ALP Programming Guide and Reference/Processor Reference

This chapter presents an overview of the instruction set and lists the complete instruction set in alphabetical order. For each instruction, the forms are given for each operand combination, including object code produced, operands required, execution time, and a description. For each instruction, there is an operational description and a summary of exceptions generated.

Intel Instruction Set Overview
This section contains an introduction to the Intel instruction set and presents the terminology necessary to understand the encoding and operation of each individual instruction.

Operand-Size and Address-Size Attributes
When executing an instruction, the processor can address memory using either 16 or 32-bit addresses. Consequently, each instruction that uses memory addresses has associated with it an address-size attribute of either 16 or 32 bits. The use of 16-bit addresses implies both the use of 16-bit displacements in instructions and the generation of 16-bit address offsets (segment relative addresses) as the result of the effective address calculations. 32-bit addresses imply the use of 32-bit displacements and the generation of 32-bit address offsets. Similarly, an instruction that accesses words (16 bits) or doublewords (32 bits) has an operand-size attribute of either 16 or 32 bits.

The attributes are determined by a combination of defaults, instruction prefixes, and (for programs executing in protected mode) size-specification bits in segment descriptors.

Default Segment Attribute
For programs running in protected mode, the D bit in executable-segment descriptors specifies the default attribute for both address size and operand size. These default attributes apply to the execution of all instructions in the segment. A clear D bit sets the default address size and operand size to 16 bits; a set D bit, to 32 bits.

Programs that execute in real mode or virtual-8086 mode have 16-bit addresses and operands by default.

Operand-Size and Address-Size Instruction Prefixes
The internal encoding of an instruction can include two byte-long prefixes: the address-size prefix, 67H, and the operand-size prefix, 66H. (A later section, "Instruction Format", shows the position of the prefixes in an instruction's encoding.) These prefixes override the default segment attributes for the instruction that follows. The following table shows the effect of each possible combination of defaults and overrides.
 * Y = Yes, this instruction prefix is present
 * N = No, this instruction prefix is not present

Address-Size Attribute for Stack
Instructions that use the stack implicitly (for example: POP EAX) also have a stack address-size attribute of either 16 or 32 bits. Instructions with a stack address-size attribute of 16 use the 16-bit SP stack pointer register; instructions with a stack address-size attribute of 32 bits use the 32-bit ESP register to form the address of the top of the stack.

The stack address-size attribute is controlled by the B bit of the data-segment descriptor in the SS register. A value of zero in the B bit selects a stack address-size attribute of 16; a value of one selects a stack address-size attribute of 32.

Instruction Format
All instruction encodings are subsets of the general instruction format shown in the following figure. Instructions consist of optional instruction prefixes (in any order), one or two primary opcode bytes, possibly an address specifier consisting of the ModR/M byte and the SIB (Scale Index Base) byte, a displacement, if required, and an immediate data field, if required.

Smaller encoding fields can be defined within the primary opcode or opcodes. These fields define the direction of the operation, the size of the displacements, the register encoding, or sign extension; encoding fields vary depending on the class of operation.

Most instructions that can refer to an operand in memory have an addressing form byte following the primary opcode byte(s). This byte, called the ModR/M byte, specifies the address form to be used. Certain encodings of the ModR/M byte indicate a second addressing byte, the SIB (Scale Index Base) byte, which follows the ModR/M byte and is required to fully specify the addressing form.

Addressing forms can include a displacement immediately following either the ModR/M or SIB byte. If a displacement is present, it can be 8-, 16- or 32-bits.

If the instruction specifies an immediate operand, the immediate operand always follows any displacement bytes. The immediate operand, if specified, is always the last field of the instruction.

Zero or one bytes are reserved for each group of prefixes. The prefixes are grouped as follows: For each instruction, one prefix may be used from each group. The effect of redundant prefixes (more than one prefix from a group) is undefined and may vary from processor to processor. The prefixes may come in any order.
 * 1) Instruction Prefixes: REP, REPE/REPZ, REPNE/REPNZ, LOCK
 * 2) Segment Override Prefixes: CS, SS, DS, ES, FS, GS
 * 3) Operand Size Override
 * 4) Address Size Override

The following are the allowable instruction prefix codes: F3H    REP prefix (used only with string instructions) F3H    REPE/REPZ prefix (used only with string instructions) F2H    REPNE/REPNZ prefix (used only with string instructions) F0H    LOCK prefix The following are the segment override prefixes: 2EH    CS segment override prefix 36H    SS segment override prefix 3EH    DS segment override prefix 26H    ES segment override prefix 64H    FS segment override prefix 65H    GS segment override prefix 66H    Operand-size override 67H    Address-size override

ModR/M and SIB Bytes
The ModR/M and SIB bytes follow the opcode byte(s) in many of the processor instructions. They contain the following information:
 * The indexing type or register number to be used in the instruction
 * The register to be used, or more information to select the instruction
 * The base, index, and scale information

The ModR/M byte contains three fields of information:
 * The mod field, which occupies the two most significant bits of the byte, combines with the r/m field to form 32 possible values: eight registers and 24 indexing modes.
 * The reg field, which occupies the next three bits following the mod field, specifies either a register number or three more bits of opcode information. The meaning of the reg field is determined by the first (opcode) byte of the instruction.
 * The r/m field, which occupies the three least significant bits of the byte, can specify a register as the location of an operand, or can form part of the addressing-mode encoding in combination with the mod field as described above.

The based indexed forms of 32-bit addressing require the SIB byte. The presence of the SIB byte is indicated by certain encodings of the ModR/M byte. The SIB byte then includes the following fields:
 * The ss field, which occupies the two most significant bits of the byte, specifies the scale factor.
 * The index field, which occupies the next three bits following the ss field and specifies the register number of the index register.
 * The base field, which occupies the three least significant bits of the byte, specifies the register number of the base register.

ModR/M and SIB Byte Formats MODR/M BYTE 7    6    5     4     3   2    1     0   ┌──────────┬────────────────┬──────────────┐   │  MOD     │   REG/OPCODE   │     R/M      │ └──────────┴────────────────┴──────────────┘           SIB (SCALE INDEX BASE) BYTE 7    6    5     4     3   2    1     0   ┌──────────┬────────────────┬──────────────┐   │    SS    │     INDEX      │     BASE     │ └──────────┴────────────────┴──────────────┘

16-Bit Addressing Forms with the ModR/M Byte
Notes:
 * 1) disp8 denotes an 8-bit displacement following the ModR/M byte, to be sign-extended and added to the index.
 * 2) disp16 denotes a 16-bit displacement following the ModR/M byte, to be added to the index. Default segment register is SS for the effective addresses containing a BP index, DS for other effective addresses.

32-Bit Addressing Forms with the ModR/M Byte
Notes:
 * 1) [--][--] means a SIB follows the ModR/M byte.
 * 2) disp8 denotes an 8-bit displacement following the SIB byte, to be sign-extended and added to the index.
 * 3) disp32 denotes a 32-bit displacement following the SIB byte, to be added to the index.

32-Bit Addressing Forms with the SIB Byte
Notes: [*] means a disp32 with no base if MOD is 00, [EBP] otherwise. This provides the following addressing modes: disp32[index]          (MOD=00) disp8[EBP][index]      (MOD=01) disp32[EBP][index]     (MOD=10)

How to Read the Instruction Set Pages
The following sections describe how to interpret the description pages for each instruction listed in the Intel Instruction Set section. Each instruction family is introduced by a descriptive heading such as the following:
 * CMC-Complement Carry Flag

Each instruction family may be accompanied by descriptive sections labeled as follows: Details Table, Operation, Flags Affected, Protected Mode Exceptions, Real Address Mode Exceptions, Virtual-8086 Mode Exceptions, and optionally, a Notes section. The following sections explain the notational conventions and abbreviations used in these paragraphs of the instruction descriptions.

Details Table
For each instruction family, a table is given to list the details of each individual instruction. The following is an example of this table:

The Encoding, Instruction, and Description columns are described in the following sections. The columns labeled 0, 1, 2, 3, 4, and 5 are collectively described in the Clocks section. A timing entry appearing in one of these columns is an indication that the associated processor implements that particular instruction variation. The column names are abbreviated, and are described as follows:
 * 0 The 8088/8086/8087 Processor Family
 * 1 The 80186/8087 Processor Family
 * 2 The 80286/80287 Processor Family
 * 3 The 80386/80387 Processor Family
 * 4 The 80486 Processor Family
 * 5 The Pentium Processor Family

Encoding Column
The "Encoding" column gives the complete object code produced for each form of the instruction. When possible, the codes are given as hexadecimal bytes, in the same order in which they appear in memory. Definitions of entries other than hexadecimal bytes are as follows:
 * /digit: (digit is between 0 and 7) indicates that the ModR/M byte of the instruction uses only the r/m (register or memory) operand. The reg field contains the digit that provides an extension to the instruction's opcode.
 * /r: indicates that the ModR/M byte of the instruction contains both a register operand and an r/m operand.
 * cb, cw, cd, cp: a 1-byte (cb), 2-byte (cw), 4-byte (cd) or 6-byte (cp) value following the opcode that is used to specify a code offset and possibly a new value for the code segment register.
 * ib, iw, id: a 1-byte (ib), 2-byte (iw), or 4-byte (id) immediate operand to the instruction that follows the opcode, ModR/M bytes or scale-indexing bytes. The opcode determines if the operand is a signed value. All words and doublewords are given with the low-order byte first.
 * +rb, +rw, +rd: a register code, from 0 through 7, added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte. The codes are:


 * +i: used in floating-point instructions when one of the operands is ST(i) from the FPU register stack. The number i (which can range from 0 to 7) is added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte.

Instruction Column
The "Instruction" column gives the syntax of the instruction statement as it would appear in an assembler program. The following is a list of the symbols used to represent operands in the instruction statements:
 * rel8:A relative address in the range from 128 bytes before the end of the instruction to 127 bytes after the end of the instruction.
 * rel16:A relative address in the range from 32768 bytes before the end of the instruction to 32767 bytes after the end of the instruction. Applies to instructions with an operand-size attribute of 16 bits, and must be within the same code segment as the instruction assembled.
 * rel32:A relative address in the range from 2147483648 bytes before the end of the instruction to 2147483647 bytes after the end of the instruction. Applies to instructions with an operand-size attribute of 32 bits, and must be within the same code segment as the instruction assembled.
 * ptr16:16:A far pointer, typically in a code segment different from that of the instruction. The notation 16:16 indicates that the value of the pointer has two parts. The value to the left of the colon is a 16-bit selector or value destined for the code segment register. The value to the right reflects the operand-size attribute of the instruction (16 bits) and corresponds to the offset within the destination segment.
 * ptr16&#58;32:A far pointer, typically in a code segment different from that of the instruction. The notation 16:32 indicates that the value of the pointer has two parts. The value to the left of the colon is a 16-bit selector or value destined for the code segment register. The value to the right reflects the operand-size attribute of the instruction (32 bits) and corresponds to the offset within the destination segment.
 * r8:One of the byte registers AL, CL, DL, BL, AH, CH, DH, or BH.
 * r16:One of the word registers AX, CX, DX, BX, SP, BP, SI, or DI.
 * r32:One of the doubleword registers EAX, ECX, EDX, EBX, ESP, EBP, ESI, or EDI.
 * imm8:An immediate byte value. imm8 is a signed number between -128 and +127 inclusive. For instructions in which imm8 is combined with a word or doubleword operand, the immediate value is sign-extended to form a word or doubleword. The upper byte of the word is filled with the topmost bit of the immediate value.
 * imm16:An immediate word value used for instructions whose operand-size attribute is 16 bits. This is a number between -32768 and +32767 inclusive.
 * imm32:An immediate doubleword value used for instructions whose operand-size attribute is 32-bits. It allows the use of a number between +2147483647 and -2147483648 inclusive.
 * r/m8:A one-byte operand that is either the contents of a byte register (AL, BL, CL, DL, AH, BH, CH, DH), or a byte from memory.
 * r/m16:A word register or memory operand used for instructions whose operand-size attribute is 16 bits. The word registers are: AX, BX, CX, DX, SP, BP, SI, DI. The contents of memory are found at the address provided by the effective address computation.
 * r/m32:A doubleword register or memory operand used for instructions whose operand-size attribute is 32-bits. The doubleword registers are: EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI. The contents of memory are found at the address provided by the effective address computation.
 * r/m64:A quadword register or memory operand used for instructions whose operand- size attribute is 64-bits. The reg/opcode field represents the opcode. The contents of memory are found at the address provided by the effective address computation.
 * m:A 16 or 32-bit memory operand.
 * m8:A memory byte addressed by DS:[E]SI or ES:[E]DI (used only by string instructions).
 * m16:A memory word addressed by DS:[E]SI or ES:[E]DI (used only by string instructions).
 * m32:A memory doubleword addressed by DS:[E]SI or ES:[E]DI (used only by string instructions).
 * m16&#58;16:A memory operand containing a far pointer composed of two numbers. The number to the left of the colon corresponds to the pointer's segment selector. The number to the right corresponds to its offset.
 * m16&#58;32:A memory operand containing a far pointer composed of two numbers. The number to the left of the colon corresponds to the pointer's segment selector. The number to the right corresponds to its offset.
 * m16&16:A memory operand consisting of data item pairs whose sizes are indicated on the left and the right side of the ampersand. All memory addressing modes are allowed. Used by the BOUND instruction to provide an operand containing an upper and lower bounds for array indices.
 * m16&32:A memory operand consisting of data item pairs whose sizes are indicated on the left and the right side of the ampersand. All memory addressing modes are allowed. Used by the by LIDT and LGDT to provide a word with which to load the limit field, and a doubleword with which to load the base field of the corresponding Global and Interrupt Descriptor Table Registers.
 * m32&32:A memory operand consisting of data item pairs whose sizes are indicated on the left and the right side of the ampersand. All memory addressing modes are allowed. Used by the BOUND instruction to provide an operand containing an upper and lower bounds for array indices.
 * moffs8:The memory offset of a BYTE variable used in some variants of the MOV instruction. The actual address is given by a simple offset relative to the segment base. No ModR/M byte is used in the instruction. The address- size attribute of the instruction determines the size of the offset data.
 * moffs16:The memory offset of a WORD variable used in some variants of the MOV instruction. The actual address is given by a simple offset relative to the segment base. No ModR/M byte is used in the instruction. The address- size attribute of the instruction determines the size of the offset data.
 * moffs32:The memory offset of a DWORD variable used in some variants of the MOV instruction. The actual address is given by a simple offset relative to the segment base. No ModR/M byte is used in the instruction. The address- size attribute of the instruction determines the size of the offset data.
 * Sreg:A segment register. The segment register bit assignments are ES=0, CS=1, SS=2, DS=3, FS=4, and GS=5.
 * m32real:A single-precision floating-point operand in memory.
 * m64real:A double-precision floating-point operand in memory.
 * m80real:An extended-precision floating-point operand in memory.
 * m80bcd:A 80 byte binary-coded decimal operand in memory.
 * m16int:A word integer operand in memory. Used in some floating-point instructions.
 * m32int:A short integer operand in memory. Used in some floating-point instructions.
 * m64int:A long integer operand in memory. Used in some floating-point instructions.
 * m14byte:A 14-byte floating-point operand in memory.
 * m28byte:A 28-byte floating-point operand in memory.
 * m94byte:A 94-byte floating-point operand in memory.
 * m108byte:A 108-byte floating-point operand in memory.
 * ST or ST(0):Top element of the FPU register stack.
 * ST(i):ith element from the top of the FPU register stack. (i=0..7)

Clocks Columns
Each "Clocks" column gives the approximate number of clock cycles the instruction takes to execute on that particular processor. The clock count calculations makes the following assumptions: The following symbols are used in the clock count specifications: When an exception occurs during the execution of an instruction and the exception handler is in another task, the instruction execution time is increased by the number of clocks to effect a task switch. This parameter depends on several factors:
 * Data and instruction accesses hit in the cache.
 * The target of a jump instruction is in the cache.
 * No invalidate cycles contend with the instruction for use of the cache.
 * Page translation hits in the TLB.
 * Memory operands are aligned.
 * Effective address calculations use a base register which is not the destination register of the preceding instruction.
 * No exceptions are detected during execution.
 * There are no write-buffer delays.
 * n, which represents a number of repetitions.
 * m, which represents the number of components in the next instruction executed, where the entire displacement (if any) counts as one component, the entire immediate data (if any) counts as one component, and every other byte of the instruction and prefix(es) each counts as one component.
 * pm:, a clock count that applies when the instruction executes in Protected Mode. pm: is not given when the clock counts are the same for Protected and Real Address Modes.
 * The type of TSS used to represent the new task (32 bit TSS or 16 bit TSS).
 * Whether the current task is in V86 mode.
 * Whether the new task is in V86 mode.
 * Whether accesses hit in the cache.
 * Whether a task gate on an interrupt/trap gate is used.

The following table summarizes the task switch times for exceptions, assuming cache hits and the use of task gates.

Task Switch Times for Exceptions

Description Column
The "Description" column following the "Clocks" columns briefly explains the various forms of the instruction. The "Operation" and "Description" sections contain more details of the instruction's operation.

Description
The "Description" section contains further explanation of the instruction's operation.

