map When ModR/M Byte is Within 00H to BFH1
nnn Field of ModR/M Byte ( see Figure A-1) 000
FIADD sho r t-integ er

001

010

011

100

101

110

111

FIMUL FICOM FI COMP FISUB FISUBR FID IV FIDIVR shor t-integer shor t-integer shor t-integer shor t-int eger shor t-integer shor t-integer shor t-integer

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

Table A-13 shows the opcode map if the accompanying ModR/M byte is outside the range of 00H to BFH. In this case the first digit of the ModR/M byte selects the row in the table and the second digit selects the column.

A-14


OPCODE M AP

Table A-9. DA Opcode Map When ModR/M Byte is Outside 00H to BFH1
0 C 1 2 3 FCMOVB
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

4

5

7

D

FCMOV BE
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

E

F

8 C

9

A

B FCMOVE

C

D

E

F

ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

D

FCMOVU
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

E

FUCOMPP

F

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-15


OPCODE MAP

A.5.4.

Escape Opcodes with DB as First Byte

Tables A -6 and A-13 contain the opcodes maps for the escape instruction opcodes that begin with DBH. Table A-6 shows the opcode map if the accompanying ModR/M byte within the range of 00H through BFH. Here, the value of bits 5, 4, and 3 (the nnn field in Figure A-1) selects the instruction.
Table A -10. DB O pcode Map When ModR/M Byte is Within 00H to BFH1
nnn Field of ModR/M Byte ( see Figure A-1) 000
FIL D sho r t-integ er

001

010

011

100

101
FLD extend ed-rea l

110

111
FSTP exte nded-real

FIST FISTP shor t-integer shor t-integer

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

Table A-13 shows the opcode map if the accompanying ModR/M byte is outside the range of 00H to BFH. In this case the first digit of the ModR/M byte selects the row in the table and the second digit selects the column.

A-16


OPCODE M AP

Table A-11. DB Opcode M ap When ModR/M Byte is Outside 00H to BFH1
0 C 1 2 3 FCMOV NB
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

4

5

7

D

FCMOVNBE
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

E

FCLEX

FINIT

F

FCOMI
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

8 C

9

A

B

C FCMOV NE

D

E

F

ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

D

FCMOV NU
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

E

FUCOMI
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

F

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-17


OPCODE MAP

A.5.5.

Escape Opcodes with DC as First Byte

Tables A -6 and A-13 contain the opcodes maps for the escape instruction opcodes that begin with DCH. Table A-6 shows the opcode map if the accompanying ModR/M byte within the range of 00H through BFH. Here, the value of bits 5, 4, and 3 (the nnn field in Figure A-1) selects the instruction.
Table A -12. DC O pcode Map When ModR/M Byte is Within 00H to BFH1
nnn Field of ModR/M Byte ( see Figure A-1) 000
FADD double-real

001
FMUL double-real

010
FCOM double-real

011
FC OMP double -real

100
FSUB dou ble-real

101
FSUBR do uble-rea l

110
FDI V d ouble-re al

111
FDIVR double-real

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

Table A-13 shows the opcode map if the accompanying ModR/M byte is outside the range of 00H to BFH. In this case the first digit of the ModR/M byte selects the row in the table and the second digit selects the column.

A-18


OPCODE M AP

Table A-13. DC Opcode M ap When ModR/M Byte is Outside 00H to BFH1
0 C 1 2 3 FADD
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

4

5

7

D

E

FSUBR
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

F

FDIVR
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

8 C

9

A

B FMUL

C

D

E

F

ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

D

E

FS UB
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

F

FDIV
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-19


OPCODE MAP

A.5.6.

Escape Opcodes with DD as First Byte

Tables A -6 and A-13 contain the opcodes maps for the escape instruction opcodes that begin with DD H. Table A-6 shows the opcode map if the accompanying ModR/M byte within the range of 00H through BFH. Here, the value of bits 5, 4, and 3 (the nnn field in Figure A-1) selects the instruction.
Table A -14. DD O pcode Map When ModR/M Byte is Within 00H to BFH1
nnn Field of ModR/M Byte ( see Figure A-1) 000
FL D double-real

001

010
FST double-real

011
FSTP double -real

100
FRSTOR 98/108bytes

101

110
FSAVE 98/108bytes

111
FSTSW 2 bytes

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

Table A-13 shows the opcode map if the accompanying ModR/M byte is outside the range of 00H to BFH. In this case the first digit of the ModR/M byte selects the row in the table and the second digit selects the column.

A-20


OPCODE M AP

Table A-15. DD Opcode M ap When ModR/M Byte is Outside 00H to BFH1
0 C ST(0) D ST(0) E ST(1) ST(2) ST(3) ST(1) ST(2) 1 2 3 FFREE ST(3) FST ST(4) ST(5) ST(6) ST(7) ST(4) ST(5) ST(6) ST(7) 4 5 7

FUCOM
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

F

8 C

9

A

B

C

D

E

F

D ST(0) E ST(0) F ST(1) ST(2) ST(1) ST(2) ST(3)

FSTP ST(4) ST(5) ST(6) ST(7)

FUCOMP ST(3) ST(4) ST(5) ST(6) ST(7)

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-21


OPCODE MAP

A.5.7.

Escape Opcodes with DE as First Byte

Tables A -6 and A-13 contain the opcodes maps for the escape instruction opcodes that begin with DEH. Table A-6 shows the opcode map if the accompanying ModR/M byte within the range of 00H through BFH. Here, the value of bits 5, 4, and 3 (the nnn field in Figure A-1) selects the instruction.
Table A-16. DE O pcode Map When ModR/M Byte is Within 00H to BFH1
nnn Field of ModR/M B yte (see Figure A-1) 000
FIAD D word-integer

001

010

011

100

101

110

111
FIDIVR word-inte ger

FIMUL FICOM FICOMP FISUB FISUBR FIDIV word-integer word-inte ger word-integ er word -intege r wo rd-integer word-in teger

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

Table A-13 shows the opcode map if the accompanying ModR/M byte is outside the range of 00H to BFH. In this case the first digit of the ModR/M byte selects the row in the table and the second digit selects the column.

A-22


OPCODE M AP

Table A-17. DE Opcode M ap When ModR/M Byte is Outside 00H to BFH1
0 C 1 2 3 FADDP
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

4

5

7

D

E

FS UBRP
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

F

FDIVRP ST(0),S T(0) ST( 1),S T(0) ST(2),ST(0) ST(3) ,ST(0) ST(4),ST(0) ST( 5),ST(0) ST( 6),ST(0) ST(7),ST(0) 8 9 A B FMULP
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

C

D

E

F

C

D

FCOMPP

E

FSUBP
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0) ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

F

FDIVP
ST(0),ST(0) ST(1),ST(0) ST(2),ST(0). ST(3),ST(0) ST(4),ST(0) ST(5),ST(0) ST(6),ST(0) ST(7),ST(0)

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-23


OPCODE MAP

A.5.8.

Escape Opcodes with DF As First Byte

Tables A -6 and A-13 contain the opcodes maps for the escape instruction opcodes that begin with DFH. Table A-6 shows the opcode map if the accompanying ModR/M byte within the range of 00H through BFH. Here, the value of bits 5, 4, and 3 (the nnn field in Figure A-1) selects the instruction.
Table A-18. DF Opcode Map When ModR/M Byte is Within 00H to BFH1
nnn Field of ModR/M Byte ( see Figure A-1) 000
FIL D word-int eger

001

010

011

100

101

110

111
FISTP long-in teger

FIST FISTP FBL D FILD FBSTP word-int eger word-in teger packed-BCD lon g-integ er packed-BCD

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

Table A-13 shows the opcode map if the accompanying ModR/M byte is outside the range of 00H to BFH. In this case the first digit of the ModR/M byte selects the row in the table and the second digit selects the column.

A-24


OPCODE M AP

Table A-19. DF Opcode M ap When ModR/M Byte is Outside 00H to BFH1
0 C 1 2 3 4 5 7

D

E

FSTS W AX FCOMIP
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

F

8 C

9

A

B

C

D

E

F

D

E

FUCOMIP
ST(0),ST(0) ST(0),ST(1) ST(0),ST(2) ST(0),ST(3) ST(0),ST(4) ST(0),ST(5) ST(0),ST(6) ST(0),ST(7)

F

NOTE: 1. All blanks in the opcode map are reser ved and should not be used. Do not depend on the operation of these undefined opcodes.

A-25



B
Instruction Formats and Encodings



APPENDIX B INSTRUCTION FORMATS AND ENCODINGS
This appendix show s the formats and encodings of the Intel Architecture instructions. The main format and encoding tables are Tables B-10, B-14, and B-16.

B.1. MACHINE INSTRUCTION FORMAT
All Intel Architecture instructions are encoded using subsets of the general machine instruction format shown in Figure B-1. Each instruction consists of an opcode, a register and/or address mode specifier (if required) consisting of the ModR/M byte and sometimes the scale-index-base (SIB) byte, a displacement (if required), and an immediate data field (if required).

76543210

7 6 5 4 3 2 1 0 7-6

5-3

2-0 7-6

5-3

2-0 d3 2 | 16 | 8 | None d3 2 | 16 | 8 | None

T T T T T T T T T T T T T T T T Mod Re g* R/M Scale Index Base

Opcode 1 or 2 Byte s (T R eprese nts an Opcode Bit) * Reg Field is sometimes used as an opcode ext ension f ield (TTT).

ModR/M Byte

SIB Byte

Address Displacement Immediate Data (4, 2, 1 Bytes or N one) (4,2,1 Bytes or None)

Reg ister and/or Address Mod e Sp ecifie r

Figure B-1. General M achine Instruction Form at

The primary opcode for an instruction is encoded in one or two bytes of the instruction. Some instructions also use an opcode extension field encoded in bits 5, 4, and 3 of the ModR/M byte. Within the primary opcode, smaller encoding fields may be defined. These fields vary according to the class of operation being performed. The fields define such information as register encoding, conditional test performed, or sign extension of immediate byte. Almost all instructions that refer to a register and/or memory operand have a register and/or address mode byte following the opcode. This byte, the ModR/M byte, consists of the mod field, the reg field, and the R/M field. Certain encodings of the ModR/M byte indicate that a second address mode byte, the SIB byte, must be used. If the selected addressing mode specifies a displacement, the displacement value is placed immediately following the ModR/M byte or SIB byte. If a displacement is present, the possible sizes are 8, 16, or 32 bits. If the instruction specifies an immediate operand, the immediate value follows any displacement bytes. An immediate operand, if specified, is always the last field of the instruction.

B-1


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-1 lists several smaller fields or bits that appear in certain instructions, sometimes w ithin the opcode bytes themselves. The following tables describe these fields and bits and list the allowable values. All of these fields (except the d bit) are shown in the integer instruction formats given in Table B-10.
Table B-1. Special Fields Within Instruction Encodings
Field Name reg w s sreg2 sreg3 eee tttn d Description General-register specifier ( see Table B-2 or B-3) Specifies if data is byte or full-sized, where full-sized is either 16 or 32 bits (see Table B-4) Specifies sign extension of an immediate data field (see Table B-5) Segment register specifier for CS, SS, DS, ES (see Table B-6) Segment register specifier for CS, SS, DS, ES, FS, GS (see Table B-6) Specifies a special-pur pose ( contr ol or debug) register (see Table B-7) For conditional instr uctions, specifies a condition asser ted or a condition negated (see Table B-8) Specifies direction of data operation (see Table B-9) Number of Bit s 3 1 1 2 3 3 4 1

B.1.1.

Reg Field (reg)

The reg field in the ModR/M byte specifies a general-purpose register operand. The group of registers specified is modified by the presence of and state of the w bit in an encoding (see Table B-4). Table B-2 shows the encoding of the reg field when the w bit is not present in an encoding, and Table B-3 shows the encoding of the reg field when the w bit is present.
Table B-2. Encoding of reg Field When w Field is Not Present in Instruction
reg Field 000 001 010 011 100 101 110 111 Register Selected during 16-Bit Data Operat ions AX CX DX BX SP BP SI DI Register Selected during 32-Bit Data Operat ions EAX EC X ED X EBX ESP EBP ESI EDI

B-2


INSTRUCTION FORMATS AND ENCODING S

Table B-3. Encoding of reg Field When w Field is Present in Instruction
Register Specif ied by reg Field during 16-Bit Data Operations Function of w Field re g 000 001 010 011 100 101 110 111 When w = 0 AL CL DL BL AH CH DH BH When w = 1 AX CX DX BX SP BP SI DI re g 000 001 010 011 100 101 110 111 Register Specif ied by reg Field during 32-Bit Data Operations Funct ion of w Field When w = 0 AL CL DL BL AH CH DH BH When w = 1 EAX E CX E DX EBX ESP EBP ESI EDI

B.1.2.

Encoding of Operand Size Bit (w)

The current operand-size attribute determines whether the processor is performing 16-or 32-bit operations. Within the constraints of the current operand-size attribute, the operand-size bit (w) can be used to indicate operations on 8-bit operands or the full operand size specified with the operand-size attribute (16 bits or 32 bits). Table B-4 shows the encoding of the w bit depending on the current operand-size attribute.
Table B-4. Encoding of O perand Size (w) Bit
w Bit 0 1 Operand Size When Operand-Size Attribut e is 16 bits 8 Bits 16 Bits Operand Size When Operand-Size Attribut e is 32 bits 8 Bits 32 Bits

B.1.3.

