Free Web Page Hosting | Credit Report | Credit Cards | Web Hosting | Web Hosting
Search the Web

INTEL 80386 PROGRAMMER'S REFERENCE MANUAL 1986
Online Utenti astalalista main site mappa sito pagina gratis e-mail gratis blog
D ad un amico
di questo sito
Aggiorna pagina
Home
Cerca nel sito
aggiungi un link a
questa pagina
Aggiungi ai preferiti
Pagina iniziale
Guestbook
Stampa pagina
contatta AOL - ICQ
Compra da
Astalalista
inserisci annuncio
Aggiungi Link

powered by astalalista

questa ricerca sul tuo sito - incontri - altre ricerche - guadagna
Random Link!
Hosted By
HostedScripts.com

INTEL 80386 PROGRAMMER'S REFERENCE MANUAL 1986

 go to English version

translate

17.2.2.10  Virtual-8086 Mode Exceptions

Virtual 8086 tasks provide the ability to simulate Virtual 8086 machines.
Virtual 8086 Mode exceptions are similar to those for the 8086 processor,
but there are some differences. Refer to Chapter 15 for details.


AAA  ASCII Adjust after Addition

Opcode    Instruction    Clocks    Description

37        AAA            4         ASCII adjust AL after addition


Operation

IF ((AL AND 0FH) > 9) OR (AF = 1)
THEN
   AL  (AL + 6) AND 0FH;
   AH  AH + 1;
   AF  1;
   CF  1;
ELSE
   CF  0;
   AF  0;
FI;

Description

Execute AAA only following an ADD instruction that leaves a byte result
in the AL register. The lower nibbles of the operands of the ADD instruction
should be in the range 0 through 9 (BCD digits). In this case, AAA adjusts
AL to contain the correct decimal digit result. If the addition produced a
decimal carry, the AH register is incremented, and the carry and auxiliary
carry flags are set to 1. If there was no decimal carry, the carry and
auxiliary flags are set to 0 and AH is unchanged. In either case, AL is left
with its top nibble set to 0. To convert AL to an ASCII result, follow the
AAA instruction with OR AL, 30H.

Flags Affected

AF and CF as described above; OF, SF, ZF, and PF are undefined

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


AAD  ASCII Adjust AX before Division

Opcode    Instruction    Clocks    Description

D5 0A     AAD            19        ASCII adjust AX before division


Operation

AL  AH * 10 + AL;
AH  0;

Description

AAD is used to prepare two unpacked BCD digits (the least-significant
digit in AL, the most-significant digit in AH) for a division operation that
will yield an unpacked result. This is accomplished by setting AL to
AL + (10 * AH), and then setting AH to 0. AX is then equal to the binary
equivalent of the original unpacked two-digit number.

Flags Affected

SF, ZF, and PF as described in Appendix C; OF, AF, and CF are undefined

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


AAM  ASCII Adjust AX after Multiply

Opcode    Instruction    Clocks    Description

D4 0A     AAM            17        ASCII adjust AX after multiply


Operation

AH  AL / 10;
AL  AL MOD 10;

Description

Execute AAM only after executing a MUL instruction between two unpacked
BCD digits that leaves the result in the AX register. Because the result is
less than 100, it is contained entirely in the AL register. AAM unpacks the
AL result by dividing AL by 10, leaving the quotient (most-significant
digit) in AH and the remainder (least-significant digit) in AL.

Flags Affected

SF, ZF, and PF as described in Appendix C; OF, AF, and CF are undefined

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


AAS  ASCII Adjust AL after Subtraction

Opcode    Instruction    Clocks    Description

3F        AAS            4         ASCII adjust AL after subtraction


Operation

IF (AL AND 0FH) > 9 OR AF = 1
THEN
   AL  AL - 6;
   AL  AL AND 0FH;
   AH  AH - 1;
   AF  1;
   CF  1;
ELSE
   CF  0;
   AF  0;
FI;

Description

Execute AAS only after a SUB instruction that leaves the byte result in the
AL register. The lower nibbles of the operands of the SUB instruction must
have been in the range 0 through 9 (BCD digits). In this case, AAS adjusts
AL so it contains the correct decimal digit result. If the subtraction
produced a decimal carry, the AH register is decremented, and the carry and
auxiliary carry flags are set to 1. If no decimal carry occurred, the carry
and auxiliary carry flags are set to 0, and AH is unchanged. In either case,
AL is left with its top nibble set to 0. To convert AL to an ASCII result,
follow the AAS with OR AL, 30H.

Flags Affected

AF and CF as described above; OF, SF, ZF, and PF are undefined

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


ADC  Add with Carry


Opcode    Instruction      Clocks    Description

14 ib     ADC AL,imm8      2         Add with carry immediate byte to AL
15 iw     ADC AX,imm16     2         Add with carry immediate word to AX
15 id     ADC EAX,imm32    2         Add with carry immediate dword to EAX
80 /2 ib  ADC r/m8,imm8    2/7       Add with carry immediate byte to r/m
                                     byte
81 /2 iw  ADC r/m16,imm16  2/7       Add with carry immediate word to r/m
                                     word
81 /2 id  ADC r/m32,imm32  2/7       Add with CF immediate dword to r/m
                                     dword
83 /2 ib  ADC r/m16,imm8   2/7       Add with CF sign-extended immediate
                                     byte to r/m word
83 /2 ib  ADC r/m32,imm8   2/7       Add with CF sign-extended immediate
                                     byte into r/m dword
10 /r     ADC r/m8,r8      2/7       Add with carry byte register to r/m
                                     byte
11 /r     ADC r/m16,r16    2/7       Add with carry word register to r/m
                                     word
11 /r     ADC r/m32,r32    2/7       Add with CF dword register to r/m dword
12 /r     ADC r8,r/m8      2/6       Add with carry r/m byte to byte
                                     register
13 /r     ADC r16,r/m16    2/6       Add with carry r/m word to word
                                     register
13 /r     ADC r32,r/m32    2/6       Add with CF r/m dword to dword register


Operation

DEST  DEST + SRC + CF;

Description

ADC performs an integer addition of the two operands DEST and SRC and the
carry flag, CF. The result of the addition is assigned to the first operand
(DEST), and the flags are set accordingly. ADC is usually executed as part
of a multi-byte or multi-word addition operation. When an immediate byte
value is added to a word or doubleword operand, the immediate value is first
sign-extended to the size of the word or doubleword operand.

Flags Affected

OF, SF, ZF, AF, CF, and PF as described in Appendix C

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


ADD  Add

Opcode    Instruction         Clocks    Description

04 ib     ADD AL,imm8          2        Add immediate byte to AL
05 iw     ADD AX,imm16         2        Add immediate word to AX
05 id     ADD EAX,imm32        2        Add immediate dword to EAX
80 /0 ib  ADD r/m8,imm8        2/7      Add immediate byte to r/m byte
81 /0 iw  ADD r/m16,imm16      2/7      Add immediate word to r/m word
81 /0 id  ADD r/m32,imm32      2/7      Add immediate dword to r/m dword
83 /0 ib  ADD r/m16,imm8       2/7      Add sign-extended immediate byte
                                        to r/m word
83 /0 ib  ADD r/m32,imm8       2/7      Add sign-extended immediate byte
                                        to r/m dword
00 /r     ADD r/m8,r8          2/7      Add byte register to r/m byte
01 /r     ADD r/m16,r16        2/7      Add word register to r/m word
01 /r     ADD r/m32,r32        2/7      Add dword register to r/m dword
02 /r     ADD r8,r/m8          2/6      Add r/m byte to byte register
03 /r     ADD r16,r/m16        2/6      Add r/m word to word register
03 /r     ADD r32,r/m32        2/6      Add r/m dword to dword register


Operation

DEST  DEST + SRC;

Description

ADD performs an integer addition of the two operands (DEST and SRC). The
result of the addition is assigned to the first operand (DEST), and the
flags are set accordingly.

When an immediate byte is added to a word or doubleword operand, the
immediate value is sign-extended to the size of the word or doubleword
operand.

Flags Affected

OF, SF, ZF, AF, CF, and PF as described in Appendix C

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


AND  Logical AND

Opcode    Instruction          Clocks    Description

24 ib     AND AL,imm8          2         AND immediate byte to AL
25 iw     AND AX,imm16         2         AND immediate word to AX
25 id     AND EAX,imm32        2         AND immediate dword to EAX
80 /4 ib  AND r/m8,imm8        2/7       AND immediate byte to r/m byte
81 /4 iw  AND r/m16,imm16      2/7       AND immediate word to r/m word
81 /4 id  AND r/m32,imm32      2/7       AND immediate dword to r/m dword
83 /4 ib  AND r/m16,imm8       2/7       AND sign-extended immediate byte
                                         with r/m word
83 /4 ib  AND r/m32,imm8       2/7       AND sign-extended immediate byte
                                         with r/m dword
20 /r     AND r/m8,r8          2/7       AND byte register to r/m byte
21 /r     AND r/m16,r16        2/7       AND word register to r/m word
21 /r     AND r/m32,r32        2/7       AND dword register to r/m dword
22 /r     AND r8,r/m8          2/6       AND r/m byte to byte register
23 /r     AND r16,r/m16        2/6       AND r/m word to word register
23 /r     AND r32,r/m32        2/6       AND r/m dword to dword register


Operation

DEST  DEST AND SRC;
CF  0;
OF  0;

Description

Each bit of the result of the AND instruction is a 1 if both corresponding
bits of the operands are 1; otherwise, it becomes a 0.

Flags Affected

CF = 0, OF = 0; PF, SF, and ZF as described in Appendix C

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


ARPL  Adjust RPL Field of Selector

Opcode    Instruction          Clocks    Description

63 /r     ARPL r/m16,r16       pm=20/21  Adjust RPL of r/m16 to not
                                         less than RPL of r16


Operation

IF RPL bits(0,1) of DEST < RPL bits(0,1) of SRC
THEN
   ZF  1;
   RPL bits(0,1) of DEST  RPL bits(0,1) of SRC;
ELSE
   ZF  0;
FI;

Description

The ARPL instruction has two operands. The first operand is a 16-bit
memory variable or word register that contains the value of a selector. The
second operand is a word register. If the RPL field ("requested privilege
level"bottom two bits) of the first operand is less than the RPL field of
the second operand, the zero flag is set to 1 and the RPL field of the
first operand is increased to match the second operand. Otherwise, the zero
flag is set to 0 and no change is made to the first operand.

ARPL appears in operating system software, not in application programs. It
is used to guarantee that a selector parameter to a subroutine does not
request more privilege than the caller is allowed. The second operand of
ARPL is normally a register that contains the CS selector value of the
caller.

Flags Affected

ZF as described above

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 6; ARPL is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


BOUND  Check Array Index Against Bounds

Opcode    Instruction          Clocks    Description

62 /r     BOUND r16,m16&16     10        Check if r16 is within bounds
                                         (passes test)
62 /r     BOUND r32,m32&32     10        Check if r32 is within bounds
                                         (passes test)


Operation

IF (LeftSRC < [RightSRC] OR LeftSRC > [RightSRC + OperandSize/8])
   (* Under lower bound or over upper bound *)
THEN Interrupt 5;
FI;

Description

BOUND ensures that a signed array index is within the limits specified by a
block of memory consisting of an upper and a lower bound. Each bound uses
one word for an operand-size attribute of 16 bits and a doubleword for an
operand-size attribute of 32 bits. The first operand (a register) must be
greater than or equal to the first bound in memory (lower bound), and less
than or equal to the second bound in memory (upper bound). If the register
is not within bounds, an Interrupt 5 occurs; the return EIP points to the
BOUND instruction.

The bounds limit data structure is usually placed just before the array
itself, making the limits addressable via a constant offset from the
beginning of the array.

Flags Affected

None

Protected Mode Exceptions

Interrupt 5 if the bounds test fails, as described above; #GP(0) for an
illegal memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

The second operand must be a memory operand, not a register. If BOUND is
executed with a ModRM byte representing a register as the second operand,

Real Address Mode Exceptions

Interrupt 5 if the bounds test fails; Interrupt 13 if any part of the
operand would lie outside of the effective address space from 0 to 0FFFFH;
Interrupt 6 if the second operand is a register

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


BSF  Bit Scan Forward

Opcode    Instruction          Clocks    Description

0F  BC    BSF r16,r/m16        10+3n     Bit scan forward on r/m word
0F  BC    BSF r32,r/m32        10+3n     Bit scan forward on r/m dword


Notes

 is the number of leading zero bits.

Operation

IF r/m = 0
THEN
   ZF  1;
   register  UNDEFINED;
ELSE
   temp  0;
   ZF  0;
   WHILE BIT[r/m, temp = 0]
   DO
      temp  temp + 1;
      register  temp;
   OD;
FI;

Description

BSF scans the bits in the second word or doubleword operand starting with
bit 0. The ZF flag is cleared if the bits are all 0; otherwise, the ZF flag
is set and the destination register is loaded with the bit index of the
first set bit.

Flags Affected

ZF as described above

Protected Mode Exceptions

FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


BSR  Bit Scan Reverse

Opcode    Instruction          Clocks    Description

0F  BD    BSR r16,r/m16        10+3n     Bit scan reverse on r/m word
0F  BD    BSR r32,r/m32        10+3n     Bit scan reverse on r/m dword


Operation

IF r/m = 0
THEN
   ZF  1;
   register  UNDEFINED;
ELSE
   temp  OperandSize - 1;
   ZF  0;
   WHILE BIT[r/m, temp] = 0
   DO
      temp  temp - 1;
      register  temp;
   OD;
FI;

Description

BSR scans the bits in the second word or doubleword operand from the most
significant bit to the least significant bit. The ZF flag is cleared if the
bits are all 0; otherwise, ZF is set and the destination register is loaded
with the bit index of the first set bit found when scanning in the reverse
direction.

Flags Affected

ZF as described above

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


BT  Bit Test

Opcode         Instruction     Clocks    Description

0F  A3         BT r/m16,r16    3/12      Save bit in carry flag
0F  A3         BT r/m32,r32    3/12      Save bit in carry flag
0F  BA /4 ib   BT r/m16,imm8   3/6       Save bit in carry flag
0F  BA /4 ib   BT r/m32,imm8   3/6       Save bit in carry flag


Operation

CF  BIT[LeftSRC, RightSRC];

Description

BT saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag.

Flags Affected

CF as described above

Protected Mode Exceptions

FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The low-order
3 to 5 bits of the immediate bit offset are stored in the immediate bit
offset field, and the high-order 27 to 29 bits are shifted and combined with
the byte displacement in the addressing mode.

When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:

   Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address
given by:

   Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.


BTC  Bit Test and Complement

Opcode        Instruction     Clocks  Description

0F  BB        BTC r/m16,r16   6/13    Save bit in carry flag and complement
0F  BB        BTC r/m32,r32   6/13    Save bit in carry flag and complement
0F  BA /7 ib  BTC r/m16,imm8  6/8     Save bit in carry flag and complement
0F  BA /7 ib  BTC r/m32,imm8  6/8     Save bit in carry flag and complement


Operation

CF  BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC]  NOT BIT[LeftSRC, RightSRC];

Description

BTC saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then complements the
bit.

Flags Affected

CF as described above

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The low-order
3 to 5 bits of the immediate bit offset are stored in the immediate bit
offset field, and the high-order 27 to 29 bits are shifted and combined with
the byte displacement in the addressing mode.

When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:

   Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address
given by:

   Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.


BTR  Bit Test and Reset

Opcode        Instruction     Clocks  Description

0F  B3        BTR r/m16,r16   6/13    Save bit in carry flag and reset
0F  B3        BTR r/m32,r32   6/13    Save bit in carry flag and reset
0F  BA /6 ib  BTR r/m16,imm8  6/8     Save bit in carry flag and reset
0F  BA /6 ib  BTR r/m32,imm8  6/8     Save bit in carry flag and reset


Operation

CF  BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC]  0;

Description

BTR saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then stores 0 in the
bit.

Flags Affected

CF as described above

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 (or 15) are supported by using the immediate bit offset field
in combination with the displacement field of the memory operand. The
low-order 3 to 5 bits of the immediate bit offset are stored in the
immediate bit offset field, and the high-order 27 to 29 bits are shifted and
combined with the byte displacement in the addressing mode.

When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:

   Effective Address + 4 * (BitOffset DIV 32)

for a 32-bit operand size, or two bytes starting from the memory address
given by:

   Effective Address + 2 * (BitOffset DIV 16)

for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.


BTS  Bit Test and Set

Opcode        Instruction     Clocks  Description

0F  AB        BTS r/m16,r16   6/13    Save bit in carry flag and set
0F  AB        BTS r/m32,r32   6/13    Save bit in carry flag and set
0F  BA /5 ib  BTS r/m16,imm8  6/8     Save bit in carry flag and set
0F  BA /5 ib  BTS r/m32,imm8  6/8     Save bit in carry flag and set


Operation

CF  BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC]  1;

Description

BTS saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then stores 1 in the
bit.

Flags Affected

CF as described above

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The
low-order 3 to 5 bits of the immediate bit offset are stored in the
immediate bit offset field, and the high order 27 to 29 bits are shifted and
combined with the byte displacement in the addressing mode.

When accessing a bit in memory, the processor may access four bytes starting
from the memory address given by:

   Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address
given by:

   Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do this even when only a single byte needs
to be accessed in order to get at the given bit. Thus the programmer must be
careful to avoid referencing areas of memory close to address space holes.
In particular, avoid references to memory-mapped I/O registers. Instead, use
the MOV instructions to load from or store to these addresses, and use the
register form of these instructions to manipulate the data.


CALL  Call Procedure


Opcode    Instruction     Clocks
  Values of ts are given by the following table:

                             New Task
              386 TSS         386 TSS         286 TSS
  Old         VM = 0          VM = 1
  Task                     Via Task Gate?

              N     Y         N     Y         N     Y

386          300   309       217   226       273   282
TSS VM=0

286          298   307       217   226       273   282
TSS         Description

E8  cw    CALL rel16       7+m            Call near, displacement relative
                                          to next instruction
FF  /2    CALL r/m16       7+m/10+m       Call near, register
                                          indirect/memory indirect
9A  cd    CALL ptr16:16    17+m,pm=34+m   Call intersegment, to full
                                          pointer given
9A  cd    CALL ptr16:16    pm=52+m        Call gate, same privilege
9A  cd    CALL ptr16:16    pm=86+m        Call gate, more privilege, no
                                          parameters
9A  cd    CALL ptr16:16    pm=94+4x+m     Call gate, more privilege, x
                                          parameters
9A  cd    CALL ptr16:16    ts             Call to task
FF  /3    CALL m16:16      22+m,pm=38+m   Call intersegment, address at
                                          r/m dword
FF  /3    CALL m16:16      pm=56+m        Call gate, same privilege
FF  /3    CALL m16:16      pm=90+m        Call gate, more privilege, no
                                          parameters
FF  /3    CALL m16:16      pm=98+4x+m     Call gate, more privilege, x
                                          parameters
FF  /3    CALL m16:16      5 + ts         Call to task
E8  cd    CALL rel32       7+m            Call near, displacement relative
                                          to next instruction
FF  /2    CALL r/m32       7+m/10+m       Call near, indirect
9A  cp    CALL ptr16:32    17+m,pm=34+m   Call intersegment, to full
                                          pointer given
9A  cp    CALL ptr16:32    pm=52+m        Call gate, same privilege
9A  cp    CALL ptr16:32    pm=86+m        Call gate, more privilege, no
                                          parameters
9A  cp    CALL ptr32:32    pm=94+4x+m     Call gate, more privilege, x
                                          parameters
9A  cp    CALL ptr16:32    ts             Call to task
FF  /3    CALL m16:32      22+m,pm=38+m   Call intersegment, address at
                                          r/m dword
FF  /3    CALL m16:32      pm=56+m        Call gate, same privilege
FF  /3    CALL m16:32      pm=90+m        Call gate, more privilege, no
                                          parameters
FF  /3    CALL m16:32      pm=98+4x+m     Call gate, more privilege, x
                                          parameters
FF  /3    CALL m16:32      5 + ts         Call to task



NOTE:
  Values of ts are given by the following table:

                             New Task
              386 TSS         386 TSS         286 TSS
  Old         VM = 0          VM = 1
  Task                     Via Task Gate?

              N     Y         N     Y         N     Y

386          300   309       217   226       273   282
TSS VM=0

286          298   307       217   226       273   282
TSS


Operation

IF rel16 or rel32 type of call
THEN (* near relative call *)
   IF OperandSize = 16
   THEN
      Push(IP);
      EIP  (EIP + rel16) AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      Push(EIP);
      EIP  EIP + rel32;
   FI;
FI;

IF r/m16 or r/m32 type of call
THEN (* near absolute call *)
   IF OperandSize = 16
   THEN
      Push(IP);
      EIP  [r/m16] AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      Push(EIP);
      EIP  [r/m32];
   FI;
FI;

IF (PE = 0 OR (PE = 1 AND VM = 1))
(* real mode or virtual 8086 mode *)
   AND instruction = far CALL
   (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *)
THEN
   IF OperandSize = 16
   THEN
      Push(CS);
      Push(IP); (* address of next instruction; 16 bits *)
   ELSE
      Push(CS); (* padded with 16 high-order bits *)
      Push(EIP); (* address of next instruction; 32 bits *)
   FI;
   IF operand type is m16:16 or m16:32
   THEN (* indirect far call *)
      IF OperandSize = 16
      THEN
         CS:IP  [m16:16];
         EIP  EIP AND 0000FFFFH; (* clear upper 16 bits *)
      ELSE (* OperandSize = 32 *)
         CS:EIP  [m16:32];
      FI;
   FI;
   IF operand type is ptr16:16 or ptr16:32
   THEN (* direct far call *)
      IF OperandSize = 16
      THEN
         CS:IP  ptr16:16;
         EIP  EIP AND 0000FFFFH; (* clear upper 16 bits *)
      ELSE (* OperandSize = 32 *)
         CS:EIP  ptr16:32;
      FI;
   FI;
FI;

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
   AND instruction = far CALL
THEN
   If indirect, then check access of EA doubleword;
      #GP(0) if limit violation;
   New CS selector must not be null else #GP(0);
   Check that new CS selector index is within its
      descriptor table limits; else #GP(new CS selector);
   Examine AR byte of selected descriptor for various legal values;
      depending on value:
      go to CONFORMING-CODE-SEGMENT;
      go to NONCONFORMING-CODE-SEGMENT;
      go to CALL-GATE;
      go to TASK-GATE;
      go to TASK-STATE-SEGMENT;
   ELSE #GP(code segment selector);
FI;

CONFORMING-CODE-SEGMENT:
   DPL must be  CPL ELSE #GP(code segment selector);
   Segment must be present ELSE #NP(code segment selector);
   Stack must be big enough for return address ELSE #SS(0);
   Instruction pointer must be in code segment limit ELSE #GP(0);
   Load code segment descriptor into CS register;
   Load CS with new code segment selector;
   Load EIP with zero-extend(new offset);
   IF OperandSize=16 THEN EIP  EIP AND 0000FFFFH; FI;

NONCONFORMING-CODE-SEGMENT:
   RPL must be  CPL ELSE #GP(code segment selector)
   DPL must be = CPL ELSE #GP(code segment selector)
   Segment must be present ELSE #NP(code segment selector)
   Stack must be big enough for return address ELSE #SS(0)
   Instruction pointer must be in code segment limit ELSE #GP(0)
   Load code segment descriptor into CS register
   Load CS with new code segment selector
   Set RPL of CS to CPL
   Load EIP with zero-extend(new offset);
   IF OperandSize=16 THEN EIP  EIP AND 0000FFFFH; FI;

CALL-GATE:
   Call gate DPL must be  CPL ELSE #GP(call gate selector)
   Call gate DPL must be  RPL ELSE #GP(call gate selector)
   Call gate must be present ELSE #NP(call gate selector)
   Examine code segment selector in call gate descriptor:
      Selector must not be null ELSE #GP(0)
      Selector must be within its descriptor table
         limits ELSE #GP(code segment selector)
   AR byte of selected descriptor must indicate code
      segment ELSE #GP(code segment selector)
   DPL of selected descriptor must be  CPL ELSE
      #GP(code segment selector)
   IF non-conforming code segment AND DPL < CPL
   THEN go to MORE-PRIVILEGE
   ELSE go to SAME-PRIVILEGE
   FI;

MORE-PRIVILEGE:
   Get new SS selector for new privilege level from TSS
      Check selector and descriptor for new SS:
         Selector must not be null ELSE #TS(0)
         Selector index must be within its descriptor
            table limits ELSE #TS(SS selector)
         Selector's RPL must equal DPL of code segment
            ELSE #TS(SS selector)
         Stack segment DPL must equal DPL of code
            segment ELSE #TS(SS selector)
         Descriptor must indicate writable data segment
            ELSE #TS(SS selector)
         Segment present ELSE #SS(SS selector)
      IF OperandSize=32
      THEN
         New stack must have room for parameters plus 16 bytes
            ELSE #SS(0)
         EIP must be in code segment limit ELSE #GP(0)
         Load new SS:eSP value from TSS
         Load new CS:EIP value from gate
      ELSE
         New stack must have room for parameters plus 8 bytes ELSE #SS(0)
         IP must be in code segment limit ELSE #GP(0)
         Load new SS:eSP value from TSS
         Load new CS:IP value from gate
      FI;
      Load CS descriptor
      Load SS descriptor
      Push long pointer of old stack onto new stack
      Get word count from call gate, mask to 5 bits
      Copy parameters from old stack onto new stack
      Push return address onto new stack
      Set CPL to stack segment DPL
      Set RPL of CS to CPL

SAME-PRIVILEGE:
   IF OperandSize=32
   THEN
      Stack must have room for 6-byte return address (padded to 8 bytes)
         ELSE #SS(0)
      EIP must be within code segment limit ELSE #GP(0)
      Load CS:EIP from gate
   ELSE
      Stack must have room for 4-byte return address ELSE #SS(0)
      IP must be within code segment limit ELSE #GP(0)
      Load CS:IP from gate
   FI;
   Push return address onto stack
   Load code segment descriptor into CS register
   Set RPL of CS to CPL

TASK-GATE:
   Task gate DPL must be  CPL ELSE #TS(gate selector)
   Task gate DPL must be  RPL ELSE #TS(gate selector)
   Task Gate must be present ELSE #NP(gate selector)
   Examine selector to TSS, given in Task Gate descriptor:
      Must specify global in the local/global bit ELSE #TS(TSS selector)
      Index must be within GDT limits ELSE #TS(TSS selector)
      TSS descriptor AR byte must specify nonbusy TSS
         ELSE #TS(TSS selector)
      Task State Segment must be present ELSE #NP(TSS selector)
   SWITCH-TASKS (with nesting) to TSS
   IP must be in code segment limit ELSE #TS(0)

TASK-STATE-SEGMENT:
   TSS DPL must be  CPL else #TS(TSS selector)
   TSS DPL must be  RPL ELSE #TS(TSS selector)
   TSS descriptor AR byte must specify available TSS
      ELSE #TS(TSS selector)
   Task State Segment must be present ELSE #NP(TSS selector)
   SWITCH-TASKS (with nesting) to TSS
   IP must be in code segment limit ELSE #TS(0)

Description

The CALL instruction causes the procedure named in the operand to be
executed. When the procedure is complete (a return instruction is executed
within the procedure), execution continues at the instruction that follows
the CALL instruction.