Operation
The "Operation" section contains an algorithmic description of the instruction which uses a notation similar to the Algol or Pascal language. The algorithms are composed of the following elements: The following identifiers are used in the algorithmic descriptions: IF instruction = CMPSW THEN OperandSize ← 16; ELSE IF instruction = CMPSD THEN OperandSize ← 32; FI; FI; indicates that the operand-size attribute depends on the form of the CMPS instruction used. Refer to the explanation of address-size and operand-size attributes at the beginning of this chapter for general guidelines on how these attributes are determined. The following functions are used in the algorithmic descriptions: IF StackAddrSize = 16 THEN IF OperandSize = 16 THEN SP ← SP -2; SS:[SP] ← value; (* 2 bytes assigned starting at byte address in SP *) ELSE (* OperandSize = 32 *) SP ← SP -4; SS:[SP] ← value; (* 4 bytes assigned starting at byte address in SP *) FI; ELSE (* StackAddrSize = 32 *) IF OperandSize = 16 THEN ESP ← ESP -2; SS:[ESP] ← value; (* 2 bytes assigned starting at byte address in ESP*) ELSE (* OperandSize = 32 *) ESP ← ESP -4; SS:[ESP] ← value; (* 4 bytes assigned starting at byte address in ESP*) FI; FI; IF StackAddrSize = 16 THEN IF OperandSize = 16 THEN ret val ← SS:[SP]; (* 2-byte value *) SP ← SP + 2; ELSE (* OperandSize = 32 *) ret val ← SS:[SP]; (* 4-byte value *) SP ← SP + 4; FI; ELSE (* StackAddrSize = 32 *) IF OperandSize = 16 THEN ret val ← SS:[ESP]; (* 2 byte value *) ESP ← ESP + 2; ELSE (* OperandSize = 32 *) ret val ← SS:[ESP]; (* 4 byte value *) ESP ← ESP + 4; FI; FI; RETURN(ret val); (*returns a word or doubleword*) Pop ST is used on floating-point instruction pages to mean pop the FPU register stack. If the base operand is a register, the offset can be in the range 0..31. This offset addresses a bit within the indicated register. An example, 'BIT [EAX, 21]' is illustrated in the following figure.
 * Comments are enclosed within the symbol pairs "(*" and "*)".
 * Compound statements are enclosed between the keywords of the "if" statement (IF, THEN, ELSE, FI) or of the "do" statement (DO, OD), or of the "case" statement (CASE ... OF, ESAC).
 * Execution continues until the END statement is encountered.
 * A register name implies the contents of the register. A register name enclosed in brackets implies the contents of the location whose address is contained in that register. For example, ES:[DI] indicates the contents of the location whose ES segment relative address is in register DI. [SI] indicates the contents of the address contained in register SI relative to SI's default segment (DS) or overridden segment.
 * Brackets are also used for memory operands, where they mean that the contents of the memory location is a segment-relative offset. For example, [SRC] indicates that the contents of the source operand is a segment- relative offset.
 * A ← B; indicates that the value of B is assigned to A.
 * The symbols =, <>, ò, and ó are relational operators used to compare two values, meaning equal, not equal, greater or equal, less or equal, respectively. A relational expression such as A = B is TRUE if the value of A is equal to B; otherwise it is FALSE.
 * A * B indicates that the value of A is multiplied by the value of B.
 * OperandSize represents the operand-size attribute of the instruction, which is either 16 or 32 bits. AddressSize represents the address-size attribute, which is either 16 or 32 bits. For example,
 * StackAddrSize represents the stack address-size attribute associated with the instruction, which has a value of 16 or 32 bits, as explained earlier in the chapter.
 * SRC represents the source operand. When there are two operands, SRC is the one on the right.
 * DEST represents the destination operand. When there are two operands, DEST is the one on the left.
 * LeftSRC, RightSRC distinguishes between two operands when both are source operands.
 * eSP represents either the SP register or the ESP register depending on the setting of the B-bit for the current stack segment.
 * Truncate to 16 bits(value) reduces the size of the value to fit in 16 bits by discarding the uppermost bits as needed.
 * Addr(operand) returns the effective address of the operand (the result of the effective address calculation prior to adding the segment base).
 * ZeroExtend(value) returns a value zero-extended to the operand-size attribute of the instruction. For example, if OperandSize = 32, ZeroExtend of a byte value of -10 converts the byte from F6H to doubleword with hexadecimal value 000000F6H. If the value passed to ZeroExtend and the operand-size attribute are the same size, ZeroExtend returns the value unaltered.
 * SignExtend(value) returns a value sign-extended to the operand-size attribute of the instruction. For example, if OperandSize = 32, SignExtend of a byte containing the value -10 converts the byte from F6H to a doubleword with hexadecimal value FFFFFFF6H. If the value passed to SignExtend and the operand-size attribute are the same size, SignExtend returns the value unaltered.
 * Push(value) pushes a value onto the stack. The number of bytes pushed is determined by the operand-size attribute of the instruction. The action of Push is as follows:
 * Pop(value) removes the value from the top of the stack and returns it. The statement EAX ← Pop; assigns to EAX the 32-bit value that Pop took from the top of the stack. Pop will return either a word or a doubleword depending on the operand-size attribute. The action of Pop is as follows:
 * Bit[BitBase, BitOffset] returns the value of a bit within a bit string, which is a sequence of bits in memory or a register. Bits are numbered from low-order to high-order within registers and within memory bytes. In memory, the two bytes of a word are stored with the low-order byte at the lower address.

Bit Offset for BIT[EAX,21] 31           21                            0 ┌──────────────┬──┬────────────────────────────┐ └──────────────┴──┴────────────────────────────┘                  ↑                             ↑                  │                             │                  └────────BITOFFSET=21─────────┘ If BitBase is a memory address, BitOffset can range from -2 gigabits to 2 gigabits. The addressed bit is numbered (Offset MOD 8) within the byte at address (BitBase + (BitOffset DIV 8)), where DIV is signed division with rounding towards negative infinity, and MOD returns a positive number. This is illustrated in the following figure.

Memory Bit Indexing 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 ┌──┬──┬────────┬────────────────┬──────────────┐  └──┴──┴────────┴────────────────┴──────────────┘  │  BITBASE+1   │    BITBASE     │   BITBASE-1  │ ↑                          │      └──────OFFSET=+13───────────┘ 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 ┌──────────────┬────────────────┬──────────────┐  └──────────────┴────────────────┴──────────────┘  │  BITBASE     │   BITBASE-1    │   BITBASE-2  │ │                     ↑                 └─────OFFSET=-11───────┘ IF TSS type is 16-bit THEN RETURN FALSE; FI; Ptr← [TSS+66]; (* fetch bitmap pointer *) BitStringAddr ← SHR (I-O-Address, 3) + Ptr; MaskShift ← I-O-Address AND 7; CASE width OF: BYTE: nBitMask ← 1; WORD: nBitMask ← 3; DWORD: nBitMask ← 15; ESAC; mask ← SHL (nBitMask, MaskShift); CheckString ← [BitStringAddr] AND mask; IF CheckString = 0 THEN RETURN (TRUE); ELSE RETURN (FALSE); FI;
 * I-O-Permission(I-O-Address, width) returns TRUE or FALSE depending on the I/O permission bitmap and other factors. This function is defined as follows:
 * Switch-Tasks is described in detail in the Intel documentation.

Flags Affected
Pages describing basic instructions have a "Flags Affected" section the contains a flags information table similar to the following:

The first row of the table lists the mnemonic identifiers for the various flags. The entries in the second row are filled in according to how the flag is affected by the instruction: The following table lists the mnemonic identifier, full name, and purpose of the flags that are applicable to all processor families and that are most commonly used from within application-level programs. Not all flags are included in this table; see the Intel documentation for a more complete description of flag usage from within systems-level programs. The flags information table is usually followed by a paragraph description of how the flags are affected: All flags not listed are unchanged by the instruction.
 * If a flag is always cleared or always set by the instruction, the value is given (0 or 1) after the flag name. Arithmetic and logical instructions usually assign values to the status flags in a uniform manner. Nonconventional assignments are described in the Operation section.
 * The values of flags listed as "undefined" may be changed by the instruction in an indeterminate manner.

FPU Flags Affected
The floating-point instruction pages have a section called "FPU Flags Affected," which tells how each instruction can affect the four condition code bits of the FPU status word. These pages contain a condition code information table similar to the following:

The first row of the table lists the names of the floating-point condition code flags. The entries in the second row are filled in according to how the flag is affected by the instruction: The four FPU condition code bits (C0, C1, C2, and C3) are similar to the flags in a CPU; the processor updates these bits to reflect the outcome of arithmetic operations. The effect of these instructions on the condition code bits is summarized in the following table:

NOTES: O/U# When both IE and SF bits of status word are set, this bit distinguishes between stack overflow (C1=1) and underflow (C1=0).

Reduction If FPREM and FPREM1 produces a remainder that is less than the modulus, reduction is complete. When reduction is incomplete the value at the top of the stack is a parial remainder, which can be used as input to further reduction. For FPTAN, FSIN, FCOS and FSINCOS, the reduction bit is set if the operand at the top of the stack is too large. In this case, the original operand remains at the top of the stack.

Roundup When the PE bit of the status word is set, this bit indicates whether the last rounding in the instruction was upward.

UNDEFINED Do not rely on any specific value in these bits.

The condition code bits are used primarily for conditional branching. The FSTSW AX instruction stores the FPU status word directly into the AX register, allowing these condition codes to be inspected efficiently. The SAHF instruction can copy C3 - C0 directly to the CPU's flag bits to simplify conditional branching. The following table shows the mapping of these bits to the CPU flag bits.

Numeric Exceptions
For floating-point instruction pages, this section lists the exception flags of the FPU status word that each instruction can set. Exceptions are listed in abbreviated form, and are defined as follows:
 * IS Invalid operand due to stack overflow/underflow
 * I Invalid operand due to other cause
 * D Denormalized operand
 * Z Divide by zero
 * O Numeric overflow
 * U Numeric underflow
 * P Inexact result (precision)

Protected Mode Exceptions
This section lists the exceptions that can occur when the instruction is executed in protected mode. The exception names are a pound sign (#) followed by two letters and an optional error code in parentheses. For example, #GP(0) denotes a general protection exception with an error code of 0. The following table associates each two-letter name with the corresponding interrupt number. Refer to the Intel documentation for a description of the exceptions and the processor state upon entry to the exception. Application programmers should consult the documentation provided with their operating systems to determine the actions taken when exceptions occur.

Real Address Mode Exceptions
Because less error checking is performed by the processor in Real Address Mode, this mode has fewer exception conditions. Refer to the Intel documentation for further information on these exceptions.

Virtual-8086 Mode Exceptions
Virtual 8086 tasks provide the ability to simulate Virtual 8086 machines. Virtual 8086 Mode exceptions are similar to those for the 8086 processor, but there are some differences. Refer to the Intel documentation for complete information on Virtual Mode exceptions.

Intel Instruction Set
The following section describes the individual processor instructions in detail.

AAA - ASCII Adjust after Addition
Run the AAA instruction only following an ADD instruction that leaves a byte result in the AL register. The lower nibbles of the operands of the ADD instruction should be in the range 0 through 9 (BCD digits). In this case, the AAA instruction adjusts the AL register to contain the correct decimal digit result. If the addition produced a decimal carry, the AH register is incremented, and the CF and AF flags are set. If this same addition also produced FH in the upper nibble of AL then AH is incremented again. If there was no decimal carry, the CF and AF flags are cleared and the AH register is unchanged. In either case, the AL register is left with its top nibble set to 0. To convert the AL register to an ASCII result, follow the AAA instruction with OR AL, 30H.
 * Description

ALcarry ← AL > 0F9H; (* 1 if true *) IF ((AL AND 0FH) > 9) OR (AF = 1) THEN AL ← (AL + 6) AND 0FH; AH ← AH + 1 + ALcarry; AF ← 1; CF ← 1; ELSE AF ← 0; CF ← 0; AL ← AL AND 0FH; FI;
 * Operation

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal carry; the OF, SF, ZF, and PF flags are undefined.

AAD - ASCII Adjust AX before Division
The AAD instruction is used to prepare two unpacked BCD digits (the least-significant digit in the AL register, the most-significant digit in the AH register) for a division operation that will yield an unpacked result. This is accomplished by setting the AL register to AL+ (second byte of opcode * AH), and then clearing the AH register. The AX register is then equal to the binary equivalent of the original unpacked two-digit number.
 * Description

regAL = AL; regAH = AH; AL ← (regAH * imm8 + regAL) AND OFFH; AH ← 0; Note: imm8 has the value of the instruction's second byte. The second byte under normally assembly of this instruction will be 0A, however, explicit modification of this byte will result in the operation described above and may alter results.
 * Operation

The SF, ZF, and PF flags are set according to the result; the OF, AF, and CF flags are undefined.

AAM - ASCII Adjust AX after Multiply
Run the AAM instruction only after running a MUL instruction between two unpacked BCD digits that leaves the result in the AX register. Because the result is less than 100, it is contained entirely in the AL register. The AAM instruction unpacks the AL result by dividing AL by the second byte of the opcode, leaving the quotient (most-significant digit) in the AH register and the remainder (least-significant digit) in the AL register.
 * Description

regAL ← AL; AH ← regAL / imm8; AL ← regAL MOD imm8; Note: imm8 has the value of the instruction's second byte. The second byte under normally assembly of this instruction will be 0A., however, explicit modification of this byte will result in the operation described above and may alter results.
 * Operation

The SF, ZF, and PF flags are set according to the result; the OF, AF, and CF flags are undefined.

AAS - ASCII Adjust AL after Subtraction
Run the AAS instruction only after a SUB instruction that leaves the byte result in the AL register. The lower nibbles of the operands of the SUB instruction must have been in the range of 0 through 9 (BCD digits). In this case, the AAS instruction adjusts the AL register so it contains the correct decimal digit result. If the subtraction produced a decimal carry, the AH register is decremented, and the CF and AF flags are set. If no decimal carry occurred, the CF and AF flags are cleared, and the AH register is unchanged. In either case, the AL register is left with its top nibble set to 0. To convert the AL result to an ASCII result, follow the AAS instruction with OR AL, 30H.
 * Description

ALborrow ← AL < 6; (* 1 if true *) IF (AL AND 0FH) > 9 OR AF = 1 THEN AL ← (AL - 6) AND 0FH; AH ← AH - 1 - ALborrow; AF ← 1; CF ← 1; ELSE CF ← 0; AF ← 0; AL ← AL AND 0FH FI;
 * Operation

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal carry; the OF, SF, ZF, and PF flags are undefined.

ADC - Add with Carry
The ADC instruction performs an integer addition of the two operands DEST and SRC and the carry flag, CF. The result of the addition is assigned to the first operand (DEST), and the flags are set accordingly. The ADC instruction is usually run as part of a multi-byte or multi-word addition operation. When an immediate byte value is added to a word or doubleword operand, the immediate value is first sign-extended to the size of the word or doubleword operand.
 * Description

DEST ← DEST + SRC + CF;
 * Operation

The OF, SF, ZF, AF, CF, and PF flags are set according to the result.

\#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

ADD - Add

 * Details Table

The ADD instruction performs an integer addition of the two operands (DEST and SRC). The result of the addition is assigned to the first operand (DEST ), and the flags are set accordingly. When an immediate byte is added to a word or doubleword operand, the immediate value is sign-extended to the size of the word or doubleword operand.
 * Description

DEST ← DEST + SRC;
 * Operation

The OF, SF, ZF, AF, CF, and PF flags are set according to the result. .#GP(0) is the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

AND - Logical AND

 * Details Table

Each bit of the result of the AND instruction is a 1 if both corresponding bits of the operands are 1; otherwise, it becomes a 0.
 * Description

DEST ← DEST AND SRC; CF ← 0; OF ← 0;
 * Operation

The CF and OF flags are cleared; the PF, SF, and ZF flags are set according to the result; the AF flag is undefined. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

ARPL - Adjust RPL Field of Selector
The ARPL instruction has two operands. The first operand is a 16-bit memory variable or word register that contains the value of a selector. The second operand is a word register. If the RPL field ("requested privilege level" - bottom two bits) of the first operand is less than the RPL field of the second operand, the ZF flag is set and the RPL field of the first operand is increased to match the second operand. Otherwise, the ZF flag is cleared and no change is made to the first operand. The ARPL instruction appears in operating system software, not in application programs. It is used to guarantee that a selector parameter to a subroutine does not request more privilege than the caller is allowed. The second operand of the ARPL instruction is normally a register that contains the CS selector value of the caller.
 * Description

IF RBL bits(0,1) of DEST < RPL bits(0,1) of SRC THEN ZF ← 1; RPL bits(0,1) of DEST ← RPL bits (0,1) of SRC; ELSE ZF ← 0; FI;
 * Operation

The ZF flag is set if the RPL field of the first operand is less than that of the second operand, otherwise ZF is cleared. Interrupt 6; the ARPL instruction is not recognized in Real Address Mode. Interrupt 6; the ARPL instruction is not recognized in Virtual 8086 Mode.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

BOUND - Check Array Index Against Bounds
The BOUND instruction ensures that a signed array index is within the limits specified by a block of memory consisting of an upper and a lower bound. Each bound uses one word when the operand-size attribute is 16-bits and a doubleword when the operand-size attribute is 32-bits. The first operand (a register) must be greater than or equal to the first bound in memory (lower bound), and less than or equal to the second bound in memory (upper bound) plus the number of bytes occupied for the operand size. If the register is not within bounds, an Interrupt 5 occurs; the return EIP points to the BOUND instruction. The bounds limit data structure is usually placed just before the array itself, making the limits addressable via a constant offset from the beginning of the array.
 * Description

IF (LeftSRC < [RightSRC] OR LeftSRC > [RightSRC + OperandSize/8]) (* Under lower bound or over upper bound *) THEN Interrupt 5; FI;
 * Operation

Interrupt 5 if the bounds test fails, as described above; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The second operand must be a memory operand, not a register. If the BOUND instruction is run with a ModR/M byte representing a register as the second operand, #UD occurs. Interrupt 5 if the bounds test fails; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH; Interrupt 6 if the second operand is a register. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

BSF - Bit Scan Forward
The BSF instruction scans the bits in the second word or doubleword operand starting with bit 0. The ZF flag is set if all the bits are 0; otherwise, the ZF flag is cleared and the destination register is loaded with the bit index of the first set bit.
 * Description

IF r/m = 0 THEN ZF ← 1; register ← UNDEFINED; ELSE temp ← 0; ZF ← 0; WHILE BIT[r/m,temp] = 0 DO      temp ← temp + 1; register ← temp; OD; FI;
 * Operation

The ZF flag is set if all bits are 0; otherwise, the ZF flag is cleared. OF, SF, AF, PF, CF = undefined. _#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

BSR-Bit Scan Reverse
The BSR instruction scans the bits in the second word or doubleword operand from the most significant bit to the least significant bit. The ZF flag is set if all the bits are 0; otherwise, the ZF flag is cleared and the destination register is loaded with the bit index of the first set bit found when scanning in the reverse direction.
 * Description

IF r/m = 0 THEN ZF ← 1; register ← UNDEFINED; ELSE temp ← OperandSize =1; ZF ← 0; WHILE BIT[r/m,temp] = 0 DO       temp ← temp - 1; register ← temp; OD; FI;
 * Operation

The ZF flag is set if all bits are 0; otherwise, the ZF flag is cleared. OS, SF, AF, PF, CF = undefined. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

BSWAP - Byte Swap
The BSWAP instruction reverses the byte order of a 32-bit register, converting a value in little/big endian form to big/little endian form. When BSWAP is used with 16-bit operand size, the result left in the destination register is undefined.
 * Description

TEMP ← r32 r32(7..0) ← TEMP(31..24) r32(15..8) ← TEMP(23..16) r32(23..16) ← TEMP(15..8) r32(31..24) ← TEMP(7.0)
 * Operation

BSWAP is not supported on Intel386 processors. Include functionally-equivalent code for Intel386 CPUs.
 * Notes

BT - Bit Test

 * Details Table

The BT instruction saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the CF flag.
 * Description

CF ← BIT [LeftSRC, RightSRC];
 * Operation

The CF flag contains the value of the selected bit. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by some assemblers by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the low-order 3 to 5 bits (3 for 16 bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high-order bits if they are not zero. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by:
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes
 * Effective Address + (4* (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address given by:
 * Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. You must therefore avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data.

