|
|
INTEL 80386 PROGRAMMER'S REFERENCE MANUAL 1986
go to English version
translate
17.2.2.10 Virtual-8086 Mode Exceptions
Virtual 8086 tasks provide the ability to simulate Virtual 8086 machines.
Virtual 8086 Mode exceptions are similar to those for the 8086 processor,
but there are some differences. Refer to Chapter 15 for details.
AAA ÄÄ ASCII Adjust after Addition
Opcode Instruction Clocks Description
37 AAA 4 ASCII adjust AL after addition
Operation
IF ((AL AND 0FH) > 9) OR (AF = 1)
THEN
AL � (AL + 6) AND 0FH;
AH � AH + 1;
AF � 1;
CF � 1;
ELSE
CF � 0;
AF � 0;
FI;
Description
Execute AAA only following an ADD instruction that leaves a byte result
in the AL register. The lower nibbles of the operands of the ADD instruction
should be in the range 0 through 9 (BCD digits). In this case, AAA adjusts
AL to contain the correct decimal digit result. If the addition produced a
decimal carry, the AH register is incremented, and the carry and auxiliary
carry flags are set to 1. If there was no decimal carry, the carry and
auxiliary flags are set to 0 and AH is unchanged. In either case, AL is left
with its top nibble set to 0. To convert AL to an ASCII result, follow the
AAA instruction with OR AL, 30H.
Flags Affected
AF and CF as described above; OF, SF, ZF, and PF are undefined
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
AAD ÄÄ ASCII Adjust AX before Division
Opcode Instruction Clocks Description
D5 0A AAD 19 ASCII adjust AX before division
Operation
AL � AH * 10 + AL;
AH � 0;
Description
AAD is used to prepare two unpacked BCD digits (the least-significant
digit in AL, the most-significant digit in AH) for a division operation that
will yield an unpacked result. This is accomplished by setting AL to
AL + (10 * AH), and then setting AH to 0. AX is then equal to the binary
equivalent of the original unpacked two-digit number.
Flags Affected
SF, ZF, and PF as described in Appendix C; OF, AF, and CF are undefined
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
AAM ÄÄ ASCII Adjust AX after Multiply
Opcode Instruction Clocks Description
D4 0A AAM 17 ASCII adjust AX after multiply
Operation
AH � AL / 10;
AL � AL MOD 10;
Description
Execute AAM only after executing a MUL instruction between two unpacked
BCD digits that leaves the result in the AX register. Because the result is
less than 100, it is contained entirely in the AL register. AAM unpacks the
AL result by dividing AL by 10, leaving the quotient (most-significant
digit) in AH and the remainder (least-significant digit) in AL.
Flags Affected
SF, ZF, and PF as described in Appendix C; OF, AF, and CF are undefined
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
AAS ÄÄ ASCII Adjust AL after Subtraction
Opcode Instruction Clocks Description
3F AAS 4 ASCII adjust AL after subtraction
Operation
IF (AL AND 0FH) > 9 OR AF = 1
THEN
AL � AL - 6;
AL � AL AND 0FH;
AH � AH - 1;
AF � 1;
CF � 1;
ELSE
CF � 0;
AF � 0;
FI;
Description
Execute AAS only after a SUB instruction that leaves the byte result in the
AL register. The lower nibbles of the operands of the SUB instruction must
have been in the range 0 through 9 (BCD digits). In this case, AAS adjusts
AL so it contains the correct decimal digit result. If the subtraction
produced a decimal carry, the AH register is decremented, and the carry and
auxiliary carry flags are set to 1. If no decimal carry occurred, the carry
and auxiliary carry flags are set to 0, and AH is unchanged. In either case,
AL is left with its top nibble set to 0. To convert AL to an ASCII result,
follow the AAS with OR AL, 30H.
Flags Affected
AF and CF as described above; OF, SF, ZF, and PF are undefined
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
ADC ÄÄ Add with Carry
Opcode Instruction Clocks Description
14 ib ADC AL,imm8 2 Add with carry immediate byte to AL
15 iw ADC AX,imm16 2 Add with carry immediate word to AX
15 id ADC EAX,imm32 2 Add with carry immediate dword to EAX
80 /2 ib ADC r/m8,imm8 2/7 Add with carry immediate byte to r/m
byte
81 /2 iw ADC r/m16,imm16 2/7 Add with carry immediate word to r/m
word
81 /2 id ADC r/m32,imm32 2/7 Add with CF immediate dword to r/m
dword
83 /2 ib ADC r/m16,imm8 2/7 Add with CF sign-extended immediate
byte to r/m word
83 /2 ib ADC r/m32,imm8 2/7 Add with CF sign-extended immediate
byte into r/m dword
10 /r ADC r/m8,r8 2/7 Add with carry byte register to r/m
byte
11 /r ADC r/m16,r16 2/7 Add with carry word register to r/m
word
11 /r ADC r/m32,r32 2/7 Add with CF dword register to r/m dword
12 /r ADC r8,r/m8 2/6 Add with carry r/m byte to byte
register
13 /r ADC r16,r/m16 2/6 Add with carry r/m word to word
register
13 /r ADC r32,r/m32 2/6 Add with CF r/m dword to dword register
Operation
DEST � DEST + SRC + CF;
Description
ADC performs an integer addition of the two operands DEST and SRC and the
carry flag, CF. The result of the addition is assigned to the first operand
(DEST), and the flags are set accordingly. ADC is usually executed as part
of a multi-byte or multi-word addition operation. When an immediate byte
value is added to a word or doubleword operand, the immediate value is first
sign-extended to the size of the word or doubleword operand.
Flags Affected
OF, SF, ZF, AF, CF, and PF as described in Appendix C
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
ADD ÄÄ Add
Opcode Instruction Clocks Description
04 ib ADD AL,imm8 2 Add immediate byte to AL
05 iw ADD AX,imm16 2 Add immediate word to AX
05 id ADD EAX,imm32 2 Add immediate dword to EAX
80 /0 ib ADD r/m8,imm8 2/7 Add immediate byte to r/m byte
81 /0 iw ADD r/m16,imm16 2/7 Add immediate word to r/m word
81 /0 id ADD r/m32,imm32 2/7 Add immediate dword to r/m dword
83 /0 ib ADD r/m16,imm8 2/7 Add sign-extended immediate byte
to r/m word
83 /0 ib ADD r/m32,imm8 2/7 Add sign-extended immediate byte
to r/m dword
00 /r ADD r/m8,r8 2/7 Add byte register to r/m byte
01 /r ADD r/m16,r16 2/7 Add word register to r/m word
01 /r ADD r/m32,r32 2/7 Add dword register to r/m dword
02 /r ADD r8,r/m8 2/6 Add r/m byte to byte register
03 /r ADD r16,r/m16 2/6 Add r/m word to word register
03 /r ADD r32,r/m32 2/6 Add r/m dword to dword register
Operation
DEST � DEST + SRC;
Description
ADD performs an integer addition of the two operands (DEST and SRC). The
result of the addition is assigned to the first operand (DEST), and the
flags are set accordingly.
When an immediate byte is added to a word or doubleword operand, the
immediate value is sign-extended to the size of the word or doubleword
operand.
Flags Affected
OF, SF, ZF, AF, CF, and PF as described in Appendix C
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
AND ÄÄ Logical AND
Opcode Instruction Clocks Description
24 ib AND AL,imm8 2 AND immediate byte to AL
25 iw AND AX,imm16 2 AND immediate word to AX
25 id AND EAX,imm32 2 AND immediate dword to EAX
80 /4 ib AND r/m8,imm8 2/7 AND immediate byte to r/m byte
81 /4 iw AND r/m16,imm16 2/7 AND immediate word to r/m word
81 /4 id AND r/m32,imm32 2/7 AND immediate dword to r/m dword
83 /4 ib AND r/m16,imm8 2/7 AND sign-extended immediate byte
with r/m word
83 /4 ib AND r/m32,imm8 2/7 AND sign-extended immediate byte
with r/m dword
20 /r AND r/m8,r8 2/7 AND byte register to r/m byte
21 /r AND r/m16,r16 2/7 AND word register to r/m word
21 /r AND r/m32,r32 2/7 AND dword register to r/m dword
22 /r AND r8,r/m8 2/6 AND r/m byte to byte register
23 /r AND r16,r/m16 2/6 AND r/m word to word register
23 /r AND r32,r/m32 2/6 AND r/m dword to dword register
Operation
DEST � DEST AND SRC;
CF � 0;
OF � 0;
Description
Each bit of the result of the AND instruction is a 1 if both corresponding
bits of the operands are 1; otherwise, it becomes a 0.
Flags Affected
CF = 0, OF = 0; PF, SF, and ZF as described in Appendix C
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
ARPL ÄÄ Adjust RPL Field of Selector
Opcode Instruction Clocks Description
63 /r ARPL r/m16,r16 pm=20/21 Adjust RPL of r/m16 to not
less than RPL of r16
Operation
IF RPL bits(0,1) of DEST < RPL bits(0,1) of SRC
THEN
ZF � 1;
RPL bits(0,1) of DEST � RPL bits(0,1) of SRC;
ELSE
ZF � 0;
FI;
Description
The ARPL instruction has two operands. The first operand is a 16-bit
memory variable or word register that contains the value of a selector. The
second operand is a word register. If the RPL field ("requested privilege
level"ÄÄbottom two bits) of the first operand is less than the RPL field of
the second operand, the zero flag is set to 1 and the RPL field of the
first operand is increased to match the second operand. Otherwise, the zero
flag is set to 0 and no change is made to the first operand.
ARPL appears in operating system software, not in application programs. It
is used to guarantee that a selector parameter to a subroutine does not
request more privilege than the caller is allowed. The second operand of
ARPL is normally a register that contains the CS selector value of the
caller.
Flags Affected
ZF as described above
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 6; ARPL is not recognized in Real Address Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
BOUND ÄÄ Check Array Index Against Bounds
Opcode Instruction Clocks Description
62 /r BOUND r16,m16&16 10 Check if r16 is within bounds
(passes test)
62 /r BOUND r32,m32&32 10 Check if r32 is within bounds
(passes test)
Operation
IF (LeftSRC < [RightSRC] OR LeftSRC > [RightSRC + OperandSize/8])
(* Under lower bound or over upper bound *)
THEN Interrupt 5;
FI;
Description
BOUND ensures that a signed array index is within the limits specified by a
block of memory consisting of an upper and a lower bound. Each bound uses
one word for an operand-size attribute of 16 bits and a doubleword for an
operand-size attribute of 32 bits. The first operand (a register) must be
greater than or equal to the first bound in memory (lower bound), and less
than or equal to the second bound in memory (upper bound). If the register
is not within bounds, an Interrupt 5 occurs; the return EIP points to the
BOUND instruction.
The bounds limit data structure is usually placed just before the array
itself, making the limits addressable via a constant offset from the
beginning of the array.
Flags Affected
None
Protected Mode Exceptions
Interrupt 5 if the bounds test fails, as described above; #GP(0) for an
illegal memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
The second operand must be a memory operand, not a register. If BOUND is
executed with a ModRM byte representing a register as the second operand,
Real Address Mode Exceptions
Interrupt 5 if the bounds test fails; Interrupt 13 if any part of the
operand would lie outside of the effective address space from 0 to 0FFFFH;
Interrupt 6 if the second operand is a register
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
BSF ÄÄ Bit Scan Forward
Opcode Instruction Clocks Description
0F BC BSF r16,r/m16 10+3n Bit scan forward on r/m word
0F BC BSF r32,r/m32 10+3n Bit scan forward on r/m dword
Notes
is the number of leading zero bits.
Operation
IF r/m = 0
THEN
ZF � 1;
register � UNDEFINED;
ELSE
temp � 0;
ZF � 0;
WHILE BIT[r/m, temp = 0]
DO
temp � temp + 1;
register � temp;
OD;
FI;
Description
BSF scans the bits in the second word or doubleword operand starting with
bit 0. The ZF flag is cleared if the bits are all 0; otherwise, the ZF flag
is set and the destination register is loaded with the bit index of the
first set bit.
Flags Affected
ZF as described above
Protected Mode Exceptions
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
BSR ÄÄ Bit Scan Reverse
Opcode Instruction Clocks Description
0F BD BSR r16,r/m16 10+3n Bit scan reverse on r/m word
0F BD BSR r32,r/m32 10+3n Bit scan reverse on r/m dword
Operation
IF r/m = 0
THEN
ZF � 1;
register � UNDEFINED;
ELSE
temp � OperandSize - 1;
ZF � 0;
WHILE BIT[r/m, temp] = 0
DO
temp � temp - 1;
register � temp;
OD;
FI;
Description
BSR scans the bits in the second word or doubleword operand from the most
significant bit to the least significant bit. The ZF flag is cleared if the
bits are all 0; otherwise, ZF is set and the destination register is loaded
with the bit index of the first set bit found when scanning in the reverse
direction.
Flags Affected
ZF as described above
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
BT ÄÄ Bit Test
Opcode Instruction Clocks Description
0F A3 BT r/m16,r16 3/12 Save bit in carry flag
0F A3 BT r/m32,r32 3/12 Save bit in carry flag
0F BA /4 ib BT r/m16,imm8 3/6 Save bit in carry flag
0F BA /4 ib BT r/m32,imm8 3/6 Save bit in carry flag
Operation
CF � BIT[LeftSRC, RightSRC];
Description
BT saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag.
Flags Affected
CF as described above
Protected Mode Exceptions
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
Notes
The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The low-order
3 to 5 bits of the immediate bit offset are stored in the immediate bit
offset field, and the high-order 27 to 29 bits are shifted and combined with
the byte displacement in the addressing mode.
When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:
Effective Address + (4 * (BitOffset DIV 32))
for a 32-bit operand size, or two bytes starting from the memory address
given by:
Effective Address + (2 * (BitOffset DIV 16))
for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.
BTC ÄÄ Bit Test and Complement
Opcode Instruction Clocks Description
0F BB BTC r/m16,r16 6/13 Save bit in carry flag and complement
0F BB BTC r/m32,r32 6/13 Save bit in carry flag and complement
0F BA /7 ib BTC r/m16,imm8 6/8 Save bit in carry flag and complement
0F BA /7 ib BTC r/m32,imm8 6/8 Save bit in carry flag and complement
Operation
CF � BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] � NOT BIT[LeftSRC, RightSRC];
Description
BTC saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then complements the
bit.
Flags Affected
CF as described above
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
Notes
The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The low-order
3 to 5 bits of the immediate bit offset are stored in the immediate bit
offset field, and the high-order 27 to 29 bits are shifted and combined with
the byte displacement in the addressing mode.
When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:
Effective Address + (4 * (BitOffset DIV 32))
for a 32-bit operand size, or two bytes starting from the memory address
given by:
Effective Address + (2 * (BitOffset DIV 16))
for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.
BTR ÄÄ Bit Test and Reset
Opcode Instruction Clocks Description
0F B3 BTR r/m16,r16 6/13 Save bit in carry flag and reset
0F B3 BTR r/m32,r32 6/13 Save bit in carry flag and reset
0F BA /6 ib BTR r/m16,imm8 6/8 Save bit in carry flag and reset
0F BA /6 ib BTR r/m32,imm8 6/8 Save bit in carry flag and reset
Operation
CF � BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] � 0;
Description
BTR saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then stores 0 in the
bit.
Flags Affected
CF as described above
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
Notes
The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 (or 15) are supported by using the immediate bit offset field
in combination with the displacement field of the memory operand. The
low-order 3 to 5 bits of the immediate bit offset are stored in the
immediate bit offset field, and the high-order 27 to 29 bits are shifted and
combined with the byte displacement in the addressing mode.
When accessing a bit in memory, the 80386 may access four bytes starting
from the memory address given by:
Effective Address + 4 * (BitOffset DIV 32)
for a 32-bit operand size, or two bytes starting from the memory address
given by:
Effective Address + 2 * (BitOffset DIV 16)
for a 16-bit operand size. It may do so even when only a single byte needs
to be accessed in order to reach the given bit. You must therefore avoid
referencing areas of memory close to address space holes. In particular,
avoid references to memory-mapped I/O registers. Instead, use the MOV
instructions to load from or store to these addresses, and use the register
form of these instructions to manipulate the data.
BTS ÄÄ Bit Test and Set
Opcode Instruction Clocks Description
0F AB BTS r/m16,r16 6/13 Save bit in carry flag and set
0F AB BTS r/m32,r32 6/13 Save bit in carry flag and set
0F BA /5 ib BTS r/m16,imm8 6/8 Save bit in carry flag and set
0F BA /5 ib BTS r/m32,imm8 6/8 Save bit in carry flag and set
Operation
CF � BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] � 1;
Description
BTS saves the value of the bit indicated by the base (first operand) and the
bit offset (second operand) into the carry flag and then stores 1 in the
bit.
Flags Affected
CF as described above
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
Notes
The index of the selected bit can be given by the immediate constant in the
instruction or by a value in a general register. Only an 8-bit immediate
value is used in the instruction. This operand is taken modulo 32, so the
range of immediate bit offsets is 0..31. This allows any bit within a
register to be selected. For memory bit strings, this immediate field gives
only the bit offset within a word or doubleword. Immediate bit offsets
larger than 31 are supported by using the immediate bit offset field in
combination with the displacement field of the memory operand. The
low-order 3 to 5 bits of the immediate bit offset are stored in the
immediate bit offset field, and the high order 27 to 29 bits are shifted and
combined with the byte displacement in the addressing mode.
When accessing a bit in memory, the processor may access four bytes starting
from the memory address given by:
Effective Address + (4 * (BitOffset DIV 32))
for a 32-bit operand size, or two bytes starting from the memory address
given by:
Effective Address + (2 * (BitOffset DIV 16))
for a 16-bit operand size. It may do this even when only a single byte needs
to be accessed in order to get at the given bit. Thus the programmer must be
careful to avoid referencing areas of memory close to address space holes.
In particular, avoid references to memory-mapped I/O registers. Instead, use
the MOV instructions to load from or store to these addresses, and use the
register form of these instructions to manipulate the data.
CALL ÄÄ Call Procedure
Opcode Instruction Clocks
Values of ts are given by the following table:
New Task
386 TSS 386 TSS 286 TSS
Old VM = 0 VM = 1
Task Via Task Gate?
N Y N Y N Y
386 300 309 217 226 273 282
TSS VM=0
286 298 307 217 226 273 282
TSS Description
E8 cw CALL rel16 7+m Call near, displacement relative
to next instruction
FF /2 CALL r/m16 7+m/10+m Call near, register
indirect/memory indirect
9A cd CALL ptr16:16 17+m,pm=34+m Call intersegment, to full
pointer given
9A cd CALL ptr16:16 pm=52+m Call gate, same privilege
9A cd CALL ptr16:16 pm=86+m Call gate, more privilege, no
parameters
9A cd CALL ptr16:16 pm=94+4x+m Call gate, more privilege, x
parameters
9A cd CALL ptr16:16 ts Call to task
FF /3 CALL m16:16 22+m,pm=38+m Call intersegment, address at
r/m dword
FF /3 CALL m16:16 pm=56+m Call gate, same privilege
FF /3 CALL m16:16 pm=90+m Call gate, more privilege, no
parameters
FF /3 CALL m16:16 pm=98+4x+m Call gate, more privilege, x
parameters
FF /3 CALL m16:16 5 + ts Call to task
E8 cd CALL rel32 7+m Call near, displacement relative
to next instruction
FF /2 CALL r/m32 7+m/10+m Call near, indirect
9A cp CALL ptr16:32 17+m,pm=34+m Call intersegment, to full
pointer given
9A cp CALL ptr16:32 pm=52+m Call gate, same privilege
9A cp CALL ptr16:32 pm=86+m Call gate, more privilege, no
parameters
9A cp CALL ptr32:32 pm=94+4x+m Call gate, more privilege, x
parameters
9A cp CALL ptr16:32 ts Call to task
FF /3 CALL m16:32 22+m,pm=38+m Call intersegment, address at
r/m dword
FF /3 CALL m16:32 pm=56+m Call gate, same privilege
FF /3 CALL m16:32 pm=90+m Call gate, more privilege, no
parameters
FF /3 CALL m16:32 pm=98+4x+m Call gate, more privilege, x
parameters
FF /3 CALL m16:32 5 + ts Call to task
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTE:
Values of ts are given by the following table:
New Task
386 TSS 386 TSS 286 TSS
Old VM = 0 VM = 1
Task Via Task Gate?
N Y N Y N Y
386 300 309 217 226 273 282
TSS VM=0
286 298 307 217 226 273 282
TSS
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF rel16 or rel32 type of call
THEN (* near relative call *)
IF OperandSize = 16
THEN
Push(IP);
EIP � (EIP + rel16) AND 0000FFFFH;
ELSE (* OperandSize = 32 *)
Push(EIP);
EIP � EIP + rel32;
FI;
FI;
IF r/m16 or r/m32 type of call
THEN (* near absolute call *)
IF OperandSize = 16
THEN
Push(IP);
EIP � [r/m16] AND 0000FFFFH;
ELSE (* OperandSize = 32 *)
Push(EIP);
EIP � [r/m32];
FI;
FI;
IF (PE = 0 OR (PE = 1 AND VM = 1))
(* real mode or virtual 8086 mode *)
AND instruction = far CALL
(* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *)
THEN
IF OperandSize = 16
THEN
Push(CS);
Push(IP); (* address of next instruction; 16 bits *)
ELSE
Push(CS); (* padded with 16 high-order bits *)
Push(EIP); (* address of next instruction; 32 bits *)
FI;
IF operand type is m16:16 or m16:32
THEN (* indirect far call *)
IF OperandSize = 16
THEN
CS:IP � [m16:16];
EIP � EIP AND 0000FFFFH; (* clear upper 16 bits *)
ELSE (* OperandSize = 32 *)
CS:EIP � [m16:32];
FI;
FI;
IF operand type is ptr16:16 or ptr16:32
THEN (* direct far call *)
IF OperandSize = 16
THEN
CS:IP � ptr16:16;
EIP � EIP AND 0000FFFFH; (* clear upper 16 bits *)
ELSE (* OperandSize = 32 *)
CS:EIP � ptr16:32;
FI;
FI;
FI;
IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
AND instruction = far CALL
THEN
If indirect, then check access of EA doubleword;
#GP(0) if limit violation;
New CS selector must not be null else #GP(0);
Check that new CS selector index is within its
descriptor table limits; else #GP(new CS selector);
Examine AR byte of selected descriptor for various legal values;
depending on value:
go to CONFORMING-CODE-SEGMENT;
go to NONCONFORMING-CODE-SEGMENT;
go to CALL-GATE;
go to TASK-GATE;
go to TASK-STATE-SEGMENT;
ELSE #GP(code segment selector);
FI;
CONFORMING-CODE-SEGMENT:
DPL must be ó CPL ELSE #GP(code segment selector);
Segment must be present ELSE #NP(code segment selector);
Stack must be big enough for return address ELSE #SS(0);
Instruction pointer must be in code segment limit ELSE #GP(0);
Load code segment descriptor into CS register;
Load CS with new code segment selector;
Load EIP with zero-extend(new offset);
IF OperandSize=16 THEN EIP � EIP AND 0000FFFFH; FI;
NONCONFORMING-CODE-SEGMENT:
RPL must be ó CPL ELSE #GP(code segment selector)
DPL must be = CPL ELSE #GP(code segment selector)
Segment must be present ELSE #NP(code segment selector)
Stack must be big enough for return address ELSE #SS(0)
Instruction pointer must be in code segment limit ELSE #GP(0)
Load code segment descriptor into CS register
Load CS with new code segment selector
Set RPL of CS to CPL
Load EIP with zero-extend(new offset);
IF OperandSize=16 THEN EIP � EIP AND 0000FFFFH; FI;
CALL-GATE:
Call gate DPL must be ò CPL ELSE #GP(call gate selector)
Call gate DPL must be ò RPL ELSE #GP(call gate selector)
Call gate must be present ELSE #NP(call gate selector)
Examine code segment selector in call gate descriptor:
Selector must not be null ELSE #GP(0)
Selector must be within its descriptor table
limits ELSE #GP(code segment selector)
AR byte of selected descriptor must indicate code
segment ELSE #GP(code segment selector)
DPL of selected descriptor must be ó CPL ELSE
#GP(code segment selector)
IF non-conforming code segment AND DPL < CPL
THEN go to MORE-PRIVILEGE
ELSE go to SAME-PRIVILEGE
FI;
MORE-PRIVILEGE:
Get new SS selector for new privilege level from TSS
Check selector and descriptor for new SS:
Selector must not be null ELSE #TS(0)
Selector index must be within its descriptor
table limits ELSE #TS(SS selector)
Selector's RPL must equal DPL of code segment
ELSE #TS(SS selector)
Stack segment DPL must equal DPL of code
segment ELSE #TS(SS selector)
Descriptor must indicate writable data segment
ELSE #TS(SS selector)
Segment present ELSE #SS(SS selector)
IF OperandSize=32
THEN
New stack must have room for parameters plus 16 bytes
ELSE #SS(0)
EIP must be in code segment limit ELSE #GP(0)
Load new SS:eSP value from TSS
Load new CS:EIP value from gate
ELSE
New stack must have room for parameters plus 8 bytes ELSE #SS(0)
IP must be in code segment limit ELSE #GP(0)
Load new SS:eSP value from TSS
Load new CS:IP value from gate
FI;
Load CS descriptor
Load SS descriptor
Push long pointer of old stack onto new stack
Get word count from call gate, mask to 5 bits
Copy parameters from old stack onto new stack
Push return address onto new stack
Set CPL to stack segment DPL
Set RPL of CS to CPL
SAME-PRIVILEGE:
IF OperandSize=32
THEN
Stack must have room for 6-byte return address (padded to 8 bytes)
ELSE #SS(0)
EIP must be within code segment limit ELSE #GP(0)
Load CS:EIP from gate
ELSE
Stack must have room for 4-byte return address ELSE #SS(0)
IP must be within code segment limit ELSE #GP(0)
Load CS:IP from gate
FI;
Push return address onto stack
Load code segment descriptor into CS register
Set RPL of CS to CPL
TASK-GATE:
Task gate DPL must be ò CPL ELSE #TS(gate selector)
Task gate DPL must be ò RPL ELSE #TS(gate selector)
Task Gate must be present ELSE #NP(gate selector)
Examine selector to TSS, given in Task Gate descriptor:
Must specify global in the local/global bit ELSE #TS(TSS selector)
Index must be within GDT limits ELSE #TS(TSS selector)
TSS descriptor AR byte must specify nonbusy TSS
ELSE #TS(TSS selector)
Task State Segment must be present ELSE #NP(TSS selector)
SWITCH-TASKS (with nesting) to TSS
IP must be in code segment limit ELSE #TS(0)
TASK-STATE-SEGMENT:
TSS DPL must be ò CPL else #TS(TSS selector)
TSS DPL must be ò RPL ELSE #TS(TSS selector)
TSS descriptor AR byte must specify available TSS
ELSE #TS(TSS selector)
Task State Segment must be present ELSE #NP(TSS selector)
SWITCH-TASKS (with nesting) to TSS
IP must be in code segment limit ELSE #TS(0)
Description
The CALL instruction causes the procedure named in the operand to be
executed. When the procedure is complete (a return instruction is executed
within the procedure), execution continues at the instruction that follows
the CALL instruction.