The action of the different forms of the instruction are described below.

Near calls are those with destinations of type r/m16, r/m32, rel16, rel32;
changing or saving the segment register value is not necessary. The CALL
rel16 and CALL rel32 forms add a signed offset to the address of the
instruction following CALL to determine the destination. The rel16 form is
used when the instruction's operand-size attribute is 16 bits; rel32 is used
when the operand-size attribute is 32 bits. The result is stored in the
32-bit EIP register. With rel16, the upper 16 bits of EIP are cleared,
resulting in an offset whose value does not exceed 16 bits. CALL r/m16 and
CALL r/m32 specify a register or memory location from which the absolute
segment offset is fetched. The offset fetched from r/m is 32 bits for an
operand-size attribute of 32 (r/m32), or 16 bits for an operand-size of 16
(r/m16). The offset of the instruction following CALL is pushed onto the
stack. It will be popped by a near RET instruction within the procedure. The
CS register is not changed by this form of CALL.

The far calls, CALL ptr16:16 and CALL ptr16:32, use a four-byte or six-byte
operand as a long pointer to the procedure called. The CALL m16:16 and
m16:32 forms fetch the long pointer from the memory location
specified (indirection). In Real Address Mode or Virtual 8086 Mode, the long
pointer provides 16 bits for the CS register and 16 or 32 bits for the EIP
register (depending on the operand-size attribute). These forms of the
instruction push both CS and IP or EIP as a return address.

In Protected Mode, both long pointer forms consult the AR byte in the
descriptor indexed by the selector part of the long pointer. Depending on
the value of the AR byte, the call will perform one of the following types
of control transfers:

    A far call to the same protection level
    An inter-protection level far call
    A task switch

For more information on Protected Mode control transfers, refer to
Chapter 6 and Chapter 7.

Flags Affected

All flags are affected if a task switch occurs; no flags are affected if a
task switch does not occur

Protected Mode Exceptions

For far calls: #GP, #NP, #SS, and #TS, as indicated in the list above

For near direct calls: #GP(0) if procedure location is beyond the code
segment limits; #SS(0) if pushing the return address exceeds the bounds of
the stack segment; #PF (fault-code) for a page fault

For a near indirect call: #GP(0) for an illegal memory operand effective
address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address
in the SS segment; #GP(0) if the indirect offset obtained is beyond the code
segment limits; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

Any far call from a 32-bit code segment to 16-bit code segments should be
made from the first 64K bytes of the 32-bit code segment, since the
operand-size attribute of the instruction is set to 16, thus allowing only a
16-bit return address offset to be saved.


CBW/CWDE  Convert Byte to Word/Convert Word to Doubleword

Opcode    Instruction     Clocks          Description

98        CBW             3               AX  sign-extend of AL
98        CWDE            3               EAX  sign-extend of AX


Operation

IF OperandSize = 16 (* instruction = CBW *)
THEN AX  SignExtend(AL);
ELSE (* OperandSize = 32, instruction = CWDE *)
   EAX  SignExtend(AX);
FI;

Description

CBW converts the signed byte in AL to a signed word in AX by extending the
most significant bit of AL (the sign bit) into all of the bits of AH. CWDE
converts the signed word in AX to a doubleword in EAX by extending the most
significant bit of AX into the two most significant bytes of EAX. Note that
CWDE is different from CWD. CWD uses DX:AX rather than EAX as a destination.

Flags Affected

None

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


CLC  Clear Carry Flag

Opcode    Instruction     Clocks          Description

F8        CLC             2               Clear carry flag


Operation

CF  0;

Description

CLC sets the carry flag to zero. It does not affect other flags or
registers.

Flags Affected

CF = 0

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


CLD  Clear Direction Flag

Opcode    Instruction     Clocks   Description

FC        CLD             2        Clear direction flag; SI and DI
                                   will increment during string
                                   instructions


Operation

DF  0;

Description

CLD clears the direction flag. No other flags or registers are affected.
After CLD is executed, string operations will increment the index registers
(SI and/or DI) that they use.

Flags Affected

DF = 0

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


CLI  Clear Interrupt Flag

Opcode    Instruction    Clocks   Description

FA        CLI            3        Clear interrupt flag; interrupts disabled


Operation

IF  0;

Description

CLI clears the interrupt flag if the current privilege level is at least as
privileged as IOPL. No other flags are affected. External interrupts are not
recognized at the end of the CLI instruction or from that point on until the
interrupt flag is set.

Flags Affected

IF = 0

Protected Mode Exceptions

the IOPL in the flags register. IOPL specifies the least privileged level at
which I/O can be performed.

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions



CLTS  Clear Task-Switched Flag in CR0

Opcode    Instruction    Clocks   Description

OF  06    CLTS           5        Clear task-switched flag


Operation

TS Flag in CR0  0;

Description

CLTS clears the task-switched (TS) flag in register CR0. This flag is set by
the 80386 every time a task switch occurs. The TS flag is used to manage
processor extensions as follows:

    Every execution of an ESC instruction is trapped if the TS flag is set.

    Execution of a WAIT instruction is trapped if the MP flag and the TS
     flag are both set.

Thus, if a task switch was made after an ESC instruction was begun, the
processor extension's context may need to be saved before a new ESC
instruction can be issued. The fault handler saves the context and resets
the TS flag.

CLTS appears in operating system software, not in application programs. It
is a privileged instruction that can only be executed at privilege level 0.

Flags Affected

TS = 0 (TS is in CR0, not the flag register)

Protected Mode Exceptions


Real Address Mode Exceptions

None (valid in Real Address Mode to allow initialization for Protected
Mode)

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode


CMC  Complement Carry Flag

Opcode    Instruction    Clocks   Description

F5        CMC            2        Complement carry flag


Operation

CF  NOT CF;

Description

CMC reverses the setting of the carry flag. No other flags are affected.

Flags Affected

CF as described above

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


CMP  Compare Two Operands


Opcode          Instruction        Clocks   Description

3C  ib          CMP AL,imm8        2        Compare immediate byte to AL
3D  iw          CMP AX,imm16       2        Compare immediate word to AX
3D  id          CMP EAX,imm32      2        Compare immediate dword to EAX
80  /7 ib       CMP r/m8,imm8      2/5      Compare immediate byte to r/m
                                            byte
81  /7 iw       CMP r/m16,imm16    2/5      Compare immediate word to r/m
                                            word
81  /7 id       CMP r/m32,imm32    2/5      Compare immediate dword to r/m
                                            dword
83  /7 ib       CMP r/m16,imm8     2/5      Compare sign extended immediate
                                            byte to r/m word
83  /7 ib       CMP r/m32,imm8     2/5      Compare sign extended immediate
                                            byte to r/m dword
38  /r          CMP r/m8,r8        2/5      Compare byte register to r/m
                                            byte
39  /r          CMP r/m16,r16      2/5      Compare word register to r/m
                                            word
39  /r          CMP r/m32,r32      2/5      Compare dword register to r/m
                                            dword
3A  /r          CMP r8,r/m8        2/6      Compare r/m byte to byte
                                            register
3B  /r          CMP r16,r/m16      2/6      Compare r/m word to word
                                            register
3B  /r          CMP r32,r/m32      2/6      Compare r/m dword to dword
                                            register


Operation

LeftSRC - SignExtend(RightSRC);
(* CMP does not store a result; its purpose is to set the flags *)

Description

CMP subtracts the second operand from the first but, unlike the SUB
instruction, does not store the result; only the flags are changed. CMP is
typically used in conjunction with conditional jumps and the SETcc
instruction. (Refer to Appendix D for the list of signed and unsigned flag
tests provided.) If an operand greater than one byte is compared to an
immediate byte, the byte value is first sign-extended.

Flags Affected

OF, SF, ZF, AF, PF, and CF as described in Appendix C

Protected Mode Exceptions

FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


CMPS/CMPSB/CMPSW/CMPSD  Compare String Operands

Opcode    Instruction        Clocks   Description

A6        CMPS m8,m8         10       Compare bytes ES:[(E)DI] (second
                                      operand) with   [(E)SI] (first 
                                      operand)
A7        CMPS m16,m16       10       Compare words ES:[(E)DI] (second
                                      operand) with   [(E)SI] (first 
                                      operand)
A7        CMPS m32,m32       10       Compare dwords ES:[(E)DI]
                                      (second operand) with [(E)SI] 
                                      (first operand)
A6        CMPSB              10       Compare bytes ES:[(E)DI] with
                                      DS:[SI]
A7        CMPSW              10       Compare words ES:[(E)DI] with
                                      DS:[SI]
A7        CMPSD              10       Compare dwords ES:[(E)DI] with
                                      DS:[SI]


Operation

IF (instruction = CMPSD) OR
   (instruction has operands of type DWORD)
THEN OperandSize  32;
ELSE OperandSize  16;
FI;
IF AddressSize = 16
THEN
   use SI for source-index and DI for destination-index
ELSE (* AddressSize = 32 *)
   use ESI for source-index and EDI for destination-index;
FI;
IF byte type of instruction
THEN
   [source-index] - [destination-index]; (* byte comparison *)
   IF DF = 0 THEN IncDec  1 ELSE IncDec  -1; FI;
ELSE
   IF OperandSize = 16
   THEN
      [source-index] - [destination-index]; (* word comparison *)
      IF DF = 0 THEN IncDec  2 ELSE IncDec  -2; FI;
   ELSE (* OperandSize = 32 *)
      [source-index] - [destination-index]; (* dword comparison *)
      IF DF = 0 THEN IncDec  4 ELSE IncDec  -4; FI;
   FI;
FI;
source-index = source-index + IncDec;
destination-index = destination-index + IncDec;

Description

CMPS compares the byte, word, or doubleword pointed to by the source-index
register with the byte, word, or doubleword pointed to by the
destination-index register.

If the address-size attribute of this instruction is 16 bits, SI and DI
will be used for source- and destination-index registers; otherwise ESI and
EDI will be used. Load the correct index values into SI and DI (or ESI and
EDI) before executing CMPS.

The comparison is done by subtracting the operand indexed by
the destination-index register from the operand indexed by the source-index
register.

Note that the direction of subtraction for CMPS is [SI] - [DI] or
[ESI] - [EDI]. The left operand (SI or ESI) is the source and the right
operand (DI or EDI) is the destination. This is the reverse of the usual
Intel convention in which the left operand is the destination and the right
operand is the source.

The result of the subtraction is not stored; only the flags reflect the
change. The types of the operands determine whether bytes, words, or
doublewords are compared. For the first operand (SI or ESI), the DS register
is used, unless a segment override byte is present. The second operand (DI
or EDI) must be addressable from the ES register; no segment override is
possible.

After the comparison is made, both the source-index register and
destination-index register are automatically advanced. If the direction flag
is 0 (CLD was executed), the registers increment; if the direction flag is 1
(STD was executed), the registers decrement. The registers increment or
decrement by 1 if a byte is compared, by 2 if a word is compared, or by 4 if
a doubleword is compared.

CMPSB, CMPSW and CMPSD are synonyms for the byte, word, and
doubleword CMPS instructions, respectively.

CMPS can be preceded by the REPE or REPNE prefix for block comparison of CX
or ECX bytes, words, or doublewords. Refer to the description of the REP
instruction for more information on this operation.

Flags Affected

OF, SF, ZF, AF, PF, and CF as described in Appendix C

Protected Mode Exceptions

FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault


CWD/CDQ  Convert Word to Doubleword/Convert Doubleword to
           Quadword

Opcode    Instruction        Clocks   Description

99        CWD                2        DX:AX  sign-extend of AX
99        CDQ                2        EDX:EAX  sign-extend of EAX


Operation

IF OperandSize = 16 (* CWD instruction *)
THEN
   IF AX < 0 THEN DX  0FFFFH; ELSE DX  0; FI;
ELSE (* OperandSize = 32, CDQ instruction *)
   IF EAX < 0 THEN EDX  0FFFFFFFFH; ELSE EDX  0; FI;
FI;

Description

CWD converts the signed word in AX to a signed doubleword in DX:AX
by extending the most significant bit of AX into all the bits of DX. CDQ
converts the signed doubleword in EAX to a signed 64-bit integer in the
register pair EDX:EAX by extending the most significant bit of EAX
(the sign bit) into all the bits of EDX. Note that CWD is different from
CWDE. CWDE uses EAX as a destination, instead of DX:AX.

Flags Affected

None

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


DAA  Decimal Adjust AL after Addition

Opcode    Instruction        Clocks   Description

27        DAA                4        Decimal adjust AL after addition


Operation

IF ((AL AND 0FH) > 9) OR (AF = 1)
THEN
   AL  AL + 6;
   AF  1;
ELSE
   AF  0;
FI;
IF (AL > 9FH) OR (CF = 1)
THEN
   AL  AL + 60H;
   CF  1;
ELSE CF  0;
FI;

Description

Execute DAA only after executing an ADD instruction that leaves a
two-BCD-digit byte result in the AL register. The ADD operands should
consist of two packed BCD digits. The DAA instruction adjusts AL to
contain the correct two-digit packed decimal result.

Flags Affected

AF and CF as described above; SF, ZF, PF, and CF as described in
Appendix C.

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


DAS  Decimal Adjust AL after Subtraction

Opcode    Instruction        Clocks   Description

2F        DAS                4        Decimal adjust AL after subtraction


Operation

IF (AL AND 0FH) > 9 OR AF = 1
THEN
   AL  AL - 6;
   AF  1;
ELSE
   AF  0;
FI;
IF (AL > 9FH) OR (CF = 1)
THEN
   AL  AL - 60H;
   CF  1;
ELSE CF  0;
FI;

Description

Execute DAS only after a subtraction instruction that leaves a
two-BCD-digit byte result in the AL register. The operands should consist
of two packed BCD digits. DAS adjusts AL to contain the correct packed
two-digit decimal result.

Flags Affected

AF and CF as described above; SF, ZF, and PF as described in Appendix C.

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


DEC  Decrement by 1

Opcode    Instruction        Clocks   Description

FE /1     DEC r/m8           2/6      Decrement r/m byte by 1
FF /1     DEC r/m16          2/6      Decrement r/m word by 1
          DEC r/m32          2/6      Decrement r/m dword by 1
48+rw     DEC r16            2        Decrement word register by 1
48+rw     DEC r32            2        Decrement dword register by 1


Operation

DEST  DEST - 1;

Description

DEC subtracts 1 from the operand. DEC does not change the carry flag.
To affect the carry flag, use the SUB instruction with an immediate
operand of 1.

Flags Affected

OF, SF, ZF, AF, and PF as described in Appendix C.

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


DIV  Unsigned Divide

Opcode    Instruction        Clocks   Description

F6 /6     DIV AL,r/m8        14/17    Unsigned divide AX by r/m byte
                                      (AL=Quo, AH=Rem)
F7 /6     DIV AX,r/m16       22/25    Unsigned divide DX:AX by r/m
                                      word (AX=Quo, DX=Rem)
F7 /6     DIV EAX,r/m32      38/41    Unsigned divide EDX:EAX by r/m
                                      dword (EAX=Quo, EDX=Rem)


Operation

temp  dividend / divisor;
IF temp does not fit in quotient
THEN Interrupt 0;
ELSE
   quotient  temp;
   remainder  dividend MOD (r/m);
FI;


Note:
  Divisions are unsigned. The divisor is given by the r/m operand.
  The dividend, quotient, and remainder use implicit registers. Refer to
  the table under "Description."


Description

DIV performs an unsigned division. The dividend is implicit; only the
divisor is given as an operand. The remainder is always less than the
divisor. The type of the divisor determines which registers to use as
follows:

    Size    Dividend     Divisor   Quotient   Remainder
    byte    AX           r/m8       AL          AH
    word    DX:AX        r/m16      AX          DX
    dword   EDX:EAX      r/m32      EAX         EDX

Flags Affected

OF, SF, ZF, AR, PF, CF are undefined.

Protected Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register
(AL, AX, or EAX), or if the divisor is 0; #GP(0) for an illegal memory
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0)
for an illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 0 if the quotient is too big to fit in the designated register
(AL, AX, or EAX), or if the divisor is 0; Interrupt 13 if any part of the
operand would lie outside of the effective address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


ENTER  Make Stack Frame for Procedure Parameters

Opcode      Instruction        Clocks     Description

C8 iw 00    ENTER imm16,0      10         Make procedure stack frame
C8 iw 01    ENTER imm16,1      12         Make stack frame for procedure
                                          parameters
C8 iw ib    ENTER imm16,imm8   15+4(n-1)  Make stack frame for
                                          procedure parameters


Operation

level  level MOD 32
IF OperandSize = 16 THEN Push(BP) ELSE Push (EBP) FI;
   (* Save stack pointer *)
frame-ptr  eSP
IF level > 0
THEN (* level is rightmost parameter *)
   FOR i  1 TO level - 1
   DO
      IF OperandSize = 16
      THEN
         BP  BP - 2;
         Push[BP]
      ELSE (* OperandSize = 32 *)
         EBP  EBP - 4;
         Push[EBP];
      FI;
   OD;
   Push(frame-ptr)
FI;
IF OperandSize = 16 THEN BP  frame-ptr ELSE EBP  frame-ptr; FI;
IF StackAddrSize = 16
THEN SP  SP - First operand;
ELSE ESP  ESP - ZeroExtend(First operand);
FI;

Description

ENTER creates the stack frame required by most block-structured
high-level languages. The first operand specifies the number of bytes of
dynamic storage allocated on the stack for the routine being entered.
The second operand gives the lexical nesting level (0 to 31) of the routine
within the high-level language source code. It determines the number of
stack frame pointers copied into the new stack frame from the preceding
frame. BP (or EBP, if the operand-size attribute is 32 bits) is the current
stack frame pointer.

If the operand-size attribute is 16 bits, the processor uses BP as the
frame pointer and SP as the stack pointer. If the operand-size attribute is
32 bits, the processor uses EBP for the frame pointer and ESP for the stack
pointer.

If the second operand is 0, ENTER pushes the frame pointer (BP or
EBP) onto the stack; ENTER then subtracts the first operand from the
stack pointer and sets the frame pointer to the current stack-pointer
value.

For example, a procedure with 12 bytes of local variables would have an
ENTER 12,0 instruction at its entry point and a LEAVE instruction
before every RET. The 12 local bytes would be addressed as negative
offsets from the frame pointer.

Flags Affected

None

Protected Mode Exceptions

instruction execution; #PF(fault-code) for a page fault

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


HLT  Halt

Opcode      Instruction        Clocks     Description

F4          HLT                5          Halt


Operation

Enter Halt state;

Description

HALT stops instruction execution and places the 80386 in a HALT state.
An enabled interrupt, NMI, or a reset will resume execution. If an
interrupt (including NMI) is used to resume execution after HLT, the saved
CS:IP (or CS:EIP) value points to the instruction following HLT.

Flags Affected

None

Protected Mode Exceptions

HLT is a privileged instruction; #GP(0) if the current privilege level is
not 0

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions



IDIV  Signed Divide

Opcode      Instruction        Clocks   Description

F6 /7       IDIV r/m8          19       Signed divide AX by r/m byte
                                        (AL=Quo, AH=Rem)
F7 /7       IDIV AX,r/m16      27       Signed divide DX:AX by EA word
                                        (AX=Quo, DX=Rem)
F7 /7       IDIV EAX,r/m32     43       Signed divide EDX:EAX by DWORD
                                        byte (EAX=Quo, EDX=Rem)


Operation

temp  dividend / divisor;
IF temp does not fit in quotient
THEN Interrupt 0;
ELSE
   quotient  temp;
   remainder  dividend MOD (r/m);
FI;


Notes:
  Divisions are signed. The divisor is given by the r/m operand. The
  dividend, quotient, and remainder use implicit registers. Refer to the
  table under "Description."


Description

IDIV performs a signed division. The dividend, quotient, and remainder
are implicitly allocated to fixed registers. Only the divisor is given as
an explicit r/m operand. The type of the divisor determines which registers
to use as follows:

Size     Divisor    Quotient    Remainder  Dividend
byte     r/m8        AL           AH       AX
word     r/m16       AX           DX       DX:AX
dword    r/m32       EAX          EDX      EDX:EAX

If the resulting quotient is too large to fit in the destination, or if the
division is 0, an Interrupt 0 is generated. Nonintegral quotients are
truncated toward 0. The remainder has the same sign as the dividend
and the absolute value of the remainder is always less than the absolute
value of the divisor.

Flags Affected

OF, SF, ZF, AR, PF, CF are undefined.

Protected Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register
(AL or AX), or if the divisor is 0; #GP (0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register
(AL or AX), or if the divisor is 0; Interrupt 13 if any part of the operand
would lie outside of the effective address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


IMUL  Signed Multiply


Opcode      Instruction            Clocks      Description

F6  /5      IMUL r/m8              9-14/12-17  AX AL * r/m byte
F7  /5      IMUL r/m16             9-22/12-25  DX:AX  AX * r/m word
F7  /5      IMUL r/m32             9-38/12-41  EDX:EAX  EAX * r/m dword
0F  AF /r   IMUL r16,r/m16         9-22/12-25  word register  word
                                               register * r/m word
0F  AF /r   IMUL r32,r/m32         9-38/12-41  dword register  dword
                                               register * r/m dword
6B  /r ib   IMUL r16,r/m16,imm8    9-14/12-17  word register  r/m16 *
                                               sign-extended immediate byte
6B  /r ib   IMUL r32,r/m32,imm8    9-14/12-17  dword register  r/m32 *
                                               sign-extended immediate byte
6B  /r ib   IMUL r16,imm8          9-14/12-17  word register  word
                                               register * sign-extended
                                               immediate byte
6B  /r ib   IMUL r32,imm8          9-14/12-17  dword register  dword
                                               register * sign-extended
                                               immediate byte
69  /r iw   IMUL r16,r/m16,imm16   9-22/12-25  word register  r/m16 *
                                               immediate word
69  /r id   IMUL r32,r/m32,imm32   9-38/12-41  dword register  r/m32 *
                                               immediate dword
69  /r iw   IMUL r16,imm16         9-22/12-25  word register  r/m16 *
                                               immediate word
69  /r id   IMUL r32,imm32         9-38/12-41  dword register  r/m32 *
                                               immediate dword



NOTES:
  The 80386 uses an early-out multiply algorithm. The actual number of
  clocks depends on the position of the most significant bit in the
  optimizing multiplier, shown underlined above. The optimization occurs for
  positive and negative values. Because of the early-out algorithm, clock
  counts given are minimum to maximum. To calculate the actual clocks, use
  the following formula:


  Actual clock = if m <> 0 then max(ceiling(log{2} m), 3) + 6 clocks  
  Actual clock = if m = 0 then 9 clocks   
  (where m is the multiplier)

Add three clocks if the multiplier is a memory operand.

Operation

result  multiplicand * multiplier;

Description

IMUL performs signed multiplication. Some forms of the instruction
use implicit register operands. The operand combinations for all forms
of the instruction are shown in the "Description" column above.

IMUL clears the overflow and carry flags under the following conditions:

   Instruction Form    Condition for Clearing CF and OF
   r/m8                AL = sign-extend of AL to 16 bits
   r/m16               AX = sign-extend of AX to 32 bits
   r/m32               EDX:EAX = sign-extend of EAX to 32 bits
   r16,r/m16           Result exactly fits within r16
   r/32,r/m32          Result exactly fits within r32
   r16,r/m16,imm16     Result exactly fits within r16
   r32,r/m32,imm32     Result exactly fits within r32

Flags Affected

OF and CF as described above; SF, ZF, AF, and PF are undefined

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exeptions as in Real Address Mode; #PF(fault-code) for a page
fault

Notes

When using the accumulator forms (IMUL r/m8, IMUL r/m16, or IMUL
r/m32), the result of the multiplication is available even if the overflow
flag is set because the result is two times the size of the multiplicand
and multiplier. This is large enough to handle any possible result.


IN  Input from Port

Opcode    Instruction   Clocks            Description

E4  ib    IN AL,imm8    12,pm=6*/26**     Input byte from immediate port
                                          into AL
E5  ib    IN AX,imm8    12,pm=6*/26**     Input word from immediate port
                                          into AX
E5  ib    IN EAX,imm8   12,pm=6*/26**     Input dword from immediate port
                                          into EAX
EC        IN AL,DX      13,pm=7*/27**     Input byte from port DX into AL
ED        IN AX,DX      13,pm=7*/27**     Input word from port DX into AX
ED        IN EAX,DX     13,pm=7*/27**     Input dword from port DX into
                                          EAX



NOTES:
   *If CPL  IOPL
  **If CPL > IOPL or if in virtual 8086 mode


Operation

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (SRC, width(SRC))
   THEN #GP(0);
   FI;
FI;
DEST  [SRC]; (* Reads from I/O address space *)

Description

IN transfers a data byte or data word from the port numbered by the
second operand into the register (AL, AX, or EAX) specified by the first
operand. Access any port from 0 to 65535 by placing the port number
in the DX register and using an IN instruction with DX as the second
parameter. These I/O instructions can be shortened by using an 8-bit
port I/O in the instruction. The upper eight bits of the port address will
be 0 when 8-bit port I/O is used.

Flags Affected

None

Protected Mode Exceptions

IOPL and any of the corresponding I/O permission bits in TSS equals 1

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

equals 1


INC  Increment by 1

Opcode      Instruction        Clocks      Description

FE  /0      INC r/m8                       Increment r/m byte by 1
FF  /0      INC r/m16                      Increment r/m word by 1
FF  /6      INC r/m32                      Increment r/m dword by 1
40 + rw     INC r16                        Increment word register by 1
40 + rd     INC r32                        Increment dword register by 1


Operation

DEST  DEST + 1;

Description

INC adds 1 to the operand. It does not change the carry flag. To affect
the carry flag, use the ADD instruction with a second operand of 1.

Flags Affected

OF, SF, ZF, AF, and PF as described in Appendix C

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


INS/INSB/INSW/INSD  Input from Port to String

Opcode  Instruction    Clocks         Description

6C      INS r/m8,DX    15,pm=9*/29**  Input byte from port DX into ES:(E)DI
6D      INS r/m16,DX   15,pm=9*/29**  Input word from port DX into ES:(E)DI
6D      INS r/m32,DX   15,pm=9*/29**  Input dword from port DX into ES:(E)DI
6C      INSB           15,pm=9*/29**  Input byte from port DX into ES:(E)DI
6D      INSW           15,pm=9*/29**  Input word from port DX into ES:(E)DI
6D      INSD           15,pm=9*/29**  Input dword from port DX into ES:(E)DI



NOTES:
   *If CPL  IOPL
  **If CPL > IOPL or if in virtual 8086 mode


Operation

IF AddressSize = 16
THEN use DI for dest-index;
ELSE (* AddressSize = 32 *)
   use EDI for dest-index;
FI;
IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (SRC, width(SRC))
   THEN #GP(0);
   FI;
FI;
IF byte type of instruction
THEN
   ES:[dest-index]  [DX]; (* Reads byte at DX from I/O address space *)
   IF DF = 0 THEN IncDec  1 ELSE IncDec  -1; FI;
FI;
IF OperandSize = 16
THEN
   ES:[dest-index]  [DX]; (* Reads word at DX from I/O address space *)
   IF DF = 0 THEN IncDec  2 ELSE IncDec  -2; FI;
FI;
IF OperandSize = 32
THEN
   ES:[dest-index]  [DX]; (* Reads dword at DX from I/O address space *)
   IF DF = 0 THEN IncDec  4 ELSE IncDec  -4; FI;
FI;
dest-index  dest-index + IncDec;

Description

INS transfers data from the input port numbered by the DX register to
the memory byte or word at ES:dest-index. The memory operand must
be addressable from ES; no segment override is possible. The destination
register is DI if the address-size attribute of the instruction is 16 bits,
or EDI if the address-size attribute is 32 bits.