BTC - Bit Test and Complement
The BTC instruction saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the CF flag and then complements the bit.
 * Details Table
 * Description

CF ← BIT[LeftSRC, RightSRC]; BIT[LeftSRC, RightSRC] ← NOT BIT[LeftSrc, RightSRC];
 * Operation

The CF flag contains the complement of the selected bit. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value may be used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger then 31 are supported by some assemblers by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the low-order 3 to 5 bits (3 for 16-bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high order bits if they are not zero. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by:
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, and GS segments; # SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes
 * Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address given by:
 * Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. Therefore, referencing areas of memory close to address space holes should be avoided. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data.

BTR-Bit Test and Reset

 * Details Table

The BTR instruction saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the CF flag and then stores 0 in the bit.
 * Description

CF ← BIT[LeftSRC, RightSRC]; BIT[LeftSRC, RightSRC] ← 0;
 * Operation

The CF flag contains the value of the selected bit.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by some assemblers by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the low-order 3 to 5-bits (3 for 16-bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high-order bits if they are not zero. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by:
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes
 * Effective Address + 4 * (BitOffset DIV 32)

for a 32-bit operand size, or two bytes starting from the memory address given by:
 * Effective Address + 2 * (BitOffset DIV 16)

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. You must therefore avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data.

BTS-Bit Test and Set
The BTS instruction saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the CF flag and then stores 1 in the bit.
 * Details Table
 * Description

CF ← BIT[LeftSRC, RightSRC]; BIT[LeftSRC, RightSRC] ← 1;
 * Operation

The CF flag contains the value of the selected bit.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by some assemblers by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the low-order 3 to 5 bits (3 for 16-bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high-order bits if they are not zero. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by: Effective Address + (4 * (BitOffset DIV 32)) for a 32-bit operand size, or two bytes starting from the memory address given by: Effective Address + (2 * (BitOffset DIV 16)) for a 16-bit operand size. It may do this even when only a single byte needs to be accessed in order to get at the given bit. You must therefore be careful to avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

CALL - Call Procedure
The CALL instruction causes the procedure named in the operand to be run. When the procedure is complete (a return instruction is run within the procedure), processing continues at the instruction that follows the CALL instruction. The action of the different forms of the instruction are described below. Near calls are those with destination of type r/m16, r/m32, rel16, rel32; changing or saving the segment register value is not necessary. The CALL rel16 and CALL rel32 forms add a signed offset to the address of the instruction following the CALL instruction to determine the destination. The rel16 form is used when the instruction's operand-size attribute is 16-bits; rel32 is used when the operand-size attribute is 32-bits. The result is stored in the 32-bit EIP register. With rel16, the upper 16-bits of the EIP register are cleared, resulting in an offset whose value does not exceed 16-bits. CALL r/m16 and CALL r/m32 specify a register or memory location from which the absolute segment offset is fetched. The offset fetched from r/m is 32-bits for an operand-size attribute of 32 (r/m32), or 16-bits for an operand-size of 16 (r/m16). The offset of the instruction following the CALL instruction is pushed onto the stack. It will be popped by a near RET instruction within the procedure. The CS register is not changed by this form of CALL. The far calls, CALL ptr:16 and CALL ptr16:32, use a four-byte or six-byte operand as a long pointer to the procedure called. The CALL m16:16 and m16: 32 forms fetch the long pointer from the memory location specified (indirection). In Real Address Mode or Virtual 8086 Mode, the long pointer provides 16-bits for the CS register and 16 or 32-bits for the EIP register (depending on the operand-size attribute). These forms of the instruction push both the CS and IP or EIP registers as a return address. In Protected Mode, both long pointer forms consult the AR byte in the descriptor indexed by the selector part of the long pointer. Depending on the value of the AR byte, the call will perform one of the following types of control transfers: A CALL-indirect-thru-memory, which uses the stack pointer (ESP) as a base register, references memory before the CALL. The base used is the value of the ESP before the instruction runs. For more information on Protected Mode control transfers, refer to the Intel documentation.
 * Details Table
 * Description
 * A far call to the same protection level
 * An inter-protection level far call
 * A task switch

IF rel/16 or rel32 type of call THEN (* near relative call *) IF OperandSize = 16 THEN Push(IP); EIP ← (EIP + rel16) AND 0000FFFFH; ELSE (* OperandSize = 32 *) Push(EIP); EIP ← EIP + rel32; FI; FI; IF r/m16 or r/m32 type of call THEN (* near absolute call *) IF OperandSize = 16 THEN Push(IP); EIP ← [r/m16] AND 0000FFFFH; ELSE (*OperandSize = 32 *) Push(EIP); EIP ←[r/m32] FI; FI IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or virtual 8086 mode *) AND instruction = far CALL (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32*) THEN IF OperandSize = 16 THEN Push(CS); Push(IP); (* address of next instruction; 16 bits *) ELSE Push(CS); (* padded with 16 high-order bits *) Push(EIP); (* address of next instruction; 32 bits *) FI; IF operand type is m16:16 or m16:32 THEN (* indirect far call *) IF OperandSize = 16 THEN CS:IP ← [m16:16]; EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *) ELSE (* OperandSize = 32 *) CS:EIP ← [m16:32[; FI; FI; IF operand type is ptr:16 or ptr16:32 THEN (* direct far call *) IF OperandSize = 16 THEN CS:IP ← ptr:16; EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *) ELSE (* OperandSize = 32 *) CS:EIP ← ptr16:32; FI; FI; FI; IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) AND instruction = far CALL THEN If indirect, then check access of EA doubleword; #GP(0) if limit violation; New CS selector must not be null else #GP(0); Check that new CS selector index is within its descriptor table limits; else #GP(new CS selector); Examine AR byte of selected descriptor for various legal values; depending on value: go to CONFORMING-CODE-SEGMENT; go to NONCONFORMING-CODE-SEGMENT; go to CALL-GATE; go to TASK-GATE; go to TASK-STATE-SEGMENT; ELSE #GP(code segment selector); FI;
 * Operation

CONFORMING-CODE-SEGMENT: DPL must be ó CPL ELSE #GP(code segment selector); Segment must be present ELSE #NP(code segment selector); Stack must be big enough for return address ELSE #SS(0); Instruction pointer must be in code segment limit ELSE #GP(0); Load code segment descriptor into CS register; Load CS with new code segment selector; Load EIP with zero-extend(new offset); IF OperandSize=16 THEN EIP ← EIP AND 0000FFFFH; FI;

NONCONFORMING-CODE-SEGMENT: RPL must be ó CPL ELSE #GP(code segment selector) DPL must be = CPL ELSE #GP(code segment selector) Segment must be present ELSE #NP(code segment selector) Stack must be big enough for return address ELSE #SS(0) Instruction pointer must be in code segment limit ELSE #GP(0) Load code segment descriptor into CS register Load CS with new code segment selector Set RPL of CS to CPL Load EIP with zero-extend(new offset); IF OperandSize=16 THEN EIP ← EIP AND 0000FFFFH; FI;

CALL-GATE Call gate DPL must be ò CPL ELSE #GP(call gate elector) Call gate DPL must be ò RPL ELSE #GP(call gate elector) Call gate just be present ELSE #NP(call gate selector) Examine code segment selector in call gate descriptor: Selector must not be null ELSE #GP(0) Selector must be within its descriptor table limits ELSE #GP(code segment selector) AR byte of selected descriptor must indicate code segment ELSE #GP(code segment selector) DPL of selected descriptor must be ó CPL ELSE #GP(code segment selector) IF non-conforming code segment AND DPL < CPL THEN go to MORE-PRIVILEGE ELSE go to SAME-PRIVILEGE FI;

MORE-PRIVILEGE: Get new SS selector for new privilege level from TSS Check selector and descriptor for new SS: Selector must not be null ELSE #TS(0) Selector index must be within its descriptor table limits ELSE #TS(SS selector) Selector's RPL must equal DPL of code segment ELSE #TS(SS selector) Stack segment DPL must equal DPL of code segment ELSE #TS(SS selector) Descriptor must indicate writable data segment ELSE #TS(SS selector) Segment present ELSE #SS(SS selector) IF OperandSize=32 THEN New stack must have room for parameters plus 16 bytes ELSE #SS(SS selector) EIP must be in code segment limit ELSE #GP(0) Load new SS:eSP value from TSS Load new CS:EIP value from gate ELSE New stack must have room for parameters plus 8 bytes ELSE #SS(SS selector) IP must be in code segment limit ELSE #GP(0) Load new SS:eSP value from TSS Load new CS:IP value from gate FI; Load CS descriptor Load SS descriptor Push long pointer of old stack onto new stack Get word count from call gate, mask to 5 bits Copy parameters from old stack onto new stack Push return address onto new stack Set CPL to stack segment DPL Set RPL of CS to CPL

SAME-PRIVILEGE: IF OperandSize=32 THEN Stack must have room for 6-byte return address (padded to 8 bytes) ELSE #SS(0) EIP must be within code segment limit ELSE #GP(0) Load CS:EIP from gate ELSE Stack must have room for 4-byte return address ELSE #SS(0) IP must be within code segment limit ELSE #GP(0) Load CS:IP from gate FI; Push return address onto stack Load code segment descriptor into CS register Set RPL of CS to CPL

TASK-GATE: Task gate DPL must be ó CPL ELSE #TS(gate selector) Task gate DPL must be ó RPL ELSE #TS(gate selector) Task Gate must be present ELSE #NP(gate selector) Examine selector to TSS, given in Task Gate descriptor: Must specify global in the local/global bit ELSE #TS(TSS selector) Index must be within GDT limits ELSE #TS(TSS selector) TSS descriptor AR byte must specify nonbusy TSS ELSE #TS(Tss selector) Task State Segment must be present ELSE #NP(TSS selector) SWITCH-TASKS (with nesting) to TSS IP must be in code segment limit ELSE #TS(0)

TASK-STATE-SEGMENT TSS DPL must be ó CPL ELSE #TS(TSS selector) TSS DPL must be ó RPL ELSE #TS(TSS selector) TSS descriptor AR byte must specify available TSS ELSE #TS(TSS selector) Task State Segment must be present ELSE #NP(TSS selector) SWITCH-TASKS (with nesting) to TSS IP must be in code segment limit ELSE #TS(0)

All flags are affected if a task switch occurs; no flags are affected if a task switch does not occur.

For far calls: #GP, #NP, #SS, and #TS, as indicated in the "Operation" section. For near direct calls: #GP(0) if procedure location is beyond the code segment limits; #SS(0) if pushing the return address exceeds the bounds of the stack segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. For a near indirect call: #GP(0) for an illegal memory operand effective address is the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #GP(0) if the indirect offset obtained is beyond the code segment limits; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. Any far call from a 32-bit code segment to a 16-bit code segment should be made from the first 64 Kbytes of the 32-bit code segment, because the operand-size attribute of the instruction is set to 16, allowing only a 16-bit return address offset to be saved.
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

CBW/CWDE-Convert Byte to Word/Convert Word to Doubleword
The CBW instruction converts the signed byte in the AL register to a signed word in the AX register by extending the most significant bit of the AL register (the sign bit) into all of the bits of the AH register. The CWDE instruction converts the signed word in the AX register to a doubleword in the EAX register by extending the most significant bit of the AX register into the two most significant bytes of the EAX register. Note that the CWDE instruction is different from the CWD instruction. The CWD instruction uses the DX:AX register pair rather than the EAX register as a destination.
 * Description

IF OperandSize = 16 (* instruction = CBW *) THEN AX ← Sign Extend(AL); ELSE (* OperandSize = 32, instruction = CWDE *) EAX ← Sign Extend(AX); FI;
 * Operation

CDQ - Convert Double to Quad
See entry for CWD/CDQ-Convert Word to Double/Convert Double to Quad.

CLC - Clear Carry Flag
The CLC instruction clears the CF flag. It does not affect other flags or registers.
 * Description

CF ← 0;
 * Operation

The CF flag is cleared.

CLD - Clear Direction Flag
The CLD instruction clears the direction flag. No other flags or registers are affected. After a CLD instruction is run, string operations will increment the index registers (SI and/or DI) that they use.
 * Description

DF ← 0;
 * Operation

The DF flag is cleared.

CLI - Clear Interrupt Flag
The CLI instruction clears the IF flag if the current privilege level is at least as privileged as IOPL. No other flags are affected. External interrupts are not recognized at the end of the CLI instruction from that point on until the IF flag is set.
 * Description

IF PE = 0 THEN IF ←0; ELSE IF VM = 0 (* Running in protected Mode *) THEN IF IOPL = 3 THEN IF ← 0; ELSE IF CPL ó IOPL THEN IF ← 0; ELSE #GP(0); FI; FI; ELSE (* Running in Virtual-8086 mode *) IF IOPL = 3 THEN IF ← ELSE #GP(0); FI; FI; FI;
 * Operation

The following decision table indicates which action in the lower portion of the table is taken given the conditions in the upper portion of the table. Notes: - Don't care Blank Action Not Taken Y Action in Column 1 taken
 * Decision Table

IF cleared.
 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is greater (has less privilege) than the I/O privilege level in the flags register. The I/O privilege level specifies the least privileged level at which I/O can be performed.
 * Virtual 8086 Mode Exceptions
 * 1) GP(0) as for protected mode.

CLTS - Clear Task-Switched Flag in CR0
The CLTS instruction clears the task-switched (TS) flag in the CR0 register. This flag is set by the processor every time a task switch occurs. The TS flag is used to manage processor extensions as follows: Thus, if a task switch was made after an ESC instruction was begun, the floating-point unit's context may need to be saved before a new ESC instruction can be issued. The fault handler saves the context and clears the TS flag. The CLTS instruction appears in operating system software, not in application programs. It is a privileged instruction that can only be run at privilege level 0.
 * Description
 * Every processing of an ESC instruction is trapped if the TS flag is set.
 * Processing of a WAIT instruction is trapped if the MP flag and the TS flag are both set.

TS Flag in CR0 ← 0;
 * Operation

The TS flag is cleared (the TS flag is in the CR0 register, not the flags register). None (valid in Real Address Mode to allow initialization for Protected Mode). Same exceptions as in Protected Mode.
 * Protected Mode Exceptions
 * 1) GP(0) if the CLTS instruction is run with a current privilege level other than 0.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

CMC - Complement Carry Flag
The CMC instruction reverses the setting of the CF flag. No other flags are affected.
 * Description

CF ← NOT CF;
 * Operation

The CF flag contains the complement of its original value.

CMP - Compare Two Operands

 * Details Table

The CMP instruction subtracts the second operand from the first but, unlike the SUB instruction, does not store the result; only the flags are changed. The CMP instruction is typically used in conjunction with conditional jumps and the SETcc instruction. (Refer to Appendix D for the list of signed and unsigned flag tests provided.) If an operand greater than one byte is compared to an immediate byte, the byte value is first sign-extended.
 * Description

LeftSRC - SignExtend(RightSRC); (* CMP does not store a result; its purpose is to set the flags *)
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are set according to the result. ,Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

CMPS/CMPSB/CMPSW/CMPSD - Compare String Operands
The CMPS instruction compares the byte, word, or doubleword pointed to by the source-index register with the byte, word, or doubleword pointed to by the destination-index register. If the address-size attribute of this instruction of 16-bits, the SI and DI registers will be used for source- and destination-index registers; otherwise the ESI and EDI registers will be used. Load the correct index values into the SI and DI (or ESI and EDI) registers before running the CMPS instruction. The comparison is done by subtracting the operand indexed by the destination-index register from the operand indexed by the source-index register. Note that the direction of subtraction for the CMPS instruction is [SI] - [ DI] or [ESI] - [EDI]. The left operand (SI or ESI) is the source and the right operand (DI or EDI) is the destination. This is the reverse of the usual Intel convention in which the left operand is the destination and the right operand is the source. The result of the subtraction is not stored; only the flags reflect the change. The types of the operands determine whether bytes, words, or doublewords are compared. For the first operand (SI or ESI), the DS register is used, unless a segment override byte is present. The second operand (DI or EDI) must be addressable from the ES register; no segment override is possible. After the comparison is made, both the source-index register and destination-index register are automatically advanced. If the DF flag is 0 (a CLD instruction was run), the registers increment; if the DF flag is 1 (an STD instruction was run), the registers decrement. The registers increment or decrement by 1 if a byte is compared, by 2 if a word is compared, or by 4 if a doubleword is compared. The CMPSB, CMPSW and CMPSD instructions are synonyms for the byte, word, and doubleword CMPS instructions, respectively. The CMPS instruction can be preceded by the REPE or REPNE prefix for block comparison of CX or ECX bytes, words, or doublewords. Refer to the description of the REP instruction for more information on this operation.
 * Description

IF (instruction = CMPSD) OR   (instruction has operands of type DWORD) THEN OperandSize ← 32; ELSE OperandSize ← 16; FI; IF AddressSize = 16 THEN use SI for source-index and DI for destination-index ELSE (* AddressSize = 32 *) use ESI for source-index and EDI for destination-index; FI; IF byte type of instruction THEN set ZF based on  [source-index] - [destination-index] ; (* byte comparison *) IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI; ELSE IF OperandSize = 16 THEN set ZF based on     [source-index] - [destination-index] ; (* word comparison *) IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI; ELSE (* OperandSize = 32 *) set ZF based on     [source-index] - [destination-index] ; (* dword comparison *) IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI; FI; FI; source-index = source-index + IncDec; destination-index = destination-index + IncDec;
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are set according to the result. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

CMPXCHG - Compare and Exchange
The CMPXCHG instruction compares the accumulator (AL, AX, or EAX register) with DEST. If they are equal, SRC is loaded into DEST. Otherwise, DEST is loaded into the accumulator.
 * Description

IF accumulator=DEST ZF ← 1 DEST ← SRC ELSE ZF ← 0 accumulator ← DEST
 * Operation

The CF, PF, AF, SF, and OF flags are affected as if a CMP instruction had been run with DEST and the accumulator as operands. The ZF flag is set if the destination operand and the accumulator are equal; otherwise it is cleared. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH. Same exceptions as in real-address mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. This instruction can be used with a LOCK prefix. In order to simplify interface to the processor's bus, the destination operand receives a write cycle without regard to the result of the comparison. DEST is written back if the comparison fails, and SRC is written into the destination otherwise. (The processor never produces a locked read without also producing a locked write.) This instruction is not supported on Intel386 processors.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

CMPXCHG8B - Compare and Exchange 8 Bytes
The CMPXCHG8B instruction compares the 64-bit value in EDX:EAX with DEST. EDX contains the high-order 32 bits, and EAX contains the low-order 32 bits of 64-bit value. If they are equal, the 64-bit value in ECX:EBX is stored into DEST. ECX contains the high-order 32 bits and EBX contains the low- order 32 bits. Otherwise, DEST is loaded into EDX:EAX.
 * Description