The action of the different forms of the instruction are described below.
Near calls are those with destinations of type r/m16, r/m32, rel16, rel32;
changing or saving the segment register value is not necessary. The CALL
rel16 and CALL rel32 forms add a signed offset to the address of the
instruction following CALL to determine the destination. The rel16 form is
used when the instruction's operand-size attribute is 16 bits; rel32 is used
when the operand-size attribute is 32 bits. The result is stored in the
32-bit EIP register. With rel16, the upper 16 bits of EIP are cleared,
resulting in an offset whose value does not exceed 16 bits. CALL r/m16 and
CALL r/m32 specify a register or memory location from which the absolute
segment offset is fetched. The offset fetched from r/m is 32 bits for an
operand-size attribute of 32 (r/m32), or 16 bits for an operand-size of 16
(r/m16). The offset of the instruction following CALL is pushed onto the
stack. It will be popped by a near RET instruction within the procedure. The
CS register is not changed by this form of CALL.
The far calls, CALL ptr16:16 and CALL ptr16:32, use a four-byte or six-byte
operand as a long pointer to the procedure called. The CALL m16:16 and
m16:32 forms fetch the long pointer from the memory location
specified (indirection). In Real Address Mode or Virtual 8086 Mode, the long
pointer provides 16 bits for the CS register and 16 or 32 bits for the EIP
register (depending on the operand-size attribute). These forms of the
instruction push both CS and IP or EIP as a return address.
In Protected Mode, both long pointer forms consult the AR byte in the
descriptor indexed by the selector part of the long pointer. Depending on
the value of the AR byte, the call will perform one of the following types
of control transfers:
þ A far call to the same protection level
þ An inter-protection level far call
þ A task switch
For more information on Protected Mode control transfers, refer to
Chapter 6 and Chapter 7.
Flags Affected
All flags are affected if a task switch occurs; no flags are affected if a
task switch does not occur
Protected Mode Exceptions
For far calls: #GP, #NP, #SS, and #TS, as indicated in the list above
For near direct calls: #GP(0) if procedure location is beyond the code
segment limits; #SS(0) if pushing the return address exceeds the bounds of
the stack segment; #PF (fault-code) for a page fault
For a near indirect call: #GP(0) for an illegal memory operand effective
address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address
in the SS segment; #GP(0) if the indirect offset obtained is beyond the code
segment limits; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
Notes
Any far call from a 32-bit code segment to 16-bit code segments should be
made from the first 64K bytes of the 32-bit code segment, since the
operand-size attribute of the instruction is set to 16, thus allowing only a
16-bit return address offset to be saved.
CBW/CWDE ÄÄ Convert Byte to Word/Convert Word to Doubleword
Opcode Instruction Clocks Description
98 CBW 3 AX � sign-extend of AL
98 CWDE 3 EAX � sign-extend of AX
Operation
IF OperandSize = 16 (* instruction = CBW *)
THEN AX � SignExtend(AL);
ELSE (* OperandSize = 32, instruction = CWDE *)
EAX � SignExtend(AX);
FI;
Description
CBW converts the signed byte in AL to a signed word in AX by extending the
most significant bit of AL (the sign bit) into all of the bits of AH. CWDE
converts the signed word in AX to a doubleword in EAX by extending the most
significant bit of AX into the two most significant bytes of EAX. Note that
CWDE is different from CWD. CWD uses DX:AX rather than EAX as a destination.
Flags Affected
None
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
CLC ÄÄ Clear Carry Flag
Opcode Instruction Clocks Description
F8 CLC 2 Clear carry flag
Operation
CF � 0;
Description
CLC sets the carry flag to zero. It does not affect other flags or
registers.
Flags Affected
CF = 0
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
CLD ÄÄ Clear Direction Flag
Opcode Instruction Clocks Description
FC CLD 2 Clear direction flag; SI and DI
will increment during string
instructions
Operation
DF � 0;
Description
CLD clears the direction flag. No other flags or registers are affected.
After CLD is executed, string operations will increment the index registers
(SI and/or DI) that they use.
Flags Affected
DF = 0
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
CLI ÄÄ Clear Interrupt Flag
Opcode Instruction Clocks Description
FA CLI 3 Clear interrupt flag; interrupts disabled
Operation
IF � 0;
Description
CLI clears the interrupt flag if the current privilege level is at least as
privileged as IOPL. No other flags are affected. External interrupts are not
recognized at the end of the CLI instruction or from that point on until the
interrupt flag is set.
Flags Affected
IF = 0
Protected Mode Exceptions
the IOPL in the flags register. IOPL specifies the least privileged level at
which I/O can be performed.
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
CLTS ÄÄ Clear Task-Switched Flag in CR0
Opcode Instruction Clocks Description
OF 06 CLTS 5 Clear task-switched flag
Operation
TS Flag in CR0 � 0;
Description
CLTS clears the task-switched (TS) flag in register CR0. This flag is set by
the 80386 every time a task switch occurs. The TS flag is used to manage
processor extensions as follows:
þ Every execution of an ESC instruction is trapped if the TS flag is set.
þ Execution of a WAIT instruction is trapped if the MP flag and the TS
flag are both set.
Thus, if a task switch was made after an ESC instruction was begun, the
processor extension's context may need to be saved before a new ESC
instruction can be issued. The fault handler saves the context and resets
the TS flag.
CLTS appears in operating system software, not in application programs. It
is a privileged instruction that can only be executed at privilege level 0.
Flags Affected
TS = 0 (TS is in CR0, not the flag register)
Protected Mode Exceptions
Real Address Mode Exceptions
None (valid in Real Address Mode to allow initialization for Protected
Mode)
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode
CMC ÄÄ Complement Carry Flag
Opcode Instruction Clocks Description
F5 CMC 2 Complement carry flag
Operation
CF � NOT CF;
Description
CMC reverses the setting of the carry flag. No other flags are affected.
Flags Affected
CF as described above
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
CMP ÄÄ Compare Two Operands
Opcode Instruction Clocks Description
3C ib CMP AL,imm8 2 Compare immediate byte to AL
3D iw CMP AX,imm16 2 Compare immediate word to AX
3D id CMP EAX,imm32 2 Compare immediate dword to EAX
80 /7 ib CMP r/m8,imm8 2/5 Compare immediate byte to r/m
byte
81 /7 iw CMP r/m16,imm16 2/5 Compare immediate word to r/m
word
81 /7 id CMP r/m32,imm32 2/5 Compare immediate dword to r/m
dword
83 /7 ib CMP r/m16,imm8 2/5 Compare sign extended immediate
byte to r/m word
83 /7 ib CMP r/m32,imm8 2/5 Compare sign extended immediate
byte to r/m dword
38 /r CMP r/m8,r8 2/5 Compare byte register to r/m
byte
39 /r CMP r/m16,r16 2/5 Compare word register to r/m
word
39 /r CMP r/m32,r32 2/5 Compare dword register to r/m
dword
3A /r CMP r8,r/m8 2/6 Compare r/m byte to byte
register
3B /r CMP r16,r/m16 2/6 Compare r/m word to word
register
3B /r CMP r32,r/m32 2/6 Compare r/m dword to dword
register
Operation
LeftSRC - SignExtend(RightSRC);
(* CMP does not store a result; its purpose is to set the flags *)
Description
CMP subtracts the second operand from the first but, unlike the SUB
instruction, does not store the result; only the flags are changed. CMP is
typically used in conjunction with conditional jumps and the SETcc
instruction. (Refer to Appendix D for the list of signed and unsigned flag
tests provided.) If an operand greater than one byte is compared to an
immediate byte, the byte value is first sign-extended.
Flags Affected
OF, SF, ZF, AF, PF, and CF as described in Appendix C
Protected Mode Exceptions
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
CMPS/CMPSB/CMPSW/CMPSD ÄÄ Compare String Operands
Opcode Instruction Clocks Description
A6 CMPS m8,m8 10 Compare bytes ES:[(E)DI] (second
operand) with [(E)SI] (first
operand)
A7 CMPS m16,m16 10 Compare words ES:[(E)DI] (second
operand) with [(E)SI] (first
operand)
A7 CMPS m32,m32 10 Compare dwords ES:[(E)DI]
(second operand) with [(E)SI]
(first operand)
A6 CMPSB 10 Compare bytes ES:[(E)DI] with
DS:[SI]
A7 CMPSW 10 Compare words ES:[(E)DI] with
DS:[SI]
A7 CMPSD 10 Compare dwords ES:[(E)DI] with
DS:[SI]
Operation
IF (instruction = CMPSD) OR
(instruction has operands of type DWORD)
THEN OperandSize � 32;
ELSE OperandSize � 16;
FI;
IF AddressSize = 16
THEN
use SI for source-index and DI for destination-index
ELSE (* AddressSize = 32 *)
use ESI for source-index and EDI for destination-index;
FI;
IF byte type of instruction
THEN
[source-index] - [destination-index]; (* byte comparison *)
IF DF = 0 THEN IncDec � 1 ELSE IncDec � -1; FI;
ELSE
IF OperandSize = 16
THEN
[source-index] - [destination-index]; (* word comparison *)
IF DF = 0 THEN IncDec � 2 ELSE IncDec � -2; FI;
ELSE (* OperandSize = 32 *)
[source-index] - [destination-index]; (* dword comparison *)
IF DF = 0 THEN IncDec � 4 ELSE IncDec � -4; FI;
FI;
FI;
source-index = source-index + IncDec;
destination-index = destination-index + IncDec;
Description
CMPS compares the byte, word, or doubleword pointed to by the source-index
register with the byte, word, or doubleword pointed to by the
destination-index register.
If the address-size attribute of this instruction is 16 bits, SI and DI
will be used for source- and destination-index registers; otherwise ESI and
EDI will be used. Load the correct index values into SI and DI (or ESI and
EDI) before executing CMPS.
The comparison is done by subtracting the operand indexed by
the destination-index register from the operand indexed by the source-index
register.
Note that the direction of subtraction for CMPS is [SI] - [DI] or
[ESI] - [EDI]. The left operand (SI or ESI) is the source and the right
operand (DI or EDI) is the destination. This is the reverse of the usual
Intel convention in which the left operand is the destination and the right
operand is the source.
The result of the subtraction is not stored; only the flags reflect the
change. The types of the operands determine whether bytes, words, or
doublewords are compared. For the first operand (SI or ESI), the DS register
is used, unless a segment override byte is present. The second operand (DI
or EDI) must be addressable from the ES register; no segment override is
possible.
After the comparison is made, both the source-index register and
destination-index register are automatically advanced. If the direction flag
is 0 (CLD was executed), the registers increment; if the direction flag is 1
(STD was executed), the registers decrement. The registers increment or
decrement by 1 if a byte is compared, by 2 if a word is compared, or by 4 if
a doubleword is compared.
CMPSB, CMPSW and CMPSD are synonyms for the byte, word, and
doubleword CMPS instructions, respectively.
CMPS can be preceded by the REPE or REPNE prefix for block comparison of CX
or ECX bytes, words, or doublewords. Refer to the description of the REP
instruction for more information on this operation.
Flags Affected
OF, SF, ZF, AF, PF, and CF as described in Appendix C
Protected Mode Exceptions
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault
CWD/CDQ ÄÄ Convert Word to Doubleword/Convert Doubleword to
Quadword
Opcode Instruction Clocks Description
99 CWD 2 DX:AX � sign-extend of AX
99 CDQ 2 EDX:EAX � sign-extend of EAX
Operation
IF OperandSize = 16 (* CWD instruction *)
THEN
IF AX < 0 THEN DX � 0FFFFH; ELSE DX � 0; FI;
ELSE (* OperandSize = 32, CDQ instruction *)
IF EAX < 0 THEN EDX � 0FFFFFFFFH; ELSE EDX � 0; FI;
FI;
Description
CWD converts the signed word in AX to a signed doubleword in DX:AX
by extending the most significant bit of AX into all the bits of DX. CDQ
converts the signed doubleword in EAX to a signed 64-bit integer in the
register pair EDX:EAX by extending the most significant bit of EAX
(the sign bit) into all the bits of EDX. Note that CWD is different from
CWDE. CWDE uses EAX as a destination, instead of DX:AX.
Flags Affected
None
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
DAA ÄÄ Decimal Adjust AL after Addition
Opcode Instruction Clocks Description
27 DAA 4 Decimal adjust AL after addition
Operation
IF ((AL AND 0FH) > 9) OR (AF = 1)
THEN
AL � AL + 6;
AF � 1;
ELSE
AF � 0;
FI;
IF (AL > 9FH) OR (CF = 1)
THEN
AL � AL + 60H;
CF � 1;
ELSE CF � 0;
FI;
Description
Execute DAA only after executing an ADD instruction that leaves a
two-BCD-digit byte result in the AL register. The ADD operands should
consist of two packed BCD digits. The DAA instruction adjusts AL to
contain the correct two-digit packed decimal result.
Flags Affected
AF and CF as described above; SF, ZF, PF, and CF as described in
Appendix C.
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
DAS ÄÄ Decimal Adjust AL after Subtraction
Opcode Instruction Clocks Description
2F DAS 4 Decimal adjust AL after subtraction
Operation
IF (AL AND 0FH) > 9 OR AF = 1
THEN
AL � AL - 6;
AF � 1;
ELSE
AF � 0;
FI;
IF (AL > 9FH) OR (CF = 1)
THEN
AL � AL - 60H;
CF � 1;
ELSE CF � 0;
FI;
Description
Execute DAS only after a subtraction instruction that leaves a
two-BCD-digit byte result in the AL register. The operands should consist
of two packed BCD digits. DAS adjusts AL to contain the correct packed
two-digit decimal result.
Flags Affected
AF and CF as described above; SF, ZF, and PF as described in Appendix C.
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
DEC ÄÄ Decrement by 1
Opcode Instruction Clocks Description
FE /1 DEC r/m8 2/6 Decrement r/m byte by 1
FF /1 DEC r/m16 2/6 Decrement r/m word by 1
DEC r/m32 2/6 Decrement r/m dword by 1
48+rw DEC r16 2 Decrement word register by 1
48+rw DEC r32 2 Decrement dword register by 1
Operation
DEST � DEST - 1;
Description
DEC subtracts 1 from the operand. DEC does not change the carry flag.
To affect the carry flag, use the SUB instruction with an immediate
operand of 1.
Flags Affected
OF, SF, ZF, AF, and PF as described in Appendix C.
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
DIV ÄÄ Unsigned Divide
Opcode Instruction Clocks Description
F6 /6 DIV AL,r/m8 14/17 Unsigned divide AX by r/m byte
(AL=Quo, AH=Rem)
F7 /6 DIV AX,r/m16 22/25 Unsigned divide DX:AX by r/m
word (AX=Quo, DX=Rem)
F7 /6 DIV EAX,r/m32 38/41 Unsigned divide EDX:EAX by r/m
dword (EAX=Quo, EDX=Rem)
Operation
temp � dividend / divisor;
IF temp does not fit in quotient
THEN Interrupt 0;
ELSE
quotient � temp;
remainder � dividend MOD (r/m);
FI;
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Note:
Divisions are unsigned. The divisor is given by the r/m operand.
The dividend, quotient, and remainder use implicit registers. Refer to
the table under "Description."
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Description
DIV performs an unsigned division. The dividend is implicit; only the
divisor is given as an operand. The remainder is always less than the
divisor. The type of the divisor determines which registers to use as
follows:
Size Dividend Divisor Quotient Remainder
byte AX r/m8 AL AH
word DX:AX r/m16 AX DX
dword EDX:EAX r/m32 EAX EDX
Flags Affected
OF, SF, ZF, AR, PF, CF are undefined.
Protected Mode Exceptions
Interrupt 0 if the quotient is too large to fit in the designated register
(AL, AX, or EAX), or if the divisor is 0; #GP(0) for an illegal memory
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0)
for an illegal address in the SS segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 0 if the quotient is too big to fit in the designated register
(AL, AX, or EAX), or if the divisor is 0; Interrupt 13 if any part of the
operand would lie outside of the effective address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
ENTER ÄÄ Make Stack Frame for Procedure Parameters
Opcode Instruction Clocks Description
C8 iw 00 ENTER imm16,0 10 Make procedure stack frame
C8 iw 01 ENTER imm16,1 12 Make stack frame for procedure
parameters
C8 iw ib ENTER imm16,imm8 15+4(n-1) Make stack frame for
procedure parameters
Operation
level � level MOD 32
IF OperandSize = 16 THEN Push(BP) ELSE Push (EBP) FI;
(* Save stack pointer *)
frame-ptr � eSP
IF level > 0
THEN (* level is rightmost parameter *)
FOR i � 1 TO level - 1
DO
IF OperandSize = 16
THEN
BP � BP - 2;
Push[BP]
ELSE (* OperandSize = 32 *)
EBP � EBP - 4;
Push[EBP];
FI;
OD;
Push(frame-ptr)
FI;
IF OperandSize = 16 THEN BP � frame-ptr ELSE EBP � frame-ptr; FI;
IF StackAddrSize = 16
THEN SP � SP - First operand;
ELSE ESP � ESP - ZeroExtend(First operand);
FI;
Description
ENTER creates the stack frame required by most block-structured
high-level languages. The first operand specifies the number of bytes of
dynamic storage allocated on the stack for the routine being entered.
The second operand gives the lexical nesting level (0 to 31) of the routine
within the high-level language source code. It determines the number of
stack frame pointers copied into the new stack frame from the preceding
frame. BP (or EBP, if the operand-size attribute is 32 bits) is the current
stack frame pointer.
If the operand-size attribute is 16 bits, the processor uses BP as the
frame pointer and SP as the stack pointer. If the operand-size attribute is
32 bits, the processor uses EBP for the frame pointer and ESP for the stack
pointer.
If the second operand is 0, ENTER pushes the frame pointer (BP or
EBP) onto the stack; ENTER then subtracts the first operand from the
stack pointer and sets the frame pointer to the current stack-pointer
value.
For example, a procedure with 12 bytes of local variables would have an
ENTER 12,0 instruction at its entry point and a LEAVE instruction
before every RET. The 12 local bytes would be addressed as negative
offsets from the frame pointer.
Flags Affected
None
Protected Mode Exceptions
instruction execution; #PF(fault-code) for a page fault
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
HLT ÄÄ Halt
Opcode Instruction Clocks Description
F4 HLT 5 Halt
Operation
Enter Halt state;
Description
HALT stops instruction execution and places the 80386 in a HALT state.
An enabled interrupt, NMI, or a reset will resume execution. If an
interrupt (including NMI) is used to resume execution after HLT, the saved
CS:IP (or CS:EIP) value points to the instruction following HLT.
Flags Affected
None
Protected Mode Exceptions
HLT is a privileged instruction; #GP(0) if the current privilege level is
not 0
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
IDIV ÄÄ Signed Divide
Opcode Instruction Clocks Description
F6 /7 IDIV r/m8 19 Signed divide AX by r/m byte
(AL=Quo, AH=Rem)
F7 /7 IDIV AX,r/m16 27 Signed divide DX:AX by EA word
(AX=Quo, DX=Rem)
F7 /7 IDIV EAX,r/m32 43 Signed divide EDX:EAX by DWORD
byte (EAX=Quo, EDX=Rem)
Operation
temp � dividend / divisor;
IF temp does not fit in quotient
THEN Interrupt 0;
ELSE
quotient � temp;
remainder � dividend MOD (r/m);
FI;
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Notes:
Divisions are signed. The divisor is given by the r/m operand. The
dividend, quotient, and remainder use implicit registers. Refer to the
table under "Description."
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Description
IDIV performs a signed division. The dividend, quotient, and remainder
are implicitly allocated to fixed registers. Only the divisor is given as
an explicit r/m operand. The type of the divisor determines which registers
to use as follows:
Size Divisor Quotient Remainder Dividend
byte r/m8 AL AH AX
word r/m16 AX DX DX:AX
dword r/m32 EAX EDX EDX:EAX
If the resulting quotient is too large to fit in the destination, or if the
division is 0, an Interrupt 0 is generated. Nonintegral quotients are
truncated toward 0. The remainder has the same sign as the dividend
and the absolute value of the remainder is always less than the absolute
value of the divisor.
Flags Affected
OF, SF, ZF, AR, PF, CF are undefined.
Protected Mode Exceptions
Interrupt 0 if the quotient is too large to fit in the designated register
(AL or AX), or if the divisor is 0; #GP (0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 0 if the quotient is too large to fit in the designated register
(AL or AX), or if the divisor is 0; Interrupt 13 if any part of the operand
would lie outside of the effective address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
IMUL ÄÄ Signed Multiply
Opcode Instruction Clocks Description
F6 /5 IMUL r/m8 9-14/12-17 AX� AL * r/m byte
F7 /5 IMUL r/m16 9-22/12-25 DX:AX � AX * r/m word
F7 /5 IMUL r/m32 9-38/12-41 EDX:EAX � EAX * r/m dword
0F AF /r IMUL r16,r/m16 9-22/12-25 word register � word
register * r/m word
0F AF /r IMUL r32,r/m32 9-38/12-41 dword register � dword
register * r/m dword
6B /r ib IMUL r16,r/m16,imm8 9-14/12-17 word register � r/m16 *
sign-extended immediate byte
6B /r ib IMUL r32,r/m32,imm8 9-14/12-17 dword register � r/m32 *
sign-extended immediate byte
6B /r ib IMUL r16,imm8 9-14/12-17 word register � word
register * sign-extended
immediate byte
6B /r ib IMUL r32,imm8 9-14/12-17 dword register � dword
register * sign-extended
immediate byte
69 /r iw IMUL r16,r/m16,imm16 9-22/12-25 word register � r/m16 *
immediate word
69 /r id IMUL r32,r/m32,imm32 9-38/12-41 dword register � r/m32 *
immediate dword
69 /r iw IMUL r16,imm16 9-22/12-25 word register � r/m16 *
immediate word
69 /r id IMUL r32,imm32 9-38/12-41 dword register � r/m32 *
immediate dword
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTES:
The 80386 uses an early-out multiply algorithm. The actual number of
clocks depends on the position of the most significant bit in the
optimizing multiplier, shown underlined above. The optimization occurs for
positive and negative values. Because of the early-out algorithm, clock
counts given are minimum to maximum. To calculate the actual clocks, use
the following formula:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Actual clock = if m <> 0 then max(ceiling(log{2} ³m³), 3) + 6 clocks
Actual clock = if m = 0 then 9 clocks
(where m is the multiplier)
Add three clocks if the multiplier is a memory operand.
Operation
result � multiplicand * multiplier;
Description
IMUL performs signed multiplication. Some forms of the instruction
use implicit register operands. The operand combinations for all forms
of the instruction are shown in the "Description" column above.
IMUL clears the overflow and carry flags under the following conditions:
Instruction Form Condition for Clearing CF and OF
r/m8 AL = sign-extend of AL to 16 bits
r/m16 AX = sign-extend of AX to 32 bits
r/m32 EDX:EAX = sign-extend of EAX to 32 bits
r16,r/m16 Result exactly fits within r16
r/32,r/m32 Result exactly fits within r32
r16,r/m16,imm16 Result exactly fits within r16
r32,r/m32,imm32 Result exactly fits within r32
Flags Affected
OF and CF as described above; SF, ZF, AF, and PF are undefined
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exeptions as in Real Address Mode; #PF(fault-code) for a page
fault
Notes
When using the accumulator forms (IMUL r/m8, IMUL r/m16, or IMUL
r/m32), the result of the multiplication is available even if the overflow
flag is set because the result is two times the size of the multiplicand
and multiplier. This is large enough to handle any possible result.
IN ÄÄ Input from Port
Opcode Instruction Clocks Description
E4 ib IN AL,imm8 12,pm=6*/26** Input byte from immediate port
into AL
E5 ib IN AX,imm8 12,pm=6*/26** Input word from immediate port
into AX
E5 ib IN EAX,imm8 12,pm=6*/26** Input dword from immediate port
into EAX
EC IN AL,DX 13,pm=7*/27** Input byte from port DX into AL
ED IN AX,DX 13,pm=7*/27** Input word from port DX into AX
ED IN EAX,DX 13,pm=7*/27** Input dword from port DX into
EAX
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTES:
*If CPL ó IOPL
**If CPL > IOPL or if in virtual 8086 mode
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
IF NOT I-O-Permission (SRC, width(SRC))
THEN #GP(0);
FI;
FI;
DEST � [SRC]; (* Reads from I/O address space *)
Description
IN transfers a data byte or data word from the port numbered by the
second operand into the register (AL, AX, or EAX) specified by the first
operand. Access any port from 0 to 65535 by placing the port number
in the DX register and using an IN instruction with DX as the second
parameter. These I/O instructions can be shortened by using an 8-bit
port I/O in the instruction. The upper eight bits of the port address will
be 0 when 8-bit port I/O is used.
Flags Affected
None
Protected Mode Exceptions
IOPL and any of the corresponding I/O permission bits in TSS equals 1
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
equals 1
INC ÄÄ Increment by 1
Opcode Instruction Clocks Description
FE /0 INC r/m8 Increment r/m byte by 1
FF /0 INC r/m16 Increment r/m word by 1
FF /6 INC r/m32 Increment r/m dword by 1
40 + rw INC r16 Increment word register by 1
40 + rd INC r32 Increment dword register by 1
Operation
DEST � DEST + 1;
Description
INC adds 1 to the operand. It does not change the carry flag. To affect
the carry flag, use the ADD instruction with a second operand of 1.
Flags Affected
OF, SF, ZF, AF, and PF as described in Appendix C
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
INS/INSB/INSW/INSD ÄÄ Input from Port to String
Opcode Instruction Clocks Description
6C INS r/m8,DX 15,pm=9*/29** Input byte from port DX into ES:(E)DI
6D INS r/m16,DX 15,pm=9*/29** Input word from port DX into ES:(E)DI
6D INS r/m32,DX 15,pm=9*/29** Input dword from port DX into ES:(E)DI
6C INSB 15,pm=9*/29** Input byte from port DX into ES:(E)DI
6D INSW 15,pm=9*/29** Input word from port DX into ES:(E)DI
6D INSD 15,pm=9*/29** Input dword from port DX into ES:(E)DI
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTES:
*If CPL ó IOPL
**If CPL > IOPL or if in virtual 8086 mode
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF AddressSize = 16
THEN use DI for dest-index;
ELSE (* AddressSize = 32 *)
use EDI for dest-index;
FI;
IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
IF NOT I-O-Permission (SRC, width(SRC))
THEN #GP(0);
FI;
FI;
IF byte type of instruction
THEN
ES:[dest-index] � [DX]; (* Reads byte at DX from I/O address space *)
IF DF = 0 THEN IncDec � 1 ELSE IncDec � -1; FI;
FI;
IF OperandSize = 16
THEN
ES:[dest-index] � [DX]; (* Reads word at DX from I/O address space *)
IF DF = 0 THEN IncDec � 2 ELSE IncDec � -2; FI;
FI;
IF OperandSize = 32
THEN
ES:[dest-index] � [DX]; (* Reads dword at DX from I/O address space *)
IF DF = 0 THEN IncDec � 4 ELSE IncDec � -4; FI;
FI;
dest-index � dest-index + IncDec;
Description
INS transfers data from the input port numbered by the DX register to
the memory byte or word at ES:dest-index. The memory operand must
be addressable from ES; no segment override is possible. The destination
register is DI if the address-size attribute of the instruction is 16 bits,
or EDI if the address-size attribute is 32 bits.