Sign Extend (s) Bit

The sign-extend (s) bit occurs primarily in instructions with immediate data fields that are being extended from 8 bits to 16 or 32 bits. Table B-5 shows the encoding of the s bit.
Table B-5. Encoding of Sign-Extend (s) Bit
s 0 1 None Sign-extend to fill 16-bit or 32-bit destination Effect on 8-Bit Immediate Data None None Ef fect on 16- or 32-Bit Immediate Data

B-3


INSTRUCTION FORM ATS AND ENCO DINGS

B.1.4.

Segment Register Field (sreg)

When an instruction operates on a segment register, the reg field in the ModR/M byte is called the sreg field and is used to specify the segment register. Table B-6 shows the encoding of the sreg field. This field is sometimes a 2-bit field (sreg2) and other times a 3-bit field (sreg3).
Table B-6. Encoding of the Segment Register (sreg) Field
2-Bit sreg2 Field 00 01 10 11 Segment Register Selected ES CS SS DS 3-Bit sreg3 Field 000 001 010 011 100 101 110 111 * Do not use reser ved encodings. Segment Register Selected ES CS SS DS FS GS Reser ved* Reser ved*

B.1.5.

Special-Purpose Register (eee) Field

When the control or debug registers are referenced in an instruction they are encoded in the eee field, which is located in bits 5, 4, and 3 of the ModR/M byte. Table B-7 shows the encoding of the eee field.
Table B-7. Encoding of Special-Purpose Register (eee) Field
eee 000 001 010 011 100 101 110 111 * Do not use reser ved encodings. Cont rol Register CR0 Reser ved* CR2 CR3 CR 4 Reser ved* Reser ved* Reser ved* Debug Register DR0 D R1 DR2 DR3 Reser ved* Reser ved* D R6 D R7

B-4


INSTRUCTION FORMATS AND ENCODING S

B.1.6.

Condition Test Field (tttn)

For conditional instructions (such as conditional jumps and set on condition), the condition test field (tttn) is encoded for the condition being tested for. The ttt part of the field gives the condition to test and the n part indicates whether to use the condition (n = 0) or its negation (n = 1). For 1-byte primary opcodes, the tttn field is located in bits 3,2,1, and 0 of the opcode byte; for 2-byte primary opcodes, the tttn field is located in bits 3,2,1, and 0 of the second opcode byte. Table B-8 shows the encoding of the tttn field.
Table B-8. Encoding of Conditional Test (tttn) Field
tttn 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 O NO B, NA E NB, AE E, Z NE, NZ BE , NA NBE, A S NS P, PE NP, PO L , NG E NL , G E L E, N G NLE, G Mnemonic Overflow No overflow Below, Not above or equal Not below, Above or equal Equal, Zero Not equal, Not zero Below or equal, Not above Not below or equal, Above Sign Not sign Par ity, Par ity Even Not par ity, Par ity Odd Less than, Not gr eater than or equal to Not less than, Greater than or equal to Less than or equal to, Not greater than Not less than or equal to, Greater than Condition

B.1.7.

Direction (d) Bit

In many two-operand instructions, a direction bit (d) indicates which operand is considered the source and which is the destination. Table B-9 shows the encoding of the d bit. When used for integer instructions, the d bit is located at bit 1 of a 1-byte primary opcode. This bit does not appear as the symbol "d" in Table B-10; instead, the actual encoding of the bit as 1 or 0 is given. When used for floating-point instructions (in Table B-16), the d bit is shown as bit 2 of the first byte of the primary opcode.

B-5


INSTRUCTION FORM ATS AND ENCO DINGS

.

Table B-9. Encoding of Operation Direction (d) B it
d 0 1 reg Field ModR/M or SIB Byte Source Destination ModR /M or SIB Byte reg Field

B.2. INTEGER INSTRUCTION FORMATS AND ENCODINGS
Table B-10 shows the formats and encodings of the integer instructions.
Table B-10. Integ er Instruction Formats and Encodings
Instruction and Format A AA ­ ASCII Adjust after Addition A AD ­ ASCII Adjust AX before Division A AM ­ AS CII A djust AX af ter Multiply A AS ­ ASCII Adjust AL after Subtraction A DC ­ ADD with Carry register1 to register2 register2 to register1 memor y to register register to memor y immediate to register immediate to AL, AX, or EAX immediate to memor y A DD ­ Add register1 to register2 register2 to register1 memor y to register register to memor y immediate to register immediate to AL, AX, or EAX immediate to memor y A ND ­ Logical AND register1 to register2 register2 to register1 memor y to register register to memor y immediate to register 0010 000w : 11 reg1 reg2 0010 001w : 11 reg1 reg2 0010 001w : mod r eg r/m 0010 000w : mod r eg r/m 0000 000w : 11 reg1 reg2 0000 001w : 11 reg1 reg2 0000 001w : mod r eg r/m 0000 000w : mod r eg r/m 1000 00sw : 11 000 reg : immediate data 0000 010w : immediate data 1000 00sw : mod 000 r/m : immediate data 0001 000w : 11 reg1 reg2 0001 001w : 11 reg1 reg2 0001 001w : mod r eg r/m 0001 000w : mod r eg r/m 1000 00sw : 11 010 reg : immediate data 0001 010w : immediate data 1000 00sw : mod 010 r/m : immediate data 0011 0111 1101 0101 : 0000 1010 1101 0100 : 0000 1010 0011 1111 Encoding

B-6


INSTRUCTION FORMATS AND ENCODING S

Table B-10. Integer Instruction Form ats and Encodings (Contd.)
Instruction and Format immediate to AL, AX , or EAX immediate to memor y ARPL ­ Adjust RPL Field of Selector from register from memor y BOUND ­ Check Array Against Bounds BSF ­ Bit S can Forward
register1, regist er2

Encoding 0010 010w : immediate data 1000 00sw : mod 100 r/m : immediate data

0110 0011 : 11 reg1 reg2 0110 0011 : mod reg r/m 0110 0010 : mod reg r/m

0000 1111 : 1011 1100 : 11 reg2 reg1 0000 1111 : 1011 1100 : mod reg r/m

memor y, register BSR ­ B it Scan Reverse register1, register2 memor y, register BSWAP ­ Byte Swap BT ­ Bit Test register, immediate memor y, immediate register1, register2 memor y, reg BTC ­ Bit Test and Complemen t register, immediate memor y, immediate register1, register2 memor y, reg BTR ­ Bit Test and Reset register, immediate memor y, immediate register1, register2 memor y, reg BTS ­ Bit Test and S et register, immediate memor y, immediate register1, register2 memor y, reg

0000 1111 : 1011 1101 : 11 reg2 reg1 0000 1111 : 1011 1101 : mod reg r/m 0000 1111 : 1100 1 reg

0000 1111 : 1011 1010 : 11 100 reg: imm8 data 0000 1111 : 1011 1010 : mod 100 r/m : imm8 data 0000 1111 : 1010 0011 : 11 reg2 reg1 0000 1111 : 1010 0011 : mod reg r/m

0000 1111 : 1011 1010 : 11 111 reg: imm8 data 0000 1111 : 1011 1010 : mod 111 r/m : imm8 data 0000 1111 : 1011 1011 : 11 reg2 reg1 0000 1111 : 1011 1011 : mod reg r/m

0000 1111 : 1011 1010 : 11 110 reg: imm8 data 0000 1111 : 1011 1010 : mod 110 r/m : imm8 data 0000 1111 : 1011 0011 : 11 reg2 reg1 0000 1111 : 1011 0011 : mod reg r/m

0000 1111 : 1011 1010 : 11 101 reg: imm8 data 0000 1111 : 1011 1010 : mod 101 r/m : imm8 data 0000 1111 : 1010 1011 : 11 reg2 reg1 0000 1111 : 1010 1011 : mod reg r/m

B-7


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-10. Integ er Instruction Formats and Encodings (Contd.)
Instruction and Format C ALL ­ Call Procedure (in same segment) direct register indir ect memor y indirect C ALL ­ Call Procedure (in other segment) direct indirect C BW ­ Conver t Byte to Word C DQ ­ Conver t Doubleword to Qword C LC ­ Clear Carry Flag C LD ­ Clear Direction Flag C LI ­ Clear Interrupt Flag C LTS ­ Clear Task-S witched Flag in CR0 C MC ­ Complement Carry Flag C MOVcc ­ Conditional Move register2 to r egister1 memor y to register C MP ­ Compare Two Operands register1 with register2 register2 with register1 memor y with r egister register with memor y immediate with register immediate with AL, AX, or EAX immediate with memor y C MPS /CMPSB/CMP SW/CMPSD ­ Compare String Operands C MPX CHG ­ Compare and Exchange register1, register2 memor y, register C MPX CHG8B ­ Compare and Exchange 8 Bytes memor y, register C PUID ­ CPU Identification C WD ­ Conver t Word to Doubleword C WDE ­ Convert Word to Doubleword DAA ­ Decimal Adjust AL after Addition 0000 1111 : 1100 0111 : mod reg r/m 0000 1111 : 1010 0010 1001 1001 1001 1000 0010 0111 0000 1111 : 1011 000w : 11 reg2 reg1 0000 1111 : 1011 000w : mod reg r/m 0011 100w : 11 reg1 reg2 0011 101w : 11 reg1 reg2 0011 100w : mod r eg r/m 0011 101w : mod r eg r/m 1000 00sw : 11 111 reg : immediate data 0011 110w : immediate data 1000 00sw : mod 111 r/m 1010 011w 0000 1111: 0100 tttn : 11 reg1 reg2 0000 1111: 0100 tttn : mod mem r /m 1001 1010 : unsigned full offset, selector 1111 1111 : mod 011 r/m 1001 1000 1001 1001 1111 1000 1111 1100 1111 1010 0000 1111 : 0000 0110 1111 0101 1110 1000 : full displacement 1111 1111 : 11 010 reg 1111 1111 : mod 010 r/m Encoding

B-8


INSTRUCTION FORMATS AND ENCODING S

Table B-10. Integer Instruction Form ats and Encodings (Contd.)
Instruction and Format DAS ­ Decimal Adjust AL after Subtraction DEC ­ D ecrement by 1 register register (alter nate encoding) memor y DIV ­ Unsigned Divide AL, AX, or EAX by register AL, AX, or EAX by memor y ENTER ­ Make Stack Frame for High Level Procedure HLT ­ Halt IDIV ­ Signed Divide AL, AX, or EAX by register AL, AX, or EAX by memor y IMUL ­ Signed Multiply AL, AX, or EAX with register AL, AX, or EAX with memor y register1 with register2 register with memor y register1 with immediate to register2 memor y with immediate to register IN ­ Input From Por t fixed por t var iable por t INC ­ Increment by 1 reg reg (alter nate encoding) memor y INS ­ Input from DX Por t INT n ­ Interrupt Type n INT ­ Single-Step Interrupt 3 INTO ­ Interrupt 4 on Overflow INV D ­ Invalidate Cache INVLPG ­ Invalidate TLB Entr y IRE T/IR ETD ­ Interrupt R eturn 1111 111w : 11 000 reg 0100 0 r eg 1111 111w : mod 000 r/m 0110 110w 1100 1101 : type 1100 1100 1100 1110 0000 1111 : 0000 1000 0000 1111 : 0000 0001 : mod 111 r/m 1100 1111 1110 010w : por t number 1110 110w 1111 011w : 11 101 reg 1111 011w : mod 101 reg 0000 1111 : 1010 1111 : 11 : reg1 reg2 0000 1111 : 1010 1111 : mod reg r/m 0110 10s1 : 11 reg1 reg2 : immediate data 0110 10s1 : mod reg r/m : immediate data 1111 011w : 11 111 reg 1111 011w : mod 111 r/m 1111 011w : 11 110 reg 1111 011w : mod 110 r/m 1100 1000 : 16-bit displacement : 8-bit level (L) 1111 0100 1111 111w : 11 001 reg 0100 1 r eg 1111 111w : mod 001 r/m 0010 1111 Encoding