IF EDX:EAX=DEST ZF ← 1 DEST ← ECX:EBX ELSE ZF ← 0 EDX:EAX ← DEST
 * Operation

The ZF flag is set if the destination operand and EDX:EAX are equal; otherwise it is cleared. The CF, PF, AF, SF, and OF flags are unaffected. The destination operand must be a memory operand, not a register. If the CMPXCHG8B instruction is run with a modr/m byte representing a register as the destination operand, #UD occurs. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH. Same exceptions as in real-address mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. #UD if modr/m byte represents a register as the destination. This instruction can be used with a LOCK prefix. In order to simplify interface to the processor's bus, the destination operand receives a write cycle without regard to the result of the comparison. DEST is written back if the comparison fails, and SRC is written into the destination otherwise. (The processor never produces a locked read without also producing a locked write.) The "r/m64" syntax had previously been used only in the context of floating point operations. It indicates a 64-bit value, in memory at an address determined by the modr/m byte. This instruction is not supported on Intel486 processors.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

CPUID - CPU Identification
The CPUID instruction provides information to software about the vendor, family, model, and stepping of microprocessor on which it is running. An input value loaded into the EAX register for this instruction indicates what information should be returned by the CPUID instruction. Following processing of the CPUID instruction with a zero in EAX, the EAX register contains the highest input value understood by the CPUID instruction. For the Pentium processor, the value in EAX will be a one. Also included in the output of this instruction with an input value of zero in EAX is a vendor identification string contained in the EBX, EDX, and ECX registers. EBX contains the first four characters, EDX contains the next four characters and ECX contains the last four characters. For Intel processors, the vendor identification string is "GenuineIntel" as follows: EBX ← 756e6547h (* "Genu", with G in the low nibble of BL *) EDX ← 49656e69h (* "ineI", with i in the low nibble of DL *) ECX ← 6c65746eh (* "ntel", with n in the low nibble of CL *) Following processing of the CPUID instruction with an input value of one loaded into the EAX register, EAX[3:0] contains the stepping id of the microprocessor, EAX[7:4] contains the model (the first model will be indicated by 0001B in these bits) and EAX[11:8] contains the family (5 for the Pentium processor family). EAX[31:12] are reserved, as well as EBX, and ECX. The Pentium processor sets the feature register, EDX, to 1BFH indicating which features the Pentium processor supports. A feature flag set to one indicates that the corresponding feature is supported. The feature set register is defined as follows: EDX[0:0] FPU on chip EDX[6:1] Refer to the Intel documentation EDX[7:7] Machine Check Exception EDX[8:8] CMPXCHG8B Instruction EDX[31:9] Reserved Software should determine the vendor identification in order to properly interpret the feature register flag bits. For more information on the feature set register, see the Intel documentation.
 * Description

switch (EAX) case 0: EAX ← hv;(* hv=1 for the Pentium processor *) (* hv is the highest input value that is understood by CPUID. *) EBX ← Vendor identification string; EDX ← Vendor identification string; ECX ← Vendor identification string; break; case 1: EAX[3:0] ← Stepping ID; EAX[7:4] ← Model; EAX[11:8] ← Family; EAX[31:12] ← Reserved; EBX ← reserved;     (* 0 *) ECX ← reserved;     (* 0 *) EBX ← feature flags; break; default: (* EAX > hv *) EAX ← reserved, undefined; EBX ← reserved, undefined; ECX ← reserved, undefined; EDX ← reserved, undefined; break; end-of-switch
 * Operation

CWD/CDQ - Convert Word to Double/Convert Double to Quad
CWD and CDQ double the size of the source operand. The CWD instruction copies the sign (bit 15) of the word in the AX register into every bit position in the DX register. The CDQ instruction copies the sing (bit 31) of the doubleword in the EAX register into every bit position in the EDX register. The CWD instruction can be used to produce a doubleword dividend from a word before a word division, and the CDQ instruction can be used to produce a quadword dividend from a doubleword before doubleword division. The CWD and CDQ instructions are different mnemonics for the same opcode. Which one gets run is determined by whether it is in a 16- or 32-bit segment and the presence of any operand-size override prefixes.
 * Description

IF OperandSize = 16 (* instruction = CWD *) THEN DX ← SignExtend(AX); ELSE (* OperandSize = 32, instruction = CDQ *) EDX ←SignExtend(EAX); FI;
 * Operation

CWDE - Convert Word to Doubleword
See entry for CBW/CWDE-Convert Byte to Word/Convert Word to Doubleword.

DAA - Decimal Adjust AL after Addition
Run the DAA instruction only after running an ADD instruction that leaves a two-BCD-digit byte result in the AL register. The ADD operands should consist of two packaged BCD digits. The DAA instruction adjusts the AL register to contain the correct two-digit packed decimal result.
 * Description

IF (((AL AND 0FH) > 09H) or EFLAGS.AF = 1) THEN AL ← AL + 06H; FI; IF (((AL AND 0F0H) > 90H) or EFLAGS.CF = 1) THEN AL ← AL + 60H; CF ← 1; FI;
 * Operation

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal carry; the SF, ZF and PF flags are set according to the result. The OF flag is undefined.

DAS - Decimal Adjust AL after Subtraction
Run the DAS instruction only after a subtraction instruction that leaves a two-BCD-digit byte result in the AL register. The operands should consist of two packed BCD digits. The DAS instruction adjusts the AL register to contain the correct packed two-digit decimal result.
 * Description

tmpCF ← 0; tmpAL ← AL; IF (((tmpAL AND 0FH) > 9H) or AF = 1) THEN AF ← 1; AL ← AL - 6H; tmpCF ← (AL < 0) OR CF; FI; IF ((tmpAL > 99H) or CF = 1) THEN AL ← AL - 60H; tmpCF ← 1; FI; CF ← tmpCF;
 * Operation

The AF and CF flags are set if there is a decimal borrow, cleared if there is no decimal borrow; the SF, ZF and PF flags are set according to the result. The OF flag is undefined.

DEC - Decrement by 1
The DEC instruction subtracts 1 from the operand. The DEC instruction does not change the CF flag. To affect the CF flag, use the SUB instruction with an immediate operand of 1.
 * Description

DEST ← DEST - 1;
 * Operation

The OF, SF, ZF, AF, and PF flags are set according to the result.


 * Protected Mode Exceptions
 * 1) GP(0) if the result is a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

DIV - Unsigned Divide
The DIV instruction performs an unsigned division. The dividend is implicit ; only the divisor is given as an operand. The remainder is always less than the divisor. The type of the divisor determines which registers to use as follows:
 * Description

temp ← dividend / divisor; IF temp does not fit in quotient THEN Interrupt 0; ELSE quotient ← temp; remainder ← dividend MOD (r/m); FI; Note: Divisions are unsigned. The divisor is given by the r/m operand. The dividend, quotient, and remainder use implicit registers. Refer to the table under "Description".
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are undefined.

Interrupt 0 if the quotient is too large to fit in the designated register (AL, AX, or EAX), or if the divisor is 0; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions

Interrupt 0 if the quotient is too big to fit in the designated register (AL, AX, or EAX), or if the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

ENTER - Make Stack Frame for Procedure Parameters
The ENTER instruction creates the stack frame required by most block- structured high-level languages. The first operand specifies the number of bytes of dynamic storage allocated on the stack for the routine being entered. The second operand gives the lexical nesting level (0 to 31) of the routine within the high-level language source code. It determines the number of stack frame pointers copied into the new stack frame from the preceding frame. Both the operand-size attribute and the stack-size attribute are used to determine whether BP or EBP is used for the current frame pointer and SP or ESP is used for the stack pointer. If the operand-size attribute is 16-bits, the processor uses the BP register as the frame pointer and the SP register as the stack pointer, unless the stack-size attribute is 32-bits in which case it uses EBP for the frame pointer and ESP for the stack pointer. If the operand-size attribute is 32-bits, the processor uses the EBP register for the frame pointer and the ESP register for the stack pointer, unless the stack-size attribute is 16-bits in which case it uses BP for the frame pointer and SP for the stack pointer. If the second operand is 0, the ENTER instruction pushes the frame pointer (BP or EBP register) onto the stack; the ENTER instruction then subtracts the first operand from the stack pointer and sets the frame pointer to the current stack-pointer value. For example, a procedure with 12 bytes of local variables would have an ENTER 12,0 instruction at its entry point and a LEAVE instruction before every RET instruction. The 12 local bytes would be addressed as negative offsets from the frame pointer.
 * Description

level ← level MOD 32 2ndOperand <- 2ndOperand MOD 32 IF operand_size = 16 THEN Push(bp) ELSE Push(ebp) FI; IF stkSize = 16 THEN framePtr = sp ELSE framePtr = esp FI; FOR i ← 1 TO (2ndOperand - 1) DO   IF oprand_size = 16 THEN IF stkSize = 16 THEN bp = bp - 2 Push([bp]) (* word push *) ELSE (* stkSize = 32 *) ebp = ebp - 2 Push([ebp]) (* word push *) FI; ELSE (* operand_size = 32 *) IF stkSize = 16 bp = bp - 4 Push([bp]) (* doubleword push *) ELSE (* stkSize = 32 *) ebp = ebp - 4 Push([ebp]) (* doubleword push *) FI; FI; OD; IF stkSize = 16 THEN Push(framePtr); (* word push *) ELSE Pushd(framePtr); (* doubleword push *) FI; IF stkSize = 16 THEN bp = framePtr sp = sp - 1stOperand ELSE ebp = framePtr esp = esp - 1stOperand FI;
 * Operation


 * Protected Mode Exceptions
 * 1) SS(0) if the SP or ESP value would exceed the stack limit at any point during instruction processing; #PF(fault-code) for a page fault.

F2XM1 - Compute (2 to the power of X) minus 1
F2XM1 replaces the contents of ST with (2ST-1). ST must lie in the range -1 < ST < 1.
 * Description

ST ← (2ST-1);
 * Operation

P, U, D, I, IS. Interrupt 7 if either EM or TS in CR0 is set. If the operand is outside the acceptable range, the result of F2XM1 is undefined. Values other than 2 can be exponentiated using the formula xy = 2(y * log2x) The instructions FLDL2T and FLDL2E load the constants log210 and log2e, respectively. FYL2X can be used to calculate y * log2x for arbitrary positive x.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FABS - Absolute Value
The absolute value instruction clears the sign bit of ST. This operation leaves a positive value unchanged, or replaces a negative value with a positive value of equal magnitude.
 * Description

sign bit of ST ← 0
 * Operation

IS Interrupt 7 if either EM or TS in CR0 is set. The invalid-operation exception is raised only on stack underflow. No exception is raised if the operand is a signalling NaN or is in an unsupported format.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FADD/FADDP/FIADD - Add
The addition instructions add the source and destination operands and return the sum to the destination. The operand at the stack top can be doubled by coding: FADD ST, ST(0)
 * Description

DEST ← DEST +SRC; If instruction = FADDP THEN pop ST FI;
 * Operation

P, U, O, D, I, IS. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF ( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes:If the source operand is in memory, it is automatically converted to the extended-real format.

FBLD - Load Binary Coded Decimal
FBLD converts the BCD source operand into extended-real format, and pushes it onto the FPU stack. See Figure 6-10 for BCD data layout.
 * Description

Decrement FPU stack-top pointer; ST(0) ← SRC;
 * Operation

IS. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The source is loaded without rounding error. The sign of the source is preserved, including the case where the value is negative zero. The packed decimal digits are assumed to be in the range 0-9. The instruction does not check for invalid digits (A-FH), and the result of attempting to load an invalid encoding is undefined. ST(7) must be empty to avoid causing an invalid-operation exception.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF ( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FBSTP - Store Binary Coded Decimal and Pop
FBSTP converts the value in ST into a packed decimal integer, stores the result at the destination in memory, and pops ST. Non-integral values are first rounded according to the RC field of the control word. See Figure 6- 10 for BCD data layout.
 * Description

DEST ← ST(0); pop ST;
 * Operation

P, I, IS. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF (fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

FCHS - Change Sign
The change sign instruction inverts the sign bit of ST. This operation replaces a positive value with a negative value of equal magnitude, or vice-versa.
 * Description

sign bit of ST ← NOT (sign bit of ST)
 * Operation

IS Interrupt 7 if either EM or TS in CRO is set. The invalid-operation exception is raised only on stack underflow, even if the operand is signalling NaN or is an unsupported format.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FCLEX/FNCLEX - Clear Exceptions
FCLEX clears the exception flags, the exception status flag, and the busy flag of the FPU status word.
 * Description

SW[0..7] ← 0; SW[15]  ← 0;
 * Operation
 * Numeric Exceptions:None
 * Protected Mode Exceptions:#NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions:Interrupt 7 if either EM or TS in CR0 is set.
 * Virtual 8086 Mode Exceptions:#NM if either EM or TS in CR0 is set.
 * Notes:FCLEX checks for unmasked floating-point error conditions before clearing the exception flags, FNCLEX does not.

FCOM/FCOMP/FCOMPP - Compare Real
The compare real instructions compare the stack top to the source, which can be a register or a single- or double-real memory operand. If no operand is encoded, ST is compared to ST(1). Following the instruction, the condition codes reflect the relation between ST and the source operand.
 * Description

Case (relation of operands) OF   Not comparable:     C3, C2, C0 ← 111; ST > SRC:          C3, C2, C0 ← 000; ST < SRC:          C3, C2, C0 ← 001; ST = SRC:          C3, C2, C0 ← 100; If instruction = FCOMP THEN pop ST; Fl; If instruction = FCOMPP THEN pop ST; pop ST; Fl;
 * Operation

C1 as described in FPU Flags Affected; C0, C2, C3 as specified above. D, I, IS. Interrupt 13 if any part of the operand would like outside effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. If either operand is NaN or is in an undefined format, or if a stack fault occurs, the invalid-operation exception is raised, and the condition bits are set to "unordered." The sign of zero is ignored, so that -0.0 =-+0.0.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF ( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FCOS - Cosine
The cosine instruction replaces the contents of ST with cos(ST). ST, expressed in radians, must lie in the range 101 < 2 63.
 * Description

IF operand is in range THEN C2 ← 0; ST ← cos(ST); ELSE C2 ← 1; FI;
 * Operation

C1, C2 as described in FPU Flags Affected; C0, C3 undefined.


 * Numeric Exceptions:P,D,I,IS.
 * Protected Mode Exceptions:#NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions:Interrupt 7 if either EM or TS in CR0 is set.
 * Virtual 8086 Mode Exceptions:#NM if either EM or TS in CR0 is set.


 * Notes:If the operand is outside the acceptable range, the C2 flag is set, and ST remains unchanged. It is the programmer's responsibility to reduce the operand to an absolute value smaller than 263 by subtracting an appropriate integer multiple of 2ã. See the Intel documentation for discussion of the proper value to use for ã in performing such reductions.

FDECSTP - Decrement Stack-Top Pointer
FDESCSTP subtracts one (without carry) from the three-bit TOP field of the FPU status word.
 * Description

IF TOP=0 THEN TOP ← 7; ELSE TOP ← TOP-1; FI;
 * Operation

None. .#NM if either EM or TS in CR0 is set. Interrupt 7 if either EM or TS in CR0 is set. The effect of FDECSTP is to rotate the stack. It does not alter register tags or contents, nor does it transfer data.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Notes

FDISI/FNDISI - Disable Interrupts

 * Description


 * Operation


 * Numeric Exceptions


 * Protected Mode Exceptions


 * Real Address Mode Exceptions


 * Notes

FDIV/FDIVP/FIDIV - Divide
The division instructions divide the stack top by other operand and return the quotient to the destination.
 * Description

FDIV DEST, SRC DEST ← DEST ö SRC If instruction = FDIVP THEN pop ST FI;
 * Operation

P, U, O, Z, D, I, IS.
 * Numeric Exceptions


 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

If the source operand is in memory, it is automatically converted to the extended-real format. The performance of the division instructions depends on the PC (Precision Control) field of the FPU control word. If PC specifies a precision of 53 bits, the division instructions will run in 33 clocks. If the specified precision is 24 bits, the division instructions will take only 19 clocks.
 * Notes

FDIVR/FDIVRP/FIDIVR - Reverse Divide

 * Details Table

The division instructions divide the other operand by the stack top and return the quotient to the destination.
 * Description

FDIVR DEST, SRC DEST ← SRC ö DEST IF instruction = FDIVRP THEN pop ST FI;
 * Operation

P, U, O, Z, D, I, IS. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. If the source operand is in memory, it is automatically converted to the extended-real format. The performance of the division instructions depends on the PC (Precision Control) field of the FPU control word. If PC specifies a precision of 53 bits, the reverse division instructions will run in 33 clocks. If the specified precision is 24 bits, the reverse division instructions will take only 19 clocks.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FENI/FNENI - Enable Interrupts

 * Description


 * Operation


 * Numeric Exceptions


 * Protected Mode Exceptions


 * Real Address Mode Exceptions


 * Notes

FFREE - Free Floating-Point Register
FFREE tags the destination register as empty. TAG(i) ← 11B; None .#NM if either EM or TS in CR0 is set. Interrupt 7 if either EM or TS in CR0 is set. .#NM if either EM or TS in CR0 is set.
 * Description
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes:FFREE does not affect the contents of the destination register. The floating-point stack pointer (TOP) is also unaffected.

FICOM/FICOMP - Compare Integer
The compare integer instructions compare the stack top to the source. Following the instruction, the condition codes reflect the relation between ST and the source operand.
 * Description

CASE (relation of operands) OF    Not comparable:  C3, C2, C0 ← 111; ST > SRC:       C3, C2, C0 ← 000; ST < SRC:       C3, C2, C0 ← 001; ST = SRC:       C3, C2, C0 ← 100; If instruction = FICOMP THEN pop ST; FI;
 * Operation

C1 as described in FPU Flags Affected; C0, C2, C3 as specified above. D, I, IS. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The memory operand is converted to extended-real format before the comparison performed. If either operand is a NaN or is in an undefined format, of if a stack fault occurs, the invalid operation exception is raised, and the condition bits are set to "unordered".
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FILD - Load Integer
FILD converts the source signed integer operand into extended-real format, and pushes it onto the FPU stack.
 * Description

Decrement FPU stack-top pointer; ST(0) ← SRC;
 * Operation

IS. .#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The source is loaded without rounding error. ST(7) must be empty to avoid causing an invalid-operation exception.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FINCSTP - Increment Stack-Top Pointer
FINCSTP adds one (without carry) to the three-bit TOP field of the FPU status word.
 * Description

IF TOP = 7 THEN TOP ← 0; ELSE TOP ← TOP + 1; FI; None Interrupt 7 if either EM or TS in CR0 is set. The effect of FINCSTP is to rotate the stack. It does not alter register tags or contents, nor does it transfer data. It is not equivalent to popping the stack, because it does not set the tag of the old stack-top to empty.
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM is either EM or TS in CR0 is set.
 * Notes

FINIT/FNINIT - Initialize Floating-Point Unit
The initialization instructions set the FPU into a known state, unaffected by any previous activity. The FPU control word is set to 037FH (round to nearest, all exceptions masked, 64-bit precision). The status word is cleared (no exception flags set, stack register R0=stack-top). The stack registers are all tagged as empty. The error pointers (both instruction and data) are cleared.
 * Description

CW ← 037FH;     (* Control word *) SW ← 0;         (*Status word*) TW ← FFFFH;     (* Tag word *) FEA ← 0; FDS ← 0; (* Data pointer *) FIP ← 0; FOP ← 0; FCS ← 0; (* Instruction pointer *)
 * Operation

C0, C1, C2, C3 cleared.