INS does not allow the specification of the port number as an immediate
value. The port must be addressed through the DX register value. Load
the correct value into DX before executing the INS instruction.

The destination address is determined by the contents of the destination
index register. Load the correct index into the destination index register
before executing INS.

After the transfer is made, DI or EDI advances automatically. If the
direction flag is 0 (CLD was executed), DI or EDI increments; if the
direction flag is 1 (STD was executed), DI or EDI decrements. DI
increments or decrements by 1 if a byte is input, by 2 if a word is input,
or by 4 if a doubleword is input.

INSB, INSW and INSD are synonyms of the byte, word, and doubleword
INS instructions. INS can be preceded by the REP prefix for block input of
CX bytes or words. Refer to the REP instruction for details of this
operation.

Flags Affected

None

Protected Mode Exceptions

corresponding I/O permission bits in TSS equals 1; #GP(0) if the
destination is in a nonwritable segment; #GP(0) for an illegal memory
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for
an illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

equals 1; #PF(fault-code) for a page fault


INT/INTO  Call to Interrupt Procedure


Opcode    Instruction  Clocks          Description

CC        INT 3        33              Interrupt 3--trap to debugger
CC        INT 3        pm=59           Interrupt 3--Protected Mode, same
                                       privilege
CC        INT 3        pm=99           Interrupt 3--Protected Mode, more
                                       privilege
CC        INT 3        pm=119          Interrupt 3--from V86 mode to PL 0
CC        INT 3        ts              Interrupt 3--Protected Mode, via
                                       task gate
CD ib     INT imm8     37              Interrupt numbered by immediate
                                       byte
CD ib     INT imm8     pm=59           Interrupt--Protected Mode, same
                                       privilege
CD ib     INT imm8     pm=99           Interrupt--Protected Mode, more
                                       privilege
CD ib     INT imm8     pm=119          Interrupt--from V86 mode to PL 0
CD ib     INT imm8     ts              Interrupt--Protected Mode, via task
                                       gate
CE        INTO         Fail:3,pm=3;
                       Pass:35         Interrupt 4--if overflow flag is 1
CE        INTO         pm=59           Interrupt 4--Protected Mode, same
                                       privilege
CE        INTO         pm=99           Interrupt 4--Protected Mode, more
                                       privilege
CE        INTO         pm=119          Interrupt 4--from V86 mode to PL 0
CE        INTO         ts              Interrupt 4--Protected Mode, via
                                       task gate



NOTE:
  Approximate values of ts are given by the following table:

                            New Task

Old Task       386 TSS       386 TSS       286 TSS
               VM = 0        VM = 1

386
TSS VM=0         309           226           282

386
TSS VM=1         314           231           287

286
TSS              307           224           280


Operation


NOTE:
  The following operational description applies not only to the
  above instructions but also to external interrupts and exceptions.


IF PE = 0
THEN GOTO REAL-ADDRESS-MODE;
ELSE GOTO PROTECTED-MODE;
FI;

REAL-ADDRESS-MODE:
   Push (FLAGS);
   IF  0; (* Clear interrupt flag *)
   TF  0; (* Clear trap flag *)
   Push(CS);
   Push(IP);
   (* No error codes are pushed *)
   CS  IDT[Interrupt number * 4].selector;
   IP  IDT[Interrupt number * 4].offset;

PROTECTED-MODE:
   Interrupt vector must be within IDT table limits,
      else #GP(vector number * 8+2+EXT);
   Descriptor AR byte must indicate interrupt gate, trap gate, or task gate,
      else #GP(vector number * 8+2+EXT);
   IF software interrupt (* i.e. caused by INT n, INT 3, or INTO *)
   THEN
      IF gate descriptor DPL < CPL
      THEN #GP(vector number * 8+2+EXT);
      FI;
   FI;
   Gate must be present, else #NP(vector number * 8+2+EXT);
   IF trap gate OR interrupt gate
   THEN GOTO TRAP-GATE-OR-INTERRUPT-GATE;
   ELSE GOTO TASK-GATE;
   FI;

TRAP-GATE-OR-INTERRUPT-GATE:
   Examine CS selector and descriptor given in the gate descriptor;
   Selector must be non-null, else #GP (EXT);
   Selector must be within its descriptor table limits
      ELSE #GP(selector+EXT);
   Descriptor AR byte must indicate code segment
      ELSE #GP(selector + EXT);
   Segment must be present, else #NP(selector+EXT);
   IF code segment is non-conforming AND DPL < CPL
   THEN GOTO INTERRUPT-TO-INNER-PRIVILEGE;
   ELSE
      IF code segment is conforming OR code segment DPL = CPL
      THEN GOTO INTERRUPT-TO-SAME-PRIVILEGE-LEVEL;
      ELSE #GP(CS selector + EXT);
      FI;
   FI;

INTERRUPT-TO-INNER-PRIVILEGE:
   Check selector and descriptor for new stack in current TSS;
      Selector must be non-null, else #GP(EXT);
      Selector index must be within its descriptor table limits
         ELSE #TS(SS selector+EXT);
      Selector's RPL must equal DPL of code segment, else #TS(SS
         selector+EXT);
      Stack segment DPL must equal DPL of code segment, else #TS(SS
         selector+EXT);
      Descriptor must indicate writable data segment, else #TS(SS
         selector+EXT);
      Segment must be present, else #SS(SS selector+EXT);
   IF 32-bit gate
   THEN New stack must have room for 20 bytes else #SS(0)
   ELSE New stack must have room for 10 bytes else #SS(0)
   FI;
   Instruction pointer must be within CS segment boundaries else #GP(0);
   Load new SS and eSP value from TSS;
   IF 32-bit gate
   THEN CS:EIP  selector:offset from gate;
   ELSE CS:IP  selector:offset from gate;
   FI;
   Load CS descriptor into invisible portion of CS register;
   Load SS descriptor into invisible portion of SS register;
   IF 32-bit gate
   THEN
      Push (long pointer to old stack) (* 3 words padded to 4 *);
      Push (EFLAGS);
      Push (long pointer to return location) (* 3 words padded to 4*);
   ELSE
      Push (long pointer to old stack) (* 2 words *);
      Push (FLAGS);
      Push (long pointer to return location) (* 2 words *);
   FI;
   Set CPL to new code segment DPL;
   Set RPL of CS to CPL;
   IF interrupt gate THEN IF  0 (* interrupt flag to 0 (disabled) *); FI;
   TF  0;
   NT  0;

INTERRUPT-FROM-V86-MODE:
   TempEFlags  EFLAGS;
   VM  0;
   TF  0;
   IF service through Interrupt Gate THEN IF  0;
   TempSS  SS;
   TempESP  ESP;
   SS  TSS.SS0; (* Change to level 0 stack segment *)
   ESP  TSS.ESP0; (* Change to level 0 stack pointer *)
   Push(GS); (* padded to two words *)
   Push(FS); (* padded to two words *)
   Push(DS); (* padded to two words *)
   Push(ES); (* padded to two words *)
   GS  0;
   FS  0;
   DS  0;
   ES  0;
   Push(TempSS); (* padded to two words *)
   Push(TempESP);
   Push(TempEFlags);
   Push(CS); (* padded to two words *)
   Push(EIP);
   CS:EIP  selector:offset from interrupt gate;
   (* Starts execution of new routine in 80386 Protected Mode *)

INTERRUPT-TO-SAME-PRIVILEGE-LEVEL:
   IF 32-bit gate
   THEN Current stack limits must allow pushing 10 bytes, else #SS(0);
   ELSE Current stack limits must allow pushing 6 bytes, else #SS(0);
   FI;
   IF interrupt was caused by exception with error code
   THEN Stack limits must allow push of two more bytes;
   ELSE #SS(0);
   FI;
   Instruction pointer must be in CS limit, else #GP(0);
   IF 32-bit gate
   THEN
      Push (EFLAGS);
      Push (long pointer to return location); (* 3 words padded to 4 *)
      CS:EIP  selector:offset from gate;
   ELSE (* 16-bit gate *)
      Push (FLAGS);
      Push (long pointer to return location); (* 2 words *)
      CS:IP  selector:offset from gate;
   FI;
   Load CS descriptor into invisible portion of CS register;
   Set the RPL field of CS to CPL;
   Push (error code); (* if any *)
   IF interrupt gate THEN IF  0; FI;
   TF  0;
   NT  0;

TASK-GATE:
   Examine selector to TSS, given in task gate descriptor;
      Must specify global in the local/global bit, else #TS(TSS selector);
      Index must be within GDT limits, else #TS(TSS selector);
      AR byte must specify available TSS (bottom bits 00001),
         else #TS(TSS selector;
      TSS must be present, else #NP(TSS selector);
   SWITCH-TASKS with nesting to TSS;
   IF interrupt was caused by fault with error code
   THEN
      Stack limits must allow push of two more bytes, else #SS(0);
      Push error code onto stack;
   FI;
   Instruction pointer must be in CS limit, else #GP(0);

Description

The INT  instruction generates via software a call to an interrupt
handler. The immediate operand, from 0 to 255, gives the index number
into the Interrupt Descriptor Table (IDT) of the interrupt routine to be
called. In Protected Mode, the IDT consists of an array of eight-byte
descriptors; the descriptor for the interrupt invoked must indicate an
interrupt, trap, or task gate. In Real Address Mode, the IDT is an array
of four byte-long pointers. In Protected and Real Address Modes, the
base linear address of the IDT is defined by the contents of the IDTR.

The INTO conditional software instruction is identical to the INT
interrupt instruction except that the interrupt number is implicitly 4,
and the interrupt is made only if the 80386 overflow flag is set.

The first 32 interrupts are reserved by Intel for system use. Some of
these interrupts are use for internally generated exceptions.

INT n generally behaves like a far call except that the flags register is
pushed onto the stack before the return address. Interrupt procedures
return via the IRET instruction, which pops the flags and return address
from the stack.

In Real Address Mode, INT n pushes the flags, CS, and the return IP
onto the stack, in that order, then jumps to the long pointer indexed by
the interrupt number.

Flags Affected

None

Protected Mode Exceptions


Real Address Mode Exceptions

None; if the SP or ESP = 1, 3, or 5 before executing INT or INTO,
the 80386 will shut down due to insufficient stack space

Virtual 8086 Mode Exceptions

Interrupt 3 (0CCH) generates Interrupt 3; INTO generates Interrupt 4
if the overflow flag equals 1


IRET/IRETD  Interrupt Return

Opcode  Instruction  Clocks       Description

CF      IRET         22,pm=38     Interrupt return (far return and pop
                                  flags)
CF      IRET         pm=82        Interrupt return to lesser privilege
CF      IRET         ts           Interrupt return, different task (NT = 1)
CF      IRETD        22,pm=38     Interrupt return (far return and pop
                                  flags)
CF      IRETD        pm=82        Interrupt return to lesser privilege
CF      IRETD        pm=60        Interrupt return to V86 mode
CF      IRETD        ts           Interrupt return, different task (NT = 1)



NOTE:
  Values of ts are given by the following table:

                            New Task

Old Task       386 TSS       386 TSS       286 TSS
               VM = 0        VM = 1

386
TSS VM=0         275           224           271

286
TSS              265           214           232


Operation

IF PE = 0
THEN (* Real-address mode *)
   IF OperandSize = 32 (* Instruction = IRETD *)
   THEN EIP  Pop();
   ELSE (* Instruction = IRET *)
      IP  Pop();
   FI;
   CS  Pop();
   IF OperandSize = 32 (* Instruction = IRETD *)
   THEN EFLAGS  Pop();
   ELSE (* Instruction = IRET *)
      FLAGS  Pop();
   FI;
ELSE (* Protected mode *)
   IF VM = 1
   THEN #GP(0);
   ELSE
      IF NT = 1
      THEN GOTO TASK-RETURN;
      ELSE
         IF VM = 1 in flags image on stack
         THEN GO TO STACK-RETURN-TO-V86;
         ELSE GOTO STACK-RETURN;
         FI;
      FI;
   FI;
FI;STACK-RETURN-TO-V86: (* Interrupted procedure was in V86 mode *)
   IF return CS selector RPL < > 3
   THEN #GP(Return selector);
   FI;
   IF top 36 bytes of stack not within limits
   THEN #SS(0);
   FI;
   Examine return CS selector and associated descriptor:
      IF selector is null, THEN #GP(0); FI;
      IF selector index not within its descriptor table limits;
      THEN #GP(Return selector);
      FI;
      IF AR byte does not indicate code segment
      THEN #GP(Return selector);
      FI;
      IF code segment DPL not = 3;
      THEN #GP(Return selector);
      FI;
      IF code segment not present
      THEN #NP(Return selector);
      FI;

   Examine return SS selector and associated descriptor:
      IF selector is null THEN #GP(0); FI;
      IF selector index not within its descriptor table limits
      THEN #GP(SS selector);
      FI;
      IF selector RPL not = RPL of return CS selector
      THEN #GP(SS selector);
      FI;
      IF AR byte does not indicate a writable data segment
      THEN #GP(SS selector);
      FI;
      IF stack segment DPL not = RPL of return CS selector
      THEN #GP(SS selector);
      FI;
      IF SS not present
      THEN #NP(SS selector);
      FI;

   IF instruction pointer not within code segment limit  THEN #GP(0);
   FI;
   EFLAGS  SS:[eSP + 8]; (* Sets VM in interrupted routine *)
   EIP  Pop();
   CS  Pop(); (* CS behaves as in 8086, due to VM = 1 *)
   throwaway  Pop(); (* pop away EFLAGS already read *)
   ES  Pop(); (* pop 2 words; throw away high-order word *)
   DS  Pop(); (* pop 2 words; throw away high-order word *)
   FS  Pop(); (* pop 2 words; throw away high-order word *)
   GS  Pop(); (* pop 2 words; throw away high-order word *)
   IF CS.RPL > CPL
   THEN
      TempESP  Pop();
      TempSS  Pop();
      SS:ESP  TempSS:TempESP;
   FI;

   (* Resume execution in Virtual 8086 mode *)

TASK-RETURN:
   Examine Back Link Selector in TSS addressed by the current task
      register:
      Must specify global in the local/global bit, else #TS(new TSS
         selector);
      Index must be within GDT limits, else #TS(new TSS selector);
      AR byte must specify TSS, else #TS(new TSS selector);
      New TSS must be busy, else #TS(new TSS selector);
      TSS must be present, else #NP(new TSS selector);
   SWITCH-TASKS without nesting to TSS specified by back link selector;
   Mark the task just abandoned as NOT BUSY;
   Instruction pointer must be within code segment limit ELSE #GP(0);

STACK-RETURN:
   IF OperandSize=32
   THEN Third word on stack must be within stack limits, else #SS(0);
   ELSE Second word on stack must be within stack limits, else #SS(0);
   FI;
   Return CS selector RPL must be  CPL, else #GP(Return selector);
   IF return selector RPL = CPL
   THEN GOTO RETURN-SAME-LEVEL;
   ELSE GOTO RETURN-OUTER-LEVEL;
   FI;

RETURN-SAME-LEVEL:
   IF OperandSize=32
   THEN
      Top 12 bytes on stack must be within limits, else #SS(0);
      Return CS selector (at eSP+4) must be non-null, else #GP(0);
   ELSE
      Top 6 bytes on stack must be within limits, else #SS(0);
      Return CS selector (at eSP+2) must be non-null, else #GP(0);
   FI;
   Selector index must be within its descriptor table limits, else #GP
      (Return selector);
   AR byte must indicate code segment, else #GP(Return selector);
   IF non-conforming
   THEN code segment DPL must = CPL;
   ELSE #GP(Return selector);
   FI;
   IF conforming
   THEN code segment DPL must be  CPL, else #GP(Return selector);
   Segment must be present, else #NP(Return selector);
   Instruction pointer must be within code segment boundaries, else #GP(0);
   FI;
   IF OperandSize=32
   THEN
      Load CS:EIP from stack;
      Load CS-register with new code segment descriptor;
      Load EFLAGS with third doubleword from stack;
      Increment eSP by 12;
   ELSE
      Load CS-register with new code segment descriptor;
      Load FLAGS with third word on stack;
      Increment eSP by 6;
   FI;

RETURN-OUTER-LEVEL:
   IF OperandSize=32
   THEN Top 20 bytes on stack must be within limits, else #SS(0);
   ELSE Top 10 bytes on stack must be within limits, else #SS(0);
   FI;
   Examine return CS selector and associated descriptor:
      Selector must be non-null, else #GP(0);
      Selector index must be within its descriptor table limits;
         ELSE #GP(Return selector);
      AR byte must indicate code segment, else #GP(Return selector);
      IF non-conforming
      THEN code segment DPL must = CS selector RPL;
      ELSE #GP(Return selector);
      FI;
      IF conforming
      THEN code segment DPL must be > CPL;
      ELSE #GP(Return selector);
      FI;
      Segment must be present, else #NP(Return selector);
   Examine return SS selector and associated descriptor:
      Selector must be non-null, else #GP(0);
      Selector index must be within its descriptor table limits
         ELSE #GP(SS selector);
      Selector RPL must equal the RPL of the return CS selector
         ELSE #GP(SS selector);
      AR byte must indicate a writable data segment, else #GP(SS selector);
      Stack segment DPL must equal the RPL of the return CS selector
         ELSE #GP(SS selector);
      SS must be present, else #NP(SS selector);

   Instruction pointer must be within code segment limit ELSE #GP(0);
   IF OperandSize=32
   THEN
      Load CS:EIP from stack;
      Load EFLAGS with values at (eSP+8);
   ELSE
      Load CS:IP from stack;
      Load FLAGS with values at (eSP+4);
   FI;
   Load SS:eSP from stack;
   Set CPL to the RPL of the return CS selector;
   Load the CS register with the CS descriptor;
   Load the SS register with the SS descriptor;
   FOR each of ES, FS, GS, and DS
   DO;
      IF the current value of the register is not valid for the outer level;
      THEN zero the register and clear the valid flag;
      FI;
      To be valid, the register setting must satisfy the following
         properties:
         Selector index must be within descriptor table limits;
         AR byte must indicate data or readable code segment;
         IF segment is data or non-conforming code,
         THEN DPL must be  CPL, or DPL must be  RPL;
   OD;

Description

In Real Address Mode, IRET pops the instruction pointer, CS, and the
flags register from the stack and resumes the interrupted routine.

In Protected Mode, the action of IRET depends on the setting of the
nested task flag (NT) bit in the flag register. When popping the new
flag image from the stack, the IOPL bits in the flag register are changed
only when CPL equals 0.

If NT equals 0, IRET returns from an interrupt procedure without a
task switch. The code returned to must be equally or less privileged than
the interrupt routine (as indicated by the RPL bits of the CS selector
popped from the stack). If the destination code is less privileged, IRET
also pops the stack pointer and SS from the stack.

If NT equals 1, IRET reverses the operation of a CALL or INT that
caused a task switch. The updated state of the task executing IRET is
saved in its task state segment. If the task is reentered later, the code
that follows IRET is executed.

Flags Affected

All; the flags register is popped from stack

Protected Mode Exceptions


Real Address Mode Exceptions

Interrupt 13 if any part of the operand being popped lies beyond address
0FFFFH

Virtual 8086 Mode Exceptions



Jcc  Jump if Condition is Met


Opcode         Instruction       Clocks   Description

77  cb         JA rel8           7+m,3    Jump short if above (CF=0 and
                                          ZF=0)
73  cb         JAE rel8          7+m,3    Jump short if above or equal
                                          (CF=0)
72  cb         JB rel8           7+m,3    Jump short if below (CF=1)
76  cb         JBE rel8          7+m,3    Jump short if below or equal
                                          (CF=1 or ZF=1)
72  cb         JC rel8           7+m,3    Jump short if carry (CF=1)
E3  cb         JCXZ rel8         9+m,5    Jump short if CX register is 0
E3  cb         JECXZ rel8        9+m,5    Jump short if ECX register is 0
74  cb         JE rel8           7+m,3    Jump short if equal (ZF=1)
74  cb         JZ rel8           7+m,3    Jump short if 0 (ZF=1)
7F  cb         JG rel8           7+m,3    Jump short if greater (ZF=0 and
                                          SF=OF)
7D  cb         JGE rel8          7+m,3    Jump short if greater or equal
                                          (SF=OF)
7C  cb         JL rel8           7+m,3    Jump short if less (SF<>OF)
7E  cb         JLE rel8          7+m,3    Jump short if less or equal
                                          (ZF=1 and SF<>OF)
76  cb         JNA rel8          7+m,3    Jump short if not above (CF=1 or
                                          ZF=1)
72  cb         JNAE rel8         7+m,3    Jump short if not above or equal
                                          (CF=1)
73  cb         JNB rel8          7+m,3    Jump short if not below (CF=0)
77  cb         JNBE rel8         7+m,3    Jump short if not below or equal
                                          (CF=0 and ZF=0)
73  cb         JNC rel8          7+m,3    Jump short if not carry (CF=0)
75  cb         JNE rel8          7+m,3    Jump short if not equal (ZF=0)
7E  cb         JNG rel8          7+m,3    Jump short if not greater (ZF=1
                                          or SF<>OF)
7C  cb         JNGE rel8         7+m,3    Jump short if not greater or
                                          equal (SF<>OF)
7D  cb         JNL rel8          7+m,3    Jump short if not less (SF=OF)
7F  cb         JNLE rel8         7+m,3    Jump short if not less or equal
                                          (ZF=0 and SF=OF)
71  cb         JNO rel8          7+m,3    Jump short if not overflow
                                          (OF=0)
7B  cb         JNP rel8          7+m,3    Jump short if not parity (PF=0)
79  cb         JNS rel8          7+m,3    Jump short if not sign (SF=0)
75  cb         JNZ rel8          7+m,3    Jump short if not zero (ZF=0)
70  cb         JO rel8           7+m,3    Jump short if overflow (OF=1)
7A  cb         JP rel8           7+m,3    Jump short if parity (PF=1)
7A  cb         JPE rel8          7+m,3    Jump short if parity even (PF=1)
7B  cb         JPO rel8          7+m,3    Jump short if parity odd (PF=0)
78  cb         JS rel8           7+m,3    Jump short if sign (SF=1)
74  cb         JZ rel8           7+m,3    Jump short if zero (ZF = 1)
0F  87 cw/cd   JA rel16/32       7+m,3    Jump near if above (CF=0 and
                                          ZF=0)
0F  83 cw/cd   JAE rel16/32      7+m,3    Jump near if above or equal
                                          (CF=0)
0F  82 cw/cd   JB rel16/32       7+m,3    Jump near if below (CF=1)
0F  86 cw/cd   JBE rel16/32      7+m,3    Jump near if below or equal
                                          (CF=1 or ZF=1)
0F  82 cw/cd   JC rel16/32       7+m,3    Jump near if carry (CF=1)
0F  84 cw/cd   JE rel16/32       7+m,3    Jump near if equal (ZF=1)
0F  84 cw/cd   JZ rel16/32       7+m,3    Jump near if 0 (ZF=1)
0F  8F cw/cd   JG rel16/32       7+m,3    Jump near if greater (ZF=0 and
                                          SF=OF)
0F  8D cw/cd   JGE rel16/32      7+m,3    Jump near if greater or equal
                                          (SF=OF)
0F  8C cw/cd   JL rel16/32       7+m,3    Jump near if less (SF<>OF)
0F  8E cw/cd   JLE rel16/32      7+m,3    Jump near if less or equal (ZF=1
                                          and SF<>OF)
0F  86 cw/cd   JNA rel16/32      7+m,3    Jump near if not above (CF=1 or
                                          ZF=1)
0F  82 cw/cd   JNAE rel16/32     7+m,3    Jump near if not above or equal
                                          (CF=1)
0F  83 cw/cd   JNB rel16/32      7+m,3    Jump near if not below (CF=0)
0F  87 cw/cd   JNBE rel16/32     7+m,3    Jump near if not below or equal
                                          (CF=0 and ZF=0)
0F  83 cw/cd   JNC rel16/32      7+m,3    Jump near if not carry (CF=0)
0F  85 cw/cd   JNE rel16/32      7+m,3    Jump near if not equal (ZF=0)
0F  8E cw/cd   JNG rel16/32      7+m,3    Jump near if not greater (ZF=1
                                          or SF<>OF)
0F  8C cw/cd   JNGE rel16/32     7+m,3    Jump near if not greater or
                                          equal (SF<>OF)
0F  8D cw/cd   JNL rel16/32      7+m,3    Jump near if not less (SF=OF)
0F  8F cw/cd   JNLE rel16/32     7+m,3    Jump near if not less or equal
                                          (ZF=0 and SF=OF)
0F  81 cw/cd   JNO rel16/32      7+m,3    Jump near if not overflow (OF=0)
0F  8B cw/cd   JNP rel16/32      7+m,3    Jump near if not parity (PF=0)
0F  89 cw/cd   JNS rel16/32      7+m,3    Jump near if not sign (SF=0)
0F  85 cw/cd   JNZ rel16/32      7+m,3    Jump near if not zero (ZF=0)
0F  80 cw/cd   JO rel16/32       7+m,3    Jump near if overflow (OF=1)
0F  8A cw/cd   JP rel16/32       7+m,3    Jump near if parity (PF=1)
0F  8A cw/cd   JPE rel16/32      7+m,3    Jump near if parity even (PF=1)
0F  8B cw/cd   JPO rel16/32      7+m,3    Jump near if parity odd (PF=0)
0F  88 cw/cd   JS rel16/32       7+m,3    Jump near if sign (SF=1)
0F  84 cw/cd   JZ rel16/32       7+m,3    Jump near if 0 (ZF=1)



NOTES:
  The first clock count is for the true condition (branch taken); the
  second clock count is for the false condition (branch not taken). rel16/32
  indicates that these instructions map to two; one with a 16-bit relative
  displacement, the other with a 32-bit relative displacement, depending on
  the operand-size attribute of the instruction.


Operation

IF condition
THEN
   EIP  EIP + SignExtend(rel8/16/32);
   IF OperandSize = 16
   THEN EIP  EIP AND 0000FFFFH;
   FI;
FI;

Description

Conditional jumps (except JCXZ) test the flags which have been set by
a previous instruction. The conditions for each mnemonic are given in
parentheses after each description above. The terms "less" and "greater"
are used for comparisons of signed integers; "above" and "below" are
used for unsigned integers.