B-9


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-10. Integ er Instruction Formats and Encodings (Contd.)
Instruction and Format Jcc ­ Jump if Condition is Met 8-bit displacement full displacement JCXZ/JE CXZ ­ Jump on CX/ECX Zero Address- size prefix differentiates JCXZ and JECXZ JMP ­ Unconditional Jump (to same segment) shor t direct register indir ect memor y indirect JMP ­ Unconditional Jump (to other segment) direct intersegment indirect intersegment LAHF ­ Load Flags into AH Register LAR ­ Load Access Rights Byte from register from memor y LDS ­ Load Pointer t o DS LEA ­ Load Effective Address LEAVE ­ High Level Procedure Exit LES ­ Load Pointer to E S LFS ­ Load Pointer to FS LGDT ­ Load Global Descriptor Table Register LGS ­ Load Point er to GS LIDT ­ Load Interrupt Descriptor Table Register LLDT ­ Load Local Descriptor Table Register LDTR from register LDTR from memor y LMSW ­ Load Machine Status Word from register from memor y LOCK ­ Assert LOCK# Signal Prefix LODS/LODSB/LODSW/LODSD ­ Load String Operand LOOP ­ Loop Count 0000 1111 : 0000 0001 : 11 110 reg 0000 1111 : 0000 0001 : mod 110 r/m 1111 0000 1010 110w 1110 0010 : 8- bit displacement 0000 1111 : 0000 0000 : 11 010 reg 0000 1111 : 0000 0000 : mod 010 r/m 0000 1111 : 0000 0010 : 11 r eg1 reg2 0000 1111 : 0000 0010 : mod reg r/m 1100 0101 : mod reg r/m 1000 1101 : mod reg r/m 1100 1001 1100 0100 : mod reg r/m 0000 1111 : 1011 0100 : mod reg r/m 0000 1111 : 0000 0001 : mod 010 r/m 0000 1111 : 1011 0101 : mod reg r/m 1110 1010 : unsigned full offset, selector 1111 1111 : mod 101 r/m 1001 1111 1110 1011 : 8- bit displacement 1110 1001 : full displacement 1111 1111 : 11 100 reg 1111 1111 : mod 100 r/m 0111 tttn : 8-bit displacement 0000 1111 : 1000 tttn : full displacement 1110 0011 : 8- bit displacement Encoding

B-10


INSTRUCTION FORMATS AND ENCODING S

Table B-10. Integer Instruction Form ats and Encodings (Contd.)
Instruction and Format LOOPZ/LOOP E ­ Loop C ount while Zero/Equal LOOPN Z/LOOP NE ­ Loop Count while not Zero/Equal LS L ­ Load Segment Limit from register from memor y LS S ­ Load Pointer to SS LTR ­ Load Task Register from register from memor y MOV ­ Move Data register1 to register2 register2 to register1 memor y to reg reg to memor y immediate to register immediate to register (alter nate encoding) immediate to memor y memor y to AL, AX, or EAX AL, AX , or EAX to memor y MOV ­ Move to/from Control Regist ers CR0 from register CR2 from register CR3 from register CR4 from register register fr om CR0-CR4 MOV ­ Move to/from Debug Registers DR0- DR3 from register DR4- DR5 from register DR6- DR7 from register register fr om DR6-DR7 register fr om DR4-DR5 register fr om DR0-DR3 MOV ­ Move to/from Segment Registers register to segment register register to SS 1000 1110 : 11 sr eg3 reg 1000 1110 : 11 sr eg3 reg 0000 1111 : 0010 0011 : 11 eee reg 0000 1111 : 0010 0011 : 11 eee reg 0000 1111 : 0010 0011 : 11 eee reg 0000 1111 : 0010 0001 : 11 eee reg 0000 1111 : 0010 0001 : 11 eee reg 0000 1111 : 0010 0001 : 11 eee reg 0000 1111 : 0010 0010 : 11 000 reg 0000 1111 : 0010 0010 : 11 010reg 0000 1111 : 0010 0010 : 11 011 reg 0000 1111 : 0010 0010 : 11 100 reg 0000 1111 : 0010 0000 : 11 eee reg 1000 100w : 11 reg1 reg2 1000 101w : 11 reg1 reg2 1000 101w : mod reg r/m 1000 100w : mod reg r/m 1100 011w : 11 000 reg : immediate data 1011 w reg : immediate data 1100 011w : mod 000 r/m : immediate data 1010 000w : full displacement 1010 001w : full displacement 0000 1111 : 0000 0000 : 11 011 reg 0000 1111 : 0000 0000 : mod 011 r/m 0000 1111 : 0000 0011 : 11 reg1 reg2 0000 1111 : 0000 0011 : mod reg r/m 0000 1111 : 1011 0010 : mod reg r/m Encoding 1110 0001 : 8-bit displacement 1110 0000 : 8-bit displacement

B-11


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-10. Integ er Instruction Formats and Encodings (Contd.)
Instruction and Format memor y to segment reg memor y to SS segment register to register segment register to memor y MOVS /MOVSB/MOVSW/MOVSD ­ Move Data f rom String t o String MOVS X ­ Move with S ign-Extend register2 to register1 memor y to reg MOVZX ­ Move with Zero-Extend register2 to register1 memor y to register MUL ­ Unsigned Multiply AL, AX, or E AX with register AL, AX, or E AX with memor y N EG ­ Two's Complement Negation register memor y N OP ­ No Operation N OT ­ One's Complement Negation register memor y OR ­ Logical Inclusive OR register1 to register2 register2 to register1 memor y to register register to memor y immediate to register immediate to AL, AX, or EAX immediate to memor y OUT ­ Output to Por t fixed por t var iable por t OUTS ­ Output to DX Port P OP ­ Pop a Word f rom the St ack register 1000 1111 : 11 000 reg 1110 011w : por t number 1110 111w 0110 111w 0000 100w : 11 reg1 reg2 0000 101w : 11 reg1 reg2 0000 101w : mod r eg r/m 0000 100w : mod r eg r/m 1000 00sw : 11 001 reg : immediate data 0000 110w : immediate data 1000 00sw : mod 001 r/m : immediate data 1111 011w : 11 010 reg 1111 011w : mod 010 r/m 1111 011w : 11 011 reg 1111 011w : mod 011 r/m 1001 0000 1111 011w : 11 100 reg 1111 011w : mod 100 reg 0000 1111 : 1011 011w : 11 reg1 reg2 0000 1111 : 1011 011w : mod reg r/m 0000 1111 : 1011 111w : 11 reg1 reg2 0000 1111 : 1011 111w : mod reg r/m Encoding 1000 1110 : mod sreg3 r/m 1000 1110 : mod sreg3 r/m 1000 1100 : 11 sreg3 reg 1000 1100 : mod sreg3 r/m 1010 010w

B-12


INSTRUCTION FORMATS AND ENCODING S

Table B-10. Integer Instruction Form ats and Encodings (Contd.)
Instruction and Format register (alter nate encoding) memor y POP ­ Pop a Segment Register from the Stack segment register CS, DS, ES segment register SS segment register FS, GS POPA /POPAD ­ Pop All General Registers POPF/POPFD ­ Pop S tack int o FLAGS or EFLAGS R egister PUS H ­ Push Operand onto the S tack register register (alter nate encoding) memor y immediate PUS H ­ Push S egment Register onto the Stack segment register CS,DS,ES,SS segment register FS,GS PUS HA/PUSHA D ­ Push All General Registers PUSHF/PU SHFD ­ Push Flags Register onto the Stack RCL ­ Rotate t hru Carry Left register by 1 memor y by 1 register by CL memor y by CL register by immediate count memor y by immediate count RCR ­ Rotate thru Carry Right register by 1 memor y by 1 register by CL memor y by CL register by immediate count memor y by immediate count RDMSR ­ Read from Model-Specific Register 1101 000w : 11 011 reg 1101 000w : mod 011 r/m 1101 001w : 11 011 reg 1101 001w : mod 011 r/m 1100 000w : 11 011 reg : imm8 data 1100 000w : mod 011 r/m : imm8 data 0000 1111 : 0011 0010 1101 000w : 11 010 reg 1101 000w : mod 010 r/m 1101 001w : 11 010 reg 1101 001w : mod 010 r/m 1100 000w : 11 010 reg : imm8 data 1100 000w : mod 010 r/m : imm8 data 000 sreg2 110 0000 1111: 10 sreg3 000 0110 0000 1001 1100 1111 1111 : 11 110 reg 0101 0 r eg 1111 1111 : mod 110 r/m 0110 10s0 : immediate data 000 sreg2 111 000 sreg2 111 0000 1111: 10 sreg3 001 0110 0001 1001 1101 0101 1 r eg 1000 1111 : mod 000 r/m Encoding

B-13


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-10. Integ er Instruction Formats and Encodings (Contd.)
Instruction and Format R DPMC ­ Read Performance Monitoring C ounters R DTSC ­ Read Time-Stamp Counter R EP IN S ­ Input S tring R EP LODS ­ Load String R EP MOVS ­ Move String R EP OUTS ­ Output St ring R EP STOS ­ S tore String R EPE C MPS ­ Compare String R EPE SCAS ­ Scan String R EPNE CMPS ­ Compare String R EPNE SCAS ­ Scan String R ET ­ Return from Procedure ( to same segment) no argument adding immediate to S P R ET ­ Return from Procedure ( to other segment) intersegment adding immediate to S P ROL ­ Rot ate Left register by 1 memor y by 1 register by CL memor y by CL register by immediate count memor y by immediate count ROR ­ Rotate Right register by 1 memor y by 1 register by CL memor y by CL register by immediate count memor y by immediate count R SM ­ Resume from System Management Mode S AHF ­ St ore AH into Flags S AL ­ Shift Arithmetic Left 1101 000w : 11 001 reg 1101 000w : mod 001 r/m 1101 001w : 11 001 reg 1101 001w : mod 001 r/m 1100 000w : 11 001 reg : imm8 data 1100 000w : mod 001 r/m : imm8 data 0000 1111 : 1010 1010 1001 1110 same instr uction as SHL 1101 000w : 11 000 reg 1101 000w : mod 000 r/m 1101 001w : 11 000 reg 1101 001w : mod 000 r/m 1100 000w : 11 000 reg : imm8 data 1100 000w : mod 000 r/m : imm8 data 1100 1011 1100 1010 : 16-bit displacement 1100 0011 1100 0010 : 16-bit displacement Encoding 0000 1111 : 0011 0011 0000 1111 : 0011 0001 1111 0011 : 0110 110w 1111 0011 : 1010 110w 1111 0011 : 1010 010w 1111 0011 : 0110 111w 1111 0011 : 1010 101w 1111 0011 : 1010 011w 1111 0011 : 1010 111w 1111 0010 : 1010 011w 1111 0010 : 1010 111w

B-14


INSTRUCTION FORMATS AND ENCODING S

Table B-10. Integer Instruction Form ats and Encodings (Contd.)
Instruction and Format SAR ­ S hift Arithmetic Right register by 1 memor y by 1 register by CL memor y by CL register by immediate count memor y by immediate count SBB ­ Integer Subtraction with B orrow register1 to register2 register2 to register1 memor y to register register to memor y immediate to register immediate to AL, AX , or EAX immediate to memor y SCAS /SCASB/SCASW/SCAS D ­ Scan String SE Tcc ­ Byte S et on Condition register memor y SGDT ­ Store Global Descriptor Table Register SHL ­ Shift Left register by 1 memor y by 1 register by CL memor y by CL register by immediate count memor y by immediate count SHLD ­ Double Precision Shift Left register by immediate count memor y by immediate count register by CL memor y by CL SHR ­ S hift Right register by 1 memor y by 1 1101 000w : 11 101 reg 1101 000w : mod 101 r/m 0000 1111 : 1010 0100 : 11 reg2 reg1 : imm8 0000 1111 : 1010 0100 : mod reg r/m : imm8 0000 1111 : 1010 0101 : 11 reg2 reg1 0000 1111 : 1010 0101 : mod reg r/m 1101 000w : 11 100 reg 1101 000w : mod 100 r/m 1101 001w : 11 100 reg 1101 001w : mod 100 r/m 1100 000w : 11 100 reg : imm8 data 1100 000w : mod 100 r/m : imm8 data 0000 1111 : 1001 tttn : 11 000 reg 0000 1111 : 1001 tttn : mod 000 r/m 0000 1111 : 0000 0001 : mod 000 r/m 0001 100w : 11 reg1 reg2 0001 101w : 11 reg1 reg2 0001 101w : mod reg r/m 0001 100w : mod reg r/m 1000 00sw : 11 011 reg : immediate data 0001 110w : immediate data 1000 00sw : mod 011 r/m : immediate data 1101 111w 1101 000w : 11 111 reg 1101 000w : mod 111 r/m 1101 001w : 11 111 reg 1101 001w : mod 111 r/m 1100 000w : 11 111 reg : imm8 data 1100 000w : mod 111 r/m : imm8 data Encoding

B-15


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-10. Integ er Instruction Formats and Encodings (Contd.)
Instruction and Format register by CL memor y by CL register by immediate count memor y by immediate count S HRD ­ Double Precision Shift Right register by immediate count memor y by immediate count register by CL memor y by CL S IDT ­ S tore Int errupt Descriptor Table Register S LDT ­ Store Local Descript or Table Register to register to memor y S MSW ­ Store Machine Status Word to register to memor y S TC ­ Set Carry Flag S TD ­ Set Direction Flag S TI ­ S et Interrupt Flag S TOS /STOSB/S TOSW/STOSD ­ S tore String Data S TR ­ Store Task Register to register to memor y S UB ­ Int eger Subtraction register1 to register2 register2 to register1 memor y to register register to memor y immediate to register immediate to AL, AX, or EAX immediate to memor y TEST ­ Logical Compare register1 and register2 memor y and register immediate and register 1000 010w : 11 reg1 reg2 1000 010w : mod r eg r/m 1111 011w : 11 000 reg : immediate data 0010 100w : 11 reg1 reg2 0010 101w : 11 reg1 reg2 0010 101w : mod r eg r/m 0010 100w : mod r eg r/m 1000 00sw : 11 101 reg : immediate data 0010 110w : immediate data 1000 00sw : mod 101 r/m : immediate data 0000 1111 : 0000 0000 : 11 001 reg 0000 1111 : 0000 0000 : mod 001 r/m 0000 1111 : 0000 0001 : 11 100 reg 0000 1111 : 0000 0001 : mod 100 r/m 1111 1001 1111 1101 1111 1011 1010 101w 0000 1111 : 0000 0000 : 11 000 reg 0000 1111 : 0000 0000 : mod 000 r/m 0000 1111 : 1010 1100 : 11 r eg2 reg1 : imm8 0000 1111 : 1010 1100 : mod reg r/m : imm8 0000 1111 : 1010 1101 : 11 r eg2 reg1 0000 1111 : 1010 1101 : mod reg r/m 0000 1111 : 0000 0001 : mod 001 r/m Encoding 1101 001w : 11 101 reg 1101 001w : mod 101 r/m 1100 000w : 11 101 reg : imm8 data 1100 000w : mod 101 r/m : imm8 data