None Interrupt 7 if either EM or TS in CR0 is set. FINIT checks for unmasked floating-point error conditions before performing the initialization; FNINIT does not. On the Pentium processor, unlike the Intel387 math coprocessor, FINIT and FNINIT clear the error pointers.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FIST/FISTP-Store Integer
FIST converts the value in ST into a signed integer according to the RC field of the control word and transfers the result to the destination. ST remains unchanged. FIST accepts word and short integer destinations; FISTP accepts these and long integers as well.
 * Description

DEST ← ST(0); IF instruction = FISTP THEN pop ST FI; P, I, IS.
 * Operation
 * Numeric Exceptions


 * Protected Mode Exceptions
 * 1) GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

Negative zero is stored with the same encoding (00..00) as positive zero. If the value is too large to represent as an integer, an I exception is raised. The masked response is to write the most negative integer to memory.
 * Notes

FLD-Load Real

 * Details Table

FLD pushes the source operand onto the FPU stack. If the source is a register, the register number used is that before the stack-top pointer is decremented. In particular, coding FLD ST(0) duplicates the stack top.
 * Description

Decrement FPU stack-top pointer; ST(0) ← SRC;
 * Operation

D, I, IS.
 * Numeric Exceptions


 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

If the source operand is single- or double-real format, it is automatically converted to the extended-real format. Loading an extended-real operand does not require conversion, so the I and D exceptions will not occur in this case. ST(7) must be empty to avoid causing an invalid-operation exception.
 * Notes

FLD1/FLDL2T/FLDL2E/FLDPI/FLDLG2/FLDLN2/FLDZ - Load Constant
Each of the constant instructions pushes a commonly-used constant (in extended-real format) onto the FPU stack.
 * Description

Decrement FPU stack-top pointer; ST(0) ← CONSTANT;
 * Operation

IS .#NM if either EM or TS in CR0 is set. Interrupt 7 if either EM or TS in CR0 is set. .#NM if either EM or TS in CR0 is set. ST(7) must be empty to avoid an invalid exception. An internal 66-bit constant is used and rounded to external-real format (as specified by the RC bit of the control words). The precision exception is not raised.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FLDCW - Load Control Word
FLDCW replaces the current value of the FPU control word with the value contained in the specified memory word.
 * Description

CW ← SRC; None, except for unmasking an existing exception. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. FLDCW is typically used to establish or change the FPU's mode of operation. If an exception bit in the status word is set, loading a new control word that unmasks that exception will result in a floating-point error condition. When changing modes, the recommended procedure is to clear any pending exceptions before loading the new control word.
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FLDENV - Load FPU Environment
FLDENV reloads the FPU environment from the memory area defined by the source operand. This data should have been written by previous FSTENV or FNSTENV instruction. The FPU environment conists of the FPU control word, status word, tag word, and error pointers (both data and instruction). The environment layout in memory depends on both the operand size and the current operating mode of the processor. The USE attribute of the current code segment determines the operand size: The 14-byte operand applies to a USE16 segment, and the 28- byte operand applies to a USE32 segment. Refer to the Intel documentation for figures of the environment layouts for both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the real mode layout is used.) FLDENV should be run in the same operating mode as the corresponding FSTENV or FNSTENV. FPU environment ← SRC;
 * Description
 * Operation
 * Numeric Exceptions:None, except for loading an unmasked exception.
 * Protected Mode Exceptions:#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions:Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Virtual 8086 Mode Exceptions:Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Notes:If the environment image contains an unmasked exception, loading it will result in a floating-point error condition.

FMUL/FMULP/FIMUL - Multiply
The multiplication instructions multiply the destination operand by the source operand and return the product to the destination. DEST ← DEST * SRC; IF instruction = FMULP THEN pop ST FI; P, U, O, D, I. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Description
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments;
 * 2) SS(0) for an illegal address in the SS segment;
 * 3) PF(fault-code) for a page fault;
 * 4) NM if either EM or TS in CR0 is set;
 * 5) AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

If the source operand is in memory, it is automatically converted to the extended-real format.
 * Notes

FNOP-No Operation
FNOP performs no operation. It affects nothing except instruction pointers. None Interrupt 7 if either EM or TS in CR0 is set.
 * Description
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.

FPATAN-Partial Arctangent
The partial arctangent instruction computes the arctangent of ST(1) ö ST, and returns computed value, expressed in radians, to ST(1). It then pops ST. The result has the same sign as the operand from ST(1), and a magnitude less than ã.
 * Description

ST(1) ← arctan(ST(1) ö ST); pop ST;
 * Operation

P, U, D, I, IS.
 * Numeric Exceptions


 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.

Interrupt 7 if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions


 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.

There is no restriction on the range of arguments that FPATAN can accept. The fact that FPATAN takes two arguments and computes the arctangent of their ratio simplifies the calculation of other trigonometric functions. For instance, arcsin(x) (which is the arctangent of x ö û(1-xý)) can be computed using the following sequence of operations: Push x onto the FPU stack; compute û(1-xý) and push the resulting value onto the stack; run FPATAN.
 * Notes

FPREM-Partial Remainder
The partial remainder instruction computes the remainder obtained on dividing ST by ST(1), and leaves the result in ST. The sign of the remainder is the same as the sign of the original dividend in ST. The magnitude of the remainder is less than that of the modulus.
 * Description

EXPDIF ← exponent(ST) - exponent(ST(1)); IF EXPDIF < 64 THEN Q ← integer obtained by chopping ST ö ST(1) toward zero; ST ← ST - (ST(1) * Q); C2 ← 0; C0, C1, C3 ← three least-significant bits of Q; (* Q2, Q1, Q0 *) ELSE C2 ← 1; N ← a number between 32 and 63; QQ ← integer obtained by chopping (ST ö ST(1)) ö 2EXPDIF-N toward zero; ST ← ST - (ST(1) * QQ * 2EXPDIF-N; FI; U, D, I, IS. Interrupt 7 if either EM or TS in CR0 is set. FREM produces an exact result; the precision (inexact) exception does not occur and the rounding control has no effect. The FPREM instruction is not the remainder operation specified in IEEE Std 754. To get that remainder, the FPREM1 instruction should be used. FPREM is supported for compatibility with the 8087 and Intel287 math coprocessors. FPREM works by iterative subtraction, can reduce the exponent of ST by no more than 63 in one execution. If FPREM succeeds in producing a remainder that is less than the modulus, the function is complete and the C2 flag is cleared. Otherwise, C2 is set, and the result in ST is called the partial remainder. The exponent of the partial remainder is less than the exponent of the original dividend by at least 32. Software can run the instruction again (using the partial remainder in ST as the dividend) until C2 is cleared. A higher-priority interrupting routine that needs the FPU can force a context switch between the instructions in the remainder loop. An important use of FPREM is to reduce the arguments of periodic functions. When reduction is complete, FPREM provides the three least-significant bits of the quotient in flags C3, C1, and C0. This is important in argument reduction for the tangent function (using a modulus of ã/4), because it locates the original angle in the correct one of eight sectors of the unit circle.
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FPREM1 - Partial Remainder
The partial remainder instruction computes the remainder obtained on dividing ST by ST(1), and leaves the result in ST. The magnitude of the remainder is less than that of the modulus.
 * Description

EXPDIF ← exponent(ST) - exponent(ST(1)); IF EXPDIF < 64 THEN Q ← integer obtained by rounding ST ö ST(1) to the nearest integer; (*or the nearest even integer if the result is exactly halfway between 2 integers *) ST ← ST - (ST(1) * Q); C2 ← 0; Q ← ST - (ST(1) * Q); C0, C1, C3 ← three least-significant bits of Q; (* Q2, Q1, Q0 *) C2 ← 0; C0, C1, C3 ← three least-significant bits of Q; (* Q2, Q1, Q0 *) ELSE C2 ← 1; N ← a number between 32 and 63; QQ ← integer obtained by chopping (ST ö ST(1)) ö 2EXPDIF-N; toward zero; ST ← ST - (ST(1) * QQ * 2EXPDIF-N FI;
 * Operation

U, D, I, IS. Interrupt 7 if either EM or TS in CR0 is set. FPREM1 produces an exact result; the precision (inexact) exception does not occur and the rounding control has no effect. The FPREM1 instruction is not the remainder operation specified in IEEE Std 754. It differs from FPREM in the way it rounds the quotient of ST and ST(1), when the exponent difference of exp(ST) -exp(ST)1 is less than 64. FPREM1 works by iterative subtraction, can reduce the exponent of ST by no more than 63 in one execution. If FPREM1 succeeds in producing a remainder that is less than one half the modulus, the function is complete and the C2 flag is cleared. Otherwise, C2 is set, and the result in ST is called the partial remainder. The exponent of the partial remainder is less than the exponent of the original dividend by at least 32. Software can run the instruction again (using the partial remainder in ST as the dividend) until C2 is cleared. A higher-priority interrupting routine that needs the FPU can force a context switch between the instructions in the remainder loop. An important use of FPREM1 is to reduce the arguments of periodic functions. When reduction is complete, FPREM1 provides the three least-significant bits of the quotient in flags C3, C1, and C0. This is important in argument reduction for the tangent function (using a modulus of ã/4), because it locates the original angle in the correct one of eight sectors of the unit circle.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FPTAN-Partial Tangent
The partial tangent instruction replaces the contents of ST with tan(ST), and then pushes 1.0 onto the FPU stack. ST, expressed in radians, must lie in the range |0| < 263.
 * Description

IF operand is in range THEN C2 ← 0; ST ← tan(ST); Decrement stack-top pointer; ST ← 1.0; ELSE C2 ← 1; FI;
 * Operation

C1, C2 as described in FPU Flags Affected; C0, C3 undefined.

P, U, D, I, IS. Interrupt 7 either EM or TS in CR0 is set. If the operand is outside the acceptable range, the C2 flag is set, and ST remains unchanged. It is the programmer's responsibility to reduce the operand to an absolute value smaller than 263 by subtracting an appropriate integer multiple of 2ã. Refer to the Intel documentation 6 for a discussion of the proper value to use for ã in performing such reductions. The fact that FPTAN pushes 1.0 onto the FPU stack after computing tan(ST) maintains compatibility with the 8087 and Intel287 math coprocessors, and simplifies the calculation of other trigonometric functions. For instance, the cotangent (which is the reciprocal of the tangent) can be computed by running FDIVR after FPTAN. ST(7) must be empty to avoid an invalid-operation exception.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FRNDINT-Round to Integer
The round to integer instruction rounds the value in ST to an integer according to the RC field of the FPU control word.
 * Description

ST ← rounded ST;
 * Operation

P, D, I, IS. Interrupt 7 if either EM or TS in CR0 is set.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.

FRSTOR/FRSTRW/FRSTRD - Restore FRU State

 * Description:FRSTOR reloads the FPU state (environment and register stack) from the memory area defined by the source operand. This data should have been written by a previous FSAVE or FNSAVE instruction.
 * The FPU environment consists of the FPU control word, status word, tag word, and error pointers (both data and instruction). The environment layout in memory depends on both the operand size and the current operating mode of the processor. The USE attribute of the current code segment determines the operand size: the 14-byte operand applies to a USE16 segment, and the 28- byte operand applies to a USE32 segment. Refer to the Intel documentation for the environment layouts for both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the real mode layout is used.) The stack registers, beginning with ST and ending with ST(7), are in the 80 bytes that immediately follow the environment image. FRSTOR should be run in the same operating mode as the corresponding FSAVE or FNSAVE.

FPU state ← SRC;
 * Operation
 * Numeric Exceptions:None, except for loading an unmasked exception.
 * Protected Mode Exceptions:#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions:Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Virtual 8086 Mode Exceptions:Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Notes:If the state image contains an unmasked exception, loading it will result in a floating-point error condition.

FSAVE/FNSAVE-Store FPU State
The save instructions write the current FPU state (environment and register stack) to the specified destination, and then re-initialize the FPU. The environment consists of the FPU control word, status word, tag word, and error pointers (both data and instruction).
 * Description

The state layout in memory depends on both operand size and the current operating mode of the processor. The USE attribute of the current code segment determines the operand size: the 94-byte operand applies to USE16 segment, and the 108-byte operand applies to a USE32 segment.

Refer to the Intel documentation for the environment layouts for both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the real mode layout is used.) The stack registers, beginning with ST and ending with ST( 7), are stored in the 80 bytes that immediately follow the environment image.

DEST ← FPU state; initialize FPU; (* Equivalent to FNINIT *)
 * Operation

C0, C1, C2, C3 cleared.

None
 * Numeric Exceptions


 * Protected Mode Exceptions
 * 1) GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

FSAVE and FNSAVE do not store the FPU state until all FPU activity is complete. Thus, the saved image reflects the state of the FPU after any previously decoded instruction has been run. If a program is to read from the memory image of the state following a save instruction, it must issue an FWAIT instruction to ensure that the storage is complete. The save instructions are typically used when an operating system needs to perform a context switch, or an exception handler needs to use the FPU, or an application program wants to pass a "clean" FPU to a subroutine.
 * Notes

FSCALE-Scale
The scale instruction inteprets the value in (ST(1) as an integer, and adds this integer to the exponent of ST. Thus, FSCALE provides rapid multiplication or division by integral powers of 2. ST ← ST * 2ST(1); P, U, O, D, I, IS. Interrupt 7 if either EM or TS in CR0 is set. FSCALE can be used as an inverse to FXTRACT. Because FSCALE does not pop the exponent part, however, FSCALE must be followed by FSTP ST(1) in order to completely undo the effect of a preceding FXTRACT. There is no limit on the range of the scale factor in ST(1). If the value is not integral, FSCALE uses the nearest integer smaller in magnitude; i.e., it chops the value toward 0. If the resulting integer is zero, the value in ST is not changed.
 * Description
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FSETPM-Set Protected Mode
Sets the operating mode of the 80287 to Protected Virtual-Address mode. When the 80287 is first initialized following hardware RESET, it operates in Real-Address mode, just as does the 80286 CPU. Once the 80287 NPX has been set into Protected mode, only a hardware RESET can return the NPX to operation in Real-Address mode. When the 80287 operates in Protected mode, the NPX exception pointers are represented differently than they are in Real-Address mode (see the FSAVE and FSTENV instructions). This distinction is evident primarily to writers of numeric exception handlers, however. For general application programmers, the operating mode of the 80287 need not be a concern.
 * Description
 * Operation


 * FPU Flags Affected


 * Numeric Exceptions


 * Protected Mode Exceptions


 * Real Address Mode Exceptions

FSIN-Sine
The sine instruction replaces the contents of ST with sin(ST). ST, expressed in radians, must lie in the range |01| < 263. If operand is in range THEN C2 ← 0; ELSE C2 ← 1; FI:
 * Description
 * Operation

C1, C2 as described in FPU Flags Affected; C0, C3 undefined.

P, U, D, I, IS. Interrupt 7 if either EM or TS in CR0 is set. If the operand is outside the acceptable range, the C2 flag is set, and ST remains unchanged. It is the programmer's responsibility to reduce the operand to an absolute value smaller than 263 by subtracting an appropriate integer multiple of 2ã. Refer to the Intel documentation for a discussion of the proper value to use the ã in performing such reductions.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FSINCOS-Sine and Cosine
FSINCOS computes both sin(ST) and cos(ST), replaces ST with the sine and then pushes the cosine onto the FPU stack. ST, expressed in radians, must lie in the range |0| < 263.
 * Description

IF operand is in range THEN C2 ← 0; TEMP ← cos(ST); ST ← sin(ST); Decrement FPU stack-top pointer; ST ← TEMP; ELSE C2 ← 1; FI:
 * Operation

C1, C2 as described in FPU Flags Affected; C0, C3 undefined.

P, U, D, I, IS. .#NM if either EM or TS in CR0 is set. Interrupt 7 if either EM or TS in CR0 is set. .#NM if either EM or TS in CR0 is set. If the operand is outside the acceptable range, the C2 flag is set, and ST remains unchanged. It is the programmer's responsibility to reduce the operand to an absolute value smaller than 263 by subtracting an appropriate integer multiple of 2ã. Refer to the Intel documentation for a discussion of the proper value to use for ã in performing such reductions. It is faster to run FSINCOS than to run both FSIN and FCOS.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FSQRT-Square Root
The square root instruction replaces the value in ST with its square root. ST ← square root of ST; P, D, I, IS. Interrupt 7 if either EM or TS in CR0 is set. The square root of -0 is -0.
 * Description
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FST/FSTP-Store Real
FST copies the current value in the ST register to the destination, which can be another register or a single- or double-real memory operand. FSTP copies and then pops ST; it accepts extended-real memory operands as well as the types accepted by FST. If the source is register, the register number used is that before the stack is popped. DEST ← ST(0); IF instruction = FSTP THEN pop ST FI;
 * Description
 * Operation
 * Numeric Exceptions
 * Register or extended-real destinations: IS
 * Single- or double-real destinations: P, U, O, I, IS

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. If the destination is single- or double-real, the significand is rounded to the width of the destination according to the RC field of the control word, and the exponent is converted to the width and bias of the destination format. The over/underflow condition is checked for as well. If ST contains zero, ñì, or a NaN, then the significand is not rounded, but chopped (on the right) to fit the destination. Nor is the exponent converted; it too is chopped on the right. These operations preserve the value's identity as ì or NaN (exponent all ones). The invalid-operation exception is not raised when the destination is a nonempty stack element. A denormal operand in ST(0) causes an underflow. No denormal operand exception is raised.
 * Protected Mode Exceptions
 * 1) GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FSTCW/FNSTCW-Store Control Word
FSTCW and FNSTCW write the current value of the FPU control word to the specified destination. DEST ← CW;
 * Description
 * Operation
 * Numeric Exceptions:None
 * Protected Mode Exceptions:#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions:Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Virtual 8086 Mode Exceptions:Same exceptions as in Real Address Mode; #PF(fault-code for a page fault; # AC for unaligned memory reference if the current privilege level is 3.
 * Notes:FSTCW checks for unmasked floating-point error conditions before storing the control word FNSTCW does not.