If the given condition is true, a jump is made to the location provided as
the operand. Instruction coding is most efficient when the target for the
conditional jump is in the current code segment and within -128 to
+127 bytes of the next instruction's first byte. The jump can also target
-32768 thru +32767 (segment size attribute 16) or -2^(31) thru +2^(31) -1
(segment size attribute 32) relative to the next instruction's first byte.
When the target for the conditional jump is in a different segment, use
the opposite case of the jump instruction (i.e., JE and JNE), and then
access the target with an unconditional far jump to the other segment.
For example, you cannot code

JZ FARLABEL;

You must instead code

   JNZ BEYOND;
   JMP FARLABEL;
BEYOND:

Because there can be several ways to interpret a particular state of the
flags, ASM386 provides more than one mnemonic for most of the
conditional jump opcodes. For example, if you compared two characters in
AX and want to jump if they are equal, use JE; or, if you ANDed AX
with a bit field mask and only want to jump if the result is 0, use JZ, a
synonym for JE.

JCXZ differs from other conditional jumps because it tests the contents of
the CX or ECX register for 0, not the flags. JCXZ is useful at the beginning
of a conditional loop that terminates with a conditional loop instruction
(such as LOOPNE TARGET LABEL. The JCXZ prevents entering the loop with CX or
ECX equal to zero, which would cause the loop to execute 64K or 32G times
instead of zero times.

Flags Affected

None

Protected Mode Exceptions


Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


JMP  Jump


Opcode    Instruction     Clocks          Description

EB  cb    JMP rel8        7+m             Jump short
E9  cw    JMP rel16       7+m             Jump near, displacement relative
                                          to next instruction
FF  /4    JMP r/m16       7+m/10+m        Jump near indirect
EA  cd    JMP ptr16:16    12+m,pm=27+m    Jump intersegment, 4-byte
                                          immediate address
EA  cd    JMP ptr16:16    pm=45+m         Jump to call gate, same
                                          privilege
EA  cd    JMP ptr16:16    ts              Jump via task state segment
EA  cd    JMP ptr16:16    ts              Jump via task gate
FF  /5    JMP m16:16      43+m,pm=31+m    Jump r/m16:16 indirect and
                                          intersegment
FF  /5    JMP m16:16      pm=49+m         Jump to call gate, same
                                          privilege
FF  /5    JMP m16:16      5 + ts          Jump via task state segment
FF  /5    JMP m16:16      5 + ts          Jump via task gate
E9  cd    JMP rel32       7+m             Jump near, displacement relative
                                          to next instruction
FF  /4    JMP r/m32       7+m,10+m        Jump near, indirect
EA  cp    JMP ptr16:32    12+m,pm=27+m    Jump intersegment, 6-byte
                                          immediate address
EA  cp    JMP ptr16:32    pm=45+m         Jump to call gate, same
                                          privilege
EA  cp    JMP ptr16:32    ts              Jump via task state segment
EA  cp    JMP ptr16:32    ts              Jump via task gate
FF  /5    JMP m16:32      43+m,pm=31+m    Jump intersegment, address at
                                          r/m dword
FF  /5    JMP m16:32      pm=49+m         Jump to call gate, same
                                          privilege
FF  /5    JMP m16:32      5 + ts          Jump via task state segment
FF  /5    JMP m16:32      5 + ts          Jump via task gate



NOTE:
Values of ts are given by the following table:

                               New Task

                386 TSS       386 TASK       286 TSS
                VM = 0        VM = 1

Old Task                   Via Task Gate?

                N     Y       N      Y       N     Y
386
TSS VM=0       303   312     220    229     276   285

286
TSS            301   310     218    227     274   283


Operation

IF instruction = relative JMP
   (* i.e. operand is rel8, rel16, or rel32 *)
THEN
   EIP  EIP + rel8/16/32;
   IF OperandSize = 16
   THEN EIP  EIP AND 0000FFFFH;
   FI;
FI;
IF instruction = near indirect JMP
   (* i.e. operand is r/m16 or r/m32 *)
THEN
   IF OperandSize = 16
   THEN
      EIP  [r/m16] AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      EIP  [r/m32];
   FI;
FI;

IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or V86 mode *)
   AND instruction = far JMP
   (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *)
THEN GOTO REAL-OR-V86-MODE;
   IF operand type = m16:16 or m16:32
   THEN (* indirect *)
      IF OperandSize = 16
      THEN
         CS:IP  [m16:16];
         EIP  EIP AND 0000FFFFH; (* clear upper 16 bits *)
      ELSE (* OperandSize = 32 *)
         CS:EIP  [m16:32];
      FI;
   FI;
   IF operand type = ptr16:16 or ptr16:32
   THEN
      IF OperandSize = 16
      THEN
         CS:IP  ptr16:16;
         EIP  EIP AND 0000FFFFH; (* clear upper 16 bits *)
      ELSE (* OperandSize = 32 *)
         CS:EIP  ptr16:32;
      FI;
   FI;
FI;

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
   AND instruction = far JMP
THEN
   IF operand type = m16:16 or m16:32
   THEN (* indirect *)
      check access of EA dword;
      #GP(0) or #SS(0) IF limit violation;
   FI;
   Destination selector is not null ELSE #GP(0)
   Destination selector index is within its descriptor table limits ELSE
   Depending on AR byte of destination descriptor:
      GOTO CONFORMING-CODE-SEGMENT;
      GOTO NONCONFORMING-CODE-SEGMENT;
      GOTO CALL-GATE;
      GOTO TASK-GATE;
      GOTO TASK-STATE-SEGMENT;
   ELSE #GP(selector); (* illegal AR byte in descriptor *)
FI;

CONFORMING-CODE-SEGMENT:
   Descriptor DPL must be  CPL ELSE #GP(selector);
   Segment must be present ELSE #NP(selector);
   Instruction pointer must be within code-segment limit ELSE #GP(0);
   IF OperandSize = 32
   THEN Load CS:EIP from destination pointer;
   ELSE Load CS:IP from destination pointer;
   FI;
   Load CS register with new segment descriptor;

NONCONFORMING-CODE-SEGMENT:
   RPL of destination selector must be  CPL ELSE #GP(selector);
   Descriptor DPL must be = CPL ELSE #GP(selector);
   Segment must be present ELSE # NP(selector);
   Instruction pointer must be within code-segment limit ELSE #GP(0);
   IF OperandSize = 32
   THEN Load CS:EIP from destination pointer;
   ELSE Load CS:IP from destination pointer;
   FI;
   Load CS register with new segment descriptor;
   Set RPL field of CS register to CPL;

CALL-GATE:
   Descriptor DPL must be  CPL ELSE #GP(gate selector);
   Descriptor DPL must be  gate selector RPL ELSE #GP(gate selector);
   Gate must be present ELSE #NP(gate selector);
   Examine selector to code segment given in call gate descriptor:
      Selector must not be null ELSE #GP(0);
      Selector must be within its descriptor table limits ELSE
         #GP(CS selector);
      Descriptor AR byte must indicate code segment
         ELSE #GP(CS selector);
      IF non-conforming
      THEN code-segment descriptor, DPL must = CPL
      ELSE #GP(CS selector);
      FI;
      IF conforming
      THEN code-segment descriptor DPL must be  CPL;
      ELSE #GP(CS selector);
      Code segment must be present ELSE #NP(CS selector);
      Instruction pointer must be within code-segment limit ELSE #GP(0);
      IF OperandSize = 32
      THEN Load CS:EIP from call gate;
      ELSE Load CS:IP from call gate;
      FI;
   Load CS register with new code-segment descriptor;
   Set RPL of CS to CPL

TASK-GATE:
   Gate descriptor DPL must be  CPL ELSE #GP(gate selector);
   Gate descriptor DPL must be  gate selector RPL ELSE #GP(gate
     selector);
   Task Gate must be present ELSE #NP(gate selector);
   Examine selector to TSS, given in Task Gate descriptor:
   Must specify global in the local/global bit ELSE #GP(TSS selector);
   Index must be within GDT limits ELSE #GP(TSS selector);
   Descriptor AR byte must specify available TSS (bottom bits 00001);
      ELSE #GP(TSS selector);
   Task State Segment must be present ELSE #NP(TSS selector);
SWITCH-TASKS (without nesting) to TSS;
Instruction pointer must be within code-segment limit ELSE #GP(0);

TASK-STATE-SEGMENT:
   TSS DPL must be  CPL ELSE #GP(TSS selector);
   TSS DPL must be  TSS selector RPL ELSE #GP(TSS selector);
   Descriptor AR byte must specify available TSS (bottom bits 00001)
      ELSE #GP(TSS selector);
   Task State Segment must be present ELSE #NP(TSS selector);
   SWITCH-TASKS (without nesting) to TSS;
   Instruction pointer must be within code-segment limit ELSE #GP(0);

Description

The JMP instruction transfers control to a different point in the
instruction stream without recording return information.

The action of the various forms of the instruction are shown below.

Jumps with destinations of type r/m16, r/m32, rel16, and rel32 are near
jumps and do not involve changing the segment register value.

The JMP rel16 and JMP rel32 forms of the instruction add an offset to
the address of the instruction following the JMP to determine the
destination. The rel16 form is used when the instruction's operand-size
attribute is 16 bits (segment size attribute 16 only); rel32 is used when
the operand-size attribute is 32 bits (segment size attribute 32 only). The
result is stored in the 32-bit EIP register. With rel16, the upper 16 bits
of EIP are cleared, which results in an offset whose value does not exceed
16 bits.

JMP r/m16 and JMP r/m32 specifies a register or memory location from which
the absolute offset from the procedure is fetched. The offset fetched from
r/m is 32 bits for an operand-size attribute of 32 bits (r/m32), or 16 bits
for an operand-size attribute of 16 bits (r/m16).

The JMP ptr16:16 and ptr16:32 forms of the instruction use a four-byte
or six-byte operand as a long pointer to the destination. The JMP
and  forms fetch the long pointer from the memory location
specified (indirection). In Real Address Mode or Virtual 8086 Mode,
the long pointer provides 16 bits for the CS register and 16 or 32 bits
for the EIP register (depending on the operand-size attribute). In
Protected Mode, both long pointer forms consult the Access Rights (AR)
byte in the descriptor indexed by the selector part of the long pointer.

Depending on the value of the AR byte, the jump will perform one of
the following types of control transfers:

    A jump to a code segment at the same privilege level
    A task switch

For more information on protected mode control transfers, refer to
Chapter 6 and Chapter 7.

Flags Affected

All if a task switch takes place; none if no task switch occurs

Protected Mode Exceptions

Far jumps: #GP, #NP, #SS, and #TS, as indicated in the list above.

Near direct jumps: #GP(0) if procedure location is beyond the code
segment limits.

Near indirect jumps: #GP(0) for an illegal memory operand effective
address in the CS, DS, ES, FS, or GS segments: #SS(0) for an illegal
address in the SS segment; #GP if the indirect offset obtained is beyond
the code segment limits; #PF(fault-code) for a page fault.

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would be outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as under Real Address Mode; #PF(fault-code) for a
page fault


LAHF  Load Flags into AH Register

Opcode  Instruction   Clocks   Description

9F      LAHF          2        Load: AH = flags SF ZF xx AF xx PF xx CF


Operation

AH  SF:ZF:xx:AF:xx:PF:xx:CF;

Description

LAHF transfers the low byte of the flags word to AH. The bits, from
MSB to LSB, are sign, zero, indeterminate, auxiliary, carry,
indeterminate, parity, indeterminate, and carry.

Flags Affected

None

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


LAR  Load Access Rights Byte

Opcode        Instruction      Clocks      Description

0F  02 /r     LAR r16,r/m16    pm=15/16    r16  r/m16 masked by FF00
0F  02 /r     LAR r32,r/m32    pm=15/16    r32  r/m32 masked by 00FxFF00


Description

The LAR instruction stores a marked form of the second doubleword of
the descriptor for the source selector if the selector is visible at the
CPL (modified by the selector's RPL) and is a valid descriptor type. The
destination register is loaded with the high-order doubleword of the
descriptor masked by 00FxFF00, and ZF is set to 1. The x indicates that the
four bits corresponding to the upper four bits of the limit are undefined in
the value loaded by LAR. If the selector is invisible or of the wrong type,
ZF is cleared.

If the 32-bit operand size is specified, the entire 32-bit value is loaded
into the 32-bit destination register. If the 16-bit operand size is
specified, the lower 16-bits of this value are stored in the 16-bit
destination register.

All code and data segment descriptors are valid for LAR.

The valid special segment and gate descriptor types for LAR are given
in the following table:

Type   Name                     Valid/Invalid

  0    Invalid                  Invalid
  1    Available 80286 TSS      Valid
  2    LDT                      Valid
  3    Busy 80286 TSS           Valid
  4    80286 call gate          Valid
  5    80286/80386 task gate    Valid
  6    80286 trap gate          Valid
  7    80286 interrupt gate     Valid
  8    Invalid                  Invalid
  9    Available 80386 TSS      Valid
  A    Invalid                  Invalid
  B    Busy 80386 TSS           Valid
  C    80386 call gate          Valid
  D    Invalid                  Invalid
  E    80386 trap gate          Valid
  F    80386 interrupt gate     Valid

Flags Affected

ZF as described above

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 6; LAR is unrecognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode


LEA  Load Effective Address

Opcode  Instruction  Clocks  Description

8D  /r  LEA r16,m    2       Store effective address for m in register r16
8D  /r  LEA r32,m    2       Store effective address for m in register r32
8D  /r  LEA r16,m    2       Store effective address for m in register r16
8D  /r  LEA r32,m    2       Store effective address for m in register r32


Operation

IF OperandSize = 16 AND AddressSize = 16
THEN r16  Addr(m);
ELSE
   IF OperandSize = 16 AND AddressSize = 32
   THEN
      r16  Truncate_to_16bits(Addr(m));   (* 32-bit address *)
   ELSE
      IF OperandSize = 32 AND AddressSize = 16
      THEN
         r32  Truncate_to_16bits(Addr(m));
      ELSE
         IF OperandSize = 32 AND AddressSize = 32
         THEN  r32  Addr(m);
         FI;
      FI;
   FI;
FI;

Description

LEA calculates the effective address (offset part) and stores it in the
specified register. The operand-size attribute of the instruction
(represented by OperandSize in the algorithm under "Operation" above) is
determined by the chosen register. The address-size attribute (represented
by AddressSize) is determined by the USE attribute of the segment containing
the second operand. The address-size and operand-size attributes affect the
action performed by LEA, as follows:

Operand Size  Address Size  Action Performed

    16            16        16-bit effective address is calculated and
                            stored in requested 16-bit register
                            destination.

    16            32        32-bit effective address is calculated. The
                            lower 16 bits of the address are stored in
                            the requested 16-bit register destination.

    32            16        16-bit effective address is calculated. The
                            16-bit address is zero-extended and stored
                            in the requested 32-bit register destination.

    32            32        32-bit effective address is calculated and
                            stored in the requested 32-bit register
                            destination.

Flags Affected

None

Protected Mode Exceptions


Real Address Mode Exceptions

Interrupt 6 if the second operand is a register

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode


LEAVE  High Level Procedure Exit

Opcode  Instruction  Clocks  Description

C9      LEAVE        4       Set SP to BP, then pop BP
C9      LEAVE        4       Set ESP to EBP, then pop EBP


Operation

IF StackAddrSize = 16
THEN
   SP  BP;
ELSE (* StackAddrSize = 32 *)
   ESP  EBP;
FI;
IF OperandSize = 16
THEN
   BP  Pop();
ELSE (* OperandSize = 32 *)
   EBP  Pop();
FI;

Description

LEAVE reverses the actions of the ENTER instruction. By copying the
frame pointer to the stack pointer, LEAVE releases the stack space used
by a procedure for its local variables. The old frame pointer is popped
into BP or EBP, restoring the caller's frame. A subsequent RET
instruction removes any arguments pushed onto the stack of the exiting
procedure.

Flags Affected

None

Protected Mode Exceptions

stack segment

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode


LGDT/LIDT  Load Global/Interrupt Descriptor Table Register

Opcode       Instruction      Clocks        Description

0F  01 /2    LGDT m16&32      11            Load m into GDTR
0F  01 /3    LIDT m16&32      11            Load m into IDTR


Operation

IF instruction = LIDT
THEN
   IF OperandSize = 16
   THEN IDTR.Limit:Base  m16:24 (* 24 bits of base loaded *)
   ELSE IDTR.Limit:Base  m16:32
   FI;
ELSE (* instruction = LGDT *)
   IF OperandSize = 16
   THEN GDTR.Limit:Base  m16:24 (* 24 bits of base loaded *)
   ELSE GDTR.Limit:Base  m16:32;
   FI;
FI;

Description

The LGDT and LIDT instructions load a linear base address and limit
value from a six-byte data operand in memory into the GDTR or IDTR,
respectively. If a 16-bit operand is used with LGDT or LIDT, the
register is loaded with a 16-bit limit and a 24-bit base, and the
high-order eight bits of the six-byte data operand are not used. If a 32-bit
operand is used, a 16-bit limit and a 32-bit base is loaded; the high-order
eight bits of the six-byte operand are used as high-order base address bits.

The SGDT and SIDT instructions always store into all 48 bits of the
six-byte data operand. With the 80286, the upper eight bits are undefined
after SGDT or SIDT is executed. With the 80386, the upper eight bits
are written with the high-order eight address bits, for both a 16-bit
operand and a 32-bit operand. If LGDT or LIDT is used with a 16-bit
operand to load the register stored by SGDT or SIDT, the upper eight
bits are stored as zeros.

LGDT and LIDT appear in operating system software; they are not used
in application programs. They are the only instructions that directly load
a linear address (i.e., not a segment relative address) in 80386 Protected
Mode.

Flags Affected

None

Protected Mode Exceptions

is a register; #GP(0) for an illegal memory operand effective address in
the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in
the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH; Interrupt 6 if the source operand is a
register


Note:
  These instructions are valid in Real Address Mode to allow
  power-up initialization for Protected Mode


Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


LGS/LSS/LDS/LES/LFS  Load Full Pointer

Opcode      Instruction      Clocks   Description

C5  /r      LDS r16,m16:16   7,p=22   Load DS:r16 with pointer from memory
C5  /r      LDS r32,m16:32   7,p=22   Load DS:r32 with pointer from memory
0F  B2 /r   LSS r16,m16:16   7,p=22   Load SS:r16 with pointer from memory
0F  B2 /r   LSS r32,m16:32   7,p=22   Load SS:r32 with pointer from memory
C4  /r      LES r16,m16:16   7,p=22   Load ES:r16 with pointer from memory
C4  /r      LES r32,m16:32   7,p=22   Load ES:r32 with pointer from memory
0F  B4 /r   LFS r16,m16:16   7,p=25   Load FS:r16 with pointer from memory
0F  B4 /r   LFS r32,m16:32   7,p=25   Load FS:r32 with pointer from memory
0F  B5 /r   LGS r16,m16:16   7,p=25   Load GS:r16 with pointer from memory
0F  B5 /r   LGS r32,m16:32   7,p=25   Load GS:r32 with pointer from memory


Operation

CASE instruction OF
   LSS: Sreg is SS; (* Load SS register *)
   LDS: Sreg is DS; (* Load DS register *)
   LES: Sreg is ES; (* Load ES register *)
   LFS: Sreg is FS; (* Load FS register *)
   LGS: Sreg is DS; (* Load GS register *)
ESAC;
IF (OperandSize = 16)
THEN
   r16  [Effective Address]; (* 16-bit transfer *)
   Sreg  [Effective Address + 2]; (* 16-bit transfer *)
   (* In Protected Mode, load the descriptor into the segment register *)
ELSE (* OperandSize = 32 *)
   r32  [Effective Address]; (* 32-bit transfer *)
   Sreg  [Effective Address + 4]; (* 16-bit transfer *)
   (* In Protected Mode, load the descriptor into the segment register *)
FI;

Description

These instructions read a full pointer from memory and store it in the
selected segment register:register pair. The full pointer loads 16 bits
into the segment register SS, DS, ES, FS, or GS. The other register loads 32
bits if the operand-size attribute is 32 bits, or loads 16 bits if the
operand-size attribute is 16 bits. The other 16- or 32-bit register to be
loaded is determined by the r16 or r32 register operand specified.

When an assignment is made to one of the segment registers, the
descriptor is also loaded into the segment register. The data for the
register is obtained from the descriptor table entry for the selector
given.

A null selector (values 0000-0003) can be loaded into DS, ES, FS, or
GS registers without causing a protection exception. (Any subsequent
reference to a segment whose corresponding segment register is loaded
with a null selector to address memory causes a #GP(0) exception. No
memory reference to the segment occurs.)

The following is a listing of the Protected Mode checks and actions taken in
the loading of a segment register:

IF SS is loaded:
   IF selector is null THEN #GP(0); FI;
   Selector index must be within its descriptor table limits ELSE
      #GP(selector);
   Selector's RPL must equal CPL ELSE #GP(selector);
   AR byte must indicate a writable data segment ELSE #GP(selector);
   DPL in the AR byte must equal CPL ELSE #GP(selector);
   Segment must be marked present ELSE #SS(selector);
   Load SS with selector;
   Load SS with descriptor;
IF DS, ES, FS, or GS is loaded with non-null selector:
   Selector index must be within its descriptor table limits ELSE
      #GP(selector);
   AR byte must indicate data or readable code segment ELSE
      #GP(selector);
   IF data or nonconforming code
   THEN both the RPL and the CPL must be less than or equal to DPL in
      AR byte;
   ELSE #GP(selector);
   Segment must be marked present ELSE #NP(selector);
Load segment register with selector and RPL bits;
Load segment register with descriptor;
IF DS, ES, FS or GS is loaded with a null selector:
   Clear descriptor valid bit;

Flags Affected

None

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
the second operand must be a memory operand, not a register; #GP(0)
if a null selector is loaded into SS; #PF(fault-code) for a page fault

Real Address Mode Exceptions

The second operand must be a memory operand, not a register; Interrupt
13 if any part of the operand would lie outside of the effective address
space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


LLDT  Load Local Descriptor Table Register

Opcode      Instruction      Clocks   Description

0F  00 /2   LLDT r/m16       20       Load selector r/m16 into LDTR


Operation

LDTR  SRC;

Description

LLDT loads the Local Descriptor Table register (LDTR). The word
operand (memory or register) to LLDT should contain a selector to the
Global Descriptor Table (GDT). The GDT entry should be a Local Descriptor
Table. If so, then the LDTR is loaded from the entry. The descriptor
registers DS, ES, SS, FS, GS, and CS are not affected. The LDT field in the
task state segment does not change.

The selector operand can be 0; if so, the LDTR is marked invalid. All
descriptor references (except by the LAR, VERR, VERW or LSL
instructions) cause a #GP fault.

LLDT is used in operating system software; it is not used in application
programs.

Flags Affected

None

Protected Mode Exceptions

selector operand does not point into the Global Descriptor Table, or if the
entry in the GDT is not a Local Descriptor Table; #NP(selector) if the
LDT descriptor is not present; #GP(0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 6; LLDT is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode (because the instruction is
not recognized, it will not execute or perform a memory reference)

Note

The operand-size attribute has no effect on this instruction.


LMSW  Load Machine Status Word

Opcode      Instruction      Clocks   Description

0F  01 /6   LMSW r/m16       10/13    Load r/m16 in machine status word


Operation

MSW  r/m16; (* 16 bits is stored in the machine status word *)

Description

LMSW loads the machine status word (part of CR0) from the source
operand. This instruction can be used to switch to Protected Mode; if so,
it must be followed by an intrasegment jump to flush the instruction
queue. LMSW will not switch back to Real Address Mode.

LMSW is used only in operating system software. It is not used in
application programs.

Flags Affected

None

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault

Notes

The operand-size attribute has no effect on this instruction. This
instruction is provided for compatibility with the 80286; 80386 programs
should use MOV CR0, ... instead.


LOCK  Assert LOCK# Signal Prefix

Opcode  Instruction  Clocks  Description

F0      LOCK         0       Assert LOCK# signal for the next instruction


Description

The LOCK prefix causes the LOCK# signal of the 80386 to be asserted
during execution of the instruction that follows it. In a multiprocessor
environment, this signal can be used to ensure that the 80386 has
exclusive use of any shared memory while LOCK# is asserted. The
read-modify-write sequence typically used to implement test-and-set on the
80386 is the BTS instruction.

The LOCK prefix functions only with the following instructions:

BT, BTS, BTR, BTC                   mem, reg/imm
XCHG                                reg, mem
XCHG                                mem, reg
ADD, OR, ADC, SBB, AND, SUB, XOR    mem, reg/imm
NOT, NEG, INC, DEC                  mem

An undefined opcode trap will be generated if a LOCK prefix is used
with any instruction not listed above.

XCHG always asserts LOCK# regardless of the presence or absence of
the LOCK prefix.

The integrity of the LOCK is not affected by the alignment of the
memory field. Memory locking is observed for arbitrarily misaligned
fields.

Locked access is not assured if another 80386 processor is executing an
instruction concurrently that has one of the following characteristics:

    Is not preceded by a LOCK prefix

    Is not one of the instructions in the preceding list

    Specifies a memory operand that does not exactly overlap the
     destination operand. Locking is not guaranteed for partial overlap,
     even if one memory operand is wholly contained within another.

Flags Affected

None

Protected Mode Exceptions

section above; other exceptions can be generated by the subsequent
(locked) instruction

Real Address Mode Exceptions

Interrupt 6 if LOCK is used with an instruction not listed in the
"Description" section above; exceptions can still be generated by the
subsequent (locked) instruction

Virtual 8086 Mode Exceptions

section above; exceptions can still be generated by the subsequent (locked)
instruction


LODS/LODSB/LODSW/LODSD  Load String Operand

Opcode  Instruction   Clocks   Description

AC      LODS m8       5        Load byte [(E)SI] into AL
AD      LODS m16      5        Load word [(E)SI] into AX
AD      LODS m32      5        Load dword [(E)SI] into EAX
AC      LODSB         5        Load byte DS:[(E)SI] into AL
AD      LODSW         5        Load word DS:[(E)SI] into AX
AD      LODSD         5        Load dword DS:[(E)SI] into EAX


Operation

IF AddressSize = 16
THEN use SI for source-index
ELSE (* AddressSize = 32 *)
   use ESI for source-index;
FI;
IF byte type of instruction
THEN
   AL  [source-index]; (* byte load *)
   IF DF = 0 THEN IncDec  1 ELSE IncDec  -1; FI;
ELSE
   IF OperandSize = 16
   THEN
      AX  [source-index]; (* word load *)
      IF DF = 0 THEN IncDec  2 ELSE IncDec  -2; FI;
   ELSE (* OperandSize = 32 *)
      EAX  [source-index]; (* dword load *)
      IF DF = 0 THEN IncDec  4 ELSE IncDec  -4; FI;
   FI;
FI;
source-index  source-index + IncDec

Description

LODS loads the AL, AX, or EAX register with the memory byte, word,
or doubleword at the location pointed to by the source-index register.
After the transfer is made, the source-index register is automatically
advanced. If the direction flag is 0 (CLD was executed), the source index
increments; if the direction flag is 1 (STD was executed), it decrements.
The increment or decrement is 1 if a byte is loaded, 2 if a word is loaded,
or 4 if a doubleword is loaded.