B-16


INSTRUCTION FORMATS AND ENCODING S

Table B-10. Integer Instruction Form ats and Encodings (Contd.)
Instruction and Format immediate and AL, AX, or EAX immediate and memor y UD2 ­ Undefined instruction VE RR ­ Verify a S egment for Reading register memor y VE RW ­ Verif y a Segment for Writing register memor y WAIT ­ Wait WBINVD ­ Writeback and Invalidate Data Cache WRMS R ­ Write to Model-Specific Register XADD ­ Exchange and Add register1, register2 memor y, reg XCHG ­ E xchange Register/Memory with Register register1 with register2 AL, AX , or EAX with reg memor y with reg XLAT/XLATB ­ Table Look-up Translation XOR ­ Logical Exclusive OR register1 to register2 register2 to register1 memor y to register register to memor y immediate to register immediate to AL, AX , or EAX immediate to memor y Prefix Byt es addr ess size LOCK operand size CS segment override DS segment override ES segment overr ide 0110 0111 1111 0000 0110 0110 0010 1110 0011 1110 0010 0110 0011 000w : 11 reg1 reg2 0011 001w : 11 reg1 reg2 0011 001w : mod reg r/m 0011 000w : mod reg r/m 1000 00sw : 11 110 reg : immediate data 0011 010w : immediate data 1000 00sw : mod 110 r/m : immediate data 1000 011w : 11 reg1 reg2 1001 0 r eg 1000 011w : mod reg r/m 1101 0111 0000 1111 : 1100 000w : 11 reg2 reg1 0000 1111 : 1100 000w : mod reg r/m 0000 1111 : 0000 0000 : 11 101 reg 0000 1111 : 0000 0000 : mod 101 r/m 1001 1011 0000 1111 : 0000 1001 0000 1111 : 0011 0000 0000 1111 : 0000 0000 : 11 100 reg 0000 1111 : 0000 0000 : mod 100 r/m Encoding 1010 100w : immediate data 1111 011w : mod 000 r/m : immediate data 0000 FFFF : 0000 1011

B-17


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-10. Integ er Instruction Formats and Encodings (Contd.)
Instruction and Format FS segment overr ide GS segment overr ide SS segment overr ide 0110 0100 0110 0101 0011 0110 Encoding

B-18


INSTRUCTION FORMATS AND ENCODING S

B.3. MMXTM INSTRUCTION FORMATS AND ENCODINGS
All MMX instructions, except the EMMS instruction, use the a format similar to the 2-byte Intel Architecture integer format. Details of subfield encodings within these formats are presented below.

B.3.1.

Granularity Field (gg)

Th e g ranularity field (gg ) indicates the size o f the packed o perand s that the instruction is oper ating on. W hen this field is used , it is located in bits 1 and 0 of the second op co de byte. Tab le B-11 show s the encod ing of th is gg field.
Table B-11. Encoding of Granularity of Data Field (gg)
gg 00 01 10 11 Granularity of Data Packed Bytes Packed Wor ds Packed Doublewords Quadword

B.3.2.

MMXTM and General-Purpose Register Fields (mmxreg and reg)

When MMX registers (mmxreg) are used as operands, they are encoded in the ModR/M byte in the reg field (bits 5, 4, and 3) and/or the R/M field (bits 2, 1, and 0). Table B-12 shows the 3-bit encodings used for mmxreg fields.
Table B-12. Encoding of the MMXTM Register Field (mmxreg)
mmxreg Field Encoding 000 001 010 011 100 101 110 111 MMXTM Register MM0 MM1 MM2 MM3 MM4 MM5 MM6 MM7

If an MMX instruction operates on a general-purpose register (reg), the register is encoded in the R/M field of the ModR/M byte. Table B-13 shows the encoding of general-purpose registers when used in MMX instructions.

B-19


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-13. Encoding of the General-Purpose Register Field (reg) When Used in MMXTM Instructions.
reg Field Encoding 000 001 010 011 100 101 110 111 Register Selected EAX ECX EDX EBX ESP EBP ESI E DI

B.3.3.

MMXTM Instruction Formats and Encodings Table

Table B-1 4 show s the for mats an d encoding s for M MX in stru ctions f or the d ata typ es su ppor ted--packed byte (B), packed word (W ), p acked dou bleword (D) , and quadwo rd ( Q) . Figu re B-2 describ es the nomenclatur e used in co lumns ( 3 throu gh 6) o f the table.
Code Y N O I n/a Meaning Suppor ted Not suppor ted Output Input Not Applicable

Figure B-2. Key to Codes for MMXTM Data Type Cross-Reference
.

Table B-14. M MXTM Instruction Formats and Encodings
Instruction and Format EMMS - Empty MMXTM state MOV D - Move doubleword r eg to mmreg r eg from mmxreg mem to mmxreg mem from mmxreg MOV Q - Move quadword mmxreg2 to mmxreg1 mmxreg2 from mmxreg1 0000 1111:01101111: 11 mmxreg1 mmxreg2 0000 1111:01111111: 11 mmxreg1 mmxreg2 0000 1111:01101110: 11 mmxreg reg 0000 1111:01111110: 11 mmxreg reg 0000 1111:01101110: mod mmxreg r/m 0000 1111:01111110: mod mmxreg r/m N N N Y Encoding 0000 1111:01110111 B n/a N W n/a N D n/a Y Q n/a N

B-20


INSTRUCTION FORMATS AND ENCODING S

Table B-14. MMXTM Instruction Form ats and Encodings (Contd.)
Instruction and Format mem to mmxreg mem from mmxreg PACKSS DW1 - Pack dword to word data (signed with saturation) mmxreg2 to mmxreg1 memor y to mmxreg PACKSS WB - Pack word to byte data (signed with saturation) mmxreg2 to mmxreg1 memor y to mmxreg PACKUSWB - Pack word to byte data (unsigned with saturation) mmxreg2 to mmxreg1 memor y to mmxreg PA DD - Add with wrap-around mmxreg2 to mmxreg1 memor y to mmxreg PA DDS - A dd signed with saturation mmxreg2 to mmxreg1 memor y to mmxreg PA DDUS - Add unsigned with saturation mmxreg2 to mmxreg1 memor y to mmxreg PA ND - Bitwise And mmxreg2 to mmxreg1 memor y to mmxreg PA NDN - Bitwise AndNot mmxreg2 to mmxreg1 memor y to mmxreg PC MPEQ - Packed compare for equality 0000 1111:11011111: 11 mmxreg1 mmxreg2 0000 1111:11011111: mod mmxreg r/m Y Y Y N 0000 1111:11011011: 11 mmxreg1 mmxreg2 0000 1111:11011011: mod mmxreg r/m N N N Y 0000 1111: 110111gg: 11 mmxr eg1 mmxreg2 0000 1111: 110111gg: mod mmxreg r/m N N N Y 0000 1111: 111011gg: 11 mmxr eg1 mmxreg2 0000 1111: 111011gg: mod mmxreg r/m Y Y N N 0000 1111: 111111gg: 11 mmxr eg1 mmxreg2 0000 1111: 111111gg: mod mmxreg r/m Y Y N N 0000 1111:01100111: 11 mmxreg1 mmxreg2 0000 1111:01100111: mod mmxreg r/m Y Y Y N
1 1

Encoding 0000 1111:01101111: mod mmxreg r/m 0000 1111:01111111: mod mmxreg r/m

B

W

D

Q

n/a

O

I

n/a

0000 1111:01101011: 11 mmxreg1 mmxreg2 0000 1111:01101011: mod mmxreg r/m O I n/a n/a

0000 1111:01100011: 11 mmxreg1 mmxreg2 0000 1111:01100011: mod mmxreg r/m O I n/a n/a

B-21


INSTRUCTION FORM ATS AND ENCO DINGS

Table B-14. M MXTM Instruction Formats and Encodings (Contd.)
Instruction and Format mmxreg1 with mmxreg2 mmxreg with memor y PCMPGT - Packed compare greater (signed) mmxreg1 with mmxreg2 mmxreg with memor y PMADD - Packed multiply add mmxreg2 to mmxreg1 memor y to mmxreg PMULH - Packed multiplication mmxreg2 to mmxreg1 memor y to mmxreg PMULL - Packed multiplication mmxreg2 to mmxreg1 memor y to mmxreg POR - Bitwise Or mmxreg2 to mmxreg1 memor y to mmxreg PSLL2 - Packed shift left logical mmxreg1 by mmxreg2 mmxreg by memor y mmxreg by immediate PSRA2 - Packed shift right arithmetic mmxreg1 by mmxreg2 mmxreg by memor y mmxreg by immediate 0000 1111:111000gg: 11 mmxreg1 mmxreg2 0000 1111:111000gg: mod mmxreg r/m 0000 1111:011100gg: 11 100 mmxr eg: imm8 data 0000 1111:111100gg: 11 mmxreg1 mmxreg2 0000 1111:111100gg: mod mmxreg r/m 0000 1111:011100gg: 11 110 mmxr eg: imm8 data N Y Y N 0000 1111:11101011: 11 mmxreg1 mmxreg2 0000 1111:11101011: mod mmxreg r/m N Y Y Y 0000 1111:11010101: 11 mmxreg1 mmxreg2 0000 1111:11010101: mod mmxreg r/m N N N Y 0000 1111:11100101: 11 mmxreg1 mmxreg2 0000 1111:11100101: mod mmxreg r/m N Y N N 0000 1111:11110101: 11 mmxreg1 mmxreg2 0000 1111:11110101: mod mmxreg r/m N Y N N 0000 1111:011001gg: 11 mmxreg1 mmxreg2 0000 1111:011001gg: mod mmxreg r/m n/a I O n/a Encoding 0000 1111:011101gg: 11 mmxreg1 mmxreg2 0000 1111:011101gg: mod mmxreg r/m Y Y Y N B W D Q

B-22


INSTRUCTION FORMATS AND ENCODING S

Table B-14. MMXTM Instruction Form ats and Encodings (Contd.)
Instruction and Format PS RL - Packed shift right logical mmxreg1 by mmxreg2 mmxreg by memor y mmxreg by immediate PS UB - S ubtract with wraparound mmxreg2 from mmxreg1 memor y from mmxreg PSUBS - Subtract signed with saturation mmxreg2 from mmxreg1 memor y from mmxreg PSUBUS - S ubtract unsigned wit h saturation mmxreg2 from mmxreg1 memor y from mmxreg PU NPCKH - Unpack high data to next larger type mmxreg2 to mmxreg1 memor y to mmxreg PU NPCKL - Unpack low data to next larger type mmxreg2 to mmxreg1 memor y to mmxreg PX OR - Bitwise Xor mmxreg2 to mmxreg1 memor y to mmxreg NOTES: 1. The pack instr uctions per for m saturation from signed packed data of one type to signed or unsigned data of the next smaller type. 2. The for mat of the shift instructions has one additional for mat to suppor t shifting by immediate shiftcounts. The shift operations are not suppor ted equally for all data types. 0000 1111:11101111: 11 mmxreg1 mmxreg2 0000 1111:11101111: mod mmxreg r/m 0000 1111:011000gg: 11 mmxreg1 mmxreg2 0000 1111:011000gg: mod mmxreg r/m N N N Y 0000 1111:011010gg: 11 mmxreg1 mmxreg2 0000 1111:011010gg: mod mmxreg r/m Y Y Y N 0000 1111:110110gg: 11 mmxreg1 mmxreg2 0000 1111:110110gg: mod mmxreg r/m Y Y Y N 0000 1111:111010gg: 11 mmxreg1 mmxreg2 0000 1111:111010gg: mod mmxreg r/m Y Y N N 0000 1111:111110gg: 11 mmxreg1 mmxreg2 0000 1111:111110gg: mod mmxreg r/m Y Y N N 0000 1111:110100gg: 11 mmxreg1 mmxreg2 0000 1111:110100gg: mod mmxreg r/m 0000 1111:011100gg: 11 010 mmxreg: imm8 data Y Y Y N
2

Encoding

B N

W Y

D Y

Q Y

B-23


INSTRUCTION FORM ATS AND ENCO DINGS

B.4. FLOATING-POINT INSTRUCTION FORMATS AND ENCODINGS
Table B-15 shows the five different formats used for floating-point instructions In all cases, instructions are at least two bytes long and begin with the bit pattern 11011.
Table B-15. General Floating-Point Instruction Formats
Instruction First Byte 1 2 3 4 5 11011 11011 11011 11011 11011 15­11 d 0 0 10 OPA MF P 0 1 9 1 OPA OPA 1 1 8 1 1 1 7 mod mod 1 1 1 6 Second Byt e 1 OPB OPB 1 1 5 4 3 R OP OP 210 OPB r/m r/m ST(i) Opt ional Fields s-i-b s-i-b disp disp

MF = Memor y For mat 00 -- 32-bit real 01 -- 32-bit integer 10 -- 64-bit real 11 -- 16-bit integer P = Pop 0 -- Do not pop stack 1 -- Pop stack after operation d = Destination 0 -- Destination is ST(0) 1 -- Destination is ST(i) R XOR d = 0 -- Destination OP Sour ce R XOR d = 1 -- Source OP Destination ST(i) = 000 001 111 Register stack element i = Stack Top = Second stack element

= Eighth stack element

The Mod and R/M fields of the ModR/M byte have the same interpretation as the corresponding fields of the integer instructions. The SIB byte and disp (displacement) are optionally present in instructions that have Mod and R/M fields. Their presence depends on the values of Mod and R/M, as for integer instructions. Table B-16 shows the formats and encodings of the floating-point instructions.