FSTENV/FNSTENV-Store FPU Environment

 * Description:The store environment instructions write the current FPU environment to the specified destination, and then mask all floating-point exceptions. The FPU environment consists of the FPU control word, status word, tag word, and error pointer (both data and instruction).
 * The environment layout in memory depends on both the operand size and the current operating mode of the processor. The USE attribute of the current code segment determines the operand size: the 14-byte operand applies to a USE16 segment, and the 28-byte operand applies to a USE32 segment. Figures 6-6 through 6-8 show the environment layouts for both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the real mode layout is used).

DEST ← FPU environment; CW[0..5] ← 111111B;
 * Operation
 * Numeric Exceptions:None
 * Protected Mode Exceptions:#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions:Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
 * Virtual 8086 Mode Exceptions:Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Notes:FSTENV and FNSTENV do not store the environment until FPU activity is complete. Thus, the save environment reflects the state of the FPU after any previously decoded instruction has been run.
 * The store environment instructions are often used by exception handlers because they provide access to the FPU error pointers. The environment is typically saved onto the memory stack. After saving the environment, FSTENV and FNSTENV sets all the exception masks in the FPU control word. This prevents floating-point errors from interrupting the exception handler.
 * FSTENV checks for unmasked floating-point error conditions before storing the FPU environment; FNSTENV does not.

FSTSW/FNSTSW-Store Status Word
FSTSW and FNSTSW write the current value of the FPU status word to the specified destination, which can be either a two-byte location in memory or the AX register. DEST ← SW; None Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. FSTSW checks for unmasked floating-point error conditions before storing the status word; FNSTSW does not. FSTSW and FNSTSW are used primarily in conditional branching (after a comparison, FPREM, FPREM1, or FXAM instruction). They can also be used to invoke exception handlers (by polling the exception bits) in environments that do not use interrupts. When FNSTSW AX is run, the AX register is updated before the processor runs any further instructions. The status stored is that from the completion of the prior ESC instruction.
 * Description
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FSUB/FSUBP/FISUB-Subtract
The subtraction instructions subtract the other operand from the stack top and return the difference to the destination. DEST ← ST - Other Operand; IF instruction = FSUBP THEN pop ST FI; P, U, O, D, I, IS. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. If the source operand is in memory, it is automatically converted to the extended-real format.
 * Description
 * Operation
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FSUBR/FSUBRP/FISUBR-Reverse Subtract
The reverse subtraction instructions subtract the stack top from the other operand and return the difference to the destination.
 * Description

DEST ← Other Operand - ST; IF instruction = FSUBRP THEN pop ST FI;
 * Operation

P, U, O, D, I, IS. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. If the source operand is in memory, it is automatically converted to the extended-real format.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in SS segment; #PF(fault- code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FTST-Test
The test instruction compares the stack top to 0.0. Following the instruction, the condition codes reflect the result of the comparison. CASE (relation of operands) OF     Not comparable:   C3, C2, C0 ← 111; ST > SRC:        C3, C2, C0 ← 000; ST < SRC:        C3, C2, C0 ← 001; ST = SRC:        C3, C2, C0 ← 100;
 * Description
 * Operation

C1 as described in FPU Flags Affected; C0, C2, C3 as specified above.

D, I, IS. Interrupt 7 if either EM or TS in CR0 is set. If ST contains a NaN or an object of undefined format, or if a stack fault occurs, the invalid-operation exception is raised, and the condition bits are set to "unordered." The sign of zero is ignored, so that -0.0=+0.0.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FUCOM/FUCOMP/FUCOMPP-Unordered Compared Real
CASE (relation of operands) OF     Not comparable:   C3, C2, C0 ← 111; ST > SRC:        C3, C2, C0 ← 000; ST < SRC:        C3, C2, C0 ← 001; ST = SRC:        C3, C2, C0 ← 100; IF instruction = FUCOMP THEN pop ST; FI; IF instruction = FUCOMPP THEN pop ST; pop ST; FI; C1 as described in FPU Flags Affected; C0, C2, C3 as specified above.
 * Description:The unordered compare real instructions compare the stack top to the source, which must be a register. If no operand is encoded, ST is compared to ST(1). Following the instruction, the condition codes reflect the relation between ST and the source operand.
 * Operation
 * FPU Flags Affected
 * Numeric Exceptions:D, I, IS.
 * Protected Mode Exceptions:#NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions:Interrupt 7 if either EM or TS in CR0 is set.
 * Virtual 8086 Mode Exceptions:#NM if either EM or TS in CR0 is set.
 * Notes:If either operand is an SNaN or is in an undefined format, or if a stack fault occurs, the invalid-operation exception is raised, and the condition bits are set to "unordered".
 * If either operand is a QNaN, the condition bits are set to "unordered." Unlike the ordinary compare instructions (FCOM, etc.), the unordered compare instructions do not raise the invalid-operation exception on account of a QNaN operand.
 * The sign of zero is ignored, so that -0.0=+0.0.

FWAIT-Wait
FWAIT causes the processor to check for pending unmasked numeric exceptions before proceeding. None Interrupt 7 if both MP and TS in CR0 are set. As its opcode shows, FWAIT is not actually an ESC instruction, but an alternate mnemonic for WAIT. Coding FWAIT after an ESC instruction ensures that any unmasked floating-point exceptions the instruction may cause are handled before the processor has a chance to modify the instruction's results. Refer to the Intel documentation for more information about when to use FWAIT.
 * Description
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if both MP and TS in CR0 are set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if both MP and TS in CR0 are set.
 * Notes

FXAM-Examine
The examine instruction reports the type of object contained in the ST register by setting the FPU Flags. C1 ← sign bit of ST; (* 0 for positive, 1 for negative *) CASE (type of object in ST) OF     Unsupported:  C3, C2, C0 ← 000; NaN:        C3, C2, C0 ← 001; Normal:     C3, C2, C0 ← 010; Infinity:   C3, C2, C0 ← 011; Zero:       C3, C2, C0 ← 100; Empty:      C3, C2, C0 ← 101; Denormal:   C3, C2, C0 ← 110;
 * Description
 * Operation

C0, C1, C2, C3 as shown above. None Interrupt 7 if either EM or TS in CR0 is set. C1 bit represents the sign of ST(0) regardless of whether ST(0) is empty or full.
 * FPU Flags Affected
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FXCH-Exchange Register Contents
FXCH swaps the contents of the destination and stack-top registers. If the destination is not coded explicitly, ST(1) is used.
 * Description

TEMP ← ST; ST ← DEST; DEST ← TEMP;
 * Operation

IS. &#35;NM if either EM or TS in CR0 is set. Interrupt 7 if either EM or TS in CR0 is set. &#35;NM if either EM or TS in CR0 is set. Many numeric instructions operate only on the stack top; FXCH provides a simple means for using these instructions on lower stack elements. For example, the following sequence takes the square root of the third register from the top (assuming that ST is nonempty): FXCH ST (3) FSQRT FXCH ST (3) FXCH can be paired with some floating point instructions (i.e., FADD, FSUB, FMUL, FLD, FCOM, FUCOM, FCHS, FTST, FABS, FDIV. This set also includes the FADDP, FSUBRP, etc., instructions). When paired, the FXCH gets run in parallel, and does not take any additional clocks.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

FXTRACT-Extract Exponent and Significand
FXTRACT splits the value in ST into its exponent and significand. The exponent replaces the original operand on the stack and the significand is pushed onto the stack. Following execution of FXTRACT, ST (the new stack top) contains the value of the original significand expressed as a real number: its sign is the same as the operand's, its exponent is 0 true (16, 383 or 3FFFH biased), and its significand is identical to the original operand's. ST(1) contains the value of the original operand's true (unbiased) exponent expressed as a real number. To illustrate the operation of FXTRACT, assume that ST contains a number whose true exponent is +4 (i.e., its exponent field contains 4003H). After running FXTRACT, ST(1) will contain the real number +4.0; its sign will be positive, its exponent field will contain 4001H (+2 true) and its significand field will contain 1ë00...00B. In other words, the value in ST( 1) will be 1.0 * 2ý = 4. If ST contains an operand whose true exponent is - 7 (i.e., its exponent field contains 3FF8H), then FXTRACT will return an "exponent" of -7.0; after the instruction runs, ST(1)'s sign and exponent fields will contain C001H (negative sign, true exponent of 2), and its significand will be 1ë1100...00B. In other words, the value in ST(1) will be -1.75 * 2ý=-7.0. In both cases, following FXTRACT, ST's sign and significand fields will be the same as the original operand's, and its exponent field will contain 3FFFH (0 true).
 * Description

TEMP ← significand of ST; ST ← exponent of ST; Decrement FPU stack-top pointer; ST ← TEMP;
 * Operation

Z, D, I, IS. &#35;NM if either EM or TS in CR0 is set. Interrupt 7 if either EM or TS in CR0 is set. &#35;NM if either EM or TS in CR0 is set.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

FXTRACT (extract exponent and significand) performs a superset of the IEEE- recommended logb(x) function. If the original operand is zero, FXTRACT leaves -ì in ST(1) (the exponent) while ST is assigned the value zero with a sign equal to that of the original operand. The zero-divide exception is raised in this case, as well. ST(7) must be empty to avoid the invalid-operation exception. FXTRACT is useful for power and range scaling operations. Both FXTRACT and the base 2 exponential instruction F2XM1 are needed to perform a general power operation. Converting numbers in extended-real format to decimal representations (e.g., for printing or displaying) requires not only FBSTP but also FXTRACT to allow scaling that does not overflow the range of the extended format. FXTRACT can also be useful for debugging, because it allows the exponent and significand parts of a real number to be examined separately.
 * Notes

FYL2X-Compute y * log2x
FYL2X computes the base-2 logarithm of ST, multiplies the logarithm by ST(1), and returns the resulting value to ST(1). It then pops ST. The operand in ST must not be negative or zero. ST(1) ← ST(1) * log2ST; pop ST;
 * Description
 * Operation

P, U, O, Z, D, I, IS. Interrupt 7 if either EM or TS in CR0 is set. If the operand in ST is negative, the invalid-operation exception is raised. The FYL2X instruction is designed with a built-in multiplication to optimize the calculation of logarithms with arbitrary positive base: logbx = (log2b) -1 * log2x The instructions FLDL2T and FLDL2E load the constants log210 and log2e, respectively.
 * Numeric Exceptions
 * Protected Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

FYL2XP1-Compute y * log2(x + 1)
FYL2XP1 computes the base-2 logarithm of (ST+1.0), multiples the logarithm by ST(1), and returns the resulting value to ST(1). It then pops ST. The operand in ST must be in the range -(1-(û2 / 2)) ó ST ó û2 -1 ST(1) ← ST(1) * log2(ST+1.0); pop ST;
 * Description
 * Operation

P, U, D, I, IS. Protected Mode Exceptions Real Address Mode Exceptions Interrupt 7 if either EM or TS in CR0 is set. Virtual 8086 Mode Exceptions If the operand in ST is outside the acceptable range, the result of FYL2XP1 is undefined. The FYL2XP1 instruction provides improved accuracy over FYL2X when computing the logarithms of numbers very close to 1. When î is small, more significant digits can be retained by providing î as an argument to FYL2XP1 than by providing 1+î as an argument to FYL2X.
 * Numeric Exceptions
 * 1) NM if either EM or TS in CR0 is set.
 * 1) NM if either EM or TS in CR0 is set.
 * Notes

HLT-Halt
The HLT instruction stops instruction processing and places the processor in a HALT state. An enabled interrupt, NMI, or a reset will resume execution. If an interrupt (including NMI) is used to resume execution after a HLT instruction, the saved CS:IP (or CS:EIP) value points to the instruction following the HLT instruction.
 * Description

Enter Halt state;
 * Operation

The HLT instruction is a privileged instruction; #GP(0) if the current privilege level is not 0.
 * Protected Mode Exceptions

&#35;GP(0); the HLT instruction is a privileged instruction.
 * Virtual 8086 Mode Exceptions

IDIV-Signed Divide
The IDIV instruction performs a signed division. The dividend, quotient, and remainder are implicitly allocated to fixed registers. Only the divisor is given as an explicit r/m operand. The type of the divisor determines which registers to use as follows:
 * Description

If the resulting quotient is too large to fit in the destination, or if the divisor is 0, an Interrupt 0 is generated. Nonintegral quotients are truncated toward 0. The remainder has the same sign as the dividend and the absolute value of the remainder is always less than the absolute value of the divisor.

temp ← dividend / divisor; IF temp does not fit in quotient THEN Interrupt 0; ELSE quotient ← temp; remainder ← dividend MOD (r/m); FI; Note: Divisions are signed. The dividend must be sign-extended. The divisor is given by the r/m operand. The dividend, quotient, and remainder use implicit registers. Refer to the table under "Description."
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are undefined. Interrupt 0 if the quotient is too large to fit in the designated register (AL or AX), or if the divisor is 0; #GP (0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. Interrupt 0 if the quotient is too large to fit in the designated register (AL or AX), or if the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

IMUL-Signed Multiply
The IMUL instruction performs signed multiplication. Some forms of the instruction use implicit register operands. The operand combinations for all forms of the instruction are shown in the "Description" column above. The IMUL instruction clears the OF and CF flags under the following conditions (otherwise the CF and OF flags are set):
 * Description

result ← multiplicand * multiplier;
 * Operation

The OF and CF flags as described in the table in the "Description" section above; the SF, ZF, AF, and PF flags are undefined.


 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

When using the accumulator forms (IMUL r/m8, IMUL rm16, or IMUL r/m32), the result of the multiplication is available even if the overflow flag is set because the result is twice the size of the multiplicand and multiplier. This is large enough to handle any possible result.
 * Notes

IN-Input from Port
The IN instruction transfers a data byte or data word from the port numbered by the second operand into the register (AL, AX, or EAX) specified by the first operand. Access any port from 0 to 65535 by placing the port number in the DX register and using an IN instruction with the DX register as the second parameter. These I/O instructions can be shortened by using an 8-bit port I/O in the instruction. The upper eight bits of the port address will be 0 when 8-bit port I/O is used.
 * Description

IF (PE = 1) AND ((VM = 1) OR (CPL>IOPL)) THEN (* Virtual 8086 mode, or protected mode with CPL>IOPL *) IF NOT I-O-Permission (SRC, width(SRC)) THEN #GP(0); FI; FI; DEST ← [SRC]; (* Reads from I/O address space *)
 * Operation


 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is larger (has less privilege) than the I/O privilege level and any of the corresponding I/O permission bits in TSS equals 1.
 * Virtual 8086 Mode Exceptions
 * 1) GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1.

INC-Increment by 1
The INC instruction adds 1 to the operand. It does not change the CF flag. To affect the CF flag, use the ADD instruction with a second operand of 1.
 * Description

DEST ← DEST + 1;
 * Operation

The OF, SF, ZF, AF, and PF flags are set according to the result.
 * Protected Mode Exceptions
 * 1) GP(0) if the operand is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

INS/INSB/INSW/INSD-Input from Port to String
The INS instruction transfers data from the input port numbered by the DX register to the memory byte or word at ES:dest-index. The memory operand must be addressable from the ES register; no segment override is possible. The destination register is the DI register if the address-size attribute of the instruction is 16-bits, or the EDI register if the address-size attribute is 32-bits. The INS instruction does not allow the specification of the port number as an immediate value. The port must be addressed through the DX register value. Load the correct value into the DX register before running the INS instruction. The destination address is determined by the contents of the destination index register. Load the correct index into the destination index register before running the INS instruction. After the transfer is made, the DI or EDI register advances automatically. If the DF flag is 0 (a CLD instruction was run), the DI or EDI register increments; if the DF flag is 1 (an STD instruction was run), the DI or EDI register decrements. The DI register increments or decrements by 1 if a byte is input, by 2 if a word is input, or by 4 if a doubleword is input. The INSB, INSW and INSD instructions are synonyms of the byte, word, and doubleword INS instructions. The INS instruction can be preceded by the REP prefix for block input of CX bytes or words. Refer to the REP instruction for details of this operation.
 * Description

IF AddressSize = 16 THEN use DI for dest-index; ELSE (* AddressSize = 32 *) use EDI for dest-index; FI; IF (PE = 1) AND ((VM = 1) OR (CPL>IOPL)) THEN (* Virtual 8086 mode, or protected mode with CPL>IOPL *) IF NOT I-O-Permission (SRC, width(SRC)) THEN #GP(0); FI; FI; IF byte type of instruction THEN ES:[dest-index] ← [DX]; (* Reads byte at DX from I/O address space *) IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI; FI; IF OperandSize = 16 THEN ES:[dest-index] ← [DX]; (* Reads byte at DX from I/O address space *) IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI; FI; IF OperandSize = 32 THEN ES:[dest-index] ← [DX]; (* Reads dword at DX from I/O address space *) IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI; FI; dest-index ← dest-index + IncDec;
 * Operation


 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is numerically greater than the I/O privilege level and any of the corresponding I/O permission bits in TSS equals 1; #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the ES, segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions


 * Virtual 8086 Mode Exceptions
 * 1) GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

INT/INTO-Call to Interrupt Procedure
The INT n instruction generates a call to an interrupt handler. The immediate operand, from 0 to 255, gives the index number into the Interrupt Descriptor Table (IDT) of the interrupt routine to be called. In protected mode, the IDT consists of an array of eight-byte descriptors; the descriptor for the interrupt invoked must indicate an interrupt, trap, or task gate. In real-address mode, the IDT is an array of four byte-long pointers. In protected and real-address modes, the base linear address of the IDT is defined by the contents of the IDTR. The initial value of IDTR is zero upon reset into real-address mode. When the processor is running in virtual-8086 mode (VM=1), the IOPL determines whether the INT n causes a general protection exception (IOPL<3) or runs a protected mode interrupt to privilege level 0. The interrupt gate's DPL must be set to three and the target CPL of the interrupt service routine must be zero to run the protected mode interrupt to privilege level 0. The INTO conditional software instruction is identical to the INT n interrupt instruction except that the interrupt number is implicitly 4, and the interrupt is made only if the overflow flag is set. The first 32 interrupts are reserved by Intel for system use. Some of these interrupts are used for internally generated exceptions. The INT n instruction generally behaves like a far call except that the flags register is pushed onto the stack before the return address. Interrupt procedures return via the IRET instruction, which pops the flags and return address from the stack. In Real Address Mode, the INT n instruction pushes the flags, the CS register, and the return IP onto the stack, in that order, then jumps to the long pointer indexed by the interrupt number.
 * Description