INS does not allow the specification of the port number as an immediate
value. The port must be addressed through the DX register value. Load
the correct value into DX before executing the INS instruction.
The destination address is determined by the contents of the destination
index register. Load the correct index into the destination index register
before executing INS.
After the transfer is made, DI or EDI advances automatically. If the
direction flag is 0 (CLD was executed), DI or EDI increments; if the
direction flag is 1 (STD was executed), DI or EDI decrements. DI
increments or decrements by 1 if a byte is input, by 2 if a word is input,
or by 4 if a doubleword is input.
INSB, INSW and INSD are synonyms of the byte, word, and doubleword
INS instructions. INS can be preceded by the REP prefix for block input of
CX bytes or words. Refer to the REP instruction for details of this
operation.
Flags Affected
None
Protected Mode Exceptions
corresponding I/O permission bits in TSS equals 1; #GP(0) if the
destination is in a nonwritable segment; #GP(0) for an illegal memory
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for
an illegal address in the SS segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
equals 1; #PF(fault-code) for a page fault
INT/INTO ÄÄ Call to Interrupt Procedure
Opcode Instruction Clocks Description
CC INT 3 33 Interrupt 3--trap to debugger
CC INT 3 pm=59 Interrupt 3--Protected Mode, same
privilege
CC INT 3 pm=99 Interrupt 3--Protected Mode, more
privilege
CC INT 3 pm=119 Interrupt 3--from V86 mode to PL 0
CC INT 3 ts Interrupt 3--Protected Mode, via
task gate
CD ib INT imm8 37 Interrupt numbered by immediate
byte
CD ib INT imm8 pm=59 Interrupt--Protected Mode, same
privilege
CD ib INT imm8 pm=99 Interrupt--Protected Mode, more
privilege
CD ib INT imm8 pm=119 Interrupt--from V86 mode to PL 0
CD ib INT imm8 ts Interrupt--Protected Mode, via task
gate
CE INTO Fail:3,pm=3;
Pass:35 Interrupt 4--if overflow flag is 1
CE INTO pm=59 Interrupt 4--Protected Mode, same
privilege
CE INTO pm=99 Interrupt 4--Protected Mode, more
privilege
CE INTO pm=119 Interrupt 4--from V86 mode to PL 0
CE INTO ts Interrupt 4--Protected Mode, via
task gate
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTE:
Approximate values of ts are given by the following table:
New Task
Old Task 386 TSS 386 TSS 286 TSS
VM = 0 VM = 1
386
TSS VM=0 309 226 282
386
TSS VM=1 314 231 287
286
TSS 307 224 280
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTE:
The following operational description applies not only to the
above instructions but also to external interrupts and exceptions.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
IF PE = 0
THEN GOTO REAL-ADDRESS-MODE;
ELSE GOTO PROTECTED-MODE;
FI;
REAL-ADDRESS-MODE:
Push (FLAGS);
IF � 0; (* Clear interrupt flag *)
TF � 0; (* Clear trap flag *)
Push(CS);
Push(IP);
(* No error codes are pushed *)
CS � IDT[Interrupt number * 4].selector;
IP � IDT[Interrupt number * 4].offset;
PROTECTED-MODE:
Interrupt vector must be within IDT table limits,
else #GP(vector number * 8+2+EXT);
Descriptor AR byte must indicate interrupt gate, trap gate, or task gate,
else #GP(vector number * 8+2+EXT);
IF software interrupt (* i.e. caused by INT n, INT 3, or INTO *)
THEN
IF gate descriptor DPL < CPL
THEN #GP(vector number * 8+2+EXT);
FI;
FI;
Gate must be present, else #NP(vector number * 8+2+EXT);
IF trap gate OR interrupt gate
THEN GOTO TRAP-GATE-OR-INTERRUPT-GATE;
ELSE GOTO TASK-GATE;
FI;
TRAP-GATE-OR-INTERRUPT-GATE:
Examine CS selector and descriptor given in the gate descriptor;
Selector must be non-null, else #GP (EXT);
Selector must be within its descriptor table limits
ELSE #GP(selector+EXT);
Descriptor AR byte must indicate code segment
ELSE #GP(selector + EXT);
Segment must be present, else #NP(selector+EXT);
IF code segment is non-conforming AND DPL < CPL
THEN GOTO INTERRUPT-TO-INNER-PRIVILEGE;
ELSE
IF code segment is conforming OR code segment DPL = CPL
THEN GOTO INTERRUPT-TO-SAME-PRIVILEGE-LEVEL;
ELSE #GP(CS selector + EXT);
FI;
FI;
INTERRUPT-TO-INNER-PRIVILEGE:
Check selector and descriptor for new stack in current TSS;
Selector must be non-null, else #GP(EXT);
Selector index must be within its descriptor table limits
ELSE #TS(SS selector+EXT);
Selector's RPL must equal DPL of code segment, else #TS(SS
selector+EXT);
Stack segment DPL must equal DPL of code segment, else #TS(SS
selector+EXT);
Descriptor must indicate writable data segment, else #TS(SS
selector+EXT);
Segment must be present, else #SS(SS selector+EXT);
IF 32-bit gate
THEN New stack must have room for 20 bytes else #SS(0)
ELSE New stack must have room for 10 bytes else #SS(0)
FI;
Instruction pointer must be within CS segment boundaries else #GP(0);
Load new SS and eSP value from TSS;
IF 32-bit gate
THEN CS:EIP � selector:offset from gate;
ELSE CS:IP � selector:offset from gate;
FI;
Load CS descriptor into invisible portion of CS register;
Load SS descriptor into invisible portion of SS register;
IF 32-bit gate
THEN
Push (long pointer to old stack) (* 3 words padded to 4 *);
Push (EFLAGS);
Push (long pointer to return location) (* 3 words padded to 4*);
ELSE
Push (long pointer to old stack) (* 2 words *);
Push (FLAGS);
Push (long pointer to return location) (* 2 words *);
FI;
Set CPL to new code segment DPL;
Set RPL of CS to CPL;
IF interrupt gate THEN IF � 0 (* interrupt flag to 0 (disabled) *); FI;
TF � 0;
NT � 0;
INTERRUPT-FROM-V86-MODE:
TempEFlags � EFLAGS;
VM � 0;
TF � 0;
IF service through Interrupt Gate THEN IF � 0;
TempSS � SS;
TempESP � ESP;
SS � TSS.SS0; (* Change to level 0 stack segment *)
ESP � TSS.ESP0; (* Change to level 0 stack pointer *)
Push(GS); (* padded to two words *)
Push(FS); (* padded to two words *)
Push(DS); (* padded to two words *)
Push(ES); (* padded to two words *)
GS � 0;
FS � 0;
DS � 0;
ES � 0;
Push(TempSS); (* padded to two words *)
Push(TempESP);
Push(TempEFlags);
Push(CS); (* padded to two words *)
Push(EIP);
CS:EIP � selector:offset from interrupt gate;
(* Starts execution of new routine in 80386 Protected Mode *)
INTERRUPT-TO-SAME-PRIVILEGE-LEVEL:
IF 32-bit gate
THEN Current stack limits must allow pushing 10 bytes, else #SS(0);
ELSE Current stack limits must allow pushing 6 bytes, else #SS(0);
FI;
IF interrupt was caused by exception with error code
THEN Stack limits must allow push of two more bytes;
ELSE #SS(0);
FI;
Instruction pointer must be in CS limit, else #GP(0);
IF 32-bit gate
THEN
Push (EFLAGS);
Push (long pointer to return location); (* 3 words padded to 4 *)
CS:EIP � selector:offset from gate;
ELSE (* 16-bit gate *)
Push (FLAGS);
Push (long pointer to return location); (* 2 words *)
CS:IP � selector:offset from gate;
FI;
Load CS descriptor into invisible portion of CS register;
Set the RPL field of CS to CPL;
Push (error code); (* if any *)
IF interrupt gate THEN IF � 0; FI;
TF � 0;
NT � 0;
TASK-GATE:
Examine selector to TSS, given in task gate descriptor;
Must specify global in the local/global bit, else #TS(TSS selector);
Index must be within GDT limits, else #TS(TSS selector);
AR byte must specify available TSS (bottom bits 00001),
else #TS(TSS selector;
TSS must be present, else #NP(TSS selector);
SWITCH-TASKS with nesting to TSS;
IF interrupt was caused by fault with error code
THEN
Stack limits must allow push of two more bytes, else #SS(0);
Push error code onto stack;
FI;
Instruction pointer must be in CS limit, else #GP(0);
Description
The INT instruction generates via software a call to an interrupt
handler. The immediate operand, from 0 to 255, gives the index number
into the Interrupt Descriptor Table (IDT) of the interrupt routine to be
called. In Protected Mode, the IDT consists of an array of eight-byte
descriptors; the descriptor for the interrupt invoked must indicate an
interrupt, trap, or task gate. In Real Address Mode, the IDT is an array
of four byte-long pointers. In Protected and Real Address Modes, the
base linear address of the IDT is defined by the contents of the IDTR.
The INTO conditional software instruction is identical to the INT
interrupt instruction except that the interrupt number is implicitly 4,
and the interrupt is made only if the 80386 overflow flag is set.
The first 32 interrupts are reserved by Intel for system use. Some of
these interrupts are use for internally generated exceptions.
INT n generally behaves like a far call except that the flags register is
pushed onto the stack before the return address. Interrupt procedures
return via the IRET instruction, which pops the flags and return address
from the stack.
In Real Address Mode, INT n pushes the flags, CS, and the return IP
onto the stack, in that order, then jumps to the long pointer indexed by
the interrupt number.
Flags Affected
None
Protected Mode Exceptions
Real Address Mode Exceptions
None; if the SP or ESP = 1, 3, or 5 before executing INT or INTO,
the 80386 will shut down due to insufficient stack space
Virtual 8086 Mode Exceptions
Interrupt 3 (0CCH) generates Interrupt 3; INTO generates Interrupt 4
if the overflow flag equals 1
IRET/IRETD ÄÄ Interrupt Return
Opcode Instruction Clocks Description
CF IRET 22,pm=38 Interrupt return (far return and pop
flags)
CF IRET pm=82 Interrupt return to lesser privilege
CF IRET ts Interrupt return, different task (NT = 1)
CF IRETD 22,pm=38 Interrupt return (far return and pop
flags)
CF IRETD pm=82 Interrupt return to lesser privilege
CF IRETD pm=60 Interrupt return to V86 mode
CF IRETD ts Interrupt return, different task (NT = 1)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTE:
Values of ts are given by the following table:
New Task
Old Task 386 TSS 386 TSS 286 TSS
VM = 0 VM = 1
386
TSS VM=0 275 224 271
286
TSS 265 214 232
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF PE = 0
THEN (* Real-address mode *)
IF OperandSize = 32 (* Instruction = IRETD *)
THEN EIP � Pop();
ELSE (* Instruction = IRET *)
IP � Pop();
FI;
CS � Pop();
IF OperandSize = 32 (* Instruction = IRETD *)
THEN EFLAGS � Pop();
ELSE (* Instruction = IRET *)
FLAGS � Pop();
FI;
ELSE (* Protected mode *)
IF VM = 1
THEN #GP(0);
ELSE
IF NT = 1
THEN GOTO TASK-RETURN;
ELSE
IF VM = 1 in flags image on stack
THEN GO TO STACK-RETURN-TO-V86;
ELSE GOTO STACK-RETURN;
FI;
FI;
FI;
FI;STACK-RETURN-TO-V86: (* Interrupted procedure was in V86 mode *)
IF return CS selector RPL < > 3
THEN #GP(Return selector);
FI;
IF top 36 bytes of stack not within limits
THEN #SS(0);
FI;
Examine return CS selector and associated descriptor:
IF selector is null, THEN #GP(0); FI;
IF selector index not within its descriptor table limits;
THEN #GP(Return selector);
FI;
IF AR byte does not indicate code segment
THEN #GP(Return selector);
FI;
IF code segment DPL not = 3;
THEN #GP(Return selector);
FI;
IF code segment not present
THEN #NP(Return selector);
FI;
Examine return SS selector and associated descriptor:
IF selector is null THEN #GP(0); FI;
IF selector index not within its descriptor table limits
THEN #GP(SS selector);
FI;
IF selector RPL not = RPL of return CS selector
THEN #GP(SS selector);
FI;
IF AR byte does not indicate a writable data segment
THEN #GP(SS selector);
FI;
IF stack segment DPL not = RPL of return CS selector
THEN #GP(SS selector);
FI;
IF SS not present
THEN #NP(SS selector);
FI;
IF instruction pointer not within code segment limit THEN #GP(0);
FI;
EFLAGS � SS:[eSP + 8]; (* Sets VM in interrupted routine *)
EIP � Pop();
CS � Pop(); (* CS behaves as in 8086, due to VM = 1 *)
throwaway � Pop(); (* pop away EFLAGS already read *)
ES � Pop(); (* pop 2 words; throw away high-order word *)
DS � Pop(); (* pop 2 words; throw away high-order word *)
FS � Pop(); (* pop 2 words; throw away high-order word *)
GS � Pop(); (* pop 2 words; throw away high-order word *)
IF CS.RPL > CPL
THEN
TempESP � Pop();
TempSS � Pop();
SS:ESP � TempSS:TempESP;
FI;
(* Resume execution in Virtual 8086 mode *)
TASK-RETURN:
Examine Back Link Selector in TSS addressed by the current task
register:
Must specify global in the local/global bit, else #TS(new TSS
selector);
Index must be within GDT limits, else #TS(new TSS selector);
AR byte must specify TSS, else #TS(new TSS selector);
New TSS must be busy, else #TS(new TSS selector);
TSS must be present, else #NP(new TSS selector);
SWITCH-TASKS without nesting to TSS specified by back link selector;
Mark the task just abandoned as NOT BUSY;
Instruction pointer must be within code segment limit ELSE #GP(0);
STACK-RETURN:
IF OperandSize=32
THEN Third word on stack must be within stack limits, else #SS(0);
ELSE Second word on stack must be within stack limits, else #SS(0);
FI;
Return CS selector RPL must be ò CPL, else #GP(Return selector);
IF return selector RPL = CPL
THEN GOTO RETURN-SAME-LEVEL;
ELSE GOTO RETURN-OUTER-LEVEL;
FI;
RETURN-SAME-LEVEL:
IF OperandSize=32
THEN
Top 12 bytes on stack must be within limits, else #SS(0);
Return CS selector (at eSP+4) must be non-null, else #GP(0);
ELSE
Top 6 bytes on stack must be within limits, else #SS(0);
Return CS selector (at eSP+2) must be non-null, else #GP(0);
FI;
Selector index must be within its descriptor table limits, else #GP
(Return selector);
AR byte must indicate code segment, else #GP(Return selector);
IF non-conforming
THEN code segment DPL must = CPL;
ELSE #GP(Return selector);
FI;
IF conforming
THEN code segment DPL must be ó CPL, else #GP(Return selector);
Segment must be present, else #NP(Return selector);
Instruction pointer must be within code segment boundaries, else #GP(0);
FI;
IF OperandSize=32
THEN
Load CS:EIP from stack;
Load CS-register with new code segment descriptor;
Load EFLAGS with third doubleword from stack;
Increment eSP by 12;
ELSE
Load CS-register with new code segment descriptor;
Load FLAGS with third word on stack;
Increment eSP by 6;
FI;
RETURN-OUTER-LEVEL:
IF OperandSize=32
THEN Top 20 bytes on stack must be within limits, else #SS(0);
ELSE Top 10 bytes on stack must be within limits, else #SS(0);
FI;
Examine return CS selector and associated descriptor:
Selector must be non-null, else #GP(0);
Selector index must be within its descriptor table limits;
ELSE #GP(Return selector);
AR byte must indicate code segment, else #GP(Return selector);
IF non-conforming
THEN code segment DPL must = CS selector RPL;
ELSE #GP(Return selector);
FI;
IF conforming
THEN code segment DPL must be > CPL;
ELSE #GP(Return selector);
FI;
Segment must be present, else #NP(Return selector);
Examine return SS selector and associated descriptor:
Selector must be non-null, else #GP(0);
Selector index must be within its descriptor table limits
ELSE #GP(SS selector);
Selector RPL must equal the RPL of the return CS selector
ELSE #GP(SS selector);
AR byte must indicate a writable data segment, else #GP(SS selector);
Stack segment DPL must equal the RPL of the return CS selector
ELSE #GP(SS selector);
SS must be present, else #NP(SS selector);
Instruction pointer must be within code segment limit ELSE #GP(0);
IF OperandSize=32
THEN
Load CS:EIP from stack;
Load EFLAGS with values at (eSP+8);
ELSE
Load CS:IP from stack;
Load FLAGS with values at (eSP+4);
FI;
Load SS:eSP from stack;
Set CPL to the RPL of the return CS selector;
Load the CS register with the CS descriptor;
Load the SS register with the SS descriptor;
FOR each of ES, FS, GS, and DS
DO;
IF the current value of the register is not valid for the outer level;
THEN zero the register and clear the valid flag;
FI;
To be valid, the register setting must satisfy the following
properties:
Selector index must be within descriptor table limits;
AR byte must indicate data or readable code segment;
IF segment is data or non-conforming code,
THEN DPL must be ò CPL, or DPL must be ò RPL;
OD;
Description
In Real Address Mode, IRET pops the instruction pointer, CS, and the
flags register from the stack and resumes the interrupted routine.
In Protected Mode, the action of IRET depends on the setting of the
nested task flag (NT) bit in the flag register. When popping the new
flag image from the stack, the IOPL bits in the flag register are changed
only when CPL equals 0.
If NT equals 0, IRET returns from an interrupt procedure without a
task switch. The code returned to must be equally or less privileged than
the interrupt routine (as indicated by the RPL bits of the CS selector
popped from the stack). If the destination code is less privileged, IRET
also pops the stack pointer and SS from the stack.
If NT equals 1, IRET reverses the operation of a CALL or INT that
caused a task switch. The updated state of the task executing IRET is
saved in its task state segment. If the task is reentered later, the code
that follows IRET is executed.
Flags Affected
All; the flags register is popped from stack
Protected Mode Exceptions
Real Address Mode Exceptions
Interrupt 13 if any part of the operand being popped lies beyond address
0FFFFH
Virtual 8086 Mode Exceptions
Jcc ÄÄ Jump if Condition is Met
Opcode Instruction Clocks Description
77 cb JA rel8 7+m,3 Jump short if above (CF=0 and
ZF=0)
73 cb JAE rel8 7+m,3 Jump short if above or equal
(CF=0)
72 cb JB rel8 7+m,3 Jump short if below (CF=1)
76 cb JBE rel8 7+m,3 Jump short if below or equal
(CF=1 or ZF=1)
72 cb JC rel8 7+m,3 Jump short if carry (CF=1)
E3 cb JCXZ rel8 9+m,5 Jump short if CX register is 0
E3 cb JECXZ rel8 9+m,5 Jump short if ECX register is 0
74 cb JE rel8 7+m,3 Jump short if equal (ZF=1)
74 cb JZ rel8 7+m,3 Jump short if 0 (ZF=1)
7F cb JG rel8 7+m,3 Jump short if greater (ZF=0 and
SF=OF)
7D cb JGE rel8 7+m,3 Jump short if greater or equal
(SF=OF)
7C cb JL rel8 7+m,3 Jump short if less (SF<>OF)
7E cb JLE rel8 7+m,3 Jump short if less or equal
(ZF=1 and SF<>OF)
76 cb JNA rel8 7+m,3 Jump short if not above (CF=1 or
ZF=1)
72 cb JNAE rel8 7+m,3 Jump short if not above or equal
(CF=1)
73 cb JNB rel8 7+m,3 Jump short if not below (CF=0)
77 cb JNBE rel8 7+m,3 Jump short if not below or equal
(CF=0 and ZF=0)
73 cb JNC rel8 7+m,3 Jump short if not carry (CF=0)
75 cb JNE rel8 7+m,3 Jump short if not equal (ZF=0)
7E cb JNG rel8 7+m,3 Jump short if not greater (ZF=1
or SF<>OF)
7C cb JNGE rel8 7+m,3 Jump short if not greater or
equal (SF<>OF)
7D cb JNL rel8 7+m,3 Jump short if not less (SF=OF)
7F cb JNLE rel8 7+m,3 Jump short if not less or equal
(ZF=0 and SF=OF)
71 cb JNO rel8 7+m,3 Jump short if not overflow
(OF=0)
7B cb JNP rel8 7+m,3 Jump short if not parity (PF=0)
79 cb JNS rel8 7+m,3 Jump short if not sign (SF=0)
75 cb JNZ rel8 7+m,3 Jump short if not zero (ZF=0)
70 cb JO rel8 7+m,3 Jump short if overflow (OF=1)
7A cb JP rel8 7+m,3 Jump short if parity (PF=1)
7A cb JPE rel8 7+m,3 Jump short if parity even (PF=1)
7B cb JPO rel8 7+m,3 Jump short if parity odd (PF=0)
78 cb JS rel8 7+m,3 Jump short if sign (SF=1)
74 cb JZ rel8 7+m,3 Jump short if zero (ZF = 1)
0F 87 cw/cd JA rel16/32 7+m,3 Jump near if above (CF=0 and
ZF=0)
0F 83 cw/cd JAE rel16/32 7+m,3 Jump near if above or equal
(CF=0)
0F 82 cw/cd JB rel16/32 7+m,3 Jump near if below (CF=1)
0F 86 cw/cd JBE rel16/32 7+m,3 Jump near if below or equal
(CF=1 or ZF=1)
0F 82 cw/cd JC rel16/32 7+m,3 Jump near if carry (CF=1)
0F 84 cw/cd JE rel16/32 7+m,3 Jump near if equal (ZF=1)
0F 84 cw/cd JZ rel16/32 7+m,3 Jump near if 0 (ZF=1)
0F 8F cw/cd JG rel16/32 7+m,3 Jump near if greater (ZF=0 and
SF=OF)
0F 8D cw/cd JGE rel16/32 7+m,3 Jump near if greater or equal
(SF=OF)
0F 8C cw/cd JL rel16/32 7+m,3 Jump near if less (SF<>OF)
0F 8E cw/cd JLE rel16/32 7+m,3 Jump near if less or equal (ZF=1
and SF<>OF)
0F 86 cw/cd JNA rel16/32 7+m,3 Jump near if not above (CF=1 or
ZF=1)
0F 82 cw/cd JNAE rel16/32 7+m,3 Jump near if not above or equal
(CF=1)
0F 83 cw/cd JNB rel16/32 7+m,3 Jump near if not below (CF=0)
0F 87 cw/cd JNBE rel16/32 7+m,3 Jump near if not below or equal
(CF=0 and ZF=0)
0F 83 cw/cd JNC rel16/32 7+m,3 Jump near if not carry (CF=0)
0F 85 cw/cd JNE rel16/32 7+m,3 Jump near if not equal (ZF=0)
0F 8E cw/cd JNG rel16/32 7+m,3 Jump near if not greater (ZF=1
or SF<>OF)
0F 8C cw/cd JNGE rel16/32 7+m,3 Jump near if not greater or
equal (SF<>OF)
0F 8D cw/cd JNL rel16/32 7+m,3 Jump near if not less (SF=OF)
0F 8F cw/cd JNLE rel16/32 7+m,3 Jump near if not less or equal
(ZF=0 and SF=OF)
0F 81 cw/cd JNO rel16/32 7+m,3 Jump near if not overflow (OF=0)
0F 8B cw/cd JNP rel16/32 7+m,3 Jump near if not parity (PF=0)
0F 89 cw/cd JNS rel16/32 7+m,3 Jump near if not sign (SF=0)
0F 85 cw/cd JNZ rel16/32 7+m,3 Jump near if not zero (ZF=0)
0F 80 cw/cd JO rel16/32 7+m,3 Jump near if overflow (OF=1)
0F 8A cw/cd JP rel16/32 7+m,3 Jump near if parity (PF=1)
0F 8A cw/cd JPE rel16/32 7+m,3 Jump near if parity even (PF=1)
0F 8B cw/cd JPO rel16/32 7+m,3 Jump near if parity odd (PF=0)
0F 88 cw/cd JS rel16/32 7+m,3 Jump near if sign (SF=1)
0F 84 cw/cd JZ rel16/32 7+m,3 Jump near if 0 (ZF=1)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTES:
The first clock count is for the true condition (branch taken); the
second clock count is for the false condition (branch not taken). rel16/32
indicates that these instructions map to two; one with a 16-bit relative
displacement, the other with a 32-bit relative displacement, depending on
the operand-size attribute of the instruction.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF condition
THEN
EIP � EIP + SignExtend(rel8/16/32);
IF OperandSize = 16
THEN EIP � EIP AND 0000FFFFH;
FI;
FI;
Description
Conditional jumps (except JCXZ) test the flags which have been set by
a previous instruction. The conditions for each mnemonic are given in
parentheses after each description above. The terms "less" and "greater"
are used for comparisons of signed integers; "above" and "below" are
used for unsigned integers.
If the given condition is true, a jump is made to the location provided as
the operand. Instruction coding is most efficient when the target for the
conditional jump is in the current code segment and within -128 to
+127 bytes of the next instruction's first byte. The jump can also target
-32768 thru +32767 (segment size attribute 16) or -2^(31) thru +2^(31) -1
(segment size attribute 32) relative to the next instruction's first byte.
When the target for the conditional jump is in a different segment, use
the opposite case of the jump instruction (i.e., JE and JNE), and then
access the target with an unconditional far jump to the other segment.
For example, you cannot codeÄÄ
JZ FARLABEL;
You must instead codeÄÄ
JNZ BEYOND;
JMP FARLABEL;
BEYOND:
Because there can be several ways to interpret a particular state of the
flags, ASM386 provides more than one mnemonic for most of the
conditional jump opcodes. For example, if you compared two characters in
AX and want to jump if they are equal, use JE; or, if you ANDed AX
with a bit field mask and only want to jump if the result is 0, use JZ, a
synonym for JE.