B-24


INSTRUCTION FORMATS AND ENCODING S

Table B-16. Floating-Point Instruction Formats and Encodings
Inst ruction and Format F2XM1 ­ Comput e 2 FAD D ­ Add ST(0) ST(0) + 32-bit memor y ST(0) ST(0) + 64-bit memor y ST(d) ST(0) + ST(i) FAD DP ­ Add and Pop ST(0) ST(0) + ST(i) FBLD ­ Load Binar y Coded Decimal FBSTP ­ S tore Binary Coded Decimal and Pop FCHS ­ Change Sign FCLEX ­ C lear Exceptions FCMOV cc ­ Conditional Move on EFLAG Register Condition Codes move if below (B) move if equal (E) move if below or equal ( BE) move if unordered (U) move if not below ( NB) move if not equal ( NE) move if not below or equal (NBE) move if not unorder ed (NU) FCOM ­ Compare Real 32-bit memor y 64-bit memor y ST(i) FCOMP ­ Compare Real and Pop 32-bit memor y 64-bit memor y ST(i) FCOMP P ­ Compare R eal and Pop Twice FCOMI ­ Compare Real and S et EFLAGS FCOMIP ­ Compare Real, S et E FLAGS , and Pop FCOS ­ Cosine of ST( 0) FDECSTP ­ Decrement St ack-Top Pointer FDIV ­ Divide ST(0) ST(0) Â 32-bit memor y ST(0) ST(0) Â 64-bit memor y ST(d) ST(0) Â ST(i) FDIVP ­ Divide and Pop ST(0) ST(0) Â ST(i) 11011 110 : 1111 1 ST( i) 11011 000 : mod 110 r/m 11011 100 : mod 110 r/m 11011 d00 : 1111 R ST(i) 11011 000 : mod 011 r/m 11011 100 : mod 011 r/m 11011 000 : 11 011 ST( i) 11011 110 : 11 011 001 11011 011 : 11 110 ST( i) 11011 111 : 11 110 ST( i) 11011 001 : 1111 1111 11011 001 : 1111 0110 11011 000 : mod 010 r/m 11011 100 : mod 010 r/m 11011 000 : 11 010 ST( i) 11011 010 : 11 000 ST( i) 11011 010 : 11 001 ST( i) 11011 010 : 11 010 ST( i) 11011 010 : 11 011 ST( i) 11011 011 : 11 000 ST( i) 11011 011 : 11 001 ST( i) 11011 011 : 11 010 ST( i) 11011 011 : 11 011 ST( i) 11011 110 : 11 000 ST( i) 11011 111 : mod 100 r/m 11011 111 : mod 110 r/m 11011 001 : 1110 0000 11011 011 : 1110 0010 11011 000 : mod 000 r/m 11011 100 : mod 000 r/m 11011 d00 : 11 000 ST( i)
ST(0)

Encoding 11011 001 : 1111 0000 11011 001 : 1110 0001

­1

FAB S ­ Absolute Value

B-25


INSTRUCTION FORM ATS AND ENCO DINGS

Table B -16. Floating-Point Instruction Form ats and Encodings (Contd.)
Instruction and Format FDIV R ­ Reverse Divide S T(0) 32-bit memor y  ST(0) S T(0) 64-bit memor y  ST(0) S T(d) ST(i)  ST(0) FDIV RP ­ Reverse Divide and Pop S T(0) ¨ S T(i)  S T(0) FFRE E ­ Free ST(i) Register FIADD ­ A dd Integer S T(0) ST(0) + 16- bit memor y S T(0) ST(0) + 32- bit memor y FICOM ­ Compare Integer 16- bit memor y 32- bit memor y FICOMP ­ Compare Integer and Pop 16- bit memor y 32- bit memor y FIDIV S T(0) ST(0) + 16- bit memor y S T(0) ST(0) + 32- bit memor y FIDIVR S T(0) ST(0) + 16- bit memor y S T(0) ST(0) + 32- bit memor y FILD ­ Load Integer 16- bit memor y 32- bit memor y 64- bit memor y FIMUL S T(0) ST(0) + 16- bit memor y S T(0) ST(0) + 32- bit memor y FINCS TP ­ Increment Stack Pointer FINIT ­ Initialize Floating-Point Unit FIST ­ Store Integer 16- bit memor y 32- bit memor y FISTP ­ Store Integer and Pop 16- bit memor y 32- bit memor y 64- bit memor y FISU B S T(0) ST(0) + 16- bit memor y S T(0) ST(0) + 32- bit memor y 11011 110 : mod 100 r/m 11011 010 : mod 100 r/m 11011 111 : mod 011 r/m 11011 011 : mod 011 r/m 11011 111 : mod 111 r/m 11011 111 : mod 010 r/m 11011 011 : mod 010 r/m 11011 110 : mod 001 r/m 11011 010 : mod 001 r/m 11011 001 : 1111 0111 11011 111 : mod 000 r/m 11011 011 : mod 000 r/m 11011 111 : mod 101 r/m 11011 110 : mod 111 r/m 11011 010 : mod 111 r/m 11011 110 : mod 110 r/m 11011 010 : mod 110 r/m 11011 110 : mod 011 r/m 11011 010 : mod 011 r/m 11011 110 : mod 010 r/m 11011 010 : mod 010 r/m 11011 110 : mod 000 r/m 11011 010 : mod 000 r/m 11011 110 : 1111 0 ST(i) 11011 101 : 1100 0 ST(i) 11011 000 : mod 111 r/m 11011 100 : mod 111 r/m 11011 d00 : 1111 R ST(i) Encoding

B-26


INSTRUCTION FORMATS AND ENCODING S

Table B-16. Floating-Point Instruction Formats and Encodings (Contd.)
Inst ruction and Format FISUBR ST(0) ST(0) + 16-bit memor y ST(0) ST(0) + 32-bit memor y FLD ­ Load Real 32-bit memor y 64-bit memor y 80-bit memor y ST(i) FLD1 ­ Load +1.0 into ST(0) FLDCW ­ Load Control Word FLDENV ­ Load FPU E nvironment FLDL2E ­ Load log2() int o ST(0) FLDL2T ­ Load log2(10) into ST(0) FLDLG2 ­ Load log10(2) into ST(0) FLDLN2 ­ Load log(2) into ST(0) FLDPI ­ Load into ST(0) FLDZ ­ Load +0.0 into ST(0) FMUL ­ Multiply ST(0) ST(0) â 32-bit memor y ST(0) ST(0) â 64-bit memor y ST(d) ST(0) â ST( i) FMULP ­ Multiply ST(0) ST(0) â ST( i) FNOP ­ No Operation FPATAN ­ Par tial Arctangent FPREM ­ Par tial Remainder FPREM1 ­ Par tial Remainder (IEEE ) FPTAN ­ Par tial Tangent FRNDINT ­ R ound to Integer FRSTOR ­ Restore FPU State FSAVE ­ St ore FPU State FSCALE ­ Scale FSIN ­ Sine FSINCOS ­ S ine and Cosine FSQRT ­ S quare Root FST ­ St ore Real 32-bit memor y 64-bit memor y ST(i) FSTCW ­ Store Control Word FSTENV ­ Store FP U Environment 11011 001 : mod 010 r/m 11011 101 : mod 010 r/m 11011 101 : 11 010 ST( i) 11011 001 : mod 111 r/m 11011 001 : mod 110 r/m 11011 110 : 1100 1 ST( i) 11011 001 : 1101 0000 11011 001 : 1111 0011 11011 001 : 1111 1000 11011 001 : 1111 0101 11011 001 : 1111 0010 11011 001 : 1111 1100 11011 101 : mod 100 r/m 11011 101 : mod 110 r/m 11011 001 : 1111 1101 11011 001 : 1111 1110 11011 001 : 1111 1011 11011 001 : 1111 1010 11011 000 : mod 001 r/m 11011 100 : mod 001 r/m 11011 d00 : 1100 1 ST( i) 11011 001 : mod 000 r/m 11011 101 : mod 000 r/m 11011 011 : mod 101 r/m 11011 001 : 11 000 ST( i) 11011 001 : 1110 1000 11011 001 : mod 101 r/m 11011 001 : mod 100 r/m 11011 001 : 1110 1010 11011 001 : 1110 1001 11011 001 : 1110 1100 11011 001 : 1110 1101 11011 001 : 1110 1011 11011 001 : 1110 1110 11011 110 : mod 101 r/m 11011 010 : mod 101 r/m Encoding

B-27


INSTRUCTION FORM ATS AND ENCO DINGS

Table B -16. Floating-Point Instruction Form ats and Encodings (Contd.)
Instruction and Format FSTP ­ Store Real and Pop 32- bit memor y 64- bit memor y 80- bit memor y ST(i) FSTSW ­ S tore Status Word into AX FSTSW ­ S tore Status Word into Memory FSUB ­ S ubtract ST(0) ST(0) ­ 32-bit memor y ST(0) ST(0) ­ 64-bit memor y ST(d) ST(0) ­ S T(i) FSUBP ­ Subtract and Pop ST(0) ST(0) ­ S T(i) FSUBR ­ Reverse Subtract ST(0) 32-bit memor y ­ ST(0) ST(0) 64-bit memor y ­ ST(0) ST(d) ST(i) ­ S T(0) FSUBRP ­ Reverse S ubtract and Pop ST(i) ST(i) ­ ST(0) FTS T ­ Test FUCOM ­ Unordered Compare Real FUCOMP ­ Unordered Compare Real and Pop FUCOMPP ­ Unordered Compare Real and Pop Twice FUCOMI ­ Unorderd Compare Real and S et EFLAGS FUCOMIP ­ Unorderd Compare Real, Set EFLAGS, and Pop FXAM ­ Examine FXCH ­ E xchange ST(0) and ST(i) FXTRACT ­ Extract Exponent and Significand FYL2X ­ S T(1) â log2(S T(0)) FYL2XP 1 ­ ST(1) â log2(ST(0) + 1.0) FWAIT ­ Wait unt il FPU Ready 11011 110 : 1110 0 ST(i) 11011 001 : 1110 0100 11011 101 : 1110 0 ST(i) 11011 101 : 1110 1 ST(i) 11011 010 : 1110 1001 11011 011 : 11 101 ST(i) 11011 111 : 11 101 ST(i) 11011 001 : 1110 0101 11011 001 : 1100 1 ST(i) 11011 001 : 1111 0100 11011 001 : 1111 0001 11011 001 : 1111 1001 1001 1011 11011 000 : mod 101 r/m 11011 100 : mod 101 r/m 11011 d00 : 1110 R ST(i) 11011 110 : 1110 1 ST(i) 11011 000 : mod 100 r/m 11011 100 : mod 100 r/m 11011 d00 : 1110 R ST(i) 11011 001 : mod 011 r/m 11011 101 : mod 011 r/m 11011 011 : mod 111 r/m 11011 101 : 11 011 ST(i) 11011 111 : 1110 0000 11011 101 : mod 111 r/m Encoding