If the address-size attribute for this instruction is 16 bits, SI is used
for the source-index register; otherwise the address-size attribute is 32
bits, and the ESI register is used. The address of the source data is
determined solely by the contents of ESI/SI. Load the correct index value
into SI before executing the LODS instruction. LODSB, LODSW, LODSD are
synonyms for the byte, word, and doubleword LODS instructions.

LODS can be preceded by the REP prefix; however, LODS is used more typically
within a LOOP construct, because further processing of the data moved into
EAX, AX, or AL is usually necessary.

Flags Affected

None

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


LOOP/LOOPcond  Loop Control with CX Counter

Opcode   Instruction  Clocks  Description

E2  cb   LOOP rel8    11+m    DEC count; jump short if count <> 0
E1  cb   LOOPE rel8   11+m    DEC count; jump short if count <> 0 and ZF=1
E1  cb   LOOPZ rel8   11+m    DEC count; jump short if count <> 0 and ZF=1
E0  cb   LOOPNE rel8  11+m    DEC count; jump short if count <> 0 and ZF=0
E0  cb   LOOPNZ rel8  11+m    DEC count; jump short if count <> 0 and ZF=0


Operation

IF AddressSize = 16 THEN CountReg is CX ELSE CountReg is ECX; FI;
CountReg  CountReg - 1;
IF instruction <> LOOP
THEN
   IF (instruction = LOOPE) OR (instruction = LOOPZ)
   THEN BranchCond  (ZF = 1) AND (CountReg <> 0);
   FI;
   IF (instruction = LOOPNE) OR (instruction = LOOPNZ)
   THEN BranchCond  (ZF = 0) AND (CountReg <> 0);
   FI;
FI;

IF BranchCond
THEN
   IF OperandSize = 16
   THEN
      IP  IP + SignExtend(rel8);
   ELSE (* OperandSize = 32 *)
      EIP  EIP + SignExtend(rel8);
   FI;
FI;

Description

LOOP decrements the count register without changing any of the flags.
Conditions are then checked for the form of LOOP being used. If the
conditions are met, a short jump is made to the label given by the operand
to LOOP. If the address-size attribute is 16 bits, the CX register is used
as the count register; otherwise the ECX register is used. The operand
of LOOP must be in the range from 128 (decimal) bytes before the
instruction to 127 bytes ahead of the instruction.

The LOOP instructions provide iteration control and combine loop index
management with conditional branching. Use the LOOP instruction by
loading an unsigned iteration count into the count register, then code the
LOOP at the end of a series of instructions to be iterated. The
destination of LOOP is a label that points to the beginning of the
iteration.

Flags Affected

None

Protected Mode Exceptions

segment

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


LSL  Load Segment Limit

Opcode       Instruction      Clocks      Description

0F  03 /r    LSL r16,r/m16    pm=20/21    Load: r16  segment limit,
                                          selector r/m16 (byte granular)
0F  03 /r    LSL r32,r/m32    pm=20/21    Load: r32  segment limit,
                                          selector r/m32 (byte granular)
0F  03 /r    LSL r16,r/m16    pm=25/26    Load: r16  segment limit,
                                          selector r/m16 (page granular)
0F  03 /r    LSL r32,r/m32    pm=25/26    Load: r32  segment limit,
                                          selector r/m32 (page granular)


Description

The LSL instruction loads a register with an unscrambled segment limit,
and sets ZF to 1, provided that the source selector is visible at the CPL
weakened by RPL, and that the descriptor is a type accepted by LSL.
Otherwise, ZF is cleared to 0, and the destination register is unchanged.
The segment limit is loaded as a byte granular value. If the descriptor
has a page granular segment limit, LSL will translate it to a byte limit
before loading it in the destination register (shift left 12 the 20-bit
"raw" limit from descriptor, then OR with 00000FFFH).

The 32-bit forms of this instruction store the 32-bit byte granular limit
in the 16-bit destination register.

Code and data segment descriptors are valid for LSL.

The valid special segment and gate descriptor types for LSL are given
in the following table:

Type   Name                      Valid/Invalid

  0    Invalid                   Invalid
  1    Available 80286 TSS       Valid
  2    LDT                       Valid
  3    Busy 80286 TSS            Valid
  4    80286 call gate           Invalid
  5    80286/80386 task gate     Invalid
  6    80286 trap gate           Invalid
  7    80286 interrupt gate      Invalid
  8    Invalid                   Valid
  9    Available 80386 TSS       Valid
  A    Invalid                   Invalid
  B    Busy 80386 TSS            Valid
  C    80386 call gate           Invalid
  D    Invalid                   Invalid
  E    80386 trap gate           Invalid
  F    80386 interrupt gate      Invalid

Flags Affected

ZF as described above

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 6; LSL is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode


LTR  Load Task Register

Opcode       Instruction    Clocks    Description

0F  00 /3    LTR r/m16      pm=23/27  Load EA word into task register


Description

LTR loads the task register from the source register or memory location
specified by the operand. The loaded task state segment is marked busy.
A task switch does not occur.

LTR is used only in operating system software; it is not used in
application programs.

Flags Affected

None

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
named by the source selector is not a TSS or is already busy;
a page fault

Real Address Mode Exceptions

Interrupt 6; LTR is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode

Notes

The operand-size attribute has no effect on this instruction.


MOV  Move Data


Opcode   Instruction       Clocks        Description

88  /r   MOV r/m8,r8       2/2           Move byte register to r/m byte
89  /r   MOV r/m16,r16     2/2           Move word register to r/m word
89  /r   MOV r/m32,r32     2/2           Move dword register to r/m dword
8A  /r   MOV r8,r/m8       2/4           Move r/m byte to byte register
8B  /r   MOV r16,r/m16     2/4           Move r/m word to word register
8B  /r   MOV r32,r/m32     2/4           Move r/m dword to dword register
8C  /r   MOV r/m16,Sreg    2/2           Move segment register to r/m word
8D  /r   MOV Sreg,r/m16    2/5,pm=18/19  Move r/m word to segment register
A0       MOV AL,moffs8     4             Move byte at (seg:offset) to AL
A1       MOV AX,moffs16    4             Move word at (seg:offset) to AX
A1       MOV EAX,moffs32   4             Move dword at (seg:offset) to EAX
A2       MOV moffs8,AL     2             Move AL to (seg:offset)
A3       MOV moffs16,AX    2             Move AX to (seg:offset)
A3       MOV moffs32,EAX   2             Move EAX to (seg:offset)
B0 + rb  MOV reg8,imm8     2             Move immediate byte to register
B8 + rw  MOV reg16,imm16   2             Move immediate word to register
B8 + rd  MOV reg32,imm32   2             Move immediate dword to register
C6       MOV r/m8,imm8     2/2           Move immediate byte to r/m byte
C7       MOV r/m16,imm16   2/2           Move immediate word to r/m word
C7       MOV r/m32,imm32   2/2           Move immediate dword to r/m dword



NOTES:
  moffs8, moffs16, and moffs32 all consist of a simple offset relative
  to the segment base. The 8, 16, and 32 refer to the size of the data. The
  address-size attribute of the instruction determines the size of the
  offset, either 16 or 32 bits.


Operation

DEST  SRC;

Description

MOV copies the second operand to the first operand.

If the destination operand is a segment register (DS, ES, SS, etc.), then
data from a descriptor is also loaded into the register. The data for the
register is obtained from the descriptor table entry for the selector
given. A null selector (values 0000-0003) can be loaded into DS and ES
registers without causing an exception; however, use of DS or ES causes a

A MOV into SS inhibits all interrupts until after the execution of the
next instruction (which is presumably a MOV into eSP).

Loading a segment register under 80386 Protected Mode results in special
checks and actions, as described in the following listing:

IF SS is loaded;
THEN
   IF selector is null THEN #GP(0);
FI;
   Selector index must be within its descriptor table limits else
      #GP(selector);
   Selector's RPL must equal CPL else #GP(selector);
AR byte must indicate a writable data segment else #GP(selector);
   DPL in the AR byte must equal CPL else #GP(selector);
   Segment must be marked present else #SS(selector);
   Load SS with selector;
   Load SS with descriptor.
FI;
IF DS, ES, FS or GS is loaded with non-null selector;
THEN
   Selector index must be within its descriptor table limits
      else #GP(selector);
   AR byte must indicate data or readable code segment else
      #GP(selector);
   IF data or nonconforming code segment
   THEN both the RPL and the CPL must be less than or equal to DPL in
      AR byte;
   ELSE #GP(selector);
   FI;
   Segment must be marked present else #NP(selector);
   Load segment register with selector;
   Load segment register with descriptor;
FI;
IF DS, ES, FS or GS is loaded with a null selector;
THEN
   Load segment register with selector;
   Clear descriptor valid bit;
FI;

Flags Affected

None

Protected Mode Exceptions

illegal memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


MOV  Move to/from Special Registers

Opcode      Instruction           Clocks   Description

0F  20 /r   MOV r32,CR0/CR2/CR3   6        Move (control register) to
                                           (register)
0F  22 /r   MOV CR0/CR2/CR3,r32   10/4/5   Move (register) to (control
                                           register)
0F  21 /r   MOV r32,DR0 -- 3      22       Move (debug register) to
                                           (register)
0F  21 /r   MOV r32,DR6/DR7       14       Move (debug register) to
                                           (register)
0F  23 /r   MOV DR0 -- 3,r32      22       Move (register) to (debug
                                           register)
0F  23 /r   MOV DR6/DR7,r32       16       Move (register) to (debug
                                           register)
0F  24 /r   MOV r32,TR6/TR7       12       Move (test register) to
                                           (register)
0F  26 /r   MOV TR6/TR7,r32       12       Move (register) to (test
                                           register)


Operation

DEST  SRC;

Description

The above forms of MOV store or load the following special registers in
or from a general purpose register:

    Control registers CR0, CR2, and CR3
    Debug Registers DR0, DR1, DR2, DR3, DR6, and DR7
    Test Registers TR6 and TR7

32-bit operands are always used with these instructions, regardless of the
operand-size attribute.

Flags Affected

OF, SF, ZF, AF, PF, and CF are undefined

Protected Mode Exceptions


Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions


Notes

The instructions must be executed at privilege level 0 or in real-address
mode; otherwise, a protection exception will be raised.

The reg field within the ModRM byte specifies which of the special
registers in each category is involved. The two bits in the  field are
always 11. The r/m field specifies the general register involved.


MOVS/MOVSB/MOVSW/MOVSD  Move Data from String to String

Opcode  Instruction      Clocks   Description

A4      MOVS m8,m8       7        Move byte [(E)SI] to ES:[(E)DI]
A5      MOVS m16,m16     7        Move word [(E)SI] to ES:[(E)DI]
A5      MOVS m32,m32     7        Move dword [(E)SI] to ES:[(E)DI]
A4      MOVSB            7        Move byte DS:[(E)SI] to ES:[(E)DI]
A5      MOVSW            7        Move word DS:[(E)SI] to ES:[(E)DI]
A5      MOVSD            7        Move dword DS:[(E)SI] to ES:[(E)DI]


Operation

IF (instruction = MOVSD) OR (instruction has doubleword operands)
THEN OperandSize  32;
ELSE OperandSize  16;
IF AddressSize = 16
THEN use SI for source-index and DI for destination-index;
ELSE (* AddressSize = 32 *)
   use ESI for source-index and EDI for destination-index;
FI;
IF byte type of instruction
THEN
   [destination-index]  [source-index]; (* byte assignment *)
   IF DF = 0 THEN IncDec  1 ELSE IncDec  -1; FI;
ELSE
   IF OperandSize = 16
   THEN
      [destination-index]  [source-index]; (* word assignment *)
      IF DF = 0 THEN IncDec  2 ELSE IncDec  -2; FI;
   ELSE (* OperandSize = 32 *)
      [destination-index]  [source-index]; (* doubleword assignment *)
      IF DF = 0 THEN IncDec  4 ELSE IncDec  -4; FI;
   FI;
FI;
source-index  source-index + IncDec;
destination-index  destination-index + IncDec;

Description

MOVS copies the byte or word at [(E)SI] to the byte or word at
ES:[(E)DI]. The destination operand must be addressable from the ES
register; no segment override is possible for the destination. A segment
override can be used for the source operand; the default is DS.

The addresses of the source and destination are determined solely by the
contents of (E)SI and (E)DI. Load the correct index values into (E)SI
and (E)DI before executing the MOVS instruction. MOVSB, MOVSW,
and MOVSD are synonyms for the byte, word, and doubleword MOVS
instructions.

After the data is moved, both (E)SI and (E)DI are advanced
automatically. If the direction flag is 0 (CLD was executed), the registers
are incremented; if the direction flag is 1 (STD was executed), the
registers are decremented. The registers are incremented or decremented by 1
if a byte was moved, 2 if a word was moved, or 4 if a doubleword was moved.

MOVS can be preceded by the REP prefix for block movement of CX
bytes or words. Refer to the REP instruction for details of this operation.

Flags Affected

None

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


MOVSX  Move with Sign-Extend

Opcode     Instruction        Clocks   Description

0F  BE /r  MOVSX r16,r/m8     3/6      Move byte to word with sign-extend
0F  BE /r  MOVSX r32,r/m8     3/6      Move byte to dword, sign-extend
0F  BF /r  MOVSX r32,r/m16    3/6      Move word to dword, sign-extend


Operation

DEST  SignExtend(SRC);

Description

MOVSX reads the contents of the effective address or register as a byte
or a word, sign-extends the value to the operand-size attribute of the
instruction (16 or 32 bits), and stores the result in the destination
register.

Flags Affected

None

Protected Mode Exceptions

ES, FS or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


MOVZX  Move with Zero-Extend

Opcode      Instruction        Clocks   Description

0F  B6 /r   MOVZX r16,r/m8     3/6      Move byte to word with zero-extend
0F  B6 /r   MOVZX r32,r/m8     3/6      Move byte to dword, zero-extend
0F  B7 /r   MOVZX r32,r/m16    3/6      Move word to dword, zero-extend


Operation

DEST  ZeroExtend(SRC);

Description

MOVZX reads the contents of the effective address or register as a byte
or a word, zero extends the value to the operand-size attribute of the
instruction (16 or 32 bits), and stores the result in the destination
register.

Flags Affected

None

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


MUL  Unsigned Multiplication of AL or AX

Opcode  Instruction     Clocks       Description

F6  /4  MUL AL,r/m8     9-14/12-17   Unsigned multiply (AX  AL * r/m byte)
F7  /4  MUL AX,r/m16    9-22/12-25   Unsigned multiply (DX:AX  AX * r/m
                                     word)
F7  /4  MUL EAX,r/m32   9-38/12-41   Unsigned multiply (EDX:EAX  EAX * r/m
                                     dword)



NOTES:
  The 80386 uses an early-out multiply algorithm. The actual number of
  clocks depends on the position of the most significant bit in the 
  optimizing multiplier, shown underlined above. The optimization occurs
  for positive and negative multiplier values. Because of the early-out
  algorithm, clock counts given are minimum to maximum. To calculate the
  actual clocks, use the following formula:

    Actual clock = if  <> 0 then max(ceiling(log{2} m), 3) + 6 clocks;

    Actual clock = if  = 0 then 9 clocks

  where m is the multiplier.


Operation

IF byte-size operation
THEN AX  AL * r/m8
ELSE (* word or doubleword operation *)
   IF OperandSize = 16
   THEN DX:AX  AX * r/m16
   ELSE (* OperandSize = 32 *)
      EDX:EAX  EAX * r/m32
   FI;
FI;

Description

MUL performs unsigned multiplication. Its actions depend on the size
of its operand, as follows:

    A byte operand is multiplied by AL; the result is left in AX. The
     carry and overflow flags are set to 0 if AH is 0; otherwise, they are
     set to 1.

    A word operand is multiplied by AX; the result is left in DX:AX.
     DX contains the high-order 16 bits of the product. The carry and
     overflow flags are set to 0 if DX is 0; otherwise, they are set to 1.

    A doubleword operand is multiplied by EAX and the result is left in
     EDX:EAX. EDX contains the high-order 32 bits of the product. The
     carry and overflow flags are set to 0 if EDX is 0; otherwise, they are
     set to 1.

Flags Affected

OF and CF as described above; SF, ZF, AF, PF, and CF are undefined

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


NEG  Two's Complement Negation

Opcode  Instruction   Clocks    Description

F6  /3  NEG r/m8      2/6       Two's complement negate r/m byte
F7  /3  NEG r/m16     2/6       Two's complement negate r/m word
F7  /3  NEG r/m32     2/6       Two's complement negate r/m dword


Operation

IF r/m = 0 THEN CF  0 ELSE CF  1; FI;
r/m  - r/m;

Description

NEG replaces the value of a register or memory operand with its two's
complement. The operand is subtracted from zero, and the result is placed
in the operand.

The carry flag is set to 1, unless the operand is zero, in which case the
carry flag is cleared to 0.

Flags Affected

CF as described above; OF, SF, ZF, and PF as described in Appendix C

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
fault


NOP  No Operation

Opcode  Instruction   Clocks    Description

90      NOP           3         No operation


Description

NOP performs no operation. NOP is a one-byte instruction that takes
up space but affects none of the machine context except (E)IP.

NOP is an alias mnemonic for the XCHG (E)AX, (E)AX instruction.

Flags Affected

None

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


NOT  One's Complement Negation

Opcode    Instruction   Clocks    Description

F6   /2   NOT r/m8       2/6      Reverse each bit of r/m byte
F7   /2   NOT r/m16      2/6      Reverse each bit of r/m word
F7   /2   NOT r/m32      2/6      Reverse each bit of r/m dword


Operation

r/m  NOT r/m;

Description

NOT inverts the operand; every 1 becomes a 0, and vice versa.

Flags Affected

None

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
fault


OR  Logical Inclusive OR

Opcode       Instruction       Clocks    Description

0C  ib       OR AL,imm8        2         OR immediate byte to AL
0D  iw       OR AX,imm16       2         OR immediate word to AX
0D  id       OR EAX,imm32      2         OR immediate dword to EAX
80  /1 ib    OR r/m8,imm8      2/7       OR immediate byte to r/m byte
81  /1 iw    OR r/m16,imm16    2/7       OR immediate word to r/m word
81  /1 id    OR r/m32,imm32    2/7       OR immediate dword to r/m dword
83  /1 ib    OR r/m16,imm8     2/7       OR sign-extended immediate byte
                                         with r/m word
83  /1 ib    OR r/m32,imm8     2/7       OR sign-extended immediate byte
                                         with r/m dword
08  /r       OR r/m8,r8        2/6       OR byte register to r/m byte
09  /r       OR r/m16,r16      2/6       OR word register to r/m word
09  /r       OR r/m32,r32      2/6       OR dword register to r/m dword
0A  /r       OR r8,r/m8        2/7       OR byte register to r/m byte
0B  /r       OR r16,r/m16      2/7       OR word register to r/m word
0B  /r       OR r32,r/m32      2/7       OR dword register to r/m dword


Operation

DEST  DEST OR SRC;
CF  0;
OF  0

Description

OR computes the inclusive OR of its two operands and places the result
in the first operand. Each bit of the result is 0 if both corresponding
bits of the operands are 0; otherwise, each bit is 1.

Flags Affected

OF  0, CF  0; SF, ZF, and PF as described in Appendix C; AF is
undefined

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
fault


OUT  Output to Port

Opcode    Instruction     Clocks          Description

E6  ib    OUT imm8,AL     10,pm=4*/24**   Output byte AL to immediate port
                                          number
E7  ib    OUT imm8,AX     10,pm=4*/24**   Output word AL to immediate port
                                          number
E7  ib    OUT imm8,EAX    10,pm=4*/24**   Output dword AL to immediate
                                          port number
EE        OUT DX,AL       11,pm=5*/25**   Output byte AL to port number in
DX
EF        OUT DX,AX       11,pm=5*/25**   Output word AL to port number in
DX
EF        OUT DX,EAX      11,pm=5*/25**   Output dword AL to port number
                                          in DX



NOTES:
   *If CPL  IOPL
  **If CPL > IOPL or if in virtual 8086 mode


Operation

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (DEST, width(DEST))
   THEN #GP(0);
   FI;
FI;
[DEST]  SRC; (* I/O address space used *)

Description

OUT transfers a data byte or data word from the register (AL, AX, or
EAX) given as the second operand to the output port numbered by the
first operand. Output to any port from 0 to 65535 is performed by placing
the port number in the DX register and then using an OUT instruction
with DX as the first operand. If the instruction contains an eight-bit port
ID, that value is zero-extended to 16 bits.

Flags Affected

None

Protected Mode Exceptions

IOPL and any of the corresponding I/O permission bits in TSS equals 1

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

equals 1


OUTS/OUTSB/OUTSW/OUTSD  Output String to Port

Opcode   Instruction     Clocks          Description

6E       OUTS DX,r/m8    14,pm=8*/28**   Output byte [(E)SI] to port in DX
6F       OUTS DX,r/m16   14,pm=8*/28**   Output word [(E)SI] to port in DX
6F       OUTS DX,r/m32   14,pm=8*/28**   Output dword [(E)SI] to port in DX
6E       OUTSB           14,pm=8*/28**   Output byte DS:[(E)SI] to port in
                                         DX
6F       OUTSW           14,pm=8*/28**   Output word DS:[(E)SI] to port in
                                         DX
6F       OUTSD           14,pm=8*/28**   Output dword DS:[(E)SI] to port in
                                         DX



NOTES:
   *If CPL  IOPL
  **If CPL > IOPL or if in virtual 8086 mode


Operation

IF AddressSize = 16
THEN use SI for source-index;
ELSE (* AddressSize = 32 *)
   use ESI for source-index;
FI;

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (DEST, width(DEST))
   THEN #GP(0);
   FI;
FI;
IF byte type of instruction
THEN
   [DX]  [source-index]; (* Write byte at DX I/O address *)
   IF DF = 0 THEN IncDec  1 ELSE IncDec  -1; FI;
FI;
IF OperandSize = 16
THEN
   [DX]  [source-index]; (* Write word at DX I/O address *)
   IF DF = 0 THEN IncDec  2 ELSE IncDec  -2; FI;
FI;
IF OperandSize = 32
THEN
   [DX]  [source-index]; (* Write dword at DX I/O address *)
   IF DF = 0 THEN IncDec  4 ELSE IncDec  -4; FI;
   FI;
FI;
source-index  source-index + IncDec;

Description

OUTS transfers data from the memory byte, word, or doubleword at the
source-index register to the output port addressed by the DX register. If
the address-size attribute for this instruction is 16 bits, SI is used for
the source-index register; otherwise, the address-size attribute is 32 bits,
and ESI is used for the source-index register.

OUTS does not allow specification of the port number as an immediate value.
The port must be addressed through the DX register value. Load the correct
value into DX before executing the OUTS instruction.

The address of the source data is determined by the contents of
source-index register. Load the correct index value into SI or ESI before
executing the OUTS instruction.

After the transfer, source-index register is advanced automatically. If
the direction flag is 0 (CLD was executed), the source-index register is
incremented; if the direction flag is 1 (STD was executed), it is
decremented. The amount of the increment or decrement is 1 if a byte is
output, 2 if a word is output, or 4 if a doubleword is output.

OUTSB, OUTSW, and OUTSD are synonyms for the byte, word, and
doubleword OUTS instructions. OUTS can be preceded by the REP
prefix for block output of CX bytes or words. Refer to the REP
instruction for details on this operation.

Flags Affected

None

Protected Mode Exceptions

permission bits in TSS equals 1; #GP(0) for an illegal memory operand
effective address in the CS, DS, or ES segments; #SS(0) for an illegal
address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

equals 1; #PF(fault-code) for a page fault


POP  Pop a Word from the Stack

Opcode      Instruction   Clocks     Description

8F   /0     POP m16       5          Pop top of stack into memory word
8F   /0     POP m32       5          Pop top of stack into memory dword
58 + rw     POP r16       4          Pop top of stack into word register
58 + rd     POP r32       4          Pop top of stack into dword register
1F          POP DS        7,pm=21    Pop top of stack into DS
07          POP ES        7,pm=21    Pop top of stack into ES
17          POP SS        7,pm=21    Pop top of stack into SS
0F   A1     POP FS        7,pm=21    Pop top of stack into FS
0F   A9     POP GS        7,pm=21    Pop top of stack into GS


Operation

IF StackAddrSize = 16
THEN
   IF OperandSize = 16
   THEN
      DEST  (SS:SP); (* copy a word *)
      SP  SP + 2;
   ELSE (* OperandSize = 32 *)
      DEST  (SS:SP); (* copy a dword *)
      SP  SP + 4;
   FI;
ELSE (* StackAddrSize = 32 * )
   IF OperandSize = 16
   THEN
      DEST  (SS:ESP); (* copy a word *)
      ESP  ESP + 2;
   ELSE (* OperandSize = 32 *)
      DEST  (SS:ESP); (* copy a dword *)
      ESP  ESP + 4;
   FI;
FI;

Description

POP replaces the previous contents of the memory, the register, or the
segment register operand with the word on the top of the 80386 stack,
addressed by SS:SP (address-size attribute of 16 bits) or SS:ESP
(addresssize attribute of 32 bits). The stack pointer SP is incremented
by 2 for an operand-size of 16 bits or by 4 for an operand-size of 32 bits.
It then points to the new top of stack.

POP CS is not an 80386 instruction. Popping from the stack into the CS
register is accomplished with a RET instruction.

If the destination operand is a segment register (DS, ES, FS, GS, or
SS), the value popped must be a selector. In protected mode, loading the
selector initiates automatic loading of the descriptor information
associated with that selector into the hidden part of the segment register;
loading also initiates validation of both the selector and the descriptor
information.

A null value (0000-0003) may be popped into the DS, ES, FS, or GS
register without causing a protection exception. An attempt to reference
a segment whose corresponding segment register is loaded with a null
value causes a #GP(0) exception. No memory reference occurs. The saved
value of the segment register is null.

A POP SS instruction inhibits all interrupts, including NMI, until after
execution of the next instruction. This allows sequential execution of POP
SS and POP eSP instructions without danger of having an invalid stack
during an interrupt. However, use of the LSS instruction is the preferred
method of loading the SS and eSP registers.