JCXZ differs from other conditional jumps because it tests the contents of
the CX or ECX register for 0, not the flags. JCXZ is useful at the beginning
of a conditional loop that terminates with a conditional loop instruction
(such as LOOPNE TARGET LABEL. The JCXZ prevents entering the loop with CX or
ECX equal to zero, which would cause the loop to execute 64K or 32G times
instead of zero times.
Flags Affected
None
Protected Mode Exceptions
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
JMP ÄÄ Jump
Opcode Instruction Clocks Description
EB cb JMP rel8 7+m Jump short
E9 cw JMP rel16 7+m Jump near, displacement relative
to next instruction
FF /4 JMP r/m16 7+m/10+m Jump near indirect
EA cd JMP ptr16:16 12+m,pm=27+m Jump intersegment, 4-byte
immediate address
EA cd JMP ptr16:16 pm=45+m Jump to call gate, same
privilege
EA cd JMP ptr16:16 ts Jump via task state segment
EA cd JMP ptr16:16 ts Jump via task gate
FF /5 JMP m16:16 43+m,pm=31+m Jump r/m16:16 indirect and
intersegment
FF /5 JMP m16:16 pm=49+m Jump to call gate, same
privilege
FF /5 JMP m16:16 5 + ts Jump via task state segment
FF /5 JMP m16:16 5 + ts Jump via task gate
E9 cd JMP rel32 7+m Jump near, displacement relative
to next instruction
FF /4 JMP r/m32 7+m,10+m Jump near, indirect
EA cp JMP ptr16:32 12+m,pm=27+m Jump intersegment, 6-byte
immediate address
EA cp JMP ptr16:32 pm=45+m Jump to call gate, same
privilege
EA cp JMP ptr16:32 ts Jump via task state segment
EA cp JMP ptr16:32 ts Jump via task gate
FF /5 JMP m16:32 43+m,pm=31+m Jump intersegment, address at
r/m dword
FF /5 JMP m16:32 pm=49+m Jump to call gate, same
privilege
FF /5 JMP m16:32 5 + ts Jump via task state segment
FF /5 JMP m16:32 5 + ts Jump via task gate
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTE:
Values of ts are given by the following table:
New Task
386 TSS 386 TASK 286 TSS
VM = 0 VM = 1
Old Task Via Task Gate?
N Y N Y N Y
386
TSS VM=0 303 312 220 229 276 285
286
TSS 301 310 218 227 274 283
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF instruction = relative JMP
(* i.e. operand is rel8, rel16, or rel32 *)
THEN
EIP � EIP + rel8/16/32;
IF OperandSize = 16
THEN EIP � EIP AND 0000FFFFH;
FI;
FI;
IF instruction = near indirect JMP
(* i.e. operand is r/m16 or r/m32 *)
THEN
IF OperandSize = 16
THEN
EIP � [r/m16] AND 0000FFFFH;
ELSE (* OperandSize = 32 *)
EIP � [r/m32];
FI;
FI;
IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or V86 mode *)
AND instruction = far JMP
(* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *)
THEN GOTO REAL-OR-V86-MODE;
IF operand type = m16:16 or m16:32
THEN (* indirect *)
IF OperandSize = 16
THEN
CS:IP � [m16:16];
EIP � EIP AND 0000FFFFH; (* clear upper 16 bits *)
ELSE (* OperandSize = 32 *)
CS:EIP � [m16:32];
FI;
FI;
IF operand type = ptr16:16 or ptr16:32
THEN
IF OperandSize = 16
THEN
CS:IP � ptr16:16;
EIP � EIP AND 0000FFFFH; (* clear upper 16 bits *)
ELSE (* OperandSize = 32 *)
CS:EIP � ptr16:32;
FI;
FI;
FI;
IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
AND instruction = far JMP
THEN
IF operand type = m16:16 or m16:32
THEN (* indirect *)
check access of EA dword;
#GP(0) or #SS(0) IF limit violation;
FI;
Destination selector is not null ELSE #GP(0)
Destination selector index is within its descriptor table limits ELSE
Depending on AR byte of destination descriptor:
GOTO CONFORMING-CODE-SEGMENT;
GOTO NONCONFORMING-CODE-SEGMENT;
GOTO CALL-GATE;
GOTO TASK-GATE;
GOTO TASK-STATE-SEGMENT;
ELSE #GP(selector); (* illegal AR byte in descriptor *)
FI;
CONFORMING-CODE-SEGMENT:
Descriptor DPL must be ó CPL ELSE #GP(selector);
Segment must be present ELSE #NP(selector);
Instruction pointer must be within code-segment limit ELSE #GP(0);
IF OperandSize = 32
THEN Load CS:EIP from destination pointer;
ELSE Load CS:IP from destination pointer;
FI;
Load CS register with new segment descriptor;
NONCONFORMING-CODE-SEGMENT:
RPL of destination selector must be ó CPL ELSE #GP(selector);
Descriptor DPL must be = CPL ELSE #GP(selector);
Segment must be present ELSE # NP(selector);
Instruction pointer must be within code-segment limit ELSE #GP(0);
IF OperandSize = 32
THEN Load CS:EIP from destination pointer;
ELSE Load CS:IP from destination pointer;
FI;
Load CS register with new segment descriptor;
Set RPL field of CS register to CPL;
CALL-GATE:
Descriptor DPL must be ò CPL ELSE #GP(gate selector);
Descriptor DPL must be ò gate selector RPL ELSE #GP(gate selector);
Gate must be present ELSE #NP(gate selector);
Examine selector to code segment given in call gate descriptor:
Selector must not be null ELSE #GP(0);
Selector must be within its descriptor table limits ELSE
#GP(CS selector);
Descriptor AR byte must indicate code segment
ELSE #GP(CS selector);
IF non-conforming
THEN code-segment descriptor, DPL must = CPL
ELSE #GP(CS selector);
FI;
IF conforming
THEN code-segment descriptor DPL must be ó CPL;
ELSE #GP(CS selector);
Code segment must be present ELSE #NP(CS selector);
Instruction pointer must be within code-segment limit ELSE #GP(0);
IF OperandSize = 32
THEN Load CS:EIP from call gate;
ELSE Load CS:IP from call gate;
FI;
Load CS register with new code-segment descriptor;
Set RPL of CS to CPL
TASK-GATE:
Gate descriptor DPL must be ò CPL ELSE #GP(gate selector);
Gate descriptor DPL must be ò gate selector RPL ELSE #GP(gate
selector);
Task Gate must be present ELSE #NP(gate selector);
Examine selector to TSS, given in Task Gate descriptor:
Must specify global in the local/global bit ELSE #GP(TSS selector);
Index must be within GDT limits ELSE #GP(TSS selector);
Descriptor AR byte must specify available TSS (bottom bits 00001);
ELSE #GP(TSS selector);
Task State Segment must be present ELSE #NP(TSS selector);
SWITCH-TASKS (without nesting) to TSS;
Instruction pointer must be within code-segment limit ELSE #GP(0);
TASK-STATE-SEGMENT:
TSS DPL must be ò CPL ELSE #GP(TSS selector);
TSS DPL must be ò TSS selector RPL ELSE #GP(TSS selector);
Descriptor AR byte must specify available TSS (bottom bits 00001)
ELSE #GP(TSS selector);
Task State Segment must be present ELSE #NP(TSS selector);
SWITCH-TASKS (without nesting) to TSS;
Instruction pointer must be within code-segment limit ELSE #GP(0);
Description
The JMP instruction transfers control to a different point in the
instruction stream without recording return information.
The action of the various forms of the instruction are shown below.
Jumps with destinations of type r/m16, r/m32, rel16, and rel32 are near
jumps and do not involve changing the segment register value.
The JMP rel16 and JMP rel32 forms of the instruction add an offset to
the address of the instruction following the JMP to determine the
destination. The rel16 form is used when the instruction's operand-size
attribute is 16 bits (segment size attribute 16 only); rel32 is used when
the operand-size attribute is 32 bits (segment size attribute 32 only). The
result is stored in the 32-bit EIP register. With rel16, the upper 16 bits
of EIP are cleared, which results in an offset whose value does not exceed
16 bits.
JMP r/m16 and JMP r/m32 specifies a register or memory location from which
the absolute offset from the procedure is fetched. The offset fetched from
r/m is 32 bits for an operand-size attribute of 32 bits (r/m32), or 16 bits
for an operand-size attribute of 16 bits (r/m16).
The JMP ptr16:16 and ptr16:32 forms of the instruction use a four-byte
or six-byte operand as a long pointer to the destination. The JMP
and forms fetch the long pointer from the memory location
specified (indirection). In Real Address Mode or Virtual 8086 Mode,
the long pointer provides 16 bits for the CS register and 16 or 32 bits
for the EIP register (depending on the operand-size attribute). In
Protected Mode, both long pointer forms consult the Access Rights (AR)
byte in the descriptor indexed by the selector part of the long pointer.
Depending on the value of the AR byte, the jump will perform one of
the following types of control transfers:
þ A jump to a code segment at the same privilege level
þ A task switch
For more information on protected mode control transfers, refer to
Chapter 6 and Chapter 7.
Flags Affected
All if a task switch takes place; none if no task switch occurs
Protected Mode Exceptions
Far jumps: #GP, #NP, #SS, and #TS, as indicated in the list above.
Near direct jumps: #GP(0) if procedure location is beyond the code
segment limits.
Near indirect jumps: #GP(0) for an illegal memory operand effective
address in the CS, DS, ES, FS, or GS segments: #SS(0) for an illegal
address in the SS segment; #GP if the indirect offset obtained is beyond
the code segment limits; #PF(fault-code) for a page fault.
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would be outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as under Real Address Mode; #PF(fault-code) for a
page fault
LAHF ÄÄ Load Flags into AH Register
Opcode Instruction Clocks Description
9F LAHF 2 Load: AH = flags SF ZF xx AF xx PF xx CF
Operation
AH � SF:ZF:xx:AF:xx:PF:xx:CF;
Description
LAHF transfers the low byte of the flags word to AH. The bits, from
MSB to LSB, are sign, zero, indeterminate, auxiliary, carry,
indeterminate, parity, indeterminate, and carry.
Flags Affected
None
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
LAR ÄÄ Load Access Rights Byte
Opcode Instruction Clocks Description
0F 02 /r LAR r16,r/m16 pm=15/16 r16 � r/m16 masked by FF00
0F 02 /r LAR r32,r/m32 pm=15/16 r32 � r/m32 masked by 00FxFF00
Description
The LAR instruction stores a marked form of the second doubleword of
the descriptor for the source selector if the selector is visible at the
CPL (modified by the selector's RPL) and is a valid descriptor type. The
destination register is loaded with the high-order doubleword of the
descriptor masked by 00FxFF00, and ZF is set to 1. The x indicates that the
four bits corresponding to the upper four bits of the limit are undefined in
the value loaded by LAR. If the selector is invisible or of the wrong type,
ZF is cleared.
If the 32-bit operand size is specified, the entire 32-bit value is loaded
into the 32-bit destination register. If the 16-bit operand size is
specified, the lower 16-bits of this value are stored in the 16-bit
destination register.
All code and data segment descriptors are valid for LAR.
The valid special segment and gate descriptor types for LAR are given
in the following table:
Type Name Valid/Invalid
0 Invalid Invalid
1 Available 80286 TSS Valid
2 LDT Valid
3 Busy 80286 TSS Valid
4 80286 call gate Valid
5 80286/80386 task gate Valid
6 80286 trap gate Valid
7 80286 interrupt gate Valid
8 Invalid Invalid
9 Available 80386 TSS Valid
A Invalid Invalid
B Busy 80386 TSS Valid
C 80386 call gate Valid
D Invalid Invalid
E 80386 trap gate Valid
F 80386 interrupt gate Valid
Flags Affected
ZF as described above
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 6; LAR is unrecognized in Real Address Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode
LEA ÄÄ Load Effective Address
Opcode Instruction Clocks Description
8D /r LEA r16,m 2 Store effective address for m in register r16
8D /r LEA r32,m 2 Store effective address for m in register r32
8D /r LEA r16,m 2 Store effective address for m in register r16
8D /r LEA r32,m 2 Store effective address for m in register r32
Operation
IF OperandSize = 16 AND AddressSize = 16
THEN r16 � Addr(m);
ELSE
IF OperandSize = 16 AND AddressSize = 32
THEN
r16 � Truncate_to_16bits(Addr(m)); (* 32-bit address *)
ELSE
IF OperandSize = 32 AND AddressSize = 16
THEN
r32 � Truncate_to_16bits(Addr(m));
ELSE
IF OperandSize = 32 AND AddressSize = 32
THEN r32 � Addr(m);
FI;
FI;
FI;
FI;
Description
LEA calculates the effective address (offset part) and stores it in the
specified register. The operand-size attribute of the instruction
(represented by OperandSize in the algorithm under "Operation" above) is
determined by the chosen register. The address-size attribute (represented
by AddressSize) is determined by the USE attribute of the segment containing
the second operand. The address-size and operand-size attributes affect the
action performed by LEA, as follows:
Operand Size Address Size Action Performed
16 16 16-bit effective address is calculated and
stored in requested 16-bit register
destination.
16 32 32-bit effective address is calculated. The
lower 16 bits of the address are stored in
the requested 16-bit register destination.
32 16 16-bit effective address is calculated. The
16-bit address is zero-extended and stored
in the requested 32-bit register destination.
32 32 32-bit effective address is calculated and
stored in the requested 32-bit register
destination.
Flags Affected
None
Protected Mode Exceptions
Real Address Mode Exceptions
Interrupt 6 if the second operand is a register
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode
LEAVE ÄÄ High Level Procedure Exit
Opcode Instruction Clocks Description
C9 LEAVE 4 Set SP to BP, then pop BP
C9 LEAVE 4 Set ESP to EBP, then pop EBP
Operation
IF StackAddrSize = 16
THEN
SP � BP;
ELSE (* StackAddrSize = 32 *)
ESP � EBP;
FI;
IF OperandSize = 16
THEN
BP � Pop();
ELSE (* OperandSize = 32 *)
EBP � Pop();
FI;
Description
LEAVE reverses the actions of the ENTER instruction. By copying the
frame pointer to the stack pointer, LEAVE releases the stack space used
by a procedure for its local variables. The old frame pointer is popped
into BP or EBP, restoring the caller's frame. A subsequent RET
instruction removes any arguments pushed onto the stack of the exiting
procedure.
Flags Affected
None
Protected Mode Exceptions
stack segment
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode
LGDT/LIDT ÄÄ Load Global/Interrupt Descriptor Table Register
Opcode Instruction Clocks Description
0F 01 /2 LGDT m16&32 11 Load m into GDTR
0F 01 /3 LIDT m16&32 11 Load m into IDTR
Operation
IF instruction = LIDT
THEN
IF OperandSize = 16
THEN IDTR.Limit:Base � m16:24 (* 24 bits of base loaded *)
ELSE IDTR.Limit:Base � m16:32
FI;
ELSE (* instruction = LGDT *)
IF OperandSize = 16
THEN GDTR.Limit:Base � m16:24 (* 24 bits of base loaded *)
ELSE GDTR.Limit:Base � m16:32;
FI;
FI;
Description
The LGDT and LIDT instructions load a linear base address and limit
value from a six-byte data operand in memory into the GDTR or IDTR,
respectively. If a 16-bit operand is used with LGDT or LIDT, the
register is loaded with a 16-bit limit and a 24-bit base, and the
high-order eight bits of the six-byte data operand are not used. If a 32-bit
operand is used, a 16-bit limit and a 32-bit base is loaded; the high-order
eight bits of the six-byte operand are used as high-order base address bits.
The SGDT and SIDT instructions always store into all 48 bits of the
six-byte data operand. With the 80286, the upper eight bits are undefined
after SGDT or SIDT is executed. With the 80386, the upper eight bits
are written with the high-order eight address bits, for both a 16-bit
operand and a 32-bit operand. If LGDT or LIDT is used with a 16-bit
operand to load the register stored by SGDT or SIDT, the upper eight
bits are stored as zeros.
LGDT and LIDT appear in operating system software; they are not used
in application programs. They are the only instructions that directly load
a linear address (i.e., not a segment relative address) in 80386 Protected
Mode.
Flags Affected
None
Protected Mode Exceptions
is a register; #GP(0) for an illegal memory operand effective address in
the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in
the SS segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH; Interrupt 6 if the source operand is a
register
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Note:
These instructions are valid in Real Address Mode to allow
power-up initialization for Protected Mode
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
LGS/LSS/LDS/LES/LFS ÄÄ Load Full Pointer
Opcode Instruction Clocks Description
C5 /r LDS r16,m16:16 7,p=22 Load DS:r16 with pointer from memory
C5 /r LDS r32,m16:32 7,p=22 Load DS:r32 with pointer from memory
0F B2 /r LSS r16,m16:16 7,p=22 Load SS:r16 with pointer from memory
0F B2 /r LSS r32,m16:32 7,p=22 Load SS:r32 with pointer from memory
C4 /r LES r16,m16:16 7,p=22 Load ES:r16 with pointer from memory
C4 /r LES r32,m16:32 7,p=22 Load ES:r32 with pointer from memory
0F B4 /r LFS r16,m16:16 7,p=25 Load FS:r16 with pointer from memory
0F B4 /r LFS r32,m16:32 7,p=25 Load FS:r32 with pointer from memory
0F B5 /r LGS r16,m16:16 7,p=25 Load GS:r16 with pointer from memory
0F B5 /r LGS r32,m16:32 7,p=25 Load GS:r32 with pointer from memory
Operation
CASE instruction OF
LSS: Sreg is SS; (* Load SS register *)
LDS: Sreg is DS; (* Load DS register *)
LES: Sreg is ES; (* Load ES register *)
LFS: Sreg is FS; (* Load FS register *)
LGS: Sreg is DS; (* Load GS register *)
ESAC;
IF (OperandSize = 16)
THEN
r16 � [Effective Address]; (* 16-bit transfer *)
Sreg � [Effective Address + 2]; (* 16-bit transfer *)
(* In Protected Mode, load the descriptor into the segment register *)
ELSE (* OperandSize = 32 *)
r32 � [Effective Address]; (* 32-bit transfer *)
Sreg � [Effective Address + 4]; (* 16-bit transfer *)
(* In Protected Mode, load the descriptor into the segment register *)
FI;
Description
These instructions read a full pointer from memory and store it in the
selected segment register:register pair. The full pointer loads 16 bits
into the segment register SS, DS, ES, FS, or GS. The other register loads 32
bits if the operand-size attribute is 32 bits, or loads 16 bits if the
operand-size attribute is 16 bits. The other 16- or 32-bit register to be
loaded is determined by the r16 or r32 register operand specified.
When an assignment is made to one of the segment registers, the
descriptor is also loaded into the segment register. The data for the
register is obtained from the descriptor table entry for the selector
given.
A null selector (values 0000-0003) can be loaded into DS, ES, FS, or
GS registers without causing a protection exception. (Any subsequent
reference to a segment whose corresponding segment register is loaded
with a null selector to address memory causes a #GP(0) exception. No
memory reference to the segment occurs.)
The following is a listing of the Protected Mode checks and actions taken in
the loading of a segment register:
IF SS is loaded:
IF selector is null THEN #GP(0); FI;
Selector index must be within its descriptor table limits ELSE
#GP(selector);
Selector's RPL must equal CPL ELSE #GP(selector);
AR byte must indicate a writable data segment ELSE #GP(selector);
DPL in the AR byte must equal CPL ELSE #GP(selector);
Segment must be marked present ELSE #SS(selector);
Load SS with selector;
Load SS with descriptor;
IF DS, ES, FS, or GS is loaded with non-null selector:
Selector index must be within its descriptor table limits ELSE
#GP(selector);
AR byte must indicate data or readable code segment ELSE
#GP(selector);
IF data or nonconforming code
THEN both the RPL and the CPL must be less than or equal to DPL in
AR byte;
ELSE #GP(selector);
Segment must be marked present ELSE #NP(selector);
Load segment register with selector and RPL bits;
Load segment register with descriptor;
IF DS, ES, FS or GS is loaded with a null selector:
Clear descriptor valid bit;
Flags Affected
None
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
the second operand must be a memory operand, not a register; #GP(0)
if a null selector is loaded into SS; #PF(fault-code) for a page fault
Real Address Mode Exceptions
The second operand must be a memory operand, not a register; Interrupt
13 if any part of the operand would lie outside of the effective address
space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
LLDT ÄÄ Load Local Descriptor Table Register
Opcode Instruction Clocks Description
0F 00 /2 LLDT r/m16 20 Load selector r/m16 into LDTR
Operation
LDTR � SRC;
Description
LLDT loads the Local Descriptor Table register (LDTR). The word
operand (memory or register) to LLDT should contain a selector to the
Global Descriptor Table (GDT). The GDT entry should be a Local Descriptor
Table. If so, then the LDTR is loaded from the entry. The descriptor
registers DS, ES, SS, FS, GS, and CS are not affected. The LDT field in the
task state segment does not change.
The selector operand can be 0; if so, the LDTR is marked invalid. All
descriptor references (except by the LAR, VERR, VERW or LSL
instructions) cause a #GP fault.
LLDT is used in operating system software; it is not used in application
programs.
Flags Affected
None
Protected Mode Exceptions
selector operand does not point into the Global Descriptor Table, or if the
entry in the GDT is not a Local Descriptor Table; #NP(selector) if the
LDT descriptor is not present; #GP(0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 6; LLDT is not recognized in Real Address Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode (because the instruction is
not recognized, it will not execute or perform a memory reference)
Note
The operand-size attribute has no effect on this instruction.
LMSW ÄÄ Load Machine Status Word
Opcode Instruction Clocks Description
0F 01 /6 LMSW r/m16 10/13 Load r/m16 in machine status word
Operation
MSW � r/m16; (* 16 bits is stored in the machine status word *)
Description
LMSW loads the machine status word (part of CR0) from the source
operand. This instruction can be used to switch to Protected Mode; if so,
it must be followed by an intrasegment jump to flush the instruction
queue. LMSW will not switch back to Real Address Mode.
LMSW is used only in operating system software. It is not used in
application programs.
Flags Affected
None
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
Notes
The operand-size attribute has no effect on this instruction. This
instruction is provided for compatibility with the 80286; 80386 programs
should use MOV CR0, ... instead.
LOCK ÄÄ Assert LOCK# Signal Prefix
Opcode Instruction Clocks Description
F0 LOCK 0 Assert LOCK# signal for the next instruction
Description
The LOCK prefix causes the LOCK# signal of the 80386 to be asserted
during execution of the instruction that follows it. In a multiprocessor
environment, this signal can be used to ensure that the 80386 has
exclusive use of any shared memory while LOCK# is asserted. The
read-modify-write sequence typically used to implement test-and-set on the
80386 is the BTS instruction.
The LOCK prefix functions only with the following instructions:
BT, BTS, BTR, BTC mem, reg/imm
XCHG reg, mem
XCHG mem, reg
ADD, OR, ADC, SBB, AND, SUB, XOR mem, reg/imm
NOT, NEG, INC, DEC mem
An undefined opcode trap will be generated if a LOCK prefix is used
with any instruction not listed above.
XCHG always asserts LOCK# regardless of the presence or absence of
the LOCK prefix.
The integrity of the LOCK is not affected by the alignment of the
memory field. Memory locking is observed for arbitrarily misaligned
fields.
Locked access is not assured if another 80386 processor is executing an
instruction concurrently that has one of the following characteristics:
þ Is not preceded by a LOCK prefix
þ Is not one of the instructions in the preceding list
þ Specifies a memory operand that does not exactly overlap the
destination operand. Locking is not guaranteed for partial overlap,
even if one memory operand is wholly contained within another.
Flags Affected
None
Protected Mode Exceptions
section above; other exceptions can be generated by the subsequent
(locked) instruction
Real Address Mode Exceptions
Interrupt 6 if LOCK is used with an instruction not listed in the
"Description" section above; exceptions can still be generated by the
subsequent (locked) instruction
Virtual 8086 Mode Exceptions
section above; exceptions can still be generated by the subsequent (locked)
instruction
LODS/LODSB/LODSW/LODSD ÄÄ Load String Operand
Opcode Instruction Clocks Description
AC LODS m8 5 Load byte [(E)SI] into AL
AD LODS m16 5 Load word [(E)SI] into AX
AD LODS m32 5 Load dword [(E)SI] into EAX
AC LODSB 5 Load byte DS:[(E)SI] into AL
AD LODSW 5 Load word DS:[(E)SI] into AX
AD LODSD 5 Load dword DS:[(E)SI] into EAX
Operation
IF AddressSize = 16
THEN use SI for source-index
ELSE (* AddressSize = 32 *)
use ESI for source-index;
FI;
IF byte type of instruction
THEN
AL � [source-index]; (* byte load *)
IF DF = 0 THEN IncDec � 1 ELSE IncDec � -1; FI;
ELSE
IF OperandSize = 16
THEN
AX � [source-index]; (* word load *)
IF DF = 0 THEN IncDec � 2 ELSE IncDec � -2; FI;
ELSE (* OperandSize = 32 *)
EAX � [source-index]; (* dword load *)
IF DF = 0 THEN IncDec � 4 ELSE IncDec � -4; FI;
FI;
FI;
source-index � source-index + IncDec
Description
LODS loads the AL, AX, or EAX register with the memory byte, word,
or doubleword at the location pointed to by the source-index register.
After the transfer is made, the source-index register is automatically
advanced. If the direction flag is 0 (CLD was executed), the source index
increments; if the direction flag is 1 (STD was executed), it decrements.
The increment or decrement is 1 if a byte is loaded, 2 if a word is loaded,
or 4 if a doubleword is loaded.
If the address-size attribute for this instruction is 16 bits, SI is used
for the source-index register; otherwise the address-size attribute is 32
bits, and the ESI register is used. The address of the source data is
determined solely by the contents of ESI/SI. Load the correct index value
into SI before executing the LODS instruction. LODSB, LODSW, LODSD are
synonyms for the byte, word, and doubleword LODS instructions.
LODS can be preceded by the REP prefix; however, LODS is used more typically
within a LOOP construct, because further processing of the data moved into
EAX, AX, or AL is usually necessary.
Flags Affected
None
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
LOOP/LOOPcond ÄÄ Loop Control with CX Counter
Opcode Instruction Clocks Description
E2 cb LOOP rel8 11+m DEC count; jump short if count <> 0
E1 cb LOOPE rel8 11+m DEC count; jump short if count <> 0 and ZF=1
E1 cb LOOPZ rel8 11+m DEC count; jump short if count <> 0 and ZF=1
E0 cb LOOPNE rel8 11+m DEC count; jump short if count <> 0 and ZF=0
E0 cb LOOPNZ rel8 11+m DEC count; jump short if count <> 0 and ZF=0
Operation
IF AddressSize = 16 THEN CountReg is CX ELSE CountReg is ECX; FI;
CountReg � CountReg - 1;
IF instruction <> LOOP
THEN
IF (instruction = LOOPE) OR (instruction = LOOPZ)
THEN BranchCond � (ZF = 1) AND (CountReg <> 0);
FI;
IF (instruction = LOOPNE) OR (instruction = LOOPNZ)
THEN BranchCond � (ZF = 0) AND (CountReg <> 0);
FI;
FI;
IF BranchCond
THEN
IF OperandSize = 16
THEN
IP � IP + SignExtend(rel8);
ELSE (* OperandSize = 32 *)
EIP � EIP + SignExtend(rel8);
FI;
FI;
Description
LOOP decrements the count register without changing any of the flags.