B-28


Index



INDEX
A
AA A instruction . . . . . . . . . . . . . . . . . . . . . . . AA D instruction . . . . . . . . . . . . . . . . . . . . . . AA M instr uction . . . . . . . . . . . . . . . . . . . . . . AA S instruction . . . . . . . . . . . . . . . . . . . . . . . Access rights, segment descriptor . . . . . . . . ADC instruction . . . . . . . . . . . . . . . . . . 3-15, ADD instruction . . . . 3-11, 3-15, 3-17, 3-79, Address size attribute override prefix . . . . . . . . . . . . . . . . . . . . . Address size override prefix . . . . . . . . . . . . . Addressing, segments . . . . . . . . . . . . . . . . . Advanced programmable interrupt controller (see AP IC) AND instruction . . . . . . . . . . . . . . . . . . 3-19, AP IC flag, CP UID instruction . . . . . . . . . . . . AP IC, presence of . . . . . . . . . . . . . . . . . . . . Arctangent, FPU operation. . . . . . . . . . . . . . ARP L instruction . . . . . . . . . . . . . . . . . . . . . . .3-11 . .3-12 . .3-13 . .3-14 .3- 253 3- 273 3- 273 . . .2-2 . . .2-2 . . .1-7 3- 27 .3-7 .3-7 3- 14 .3-2 3 3 3 9 1 CF (carry) flag, EFLAGS register . . . 3-15, 3-17, 3-30, 3-32, 3-34, 3-36, 3-51, 3-56, 3-82, 3-209, 3-213, 3-306, 3-395, 3-420, 3-430, 3-432, 3-439, 3-448 Classify floating-point value, FPU operation . . . . . . . . . . . . . . . 3-194 CLC instruction . . . . . . . . . . . . . . . . . . . . . . . . 3-51 CLD instruction . . . . . . . . . . . . . . . . . . . . . . . . 3-52 CLI instruction . . . . . . . . . . . . . . . . . . . . . . . . . 3-53 CLTS instruction . . . . . . . . . . . . . . . . . . . . . . . 3-55 CMC instruction . . . . . . . . . . . . . . . . . . . . . . . 3-56 CMOV flag, C PUID instruction . . . . . . . . . . . . 3-73 CMOVcc instructions . . . . . . . . . . . . . . . 3- 57, 3-73 CMP instruction . . . . . . . . . . . . . . . . . . . . . . . 3-61 CMPS instruction . . . . . . . . . . . . . . . . . 3-63, 3-404 CMPSB instruction . . . . . . . . . . . . . . . . . . . . . 3-63 CMPSD instr uction . . . . . . . . . . . . . . . . . . . . . 3-63 CMPSW instruction . . . . . . . . . . . . . . . . . . . . 3-63 CMPXCHG instr uction . . . . . . . . . . . . . 3-66, 3-273 CMPXCHG8B instruction . . . . . . . . . . . . . . . . 3-68 Compatibility software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1- 5 Condition code flags, EFLAGS register . . . . . 3-57 Condition code flags, FPU status w ord flags affected by instructions . . . . . . . . . . . . 3- 8 setting . . . . . . . . . . . . . . . . 3-188, 3-190, 3-194 Conditional jump . . . . . . . . . . . . . . . . . . . . . . 3-241 Conforming code segment . . . . . . . . . 3-248, 3-253 Constants (floating point) loading. . . . . . . . . . . . . . . . . . . . . . . . . . . 3-139 Control registers, moving values to and from . . . . . . . . . . . . . . . . . . . . 3-291 Cosine, FPU operation . . . . . . . . . . . . 3-115, 3-169 CPL . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-53, 3-453 CPUID instruction . . . . . . . . . . . . . . . . . . . . . . 3-70 CR0 control register . . . . . . . . . . . . . . . . . . . 3-437 CS register . . . . 3- 38, 3-218, 3-233, 3-245, 3-286, 3-350 CS segment override prefix . . . . . . . . . . . . . . . 2- 1 Current privilege level ( see C PL) CWD instruction . . . . . . . . . . . . . . . . . . . . . . . 3-77 CWDE instruction . . . . . . . . . . . . . . . . . . . . . . 3-49 CX8 flag, CPUID instruction . . . . . . . . . . . . . . 3-73

. . . .

B
B (default stack size) flag, segment descriptor . . . 3-350, 3-385 Base (operand addr essing) . . . . . . . . . . . . . . . .2-2 BCD integer s packed . . . . . . . . . . . . 3-79, 3-81, 3-98, 3- 100 unpacked . . . . . . . . . . . 3-11, 3-12, 3-13, 3-14 Binary numbers . . . . . . . . . . . . . . . . . . . . . . . . .1-6 Binary-coded decimal (see BCD) Bit order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5 BOUND instruction . . . . . . . . . . . . . . . . . . . . . .3-23 BOUND range exceeded exception (#B R) . . . .3-23 BS F instruction . . . . . . . . . . . . . . . . . . . . . . . . .3-25 BS R instruction . . . . . . . . . . . . . . . . . . . . . . . .3-27 BS WAP instruction . . . . . . . . . . . . . . . . . . . . . .3-29 BT instruction . . . . . . . . . . . . . . . . . . . . . . . . . .3-30 BTC instruction . . . . . . . . . . . . . . . . . . . 3-32, 3- 273 BTR instruction . . . . . . . . . . . . . . . . . . . 3-34, 3- 273 BTS instruction . . . . . . . . . . . . . . . . . . . 3-36, 3- 273 Byte order. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5

C
C C C C C C aches, invalidating ( all gate . . . . . . . . . . ALL instruction . . . . alls ( see P rocedure BW instruction . . . . DQ instruction . . . . flushing) ....... ....... calls) ....... ....... . . . . . . 3- 230, 3- 456 . . . . . . . . . . . .3- 249 . . . . . . . . . . . . .3-38 . . . . . . . . . . . . .3-49 . . . . . . . . . . . . .3-77

D
D (default operation size) f descriptor . . . . . DAA instruction . . . . . . . . . DAS instruction . . . . . . . . . DE (debugging extensions instruction . . . . . lag, segment . . . 3-350, 3-354, .............. .............. ) flag, CPUID .............. 3-385 . 3-79 . 3-81 . 3-72

IND EX-1


INDEX

Debug registers, moving value to and fr om . .3- 293 DEC instruction . . . . . . . . . . . . . . . . . . 3-82, 3- 273 Denormal number (see Denormalized finite number) Denormalized finite number . . . . . . . . . . . . . .3- 194 DF (direction) flag, E FLA GS register . . 3-52, 3-64, 3-215, 3-275, 3-299, 3-317, 3-422, 3-440 Displacement (operand addressing) . . . . . . . . .2-3 DIV instruction . . . . . . . . . . . . . . . . . . . . . . . . .3-84 Divide er ror exception (#DE) . . . . . . . . . . . . . .3-84 DS register . . . . . 3-63, 3- 256, 3- 275, 3- 299, 3- 317 DS segment overr ide prefix . . . . . . . . . . . . . . . .2-2

E
EDI register . . . . . . . . . . . . . . 3- 422, 3- 440, Effective address . . . . . . . . . . . . . . . . . . . . . EFLAGS register condition codes . . . . . . . . . . 3-58, 3- 107, flags affected by instructions . . . . . . . . . loading . . . . . . . . . . . . . . . . . . . . . . . . . . popping . . . . . . . . . . . . . . . . . . . . . . . . . . popping on return from interrupt . . . . . . . pushing . . . . . . . . . . . . . . . . . . . . . . . . . . pushing on interrupts . . . . . . . . . . . . . . . saving . . . . . . . . . . . . . . . . . . . . . . . . . . . status flags . . . . . . . 3-61, 3- 242, 3- 425, EIP register . . . . . . . . . 3-38, 3- 218, 3- 233, EMMS instruction . . . . . . . . . . . . . . . . . . . . . ENTER instruction . . . . . . . . . . . . . . . . . . . . ES register . . . . . . . . . 3- 256, 3- 317, 3- 422, ES segment override prefix . . . . . . . . . . . . . ESI register . . . . 3-63, 3- 275, 3- 299, 3- 317, ES P register . . . . . . . . . . . . . . . . . . . . . 3-39, Exceptions BOUND range exceeded (#B R) . . . . . . . list of . . . . . . . . . . . . . . . . . . . . . . . . . . . . notation . . . . . . . . . . . . . . . . . . . . . . . . . . overflow exception (#OF) . . . . . . . . . . . . returning from . . . . . . . . . . . . . . . . . . . . . Exponent extracting from floating-point number . . . Extract exponent and significand, FP U operation . . . . . . . . . . . . . . . 3- 443 .3- 259 . . . . . . . 3- 112 . .3-8 3- 252 3- 356 3- 233 3- 390 3- 218 3- 415 3- 450 3- 245 . .3-87 . .3-88 3- 443 . . .2-2 3- 440 3- 351 .3-23 . .3-9 . .1-7 3- 218 3- 233

. . . . .

.3- 198 .3- 198

F
F2XM1 instruction . FA BS instruction . . FADD instruction . . FADDP instruction . Far call CALL instruction Far pointer loading . . . . . . . Far return RET instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . -91, ... ... ... 3- 19 . .3-9 . .3-9 . .3-9 8 3 5 5

. . . . . . . . . . . . . . . . . . . . .3-38 . . . . . . . . . . . . . . . . . . . .3- 256 . . . . . . . . . . . . . . . . . . . .3- 407

FBLD instruction . . . . . . . . . . . . . . . . FBSTP instruction . . . . . . . . . . . . . . . FCHS instruction . . . . . . . . . . . . . . . FCLEX/FNCLEX instructions . . . . . . FCMOVcc instructions . . . . . . . . . . . FCOM instruction . . . . . . . . . . . . . . . FCOMI instr uction . . . . . . . . . . . . . . . FCOMIP instruction . . . . . . . . . . . . . FCOMP instr uction . . . . . . . . . . . . . . FCOMPP instruction . . . . . . . . . . . . . FCOS instruction . . . . . . . . . . . . . . . FDECSTP instruction . . . . . . . . . . . . FDIV instruction . . . . . . . . . . . . . . . . FDIVP instruction . . . . . . . . . . . . . . . FDIVR instruction . . . . . . . . . . . . . . . FDIVRP instruction . . . . . . . . . . . . . . Feature information, processor . . . . . FFREE instruction . . . . . . . . . . . . . . FIADD instruction . . . . . . . . . . . . . . . FICOM instr uction . . . . . . . . . . . . . . . FICOMP instruction . . . . . . . . . . . . . FIDIV instruction . . . . . . . . . . . . . . . . FIDIVR instruction . . . . . . . . . . . . . . FILD instruction . . . . . . . . . . . . . . . . FIMUL instruction . . . . . . . . . . . . . . . FINCSTP instruction . . . . . . . . . . . . . FINIT/FNINIT instructions . . . . . . . . . FIST instruction . . . . . . . . . . . . . . . . FISTP instruction . . . . . . . . . . . . . . . FISUB instruction . . . . . . . . . . . . . . . FISUBR instruction . . . . . . . . . . . . . . FLD instruction . . . . . . . . . . . . . . . . . FLD1 instruction . . . . . . . . . . . . . . . . FLDCW instruction . . . . . . . . . . . . . . FLDENV instruction . . . . . . . . . . . . . FLDL2E instruction . . . . . . . . . . . . . . FLDL2T instr uction . . . . . . . . . . . . . . FLDLG2 instruction . . . . . . . . . . . . . . FLDLN 2 instruction . . . . . . . . . . . . . . FLDPI instruction . . . . . . . . . . . . . . . FLDZ instr uction . . . . . . . . . . . . . . . . Floating-point exceptions list of, including mnemonics . . . . Flushing caches . . . . . . . . . . . . . . . . . . . . . TLB entry . . . . . . . . . . . . . . . . . . . FMUL instruction . . . . . . . . . . . . . . . FMULP instruction . . . . . . . . . . . . . . FNOP instruction . . . . . . . . . . . . . . . FNSTENV instruction . . . . . . . . . . . . FPATAN instruction . . . . . . . . . . . . . FPREM instruction . . . . . . . . . . . . . . FPREM1 instruction . . . . . . . . . . . . . FPTAN instruction . . . . . . . . . . . . . . FPU checking for pending FPU except constants . . . . . . . . . . . . . . . . . . . existence of . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

..... ..... ..... ..... . 3-73, ..... . 3-73, ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... 3-132, ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... .....