Loading a segment register while in protected mode results in special
checks and actions, as described in the following listing:

IF SS is loaded:
   IF selector is null THEN #GP(0);
   Selector index must be within its descriptor table limits ELSE
      #GP(selector);
   Selector's RPL must equal CPL ELSE #GP(selector);
   AR byte must indicate a writable data segment ELSE #GP(selector);
   DPL in the AR byte must equal CPL ELSE #GP(selector);
   Segment must be marked present ELSE #SS(selector);
   Load SS register with selector;
   Load SS register with descriptor;

IF DS, ES, FS or GS is loaded with non-null selector:
   AR byte must indicate data or readable code segment ELSE
      #GP(selector);
   IF data or nonconforming code
   THEN both the RPL and the CPL must be less than or equal to DPL in
      AR byte
   ELSE #GP(selector);
   FI;
   Segment must be marked present ELSE #NP(selector);
   Load segment register with selector;
   Load segment register with descriptor;

IF DS, ES, FS, or GS is loaded with a null selector:
   Load segment register with selector
   Clear valid bit in invisible portion of register

Flags Affected

None

Protected Mode Exceptions

current top of stack is not within the stack segment; #GP(0) if the result
is in a nonwritable segment; #GP(0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
fault


POPA/POPAD  Pop all General Registers

Opcode   Instruction   Clocks   Description

61       POPA          24       Pop DI, SI, BP, SP, BX, DX, CX, and AX
61       POPAD         24       Pop EDI, ESI, EBP, ESP, EDX, ECX, and EAX


Operation

IF OperandSize = 16 (* instruction = POPA *)
THEN
   DI  Pop();
   SI  Pop();
   BP  Pop();
   throwaway  Pop (); (* Skip SP *)
   BX  Pop();
   DX  Pop();
   CX  Pop();
   AX  Pop();
ELSE (* OperandSize = 32, instruction = POPAD *)
   EDI  Pop();
   ESI  Pop();
   EBP  Pop();
   throwaway  Pop (); (* Skip ESP *)
   EBX  Pop();
   EDX  Pop();
   ECX  Pop();
   EAX  Pop();
FI;

Description

POPA pops the eight 16-bit general registers. However, the SP value is
discarded instead of loaded into SP. POPA reverses a previous PUSHA,
restoring the general registers to their values before PUSHA was
executed. The first register popped is DI.

POPAD pops the eight 32-bit general registers. The ESP value is
discarded instead of loaded into ESP. POPAD reverses the previous
PUSHAD, restoring the general registers to their values before PUSHAD
was executed. The first register popped is EDI.

Flags Affected

None

Protected Mode Exceptions

segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
fault


POPF/POPFD  Pop Stack into FLAGS or EFLAGS Register

Opcode   Instruction   Clocks   Description

9D       POPF          5        Pop top of stack FLAGS
9D       POPFD         5        Pop top of stack into EFLAGS


Operation

Flags  Pop();

Description

POPF/POPFD pops the word or doubleword on the top of the stack and
stores the value in the flags register. If the operand-size attribute of
the instruction is 16 bits, then a word is popped and the value is stored in
FLAGS. If the operand-size attribute is 32 bits, then a doubleword is popped
and the value is stored in EFLAGS.

Refer to Chapter 2 and Chapter 4 for information about the FLAGS
and EFLAGS registers. Note that bits 16 and 17 of EFLAGS, called
VM and RF, respectively, are not affected by POPF or POPFD.

The I/O privilege level is altered only when executing at privilege level
0. The interrupt flag is altered only when executing at a level at least as
privileged as the I/O privilege level. (Real-address mode is equivalent to
privilege level 0.) If a POPF instruction is executed with insufficient
privilege, an exception does not occur, but the privileged bits do not
change.

Flags Affected

All flags except VM and RF

Protected Mode Exceptions


Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions



PUSH  Push Operand onto the Stack

Opcode     Instruction   Clocks   Description

FF   /6    PUSH m16      5        Push memory word
FF   /6    PUSH m32      5        Push memory dword
50 + /r    PUSH r16      2        Push register word
50 + /r    PUSH r32      2        Push register dword
6A         PUSH imm8     2        Push immediate byte
68         PUSH imm16    2        Push immediate word
68         PUSH imm32    2        Push immediate dword
0E         PUSH CS       2        Push CS
16         PUSH SS       2        Push SS
1E         PUSH DS       2        Push DS
06         PUSH ES       2        Push ES
0F   A0    PUSH FS       2        Push FS
OF   A8    PUSH GS       2        Push GS


Operation

IF StackAddrSize = 16
THEN
   IF OperandSize = 16 THEN
      SP  SP - 2;
      (SS:SP)  (SOURCE); (* word assignment *)
   ELSE
      SP  SP - 4;
      (SS:SP)  (SOURCE); (* dword assignment *)
   FI;
ELSE (* StackAddrSize = 32 *)
   IF OperandSize = 16
   THEN
      ESP  ESP - 2;
      (SS:ESP)  (SOURCE); (* word assignment *)
   ELSE
      ESP  ESP - 4;
      (SS:ESP)  (SOURCE); (* dword assignment *)
   FI;
FI;

Description

PUSH decrements the stack pointer by 2 if the operand-size attribute of
the instruction is 16 bits; otherwise, it decrements the stack pointer by
4. PUSH then places the operand on the new top of stack, which is
pointed to by the stack pointer.

The 80386 PUSH eSP instruction pushes the value of eSP as it existed
before the instruction. This differs from the 8086, where PUSH SP
pushes the new value (decremented by 2).

Flags Affected

None

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

None; if SP or ESP is 1, the 80386 shuts down due to a lack of stack
space

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
fault


PUSHA/PUSHAD  Push all General Registers

Opcode  Instruction  Clocks   Description

60      PUSHA        18       Push AX, CX, DX, BX, original SP, BP, SI, and
                              DI
60      PUSHAD       18       Push EAX, ECX, EDX, EBX, original ESP, EBP,
                              ESI, and EDI


Operation

IF OperandSize = 16 (* PUSHA instruction *)
THEN
   Temp  (SP);
   Push(AX);
   Push(CX);
   Push(DX);
   Push(BX);
   Push(Temp);
   Push(BP);
   Push(SI);
   Push(DI);
ELSE (* OperandSize = 32, PUSHAD instruction *)
   Temp  (ESP);
   Push(EAX);
   Push(ECX);
   Push(EDX);
   Push(EBX);
   Push(Temp);
   Push(EBP);
   Push(ESI);
   Push(EDI);
FI;

Description

PUSHA and PUSHAD save the 16-bit or 32-bit general registers,
respectively, on the 80386 stack. PUSHA decrements the stack pointer
(SP) by 16 to hold the eight word values. PUSHAD decrements the
stack pointer (ESP) by 32 to hold the eight doubleword values. Because
the registers are pushed onto the stack in the order in which they were
given, they appear in the 16 or 32 new stack bytes in reverse order. The
last register pushed is DI or EDI.

Flags Affected

None

Protected Mode Exceptions

limit; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Before executing PUSHA or PUSHAD, the 80386 shuts down if SP or
ESP equals 1, 3, or 5; if SP or ESP equals 7, 9, 11, 13, or 15, exception
13 occurs

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page
fault


PUSHF/PUSHFD  Push Flags Register onto the Stack

Opcode  Instruction  Clocks   Description

9C      PUSHF        4        Push FLAGS
9C      PUSHFD       4        Push EFLAGS


Operation

IF OperandSize = 32
THEN push(EFLAGS);
ELSE push(FLAGS);
FI;

Description

PUSHF decrements the stack pointer by 2 and copies the FLAGS
register to the new top of stack; PUSHFD decrements the stack pointer by
4, and the 80386 EFLAGS register is copied to the new top of stack
which is pointed to by SS:eSP. Refer to Chapter 2 and Chapter 4 for
information on the EFLAGS register.

Flags Affected

None

Protected Mode Exceptions


Real Address Mode Exceptions

None; the 80386 shuts down due to a lack of stack space

Virtual 8086 Mode Exceptions



RCL/RCR/ROL/ROR  Rotate


Opcode       Instruction       Clocks  Description

D0  /2       RCL r/m8,1        9/10    Rotate 9 bits (CF,r/m byte) left
                                       once
D2  /2       RCL r/m8,CL       9/10    Rotate 9 bits (CF,r/m byte) left CL
                                       times
C0  /2 ib    RCL r/m8,imm8     9/10    Rotate 9 bits (CF,r/m byte) left
                                       imm8 times
D1  /2       RCL r/m16,1       9/10    Rotate 17 bits (CF,r/m word) left
                                       once
D3  /2       RCL r/m16,CL      9/10    Rotate 17 bits (CF,r/m word) left
                                       CL times
C1  /2 ib    RCL r/m16,imm8    9/10    Rotate 17 bits (CF,r/m word) left
                                       imm8 times
D1  /2       RCL r/m32,1       9/10    Rotate 33 bits (CF,r/m dword) left
                                       once
D3  /2       RCL r/m32,CL      9/10    Rotate 33 bits (CF,r/m dword) left
                                       CL times
C1  /2 ib    RCL r/m32,imm8    9/10    Rotate 33 bits (CF,r/m dword) left
                                       imm8 times
D0  /3       RCR r/m8,1        9/10    Rotate 9 bits (CF,r/m byte) right
                                       once
D2  /3       RCR r/m8,CL       9/10    Rotate 9 bits (CF,r/m byte) right
                                       CL times
C0  /3 ib    RCR r/m8,imm8     9/10    Rotate 9 bits (CF,r/m byte) right
                                       imm8 times
D1  /3       RCR r/m16,1       9/10    Rotate 17 bits (CF,r/m word) right
                                       once
D3  /3       RCR r/m16,CL      9/10    Rotate 17 bits (CF,r/m word) right
                                       CL times
C1  /3 ib    RCR r/m16,imm8    9/10    Rotate 17 bits (CF,r/m word) right
                                       imm8 times
D1  /3       RCR r/m32,1       9/10    Rotate 33 bits (CF,r/m dword) right
                                       once
D3  /3       RCR r/m32,CL      9/10    Rotate 33 bits (CF,r/m dword) right
                                       CL times
C1  /3 ib    RCR r/m32,imm8    9/10    Rotate 33 bits (CF,r/m dword) right
                                       imm8 times
D0  /0       ROL r/m8,1        3/7     Rotate 8 bits r/m byte left once
D2  /0       ROL r/m8,CL       3/7     Rotate 8 bits r/m byte left CL
                                       times
C0  /0 ib    ROL r/m8,imm8     3/7     Rotate 8 bits r/m byte left imm8
                                       times
D1  /0       ROL r/m16,1       3/7     Rotate 16 bits r/m word left once
D3  /0       ROL r/m16,CL      3/7     Rotate 16 bits r/m word left CL
                                       times
C1  /0 ib    ROL r/m16,imm8    3/7     Rotate 16 bits r/m word left imm8
                                       times
D1  /0       ROL r/m32,1       3/7     Rotate 32 bits r/m dword left once
D3  /0       ROL r/m32,CL      3/7     Rotate 32 bits r/m dword left CL
                                       times
C1  /0 ib    ROL r/m32,imm8    3/7     Rotate 32 bits r/m dword left imm8
                                       times
D0  /1       ROR r/m8,1        3/7     Rotate 8 bits r/m byte right once
D2  /1       ROR r/m8,CL       3/7     Rotate 8 bits r/m byte right CL
                                       times
C0  /1 ib    ROR r/m8,imm8     3/7     Rotate 8 bits r/m word right imm8
                                       times
D1  /1       ROR r/m16,1       3/7     Rotate 16 bits r/m word right once
D3  /1       ROR r/m16,CL      3/7     Rotate 16 bits r/m word right CL
                                       times
C1  /1 ib    ROR r/m16,imm8    3/7     Rotate 16 bits r/m word right imm8
                                       times
D1  /1       ROR r/m32,1       3/7     Rotate 32 bits r/m dword right once
D3  /1       ROR r/m32,CL      3/7     Rotate 32 bits r/m dword right CL
                                       times
C1  /1 ib    ROR r/m32,imm8    3/7     Rotate 32 bits r/m dword right imm8
                                       times


Operation

(* ROL - Rotate Left *)
temp  COUNT;
WHILE (temp <> 0)
DO
   tmpcf  high-order bit of (r/m);
   r/m  r/m * 2 + (tmpcf);
   temp  temp - 1;
OD;
IF COUNT = 1
THEN
   IF high-order bit of r/m <> CF
   THEN OF  1;
   ELSE OF  0;
   FI;
ELSE OF  undefined;
FI;
(* ROR - Rotate Right *)
temp  COUNT;
WHILE (temp <> 0 )
DO
   tmpcf  low-order bit of (r/m);
   r/m  r/m / 2 + (tmpcf * 2^(width(r/m)));
   temp  temp - 1;
DO;
IF COUNT = 1
THEN
   IF (high-order bit of r/m) <> (bit next to high-order bit of r/m)
   THEN OF  1;
   ELSE OF  0;
   FI;
ELSE OF  undefined;
FI;

Description

Each rotate instruction shifts the bits of the register or memory operand
given. The left rotate instructions shift all the bits upward, except for
the top bit, which is returned to the bottom. The right rotate instructions
do the reverse: the bits shift downward until the bottom bit arrives at
the top.

For the RCL and RCR instructions, the carry flag is part of the rotated
quantity. RCL shifts the carry flag into the bottom bit and shifts the top
bit into the carry flag; RCR shifts the carry flag into the top bit and
shifts the bottom bit into the carry flag. For the ROL and ROR
instructions, the original value of the carry flag is not a part of the
result, but the carry flag receives a copy of the bit that was shifted from
one end to the other.

The rotate is repeated the number of times indicated by the second
operand, which is either an immediate number or the contents of the CL
register. To reduce the maximum instruction execution time, the 80386
does not allow rotation counts greater than 31. If a rotation count greater
than 31 is attempted, only the bottom five bits of the rotation are used.
The 8086 does not mask rotation counts. The 80386 in Virtual 8086 Mode does
mask rotation counts.

The overflow flag is defined only for the single-rotate forms of the
instructions (second operand = 1). It is undefined in all other cases. For
left shifts/rotates, the CF bit after the shift is XORed with the
high-order result bit. For right shifts/rotates, the high-order two bits of
the result are XORed to get OF.

Flags Affected

OF only for single rotates; OF is undefined for multi-bit rotates; CF as
described above

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


REP/REPE/REPZ/REPNE/REPNZ  Repeat Following String Operation


Opcode    Instruction         Clocks           Description

F3  6C    REP INS r/m8, DX    13+6*(E)CX,
                              pm=7+6*(E)CX
If CPL  IOPL/
                              27+6*(E)CX
If CPL > IOPL or if in virtual 8086 mode      Input (E)CX bytes from port
                                               DX into ES:[(E)DI]
F3  6D    REP INS r/m16,DX    13+6*(E)CX,
                              pm=7+6*(E)CX
If CPL  IOPL/
                              27+6*(E)CX
If CPL > IOPL or if in virtual 8086 mode      Input (E)CX words from port
                                               DX into ES:[(E)DI]
F3  6D    REP INS r/m32,DX    13+6*(E)CX,
                              pm=7+6*(E)CX
If CPL  IOPL/
                              27+6*(E)CX
If CPL > IOPL or if in virtual 8086 mode      Input (E)CX dwords from port
                                               DX into ES:[(E)DI]
F3  A4    REP MOVS m8,m8      5+4*(E)CX        Move (E)CX bytes from
                                               [(E)SI] to ES:[(E)DI]
F3  A5    REP MOVS m16,m16    5+4*(E)CX        Move (E)CX words from
                                               [(E)SI] to ES:[(E)DI]
F3  A5    REP MOVS m32,m32    5+4*(E)CX        Move (E)CX dwords from
                                               [(E)SI] to ES:[(E)DI]
F3  6E    REP OUTS DX,r/m8    5+12*(E)CX,
                              pm=6+5*(E)CX
If CPL  IOPL/
                              26+5*(E)CX
If CPL > IOPL or if in virtual 8086 mode      Output (E)CX bytes from
                                               [(E)SI] to port DX
F3  6F    REP OUTS DX,r/m16   5+12*(E)CX,
                              pm=6+5*(E)CX
If CPL  IOPL/
                              26+5*(E)CX
If CPL > IOPL or if in virtual 8086 mode      Output (E)CX words from
                                               [(E)SI] to port DX
F3  6F    REP OUTS DX,r/m32   5+12*(E)CX,
                              pm=6+5*(E)CX
If CPL  IOPL/
                              26+5*(E)CX
If CPL > IOPL or if in virtual 8086 mode      Output (E)CX dwords from
                                               [(E)SI] to port DX
F3  AA    REP STOS m8         5+5*(E)CX        Fill (E)CX bytes at
                                               ES:[(E)DI] with AL
F3  AB    REP STOS m16        5+5*(E)CX        Fill (E)CX words at
                                               ES:[(E)DI] with AX
F3  AB    REP STOS m32        5+5*(E)CX        Fill (E)CX dwords at
                                               ES:[(E)DI] with EAX
F3  A6    REPE CMPS m8,m8     5+9*N            Find nonmatching bytes in
                                               ES:[(E)DI] and [(E)SI]
F3  A7    REPE CMPS m16,m16   5+9*N            Find nonmatching words in
                                               ES:[(E)DI] and [(E)SI]
F3  A7    REPE CMPS m32,m32   5+9*N            Find nonmatching dwords in
                                               ES:[(E)DI] and [(E)SI]
F3  AE    REPE SCAS m8        5+8*N            Find non-AL byte starting
                                               at ES:[(E)DI]
F3  AF    REPE SCAS m16       5+8*N            Find non-AX word starting
                                               at ES:[(E)DI]
F3  AF    REPE SCAS m32       5+8*N            Find non-EAX dword starting
                                               at ES:[(E)DI]
F2  A6    REPNE CMPS m8,m8    5+9*N            Find matching bytes in
                                               ES:[(E)DI] and [(E)SI]
F2  A7    REPNE CMPS m16,m16  5+9*N            Find matching words in
                                               ES:[(E)DI] and [(E)SI]
F2  A7    REPNE CMPS m32,m32  5+9*N            Find matching dwords in
                                               ES:[(E)DI] and [(E)SI]
F2  AE    REPNE SCAS m8       5+8*N            Find AL, starting at
                                               ES:[(E)DI]
F2  AF    REPNE SCAS m16      5+8*N            Find AX, starting at
                                               ES:[(E)DI]
F2  AF    REPNE SCAS m32      5+8*N            Find EAX, starting at
                                               ES:[(E)DI]


Operation

IF AddressSize = 16
THEN use CX for CountReg;
ELSE (* AddressSize = 32 *) use ECX for CountReg;
FI;
WHILE CountReg <> 0
DO
   service pending interrupts (if any);
   perform primitive string instruction;
   CountReg  CountReg - 1;
   IF primitive operation is CMPB, CMPW, SCAB, or SCAW
   THEN
      IF (instruction is REP/REPE/REPZ) AND (ZF=1)
      THEN exit WHILE loop
      ELSE
         IF (instruction is REPNZ or REPNE) AND (ZF=0)
         THEN exit WHILE loop;
         FI;
      FI;
   FI;
OD;

Description

REP, REPE (repeat while equal), and REPNE (repeat while not equal)
are prefix that are applied to string operation. Each prefix cause the
string instruction that follows to be repeated the number of times
indicated in the count register or (for REPE and REPNE) until the
indicated condition in the zero flag is no longer met.

Synonymous forms of REPE and REPNE are REPZ and REPNZ,
respectively.

The REP prefixes apply only to one string instruction at a time. To repeat
a block of instructions, use the LOOP instruction or another looping
construct.

The precise action for each iteration is as follows:

  1.  If the address-size attribute is 16 bits, use CX for the count
      register; if the address-size attribute is 32 bits, use ECX for the
      count register.

  2.  Check CX. If it is zero, exit the iteration, and move to the next
      instruction.

  3.  Acknowledge any pending interrupts.

  4.  Perform the string operation once.

  5.  Decrement CX or ECX by one; no flags are modified.

  6.  Check the zero flag if the string operation is SCAS or CMPS. If
      the repeat condition does not hold, exit the iteration and move to
      the next instruction. Exit the iteration if the prefix is REPE and ZF
      is 0 (the last comparison was not equal), or if the prefix is REPNE
      and ZF is one (the last comparison was equal).

  7.  Return to step 1 for the next iteration.

Repeated CMPS and SCAS instructions can be exited if the count is
exhausted or if the zero flag fails the repeat condition. These two cases
can be distinguished by using either the JCXZ instruction, or by using
the conditional jumps that test the zero flag (JZ, JNZ, and JNE).

Flags Affected

ZF by REP CMPS and REP SCAS as described above

Protected Mode Exceptions

list above; further exceptions can be generated when the string operation is
executed; refer to the descriptions of the string instructions themselves

Real Address Mode Exceptions

Interrupt 6 if a repeat prefix is used before an instruction that is not in
the list above; further exceptions can be generated when the string
operation is executed; refer to the descriptions of the string instructions
themselves

Virtual 8086 Mode Exceptions

list above; further exceptions can be generated when the string operation is
executed; refer to the descriptions of the string instructions themselves

Notes

Not all input/output ports can handle the rate at which the REP INS
and REP OUTS instructions execute.


RET  Return from Procedure

Opcode     Instruction  Clocks         Description

C3         RET          10+m           Return (near) to caller
CB         RET          18+m,pm=32+m   Return (far) to caller, same
                                       privilege
CB         RET          pm=68          Return (far), lesser privilege,
                                       switch stacks
C2  iw     RET imm16    10+m           Return (near), pop imm16 bytes of
                                       parameters
CA  iw     RET imm16    18+m,pm=32+m   Return (far), same privilege, pop
                                       imm16 bytes
CA  iw     RET imm16    pm=68          Return (far), lesser privilege, pop
                                       imm16 bytes


Operation

IF instruction = near RET
THEN;
   IF OperandSize = 16
   THEN
      IP  Pop();
      EIP  EIP AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      EIP  Pop();
   FI;
   IF instruction has immediate operand THEN eSP  eSP + imm16; FI;
FI;

IF (PE = 0 OR (PE = 1 AND VM = 1))
   (* real mode or virtual 8086 mode *)
   AND instruction = far RET
THEN;
   IF OperandSize = 16
   THEN
      IP  Pop();
      EIP  EIP AND 0000FFFFH;
      CS  Pop(); (* 16-bit pop *)
   ELSE (* OperandSize = 32 *)
      EIP  Pop();
      CS  Pop(); (* 32-bit pop, high-order 16-bits discarded *)
   FI;
   IF instruction has immediate operand THEN eSP  eSP + imm16; FI;
FI;

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
   AND instruction = far RET
THEN
   IF OperandSize=32
   THEN Third word on stack must be within stack limits else #SS(0);
   ELSE Second word on stack must be within stack limits else #SS(0);
   FI;
   Return selector RPL must be  CPL ELSE #GP(return selector)
   IF return selector RPL = CPL
   THEN GOTO SAME-LEVEL;
   ELSE GOTO OUTER-PRIVILEGE-LEVEL;
   FI;
FI;

SAME-LEVEL:
   Return selector must be non-null ELSE #GP(0)
   Selector index must be within its descriptor table limits ELSE
      #GP(selector)
   Descriptor AR byte must indicate code segment ELSE #GP(selector)
   IF non-conforming
   THEN code segment DPL must equal CPL;
   ELSE #GP(selector);
   FI;
   IF conforming
   THEN code segment DPL must be  CPL;
   ELSE #GP(selector);
   FI;
   Code segment must be present ELSE #NP(selector);
   Top word on stack must be within stack limits ELSE #SS(0);
   IP must be in code segment limit ELSE #GP(0);
   IF OperandSize=32
   THEN
      Load CS:EIP from stack
      Load CS register with descriptor
      Increment eSP by 8 plus the immediate offset if it exists
   ELSE (* OperandSize=16 *)
      Load CS:IP from stack
      Load CS register with descriptor
      Increment eSP by 4 plus the immediate offset if it exists
   FI;

OUTER-PRIVILEGE-LEVEL:
   IF OperandSize=32
   THEN Top (16+immediate) bytes on stack must be within stack limits
      ELSE #SS(0);
   ELSE Top (8+immediate) bytes on stack must be within stack limits ELSE
      #SS(0);
   FI;
   Examine return CS selector and associated descriptor:
      Selector must be non-null ELSE #GP(0);
      Selector index must be within its descriptor table limits ELSE
         #GP(selector)
      Descriptor AR byte must indicate code segment ELSE #GP(selector);
      IF non-conforming
      THEN code segment DPL must equal return selector RPL
      ELSE #GP(selector);
      FI;
      IF conforming
      THEN code segment DPL must be  return selector RPL;
      ELSE #GP(selector);
      FI;
      Segment must be present ELSE #NP(selector)
   Examine return SS selector and associated descriptor:
      Selector must be non-null ELSE #GP(0);
      Selector index must be within its descriptor table limits
         ELSE #GP(selector);
      Selector RPL must equal the RPL of the return CS selector ELSE
         #GP(selector);
      Descriptor AR byte must indicate a writable data segment ELSE
         #GP(selector);
      Descriptor DPL must equal the RPL of the return CS selector ELSE
         #GP(selector);
      Segment must be present ELSE #NP(selector);
   IP must be in code segment limit ELSE #GP(0);
   Set CPL to the RPL of the return CS selector;
   IF OperandMode=32
   THEN
      Load CS:EIP from stack;
      Set CS RPL to CPL;
      Increment eSP by 8 plus the immediate offset if it exists;
      Load SS:eSP from stack;
   ELSE (* OperandMode=16 *)
      Load CS:IP from stack;
      Set CS RPL to CPL;
      Increment eSP by 4 plus the immediate offset if it exists;
      Load SS:eSP from stack;
   FI;
   Load the CS register with the return CS descriptor;
   Load the SS register with the return SS descriptor;
   For each of ES, FS, GS, and DS
   DO
      IF the current register setting is not valid for the outer level,
         set the register to null (selector  AR  0);
      To be valid, the register setting must satisfy the following
         properties:
         Selector index must be within descriptor table limits;
         Descriptor AR byte must indicate data or readable code segment;
         IF segment is data or non-conforming code, THEN
            DPL must be  CPL, or DPL must be  RPL;
      FI;
   OD;

Description

RET transfers control to a return address located on the stack. The
address is usually placed on the stack by a CALL instruction, and the
return is made to the instruction that follows the CALL.

The optional numeric parameter to RET gives the number of stack bytes
(OperandMode=16) or words (OperandMode=32) to be released after the return
address is popped. These items are typically used as input parameters to the
procedure called.

For the intrasegment (near) return, the address on the stack is a segment
offset, which is popped into the instruction pointer. The CS register is
unchanged. For the intersegment (far) return, the address on the stack
is a long pointer. The offset is popped first, followed by the selector.

In real mode, CS and IP are loaded directly. In Protected Mode, an
intersegment return causes the processor to check the descriptor
addressed by the return selector. The AR byte of the descriptor must
indicate a code segment of equal or lesser privilege (or greater or equal
numeric value) than the current privilege level. Returns to a lesser
privilege level cause the stack to be reloaded from the value saved beyond
the parameter block.

The DS, ES, FS, and GS segment registers can be set to 0 by the RET
instruction during an interlevel transfer. If these registers refer to
segments that cannot be used by the new privilege level, they are set to
0 to prevent unauthorized access from the new privilege level.

Flags Affected

None

Protected Mode Exceptions

a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would be outside the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


SAHF  Store AH into Flags

Opcode  Instruction  Clocks   Description

9E      SAHF         3        Store AH into flags SF ZF xx AF xx PF xx CF


Operation

SF:ZF:xx:AF:xx:PF:xx:CF  AH;

Description

SAHF loads the flags listed above with values from the AH register,
from bits 7, 6, 4, 2, and 0, respectively.