Conditions are then checked for the form of LOOP being used. If the
conditions are met, a short jump is made to the label given by the operand
to LOOP. If the address-size attribute is 16 bits, the CX register is used
as the count register; otherwise the ECX register is used. The operand
of LOOP must be in the range from 128 (decimal) bytes before the
instruction to 127 bytes ahead of the instruction.
The LOOP instructions provide iteration control and combine loop index
management with conditional branching. Use the LOOP instruction by
loading an unsigned iteration count into the count register, then code the
LOOP at the end of a series of instructions to be iterated. The
destination of LOOP is a label that points to the beginning of the
iteration.
Flags Affected
None
Protected Mode Exceptions
segment
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
LSL ÄÄ Load Segment Limit
Opcode Instruction Clocks Description
0F 03 /r LSL r16,r/m16 pm=20/21 Load: r16 � segment limit,
selector r/m16 (byte granular)
0F 03 /r LSL r32,r/m32 pm=20/21 Load: r32 � segment limit,
selector r/m32 (byte granular)
0F 03 /r LSL r16,r/m16 pm=25/26 Load: r16 � segment limit,
selector r/m16 (page granular)
0F 03 /r LSL r32,r/m32 pm=25/26 Load: r32 � segment limit,
selector r/m32 (page granular)
Description
The LSL instruction loads a register with an unscrambled segment limit,
and sets ZF to 1, provided that the source selector is visible at the CPL
weakened by RPL, and that the descriptor is a type accepted by LSL.
Otherwise, ZF is cleared to 0, and the destination register is unchanged.
The segment limit is loaded as a byte granular value. If the descriptor
has a page granular segment limit, LSL will translate it to a byte limit
before loading it in the destination register (shift left 12 the 20-bit
"raw" limit from descriptor, then OR with 00000FFFH).
The 32-bit forms of this instruction store the 32-bit byte granular limit
in the 16-bit destination register.
Code and data segment descriptors are valid for LSL.
The valid special segment and gate descriptor types for LSL are given
in the following table:
Type Name Valid/Invalid
0 Invalid Invalid
1 Available 80286 TSS Valid
2 LDT Valid
3 Busy 80286 TSS Valid
4 80286 call gate Invalid
5 80286/80386 task gate Invalid
6 80286 trap gate Invalid
7 80286 interrupt gate Invalid
8 Invalid Valid
9 Available 80386 TSS Valid
A Invalid Invalid
B Busy 80386 TSS Valid
C 80386 call gate Invalid
D Invalid Invalid
E 80386 trap gate Invalid
F 80386 interrupt gate Invalid
Flags Affected
ZF as described above
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 6; LSL is not recognized in Real Address Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode
LTR ÄÄ Load Task Register
Opcode Instruction Clocks Description
0F 00 /3 LTR r/m16 pm=23/27 Load EA word into task register
Description
LTR loads the task register from the source register or memory location
specified by the operand. The loaded task state segment is marked busy.
A task switch does not occur.
LTR is used only in operating system software; it is not used in
application programs.
Flags Affected
None
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
named by the source selector is not a TSS or is already busy;
a page fault
Real Address Mode Exceptions
Interrupt 6; LTR is not recognized in Real Address Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode
Notes
The operand-size attribute has no effect on this instruction.
MOV ÄÄ Move Data
Opcode Instruction Clocks Description
88 /r MOV r/m8,r8 2/2 Move byte register to r/m byte
89 /r MOV r/m16,r16 2/2 Move word register to r/m word
89 /r MOV r/m32,r32 2/2 Move dword register to r/m dword
8A /r MOV r8,r/m8 2/4 Move r/m byte to byte register
8B /r MOV r16,r/m16 2/4 Move r/m word to word register
8B /r MOV r32,r/m32 2/4 Move r/m dword to dword register
8C /r MOV r/m16,Sreg 2/2 Move segment register to r/m word
8D /r MOV Sreg,r/m16 2/5,pm=18/19 Move r/m word to segment register
A0 MOV AL,moffs8 4 Move byte at (seg:offset) to AL
A1 MOV AX,moffs16 4 Move word at (seg:offset) to AX
A1 MOV EAX,moffs32 4 Move dword at (seg:offset) to EAX
A2 MOV moffs8,AL 2 Move AL to (seg:offset)
A3 MOV moffs16,AX 2 Move AX to (seg:offset)
A3 MOV moffs32,EAX 2 Move EAX to (seg:offset)
B0 + rb MOV reg8,imm8 2 Move immediate byte to register
B8 + rw MOV reg16,imm16 2 Move immediate word to register
B8 + rd MOV reg32,imm32 2 Move immediate dword to register
C6 MOV r/m8,imm8 2/2 Move immediate byte to r/m byte
C7 MOV r/m16,imm16 2/2 Move immediate word to r/m word
C7 MOV r/m32,imm32 2/2 Move immediate dword to r/m dword
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTES:
moffs8, moffs16, and moffs32 all consist of a simple offset relative
to the segment base. The 8, 16, and 32 refer to the size of the data. The
address-size attribute of the instruction determines the size of the
offset, either 16 or 32 bits.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
DEST � SRC;
Description
MOV copies the second operand to the first operand.
If the destination operand is a segment register (DS, ES, SS, etc.), then
data from a descriptor is also loaded into the register. The data for the
register is obtained from the descriptor table entry for the selector
given. A null selector (values 0000-0003) can be loaded into DS and ES
registers without causing an exception; however, use of DS or ES causes a
A MOV into SS inhibits all interrupts until after the execution of the
next instruction (which is presumably a MOV into eSP).
Loading a segment register under 80386 Protected Mode results in special
checks and actions, as described in the following listing:
IF SS is loaded;
THEN
IF selector is null THEN #GP(0);
FI;
Selector index must be within its descriptor table limits else
#GP(selector);
Selector's RPL must equal CPL else #GP(selector);
AR byte must indicate a writable data segment else #GP(selector);
DPL in the AR byte must equal CPL else #GP(selector);
Segment must be marked present else #SS(selector);
Load SS with selector;
Load SS with descriptor.
FI;
IF DS, ES, FS or GS is loaded with non-null selector;
THEN
Selector index must be within its descriptor table limits
else #GP(selector);
AR byte must indicate data or readable code segment else
#GP(selector);
IF data or nonconforming code segment
THEN both the RPL and the CPL must be less than or equal to DPL in
AR byte;
ELSE #GP(selector);
FI;
Segment must be marked present else #NP(selector);
Load segment register with selector;
Load segment register with descriptor;
FI;
IF DS, ES, FS or GS is loaded with a null selector;
THEN
Load segment register with selector;
Clear descriptor valid bit;
FI;
Flags Affected
None
Protected Mode Exceptions
illegal memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
MOV ÄÄ Move to/from Special Registers
Opcode Instruction Clocks Description
0F 20 /r MOV r32,CR0/CR2/CR3 6 Move (control register) to
(register)
0F 22 /r MOV CR0/CR2/CR3,r32 10/4/5 Move (register) to (control
register)
0F 21 /r MOV r32,DR0 -- 3 22 Move (debug register) to
(register)
0F 21 /r MOV r32,DR6/DR7 14 Move (debug register) to
(register)
0F 23 /r MOV DR0 -- 3,r32 22 Move (register) to (debug
register)
0F 23 /r MOV DR6/DR7,r32 16 Move (register) to (debug
register)
0F 24 /r MOV r32,TR6/TR7 12 Move (test register) to
(register)
0F 26 /r MOV TR6/TR7,r32 12 Move (register) to (test
register)
Operation
DEST � SRC;
Description
The above forms of MOV store or load the following special registers in
or from a general purpose register:
þ Control registers CR0, CR2, and CR3
þ Debug Registers DR0, DR1, DR2, DR3, DR6, and DR7
þ Test Registers TR6 and TR7
32-bit operands are always used with these instructions, regardless of the
operand-size attribute.
Flags Affected
OF, SF, ZF, AF, PF, and CF are undefined
Protected Mode Exceptions
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
Notes
The instructions must be executed at privilege level 0 or in real-address
mode; otherwise, a protection exception will be raised.
The reg field within the ModRM byte specifies which of the special
registers in each category is involved. The two bits in the field are
always 11. The r/m field specifies the general register involved.
MOVS/MOVSB/MOVSW/MOVSD ÄÄ Move Data from String to String
Opcode Instruction Clocks Description
A4 MOVS m8,m8 7 Move byte [(E)SI] to ES:[(E)DI]
A5 MOVS m16,m16 7 Move word [(E)SI] to ES:[(E)DI]
A5 MOVS m32,m32 7 Move dword [(E)SI] to ES:[(E)DI]
A4 MOVSB 7 Move byte DS:[(E)SI] to ES:[(E)DI]
A5 MOVSW 7 Move word DS:[(E)SI] to ES:[(E)DI]
A5 MOVSD 7 Move dword DS:[(E)SI] to ES:[(E)DI]
Operation
IF (instruction = MOVSD) OR (instruction has doubleword operands)
THEN OperandSize � 32;
ELSE OperandSize � 16;
IF AddressSize = 16
THEN use SI for source-index and DI for destination-index;
ELSE (* AddressSize = 32 *)
use ESI for source-index and EDI for destination-index;
FI;
IF byte type of instruction
THEN
[destination-index] � [source-index]; (* byte assignment *)
IF DF = 0 THEN IncDec � 1 ELSE IncDec � -1; FI;
ELSE
IF OperandSize = 16
THEN
[destination-index] � [source-index]; (* word assignment *)
IF DF = 0 THEN IncDec � 2 ELSE IncDec � -2; FI;
ELSE (* OperandSize = 32 *)
[destination-index] � [source-index]; (* doubleword assignment *)
IF DF = 0 THEN IncDec � 4 ELSE IncDec � -4; FI;
FI;
FI;
source-index � source-index + IncDec;
destination-index � destination-index + IncDec;
Description
MOVS copies the byte or word at [(E)SI] to the byte or word at
ES:[(E)DI]. The destination operand must be addressable from the ES
register; no segment override is possible for the destination. A segment
override can be used for the source operand; the default is DS.
The addresses of the source and destination are determined solely by the
contents of (E)SI and (E)DI. Load the correct index values into (E)SI
and (E)DI before executing the MOVS instruction. MOVSB, MOVSW,
and MOVSD are synonyms for the byte, word, and doubleword MOVS
instructions.
After the data is moved, both (E)SI and (E)DI are advanced
automatically. If the direction flag is 0 (CLD was executed), the registers
are incremented; if the direction flag is 1 (STD was executed), the
registers are decremented. The registers are incremented or decremented by 1
if a byte was moved, 2 if a word was moved, or 4 if a doubleword was moved.
MOVS can be preceded by the REP prefix for block movement of CX
bytes or words. Refer to the REP instruction for details of this operation.
Flags Affected
None
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
MOVSX ÄÄ Move with Sign-Extend
Opcode Instruction Clocks Description
0F BE /r MOVSX r16,r/m8 3/6 Move byte to word with sign-extend
0F BE /r MOVSX r32,r/m8 3/6 Move byte to dword, sign-extend
0F BF /r MOVSX r32,r/m16 3/6 Move word to dword, sign-extend
Operation
DEST � SignExtend(SRC);
Description
MOVSX reads the contents of the effective address or register as a byte
or a word, sign-extends the value to the operand-size attribute of the
instruction (16 or 32 bits), and stores the result in the destination
register.
Flags Affected
None
Protected Mode Exceptions
ES, FS or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
MOVZX ÄÄ Move with Zero-Extend
Opcode Instruction Clocks Description
0F B6 /r MOVZX r16,r/m8 3/6 Move byte to word with zero-extend
0F B6 /r MOVZX r32,r/m8 3/6 Move byte to dword, zero-extend
0F B7 /r MOVZX r32,r/m16 3/6 Move word to dword, zero-extend
Operation
DEST � ZeroExtend(SRC);
Description
MOVZX reads the contents of the effective address or register as a byte
or a word, zero extends the value to the operand-size attribute of the
instruction (16 or 32 bits), and stores the result in the destination
register.
Flags Affected
None
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
MUL ÄÄ Unsigned Multiplication of AL or AX
Opcode Instruction Clocks Description
F6 /4 MUL AL,r/m8 9-14/12-17 Unsigned multiply (AX � AL * r/m byte)
F7 /4 MUL AX,r/m16 9-22/12-25 Unsigned multiply (DX:AX � AX * r/m
word)
F7 /4 MUL EAX,r/m32 9-38/12-41 Unsigned multiply (EDX:EAX � EAX * r/m
dword)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTES:
The 80386 uses an early-out multiply algorithm. The actual number of
clocks depends on the position of the most significant bit in the
optimizing multiplier, shown underlined above. The optimization occurs
for positive and negative multiplier values. Because of the early-out
algorithm, clock counts given are minimum to maximum. To calculate the
actual clocks, use the following formula:
Actual clock = if <> 0 then max(ceiling(log{2} ³m³), 3) + 6 clocks;
Actual clock = if = 0 then 9 clocks
where m is the multiplier.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF byte-size operation
THEN AX � AL * r/m8
ELSE (* word or doubleword operation *)
IF OperandSize = 16
THEN DX:AX � AX * r/m16
ELSE (* OperandSize = 32 *)
EDX:EAX � EAX * r/m32
FI;
FI;
Description
MUL performs unsigned multiplication. Its actions depend on the size
of its operand, as follows:
þ A byte operand is multiplied by AL; the result is left in AX. The
carry and overflow flags are set to 0 if AH is 0; otherwise, they are
set to 1.
þ A word operand is multiplied by AX; the result is left in DX:AX.
DX contains the high-order 16 bits of the product. The carry and
overflow flags are set to 0 if DX is 0; otherwise, they are set to 1.
þ A doubleword operand is multiplied by EAX and the result is left in
EDX:EAX. EDX contains the high-order 32 bits of the product. The
carry and overflow flags are set to 0 if EDX is 0; otherwise, they are
set to 1.
Flags Affected
OF and CF as described above; SF, ZF, AF, PF, and CF are undefined
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
NEG ÄÄ Two's Complement Negation
Opcode Instruction Clocks Description
F6 /3 NEG r/m8 2/6 Two's complement negate r/m byte
F7 /3 NEG r/m16 2/6 Two's complement negate r/m word
F7 /3 NEG r/m32 2/6 Two's complement negate r/m dword
Operation
IF r/m = 0 THEN CF � 0 ELSE CF � 1; FI;
r/m � - r/m;
Description
NEG replaces the value of a register or memory operand with its two's
complement. The operand is subtracted from zero, and the result is placed
in the operand.
The carry flag is set to 1, unless the operand is zero, in which case the
carry flag is cleared to 0.
Flags Affected
CF as described above; OF, SF, ZF, and PF as described in Appendix C
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in real-address mode; #PF(fault-code) for a page
fault
NOP ÄÄ No Operation
Opcode Instruction Clocks Description
90 NOP 3 No operation
Description
NOP performs no operation. NOP is a one-byte instruction that takes
up space but affects none of the machine context except (E)IP.
NOP is an alias mnemonic for the XCHG (E)AX, (E)AX instruction.
Flags Affected
None
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
NOT ÄÄ One's Complement Negation
Opcode Instruction Clocks Description
F6 /2 NOT r/m8 2/6 Reverse each bit of r/m byte
F7 /2 NOT r/m16 2/6 Reverse each bit of r/m word
F7 /2 NOT r/m32 2/6 Reverse each bit of r/m dword
Operation
r/m � NOT r/m;
Description
NOT inverts the operand; every 1 becomes a 0, and vice versa.
Flags Affected
None
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in real-address mode; #PF(fault-code) for a page
fault
OR ÄÄ Logical Inclusive OR
Opcode Instruction Clocks Description
0C ib OR AL,imm8 2 OR immediate byte to AL
0D iw OR AX,imm16 2 OR immediate word to AX
0D id OR EAX,imm32 2 OR immediate dword to EAX
80 /1 ib OR r/m8,imm8 2/7 OR immediate byte to r/m byte
81 /1 iw OR r/m16,imm16 2/7 OR immediate word to r/m word
81 /1 id OR r/m32,imm32 2/7 OR immediate dword to r/m dword
83 /1 ib OR r/m16,imm8 2/7 OR sign-extended immediate byte
with r/m word
83 /1 ib OR r/m32,imm8 2/7 OR sign-extended immediate byte
with r/m dword
08 /r OR r/m8,r8 2/6 OR byte register to r/m byte
09 /r OR r/m16,r16 2/6 OR word register to r/m word
09 /r OR r/m32,r32 2/6 OR dword register to r/m dword
0A /r OR r8,r/m8 2/7 OR byte register to r/m byte
0B /r OR r16,r/m16 2/7 OR word register to r/m word
0B /r OR r32,r/m32 2/7 OR dword register to r/m dword
Operation
DEST � DEST OR SRC;
CF � 0;
OF � 0
Description
OR computes the inclusive OR of its two operands and places the result
in the first operand. Each bit of the result is 0 if both corresponding
bits of the operands are 0; otherwise, each bit is 1.
Flags Affected
OF � 0, CF � 0; SF, ZF, and PF as described in Appendix C; AF is
undefined
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in real-address mode; #PF(fault-code) for a page
fault
OUT ÄÄ Output to Port
Opcode Instruction Clocks Description
E6 ib OUT imm8,AL 10,pm=4*/24** Output byte AL to immediate port
number
E7 ib OUT imm8,AX 10,pm=4*/24** Output word AL to immediate port
number
E7 ib OUT imm8,EAX 10,pm=4*/24** Output dword AL to immediate
port number
EE OUT DX,AL 11,pm=5*/25** Output byte AL to port number in
DX
EF OUT DX,AX 11,pm=5*/25** Output word AL to port number in
DX
EF OUT DX,EAX 11,pm=5*/25** Output dword AL to port number
in DX
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTES:
*If CPL ó IOPL
**If CPL > IOPL or if in virtual 8086 mode
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
IF NOT I-O-Permission (DEST, width(DEST))
THEN #GP(0);
FI;
FI;
[DEST] � SRC; (* I/O address space used *)
Description
OUT transfers a data byte or data word from the register (AL, AX, or
EAX) given as the second operand to the output port numbered by the
first operand. Output to any port from 0 to 65535 is performed by placing
the port number in the DX register and then using an OUT instruction
with DX as the first operand. If the instruction contains an eight-bit port
ID, that value is zero-extended to 16 bits.
Flags Affected
None
Protected Mode Exceptions
IOPL and any of the corresponding I/O permission bits in TSS equals 1
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
equals 1
OUTS/OUTSB/OUTSW/OUTSD ÄÄ Output String to Port
Opcode Instruction Clocks Description
6E OUTS DX,r/m8 14,pm=8*/28** Output byte [(E)SI] to port in DX
6F OUTS DX,r/m16 14,pm=8*/28** Output word [(E)SI] to port in DX
6F OUTS DX,r/m32 14,pm=8*/28** Output dword [(E)SI] to port in DX
6E OUTSB 14,pm=8*/28** Output byte DS:[(E)SI] to port in
DX
6F OUTSW 14,pm=8*/28** Output word DS:[(E)SI] to port in
DX
6F OUTSD 14,pm=8*/28** Output dword DS:[(E)SI] to port in
DX
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NOTES:
*If CPL ó IOPL
**If CPL > IOPL or if in virtual 8086 mode
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Operation
IF AddressSize = 16
THEN use SI for source-index;
ELSE (* AddressSize = 32 *)
use ESI for source-index;
FI;
IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
IF NOT I-O-Permission (DEST, width(DEST))
THEN #GP(0);
FI;
FI;
IF byte type of instruction
THEN
[DX] � [source-index]; (* Write byte at DX I/O address *)
IF DF = 0 THEN IncDec � 1 ELSE IncDec � -1; FI;
FI;
IF OperandSize = 16
THEN
[DX] � [source-index]; (* Write word at DX I/O address *)
IF DF = 0 THEN IncDec � 2 ELSE IncDec � -2; FI;
FI;
IF OperandSize = 32
THEN
[DX] � [source-index]; (* Write dword at DX I/O address *)
IF DF = 0 THEN IncDec � 4 ELSE IncDec � -4; FI;
FI;
FI;
source-index � source-index + IncDec;
Description
OUTS transfers data from the memory byte, word, or doubleword at the
source-index register to the output port addressed by the DX register. If
the address-size attribute for this instruction is 16 bits, SI is used for
the source-index register; otherwise, the address-size attribute is 32 bits,
and ESI is used for the source-index register.
OUTS does not allow specification of the port number as an immediate value.
The port must be addressed through the DX register value. Load the correct
value into DX before executing the OUTS instruction.
The address of the source data is determined by the contents of
source-index register. Load the correct index value into SI or ESI before
executing the OUTS instruction.
After the transfer, source-index register is advanced automatically. If
the direction flag is 0 (CLD was executed), the source-index register is
incremented; if the direction flag is 1 (STD was executed), it is
decremented. The amount of the increment or decrement is 1 if a byte is
output, 2 if a word is output, or 4 if a doubleword is output.
OUTSB, OUTSW, and OUTSD are synonyms for the byte, word, and
doubleword OUTS instructions. OUTS can be preceded by the REP
prefix for block output of CX bytes or words. Refer to the REP
instruction for details on this operation.
Flags Affected
None
Protected Mode Exceptions
permission bits in TSS equals 1; #GP(0) for an illegal memory operand
effective address in the CS, DS, or ES segments; #SS(0) for an illegal
address in the SS segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
equals 1; #PF(fault-code) for a page fault
POP ÄÄ Pop a Word from the Stack
Opcode Instruction Clocks Description
8F /0 POP m16 5 Pop top of stack into memory word
8F /0 POP m32 5 Pop top of stack into memory dword
58 + rw POP r16 4 Pop top of stack into word register
58 + rd POP r32 4 Pop top of stack into dword register
1F POP DS 7,pm=21 Pop top of stack into DS
07 POP ES 7,pm=21 Pop top of stack into ES
17 POP SS 7,pm=21 Pop top of stack into SS
0F A1 POP FS 7,pm=21 Pop top of stack into FS
0F A9 POP GS 7,pm=21 Pop top of stack into GS
Operation
IF StackAddrSize = 16
THEN
IF OperandSize = 16
THEN
DEST � (SS:SP); (* copy a word *)
SP � SP + 2;
ELSE (* OperandSize = 32 *)
DEST � (SS:SP); (* copy a dword *)
SP � SP + 4;
FI;
ELSE (* StackAddrSize = 32 * )
IF OperandSize = 16
THEN
DEST � (SS:ESP); (* copy a word *)
ESP � ESP + 2;
ELSE (* OperandSize = 32 *)
DEST � (SS:ESP); (* copy a dword *)
ESP � ESP + 4;
FI;
FI;
Description
POP replaces the previous contents of the memory, the register, or the
segment register operand with the word on the top of the 80386 stack,
addressed by SS:SP (address-size attribute of 16 bits) or SS:ESP
(addresssize attribute of 32 bits). The stack pointer SP is incremented
by 2 for an operand-size of 16 bits or by 4 for an operand-size of 32 bits.
It then points to the new top of stack.
POP CS is not an 80386 instruction. Popping from the stack into the CS
register is accomplished with a RET instruction.
If the destination operand is a segment register (DS, ES, FS, GS, or
SS), the value popped must be a selector. In protected mode, loading the
selector initiates automatic loading of the descriptor information
associated with that selector into the hidden part of the segment register;
loading also initiates validation of both the selector and the descriptor
information.
A null value (0000-0003) may be popped into the DS, ES, FS, or GS
register without causing a protection exception. An attempt to reference
a segment whose corresponding segment register is loaded with a null
value causes a #GP(0) exception. No memory reference occurs. The saved
value of the segment register is null.
A POP SS instruction inhibits all interrupts, including NMI, until after
execution of the next instruction. This allows sequential execution of POP
SS and POP eSP instructions without danger of having an invalid stack
during an interrupt. However, use of the LSS instruction is the preferred
method of loading the SS and eSP registers.
Loading a segment register while in protected mode results in special
checks and actions, as described in the following listing:
IF SS is loaded:
IF selector is null THEN #GP(0);
Selector index must be within its descriptor table limits ELSE
#GP(selector);
Selector's RPL must equal CPL ELSE #GP(selector);
AR byte must indicate a writable data segment ELSE #GP(selector);
DPL in the AR byte must equal CPL ELSE #GP(selector);
Segment must be marked present ELSE #SS(selector);
Load SS register with selector;
Load SS register with descriptor;
IF DS, ES, FS or GS is loaded with non-null selector:
AR byte must indicate data or readable code segment ELSE
#GP(selector);
IF data or nonconforming code
THEN both the RPL and the CPL must be less than or equal to DPL in
AR byte
ELSE #GP(selector);
FI;
Segment must be marked present ELSE #NP(selector);
Load segment register with selector;
Load segment register with descriptor;
IF DS, ES, FS, or GS is loaded with a null selector:
Load segment register with selector
Clear valid bit in invisible portion of register
Flags Affected
None
Protected Mode Exceptions
current top of stack is not within the stack segment; #GP(0) if the result
is in a nonwritable segment; #GP(0) for an illegal memory operand
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an
illegal address in the SS segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in real-address mode; #PF(fault-code) for a page
fault
POPA/POPAD ÄÄ Pop all General Registers
Opcode Instruction Clocks Description
61 POPA 24 Pop DI, SI, BP, SP, BX, DX, CX, and AX
61 POPAD 24 Pop EDI, ESI, EBP, ESP, EDX, ECX, and EAX
Operation
IF OperandSize = 16 (* instruction = POPA *)
THEN
DI � Pop();
SI � Pop();
BP � Pop();
throwaway � Pop (); (* Skip SP *)
BX � Pop();
DX � Pop();
CX � Pop();
AX � Pop();
ELSE (* OperandSize = 32, instruction = POPAD *)
EDI � Pop();
ESI � Pop();
EBP � Pop();
throwaway � Pop (); (* Skip ESP *)
EBX � Pop();
EDX � Pop();
ECX � Pop();
EAX � Pop();
FI;
Description
POPA pops the eight 16-bit general registers. However, the SP value is
discarded instead of loaded into SP. POPA reverses a previous PUSHA,
restoring the general registers to their values before PUSHA was
executed. The first register popped is DI.
POPAD pops the eight 32-bit general registers. The ESP value is
discarded instead of loaded into ESP. POPAD reverses the previous
PUSHAD, restoring the general registers to their values before PUSHAD
was executed. The first register popped is EDI.