. 3-98 3-100 3-103 3-105 3-107 3-109 3-112 3-112 3-109 3-109 3-115 3-117 3-118 3-118 3-122 3-122 . 3-70 3-126 . 3-95 3-127 3-127 3-118 3-122 3-129 3-145 3-131 3-162 3-134 3-134 3-182 3-185 3-137 3-139 3-141 3-143 3-139 3-139 3-139 3-139 3-139 3-139

. . . . . . . 3-10 . . . . . . . . . . 3-230, ..... ..... ..... ..... ..... ..... ..... ..... ..... 3-456 3-232 3-145 3-145 3-148 3-143 3-149 3-151 3-154 3-157

ions . . . 3-455 . . . . . . 3-139 . . . . . . . 3-72

INDEX-2


INDEX

initialization . . . . . . . . . . . . . . . . . . . . . . . .3- 132 FP U control word loading . . . . . . . . . . . . . . . . . . . . . 3- 141, 3- 143 RC field . . . . . . . . . . . . . . . 3- 135, 3- 139, 3- 173 restoring . . . . . . . . . . . . . . . . . . . . . . . . . .3- 160 saving . . . . . . . . . . . . . . . . . . . . . . 3- 162, 3- 178 storing . . . . . . . . . . . . . . . . . . . . . . . . . . . .3- 176 FPU data pointer . . . . 3- 143, 3- 160, 3- 162, 3- 178 FPU flag, CP UID instruction . . . . . . . . . . . . . . .3-72 FP U instruction pointer . . . . 3- 143, 3- 160, 3- 162, 3- 178 FP U last opcode. . . . . 3- 143, 3- 160, 3- 162, 3- 178 FP U status word condition code flags . . . . . 3-109, 3-127, 3-188, 3-190, 3-194 FP U flags affected by instructions . . . . . . . .3-8 loading . . . . . . . . . . . . . . . . . . . . . . . . . . .3- 143 restoring . . . . . . . . . . . . . . . . . . . . . . . . . .3- 160 saving . . . . . . . . . . . . . . . . 3- 162, 3- 178, 3- 180 TOP field . . . . . . . . . . . . . . . . . . . . . . . . . .3- 131 FPU tag word . . . . . . . 3- 143, 3- 160, 3- 162, 3- 178 FR NDINT instr uction . . . . . . . . . . . . . . . . . . .3- 159 FR STOR instruction . . . . . . . . . . . . . . . . . . . .3- 160 FS register . . . . . . . . . . . . . . . . . . . . . . . . . . .3- 256 FS segment override prefix . . . . . . . . . . . . . . . .2-2 FS AVE/FNSAV E instructions . . . . . . . 3- 160, 3- 162 FSCALE instruction . . . . . . . . . . . . . . . . . . . .3- 165 FSIN instruction . . . . . . . . . . . . . . . . . . . . . . .3- 167 FSINCOS instruction . . . . . . . . . . . . . . . . . . .3- 169 FSQRT instruction . . . . . . . . . . . . . . . . . . . . .3- 171 FST instruction . . . . . . . . . . . . . . . . . . . . . . . .3- 173 FSTCW/FNSTCW instr uctions . . . . . . . . . . . .3- 176 FS TENV /FNSTENV instructions . . . . . . . . . .3- 178 FSTP instruction. . . . . . . . . . . . . . . . . . . . . . .3- 173 FS TSW/FNS TSW instructions . . . . . . . . . . . .3- 180 FSUB instruction . . . . . . . . . . . . . . . . . . . . . .3- 182 FSUBP instruction . . . . . . . . . . . . . . . . . . . . .3- 182 FSUBR instruction . . . . . . . . . . . . . . . . . . . . .3- 185 FSUBRP instruction . . . . . . . . . . . . . . . . . . . .3- 185 FTST instruction . . . . . . . . . . . . . . . . . . . . . . .3- 188 FU COM instruction. . . . . . . . . . . . . . . . . . . . .3- 190 FU COMI instruction . . . . . . . . . . . . . . . . . . . .3- 112 FU COMIP instruction . . . . . . . . . . . . . . . . . . .3- 112 FU COMP instruction . . . . . . . . . . . . . . . . . . .3- 190 FU COMPP instruction . . . . . . . . . . . . . . . . . .3- 190 FXAM instruction . . . . . . . . . . . . . . . . . . . . . .3- 194 FXCH instruction . . . . . . . . . . . . . . . . . . . . . .3- 196 FXTRACT instruction . . . . . . . . . . . . . 3- 165, 3- 198 FYL2X instruction . . . . . . . . . . . . . . . . . . . . . .3- 200 FYL2XP1 instruction . . . . . . . . . . . . . . . . . . .3- 202

popping pushing GS r egister GS segmen

all all .. to

. . . v

..... ..... ..... erride

. . . p

. . . r

... ... ... efix

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

3-35 3-38 3-25 . . 2-

4 8 6 2

H
Hexadecimal numbers . . . . . . . . . . . . . . . . . . . 1- 6 HLT instruction . . . . . . . . . . . . . . . . . . . . . . . 3-204

I
IDIV instruction . . . . . . . . . . . . . . . . . . . . . . . 3-205 IDT (interrupt descriptor table) . . . . . . 3-219, 3-265 IDTR (interrupt descriptor table register) . . . 3-265, 3-427 IF (interrupt enable) flag, EFLAGS register . . 3-53, 3-441 Immediate operands . . . . . . . . . . . . . . . . . . . . . 2- 3 IMUL instruction . . . . . . . . . . . . . . . . . . . . . . 3-208 IN instr uction . . . . . . . . . . . . . . . . . . . . . . . . . 3-211 INC instruction . . . . . . . . . . . . . . . . . . 3-213, 3-273 Index (oper and addressing) . . . . . . . . . . . . . . . 2- 2 Initialization FPU . . . . . . . . . . . . . . . . . . . . . . 3-132 Input/output (see I/O) INS instruction . . . . . . . . . . . . . . . . . . 3-215, 3-404 INSB instruction . . . . . . . . . . . . . . . . . . . . . . 3-215 INSD instruction . . . . . . . . . . . . . . . . . . . . . . 3-215 Instruction format base field . . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 2 description of r eference information . . . . . . 3- 1 displacement . . . . . . . . . . . . . . . . . . . . . . . . 2- 3 illustration of . . . . . . . . . . . . . . . . . . . . . . . . 2- 1 immediate . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 3 index field . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 2 Mod field . . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 2 ModR/M byte . . . . . . . . . . . . . . . . . . . . . . . . 2- 2 opcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 2 prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 1 reg/opcode field. . . . . . . . . . . . . . . . . . . . . . 2- 2 r/m field . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 2 scale field . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 2 SIB byte . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2- 2 Instruction operands . . . . . . . . . . . . . . . . . . . . . 1- 6 Instruction prefixes (see Prefixes) Instruction reference, nomenclatur e . . . . . . . . . 3- 1 Instruction set refer ence . . . . . . . . . . . . . . . . . . . . . . . . . . . 3- 1 string instructions . . 3- 63, 3-215, 3-275, 3-299, 3-317, 3-443 INSW instruction . . . . . . . . . . . . . . . . . . . . . . 3-215 INT 3 instruction . . . . . . . . . . . . . . . . . . . . . . 3-218 Integer, FPU data type stor ing . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-134 Inter-privilege level call CALL instr uction . . . . . . . . . . . . . . . . . . . . 3-38 Inter-privilege level return RET instruction . . . . . . . . . . . . . . . . . . . . 3-407

G
GDT (global descriptor table) . . . . . . . 3- 265, 3- 268 GDTR (global descriptor table register) . . . . 3-265, 3-427 General-purpose registers moving value to and from . . . . . . . . . . . . .3- 286

INDEX-3


INDEX

Interrupts interrupt vector 4 . . . . . . . . returning from . . . . . . . . . . software . . . . . . . . . . . . . . INTn instr uction . . . . . . . . . . . INTO instruction . . . . . . . . . . . INV D instruction . . . . . . . . . . . INV LPG instr uction. . . . . . . . . IOP L (I/O privilege level) field, register . . . . . . . . . . IRE T instruction . . . . . . . . . . . IRE TD instruction . . . . . . . . . . I/O privilege level (see IOPL)

........... ........... ........... ........... ........... ........... ........... EFLAGS . 3-53, 3- 390, ........... ...........

. . . . . . .

3333333-

21 23 21 21 21 23 23

8 3 8 8 8 0 2

3- 441 .3- 233 .3- 233

J
Jcc instructions . . . . . . . . . . . . . . . . . . . . . . . .3- 241 JMP instruction . . . . . . . . . . . . . . . . . . . . . . . .3- 245 Jump oper ation . . . . . . . . . . . . . . . . . . . . . . .3- 245

L
AHF instruction. . . . . . . . . . . . . . . AR instruction . . . . . . . . . . . . . . . . DS instruction . . . . . . . . . . . . . . . . DT (local descriptor table) . . . . . . DTR (local descriptor table register) . . . . . . . . . . . . . LEA instruction . . . . . . . . . . . . . . . . LEAVE instruction . . . . . . . . . . . . . LES instruction . . . . . . . . . . . . . . . . LFS instruction . . . . . . . . . . . . . . . . LGDT instruction . . . . . . . . . . . . . . LGS instruction . . . . . . . . . . . . . . . . LIDT instr uction . . . . . . . . . . . . . . . LLDT instruction . . . . . . . . . . . . . . . LMS W instruction . . . . . . . . . . . . . . Load effective address operation . . LOCK prefix . 2-1, 3- 66, 3-68, 3- 27 Locking operation . . . . . . . . . . . . . . LODS instruction . . . . . . . . . . . . . . LODSB instruction . . . . . . . . . . . . . LODSD instruction . . . . . . . . . . . . . LODSW instruction. . . . . . . . . . . . . Log epsilon, FP U oper ation . . . . . . Log (base 2), FPU operation . . . . . LOOP instructions . . . . . . . . . . . . . LOOP cc instructions . . . . . . . . . . . LSL instr uction . . . . . . . . . . . . . . . . LSS instruction . . . . . . . . . . . . . . . . LTR instruction . . . . . . . . . . . . . . . . L L L L L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333325 25 25 26 2 3 6 8

Mod field, instruction format . . . . . . . ModR/M byte 16-bit addressing forms of. . . . . . 32-bit addressing forms of. . . . . . description of . . . . . . . . . . . . . . . . format of . . . . . . . . . . . . . . . . . . . MOV instruction . . . . . . . . . . . . . . . . MOV instruction (control registers) . . MOV instruction (debug registers) . . MOVS instruction . . . . . . . . . . . . . . . MOVSB instr uction . . . . . . . . . . . . . . MOVSD instruction . . . . . . . . . . . . . . MOVSW instruction . . . . . . . . . . . . . MOVSX instr uction . . . . . . . . . . . . . . MOVZX instruction . . . . . . . . . . . . . . MSR flag, CPUID instruction . . . . . . MSRs (model specific registers) existence of . . . . . . . . . . . . . . . . . reading . . . . . . . . . . . . . . . . . . . . writing . . . . . . . . . . . . . . . . . . . . . MTRRs (memory type range register flag, CPUID instruction . . . . . . . . MUL instr uction . . . . . . . . . . . . . . . . .

. . . . . . . . 2- 2 . . . . . . . . . . . . . . ..... ..... ..... ..... ..... ..... ..... 3-299, ..... ..... ..... ..... ..... ..... . . 2- 4 . . 2- 5 . . 2- 2 . . 2- 1 3-286 3-291 3-293 3-404 3-299 3-299 3-299 3-302 3-304 . 3-72

.. .. .. s) .. ..

. . . . . 3-72 . . . . 3-399 . . . . 3-458 . . . . . 3-73 3-13, 3-306

N
NaN testing for . . . . . . . . . . . . . . . . . . Near call CALL instr uction . . . . . . . . . . . . . Near r eturn RET instruction . . . . . . . . . . . . . . NEG instruction . . . . . . . . . . . . . . . . Nomenclature, used in instr uction refer ence pages . . . . . . . . Nonconforming code segment . . . . . NOP instruction . . . . . . . . . . . . . . . . NOT instr uction . . . . . . . . . . . . . . . . . Notation bit and byte order . . . . . . . . . . . . exceptions . . . . . . . . . . . . . . . . . . hexadecimal and binary numbers instruction operands . . . . . . . . . . reserved bits . . . . . . . . . . . . . . . . segmented addressing . . . . . . . . Notational conventions . . . . . . . . . . . NT (nested task) flag, EFLAGS r egis . . . . . . 3-188 . . . . . . . 3-38 . . . . . . 3-407 . 3-273, 3-308 . . . . ..... ..... ..... 3-273, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3- 1 3-248 3-310 3-311 .. .. .. .. .. .. .. 3111111123 5 7 6 6 5 7 5 3

.. .. .. .. .. .. .. .. .. .. .. 3, .. .. .. .. .. .. .. .. .. .. .. ..

3- 268, ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... 3- 460, ..... 3- 275, ..... ..... ..... ..... ..... ..... ..... ..... ..... .....

3.3.3.3.3.3.3.3.3.3.33.33.3.3.3.3.3.3.3.3.3.3-

435 259 261 256 256 265 256 265 268 271 259 462 273 404 275 275 275 200 202 278 278 280 256 284

.. .. .. .. .. .. .. ter

O
OF (carry) flag, EFLAGS register . . . . OF (overflow) flag, EFLAGS register . 3-218, 3-306, 3-420, 3-430, 3-448 Opcodes format of . . . . . . . . . . . . . . . . . . . . Operand instruction . . . . . . . . . . . . . . . . . . . . . . . . 3-209 . 3-15, 3-17, 3-432, . . . . . . . 2- 2 . . . . . . . 1- 6

M
Machine status word, MCA ( machine check instruction . MCE ( machine check instruction . CR0 regist ar chitectur ......... exception) ......... er . . e), C .... flag, .... 3- 271, 3- 437 PUID . . . . . . .3-73 CPUID . . . . . . .3-73

INDEX-4


INDEX

Operand-size attribute override prefix . . . . . . Operand-size override pr OR instruction . . . . . . . . OUT instruction . . . . . . . OUTS instruction . . . . . . OUTS B instruction . . . . . OUTS D instruction . . . . . OUTS W instruction . . . . Overflow exception (#OF Overflow , FP U exception exception)

.... efix . .... .... .... .... .... .... ) ... (see

. . . . . . . . . . . . . .2-2 . . . . . . . . . . . . . .2-2 . . . . . . 3- 273, 3- 313 . . . . . . . . . . . .3- 315 . . . . . . 3- 317, 3- 404 . . . . . . . . . . . .3- 317 . . . . . . . . . . . .3- 317 . . . . . . . . . . . .3- 317 . . . . . . . . . . . .3- 218 Numeric overflow