Flags Affected

SF, ZF, AF, PF, and CF as described above

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


SAL/SAR/SHL/SHR  Shift Instructions


Opcode          Instruction       Clocks  Description

D0   /4         SAL r/m8,1        3/7     Multiply r/m byte by 2, once
D2   /4         SAL r/m8,CL       3/7     Multiply r/m byte by 2, CL times
C0   /4 ib      SAL r/m8,imm8     3/7     Multiply r/m byte by 2, imm8
                                          times
D1   /4         SAL r/m16,1       3/7     Multiply r/m word by 2, once
D3   /4         SAL r/m16,CL      3/7     Multiply r/m word by 2, CL times
C1   /4 ib      SAL r/m16,imm8    3/7     Multiply r/m word by 2, imm8
                                          times
D1   /4         SAL r/m32,1       3/7     Multiply r/m dword by 2, once
D3   /4         SAL r/m32,CL      3/7     Multiply r/m dword by 2, CL
                                          times
C1   /4 ib      SAL r/m32,imm8    3/7     Multiply r/m dword by 2, imm8
                                          times
D0   /7         SAR r/m8,1        3/7     Signed divide^(1) r/m byte by 2,
                                          once
D2   /7         SAR r/m8,CL       3/7     Signed divide^(1) r/m byte by 2,
                                          CL times
C0   /7 ib      SAR r/m8,imm8     3/7     Signed divide^(1) r/m byte by 2,
                                          imm8 times
D1   /7         SAR r/m16,1       3/7     Signed divide^(1) r/m word by 2,
                                          once
D3   /7         SAR r/m16,CL      3/7     Signed divide^(1) r/m word by 2,
                                          CL times
C1   /7 ib      SAR r/m16,imm8    3/7     Signed divide^(1) r/m word by 2,
                                          imm8 times
D1   /7         SAR r/m32,1       3/7     Signed divide^(1) r/m dword by 2,
                                          once
D3   /7         SAR r/m32,CL      3/7     Signed divide^(1) r/m dword by 2,
                                          CL times
C1   /7 ib      SAR r/m32,imm8    3/7     Signed divide^(1) r/m dword by 2,
                                          imm8 times
D0   /4         SHL r/m8,1        3/7     Multiply r/m byte by 2, once
D2   /4         SHL r/m8,CL       3/7     Multiply r/m byte by 2, CL times
C0   /4 ib      SHL r/m8,imm8     3/7     Multiply r/m byte by 2, imm8
                                          times
D1   /4         SHL r/m16,1       3/7     Multiply r/m word by 2, once
D3   /4         SHL r/m16,CL      3/7     Multiply r/m word by 2, CL times
C1   /4 ib      SHL r/m16,imm8    3/7     Multiply r/m word by 2, imm8
                                          times
D1   /4         SHL r/m32,1       3/7     Multiply r/m dword by 2, once
D3   /4         SHL r/m32,CL      3/7     Multiply r/m dword by 2, CL
                                          times
C1   /4 ib      SHL r/m32,imm8    3/7     Multiply r/m dword by 2, imm8
                                          times
D0   /5         SHR r/m8,1        3/7     Unsigned divide r/m byte by 2,
                                          once
D2   /5         SHR r/m8,CL       3/7     Unsigned divide r/m byte by 2,
                                          CL times
C0   /5 ib      SHR r/m8,imm8     3/7     Unsigned divide r/m byte by 2,
                                          imm8 times
D1   /5         SHR r/m16,1       3/7     Unsigned divide r/m word by 2,
                                          once
D3   /5         SHR r/m16,CL      3/7     Unsigned divide r/m word by 2,
                                          CL times
C1   /5 ib      SHR r/m16,imm8    3/7     Unsigned divide r/m word by 2,
                                          imm8 times
D1   /5         SHR r/m32,1       3/7     Unsigned divide r/m dword by 2,
                                          once
D3   /5         SHR r/m32,CL      3/7     Unsigned divide r/m dword by 2,
                                          CL times
C1   /5 ib      SHR r/m32,imm8    3/7     Unsigned divide r/m dword by 2,
                                          imm8 times


Not the same division as IDIV; rounding is toward negative infinity.

Operation

(* COUNT is the second parameter *)
(temp)  COUNT;
WHILE (temp <> 0)
DO
   IF instruction is SAL or SHL
   THEN CF  high-order bit of r/m;
   FI;
   IF instruction is SAR or SHR
   THEN CF  low-order bit of r/m;
   FI;
   IF instruction = SAL or SHL
   THEN r/m  r/m * 2;
   FI;
   IF instruction = SAR
   THEN r/m  r/m /2 (*Signed divide, rounding toward negative infinity*);
   FI;
   IF instruction = SHR
   THEN r/m  r/m / 2; (* Unsigned divide *);
   FI;
   temp  temp - 1;
OD;
(* Determine overflow for the various instructions *)
IF COUNT = 1
THEN
   IF instruction is SAL or SHL
   THEN OF  high-order bit of r/m <> (CF);
   FI;
   IF instruction is SAR
   THEN OF  0;
   FI;
   IF instruction is SHR
   THEN OF  high-order bit of operand;
   FI;
ELSE OF  undefined;
FI;

Description

SAL (or its synonym, SHL) shifts the bits of the operand upward. The
high-order bit is shifted into the carry flag, and the low-order bit is set
to 0.

SAR and SHR shift the bits of the operand downward. The low-order
bit is shifted into the carry flag. The effect is to divide the operand by
2. SAR performs a signed divide with rounding toward negative infinity (not
the same as IDIV); the high-order bit remains the same. SHR performs an
unsigned divide; the high-order bit is set to 0.

The shift is repeated the number of times indicated by the second
operand, which is either an immediate number or the contents of the CL
register. To reduce the maximum execution time, the 80386 does not
allow shift counts greater than 31. If a shift count greater than 31 is
attempted, only the bottom five bits of the shift count are used. (The
8086 uses all eight bits of the shift count.)

The overflow flag is set only if the single-shift forms of the instructions
are used. For left shifts, OF is set to 0 if the high bit of the answer is
the same as the result of the carry flag (i.e., the top two bits of the
original operand were the same); OF is set to 1 if they are different. For
SAR, OF is set to 0 for all single shifts. For SHR, OF is set to the
high-order bit of the original operand.

Flags Affected

OF for single shifts; OF is undefined for multiple shifts; CF, ZF, PF,
and SF as described in Appendix C

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


SBB  Integer Subtraction with Borrow


Opcode       Instruction       Clocks  Description

1C  ib       SBB AL,imm8       2       Subtract with borrow immediate byte
                                       from AL
1D  iw       SBB AX,imm16      2       Subtract with borrow immediate word
                                       from AX
1D  id       SBB EAX,imm32     2       Subtract with borrow immediate
                                       dword from EAX
80  /3 ib    SBB r/m8,imm8     2/7     Subtract with borrow immediate byte
                                       from r/m byte
81  /3 iw    SBB r/m16,imm16   2/7     Subtract with borrow immediate word
                                       from r/m word
81  /3 id    SBB r/m32,imm32   2/7     Subtract with borrow immediate
                                       dword from r/m dword
83  /3 ib    SBB r/m16,imm8    2/7     Subtract with borrow sign-extended
                                       immediate byte from r/m word
83  /3 ib    SBB r/m32,imm8    2/7     Subtract with borrow sign-extended
                                       immediate byte from r/m dword
18  /r       SBB r/m8,r8       2/6     Subtract with borrow byte register
                                       from r/m byte
19  /r       SBB r/m16,r16     2/6     Subtract with borrow word register
                                       from r/m word
19  /r       SBB r/m32,r32     2/6     Subtract with borrow dword register
                                       from r/m dword
1A  /r       SBB r8,r/m8       2/7     Subtract with borrow byte register
                                       from r/m byte
1B  /r       SBB r16,r/m16     2/7     Subtract with borrow word register
                                       from r/m word
1B  /r       SBB r32,r/m32     2/7     Subtract with borrow dword register
                                       from r/m dword


Operation

IF SRC is a byte and DEST is a word or dword
THEN DEST = DEST - (SignExtend(SRC) + CF)
ELSE DEST  DEST - (SRC + CF);

Description

SBB adds the second operand (DEST) to the carry flag (CF) and
subtracts the result from the first operand (SRC). The result of the
subtraction is assigned to the first operand (DEST), and the flags are
set accordingly.

When an immediate byte value is subtracted from a word operand, the
immediate value is first sign-extended.

Flags Affected

OF, SF, ZF, AF, PF, and CF as described in Appendix C

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


SCAS/SCASB/SCASW/SCASD  Compare String Data

Opcode  Instruction  Clocks  Description

AE      SCAS m8      7       Compare bytes AL-ES:[DI], update (E)DI
AF      SCAS m16     7       Compare words AX-ES:[DI], update (E)DI
AF      SCAS m32     7       Compare dwords EAX-ES:[DI], update (E)DI
AE      SCASB        7       Compare bytes AL-ES:[DI], update (E)DI
AF      SCASW        7       Compare words AX-ES:[DI], update (E)DI
AF      SCASD        7       Compare dwords EAX-ES:[DI], update (E)DI


Operation

IF AddressSize = 16
THEN use DI for dest-index;
ELSE (* AddressSize = 32 *) use EDI for dest-index;
FI;
IF byte type of instruction
THEN
   AL - [dest-index]; (* Compare byte in AL and dest *)
   IF DF = 0 THEN IndDec  1 ELSE IncDec  -1; FI;
ELSE
   IF OperandSize = 16
   THEN
      AX - [dest-index]; (* compare word in AL and dest *)
      IF DF = 0 THEN IncDec  2 ELSE IncDec  -2; FI;
   ELSE (* OperandSize = 32 *)
      EAX - [dest-index];(* compare dword in EAX & dest *)
      IF DF = 0 THEN IncDec  4 ELSE IncDec  -4; FI;
   FI;
FI;
dest-index = dest-index + IncDec

Description

SCAS subtracts the memory byte or word at the destination register from
the AL, AX or EAX register. The result is discarded; only the flags are set.
The operand must be addressable from the ES segment; no segment override is
possible.

If the address-size attribute for this instruction is 16 bits, DI is used
as the destination register; otherwise, the address-size attribute is 32
bits and EDI is used.

The address of the memory data being compared is determined solely by the
contents of the destination register, not by the operand to SCAS. The
operand validates ES segment addressability and determines the data type.
Load the correct index value into DI or EDI before executing SCAS.

After the comparison is made, the destination register is automatically
updated. If the direction flag is 0 (CLD was executed), the destination
register is incremented; if the direction flag is 1 (STD was executed), it
is decremented. The increments or decrements are by 1 if bytes are compared,
by 2 if words are compared, or by 4 if doublewords are compared.

SCASB, SCASW, and SCASD are synonyms for the byte, word and
doubleword SCAS instructions that don't require operands. They are
simpler to code, but provide no type or segment checking.

SCAS can be preceded by the REPE or REPNE prefix for a block search
of CX or ECX bytes or words. Refer to the REP instruction for further
details.

Flags Affected

OF, SF, ZF, AF, PF, and CF as described in Appendix C

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


SETcc  Byte Set on Condition


Opcode   Instruction  Clocks  Description

0F  97   SETA r/m8    4/5     Set byte if above (CF=0 and ZF=0)
0F  93   SETAE r/m8   4/5     Set byte if above or equal (CF=0)
0F  92   SETB r/m8    4/5     Set byte if below (CF=1)
0F  96   SETBE r/m8   4/5     Set byte if below or equal (CF=1 or (ZF=1)
0F  92   SETC r/m8    4/5     Set if carry (CF=1)
0F  94   SETE r/m8    4/5     Set byte if equal (ZF=1)
0F  9F   SETG r/m8    4/5     Set byte if greater (ZF=0 or SF=OF)
0F  9D   SETGE r/m8   4/5     Set byte if greater or equal (SF=OF)
0F  9C   SETL r/m8    4/5     Set byte if less (SF<>OF)
0F  9E   SETLE r/m8   4/5     Set byte if less or equal (ZF=1 and
                              SF<>OF)
0F  96   SETNA r/m8   4/5     Set byte if not above (CF=1)
0F  92   SETNAE r/m8  4/5     Set byte if not above or equal (CF=1)
0F  93   SETNB r/m8   4/5     Set byte if not below (CF=0)
0F  97   SETNBE r/m8  4/5     Set byte if not below or equal (CF=0 and
                              ZF=0)
0F  93   SETNC r/m8   4/5     Set byte if not carry (CF=0)
0F  95   SETNE r/m8   4/5     Set byte if not equal (ZF=0)
0F  9E   SETNG r/m8   4/5     Set byte if not greater (ZF=1 or SF<>OF)
0F  9C   SETNGE r/m8  4/5     Set if not greater or equal (SF<>OF)
0F  9D   SETNL r/m8   4/5     Set byte if not less (SF=OF)
0F  9F   SETNLE r/m8  4/5     Set byte if not less or equal (ZF=1 and
                              SF<>OF)
0F  91   SETNO r/m8   4/5     Set byte if not overflow (OF=0)
0F  9B   SETNP r/m8   4/5     Set byte if not parity (PF=0)
0F  99   SETNS r/m8   4/5     Set byte if not sign (SF=0)
0F  95   SETNZ r/m8   4/5     Set byte if not zero (ZF=0)
0F  90   SETO r/m8    4/5     Set byte if overflow (OF=1)
0F  9A   SETP r/m8    4/5     Set byte if parity (PF=1)
0F  9A   SETPE r/m8   4/5     Set byte if parity even (PF=1)
0F  9B   SETPO r/m8   4/5     Set byte if parity odd (PF=0)
0F  98   SETS r/m8    4/5     Set byte if sign (SF=1)
0F  94   SETZ r/m8    4/5     Set byte if zero (ZF=1)


Operation

IF condition THEN r/m8  1 ELSE r/m8  0; FI;

Description

SETcc stores a byte at the destination specified by the effective address
or register if the condition is met, or a 0 byte if the condition is not
met.

Flags Affected

None

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


SGDT/SIDT  Store Global/Interrupt Descriptor Table Register

Opcode       Instruction   Clocks   Description

0F  01 /0    SGDT m        9        Store GDTR to m
0F  01 /1    SIDT m        9        Store IDTR to m


Operation

DEST  48-bit BASE/LIMIT register contents;

Description

SGDT/SIDT copies the contents of the descriptor table register the six
bytes of memory indicated by the operand. The LIMIT field of the
register is assigned to the first word at the effective address. If the
operand-size attribute is 32 bits, the next three bytes are assigned the
BASE field of the register, and the fourth byte is written with zero. The
last byte is undefined. Otherwise, if the operand-size attribute is 16
bits, the next four bytes are assigned the 32-bit BASE field of the
register.

SGDT and SIDT are used only in operating system software; they are
not used in application programs.

Flags Affected

None

Protected Mode Exceptions

Interrupt 6 if the destination operand is a register; #GP(0) if the
destination is in a nonwritable segment; #GP(0) for an illegal memory
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for
an illegal address in the SS segment; #PF(fault-code) for a page fault

Real Address Mode Exceptions

Interrupt 6 if the destination operand is a register; Interrupt 13 if any
part of the operand would lie outside of the effective address space from
0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault

Compatability Note

The 16-bit forms of the SGDT/SIDT instructions are compatible with
the 80286, if the value in the upper eight bits is not referenced. The
80286 stores 1's in these upper bits, whereas the 80386 stores 0's if the
operand-size attribute is 16 bits. These bits were specified as undefined
by the SGDT/SIDT instructions in the iAPX 286 Programmer's
Reference Manual.


SHLD  Double Precision Shift Left

Opcode   Instruction          Clocks   Description

0F  A4   SHLD r/m16,r16,imm8  3/7      r/m16 gets SHL of r/m16 concatenated
                                       with r16
0F  A4   SHLD r/m32,r32,imm8  3/7      r/m32 gets SHL of r/m32 concatenated
                                       with r32
0F  A5   SHLD r/m16,r16,CL    3/7      r/m16 gets SHL of r/m16 concatenated
                                       with r16
0F  A5   SHLD r/m32,r32,CL    3/7      r/m32 gets SHL of r/m32 concatenated
                                       with r32


Operation

(* count is an unsigned integer corresponding to the last operand of the
instruction, either an immediate byte or the byte in register CL *)
ShiftAmt  count MOD 32;
inBits  register; (* Allow overlapped operands *)
IF ShiftAmt = 0
THEN no operation
ELSE
   IF ShiftAmt  OperandSize
   THEN (* Bad parameters *)
      r/m  UNDEFINED;
      CF, OF, SF, ZF, AF, PF  UNDEFINED;
   ELSE (* Perform the shift *)
      CF  BIT[Base, OperandSize - ShiftAmt];
         (* Last bit shifted out on exit *)
   FOR i  OperandSize - 1 DOWNTO ShiftAmt
   DO
      BIT[Base, i]  BIT[Base, i - ShiftAmt];
   OF;
   FOR i  ShiftAmt - 1 DOWNTO 0
   DO
      BIT[Base, i]  BIT[inBits, i - ShiftAmt + OperandSize];
   OD;
   Set SF, ZF, PF (r/m);
      (* SF, ZF, PF are set according to the value of the result *)
   AF  UNDEFINED;
   FI;
FI;

Description

SHLD shifts the first operand provided by the r/m field to the left as
many bits as specified by the count operand. The second operand (r16 or r32)
provides the bits to shift in from the right (starting with bit 0). The
result is stored back into the r/m operand. The register remains unaltered.

The count operand is provided by either an immediate byte or the contents
of the CL register. These operands are taken MODULO 32 to provide a number
between 0 and 31 by which to shift. Because the bits to shift are provided
by the specified registers, the operation is useful for multiprecision
shifts (64 bits or more). The SF, ZF and PF flags are set according to the
value of the result. CS is set to the value of the last bit shifted out. OF
and AF are left undefined.

Flags Affected

OF, SF, ZF, PF, and CF as described above; AF and OF are undefined

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


SHRD  Double Precision Shift Right

Opcode   Instruction           Clocks  Description

0F  AC   SHRD r/m16,r16,imm8   3/7     r/m16 gets SHR of r/m16 concatenated
                                       with r16
0F  AC   SHRD r/m32,r32,imm8   3/7     r/m32 gets SHR of r/m32 concatenated
                                       with r32
0F  AD   SHRD r/m16,r16,CL     3/7     r/m16 gets SHR of r/m16 concatenated
                                       with r16
0F  AD   SHRD r/m32,r32,CL     3/7     r/m32 gets SHR of r/m32 concatenated
                                       with r32


Operation

(* count is an unsigned integer corresponding to the last operand of the
instruction, either an immediate byte or the byte in register CL *)
ShiftAmt  count MOD 32;
inBits  register; (* Allow overlapped operands *)
IF ShiftAmt = 0
THEN no operation
ELSE
   IF ShiftAmt  OperandSize
   THEN (* Bad parameters *)
      r/m  UNDEFINED;
      CF, OF, SF, ZF, AF, PF  UNDEFINED;
   ELSE (* Perform the shift *)
      CF  BIT[r/m, ShiftAmt - 1]; (* last bit shifted out on exit *)
      FOR i  0 TO OperandSize - 1 - ShiftAmt
      DO
         BIT[r/m, i]  BIT[r/m, i - ShiftAmt];
      OD;
      FOR i  OperandSize - ShiftAmt TO OperandSize - 1
      DO
         BIT[r/m,i]  BIT[inBits,i+ShiftAmt - OperandSize];
      OD;
      Set SF, ZF, PF (r/m);
         (* SF, ZF, PF are set according to the value of the result *)
      Set SF, ZF, PF (r/m);
      AF  UNDEFINED;
   FI;
FI;

Description

SHRD shifts the first operand provided by the r/m field to the right as many
bits as specified by the count operand. The second operand (r16 or r32)
provides the bits to shift in from the left (starting with bit 31). The
result is stored back into the r/m operand. The register remains unaltered.

The count operand is provided by either an immediate byte or the contents
of the CL register. These operands are taken MODULO 32 to provide a number
between 0 and 31 by which to shift. Because the bits to shift are provided
by the specified register, the operation is useful for multi-precision
shifts (64 bits or more). The SF, ZF and PF flags are set according to the
value of the result. CS is set to the value of the last bit shifted out. OF
and AF are left undefined.

Flags Affected

OF, SF, ZF, PF, and CF as described above; AF and OF are undefined

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


SLDT  Store Local Descriptor Table Register

Opcode      Instruction   Clocks      Description

0F  00 /0   SLDT r/m16    pm=2/2      Store LDTR to EA word


Operation

r/m16  LDTR;

Description

SLDT stores the Local Descriptor Table Register (LDTR) in the two-byte
register or memory location indicated by the effective address operand.
This register is a selector that points into the Global Descriptor Table.

SLDT is used only in operating system software. It is not used in
application programs.

Flags Affected

None

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 6; SLDT is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

The operand-size attribute has no effect on the operation of the
instruction.


SMSW  Store Machine Status Word

Opcode      Instruction     Clocks          Description

0F  01 /4   SMSW r/m16      2/3,pm=2/2      Store machine status word to EA
                                            word


Operation

r/m16  MSW;

Description

SMSW stores the machine status word (part of CR0) in the two-byte register
or memory location indicated by the effective address operand.

Flags Affected

None

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault

Notes

This instruction is provided for compatibility with the 80286; 80386
programs should use MOV ..., CR0.


STC  Set Carry Flag

Opcode      Instruction     Clocks      Description

F9          STC             2           Set carry flag


Operation

CF  1;

Description

STC sets the carry flag to 1.

Flags Affected

CF = 1

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


STD  Set Direction Flag

Opcode  Instruction   Clocks    Description

FD      STD           2         Set direction flag so (E)SI and/or (E)DI
                                decrement


Operation

DF  1;

Description

STD sets the direction flag to 1, causing all subsequent string operations
to decrement the index registers, (E)SI and/or (E)DI, on which they
operate.

Flags Affected

DF = 1

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


STI  Set Interrupt Flag

Opcode  Instruction   Clocks   Description

F13     STI           3        Set interrupt flag; interrupts enabled at the
                               end of the next instruction


Operation

IF  1

Description

STI sets the interrupt flag to 1. The 80386 then responds to external
interrupts after executing the next instruction if the next instruction
allows the interrupt flag to remain enabled. If external interrupts are
disabled and you code STI, RET (such as at the end of a subroutine),
the RET is allowed to execute before external interrupts are recognized.
Also, if external interrupts are disabled and you code STI, CLI, then
external interrupts are not recognized because the CLI instruction clears
the interrupt flag during its execution.

Flags Affected

IF = 1

Protected Mode Exceptions

the I/O privilege level

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None


STOS/STOSB/STOSW/STOSD  Store String Data

Opcode  Instruction  Clocks   Description

AA      STOS m8      4        Store AL in byte ES:[(E)DI], update (E)DI
AB      STOS m16     4        Store AX in word ES:[(E)DI], update (E)DI
AB      STOS m32     4        Store EAX in dword ES:[(E)DI], update (E)DI
AA      STOSB        4        Store AL in byte ES:[(E)DI], update (E)DI
AB      STOSW        4        Store AX in word ES:[(E)DI], update (E)DI
AB      STOSD        4        Store EAX in dword ES:[(E)DI], update (E)DI


Operation

IF AddressSize = 16
THEN use ES:DI for DestReg
ELSE (* AddressSize = 32 *) use ES:EDI for DestReg;
FI;
IF byte type of instruction
THEN
   (ES:DestReg)  AL;
   IF DF = 0
   THEN DestReg  DestReg + 1;
   ELSE DestReg  DestReg - 1;
   FI;
ELSE IF OperandSize = 16
   THEN
      (ES:DestReg)  AX;
      IF DF = 0
      THEN DestReg  DestReg + 2;
      ELSE DestReg  DestReg - 2;
      FI;
   ELSE (* OperandSize = 32 *)
      (ES:DestReg)  EAX;
      IF DF = 0
      THEN DestReg  DestReg + 4;
      ELSE DestReg  DestReg - 4;
      FI;
   FI;
FI;

Description

STOS transfers the contents of all AL, AX, or EAX register to the memory
byte or word given by the destination register relative to the ES segment.
The destination register is DI for an address-size attribute of 16 bits or
EDI for an address-size attribute of 32 bits.

The destination operand must be addressable from the ES register. A segment
override is not possible.

The address of the destination is determined by the contents of the
destination register, not by the explicit operand of STOS. This operand is
used only to validate ES segment addressability and to determine the data
type. Load the correct index value into the destination register before
executing STOS.

After the transfer is made, DI is automatically updated. If the direction
flag is 0 (CLD was executed), DI is incremented; if the direction flag is
1 (STD was executed), DI is decremented. DI is incremented or decremented by
1 if a byte is stored, by 2 if a word is stored, or by 4 if a doubleword is
stored.

STOSB, STOSW, and STOSD are synonyms for the byte, word, and doubleword STOS
instructions, that do not require an operand. They are simpler to use, but
provide no type or segment checking.

STOS can be preceded by the REP prefix for a block fill of CX or ECX bytes,
words, or doublewords. Refer to the REP instruction for further details.

Flags Affected

None

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


STR  Store Task Register

Opcode        Instruction   Clocks       Description

0F  00 /1     STR r/m16     pm=23/27     Load EA word into task register


Operation

r/m  task register;

Description

The contents of the task register are copied to the two-byte register or
memory location indicated by the effective address operand.

STR is used only in operating system software. It is not used in application
programs.

Flags Affected

None

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 6; STR is not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode

Notes

The operand-size attribute has no effect on this instruction.


SUB  Integer Subtraction

Opcode      Instruction      Clocks   Description

2C  ib      SUB AL,imm8      2        Subtract immediate byte from AL
2D  iw      SUB AX,imm16     2        Subtract immediate word from AX
2D  id      SUB EAX,imm32    2        Subtract immediate dword from EAX
80  /5 ib   SUB r/m8,imm8    2/7      Subtract immediate byte from r/m byte
81  /5 iw   SUB r/m16,imm16  2/7      Subtract immediate word from r/m word
81  /5 id   SUB r/m32,imm32  2/7      Subtract immediate dword from r/m
                                      dword
83  /5 ib   SUB r/m16,imm8   2/7      Subtract sign-extended immediate byte
                                      from r/m word
83  /5 ib   SUB r/m32,imm8   2/7      Subtract sign-extended immediate byte
                                      from r/m dword
28  /r      SUB r/m8,r8      2/6      Subtract byte register from r/m byte
29  /r      SUB r/m16,r16    2/6      Subtract word register from r/m word
29  /r      SUB r/m32,r32    2/6      Subtract dword register from r/m
                                      dword
2A  /r      SUB r8,r/m8      2/7      Subtract byte register from r/m byte
2B  /r      SUB r16,r/m16    2/7      Subtract word register from r/m word
2B  /r      SUB r32,r/m32    2/7      Subtract dword register from r/m
                                      dword


Operation

IF SRC is a byte and DEST is a word or dword
THEN DEST = DEST - SignExtend(SRC);
ELSE DEST  DEST - SRC;
FI;

Description

SUB subtracts the second operand (SRC) from the first operand (DEST). The
first operand is assigned the result of the subtraction, and the flags are
set accordingly.

When an immediate byte value is subtracted from a word operand, the
immediate value is first sign-extended to the size of the destination
operand.