Flags Affected
None
Protected Mode Exceptions
segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in real-address mode; #PF(fault-code) for a page
fault
POPF/POPFD ÄÄ Pop Stack into FLAGS or EFLAGS Register
Opcode Instruction Clocks Description
9D POPF 5 Pop top of stack FLAGS
9D POPFD 5 Pop top of stack into EFLAGS
Operation
Flags � Pop();
Description
POPF/POPFD pops the word or doubleword on the top of the stack and
stores the value in the flags register. If the operand-size attribute of
the instruction is 16 bits, then a word is popped and the value is stored in
FLAGS. If the operand-size attribute is 32 bits, then a doubleword is popped
and the value is stored in EFLAGS.
Refer to Chapter 2 and Chapter 4 for information about the FLAGS
and EFLAGS registers. Note that bits 16 and 17 of EFLAGS, called
VM and RF, respectively, are not affected by POPF or POPFD.
The I/O privilege level is altered only when executing at privilege level
0. The interrupt flag is altered only when executing at a level at least as
privileged as the I/O privilege level. (Real-address mode is equivalent to
privilege level 0.) If a POPF instruction is executed with insufficient
privilege, an exception does not occur, but the privileged bits do not
change.
Flags Affected
All flags except VM and RF
Protected Mode Exceptions
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
PUSH ÄÄ Push Operand onto the Stack
Opcode Instruction Clocks Description
FF /6 PUSH m16 5 Push memory word
FF /6 PUSH m32 5 Push memory dword
50 + /r PUSH r16 2 Push register word
50 + /r PUSH r32 2 Push register dword
6A PUSH imm8 2 Push immediate byte
68 PUSH imm16 2 Push immediate word
68 PUSH imm32 2 Push immediate dword
0E PUSH CS 2 Push CS
16 PUSH SS 2 Push SS
1E PUSH DS 2 Push DS
06 PUSH ES 2 Push ES
0F A0 PUSH FS 2 Push FS
OF A8 PUSH GS 2 Push GS
Operation
IF StackAddrSize = 16
THEN
IF OperandSize = 16 THEN
SP � SP - 2;
(SS:SP) � (SOURCE); (* word assignment *)
ELSE
SP � SP - 4;
(SS:SP) � (SOURCE); (* dword assignment *)
FI;
ELSE (* StackAddrSize = 32 *)
IF OperandSize = 16
THEN
ESP � ESP - 2;
(SS:ESP) � (SOURCE); (* word assignment *)
ELSE
ESP � ESP - 4;
(SS:ESP) � (SOURCE); (* dword assignment *)
FI;
FI;
Description
PUSH decrements the stack pointer by 2 if the operand-size attribute of
the instruction is 16 bits; otherwise, it decrements the stack pointer by
4. PUSH then places the operand on the new top of stack, which is
pointed to by the stack pointer.
The 80386 PUSH eSP instruction pushes the value of eSP as it existed
before the instruction. This differs from the 8086, where PUSH SP
pushes the new value (decremented by 2).
Flags Affected
None
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
None; if SP or ESP is 1, the 80386 shuts down due to a lack of stack
space
Virtual 8086 Mode Exceptions
Same exceptions as in real-address mode; #PF(fault-code) for a page
fault
PUSHA/PUSHAD ÄÄ Push all General Registers
Opcode Instruction Clocks Description
60 PUSHA 18 Push AX, CX, DX, BX, original SP, BP, SI, and
DI
60 PUSHAD 18 Push EAX, ECX, EDX, EBX, original ESP, EBP,
ESI, and EDI
Operation
IF OperandSize = 16 (* PUSHA instruction *)
THEN
Temp � (SP);
Push(AX);
Push(CX);
Push(DX);
Push(BX);
Push(Temp);
Push(BP);
Push(SI);
Push(DI);
ELSE (* OperandSize = 32, PUSHAD instruction *)
Temp � (ESP);
Push(EAX);
Push(ECX);
Push(EDX);
Push(EBX);
Push(Temp);
Push(EBP);
Push(ESI);
Push(EDI);
FI;
Description
PUSHA and PUSHAD save the 16-bit or 32-bit general registers,
respectively, on the 80386 stack. PUSHA decrements the stack pointer
(SP) by 16 to hold the eight word values. PUSHAD decrements the
stack pointer (ESP) by 32 to hold the eight doubleword values. Because
the registers are pushed onto the stack in the order in which they were
given, they appear in the 16 or 32 new stack bytes in reverse order. The
last register pushed is DI or EDI.
Flags Affected
None
Protected Mode Exceptions
limit; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Before executing PUSHA or PUSHAD, the 80386 shuts down if SP or
ESP equals 1, 3, or 5; if SP or ESP equals 7, 9, 11, 13, or 15, exception
13 occurs
Virtual 8086 Mode Exceptions
Same exceptions as in real-address mode; #PF(fault-code) for a page
fault
PUSHF/PUSHFD ÄÄ Push Flags Register onto the Stack
Opcode Instruction Clocks Description
9C PUSHF 4 Push FLAGS
9C PUSHFD 4 Push EFLAGS
Operation
IF OperandSize = 32
THEN push(EFLAGS);
ELSE push(FLAGS);
FI;
Description
PUSHF decrements the stack pointer by 2 and copies the FLAGS
register to the new top of stack; PUSHFD decrements the stack pointer by
4, and the 80386 EFLAGS register is copied to the new top of stack
which is pointed to by SS:eSP. Refer to Chapter 2 and Chapter 4 for
information on the EFLAGS register.
Flags Affected
None
Protected Mode Exceptions
Real Address Mode Exceptions
None; the 80386 shuts down due to a lack of stack space
Virtual 8086 Mode Exceptions
RCL/RCR/ROL/ROR ÄÄ Rotate
Opcode Instruction Clocks Description
D0 /2 RCL r/m8,1 9/10 Rotate 9 bits (CF,r/m byte) left
once
D2 /2 RCL r/m8,CL 9/10 Rotate 9 bits (CF,r/m byte) left CL
times
C0 /2 ib RCL r/m8,imm8 9/10 Rotate 9 bits (CF,r/m byte) left
imm8 times
D1 /2 RCL r/m16,1 9/10 Rotate 17 bits (CF,r/m word) left
once
D3 /2 RCL r/m16,CL 9/10 Rotate 17 bits (CF,r/m word) left
CL times
C1 /2 ib RCL r/m16,imm8 9/10 Rotate 17 bits (CF,r/m word) left
imm8 times
D1 /2 RCL r/m32,1 9/10 Rotate 33 bits (CF,r/m dword) left
once
D3 /2 RCL r/m32,CL 9/10 Rotate 33 bits (CF,r/m dword) left
CL times
C1 /2 ib RCL r/m32,imm8 9/10 Rotate 33 bits (CF,r/m dword) left
imm8 times
D0 /3 RCR r/m8,1 9/10 Rotate 9 bits (CF,r/m byte) right
once
D2 /3 RCR r/m8,CL 9/10 Rotate 9 bits (CF,r/m byte) right
CL times
C0 /3 ib RCR r/m8,imm8 9/10 Rotate 9 bits (CF,r/m byte) right
imm8 times
D1 /3 RCR r/m16,1 9/10 Rotate 17 bits (CF,r/m word) right
once
D3 /3 RCR r/m16,CL 9/10 Rotate 17 bits (CF,r/m word) right
CL times
C1 /3 ib RCR r/m16,imm8 9/10 Rotate 17 bits (CF,r/m word) right
imm8 times
D1 /3 RCR r/m32,1 9/10 Rotate 33 bits (CF,r/m dword) right
once
D3 /3 RCR r/m32,CL 9/10 Rotate 33 bits (CF,r/m dword) right
CL times
C1 /3 ib RCR r/m32,imm8 9/10 Rotate 33 bits (CF,r/m dword) right
imm8 times
D0 /0 ROL r/m8,1 3/7 Rotate 8 bits r/m byte left once
D2 /0 ROL r/m8,CL 3/7 Rotate 8 bits r/m byte left CL
times
C0 /0 ib ROL r/m8,imm8 3/7 Rotate 8 bits r/m byte left imm8
times
D1 /0 ROL r/m16,1 3/7 Rotate 16 bits r/m word left once
D3 /0 ROL r/m16,CL 3/7 Rotate 16 bits r/m word left CL
times
C1 /0 ib ROL r/m16,imm8 3/7 Rotate 16 bits r/m word left imm8
times
D1 /0 ROL r/m32,1 3/7 Rotate 32 bits r/m dword left once
D3 /0 ROL r/m32,CL 3/7 Rotate 32 bits r/m dword left CL
times
C1 /0 ib ROL r/m32,imm8 3/7 Rotate 32 bits r/m dword left imm8
times
D0 /1 ROR r/m8,1 3/7 Rotate 8 bits r/m byte right once
D2 /1 ROR r/m8,CL 3/7 Rotate 8 bits r/m byte right CL
times
C0 /1 ib ROR r/m8,imm8 3/7 Rotate 8 bits r/m word right imm8
times
D1 /1 ROR r/m16,1 3/7 Rotate 16 bits r/m word right once
D3 /1 ROR r/m16,CL 3/7 Rotate 16 bits r/m word right CL
times
C1 /1 ib ROR r/m16,imm8 3/7 Rotate 16 bits r/m word right imm8
times
D1 /1 ROR r/m32,1 3/7 Rotate 32 bits r/m dword right once
D3 /1 ROR r/m32,CL 3/7 Rotate 32 bits r/m dword right CL
times
C1 /1 ib ROR r/m32,imm8 3/7 Rotate 32 bits r/m dword right imm8
times
Operation
(* ROL - Rotate Left *)
temp � COUNT;
WHILE (temp <> 0)
DO
tmpcf � high-order bit of (r/m);
r/m � r/m * 2 + (tmpcf);
temp � temp - 1;
OD;
IF COUNT = 1
THEN
IF high-order bit of r/m <> CF
THEN OF � 1;
ELSE OF � 0;
FI;
ELSE OF � undefined;
FI;
(* ROR - Rotate Right *)
temp � COUNT;
WHILE (temp <> 0 )
DO
tmpcf � low-order bit of (r/m);
r/m � r/m / 2 + (tmpcf * 2^(width(r/m)));
temp � temp - 1;
DO;
IF COUNT = 1
THEN
IF (high-order bit of r/m) <> (bit next to high-order bit of r/m)
THEN OF � 1;
ELSE OF � 0;
FI;
ELSE OF � undefined;
FI;
Description
Each rotate instruction shifts the bits of the register or memory operand
given. The left rotate instructions shift all the bits upward, except for
the top bit, which is returned to the bottom. The right rotate instructions
do the reverse: the bits shift downward until the bottom bit arrives at
the top.
For the RCL and RCR instructions, the carry flag is part of the rotated
quantity. RCL shifts the carry flag into the bottom bit and shifts the top
bit into the carry flag; RCR shifts the carry flag into the top bit and
shifts the bottom bit into the carry flag. For the ROL and ROR
instructions, the original value of the carry flag is not a part of the
result, but the carry flag receives a copy of the bit that was shifted from
one end to the other.
The rotate is repeated the number of times indicated by the second
operand, which is either an immediate number or the contents of the CL
register. To reduce the maximum instruction execution time, the 80386
does not allow rotation counts greater than 31. If a rotation count greater
than 31 is attempted, only the bottom five bits of the rotation are used.
The 8086 does not mask rotation counts. The 80386 in Virtual 8086 Mode does
mask rotation counts.
The overflow flag is defined only for the single-rotate forms of the
instructions (second operand = 1). It is undefined in all other cases. For
left shifts/rotates, the CF bit after the shift is XORed with the
high-order result bit. For right shifts/rotates, the high-order two bits of
the result are XORed to get OF.
Flags Affected
OF only for single rotates; OF is undefined for multi-bit rotates; CF as
described above
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
REP/REPE/REPZ/REPNE/REPNZ ÄÄ Repeat Following String Operation
Opcode Instruction Clocks Description
F3 6C REP INS r/m8, DX 13+6*(E)CX,
pm=7+6*(E)CX
If CPL ó IOPL/
27+6*(E)CX
If CPL > IOPL or if in virtual 8086 mode Input (E)CX bytes from port
DX into ES:[(E)DI]
F3 6D REP INS r/m16,DX 13+6*(E)CX,
pm=7+6*(E)CX
If CPL ó IOPL/
27+6*(E)CX
If CPL > IOPL or if in virtual 8086 mode Input (E)CX words from port
DX into ES:[(E)DI]
F3 6D REP INS r/m32,DX 13+6*(E)CX,
pm=7+6*(E)CX
If CPL ó IOPL/
27+6*(E)CX
If CPL > IOPL or if in virtual 8086 mode Input (E)CX dwords from port
DX into ES:[(E)DI]
F3 A4 REP MOVS m8,m8 5+4*(E)CX Move (E)CX bytes from
[(E)SI] to ES:[(E)DI]
F3 A5 REP MOVS m16,m16 5+4*(E)CX Move (E)CX words from
[(E)SI] to ES:[(E)DI]
F3 A5 REP MOVS m32,m32 5+4*(E)CX Move (E)CX dwords from
[(E)SI] to ES:[(E)DI]
F3 6E REP OUTS DX,r/m8 5+12*(E)CX,
pm=6+5*(E)CX
If CPL ó IOPL/
26+5*(E)CX
If CPL > IOPL or if in virtual 8086 mode Output (E)CX bytes from
[(E)SI] to port DX
F3 6F REP OUTS DX,r/m16 5+12*(E)CX,
pm=6+5*(E)CX
If CPL ó IOPL/
26+5*(E)CX
If CPL > IOPL or if in virtual 8086 mode Output (E)CX words from
[(E)SI] to port DX
F3 6F REP OUTS DX,r/m32 5+12*(E)CX,
pm=6+5*(E)CX
If CPL ó IOPL/
26+5*(E)CX
If CPL > IOPL or if in virtual 8086 mode Output (E)CX dwords from
[(E)SI] to port DX
F3 AA REP STOS m8 5+5*(E)CX Fill (E)CX bytes at
ES:[(E)DI] with AL
F3 AB REP STOS m16 5+5*(E)CX Fill (E)CX words at
ES:[(E)DI] with AX
F3 AB REP STOS m32 5+5*(E)CX Fill (E)CX dwords at
ES:[(E)DI] with EAX
F3 A6 REPE CMPS m8,m8 5+9*N Find nonmatching bytes in
ES:[(E)DI] and [(E)SI]
F3 A7 REPE CMPS m16,m16 5+9*N Find nonmatching words in
ES:[(E)DI] and [(E)SI]
F3 A7 REPE CMPS m32,m32 5+9*N Find nonmatching dwords in
ES:[(E)DI] and [(E)SI]
F3 AE REPE SCAS m8 5+8*N Find non-AL byte starting
at ES:[(E)DI]
F3 AF REPE SCAS m16 5+8*N Find non-AX word starting
at ES:[(E)DI]
F3 AF REPE SCAS m32 5+8*N Find non-EAX dword starting
at ES:[(E)DI]
F2 A6 REPNE CMPS m8,m8 5+9*N Find matching bytes in
ES:[(E)DI] and [(E)SI]
F2 A7 REPNE CMPS m16,m16 5+9*N Find matching words in
ES:[(E)DI] and [(E)SI]
F2 A7 REPNE CMPS m32,m32 5+9*N Find matching dwords in
ES:[(E)DI] and [(E)SI]
F2 AE REPNE SCAS m8 5+8*N Find AL, starting at
ES:[(E)DI]
F2 AF REPNE SCAS m16 5+8*N Find AX, starting at
ES:[(E)DI]
F2 AF REPNE SCAS m32 5+8*N Find EAX, starting at
ES:[(E)DI]
Operation
IF AddressSize = 16
THEN use CX for CountReg;
ELSE (* AddressSize = 32 *) use ECX for CountReg;
FI;
WHILE CountReg <> 0
DO
service pending interrupts (if any);
perform primitive string instruction;
CountReg � CountReg - 1;
IF primitive operation is CMPB, CMPW, SCAB, or SCAW
THEN
IF (instruction is REP/REPE/REPZ) AND (ZF=1)
THEN exit WHILE loop
ELSE
IF (instruction is REPNZ or REPNE) AND (ZF=0)
THEN exit WHILE loop;
FI;
FI;
FI;
OD;
Description
REP, REPE (repeat while equal), and REPNE (repeat while not equal)
are prefix that are applied to string operation. Each prefix cause the
string instruction that follows to be repeated the number of times
indicated in the count register or (for REPE and REPNE) until the
indicated condition in the zero flag is no longer met.
Synonymous forms of REPE and REPNE are REPZ and REPNZ,
respectively.
The REP prefixes apply only to one string instruction at a time. To repeat
a block of instructions, use the LOOP instruction or another looping
construct.
The precise action for each iteration is as follows:
1. If the address-size attribute is 16 bits, use CX for the count
register; if the address-size attribute is 32 bits, use ECX for the
count register.
2. Check CX. If it is zero, exit the iteration, and move to the next
instruction.
3. Acknowledge any pending interrupts.
4. Perform the string operation once.
5. Decrement CX or ECX by one; no flags are modified.
6. Check the zero flag if the string operation is SCAS or CMPS. If
the repeat condition does not hold, exit the iteration and move to
the next instruction. Exit the iteration if the prefix is REPE and ZF
is 0 (the last comparison was not equal), or if the prefix is REPNE
and ZF is one (the last comparison was equal).
7. Return to step 1 for the next iteration.
Repeated CMPS and SCAS instructions can be exited if the count is
exhausted or if the zero flag fails the repeat condition. These two cases
can be distinguished by using either the JCXZ instruction, or by using
the conditional jumps that test the zero flag (JZ, JNZ, and JNE).
Flags Affected
ZF by REP CMPS and REP SCAS as described above
Protected Mode Exceptions
list above; further exceptions can be generated when the string operation is
executed; refer to the descriptions of the string instructions themselves
Real Address Mode Exceptions
Interrupt 6 if a repeat prefix is used before an instruction that is not in
the list above; further exceptions can be generated when the string
operation is executed; refer to the descriptions of the string instructions
themselves
Virtual 8086 Mode Exceptions
list above; further exceptions can be generated when the string operation is
executed; refer to the descriptions of the string instructions themselves
Notes
Not all input/output ports can handle the rate at which the REP INS
and REP OUTS instructions execute.
RET ÄÄ Return from Procedure
Opcode Instruction Clocks Description
C3 RET 10+m Return (near) to caller
CB RET 18+m,pm=32+m Return (far) to caller, same
privilege
CB RET pm=68 Return (far), lesser privilege,
switch stacks
C2 iw RET imm16 10+m Return (near), pop imm16 bytes of
parameters
CA iw RET imm16 18+m,pm=32+m Return (far), same privilege, pop
imm16 bytes
CA iw RET imm16 pm=68 Return (far), lesser privilege, pop
imm16 bytes
Operation
IF instruction = near RET
THEN;
IF OperandSize = 16
THEN
IP � Pop();
EIP � EIP AND 0000FFFFH;
ELSE (* OperandSize = 32 *)
EIP � Pop();
FI;
IF instruction has immediate operand THEN eSP � eSP + imm16; FI;
FI;
IF (PE = 0 OR (PE = 1 AND VM = 1))
(* real mode or virtual 8086 mode *)
AND instruction = far RET
THEN;
IF OperandSize = 16
THEN
IP � Pop();
EIP � EIP AND 0000FFFFH;
CS � Pop(); (* 16-bit pop *)
ELSE (* OperandSize = 32 *)
EIP � Pop();
CS � Pop(); (* 32-bit pop, high-order 16-bits discarded *)
FI;
IF instruction has immediate operand THEN eSP � eSP + imm16; FI;
FI;
IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
AND instruction = far RET
THEN
IF OperandSize=32
THEN Third word on stack must be within stack limits else #SS(0);
ELSE Second word on stack must be within stack limits else #SS(0);
FI;
Return selector RPL must be ò CPL ELSE #GP(return selector)
IF return selector RPL = CPL
THEN GOTO SAME-LEVEL;
ELSE GOTO OUTER-PRIVILEGE-LEVEL;
FI;
FI;
SAME-LEVEL:
Return selector must be non-null ELSE #GP(0)
Selector index must be within its descriptor table limits ELSE
#GP(selector)
Descriptor AR byte must indicate code segment ELSE #GP(selector)
IF non-conforming
THEN code segment DPL must equal CPL;
ELSE #GP(selector);
FI;
IF conforming
THEN code segment DPL must be ó CPL;
ELSE #GP(selector);
FI;
Code segment must be present ELSE #NP(selector);
Top word on stack must be within stack limits ELSE #SS(0);
IP must be in code segment limit ELSE #GP(0);
IF OperandSize=32
THEN
Load CS:EIP from stack
Load CS register with descriptor
Increment eSP by 8 plus the immediate offset if it exists
ELSE (* OperandSize=16 *)
Load CS:IP from stack
Load CS register with descriptor
Increment eSP by 4 plus the immediate offset if it exists
FI;
OUTER-PRIVILEGE-LEVEL:
IF OperandSize=32
THEN Top (16+immediate) bytes on stack must be within stack limits
ELSE #SS(0);
ELSE Top (8+immediate) bytes on stack must be within stack limits ELSE
#SS(0);
FI;
Examine return CS selector and associated descriptor:
Selector must be non-null ELSE #GP(0);
Selector index must be within its descriptor table limits ELSE
#GP(selector)
Descriptor AR byte must indicate code segment ELSE #GP(selector);
IF non-conforming
THEN code segment DPL must equal return selector RPL
ELSE #GP(selector);
FI;
IF conforming
THEN code segment DPL must be ó return selector RPL;
ELSE #GP(selector);
FI;
Segment must be present ELSE #NP(selector)
Examine return SS selector and associated descriptor:
Selector must be non-null ELSE #GP(0);
Selector index must be within its descriptor table limits
ELSE #GP(selector);
Selector RPL must equal the RPL of the return CS selector ELSE
#GP(selector);
Descriptor AR byte must indicate a writable data segment ELSE
#GP(selector);
Descriptor DPL must equal the RPL of the return CS selector ELSE
#GP(selector);
Segment must be present ELSE #NP(selector);
IP must be in code segment limit ELSE #GP(0);
Set CPL to the RPL of the return CS selector;
IF OperandMode=32
THEN
Load CS:EIP from stack;
Set CS RPL to CPL;
Increment eSP by 8 plus the immediate offset if it exists;
Load SS:eSP from stack;
ELSE (* OperandMode=16 *)
Load CS:IP from stack;
Set CS RPL to CPL;
Increment eSP by 4 plus the immediate offset if it exists;
Load SS:eSP from stack;
FI;
Load the CS register with the return CS descriptor;
Load the SS register with the return SS descriptor;
For each of ES, FS, GS, and DS
DO
IF the current register setting is not valid for the outer level,
set the register to null (selector � AR � 0);
To be valid, the register setting must satisfy the following
properties:
Selector index must be within descriptor table limits;
Descriptor AR byte must indicate data or readable code segment;
IF segment is data or non-conforming code, THEN
DPL must be ò CPL, or DPL must be ò RPL;
FI;
OD;
Description
RET transfers control to a return address located on the stack. The
address is usually placed on the stack by a CALL instruction, and the
return is made to the instruction that follows the CALL.
The optional numeric parameter to RET gives the number of stack bytes
(OperandMode=16) or words (OperandMode=32) to be released after the return
address is popped. These items are typically used as input parameters to the
procedure called.
For the intrasegment (near) return, the address on the stack is a segment
offset, which is popped into the instruction pointer. The CS register is
unchanged. For the intersegment (far) return, the address on the stack
is a long pointer. The offset is popped first, followed by the selector.
In real mode, CS and IP are loaded directly. In Protected Mode, an
intersegment return causes the processor to check the descriptor
addressed by the return selector. The AR byte of the descriptor must
indicate a code segment of equal or lesser privilege (or greater or equal
numeric value) than the current privilege level. Returns to a lesser
privilege level cause the stack to be reloaded from the value saved beyond
the parameter block.
The DS, ES, FS, and GS segment registers can be set to 0 by the RET
instruction during an interlevel transfer. If these registers refer to
segments that cannot be used by the new privilege level, they are set to
0 to prevent unauthorized access from the new privilege level.
Flags Affected
None
Protected Mode Exceptions
a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would be outside the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
SAHF ÄÄ Store AH into Flags
Opcode Instruction Clocks Description
9E SAHF 3 Store AH into flags SF ZF xx AF xx PF xx CF
Operation
SF:ZF:xx:AF:xx:PF:xx:CF � AH;
Description
SAHF loads the flags listed above with values from the AH register,
from bits 7, 6, 4, 2, and 0, respectively.
Flags Affected
SF, ZF, AF, PF, and CF as described above
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
SAL/SAR/SHL/SHR ÄÄ Shift Instructions
Opcode Instruction Clocks Description
D0 /4 SAL r/m8,1 3/7 Multiply r/m byte by 2, once
D2 /4 SAL r/m8,CL 3/7 Multiply r/m byte by 2, CL times
C0 /4 ib SAL r/m8,imm8 3/7 Multiply r/m byte by 2, imm8
times
D1 /4 SAL r/m16,1 3/7 Multiply r/m word by 2, once
D3 /4 SAL r/m16,CL 3/7 Multiply r/m word by 2, CL times
C1 /4 ib SAL r/m16,imm8 3/7 Multiply r/m word by 2, imm8
times
D1 /4 SAL r/m32,1 3/7 Multiply r/m dword by 2, once
D3 /4 SAL r/m32,CL 3/7 Multiply r/m dword by 2, CL
times
C1 /4 ib SAL r/m32,imm8 3/7 Multiply r/m dword by 2, imm8
times
D0 /7 SAR r/m8,1 3/7 Signed divide^(1) r/m byte by 2,
once
D2 /7 SAR r/m8,CL 3/7 Signed divide^(1) r/m byte by 2,
CL times
C0 /7 ib SAR r/m8,imm8 3/7 Signed divide^(1) r/m byte by 2,
imm8 times
D1 /7 SAR r/m16,1 3/7 Signed divide^(1) r/m word by 2,
once
D3 /7 SAR r/m16,CL 3/7 Signed divide^(1) r/m word by 2,
CL times
C1 /7 ib SAR r/m16,imm8 3/7 Signed divide^(1) r/m word by 2,
imm8 times
D1 /7 SAR r/m32,1 3/7 Signed divide^(1) r/m dword by 2,
once
D3 /7 SAR r/m32,CL 3/7 Signed divide^(1) r/m dword by 2,
CL times
C1 /7 ib SAR r/m32,imm8 3/7 Signed divide^(1) r/m dword by 2,
imm8 times
D0 /4 SHL r/m8,1 3/7 Multiply r/m byte by 2, once
D2 /4 SHL r/m8,CL 3/7 Multiply r/m byte by 2, CL times
C0 /4 ib SHL r/m8,imm8 3/7 Multiply r/m byte by 2, imm8
times
D1 /4 SHL r/m16,1 3/7 Multiply r/m word by 2, once
D3 /4 SHL r/m16,CL 3/7 Multiply r/m word by 2, CL times
C1 /4 ib SHL r/m16,imm8 3/7 Multiply r/m word by 2, imm8
times
D1 /4 SHL r/m32,1 3/7 Multiply r/m dword by 2, once
D3 /4 SHL r/m32,CL 3/7 Multiply r/m dword by 2, CL
times
C1 /4 ib SHL r/m32,imm8 3/7 Multiply r/m dword by 2, imm8
times
D0 /5 SHR r/m8,1 3/7 Unsigned divide r/m byte by 2,
once
D2 /5 SHR r/m8,CL 3/7 Unsigned divide r/m byte by 2,
CL times
C0 /5 ib SHR r/m8,imm8 3/7 Unsigned divide r/m byte by 2,
imm8 times
D1 /5 SHR r/m16,1 3/7 Unsigned divide r/m word by 2,
once
D3 /5 SHR r/m16,CL 3/7 Unsigned divide r/m word by 2,
CL times
C1 /5 ib SHR r/m16,imm8 3/7 Unsigned divide r/m word by 2,
imm8 times
D1 /5 SHR r/m32,1 3/7 Unsigned divide r/m dword by 2,
once
D3 /5 SHR r/m32,CL 3/7 Unsigned divide r/m dword by 2,
CL times
C1 /5 ib SHR r/m32,imm8 3/7 Unsigned divide r/m dword by 2,
imm8 times
Not the same division as IDIV; rounding is toward negative infinity.