Note: The following operational description applies not only to the above instructions but also to external interrupts and exceptions. IF PE = 0 THEN CALL REAL-ADDRESS-MODE; ELSE CALL PROTECTED-MODE; IF task gate THEN CALL TASK-GATE; ELSE CALL TRAP-OR-INT-GATE; (* PE=1, int/trap gate *) IF code segment is non-conforming AND DPL < CPL THEN IF VM=0 THEN CALL INT-TO-INNER-PRIV; (*PE=1,int/trap gate,DPLCPL *) FI; FI; FI; FI; END;
 * Operation

REAL-ADDRESS-MODE PROC Push (FLAGS); IF ← 0; (* Clear interrupt flag *) TF ← 0; (* Clear trap flag *) Push(CS); Push(IP); (* No error codes are pushed *) CS ← IDT[Interrupt number * 4].selector; IP ← IDT[Interrupt number * 4].offset; (* Start processing in real address mode *) REAL-ADDRESS-MODE ENDPROC

PROTECTED-MODE PROC Interrupt vector must be within IDT table limits, else #GP(vector number * 8+2+EXT); Descriptor AR byte must indicate interrupt gate, trap gate, or task gate, else #GP(vector number * 8+2+EXT); IF software interrupt (* i.e. caused by INT n, INT 3, or INTO *) THEN IF gate descriptor DPL<CPL THEN #GP(vector number * 8+2+EXT); (* PE=1, DPL<CPL, software interrupt *) FI; FI; Gate must be present, else #NP(vector number * 8+2+EXT); PROTECTED-MODE ENDPROC

TRAP-OR-INT-GATE PROC Examine CS selector and descriptor given in the gate descriptor; Selector must be non-null, else #GP (EXT); Selector must be within its descriptor table limits ELSE #GP(selector+EXT); Descriptor AR byte must indicate code segment ELSE #GP(selector + EXT); Segment must be present, else #NP(selector+EXT); TRAP-OR-INT-GATE ENDPROC

INT-TO-INNER-PRIV PROC (* PE=1, DPL<CPL and non-conforming, (* PE=1, int/trap gate, DPL<CPL, VM=0 *) Check selector and descriptor for new stack in current TSS;    Selector must be non-null, else #TS(EXT);    Selector index must be within its descriptor table limits       ELSE #TS(SS selector+EXT);    Selector's RPL must equal DPL of code segment, else #TS(SS selector+EXT);   Stack segment DPL must equal DPL of code segment, else #TS(SS selector+EXT);   Descriptor must indicate writable data segment, else #TS(SS selector+EXT);   Segment must be present, else #SS (SS selector+EXT);  If 32-bit gate   THEN New stack must have room for 20 bytes else #SS(0)  ELSE New stack must have room for 10 bytes else #SS(0)  FI;  Instruction pointer must be within CS segment boundaries else #GP(0);  Load new SS and eSP value from TSS;  If 32-bit gate     THEN CS:EIP ← selector:offset from gate;  ELSE CS:IP ← selector:offset from gate;  FI;  Load CS descriptor into invisible portion of CS register;  Load SS descriptor into invisible portion of SS register;  IF 32-bit gate  THEN     Push (long pointer to old stack) (* 3 words padded to 4 *);    Push (EFLAGS);    Push (long pointer to return location) (* 3 words padded to 4 *); ELSE     Push (long pointer to old stack) (* 2 words *);    Push (FLAGS);    Push (long pointer to return location) (* 2 words *);  FI;  Set CPL to new code segment DPL;  Set RPL of CS to CPL; IF interrupt gate THEN IF ← 0 (* interrupt flag to 0 (disable) *); FI; TF ← 0; NT ← 0; INT-FROM-INNER-PRIV ENDPROC

INT-FROM-V86-MODE PROC Check selector and descriptor for new stack in current TSS; Selector must be non-null, else #TS(EXT); Selector index must be within its descriptor table limits ELSE #TS(SS selector+EXT); Selector's RPL must equal DPL of code segment, else #TS(SS   selector+EXT); Stack segment DPL must equal DPL of code segment, else #TS(SS   selector+EXT); Descriptor must indicate writable data segment, else #TS(SS   selector+EXT); Segment must be present, else #SS(SS selector+EXT); IF 32-bit gate THEN New stack must have room for 20 bytes else #SS(0) ELSE New stack must have room for 10 bytes else #SS(0) FI; Instruction pointer must be within CS segment boundaries else #GP(0); IF IOPL < 3 THEN #GP(0); (*V86 monitor trap: PE=1,int/trap gate, DPL 0 THEN #GP(0); ELSE TempEFlags ← EFLAGS; VM ← 0; TF ← 0; IF service through Interrupt Gate THEN IF ← 0; FI; TempSS ← SS; TempESP ← ESP; SS ← TSS.SS0; (* Change to level 0 stack segment *) ESP ← TSS.ESP0; (* Change to level 0 stack pointer *) Push(GS); (* padded to two words *) Push(FS); (* padded to two words *) Push(DS); (* padded to two words *) Push(ES); (* padded to two words *) GS ← 0; (* segment registers nullified - invalid in       protected mode *) FS ← 0; DS ← 0; ES ← 0; Push(TempSS); (* Padded to two words *) Push(TempESP); Push(TempEFlags); Push(CS); (* Padded to two words *) Push(EIP); CS:EIP ← selector:offset from interrupt gate; (* Starts processing of new routine in Protected Mode *) FI; ELSE (* GATE'S_DPL <> 3 *) #GP(0); FI; FI; INT-FROM-V86-MODE ENDPROC

INT-TO-SAME-PRIV PROC (* PE=1, DPL=CPL or conforming segment *) IF 32-bit gate THEN Current stack limits must allow pushing 10 bytes, else #SS(0); ELSE Current stack limits must allow pushing 6 bytes, else #SS(0); FI;

IF interrupt was caused by exception with error code THEN Stack limits must allow push to two more bytes; ELSE #SS(0); FI; Instruction pointer must be in CS limit, else #GP(0); IF 32-bit gate THEN Push (EFLAGS); Push (long pointer to return location); (* 3 words padded to 4 *) CS:EIP ← selector:offset from gate; ELSE (* 16-bit gate *) Push (FLAGS); Push (long pointer to return location); (* 2 words *) CS:IP ← selector:offset from gate; FI; Load CS descriptor into invisible portion of CS register; Set the RPL field of CS to CPL; Push (error code); (* if any *) IF interrupt gate THEN IF ← 0; FI; TF ← 0; NT ← 0; INT-TO-SAME-PRIV ENDPROC

TASK-GATE PROC (* PE=1, task gate *) Examine selector to TSS, given in task gate descriptor; Must specify global in the local/global bit, else #TS(TSS selector); Index must be within GDT limits, else #TS(TSS selector); AR byte must specify available TSS (bottom bits 00001); else #TS(TSS selector); TSS must be present, else #NP(TSS selector); SWITCH-TASKS with nesting to TSS; IF interrupt was caused by fault with error code THEN Stack limits must allow push of two more bytes, else #SS(0); Push error code onto stack; FI; Instruction pointer must be in CS limit, else #GP(0); TASK-GATE ENDPROC

The following decision table indicates which action in the lower portion of the table is taken given the conditions in the upper portion of the table. Each Y in the lower section of the decision table represents a procedure defined above in the Operation section for this instruction (except #GP(0)) and the number following the Y indicates the order in which the procedure is run. Notes: - Don't Care Yx Yes, Action Taken, x = the order of processing Blank Action Not Taken
 * Decision Table

None


 * Protected Mode Exceptions
 * GP, #NP, #SS, and #TS as indicated under "Operation" above.

None; if the SP or ESP register is 1, 3, or 5 before running the INT or INTO instruction, the processor will shut down due to insufficient stack space.
 * Real Address Mode Exceptions


 * Virtual 8086 Mode Exceptions
 * 1) GP(0) fault if IOPL is less than 3, for the INT n instruction only, to permit emulation; Interrupt 3 (0CCH) generates a breakpoint exception; the INTO instruction generates an overflow exception if the OF flag is set.

INVD-Invalidate Cache
The internal cache is invalidated, and a special-function bus cycle is issued which indicates that external caches should also be invalidated. Data held in write-back external caches is not instructed to be written back. INVALIDATE INTERNAL CACHE SIGNAL EXTERNAL CACHE TO INVALIDATE The INVD instruction is a privileged instruction; #GP(0) if the current privilege level is not 0. &#35;GP(0); the INVD instruction is a privileged instruction. INVD should be used with care. It does not write back modified cache lines; therefore, it can cause the data cache to become inconsistent with other memories in the system. Unless there is a specific requirement or benefit to invalidate a cache without writing back the modified lines (i.e., testing or fault recovery where cache coherency with main memory is not a concern), software should use the WBINVD instruction. This instruction is implementation-dependent; its function may be implemented differently on future Intel processors. This instruction does not wait for the external cache to complete its invalidation before the processor proceeds. It is the responsibility of hardware to respond to the external cache invalidation indication. This instruction is not supported on Intel386 processors. See the Intel documentation for CPUID detection at runtime. See the WBINVD description to write back dirty data to memory. See the Intel documentation for information on disabling the cache.
 * Description
 * Operation
 * Protected Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

INVLPG-Invalidate TLB Entry
The INVLPG instruction is used to ensure there are no invalid entries in the TLB, the cache used for page table entries. If the TLB contains a valid entry, which maps the address of the memory operand, all of the relevant TLB entries are marked invalid. INVALIDATE RELEVANT TLB ENTRY(S) The INVLPG instruction is a privileged instruction; #GP(0) if the current privilege level is not 0. An invalid-opcode exception is generated when used with a register operand. An invalid-opcode exception is generated when used with a register operand. #GP(0); the INVLPG instruction is a privileged instruction. This instruction is not supported on Intel386 processors. See the Intel documentation for information on detecting the processor type at runtime. See the Intel documentation for information on disabling the cache.
 * Description
 * Operation
 * Protected Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

IRET/IRETD-Interrupt Return
In Real Address Mode, the IRET instruction pops the instruction pointer, the CS register, and the flags register from the stack and resumes the interrupted routine. In Protected Mode, the action of the IRET instruction depends on the setting of the nested task flag (NT) bit in the flag register. When the new flag image is popped from the stack, the IOPL bits in the flag register are changed only when CPL equals 0. If the NT flag is cleared, the IRET instruction returns from an interrupt procedure without a task switch. The code returned to must be equally or less privileged than the interrupt routine (as indicated by the RPL bits of the CS selector popped from the stack). If the destination code is less privileged, the IRET instruction also pops the stack pointer and SS from the stack. If the NT flag is set, the IRET instruction reverses the operation of a CALL or INT that caused a task switch. The updated state of the task running the IRET instruction is saved in its task state segment. If the task is reentered later, the code that follows the IRET instruction is run. IF PE = 0 THEN GOTO REAL_ADDRESS_MODE:; ELSE GOTO PROTECTED_MODE; FI; REAL_ADDRESS_MODE; IF OperandSize = 32 (* Instruction = IRETD *) THEN EIP ← Pop ; ELSE (* Instruction = IRET *) IP ← Pop; FI; CS ← Pop ; IF OperandSize = 32 (* Instruction = IRETD *) THEN Pop; EFLAGS ← Pop; ELSE (* Instruction = IRET *) FLAGS ← Pop; FI; END; PROTECTED_MODE: IF VM = 1 (* Virtual mode:PE=1, VM=1 *) THEN GOTO STACK_RETURN_FROM_V86; (* PE=1, VM=1 *) ELSE IF NT=1 THEN GOTO TASK_RETURN; (* PE=1, VM=1, NT=1 *) ELSE IF VM=1 in flags image on stack THEN GOTO STACK_RETURN_TO_V86; (* PE=1, VM=1 in flags                    inage *) ELSE GOTO STACK_RETURN; (* PE=1, VM=0 in flags image *) FI; FI; FI; STACK_RETURN_FROM_V86: IF IOPL=3 (* Virtual mode: PE=1, VM=1, IOPL=3 *) THEN IF OperandSize = 16 IP ← Pop;(* 16-bit pops *) CS ← Pop; FLAGS ←Pop; ELSE (* OperandSize = 32 *) EIP ← Pop; (* 32-bit pops *) CS ← Pop; EFLAGS ←Pop; (*VM,IOPL,VIP,and VIF EFLAG bits are not modified by IRETD*) FI; ELSE #GP(0); (* trap to virtual-8086 monitor: PE=1, VM=1, IOPL<3 *) FI; END; STACK_RETURN_TO_V86: (* Interrupted procedure was in V86 mode: PE=1, VM=1 in flags image *) IF top 36 bytes of stack not within limits THEN #SS(0); FI; IF instruction pointer not within code segment limit THEN #GP(0); FI; EFLAGS ← SS:[ESP + 8]; (* Sets VM in interrupted routine *) EIP ← Pop; CS ← Pop; (* CS behaves as in 8086, due to VM=1 *) throwaway ← Pop; (* pop away EFLAGS already read *) TempESP ← Pop; TempSS ← Pop; ES ← Pop; (* pop 2 words; throw away high-order word *) DS ← Pop; (* pop 2 words; throw away high-order word *) FS ← Pop; (* pop 2 words; throw away high-order word *) GS ← Pop; (* pop 2 words; throw away high-order word *) SS:ESP ← TempSS:TempESP; (* Resume processing in Virtual 8086 mode *) END; TASK-RETURN: (* PE=1, VM=1, NT=1 *) Examine Back Link Selector in TSS addressed by the current task register: Must specify global in the local/global bit, else #TS(new TSS selector); Index must be within GDT limits, else #TS(new TSS selector); AR byte must specify TSS, else #TS(new TSS selector); New TSS must be busy, else #TS(new TSS selector); TSS must be present, else #NP(new TSS selector); SWITCH-TASKS without nesting to TSS specified by back link selector; Mark the task just abandoned as NOT BUSY; Instruction pointer must be within code segment limit ELSE #GP(0); END;
 * Description
 * Operation

STACK-RETURN: (* PE=1, VM=0 in flags image *) IF OperandSize=32 THEN Third word on stack must be within stack limits, else #SS(0); ELSE Second word on stack must be within stack limits, else #SS(0); FI; Return CS selector RPL must be ò CPL, else #GP(Return selector); IF return selector RPL = CPL THEN GOTO RETURN-SAME-LEVEL; ELSE GOTO RETURN-OTHER-LEVEL; FI;

RETURN-SAME-LEVEL: (* PE=1, VM=0 in flags image, RPL=CPL *) IF OperandSize=32 THEN Top 12 bytes on stack must be within limits, else #SS(0); Return CS selector (at eSP+4) must be non-null, else #GP(0); ELSE Top 6 bytes on stack must be within limits, else #SS(0); Return CS selector (at eSP+2) must be non-null, else #GP(0); FI; Selector index must be within its descriptor table limits, else #GP (Return selector); AR byte must indicate code segment, else #GP(Return selector); IF non-conforming THEN code segment DPL must = CPL; ELSE #GP(Return selector); (* PE=1, VM=0 in flags image, RPL=CPL,non-conforming,DPL<> CPL *) FI; IF conforming THEN IF DPL>CPL #GP(Return selector); (* PE=1, VM=0 in flags image,     RPL=CPL,conforming,DPL>CPL *) Segment must be present, else #NP(Return selector); Instruction pointer must be within code segment boundaries, else #GP(0); FI; IF OperandSize=32 put comments here THEN Load CS:EIP from stack; Load CS-register with new code segment descriptor; Load EFLAGS with third doubleword from stack; Increment eSP by 12; ELSE Load CS-register with new code segment descriptor; Load FLAGS with third word on stack; Increment eSP by 6; FI; END;

RETURN-OUTER-LEVEL: IF OperandSize=32 THEN Top 20 bytes on stack must be within limits, else #SS(0); ELSE Top 10 bytes on stack must be within limits, else #SS(0); FI; Examine return CS selector and associated descriptor: Selector must be non-null, ELSE #GP(0); Selector index must be within its descriptor table limits; ELSE #GP(Return selector); AR byte must indicate code segment, else #GP(Return selector); IF non-conforming THEN code segment DPL must = CS selector RPL; ELSE #GP(Return selector); FI; IF conforming THEN code segment DPL must be > CPL; ELSE #GP(Return selector); FI; Segment must be present, else #NP(Return selector); Examine return SS selector and associated descriptor: Selector must be non-null, else #GP(0); Selector index must be within its descriptor table limits ELSE #GP(SS selector); Selector RPL must equal the RPL of the return CS selector ELSE #GP(SS selector); AR byte must indicate a writable data segment, else #GP(SS selector); Stack segment DPL must equal the RPL of the return CS selector ELSE #GP(SS selector); SS must be present, else #NP(SS selector); Instruction pointer must be within code segment limit ELSE #GP(0); IF OperandSize=32 THEN Load CS:EIP from stack; Load EFLAGS with values at (eSP+8); ELSE Load CS:IP from stack; Load FLAGS with values at (eSP+4); FI; Load SS:eSP from stack; Set CPL to the RPL of the return CS selector; Load the CS register with the CS descriptor; Load the SS register with the SS descriptor; FOR each of ES, FS, GS, and DS  DO; IF the current value of the register is not valid for the outer level; THEN zero the register and clear the valid flag; FI; To be valid, the register setting must satisfy the following properties: Selector index must be within descriptor table limits; AR byte must indicate data or readable code segment; IF segment is data or non-conforming code, THEN DPL must be > CPL, or DPL must be < RPL; OD; END:

All flags are affected; the flags register is popped from stack.