Flags Affected

OF, SF, ZF, AF, PF, and CF as described in Appendix C

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


TEST  Logical Compare

Opcode       Instruction       Clocks   Description

A8   ib      TEST AL,imm8      2        AND immediate byte with AL
A9   iw      TEST AX,imm16     2        AND immediate word with AX
A9   id      TEST EAX,imm32    2        AND immediate dword with EAX
F6   /0 ib   TEST r/m8,imm8    2/5      AND immediate byte with r/m byte
F7   /0 iw   TEST r/m16,imm16  2/5      AND immediate word with r/m word
F7   /0 id   TEST r/m32,imm32  2/5      AND immediate dword with r/m dword
84   /r      TEST r/m8,r8      2/5      AND byte register with r/m byte
85   /r      TEST r/m16,r16    2/5      AND word register with r/m word
85   /r      TEST r/m32,r32    2/5      AND dword register with r/m dword


Operation

DEST : = LeftSRC AND RightSRC;
CF  0;
OF  0;

Description

TEST computes the bit-wise logical AND of its two operands. Each bit
of the result is 1 if both of the corresponding bits of the operands are 1;
otherwise, each bit is 0. The result of the operation is discarded and only
the flags are modified.

Flags Affected

OF = 0, CF = 0; SF, ZF, and PF as described in Appendix C

Protected Mode Exceptions

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


VERR, VERW  Verify a Segment for Reading or Writing

Opcode       Instruction   Clocks      Description

0F  00 /4    VERR r/m16    pm=10/11    Set ZF=1 if segment can be read,
                                       selector in r/m16
0F  00 /5    VERW r/m16    pm=15/16    Set ZF=1 if segment can be written,
                                       selector in r/m16


Operation

IF segment with selector at (r/m) is accessible
   with current protection level
   AND ((segment is readable for VERR) OR
      (segment is writable for VERW))
THEN ZF  0;
ELSE ZF  1;
FI;

Description

The two-byte register or memory operand of VERR and VERW contains
the value of a selector. VERR and VERW determine whether the
segment denoted by the selector is reachable from the current privilege
level and whether the segment is readable (VERR) or writable (VERW).
If the segment is accessible, the zero flag is set to 1; if the segment is
not accessible, the zero flag is set to 0. To set ZF, the following
conditions must be met:

    The selector must denote a descriptor within the bounds of the table
     (GDT or LDT); the selector must be "defined."

    The selector must denote the descriptor of a code or data segment
     (not that of a task state segment, LDT, or a gate).

    For VERR, the segment must be readable. For VERW, the segment
     must be a writable data segment.

    If the code segment is readable and conforming, the descriptor
     privilege level (DPL) can be any value for VERR. Otherwise, the
     DPL must be greater than or equal to (have less or the same
     privilege as) both the current privilege level and the selector's RPL.

The validation performed is the same as if the segment were loaded into
DS, ES, FS, or GS, and the indicated access (read or write) were
performed. The zero flag receives the result of the validation. The
selector's value cannot result in a protection exception, enabling the
software to anticipate possible segment access problems.

Flags Affected

ZF as described above

Protected Mode Exceptions

Faults generated by illegal addressing of the memory operand that
contains the selector, the selector is not loaded into any segment
register, and no faults attributable to the selector operand are generated

ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 6; VERR and VERW are not recognized in Real Address Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


WAIT  Wait until BUSY# Pin is Inactive (HIGH)

Opcode   Instruction   Clocks     Description

9B       WAIT          6 min.     Wait until BUSY pin is inactive (HIGH)


Description

WAIT suspends execution of 80386 instructions until the BUSY# pin is
inactive (high). The BUSY# pin is driven by the 80287 numeric processor
extension.

Flags Affected

None

Protected Mode Exceptions

of register CR0) is set; #MF if the ERROR# input pin is asserted (i.e., the
80287 has detected an unmasked numeric error)

Real Address Mode Exceptions

Same exceptions as in Protected Mode

Virtual 8086 Mode Exceptions

Same exceptions as in Protected Mode


XCHG  Exchange Register/Memory with Register

Opcode    Instruction      Clocks     Description

90 + r    XCHG AX,r16      3          Exchange word register with AX
90 + r    XCHG r16,AX      3          Exchange word register with AX
90 + r    XCHG EAX,r32     3          Exchange dword register with EAX
90 + r    XCHG r32,EAX     3          Exchange dword register with EAX
86  /r    XCHG r/m8,r8     3          Exchange byte register with EA byte
86  /r    XCHG r8,r/m8     3/5        Exchange byte register with EA byte
87  /r    XCHG r/m16,r16   3          Exchange word register with EA word
87  /r    XCHG r16,r/m16   3/5        Exchange word register with EA word
87  /r    XCHG r/m32,r32   3          Exchange dword register with EA dword
87  /r    XCHG r32,r/m32   3/5        Exchange dword register with EA dword


Operation

temp  DEST
DEST  SRC
SRC  temp

Description

XCHG exchanges two operands. The operands can be in either order. If a
memory operand is involved, BUS LOCK is asserted for the duration of the
exchange, regardless of the presence or absence of the LOCK prefix or of the
value of the IOPL.

Flags Affected

None

Protected Mode Exceptions

illegal memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


XLAT/XLATB  Table Look-up Translation

D7    XLAT m8    5     Set AL to memory byte DS:[(E)BX + unsigned AL]
D7    XLATB      5     Set AL to memory byte DS:[(E)BX + unsigned AL]


Operation

IF AddressSize = 16
THEN
   AL  (BX + ZeroExtend(AL))
ELSE (* AddressSize = 32 *)
   AL  (EBX + ZeroExtend(AL));
FI;

Description

XLAT changes the AL register from the table index to the table entry. AL
should be the unsigned index into a table addressed by DS:BX (for an
address-size attribute of 16 bits) or DS:EBX (for an address-size attribute
of 32 bits).

The operand to XLAT allows for the possibility of a segment override. XLAT
uses the contents of BX even if they differ from the offset of the operand.
The offset of the operand should have been moved intoBX/EBX with a previous
instruction.

The no-operand form, XLATB, can be used if the BX/EBX table will always
reside in the DS segment.

Flags Affected

None

Protected Mode Exceptions

FS, or GS segments; #SS(0) for an illegal address in the SS segment;

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault


XOR  Logical Exclusive OR


Opcode      Instruction      Clocks   Description

34  ib      XOR AL,imm8      2        Exclusive-OR immediate byte to AL
35  iw      XOR AX,imm16     2        Exclusive-OR immediate word to AX
35  id      XOR EAX,imm32    2        Exclusive-OR immediate dword to EAX
80  /6 ib   XOR r/m8,imm8    2/7      Exclusive-OR immediate byte to r/m
                                      byte
81  /6 iw   XOR r/m16,imm16  2/7      Exclusive-OR immediate word to r/m
                                      word
81  /6 id   XOR r/m32,imm32  2/7      Exclusive-OR immediate dword to r/m
                                      dword
83  /6 ib   XOR r/m16,imm8   2/7      XOR sign-extended immediate byte
                                      with r/m word
83  /6 ib   XOR r/m32,imm8   2/7      XOR sign-extended immediate byte
                                      with r/m dword
30  /r      XOR r/m8,r8      2/6      Exclusive-OR byte register to r/m
                                      byte
31  /r      XOR r/m16,r16    2/6      Exclusive-OR word register to r/m
                                      word
31  /r      XOR r/m32,r32    2/6      Exclusive-OR dword register to r/m
                                      dword
32  /r      XOR r8,r/m8      2/7      Exclusive-OR byte register to r/m
                                      byte
33  /r      XOR r16,r/m16    2/7      Exclusive-OR word register to r/m
                                      word
33  /r      XOR r32,r/m32    2/7      Exclusive-OR dword register to r/m
                                      dword


Operation

DEST  LeftSRC XOR RightSRC
CF  0
OF  0

Description

XOR computes the exclusive OR of the two operands. Each bit of the result
is 1 if the corresponding bits of the operands are different; each bit is 0
if the corresponding bits are the same. The answer replaces the first
operand.

Flags Affected

CF = 0, OF = 0; SF, ZF, and PF as described in Appendix C; AF is undefined

Protected Mode Exceptions

memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault


Appendix A  Opcode Map



The opcode tables that follow aid in interpreting 80386 object code. Use
the high-order four bits of the opcode as an index to a row of the opcode
table; use the low-order four bits as an index to a column of the table. If
the opcode is 0FH, refer to the two-byte opcode table and use the second
byte of the opcode to index the rows and columns of that table.


Key to Abbreviations

Operands are identified by a two-character code of the form Zz. The first
character, an uppercase letter, specifies the addressing method; the second
character, a lowercase letter, specifies the type of operand.


Codes for Addressing Method

A  Direct address; the instruction has no modR/M byte; the address of the
   operand is encoded in the instruction; no base register, index register,
   or scaling factor can be applied; e.g., far JMP (EA).

C  The reg field of the modR/M byte selects a control register; e.g., MOV
   (0F20, 0F22).

D  The reg field of the modR/M byte selects a debug register; e.g., MOV
   (0F21,0F23).

E  A modR/M byte follows the opcode and specifies the operand. The operand
   is either a general register or a memory address. If it is a memory
   address, the address is computed from a segment register and any of the
   following values: a base register, an index register, a scaling factor,
   a displacement.

F  Flags Register.

G  The reg field of the modR/M byte selects a general register; e.g., ADD
   (00).

I  Immediate data. The value of the operand is encoded in subsequent bytes
   of the instruction.

J  The instruction contains a relative offset to be added to the
   instruction pointer register; e.g., JMP short, LOOP.

M  The modR/M byte may refer only to memory; e.g., BOUND, LES, LDS, LSS,
   LFS, LGS.

O  The instruction has no modR/M byte; the offset of the operand is coded as
   a word or double word (depending on address size attribute) in the
   instruction. No base register, index register, or scaling factor can be
   applied; e.g., MOV (A0-A3).

R  The mod field of the modR/M byte may refer only to a general register;
   e.g., MOV (0F20-0F24, 0F26).

S  The reg field of the modR/M byte selects a segment register; e.g., MOV
   (8C,8E).

T  The reg field of the modR/M byte selects a test register; e.g., MOV
   (0F24,0F26).

X  Memory addressed by DS:SI; e.g., MOVS, COMPS, OUTS, LODS, SCAS.

Y  Memory addressed by ES:DI; e.g., MOVS, CMPS, INS, STOS.


Codes for Operant Type

a  Two one-word operands in memory or two double-word operands in memory,
   depending on operand size attribute (used only by BOUND).

b  Byte (regardless of operand size attribute)

c  Byte or word, depending on operand size attribute.

d  Double word (regardless of operand size attribute)

p  32-bit or 48-bit pointer, depending on operand size attribute.

s  Six-byte pseudo-descriptor

v  Word or double word, depending on operand size attribute.

w  Word (regardless of operand size attribute)


Register Codes

When an operand is a specific register encoded in the opcode, the register
is identified by its name; e.g., AX, CL, or ESI. The name of the register
indicates whether the register is 32-, 16-, or 8-bits wide. A register
identifier of the form eXX is used when the width of the register depends on
the operand size attribute; for example, eAX indicates that the AX register
is used when the operand size attribute is 16 and the EAX register is used
when the operand size attribute is 32.


One-Byte Opcode Map


       0         1         2         3         4         5         6        7        8         9         A         B         C         D         E        F
 ͻ
                               ADD                            PUSH     POP                               OR                              PUSH   2-byte 
0Ĵ                Ĵ                
   Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    AL,Ib   eAX,Iv     ES      ES     Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    AL,Ib   eAX,Iv     CS    escape 
 ͹
                               ADC                            PUSH     POP                              SBB                              PUSH    POP   
1Ĵ                Ĵ                
   Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    AL,Ib   eAX,Iv     SS      SS     Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    AL,Ib   eAX,Iv     DS      DS   
 ͹
                               AND                            SEG                                       SUB                              SEG           
2Ĵ           DAA  Ĵ          DAS   
   Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    AL,Ib   eAX,Iv    =ES             Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    AL,Ib   eAX,Iv    =CS           
 ͹
                               XOR                            SEG                                       CMP                              SEG           
3Ĵ           AAA  Ĵ          AAS   
   Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    AL,Ib   eAX,Iv    =SS             Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    AL,Ib   eAX,Iv    =CS           
 ͹
                                INC general register                                                        DEC general register                           
4Ķ
    eAX      eCX      eDX      eBX      eSP      eBP     eSI     eDI      eAX      eCX      eDX      eBX      eSP      eBP      eSI    eDI   
 ͹
                                PUSH general register                                                   POP into general register                          
5Ķ
    eAX      eCX      eDX      eBX      eSP      eBP     eSI     eDI      eAX      eCX      eDX      eBX      eSP      eBP     eSI     eDI   
 ͹
                     BOUND    ARPL      SEG      SEG    Operand Address  PUSH     IMUL     PUSH     IMUL     INSB    INSW/D   OUTSB  OUTSW/D 
6  PUSHA    POPA                                                                                                                             
                     Gv,Ma    Ew,Rw     =FS      =GS     Size    Size     Ib     GvEvIv     Ib     GvEvIv    Yb,DX    Yb,DX   Dx,Xb   DX,Xv  
 ͹
                     Short displacement jump of condition (Jb)                                   Short-displacement jump on condition(Jb)                  
7Ķ
    JO       JNO      JB       JNB      JZ      JNZ       JBE    JNBE     JS       JNS      JP       JNP      JL      JNL      JLE     JNLE  
 ͹
   Immediate Grpl              Grpl          TEST              XCNG                        MOV                      MOV      LEA     MOV     POP   
8Ĵ                  Ĵ                                  
   Eb,Ib    Ev,Iv             Ev,Iv    Eb,Gb    Ev,Gv    Eb,Gb   Ev,Gv   Eb,Gb    Ev,Gv    Gb,Eb    Gv,Ev    Ew,Sw    Gv,M     Sw,Ew    Ev   
 ͹
                        XCHG word or double-word register with eAX                               CALL              PUSHF    POPF                   
9   NOP   Ĵ   CBW      CWD              WAIT                       SAHF    LAHF  
             eCX      eDX      eBX      eSP      eBP     eSI     eDI                        Ap                Fv       Fv                    
 ͹
                   MOV                    MOVSB   MOVSW/D  CMPSB  CMPSW/D        TEST          STOSB   STOSW/D   LODSB   LODSW/D  SCASB  SCASW/D 
AĴ                                  Ĵ                                                    
   AL,Ob    eAX,Ov   Ob,AL    Ov,eAX   Xb,Yb    Xv,Yv    Xb,Yb   Xv,Yv   AL,Ib   eAX,Iv    Yb,AL    Yv,eAX   AL,Xb   eAX,Xv    AL,Xb eAX,Xv  
 ͹
                        MOV immediate byte into byte register                         MOV immediate word or double into word or double register            
BĶ
     AL      CL       DL       BL       AH       CH       DH      BH      eAX      eCX      eDX      eBX      eSP      eBP      eSI    eDI   
 ͹
     Shift Grp2           RET near        LES      LDS          MOV         ENTER                 RET far        INT      INT                    
CĴ                  Ĵ           LEAVE  Ĵ                    INTO    IRET  
   Eb,Ib    Ev,Iv      Iw              Gv,Mp    Gv,Mp    Eb,Ib   Ev,Iv   Iw,Ib              Iw                3       Ib                     
 ͹
                Shift Grp2                                                                                                                             
DĴ   AAM      AAD             XLAT                    ESC(Escape to coprocessor instruction set)                 
    Eb,1    Ev,1     Eb,CL    Ev,CL                                                                                                                 
 ͹
  LOOPNE    LOOPE     LOOP    JCXZ           IN                OUT          CALL               JNP                     IN                OUT       
E                                    Ĵ         Ķ
    Jb       Jb        Jb      Jb      AL,Ib   eAX,Ib    Ib,AL  Ib,eAX     Av      Jv       Ap       Jb      AL,DX   eAX,DX   DX,AL   DX,eAX 
 ͹
                               REP                          Unary Grp3                                                        INC/DEC Indirct 
F  LOCK              REPNE              HLT      CMC   Ĵ   CLC      STC      CLI      STI      CLD      STD                   
                              REPE                        Eb      Ev                                                           Grp4    Grp5  
 ͼ


Two-Byte Opcode Map (first byte is 0FH)


      0         1         2         3         4         5         6        7        8         9         A         B         C         D         E        F
 ͻ
                      LAR      LSL                                                                                                           
0  Grp6     Grp7                                         CLTS                                                                                
                     Gw,Ew    Gv,Ew                                                                                                          
 ͹
                                                                                                                                             
1                                                                                                                                            
                                                                                                                                             
 ͹
    MOV      MOV      MOV      MOV      MOV               MOV                                                                                
2                                                                                                                                            
   Cd,Rd    Dd,Rd    Rd,Cd    Rd,Dd    Td,Rd             Rd,Td                                                                               
 ͹
                                                                                                                                             
3                                                                                                                                            
                                                                                                                                             
 ͹
                                                                                                                                             
4                                                                                                                                            
                                                                                                                                             
 ͹
                                                                                                                                             
5                                                                                                                                            
                                                                                                                                             
 ͹
                                                                                                                                             
6                                                                                                                                            
                                                                                                                                             
 ͹
                                                                                                                                             
7                                                                                                                                            
                                                                                                                                             
 ͹
                       Long-displacement jump on condition (Jv)                                Long-displacement jump on condition (Jv)                    
8Ķ
    JO       JNO      JB       JNB      JZ       JNZ      JBE    JNBE     JS       JNS      JP       JNP      JL       JNL      JLE    JNLE  
 ͹
                               Byte Set on condition (Eb)                                                                                           
9Ĵ  SETS     SETNS    SETP     SETNP    SETL     SETNL    SETLE  SETNLE 
   SETO     SETNO    SETB     SETNB    SETZ     SETNZ    SETBE  SETNBE                                                                       
 ͹
   PUSH      POP               BT      SHLD     SHLD                     PUSH      POP               BTS     SHRD     SHRD             IMUL  
A                                                                                                                                            
    FS       FS               Ev,Gv   EvGvIb   EvGvCL                     GS       GS               Ev,Gv   EvGvIb   EvGvCL           Gv,Ev  
 ͹
                      LSS      BTR      LFS      LGS         MOVZX                          Grp-8     BTC      BSF      BSR         MOVSX      
B                                                      Ĵ                                                      Ķ
                      Mp      Ev,Gv     Mp       Mp     Gv,Eb   Gv,Ew                      Ev,Ib    Ev,Gv    Gv,Ev    Gv,Ev    Gv,Eb   Gv,Ew  
 ͹
                                                                                                                                             
C                                                                                                                                            
                                                                                                                                             
 ͹
                                                                                                                                             
D                                                                                                                                            
                                                                                                                                             
 ͹
                                                                                                                                             
E                                                                                                                                            
                                                                                                                                             
 ͹
                                                                                                                                             
F                                                                                                                                            
                                                                                                                                             
 ͼ


Opcodes determined by bits 5,4,3 of modR/M byte:

     G                       Ŀ
     r                         mod    nnn    R/M  
     o                       
     u
     p   000     001     010     011     100     101     110     111
      Ŀ
     1  ADD    OR     ADC    SBB    AND    SUB    XOR    CMP  
                                                              
      Ĵ
     2  ROL    ROR    RCL    RCR    SHL    SHR           SAR  
                                                              
      Ĵ
     3 TEST           NOT    NEG    MUL   IMUL    DIV   IDIV  
       Ib/Iv                      AL/eAX AL/eAX AL/eAX AL/eAX 
      Ĵ
     4  INC    DEC                                            
        Eb     Eb                                             
      Ĵ
     5  INC    DEC   CALL   CALL    JMP    JMP   PUSH         
        Ev     Ev     Ev     eP     Ev     Ep     Ev          
      


Opcodes determined by bits 5,4,3 of modR/M byte:

     G                       Ŀ
     r                         mod    nnn    R/M  
     o                       
     u
     p   000     001     010     011     100     101     110     111
      Ŀ
     6 SLDT    STR   LLDT    LTR   VERR   VERW                
        Ew     Ew     Ew     Ew     Ew     Ew                 
      Ĵ
     7 SGDT   SIDT   LGDT   LIDT   SMSW          LMSW         
        Ms     Ms     Ms      Ms    Ew            Ew          
      Ĵ
     8                              BT     BTS    BTR    BTC  
                                                              
      


Appendix B  Complete Flag Cross-Reference



Key to Codes

T     = instruction tests flag

M     = instruction modifies flag
        (either sets or resets depending on operands)

0     = instruction resets flag

1     = instruction sets flag

    = instruction's effect on flag is undefined

R     = instruction restores prior value of flag

blank = instruction does not affect flag


Instruction            OF   SF   ZF   AF   PF   CF   TF   IF   DF   NT   RF

AAA                             TM      M
AAD                       M    M       M    
AAM                       M    M       M    
AAS                             TM      M
ADC                    M    M    M    M    M    TM
ADD                    M    M    M    M    M    M
AND                    0    M    M       M    0
ARPL                             M
BOUND
BSF/BSR                      M          
BT/BTS/BTR/BTC                        M
CALL
CBW
CLC                                             0
CLD                                                            0
CLI                                                       0
CLTS
CMC                                             M
CMP                    M    M    M    M    M    M
CMPS                   M    M    M    M    M    M              T
CWD
DAA                       M    M    TM   M    TM
DAS                       M    M    TM   M    TM
DEC                    M    M    M    M    M
DIV                                   
ENTER
ESC
HLT
IDIV                                  
IMUL                   M                M
IN
INC                    M    M    M    M    M
INS                                                            T
INT                                                  0              0
INTO                   T                             0              0
IRET                   R    R    R    R    R    R    R    R    R    T
Jcond                  T    T    T    T    T
JCXZ
JMP
LAHF
LAR                              M
LDS/LES/LSS/LFS/LGS
LEA
LEAVE
LGDT/LIDT/LLDT/LMSW
LOCK
LODS                                                           T
LOOP
LOOPE/LOOPNE                     T
LSL                              M
LTR
MOV
MOV control, debug                    
MOVS                                                           T
MOVSX/MOVZX
MUL                    M                M
NEG                    M    M    M    M    M    M
NOP
NOT
OR                     0    M    M       M    0
OUT
OUTS                                                           T
POP/POPA
POPF                   R    R    R    R    R    R    R    R    R    R
PUSH/PUSHA/PUSHF
RCL/RCR 1              M                        TM
RCL/RCR count                                 TM
REP/REPE/REPNE
RET
ROL/ROR 1              M                        M
ROL/ROR count                                 M
SAHF                        R    R    R    R    R
SAL/SAR/SHL/SHR 1      M    M    M       M    M
SAL/SAR/SHL/SHR count     M    M       M    M
SBB                    M    M    M    M    M    TM
SCAS                   M    M    M    M    M    M              T
SET cond               T    T    T         T    T
SGDT/SIDT/SLDT/SMSW
SHLD/SHRD                 M    M       M    M
STC                                             1
STD                                                            1
STI                                                       1
STOS                                                           T
STR
SUB                    M    M    M    M    M    M
TEST                   0    M    M       M    0
VERR/VERRW                       M
WAIT
XCHG
XLAT
XOR                    0    M    M       M    0


Appendix C  Status Flag Summary



Status Flags' Functions

Bit  Name   Function

 0   CF     Carry Flag  Set on high-order bit carry or borrow; cleared
            otherwise.
 2   PF     Parity Flag  Set if low-order eight bits of result contain
            an even number of 1 bits; cleared otherwise.
 4   AF     Adjust flag  Set on carry from or borrow to the low order
            four bits of   AL; cleared otherwise. Used for decimal
            arithmetic.
 6   ZF     Zero Flag  Set if result is zero; cleared otherwise.
 7   SF     Sign Flag  Set equal to high-order bit of result (0 is
            positive, 1 if negative).
11   OF     Overflow Flag  Set if result is too large a positive number
            or too small a negative number (excluding sign-bit) to fit in
            destination operand; cleared otherwise.

Key to Codes

T     = instruction tests flag
M     = instruction modifies flag
        (either sets or resets depending on operands)
0     = instruction resets flag
    = instruction's effect on flag is undefined
blank = instruction does not affect flag



Instruction            OF   SF   ZF   AF   PF   CF
AAA                             TM      M
AAS                             TM      M
AAD                       M    M       M    
AAM                       M    M       M    
DAA                       M    M    TM   M    TM
DAS                       M    M    TM   M    TM
ADC                    M    M    M    M    M    TM
ADD                    M    M    M    M    M    M
SBB                    M    M    M    M    M    TM
SUB                    M    M    M    M    M    M
CMP                    M    M    M    M    M    M
CMPS                   M    M    M    M    M    M
SCAS                   M    M    M    M    M    M
NEG                    M    M    M    M    M    M
DEC                    M    M    M    M    M
INC                    M    M    M    M    M
IMUL                   M                M
MUL                    M                M
RCL/RCR 1              M                        TM
RCL/RCR count                                 TM
ROL/ROR 1              M                        M
ROL/ROR count                                 M
SAL/SAR/SHL/SHR 1      M    M    M       M    M
SAL/SAR/SHL/SHR count     M    M       M    M
SHLD/SHRD                 M    M       M    M
BSF/BSR                      M          
BT/BTS/BTR/BTC                        M
AND                    0    M    M       M    0
OR                     0    M    M       M    0
TEST                   0    M    M       M    0
XOR                    0    M    M       M    0


Appendix D  Condition Codes




Note:
  The terms "above" and "below" refer to the relation between two
  unsigned values (neither SF nor OF is tested). The terms "greater" and
  "less" refer to the relation between two signed values (SF and OF are
  tested).


Definition of Conditions

(For conditional instructions Jcond, and SETcond)


                                       Instruction  Condition
Mnemonic  Meaning                      Subcode      Tested

O         Overflow                     0000         OF = 1

NO        No overflow                  0001         OF = 0

B         Below
NAE       Neither above nor equal      0010         CF = 1

NB        Not below
AE       Above or equal                0011         CF = 0

E         Equal
Z         Zero                         0100         ZF = 1

NE        Not equal
NZ        Not zero                     0101         ZF = 0

BE        Below or equal
NA        Not above                    0110         (CF or ZF) = 1

NBE       Neither below nor equal
NA        Above                        0111         (CF or ZF) = 0

S         Sign                         1000         SF = 1

NS        No sign                      1001         SF = 0

P         Parity
PE        Parity even                  1010         PF = 1

NP        No parity
PO        Parity odd                   1011         PF = 0

L         Less
NGE       Neither greater nor equal    1100         (SF xor OF) = 1

NL        Not less
GE        Greater or equal             1101         (SF xor OF) = 0

LE        Less or equal
NG        Not greater                  1110         ((SF xor OF) or ZF) = 1

NLE       Neither less nor equal
G         Greater                      1111         ((SF xor OF) or ZF) = 0

first page

Creato da: Astalalista - Ultima modifica: 26/Gen/2004 alle 02:57
Labelled with ICRA This page is powered by Copyright Button(TM).
Click here to read how this page is protected by copyright laws.
Please send any
comments to Webmaster


KingsClick Sponsor - Click Here
KingsClick-Your Website Deserves to be King