Operation
(* COUNT is the second parameter *)
(temp) � COUNT;
WHILE (temp <> 0)
DO
IF instruction is SAL or SHL
THEN CF � high-order bit of r/m;
FI;
IF instruction is SAR or SHR
THEN CF � low-order bit of r/m;
FI;
IF instruction = SAL or SHL
THEN r/m � r/m * 2;
FI;
IF instruction = SAR
THEN r/m � r/m /2 (*Signed divide, rounding toward negative infinity*);
FI;
IF instruction = SHR
THEN r/m � r/m / 2; (* Unsigned divide *);
FI;
temp � temp - 1;
OD;
(* Determine overflow for the various instructions *)
IF COUNT = 1
THEN
IF instruction is SAL or SHL
THEN OF � high-order bit of r/m <> (CF);
FI;
IF instruction is SAR
THEN OF � 0;
FI;
IF instruction is SHR
THEN OF � high-order bit of operand;
FI;
ELSE OF � undefined;
FI;
Description
SAL (or its synonym, SHL) shifts the bits of the operand upward. The
high-order bit is shifted into the carry flag, and the low-order bit is set
to 0.
SAR and SHR shift the bits of the operand downward. The low-order
bit is shifted into the carry flag. The effect is to divide the operand by
2. SAR performs a signed divide with rounding toward negative infinity (not
the same as IDIV); the high-order bit remains the same. SHR performs an
unsigned divide; the high-order bit is set to 0.
The shift is repeated the number of times indicated by the second
operand, which is either an immediate number or the contents of the CL
register. To reduce the maximum execution time, the 80386 does not
allow shift counts greater than 31. If a shift count greater than 31 is
attempted, only the bottom five bits of the shift count are used. (The
8086 uses all eight bits of the shift count.)
The overflow flag is set only if the single-shift forms of the instructions
are used. For left shifts, OF is set to 0 if the high bit of the answer is
the same as the result of the carry flag (i.e., the top two bits of the
original operand were the same); OF is set to 1 if they are different. For
SAR, OF is set to 0 for all single shifts. For SHR, OF is set to the
high-order bit of the original operand.
Flags Affected
OF for single shifts; OF is undefined for multiple shifts; CF, ZF, PF,
and SF as described in Appendix C
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
SBB ÄÄ Integer Subtraction with Borrow
Opcode Instruction Clocks Description
1C ib SBB AL,imm8 2 Subtract with borrow immediate byte
from AL
1D iw SBB AX,imm16 2 Subtract with borrow immediate word
from AX
1D id SBB EAX,imm32 2 Subtract with borrow immediate
dword from EAX
80 /3 ib SBB r/m8,imm8 2/7 Subtract with borrow immediate byte
from r/m byte
81 /3 iw SBB r/m16,imm16 2/7 Subtract with borrow immediate word
from r/m word
81 /3 id SBB r/m32,imm32 2/7 Subtract with borrow immediate
dword from r/m dword
83 /3 ib SBB r/m16,imm8 2/7 Subtract with borrow sign-extended
immediate byte from r/m word
83 /3 ib SBB r/m32,imm8 2/7 Subtract with borrow sign-extended
immediate byte from r/m dword
18 /r SBB r/m8,r8 2/6 Subtract with borrow byte register
from r/m byte
19 /r SBB r/m16,r16 2/6 Subtract with borrow word register
from r/m word
19 /r SBB r/m32,r32 2/6 Subtract with borrow dword register
from r/m dword
1A /r SBB r8,r/m8 2/7 Subtract with borrow byte register
from r/m byte
1B /r SBB r16,r/m16 2/7 Subtract with borrow word register
from r/m word
1B /r SBB r32,r/m32 2/7 Subtract with borrow dword register
from r/m dword
Operation
IF SRC is a byte and DEST is a word or dword
THEN DEST = DEST - (SignExtend(SRC) + CF)
ELSE DEST � DEST - (SRC + CF);
Description
SBB adds the second operand (DEST) to the carry flag (CF) and
subtracts the result from the first operand (SRC). The result of the
subtraction is assigned to the first operand (DEST), and the flags are
set accordingly.
When an immediate byte value is subtracted from a word operand, the
immediate value is first sign-extended.
Flags Affected
OF, SF, ZF, AF, PF, and CF as described in Appendix C
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
SCAS/SCASB/SCASW/SCASD ÄÄ Compare String Data
Opcode Instruction Clocks Description
AE SCAS m8 7 Compare bytes AL-ES:[DI], update (E)DI
AF SCAS m16 7 Compare words AX-ES:[DI], update (E)DI
AF SCAS m32 7 Compare dwords EAX-ES:[DI], update (E)DI
AE SCASB 7 Compare bytes AL-ES:[DI], update (E)DI
AF SCASW 7 Compare words AX-ES:[DI], update (E)DI
AF SCASD 7 Compare dwords EAX-ES:[DI], update (E)DI
Operation
IF AddressSize = 16
THEN use DI for dest-index;
ELSE (* AddressSize = 32 *) use EDI for dest-index;
FI;
IF byte type of instruction
THEN
AL - [dest-index]; (* Compare byte in AL and dest *)
IF DF = 0 THEN IndDec � 1 ELSE IncDec � -1; FI;
ELSE
IF OperandSize = 16
THEN
AX - [dest-index]; (* compare word in AL and dest *)
IF DF = 0 THEN IncDec � 2 ELSE IncDec � -2; FI;
ELSE (* OperandSize = 32 *)
EAX - [dest-index];(* compare dword in EAX & dest *)
IF DF = 0 THEN IncDec � 4 ELSE IncDec � -4; FI;
FI;
FI;
dest-index = dest-index + IncDec
Description
SCAS subtracts the memory byte or word at the destination register from
the AL, AX or EAX register. The result is discarded; only the flags are set.
The operand must be addressable from the ES segment; no segment override is
possible.
If the address-size attribute for this instruction is 16 bits, DI is used
as the destination register; otherwise, the address-size attribute is 32
bits and EDI is used.
The address of the memory data being compared is determined solely by the
contents of the destination register, not by the operand to SCAS. The
operand validates ES segment addressability and determines the data type.
Load the correct index value into DI or EDI before executing SCAS.
After the comparison is made, the destination register is automatically
updated. If the direction flag is 0 (CLD was executed), the destination
register is incremented; if the direction flag is 1 (STD was executed), it
is decremented. The increments or decrements are by 1 if bytes are compared,
by 2 if words are compared, or by 4 if doublewords are compared.
SCASB, SCASW, and SCASD are synonyms for the byte, word and
doubleword SCAS instructions that don't require operands. They are
simpler to code, but provide no type or segment checking.
SCAS can be preceded by the REPE or REPNE prefix for a block search
of CX or ECX bytes or words. Refer to the REP instruction for further
details.
Flags Affected
OF, SF, ZF, AF, PF, and CF as described in Appendix C
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
SETcc ÄÄ Byte Set on Condition
Opcode Instruction Clocks Description
0F 97 SETA r/m8 4/5 Set byte if above (CF=0 and ZF=0)
0F 93 SETAE r/m8 4/5 Set byte if above or equal (CF=0)
0F 92 SETB r/m8 4/5 Set byte if below (CF=1)
0F 96 SETBE r/m8 4/5 Set byte if below or equal (CF=1 or (ZF=1)
0F 92 SETC r/m8 4/5 Set if carry (CF=1)
0F 94 SETE r/m8 4/5 Set byte if equal (ZF=1)
0F 9F SETG r/m8 4/5 Set byte if greater (ZF=0 or SF=OF)
0F 9D SETGE r/m8 4/5 Set byte if greater or equal (SF=OF)
0F 9C SETL r/m8 4/5 Set byte if less (SF<>OF)
0F 9E SETLE r/m8 4/5 Set byte if less or equal (ZF=1 and
SF<>OF)
0F 96 SETNA r/m8 4/5 Set byte if not above (CF=1)
0F 92 SETNAE r/m8 4/5 Set byte if not above or equal (CF=1)
0F 93 SETNB r/m8 4/5 Set byte if not below (CF=0)
0F 97 SETNBE r/m8 4/5 Set byte if not below or equal (CF=0 and
ZF=0)
0F 93 SETNC r/m8 4/5 Set byte if not carry (CF=0)
0F 95 SETNE r/m8 4/5 Set byte if not equal (ZF=0)
0F 9E SETNG r/m8 4/5 Set byte if not greater (ZF=1 or SF<>OF)
0F 9C SETNGE r/m8 4/5 Set if not greater or equal (SF<>OF)
0F 9D SETNL r/m8 4/5 Set byte if not less (SF=OF)
0F 9F SETNLE r/m8 4/5 Set byte if not less or equal (ZF=1 and
SF<>OF)
0F 91 SETNO r/m8 4/5 Set byte if not overflow (OF=0)
0F 9B SETNP r/m8 4/5 Set byte if not parity (PF=0)
0F 99 SETNS r/m8 4/5 Set byte if not sign (SF=0)
0F 95 SETNZ r/m8 4/5 Set byte if not zero (ZF=0)
0F 90 SETO r/m8 4/5 Set byte if overflow (OF=1)
0F 9A SETP r/m8 4/5 Set byte if parity (PF=1)
0F 9A SETPE r/m8 4/5 Set byte if parity even (PF=1)
0F 9B SETPO r/m8 4/5 Set byte if parity odd (PF=0)
0F 98 SETS r/m8 4/5 Set byte if sign (SF=1)
0F 94 SETZ r/m8 4/5 Set byte if zero (ZF=1)
Operation
IF condition THEN r/m8 � 1 ELSE r/m8 � 0; FI;
Description
SETcc stores a byte at the destination specified by the effective address
or register if the condition is met, or a 0 byte if the condition is not
met.
Flags Affected
None
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
SGDT/SIDT ÄÄ Store Global/Interrupt Descriptor Table Register
Opcode Instruction Clocks Description
0F 01 /0 SGDT m 9 Store GDTR to m
0F 01 /1 SIDT m 9 Store IDTR to m
Operation
DEST � 48-bit BASE/LIMIT register contents;
Description
SGDT/SIDT copies the contents of the descriptor table register the six
bytes of memory indicated by the operand. The LIMIT field of the
register is assigned to the first word at the effective address. If the
operand-size attribute is 32 bits, the next three bytes are assigned the
BASE field of the register, and the fourth byte is written with zero. The
last byte is undefined. Otherwise, if the operand-size attribute is 16
bits, the next four bytes are assigned the 32-bit BASE field of the
register.
SGDT and SIDT are used only in operating system software; they are
not used in application programs.
Flags Affected
None
Protected Mode Exceptions
Interrupt 6 if the destination operand is a register; #GP(0) if the
destination is in a nonwritable segment; #GP(0) for an illegal memory
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for
an illegal address in the SS segment; #PF(fault-code) for a page fault
Real Address Mode Exceptions
Interrupt 6 if the destination operand is a register; Interrupt 13 if any
part of the operand would lie outside of the effective address space from
0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
Compatability Note
The 16-bit forms of the SGDT/SIDT instructions are compatible with
the 80286, if the value in the upper eight bits is not referenced. The
80286 stores 1's in these upper bits, whereas the 80386 stores 0's if the
operand-size attribute is 16 bits. These bits were specified as undefined
by the SGDT/SIDT instructions in the iAPX 286 Programmer's
Reference Manual.
SHLD ÄÄ Double Precision Shift Left
Opcode Instruction Clocks Description
0F A4 SHLD r/m16,r16,imm8 3/7 r/m16 gets SHL of r/m16 concatenated
with r16
0F A4 SHLD r/m32,r32,imm8 3/7 r/m32 gets SHL of r/m32 concatenated
with r32
0F A5 SHLD r/m16,r16,CL 3/7 r/m16 gets SHL of r/m16 concatenated
with r16
0F A5 SHLD r/m32,r32,CL 3/7 r/m32 gets SHL of r/m32 concatenated
with r32
Operation
(* count is an unsigned integer corresponding to the last operand of the
instruction, either an immediate byte or the byte in register CL *)
ShiftAmt � count MOD 32;
inBits � register; (* Allow overlapped operands *)
IF ShiftAmt = 0
THEN no operation
ELSE
IF ShiftAmt ò OperandSize
THEN (* Bad parameters *)
r/m � UNDEFINED;
CF, OF, SF, ZF, AF, PF � UNDEFINED;
ELSE (* Perform the shift *)
CF � BIT[Base, OperandSize - ShiftAmt];
(* Last bit shifted out on exit *)
FOR i � OperandSize - 1 DOWNTO ShiftAmt
DO
BIT[Base, i] � BIT[Base, i - ShiftAmt];
OF;
FOR i � ShiftAmt - 1 DOWNTO 0
DO
BIT[Base, i] � BIT[inBits, i - ShiftAmt + OperandSize];
OD;
Set SF, ZF, PF (r/m);
(* SF, ZF, PF are set according to the value of the result *)
AF � UNDEFINED;
FI;
FI;
Description
SHLD shifts the first operand provided by the r/m field to the left as
many bits as specified by the count operand. The second operand (r16 or r32)
provides the bits to shift in from the right (starting with bit 0). The
result is stored back into the r/m operand. The register remains unaltered.
The count operand is provided by either an immediate byte or the contents
of the CL register. These operands are taken MODULO 32 to provide a number
between 0 and 31 by which to shift. Because the bits to shift are provided
by the specified registers, the operation is useful for multiprecision
shifts (64 bits or more). The SF, ZF and PF flags are set according to the
value of the result. CS is set to the value of the last bit shifted out. OF
and AF are left undefined.
Flags Affected
OF, SF, ZF, PF, and CF as described above; AF and OF are undefined
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
SHRD ÄÄ Double Precision Shift Right
Opcode Instruction Clocks Description
0F AC SHRD r/m16,r16,imm8 3/7 r/m16 gets SHR of r/m16 concatenated
with r16
0F AC SHRD r/m32,r32,imm8 3/7 r/m32 gets SHR of r/m32 concatenated
with r32
0F AD SHRD r/m16,r16,CL 3/7 r/m16 gets SHR of r/m16 concatenated
with r16
0F AD SHRD r/m32,r32,CL 3/7 r/m32 gets SHR of r/m32 concatenated
with r32
Operation
(* count is an unsigned integer corresponding to the last operand of the
instruction, either an immediate byte or the byte in register CL *)
ShiftAmt � count MOD 32;
inBits � register; (* Allow overlapped operands *)
IF ShiftAmt = 0
THEN no operation
ELSE
IF ShiftAmt ò OperandSize
THEN (* Bad parameters *)
r/m � UNDEFINED;
CF, OF, SF, ZF, AF, PF � UNDEFINED;
ELSE (* Perform the shift *)
CF � BIT[r/m, ShiftAmt - 1]; (* last bit shifted out on exit *)
FOR i � 0 TO OperandSize - 1 - ShiftAmt
DO
BIT[r/m, i] � BIT[r/m, i - ShiftAmt];
OD;
FOR i � OperandSize - ShiftAmt TO OperandSize - 1
DO
BIT[r/m,i] � BIT[inBits,i+ShiftAmt - OperandSize];
OD;
Set SF, ZF, PF (r/m);
(* SF, ZF, PF are set according to the value of the result *)
Set SF, ZF, PF (r/m);
AF � UNDEFINED;
FI;
FI;
Description
SHRD shifts the first operand provided by the r/m field to the right as many
bits as specified by the count operand. The second operand (r16 or r32)
provides the bits to shift in from the left (starting with bit 31). The
result is stored back into the r/m operand. The register remains unaltered.
The count operand is provided by either an immediate byte or the contents
of the CL register. These operands are taken MODULO 32 to provide a number
between 0 and 31 by which to shift. Because the bits to shift are provided
by the specified register, the operation is useful for multi-precision
shifts (64 bits or more). The SF, ZF and PF flags are set according to the
value of the result. CS is set to the value of the last bit shifted out. OF
and AF are left undefined.
Flags Affected
OF, SF, ZF, PF, and CF as described above; AF and OF are undefined
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
SLDT ÄÄ Store Local Descriptor Table Register
Opcode Instruction Clocks Description
0F 00 /0 SLDT r/m16 pm=2/2 Store LDTR to EA word
Operation
r/m16 � LDTR;
Description
SLDT stores the Local Descriptor Table Register (LDTR) in the two-byte
register or memory location indicated by the effective address operand.
This register is a selector that points into the Global Descriptor Table.
SLDT is used only in operating system software. It is not used in
application programs.
Flags Affected
None
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 6; SLDT is not recognized in Real Address Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
Notes
The operand-size attribute has no effect on the operation of the
instruction.
SMSW ÄÄ Store Machine Status Word
Opcode Instruction Clocks Description
0F 01 /4 SMSW r/m16 2/3,pm=2/2 Store machine status word to EA
word
Operation
r/m16 � MSW;
Description
SMSW stores the machine status word (part of CR0) in the two-byte register
or memory location indicated by the effective address operand.
Flags Affected
None
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
Notes
This instruction is provided for compatibility with the 80286; 80386
programs should use MOV ..., CR0.
STC ÄÄ Set Carry Flag
Opcode Instruction Clocks Description
F9 STC 2 Set carry flag
Operation
CF � 1;
Description
STC sets the carry flag to 1.
Flags Affected
CF = 1
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
STD ÄÄ Set Direction Flag
Opcode Instruction Clocks Description
FD STD 2 Set direction flag so (E)SI and/or (E)DI
decrement
Operation
DF � 1;
Description
STD sets the direction flag to 1, causing all subsequent string operations
to decrement the index registers, (E)SI and/or (E)DI, on which they
operate.
Flags Affected
DF = 1
Protected Mode Exceptions
None
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
STI ÄÄ Set Interrupt Flag
Opcode Instruction Clocks Description
F13 STI 3 Set interrupt flag; interrupts enabled at the
end of the next instruction
Operation
IF � 1
Description
STI sets the interrupt flag to 1. The 80386 then responds to external
interrupts after executing the next instruction if the next instruction
allows the interrupt flag to remain enabled. If external interrupts are
disabled and you code STI, RET (such as at the end of a subroutine),
the RET is allowed to execute before external interrupts are recognized.
Also, if external interrupts are disabled and you code STI, CLI, then
external interrupts are not recognized because the CLI instruction clears
the interrupt flag during its execution.
Flags Affected
IF = 1
Protected Mode Exceptions
the I/O privilege level
Real Address Mode Exceptions
None
Virtual 8086 Mode Exceptions
None
STOS/STOSB/STOSW/STOSD ÄÄ Store String Data
Opcode Instruction Clocks Description
AA STOS m8 4 Store AL in byte ES:[(E)DI], update (E)DI
AB STOS m16 4 Store AX in word ES:[(E)DI], update (E)DI
AB STOS m32 4 Store EAX in dword ES:[(E)DI], update (E)DI
AA STOSB 4 Store AL in byte ES:[(E)DI], update (E)DI
AB STOSW 4 Store AX in word ES:[(E)DI], update (E)DI
AB STOSD 4 Store EAX in dword ES:[(E)DI], update (E)DI
Operation
IF AddressSize = 16
THEN use ES:DI for DestReg
ELSE (* AddressSize = 32 *) use ES:EDI for DestReg;
FI;
IF byte type of instruction
THEN
(ES:DestReg) � AL;
IF DF = 0
THEN DestReg � DestReg + 1;
ELSE DestReg � DestReg - 1;
FI;
ELSE IF OperandSize = 16
THEN
(ES:DestReg) � AX;
IF DF = 0
THEN DestReg � DestReg + 2;
ELSE DestReg � DestReg - 2;
FI;
ELSE (* OperandSize = 32 *)
(ES:DestReg) � EAX;
IF DF = 0
THEN DestReg � DestReg + 4;
ELSE DestReg � DestReg - 4;
FI;
FI;
FI;
Description
STOS transfers the contents of all AL, AX, or EAX register to the memory
byte or word given by the destination register relative to the ES segment.
The destination register is DI for an address-size attribute of 16 bits or
EDI for an address-size attribute of 32 bits.
The destination operand must be addressable from the ES register. A segment
override is not possible.
The address of the destination is determined by the contents of the
destination register, not by the explicit operand of STOS. This operand is
used only to validate ES segment addressability and to determine the data
type. Load the correct index value into the destination register before
executing STOS.
After the transfer is made, DI is automatically updated. If the direction
flag is 0 (CLD was executed), DI is incremented; if the direction flag is
1 (STD was executed), DI is decremented. DI is incremented or decremented by
1 if a byte is stored, by 2 if a word is stored, or by 4 if a doubleword is
stored.
STOSB, STOSW, and STOSD are synonyms for the byte, word, and doubleword STOS
instructions, that do not require an operand. They are simpler to use, but
provide no type or segment checking.
STOS can be preceded by the REP prefix for a block fill of CX or ECX bytes,
words, or doublewords. Refer to the REP instruction for further details.
Flags Affected
None
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
STR ÄÄ Store Task Register
Opcode Instruction Clocks Description
0F 00 /1 STR r/m16 pm=23/27 Load EA word into task register
Operation
r/m � task register;
Description
The contents of the task register are copied to the two-byte register or
memory location indicated by the effective address operand.
STR is used only in operating system software. It is not used in application
programs.
Flags Affected
None
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 6; STR is not recognized in Real Address Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode
Notes
The operand-size attribute has no effect on this instruction.
SUB ÄÄ Integer Subtraction
Opcode Instruction Clocks Description
2C ib SUB AL,imm8 2 Subtract immediate byte from AL
2D iw SUB AX,imm16 2 Subtract immediate word from AX
2D id SUB EAX,imm32 2 Subtract immediate dword from EAX
80 /5 ib SUB r/m8,imm8 2/7 Subtract immediate byte from r/m byte
81 /5 iw SUB r/m16,imm16 2/7 Subtract immediate word from r/m word
81 /5 id SUB r/m32,imm32 2/7 Subtract immediate dword from r/m
dword
83 /5 ib SUB r/m16,imm8 2/7 Subtract sign-extended immediate byte
from r/m word
83 /5 ib SUB r/m32,imm8 2/7 Subtract sign-extended immediate byte
from r/m dword
28 /r SUB r/m8,r8 2/6 Subtract byte register from r/m byte
29 /r SUB r/m16,r16 2/6 Subtract word register from r/m word
29 /r SUB r/m32,r32 2/6 Subtract dword register from r/m
dword
2A /r SUB r8,r/m8 2/7 Subtract byte register from r/m byte
2B /r SUB r16,r/m16 2/7 Subtract word register from r/m word
2B /r SUB r32,r/m32 2/7 Subtract dword register from r/m
dword
Operation
IF SRC is a byte and DEST is a word or dword
THEN DEST = DEST - SignExtend(SRC);
ELSE DEST � DEST - SRC;
FI;
Description
SUB subtracts the second operand (SRC) from the first operand (DEST). The
first operand is assigned the result of the subtraction, and the flags are
set accordingly.
When an immediate byte value is subtracted from a word operand, the
immediate value is first sign-extended to the size of the destination
operand.
Flags Affected
OF, SF, ZF, AF, PF, and CF as described in Appendix C
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
TEST ÄÄ Logical Compare
Opcode Instruction Clocks Description
A8 ib TEST AL,imm8 2 AND immediate byte with AL
A9 iw TEST AX,imm16 2 AND immediate word with AX
A9 id TEST EAX,imm32 2 AND immediate dword with EAX
F6 /0 ib TEST r/m8,imm8 2/5 AND immediate byte with r/m byte
F7 /0 iw TEST r/m16,imm16 2/5 AND immediate word with r/m word
F7 /0 id TEST r/m32,imm32 2/5 AND immediate dword with r/m dword
84 /r TEST r/m8,r8 2/5 AND byte register with r/m byte
85 /r TEST r/m16,r16 2/5 AND word register with r/m word
85 /r TEST r/m32,r32 2/5 AND dword register with r/m dword
Operation
DEST : = LeftSRC AND RightSRC;
CF � 0;
OF � 0;
Description
TEST computes the bit-wise logical AND of its two operands. Each bit
of the result is 1 if both of the corresponding bits of the operands are 1;
otherwise, each bit is 0. The result of the operation is discarded and only
the flags are modified.
Flags Affected
OF = 0, CF = 0; SF, ZF, and PF as described in Appendix C
Protected Mode Exceptions
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
VERR, VERW ÄÄ Verify a Segment for Reading or Writing
Opcode Instruction Clocks Description
0F 00 /4 VERR r/m16 pm=10/11 Set ZF=1 if segment can be read,
selector in r/m16
0F 00 /5 VERW r/m16 pm=15/16 Set ZF=1 if segment can be written,
selector in r/m16
Operation
IF segment with selector at (r/m) is accessible
with current protection level
AND ((segment is readable for VERR) OR
(segment is writable for VERW))
THEN ZF � 0;
ELSE ZF � 1;
FI;
Description
The two-byte register or memory operand of VERR and VERW contains
the value of a selector. VERR and VERW determine whether the
segment denoted by the selector is reachable from the current privilege
level and whether the segment is readable (VERR) or writable (VERW).
If the segment is accessible, the zero flag is set to 1; if the segment is
not accessible, the zero flag is set to 0. To set ZF, the following
conditions must be met:
þ The selector must denote a descriptor within the bounds of the table
(GDT or LDT); the selector must be "defined."
þ The selector must denote the descriptor of a code or data segment
(not that of a task state segment, LDT, or a gate).
þ For VERR, the segment must be readable. For VERW, the segment
must be a writable data segment.