P
PA PA PA PA PA PA PA PA PA PA PA CKSSDW instruction . . . . . . . . . . . . . . . . .3- 320 CKSSWB instruction . . . . . . . . . . . . . . . . .3- 320 CKUSWB instruction . . . . . . . . . . . . . . . . .3- 323 DDB instruction . . . . . . . . . . . . . . . . . . . . .3- 325 DDD instruction . . . . . . . . . . . . . . . . . . . . .3- 325 DDSB instruction . . . . . . . . . . . . . . . . . . . .3- 328 DDSW instr uction . . . . . . . . . . . . . . . . . . .3- 328 DDUSB instruction . . . . . . . . . . . . . . . . . .3- 331 DDUSW instruction . . . . . . . . . . . . . . . . . .3- 331 DDW instruction . . . . . . . . . . . . . . . . . . . .3- 325 E (physical address extension) flag, CPUID instruction . . . . . . . . . . . . . . . . . . . . .3-73 PA ND instruction . . . . . . . . . . . . . . . . . . . . . .3- 334 PA NDN instruction . . . . . . . . . . . . . . . . . . . . .3- 336 PCMPE QB instruction . . . . . . . . . . . . . . . . . .3- 338 PCMPE QD instruction . . . . . . . . . . . . . . . . . .3- 338 PCMPE QW instruction . . . . . . . . . . . . . . . . . .3- 338 PCMPGTB instruction . . . . . . . . . . . . . . . . . .3- 341 PCMPGTD instruction . . . . . . . . . . . . . . . . . .3- 341 PCMPGTW instruction . . . . . . . . . . . . . . . . . .3- 341 PE (pr otection enable) flag, CR0 register . . .3- 271 Pentium Pro processor introduction to . . . . . . . . . . . . . . . . . . . . . . . .2-1 Performance-monitoring counters reading . . . . . . . . . . . . . . . . . . . . . . . . . . .3- 401 PGE (page-table-entry global flag), CPUID instruction . . . . . . . . . . . . . . . . . . . . .3-73 Pi loading . . . . . . . . . . . . . . . . . . . . . . . . . . .3- 139 PMADDWD instruction . . . . . . . . . . . . . . . . . .3- 344 PMULHW instruction . . . . . . . . . . . . . . . . . . .3- 346 PMULLW instruction . . . . . . . . . . . . . . . . . . .3- 348 POP instruction . . . . . . . . . . . . . . . . . . . . . . .3- 350 POPA instruction . . . . . . . . . . . . . . . . . . . . . .3- 354 POPA D instruction . . . . . . . . . . . . . . . . . . . . .3- 354 POPF instruction . . . . . . . . . . . . . . . . . . . . . .3- 356 POPFD instruction . . . . . . . . . . . . . . . . . . . . .3- 356 POR instr uction . . . . . . . . . . . . . . . . . . . . . . .3- 359 Prefixes address size override . . . . . . . . . . . . . . . . . .2-2 instruction, description of . . . . . . . . . . . . . . .2-1 LOCK . . . . . . . . . . . . . . . . . . . . . . . . 2-1, 3- 273 operand-size override . . . . . . . . . . . . . . . . . .2-2

repeat . . . . . . . . . . . . . . . . . . . . . . REP/REPE/REPZ/REPNE/REPNZ segment override . . . . . . . . . . . . . Procedure stack pushing values on . . . . . . . . . . . . . PSE (page size extensions) flag, CPU instruction . . . . . . . . . . . . . . PSLLD instruction . . . . . . . . . . . . . . . . PSLLQ instruction . . . . . . . . . . . . . . . . PSLLW instruction . . . . . . . . . . . . . . . PSR AD instruction . . . . . . . . . . . . . . . PSR AW instruction . . . . . . . . . . . . . . . PSR LD instruction . . . . . . . . . . . . . . . PSR LQ instruction . . . . . . . . . . . . . . . PSR LW instruction . . . . . . . . . . . . . . . PSU BB instruction . . . . . . . . . . . . . . . PSU BD instruction . . . . . . . . . . . . . . . PSU BSB instruction . . . . . . . . . . . . . . PSU BSW instruction . . . . . . . . . . . . . . PSU BUSB instruction . . . . . . . . . . . . . PSU BUSW instruction . . . . . . . . . . . . PSU BW instruction . . . . . . . . . . . . . . . PUNPCKHBW instruction . . . . . . . . . . PUNPCKHDQ instruction . . . . . . . . . . PUNPCKHWD instruction . . . . . . . . . . PUNPCKLBW instruction . . . . . . . . . . PUNPCKLDQ instr uction . . . . . . . . . . PUNPCKLWD instruction . . . . . . . . . . PUSH instruction . . . . . . . . . . . . . . . . PUSHA instruction . . . . . . . . . . . . . . . PUSHAD instruction . . . . . . . . . . . . . . PUSHF instruction . . . . . . . . . . . . . . . PUSHFD instruction . . . . . . . . . . . . . . PXOR instruction . . . . . . . . . . . . . . . .

. . . . . . . 2- 1 . . . . . 3-404 . . . . . . . 2- 1 .. ID .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. . . . 3-385 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-72 3-361 3-361 3-361 3-364 3-364 3-367 3-367 3-367 3-370 3-370 3-373 3-373 3-376 3-376 3-370 3-379 3-379 3-379 3-382 3-382 3-382 3-385 3-388 3-388 3-390 3-390 3-392

Q
Quiet NaN (see QNaN)

R
RC (r ounding control) field, FPU control word . . . . . . . . . . . . 3-135, 3-139, RCL instruction . . . . . . . . . . . . . . . . . . . . . . . RCR instruction . . . . . . . . . . . . . . . . . . . . . . RDMSR instruction . . . . . . . . . . 3-72, 3-399, RDPMC instruction . . . . . . . . . . . . . . . . . . . . RDTSC instruction . . . . . . . . . . . . . . . . 3-72, Reg/opcode field, instruction for mat . . . . . . . Related literature . . . . . . . . . . . . . . . . . . . . . Remainder, FPU operation . . . . . . . . . 3-151, REP/REPE/REPZ/REPNE/REPNZ prefixes . 3-64, 3-216, 3-318, 3-404 Reserved bits . . . . . . . . . . . . . . . . . . . . . . . . RET instruction . . . . . . . . . . . . . . . . . . . . . . . ROL instruction . . . . . . . . . . . . . . . . . . . . . . . ROR instruction . . . . . . . . . . . . . . . . . . . . . . Rotate operation . . . . . . . . . . . . . . . . . . . . . . 3-173 3-394 3-394 3-403 3-401 3-403 . . 2- 2 . . 1- 8 3-154 . . 2-1 , . . 13-40 3-39 3-39 3-39 5 7 4 4 4

INDEX-5


INDEX

Rounding round to integer, RPL field. . . . . . . . . RSM instruction . . . R/m field, instruction

FPU oper ........ ........ format . .

ati .. .. ..

on .. .. ..

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

3- 159 .3-21 3- 414 . .2-2

STOSW instruction STR instruction . . . String operations . 3-299, 3SUB instruction . . .

.. .. .. 31 ..

.. .. .. 7, ..

..... ..... ..... 3-443 . 3- 14

. . . . . . . . . . . 3-443 . . . . . . . . . . . 3-446 3- 63, 3-215, 3-275,

, 3-81, 3-273, 3-448

S
SA L instruction . . . . . . . . . . . . . . . . . . . . . . . .3- 416 SA R instruction . . . . . . . . . . . . . . . . . . . . . . .3- 416 SB B instruction . . . . . . . . . . . . . . . . . . 3- 273, 3- 420 Scale (operand addressing) . . . . . . . . . . . . . . . .2-2 Scale, FP U oper ation . . . . . . . . . . . . . . . . . . .3- 165 SCA S instruction . . . . . . . . . . . . . . . . 3- 404, 3- 422 SCA SB instruction . . . . . . . . . . . . . . . . . . . . .3- 422 SCA SD instruction . . . . . . . . . . . . . . . . . . . . .3- 422 SCA SW instruction. . . . . . . . . . . . . . . . . . . . .3- 422 Segment descriptor segment limit. . . . . . . . . . . . . . . . . . . . . . .3- 280 Segment limit . . . . . . . . . . . . . . . . . . . . . . . . .3- 280 Segment over ride prefixes . . . . . . . . . . . . . . . . .2-1 Segment registers moving values to and fr om . . . . . . . . . . . .3- 286 Segment selector RPL field . . . . . . . . . . . . . . . . . . . . . . . . . . .3-21 Segmented addressing . . . . . . . . . . . . . . . . . . .1-7 SE Tcc instructions . . . . . . . . . . . . . . . . . . . . .3- 425 SF (sign) flag, EFLAGS r egister . . . . . . . 3-15, 3-17 SGDT instruction . . . . . . . . . . . . . . . . . . . . . .3- 427 SHA F instruction . . . . . . . . . . . . . . . . . . . . . .3- 415 SHL instruction . . . . . . . . . . . . . . . . . . . . . . . .3- 416 SHLD instruction . . . . . . . . . . . . . . . . . . . . . .3- 430 SHR instruction . . . . . . . . . . . . . . . . . . . . . . .3- 416 SHRD instruction . . . . . . . . . . . . . . . . . . . . . .3- 432 SIB byte 32-bit addressing forms of . . . . . . . . . . . . . .2-6 descr iption of . . . . . . . . . . . . . . . . . . . . . . . .2-2 format of . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-1 SIDT instruction . . . . . . . . . . . . . . . . . . . . . . .3- 427 Signaling NaN (see S NaN) Significand extracting from floating-point number . . . .3- 198 Sine, FPU operation . . . . . . . . . . . . . . 3- 167, 3- 169 SLDT instruction. . . . . . . . . . . . . . . . . . . . . . .3- 435 SMSW instruction . . . . . . . . . . . . . . . . . . . . . .3- 437 Square root, FPU operation . . . . . . . . . . . . . .3- 171 SS register . . . . . . . . . . . . . . . 3- 256, 3- 287, 3- 351 SS segment override prefix . . . . . . . . . . . . . . . .2-1 Stack (see Procedure stack) Status flags, EFLAGS register 3-58, 3- 61, 3-107, 3-112, 3-242, 3-425, 3-450 STC instruction . . . . . . . . . . . . . . . . . . . . . . . .3- 439 STD instruction . . . . . . . . . . . . . . . . . . . . . . . .3- 440 STI instruction . . . . . . . . . . . . . . . . . . . . . . . .3- 441 STOS instruction . . . . . . . . . . . . . . . . 3- 404, 3- 443 STOSB instruction . . . . . . . . . . . . . . . . . . . . .3- 443 STOSD instruction . . . . . . . . . . . . . . . . . . . . .3- 443

T
Tangent, FPU operation . . . . . . . . . . . . Task gate . . . . . . . . . . . . . . . . . . . . . . . Task r egister loading. . . . . . . . . . . . . . . . . . . . . . . stor ing . . . . . . . . . . . . . . . . . . . . . . . Task state segment (see TSS) Task switch CALL instr uction . . . . . . . . . . . . . . . retur n from nested task, IRET instruction . . . . . . . . . . . . . . . . . TEST instruction . . . . . . . . . . . . . . . . . . Time-stamp counter, reading . . . . . . . . TLB entry, invalidating (flushing) . . . . . TS (task switched) flag, CR0 r egister . . TS C (time stamp counter) flag, CPUID instruction . . . . . . . . . . . . . . . TSD flag, CR4 register . . . . . . . . . . . . . TSS relationship to task register . . . . . . . . . . . 3-157 . . . . 3-249 . . . . 3-284 . . . . 3-446 . . . . . 3-38 . . . . . . . . . . . . . . . . . . . . 3-2 3-4 3-4 3-2 . 33 5 0 3 5 3 0 3 2 5

. . . . . 3-72 . . . . 3-403 . . . . 3-446

U
UD2 instruction . . . . . . . . . . . . . . . . . . . . . . . 3-452 Undefined format opcodes . . . . . . . . . . . . . . . . . . . . 3-188 Underflow, FPU exception (see Numeric underflow exception) Unordered values . . . . 3-109, 3-112, 3-188, 3-190

V
Vector (see Interrupt vector) VER R instruction . . . . . . . . . . . . . . . . . . Version information, processor . . . . . . . . VER W instruction . . . . . . . . . . . . . . . . . . VM (vir tual 8086 mode) flag, EFLAGS register . . . . . . . . . . . . . . . . . . VME ( virtual 8086 mode enhancements) CPUID instruction . . . . . . . . . . . . . 3-453 . . . . 3-70 . . . 3-453 . . . 3-233 flag, . . . . 3-72

W
WAIT/FWAIT instructions WBINVD instruction . . . . Wr ite-back and invalidate WR MSR instruction . . . . ... ... cac ... . . h . .. .. es .. . . . . . . . . . . . . . . . . . . . . . . . 3 ... ... ... -72, 3-455 3-456 3-456 3-458

X
XAD D instruction . . . . . . . . . . . . . . . . 3-273, 3-460

INDEX-6


INDEX

XCHG instr uction . . . . . . . . . . . . . . . . 3- 273, 3- 462 XLAT/XLA TB instruction . . . . . . . . . . . . . . . .3- 464 XOR instr uction . . . . . . . . . . . . . . . . . 3- 273, 3- 466

Z
ZF (zero) flag, EFLAGS register . . . . . . . . . . 3-66, 3-68, 3-253, 3-278, 3-280, 3-404, 3-453

INDEX-7