þ If the code segment is readable and conforming, the descriptor
privilege level (DPL) can be any value for VERR. Otherwise, the
DPL must be greater than or equal to (have less or the same
privilege as) both the current privilege level and the selector's RPL.
The validation performed is the same as if the segment were loaded into
DS, ES, FS, or GS, and the indicated access (read or write) were
performed. The zero flag receives the result of the validation. The
selector's value cannot result in a protection exception, enabling the
software to anticipate possible segment access problems.
Flags Affected
ZF as described above
Protected Mode Exceptions
Faults generated by illegal addressing of the memory operand that
contains the selector, the selector is not loaded into any segment
register, and no faults attributable to the selector operand are generated
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 6; VERR and VERW are not recognized in Real Address Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
WAIT ÄÄ Wait until BUSY# Pin is Inactive (HIGH)
Opcode Instruction Clocks Description
9B WAIT 6 min. Wait until BUSY pin is inactive (HIGH)
Description
WAIT suspends execution of 80386 instructions until the BUSY# pin is
inactive (high). The BUSY# pin is driven by the 80287 numeric processor
extension.
Flags Affected
None
Protected Mode Exceptions
of register CR0) is set; #MF if the ERROR# input pin is asserted (i.e., the
80287 has detected an unmasked numeric error)
Real Address Mode Exceptions
Same exceptions as in Protected Mode
Virtual 8086 Mode Exceptions
Same exceptions as in Protected Mode
XCHG ÄÄ Exchange Register/Memory with Register
Opcode Instruction Clocks Description
90 + r XCHG AX,r16 3 Exchange word register with AX
90 + r XCHG r16,AX 3 Exchange word register with AX
90 + r XCHG EAX,r32 3 Exchange dword register with EAX
90 + r XCHG r32,EAX 3 Exchange dword register with EAX
86 /r XCHG r/m8,r8 3 Exchange byte register with EA byte
86 /r XCHG r8,r/m8 3/5 Exchange byte register with EA byte
87 /r XCHG r/m16,r16 3 Exchange word register with EA word
87 /r XCHG r16,r/m16 3/5 Exchange word register with EA word
87 /r XCHG r/m32,r32 3 Exchange dword register with EA dword
87 /r XCHG r32,r/m32 3/5 Exchange dword register with EA dword
Operation
temp � DEST
DEST � SRC
SRC � temp
Description
XCHG exchanges two operands. The operands can be in either order. If a
memory operand is involved, BUS LOCK is asserted for the duration of the
exchange, regardless of the presence or absence of the LOCK prefix or of the
value of the IOPL.
Flags Affected
None
Protected Mode Exceptions
illegal memory operand effective address in the CS, DS, ES, FS, or GS
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code)
for a page fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
XLAT/XLATB ÄÄ Table Look-up Translation
D7 XLAT m8 5 Set AL to memory byte DS:[(E)BX + unsigned AL]
D7 XLATB 5 Set AL to memory byte DS:[(E)BX + unsigned AL]
Operation
IF AddressSize = 16
THEN
AL � (BX + ZeroExtend(AL))
ELSE (* AddressSize = 32 *)
AL � (EBX + ZeroExtend(AL));
FI;
Description
XLAT changes the AL register from the table index to the table entry. AL
should be the unsigned index into a table addressed by DS:BX (for an
address-size attribute of 16 bits) or DS:EBX (for an address-size attribute
of 32 bits).
The operand to XLAT allows for the possibility of a segment override. XLAT
uses the contents of BX even if they differ from the offset of the operand.
The offset of the operand should have been moved intoBX/EBX with a previous
instruction.
The no-operand form, XLATB, can be used if the BX/EBX table will always
reside in the DS segment.
Flags Affected
None
Protected Mode Exceptions
FS, or GS segments; #SS(0) for an illegal address in the SS segment;
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault
XOR ÄÄ Logical Exclusive OR
Opcode Instruction Clocks Description
34 ib XOR AL,imm8 2 Exclusive-OR immediate byte to AL
35 iw XOR AX,imm16 2 Exclusive-OR immediate word to AX
35 id XOR EAX,imm32 2 Exclusive-OR immediate dword to EAX
80 /6 ib XOR r/m8,imm8 2/7 Exclusive-OR immediate byte to r/m
byte
81 /6 iw XOR r/m16,imm16 2/7 Exclusive-OR immediate word to r/m
word
81 /6 id XOR r/m32,imm32 2/7 Exclusive-OR immediate dword to r/m
dword
83 /6 ib XOR r/m16,imm8 2/7 XOR sign-extended immediate byte
with r/m word
83 /6 ib XOR r/m32,imm8 2/7 XOR sign-extended immediate byte
with r/m dword
30 /r XOR r/m8,r8 2/6 Exclusive-OR byte register to r/m
byte
31 /r XOR r/m16,r16 2/6 Exclusive-OR word register to r/m
word
31 /r XOR r/m32,r32 2/6 Exclusive-OR dword register to r/m
dword
32 /r XOR r8,r/m8 2/7 Exclusive-OR byte register to r/m
byte
33 /r XOR r16,r/m16 2/7 Exclusive-OR word register to r/m
word
33 /r XOR r32,r/m32 2/7 Exclusive-OR dword register to r/m
dword
Operation
DEST � LeftSRC XOR RightSRC
CF � 0
OF � 0
Description
XOR computes the exclusive OR of the two operands. Each bit of the result
is 1 if the corresponding bits of the operands are different; each bit is 0
if the corresponding bits are the same. The answer replaces the first
operand.
Flags Affected
CF = 0, OF = 0; SF, ZF, and PF as described in Appendix C; AF is undefined
Protected Mode Exceptions
memory operand effective address in the CS, DS, ES, FS, or GS segments;
fault
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective
address space from 0 to 0FFFFH
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page
fault
Appendix A Opcode Map
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The opcode tables that follow aid in interpreting 80386 object code. Use
the high-order four bits of the opcode as an index to a row of the opcode
table; use the low-order four bits as an index to a column of the table. If
the opcode is 0FH, refer to the two-byte opcode table and use the second
byte of the opcode to index the rows and columns of that table.
Key to Abbreviations
Operands are identified by a two-character code of the form Zz. The first
character, an uppercase letter, specifies the addressing method; the second
character, a lowercase letter, specifies the type of operand.
Codes for Addressing Method
A Direct address; the instruction has no modR/M byte; the address of the
operand is encoded in the instruction; no base register, index register,
or scaling factor can be applied; e.g., far JMP (EA).
C The reg field of the modR/M byte selects a control register; e.g., MOV
(0F20, 0F22).
D The reg field of the modR/M byte selects a debug register; e.g., MOV
(0F21,0F23).
E A modR/M byte follows the opcode and specifies the operand. The operand
is either a general register or a memory address. If it is a memory
address, the address is computed from a segment register and any of the
following values: a base register, an index register, a scaling factor,
a displacement.
F Flags Register.
G The reg field of the modR/M byte selects a general register; e.g., ADD
(00).
I Immediate data. The value of the operand is encoded in subsequent bytes
of the instruction.
J The instruction contains a relative offset to be added to the
instruction pointer register; e.g., JMP short, LOOP.
M The modR/M byte may refer only to memory; e.g., BOUND, LES, LDS, LSS,
LFS, LGS.
O The instruction has no modR/M byte; the offset of the operand is coded as
a word or double word (depending on address size attribute) in the
instruction. No base register, index register, or scaling factor can be
applied; e.g., MOV (A0-A3).
R The mod field of the modR/M byte may refer only to a general register;
e.g., MOV (0F20-0F24, 0F26).
S The reg field of the modR/M byte selects a segment register; e.g., MOV
(8C,8E).
T The reg field of the modR/M byte selects a test register; e.g., MOV
(0F24,0F26).
X Memory addressed by DS:SI; e.g., MOVS, COMPS, OUTS, LODS, SCAS.
Y Memory addressed by ES:DI; e.g., MOVS, CMPS, INS, STOS.
Codes for Operant Type
a Two one-word operands in memory or two double-word operands in memory,
depending on operand size attribute (used only by BOUND).
b Byte (regardless of operand size attribute)
c Byte or word, depending on operand size attribute.
d Double word (regardless of operand size attribute)
p 32-bit or 48-bit pointer, depending on operand size attribute.
s Six-byte pseudo-descriptor
v Word or double word, depending on operand size attribute.
w Word (regardless of operand size attribute)
Register Codes
When an operand is a specific register encoded in the opcode, the register
is identified by its name; e.g., AX, CL, or ESI. The name of the register
indicates whether the register is 32-, 16-, or 8-bits wide. A register
identifier of the form eXX is used when the width of the register depends on
the operand size attribute; for example, eAX indicates that the AX register
is used when the operand size attribute is 16 and the EAX register is used
when the operand size attribute is 32.
One-Byte Opcode Map
0 1 2 3 4 5 6 7 8 9 A B C D E F
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍ»
º ADD ³ PUSH ³ POP ³ OR ³ PUSH ³ 2-byte º
0ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ º
º Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ AL,Ib ³ eAX,Iv ³ ES ³ ES ³ Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ AL,Ib ³ eAX,Iv ³ CS ³ escape º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ADC ³ PUSH ³ POP ³ SBB ³ PUSH ³ POP º
1ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ º
º Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ AL,Ib ³ eAX,Iv ³ SS ³ SS ³ Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ AL,Ib ³ eAX,Iv ³ DS ³ DS º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º AND ³ SEG ³ ³ SUB ³ SEG ³ º
2ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ DAA ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ DAS º
º Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ AL,Ib ³ eAX,Iv ³ =ES ³ ³ Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ AL,Ib ³ eAX,Iv ³ =CS ³ º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º XOR ³ SEG ³ ³ CMP ³ SEG ³ º
3ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ AAA ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ AAS º
º Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ AL,Ib ³ eAX,Iv ³ =SS ³ ³ Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ AL,Ib ³ eAX,Iv ³ =CS ³ º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍ͹
º INC general register ³ DEC general register º
4ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄĶ
º eAX ³ eCX ³ eDX ³ eBX ³ eSP ³ eBP ³ eSI ³ eDI ³ eAX ³ eCX ³ eDX ³ eBX ³ eSP ³ eBP ³ eSI ³ eDI º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍ͹
º PUSH general register ³ POP into general register º
5ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄĶ
º eAX ³ eCX ³ eDX ³ eBX ³ eSP ³ eBP ³ eSI ³ eDI ³ eAX ³ eCX ³ eDX ³ eBX ³ eSP ³ eBP ³ eSI ³ eDI º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ BOUND ³ ARPL ³ SEG ³ SEG ³ Operand³ Address³ PUSH ³ IMUL ³ PUSH ³ IMUL ³ INSB ³ INSW/D ³ OUTSB ³OUTSW/D º
6º PUSHA ³ POPA ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ Gv,Ma ³ Ew,Rw ³ =FS ³ =GS ³ Size ³ Size ³ Ib ³ GvEvIv ³ Ib ³ GvEvIv ³ Yb,DX ³ Yb,DX ³ Dx,Xb ³ DX,Xv º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍ͹
º Short displacement jump of condition (Jb) ³ Short-displacement jump on condition(Jb) º
7ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄĶ
º JO ³ JNO ³ JB ³ JNB ³ JZ ³ JNZ ³ JBE ³ JNBE ³ JS ³ JNS ³ JP ³ JNP ³ JL ³ JNL ³ JLE ³ JNLE º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º Immediate Grpl ³ ³ Grpl ³ TEST ³ XCNG ³ MOV ³ MOV ³ LEA ³ MOV ³ POP º
8ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ ³ ³ º
º Eb,Ib ³ Ev,Iv ³ ³ Ev,Iv ³ Eb,Gb ³ Ev,Gv ³ Eb,Gb ³ Ev,Gv ³ Eb,Gb ³ Ev,Gv ³ Gb,Eb ³ Gv,Ev ³ Ew,Sw ³ Gv,M ³ Sw,Ew ³ Ev º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ XCHG word or double-word register with eAX ³ ³ ³ CALL ³ ³ PUSHF ³ POPF ³ ³ º
9º NOP ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄ´ CBW ³ CWD ³ ³ WAIT ³ ³ ³ SAHF ³ LAHF º
º ³ eCX ³ eDX ³ eBX ³ eSP ³ eBP ³ eSI ³ eDI ³ ³ ³ Ap ³ ³ Fv ³ Fv ³ ³ º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º MOV ³ MOVSB ³ MOVSW/D ³ CMPSB ³CMPSW/D ³ TEST ³ STOSB ³ STOSW/D ³ LODSB ³ LODSW/D ³ SCASB ³SCASW/D º
AÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ ³ ³ ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ ³ ³ ³ ³ º
º AL,Ob ³ eAX,Ov ³ Ob,AL ³ Ov,eAX ³ Xb,Yb ³ Xv,Yv ³ Xb,Yb ³ Xv,Yv ³ AL,Ib ³ eAX,Iv ³ Yb,AL ³ Yv,eAX ³ AL,Xb ³ eAX,Xv ³ AL,Xb ³eAX,Xv º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍ͹
º MOV immediate byte into byte register ³ MOV immediate word or double into word or double register º
BÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄĶ
º AL ³ CL ³ DL ³ BL ³ AH ³ CH ³ DH ³ BH ³ eAX ³ eCX ³ eDX ³ eBX ³ eSP ³ eBP ³ eSI ³ eDI º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º Shift Grp2 ³ RET near ³ LES ³ LDS ³ MOV ³ ENTER ³ ³ RET far ³ INT ³ INT ³ ³ º
CÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ ÃÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄ´ ³ LEAVE ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ ³ ³ INTO ³ IRET º
º Eb,Ib ³ Ev,Iv ³ Iw ³ ³ Gv,Mp ³ Gv,Mp ³ Eb,Ib ³ Ev,Iv ³ Iw,Ib ³ ³ Iw ³ ³ 3 ³ Ib ³ ³ º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍ͹
º Shift Grp2 ³ ³ ³ ³ ³ º
DÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄ´ AAM ³ AAD ³ ³ XLAT ³ ESC(Escape to coprocessor instruction set) º
º Eb,1 ³ Ev,1 ³ Eb,CL ³ Ev,CL ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹
º LOOPNE ³ LOOPE ³ LOOP ³ JCXZ ³ IN ³ OUT ³ CALL ³ JNP ³ IN ³ OUT º
Eº ³ ³ ³ ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄĶ
º Jb ³ Jb ³ Jb ³ Jb ³ AL,Ib ³ eAX,Ib ³ Ib,AL ³ Ib,eAX ³ Av ³ Jv ³ Ap ³ Jb ³ AL,DX ³ eAX,DX ³ DX,AL ³ DX,eAX º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ REP ³ ³ ³ Unary Grp3 ³ ³ ³ ³ ³ ³ ³INC/DEC ³Indirct º
Fº LOCK ³ ³ REPNE ³ ³ HLT ³ CMC ÃÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄ´ CLC ³ STC ³ CLI ³ STI ³ CLD ³ STD ³ ³ º
º ³ ³ ³ REPE ³ ³ ³ Eb ³ Ev ³ ³ ³ ³ ³ ³ ³ Grp4 ³ Grp5 º
ÈÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍͼ
Two-Byte Opcode Map (first byte is 0FH)
0 1 2 3 4 5 6 7 8 9 A B C D E F
ÉÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍ»
º ³ ³ LAR ³ LSL ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
0º Grp6 ³ Grp7 ³ ³ ³ ³ ³ CLTS ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ Gw,Ew ³ Gv,Ew ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
1º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º MOV ³ MOV ³ MOV ³ MOV ³ MOV ³ ³ MOV ³ ³ ³ ³ ³ ³ ³ ³ ³ º
2º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º Cd,Rd ³ Dd,Rd ³ Rd,Cd ³ Rd,Dd ³ Td,Rd ³ ³ Rd,Td ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
3º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
4º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
5º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
6º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
7º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍ͹
º Long-displacement jump on condition (Jv) ³ Long-displacement jump on condition (Jv) º
8ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄĶ
º JO ³ JNO ³ JB ³ JNB ³ JZ ³ JNZ ³ JBE ³ JNBE ³ JS ³ JNS ³ JP ³ JNP ³ JL ³ JNL ³ JLE ³ JNLE º
ÌÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º Byte Set on condition (Eb) ³ ³ ³ ³ ³ ³ ³ ³ º
9ÇÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄ´ SETS ³ SETNS ³ SETP ³ SETNP ³ SETL ³ SETNL ³ SETLE ³ SETNLE º
º SETO ³ SETNO ³ SETB ³ SETNB ³ SETZ ³ SETNZ ³ SETBE ³ SETNBE ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º PUSH ³ POP ³ ³ BT ³ SHLD ³ SHLD ³ ³ ³ PUSH ³ POP ³ ³ BTS ³ SHRD ³ SHRD ³ ³ IMUL º
Aº ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º FS ³ FS ³ ³ Ev,Gv ³ EvGvIb ³ EvGvCL ³ ³ ³ GS ³ GS ³ ³ Ev,Gv ³ EvGvIb ³ EvGvCL ³ ³ Gv,Ev º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍ͹
º ³ ³ LSS ³ BTR ³ LFS ³ LGS ³ MOVZX ³ ³ ³ Grp-8 ³ BTC ³ BSF ³ BSR ³ MOVSX º
Bº ³ ³ ³ ³ ³ ÃÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄ´ ³ ³ ³ ³ ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ
º ³ ³ Mp ³ Ev,Gv ³ Mp ³ Mp ³ Gv,Eb ³ Gv,Ew ³ ³ ³ Ev,Ib ³ Ev,Gv ³ Gv,Ev ³ Gv,Ev ³ Gv,Eb Gv,Ew º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
Cº ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
Dº ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
Eº ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÌÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍÍØÍÍÍÍÍÍÍ͹
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
Fº ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
º ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ º
ÈÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍͼ
Opcodes determined by bits 5,4,3 of modR/M byte:
G ÚÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄ¿
r ³ mod ³ nnn ³ R/M ³
o ÀÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÙ
u
p 000 001 010 011 100 101 110 111
ÚÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄ¿
1³ ADD ³ OR ³ ADC ³ SBB ³ AND ³ SUB ³ XOR ³ CMP ³
³ ³ ³ ³ ³ ³ ³ ³ ³
ÃÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄ´
2³ ROL ³ ROR ³ RCL ³ RCR ³ SHL ³ SHR ³ ³ SAR ³
³ ³ ³ ³ ³ ³ ³ ³ ³
ÃÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄ´
3³ TEST ³ ³ NOT ³ NEG ³ MUL ³ IMUL ³ DIV ³ IDIV ³
³ Ib/Iv ³ ³ ³ ³AL/eAX ³AL/eAX ³AL/eAX ³AL/eAX ³
ÃÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄ´
4³ INC ³ DEC ³ ³ ³ ³ ³ ³ ³
³ Eb ³ Eb ³ ³ ³ ³ ³ ³ ³
ÃÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄ´
5³ INC ³ DEC ³ CALL ³ CALL ³ JMP ³ JMP ³ PUSH ³ ³
³ Ev ³ Ev ³ Ev ³ eP ³ Ev ³ Ep ³ Ev ³ ³
ÀÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÙ
Opcodes determined by bits 5,4,3 of modR/M byte:
G ÚÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄ¿
r ³ mod ³ nnn ³ R/M ³
o ÀÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÙ
u
p 000 001 010 011 100 101 110 111
ÚÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄ¿
6³ SLDT ³ STR ³ LLDT ³ LTR ³ VERR ³ VERW ³ ³ ³
³ Ew ³ Ew ³ Ew ³ Ew ³ Ew ³ Ew ³ ³ ³
ÃÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄ´
7³ SGDT ³ SIDT ³ LGDT ³ LIDT ³ SMSW ³ ³ LMSW ³ ³
³ Ms ³ Ms ³ Ms ³ Ms ³ Ew ³ ³ Ew ³ ³
ÃÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄ´
8³ ³ ³ ³ ³ BT ³ BTS ³ BTR ³ BTC ³
³ ³ ³ ³ ³ ³ ³ ³ ³
ÀÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÙ
Appendix B Complete Flag Cross-Reference
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Key to Codes
T = instruction tests flag
M = instruction modifies flag
(either sets or resets depending on operands)
0 = instruction resets flag
1 = instruction sets flag
ÄÄ = instruction's effect on flag is undefined
R = instruction restores prior value of flag
blank = instruction does not affect flag
Instruction OF SF ZF AF PF CF TF IF DF NT RF
AAA ÄÄ ÄÄ ÄÄ TM ÄÄ M
AAD ÄÄ M M ÄÄ M ÄÄ
AAM ÄÄ M M ÄÄ M ÄÄ
AAS ÄÄ ÄÄ ÄÄ TM ÄÄ M
ADC M M M M M TM
ADD M M M M M M
AND 0 M M ÄÄ M 0
ARPL M
BOUND
BSF/BSR ÄÄ ÄÄ M ÄÄ ÄÄ ÄÄ
BT/BTS/BTR/BTC ÄÄ ÄÄ ÄÄ ÄÄ ÄÄ M
CALL
CBW
CLC 0
CLD 0
CLI 0
CLTS
CMC M
CMP M M M M M M
CMPS M M M M M M T
CWD
DAA ÄÄ M M TM M TM
DAS ÄÄ M M TM M TM
DEC M M M M M
DIV ÄÄ ÄÄ ÄÄ ÄÄ ÄÄ ÄÄ
ENTER
ESC
HLT
IDIV ÄÄ ÄÄ ÄÄ ÄÄ ÄÄ ÄÄ
IMUL M ÄÄ ÄÄ ÄÄ ÄÄ M
IN
INC M M M M M
INS T
INT 0 0
INTO T 0 0
IRET R R R R R R R R R T
Jcond T T T T T
JCXZ
JMP
LAHF
LAR M
LDS/LES/LSS/LFS/LGS
LEA
LEAVE
LGDT/LIDT/LLDT/LMSW
LOCK
LODS T
LOOP
LOOPE/LOOPNE T
LSL M
LTR
MOV
MOV control, debug ÄÄ ÄÄ ÄÄ ÄÄ ÄÄ ÄÄ
MOVS T
MOVSX/MOVZX
MUL M ÄÄ ÄÄ ÄÄ ÄÄ M
NEG M M M M M M
NOP
NOT
OR 0 M M ÄÄ M 0
OUT
OUTS T
POP/POPA
POPF R R R R R R R R R R
PUSH/PUSHA/PUSHF
RCL/RCR 1 M TM
RCL/RCR count ÄÄ TM
REP/REPE/REPNE
RET
ROL/ROR 1 M M
ROL/ROR count ÄÄ M
SAHF R R R R R
SAL/SAR/SHL/SHR 1 M M M ÄÄ M M
SAL/SAR/SHL/SHR count ÄÄ M M ÄÄ M M
SBB M M M M M TM
SCAS M M M M M M T
SET cond T T T T T
SGDT/SIDT/SLDT/SMSW
SHLD/SHRD ÄÄ M M ÄÄ M M
STC 1
STD 1
STI 1
STOS T
STR
SUB M M M M M M
TEST 0 M M ÄÄ M 0
VERR/VERRW M
WAIT
XCHG
XLAT
XOR 0 M M ÄÄ M 0
Appendix C Status Flag Summary
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Status Flags' Functions
Bit Name Function
0 CF Carry Flag ÄÄ Set on high-order bit carry or borrow; cleared
otherwise.
2 PF Parity Flag ÄÄ Set if low-order eight bits of result contain
an even number of 1 bits; cleared otherwise.
4 AF Adjust flag ÄÄ Set on carry from or borrow to the low order
four bits of AL; cleared otherwise. Used for decimal
arithmetic.
6 ZF Zero Flag ÄÄ Set if result is zero; cleared otherwise.
7 SF Sign Flag ÄÄ Set equal to high-order bit of result (0 is
positive, 1 if negative).
11 OF Overflow Flag ÄÄ Set if result is too large a positive number
or too small a negative number (excluding sign-bit) to fit in
destination operand; cleared otherwise.
Key to Codes
T = instruction tests flag
M = instruction modifies flag
(either sets or resets depending on operands)
0 = instruction resets flag
ÄÄ = instruction's effect on flag is undefined
blank = instruction does not affect flag
Instruction OF SF ZF AF PF CF
AAA ÄÄ ÄÄ ÄÄ TM ÄÄ M
AAS ÄÄ ÄÄ ÄÄ TM ÄÄ M
AAD ÄÄ M M ÄÄ M ÄÄ
AAM ÄÄ M M ÄÄ M ÄÄ
DAA ÄÄ M M TM M TM
DAS ÄÄ M M TM M TM
ADC M M M M M TM
ADD M M M M M M
SBB M M M M M TM
SUB M M M M M M
CMP M M M M M M
CMPS M M M M M M
SCAS M M M M M M
NEG M M M M M M
DEC M M M M M
INC M M M M M
IMUL M ÄÄ ÄÄ ÄÄ ÄÄ M
MUL M ÄÄ ÄÄ ÄÄ ÄÄ M
RCL/RCR 1 M TM
RCL/RCR count ÄÄ TM
ROL/ROR 1 M M
ROL/ROR count ÄÄ M
SAL/SAR/SHL/SHR 1 M M M ÄÄ M M
SAL/SAR/SHL/SHR count ÄÄ M M ÄÄ M M
SHLD/SHRD ÄÄ M M ÄÄ M M
BSF/BSR ÄÄ ÄÄ M ÄÄ ÄÄ ÄÄ
BT/BTS/BTR/BTC ÄÄ ÄÄ ÄÄ ÄÄ ÄÄ M
AND 0 M M ÄÄ M 0
OR 0 M M ÄÄ M 0
TEST 0 M M ÄÄ M 0
XOR 0 M M ÄÄ M 0
Appendix D Condition Codes
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Note:
The terms "above" and "below" refer to the relation between two
unsigned values (neither SF nor OF is tested). The terms "greater" and
"less" refer to the relation between two signed values (SF and OF are
tested).
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Definition of Conditions
(For conditional instructions Jcond, and SETcond)
Instruction Condition
Mnemonic Meaning Subcode Tested
O Overflow 0000 OF = 1
NO No overflow 0001 OF = 0
B Below
NAE Neither above nor equal 0010 CF = 1
NB Not below
AE Above or equal 0011 CF = 0
E Equal
Z Zero 0100 ZF = 1
NE Not equal
NZ Not zero 0101 ZF = 0
BE Below or equal
NA Not above 0110 (CF or ZF) = 1
NBE Neither below nor equal
NA Above 0111 (CF or ZF) = 0
S Sign 1000 SF = 1
NS No sign 1001 SF = 0
P Parity
PE Parity even 1010 PF = 1
NP No parity
PO Parity odd 1011 PF = 0
L Less
NGE Neither greater nor equal 1100 (SF xor OF) = 1
NL Not less
GE Greater or equal 1101 (SF xor OF) = 0
LE Less or equal
NG Not greater 1110 ((SF xor OF) or ZF) = 1
NLE Neither less nor equal
G Greater 1111 ((SF xor OF) or ZF) = 0
first page
|