Interrupt 13 if any part of the operand being popped lies beyond address 0FFFFH.
 * Protected Mode Exceptions
 * GP, #NP, or #SS, as indicated under "Operation" above; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) GP(0) fault occurs if the I/O privilege level is less than 3, to permit emulation; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Jcc - Jump if Condition is Met
Conditional jumps (except the JCXZ instruction) test the flags that have been set by a previous instruction. The conditions for each mnemonic are given in parentheses after each description above. The terms "less" and "greater"; are used for comparisons of signed integers; "above" and "below" are used for unsigned integers. If the given condition is true, a jump is made to the location provided as the operand. Instruction coding is most efficient when the target for the conditional jump is in the current code segment and within -128 to +127 bytes of the next instruction's first byte. The jump can also target -32768 thru +32767 (segment size attribute 16) or -231 thru +231 - 1 (segment size attribute 32) relative to the next instruction's first byte. When the target for the conditional jump is in a different segment, use the opposite case of the jump instruction (i.e., the JE and JNE instructions), and then access the target with an unconditional far jump to the other segment. For example, you cannot code JZ FARLABEL You must instead code JNZ BEYOND JMP FARLABEL BEYOND: Because there can be several ways to interpret a particular state of the flags, ASM386 provides more than one mnemonic for most of the conditional jump opcodes. For example, if you compared two characters in AX and want to jump if they are equal, use the JE instructions; or, if you ANDed the AX register with a bit field mask and only want to jump if the result is 0, use the JZ instruction, a synonym for the JE instruction. The JCXZ instruction differs from other conditional jumps because it tests the contents of the CX or ECX register for 0, not the flags. The JCXZ instruction is useful at the beginning of a conditional loop that terminates with a conditional loop instruction (such as LOOPNE TARGET LABEL. The JCXZ instruction prevents entering the loop with the CX or ECX register equal to zero, which would cause the loop to run 64K or 23ý times instead of zero times.
 * Description

IF condition THEN EIP ← EIP + SignExtend(rel8/16/32); IF OperandSize = 16 THEN EIP ← EIP AND 0000FFFFH; FI; FI;
 * Operation

The JCXZ instruction takes longer to run than a two-instruction sequence, which compares the count register to zero and jumps if the count is zero. All branches are converted into 16-byte code fetches regardless of jump address or cacheability.
 * Protected Mode Exceptions
 * 1) GP(0) if the offset jumped to is beyond the limits of the code segment.
 * Notes

JMP - Jump
The JMP instruction transfers control to a different point in the instruction stream without recording return information. The action of the various forms of the instruction are shown below. Jumps with destinations of type r/m16, r/m32, rel16,, and rel32 are near jumps and do not involve changing the segment register value. The JMP rel16 and JMP rel32 forms of the instruction add an offset to the address of the instruction following the JMP to determine the destination. The rel16 form is used when the instruction's operand-size attribute is 16-bits (segment size attribute 16 only); rel32 is used when the operand-size attribute is 32-bits (segment size attribute 32 only). The result is stored in the 32-bit EIP register. With rel16, the upper 16-bits of the EIP register are cleared, which results in an offset whose value does not exceed 16-bits. The JMP r/m16 and JMP r/m32 forms specify a register or memory location from which the absolute offset from the procedure is fetched. The offset fetched from r/m is 32-bits for an operand-size attribute of 32-bits (r/m32 ), or 16-bits for an operand-size attribute of 16-bits (r/m16). The JMP ptr16:16 and ptr16:32 forms of the instruction use a four-byte or six-byte operand as a long pointer to the destination. The JMP m16:16 and m16:32 forms fetch the long pointer from the memory location specified ( indirection). In Real Address Mode or Virtual 8086 Mode, the long pointer provides 16-bits for the CS register and 16 or 32-bits for the EIP register (depending on the operand-size attribute). In Protected Mode, both long pointer forms consult the Access Rights (AR) byte in the descriptor indexed by the selector part of the long pointer. Depending on the value of the AR byte, the jump will perform one of the following types of control transfers: For more information on protected mode control transfers, refer to the Intel documentation.
 * Description
 * A jump to a code segment at the same privilege level
 * A task switch

IF instruction = relative JMP (* i.e. operand is rel8, rel16, or rel32 *) THEN EIP ← EIP + rel18/16/32; IF OperandSize = 16 THEN EIP ← EIP AND 0000FFFFH; FI; FI; IF instruction = near indirect JMP (* i.e. operand is r/m16 or r/m32 *) THEN IF OperandSize = 16 THEN EIP ← [r/m16] AND 0000FFFFH; ELSE (* OperandSize = 32 *) EIP ← [r/m32; FI; FI; IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or V86 mode *) AND instruction = far JMP (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *) THEN GOTO REAL-OR-V86-MODE; IF operand type = m16:16 or m16:32 THEN (* indirect *) IF OperandSize = 16 THEN CS:IP ← [m16:16]; EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *) ELSE (* OperandSize = 32 *) CS:EIP ← [m16:32]; FI; FI; IF operand type = ptr16:16 or ptr16:32 THEN IF OperandSize = 16 THEN CS:IP ← ptr16:16; EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *) ELSE (* OperandSize = 32 *) CS:EIP ← ptr16:32; FI; FI; FI;
 * Operation

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) AND instruction = far JMP THEN IF operand type = m16:16 or m16:32 THEN (* indirect *) check access of EA dword; #GP(0) or #SS(0) IF limit violation; FI; Destination selector is not null ELSE #GP(0) Destination selector index is within its descriptor table limits ELSE #GP(selector) Depending on AR byte of destination descriptor; GOTO CONFORMING-CODE-SEGMENT; GOTO NONCONFORMING-CODE-SEGMENT; GOTO CALL-GATE; GOTO TASK-GATE; GOTO TASK-STATE-SEGMENT; ELSE #GP(selector); (* illegal AR byte in descriptor *) FI;

CONFORMING-CODE-SEGMENT: Descriptor DPL must be ó CPL ELSE #GP(selector); Segment must be present ELSE #NP(selector); Instruction pointer must be within code-segment limit ELSE #GP(0); IF OperandSize = 32 THEN Load CS:EIP from destination pointer; ELSE Load CS:IP from destination pointer; FI; Load CS register with new segment descriptor;

NONCONFORMING-CODE-SEGMENT: RPL of destination selector must be ò CPL ELSE #GP(selector); Descriptor DPL must be = CPL ELSE #GP(selector); Segment must be present ELSE #NP(selector); Instruction pointer must be within code-segment limit ELSE #GP(0); IF OperandSize = 32 THEN Load CS:EIP from destination pointer; ELSE Load CS:IP from destination pointer; FI; Load CS register with new segment descriptor; Set RPL field of CS register to CPL;

CALL-GATE: Descriptor DPL must be ò CPL ELSE #GP(gate selector); Descriptor DPL must be ò gate selector RPL ELSE #GP(gate selector); Gate must be present ELSE #NP(gate selector); Examine selector to code segment given in call gate descriptor: Selector must not be null ELSE #GP(0); Selector must be within its descriptor table limits ELSE #GP(CS selector); Descriptor AR byte must indicate code segment ELSE #GP(CS selector); IF non-conforming THEN code-segment descriptor DPL must = CPL ELSE #GP(CS selector); FI; IF conforming THEN code-segment descriptor DPL must be ó CPL; ELSE #GP(CS selector); Code segment must be present ELSE #NP(CS selector); Instruction pointer must be within code-segment limit ELSE #GP(0); IF OperandSize = 32 THEN Load CS:EIP from call gate; ELSE Load CS:IP from call gate; FI; Load CS register with new code-segment descriptor; Set RPL of CS to CPL

TASK-GATE: Gate descriptor DPL must be ò CPL ELSE #GP(gate selector); Gate descriptor DPL must be ò gate selector RPL ELSE #GP(gate selector); Task Gate must be present ELSE #NP(gate selector); Examine selector to TSS, given in Task Gate descriptor: Must specify global in the local/global bit ELSE #GP(TSS selector); Index must be within GDT limits ELSE #GP(TSS selector); Descriptor AR byte must specify available TSS (bottom bits 00001); ELSE #GP(TSS selector); Task State Segment must be present ELSE #NP(TSS selector); SWITCH-TASKS (without nesting) to TSS; Instruction pointer must be within code-segment limit ELSE #GP(0);

TASK-STATE-SEGMENT: TSS DPL must be ò CPL ELSE #GP(TSS selector); TSS DPL must be ò TSS selector RPL ELSE #GP(TSS selector); Descriptor AR byte must specify available TSS (bottom bits 00001) ELSE #GP(TSS selector); Task State Segment must be present ELSE #NP(TSS selector); SWITCH-TASKS (without nesting) to TSS; Instruction pointer must be within code-segment limit ELSE #GP(0);

All if a task switch takes place; none if no task switch occurs.

Far jumps: #GP, #NP, #SS, and #TS, as indicated in the list above. Near direct jumps: #GP(0) if procedure location is beyond the code segment limits; #AC for unaligned memory reference if the current privilege level is 3. Near indirect jumps: #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments: #SS(0) for an illegal address in the SS segment; #GP if the indirect offset obtained is beyond the code segment limits; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions

Interrupt 13 if any part of the operand would be outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as under Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

All branches are converted into 16-byte code fetches regardless of jump address or cacheability.
 * Notes

LAHF - Load Flags into AH Register
The LAHF instruction transfers the low byte of the flags word to the AH register. The bits, from MSB to LSB, are sign, zero, indeterminate, auxiliary, carry, indeterminate, parity, indeterminate, and carry. AH ← SF:ZF:xx:AF:xx:PF:xx:CF;
 * Description
 * Operation
 * Related Information

LAR-Load Access Rights Byte
The LAR instruction stores a marked form of the second doubleword of the descriptor for the source selector if the selector is visible at the current privilege level (modified by the selector's RPL) and is a valid descriptor type within the descriptor limits. The destination register is loaded with the high-order doubleword of the descriptor masked by 00FxFF00, and the ZF flag is set. The x indicates that the four bits corresponding to the upper four bits of the limit are undefined in the value loaded by the LAR instruction. If the selector is invisible or of the wrong type, the ZF flag is cleared. If the 32-bit operand size is specified, the entire 32-bit value is loaded into the 32-bit destination register. If the 16-bit operand size is specified, the lower 16-bits of this value are stored in the 16-bit destination register. All code and data segment descriptors are valid for the LAR instruction. The valid special segment and gate descriptor types for the LAR instruction are given in the following table:
 * Description

The ZF flag is set unless the selector is invisible or of the wrong type, in which case the ZF flag is cleared. Interrupt 6; the LAR instruction is unrecognized in Real Address Mode. Same exceptions as in Real Address Mode.
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

LDS/LES/LFS/LGS/LSS-Load Full Pointer
The LGS, LSS, LDS, LES, and LFS instructions read a full pointer from memory and store it in the selected segment register:register pair. The full pointer loads 16-bits into the segment register SS, DS, ES, FS, or GS. The other register loads 32-bits if the operand-size attribute is 32-bits, or loads 16-bits if the operand-size attribute is 16-bits. The other 16- or 32-bit register to be loaded is determined by the r16 or r32 register operand specified. When an assignment is made to one of the segment registers, the descriptor is also loaded into the segment register. The data for the register is obtained from the descriptor table entry for the selector given. A null selector (values 0000-0003) can be loaded into DS, ES, FS, or GS registers without causing a protection exception. (Any subsequent reference to a segment whose corresponding segment register is loaded with a null selector to address memory causes a #GP(0) exception. No memory reference to the segement occurs.) The following is a listing of the Protected Mode checks and actions taken in the loading of a segment register: IF SS is loaded; IF selector is null THEN #GP(0); FI; Selector index must be within its descriptor table limits ELSE #GP(selector); Selector's RPL must equal CPL ELSE #GP(selector); AR byte must indicate a writable data segment ELSE #GP(selector); DPL in the AR byte must equal CPL ELSE #GP(selector); Segment must be marked present ELSE #SS(selector); Load SS with selector; Load SS with descriptor;
 * Description

IF DS, ES, FS, or GS is loaded with non-null selector: Selector index must be within its descriptor table limits ELSE #GP(selector); AR byte must indicate data or readable code segment ELSE #GP(selector); IF data or nonconforming code THEN both the RPL and the CPL must be less than or equal to DPL in    AR byte; ELSE #GP(selector); Segment must be marked present ELSE #NP(selector); Load segment register with selector and RPL bits; Load segment register with descriptor;

IF DS, ES, FS or GS is loaded with a null selector: Load segment register with selector; Clear descriptor valid bit;

CASE instruction OF  LSS: Sreg is SS; (* Load SS register *) LDS: Sreg is DS; (* Load DS register *) LES: Sreg is ES; (* Load ES register *) LFS: Sreg is FS; (* Load FS register *) LGS: Sreg is DS; (* Load GS register *) ESAC; IF (OperandSize = 16) THEN r16 ← [Effective Address]; (* 16-bit transfer *) Sreg ← [Effective Address + 2]; (* 16-bit transfer *) (* In Protected Mode, load the descriptor into the segment register *) ELSE (* OperandSize = 32 *) r32 ← [Effective Address]; (* 32-bit transfer *) Sreg ← [Effective Address + 4]; (* 16-bit transfer *) (* In Protected Mode, load the descriptor into the segment register *) FI;
 * Operation

The second operand must be a memory operand, not a register, Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; the second operand must be a memory operand, not a register-if a register then #UD Fault; #GP(0) if a null selector is loaded into SS; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

LEA-Load Effective Address
The LEA instruction calculates the effective address (offset part) and stores it in the specified register. The operand-size attribute of the instruction (represented by OperandSize in the algorithm under "Operation" above) is determined by the chosen register. The address-size attribute ( represented by AddressSize) is determined by the attribute of the code segment. (See Operand-Size and Address-Size Attributes.) The address-size and operand-size attributes affect the action performed by the LEA instruction, as follows: IF OperandSize = 16 AND AddressSize = 16 THEN r16 ← Addr(m); ELSE IF OperandSize = 16 AND AddressSize = 32 THEN r16 ← Truncate_to_16bits(Addr(m)); (* 32-bit address *) ELSE IF OperandSize = 32 AND AddressSize = 16 THEN r32 ← Truncate_to_16bits(Addr(m)) and zero extend; ELSE IF OperandSize = 32 AND AddressSize = 32 THEN r32 ← Addr(m); FI; FI; FI; FI;
 * Description
 * Operation
 * Protected Mode Exceptions: #UD if the second operand is a register.
 * Real Address Mode Exceptions: Interrupt 6 if the second operand is a register.
 * Virtual 8086 Mode Exceptions: Same exceptions as in Real Address Mode.

Different assemblers may use different algorithms based on the size attribute and symbolic reference of the second operand.
 * Notes

LEAVE-High Level Procedure Exit
The LEAVE instruction reverses the actions of the ENTER instruction. By copying the frame pointer to the stack pointer, the LEAVE instruction releases the stack space used by a procedure for its local variables. The old frame pointer is popped into the BP or EBP register, restoring the caller's frame. A subsequent RET nn instruction removes any arguments pushed onto the stack of the exiting procedure.
 * Description

IF StackAddrSize = 16 THEN SP ← BP; ELSE (* StackAddrSize = 32 *) ESP ← EBP; FI; IF OperandSize = 16 THEN BP ← Pop; ELSE (* OperandSize = 32 *) EBP ← Pop; FI;
 * Operation
 * Protected Mode Exceptions: #SS(0) if the BP register does not point to a location within the limits of the current stack segment.
 * Real Address Mode Exceptions: Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Virtual 8086 Mode Exceptions: Same exceptions as in Real Address Mode.

LES-Load Full Pointer
See entry for LDS/LES/LFS/LGS/LSS.

LFS-Load Full Pointer
See entry for LDS/LES/LFS/LGS/LSS.

LGDT/LIDT-Load Global/Interrupt Descriptor Table Register
The LGDT and LIDT instructions load a linear base address and limit value from a six-byte data operand in memory into the GDTR or IDTR, respectively. If a 16-bit operand is used with the LGDT or LIDT instruction, the register is loaded with a 16-bit limit and a 24-bit base, and the high-order eight bits of the six-byte data operand are not used. If a 32-bit operand is used, a 16-bit limit and a 32-bit base is loaded; the high-order eight bits of the six-byte operand are used as high-order base address bits. The SGDT and SIDT instructions always store into all 48 bits of the six- byte data operand. With the 16-bit processors, the upper eight bits are undefined after the SGDT or SIDT instruction is run. With the 32-bit processors, the upper right eight bits are written with the high-order eight address bits, for both a 16-bit operand and a 32-bit operand. If the LGDT or LIDT instruction is used with a 16-bit operand to load the register stored by the SGDT or SIDT instruction, the upper eight bits are stored as zeros. The LGDT and LIDT instructions appear in operating system software; they are not used in application programs. They are the only instructions that directly load a linear address (i.e., not a segment relative address) in Protected Mode. IF instruction = LIDT THEN IF OperandSize = 16 THEN IDTR.Limit:Base ← m16:24 (* 24-bits of base loaded *) ELSE IDTR.Limit:Base ← m16:32 FI; ELSE (* instruction = LGDT *) IF OperandSize = 16 THEN GDTR.Limit:Base ← m16:24 (* 24-bits of base loaded *) ELSE GDTR.Limit:Base ← m16:32; FI; FI;
 * Description
 * Operation

Note: These instructions are valid in Real Address Mode to allow power-up initialization for Protected Mode.
 * Protected Mode Exceptions: #GP(0) if the current privilege level is not 0; #UD if the source operand is a register; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault.
 * Real Address Mode Exceptions: Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH; Interrupt 6 if the source operand is a register.
 * Virtual 8086 Mode Exceptions: Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault.

LGS-Load Full Pointer
See entry for LDS/LES/LFS/LGS/LSS.

LLDT-Load Local Descriptor Table Register
The LLDT instruction loads the Local Descriptor Table register (LDTR). The word operand (memory or register) to the LLDT instruction should contain a selector to the Global Descriptor Table (GDT). The GDT entry should be a Local Descriptor Table. If so, then the LDTR is loaded from the entry. The descriptor registers DS, ES, SS, FS, GS, and CS are not affected. The LDT field in the task state segment does not change. The selector operand can be 0; if so, the LDTR is marked invalid. All descriptor references (except by the LAR, VERR, VERW or LSL instructions) cause a #GP fault. The LLDT instruction is used in operating system software; it is not used in application programs.
 * Description

LDTR ← SRC;
 * Operation

Interrupt 6; the LLDT instruction is not recognized in Real Address Mode. Same exceptions as in Real Address Mode (because the instruction is not recognized, it will not run or perform a memory reference). The operand-size attribute has no effect on this instruction.
 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is not 0; #GP(selector) if the selector operand does not point into the Global Descriptor Table, or if the entry in the GDT is not a Local Descriptor Table; #NP(selector) if the LDT descriptor is not present; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Note

LIDT - Load Interrupt Descriptor Table Register
See entry for LGDT/LIDT-Load Global Descriptor Table Register/Load Interrupt Descriptor Table Register.

LMSW - Load Machine Status Word
The LMSW instruction loads the machine status word (part of the CR0 register) from the source operand. This instruction can be used to switch to Protected Mode; if so, it must be followed by an intrasegment jump to flush the instruction queue. The LMSW instruction will not switch back to Real Address Mode. The LMSW instruction is used only in operating system software. It is not used in application programs.
 * Description

MSW ← r/m16; (* 16 bits is stored in the machine status word *)
 * Operation

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Protected Mode. The operand-size attribute has no effect on this instruction. This instruction is provided for compatibility with the Intel286 processor; programs for the Intel386, Intel486, and Pentium processors should use the MOV CR0, ... instruction instead. The LMSW instruction does not affect the PG, ET, or NE bits, and it cannot be used to clear the PE bit.
 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is not 0; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

LOCK - Assert LOCK# Signal Prefix
The LOCK prefix causes the LOCK# signal of the processor to be asserted during processing of the instruction that follows it. In a multiprocessor environment, this signal can be used to ensure that the processor has exclusive use of any shared memory while LOCK# is asserted. The read-modify -write sequence typically used to implement test-and-set on the Pentium processor is the BTS instruction. The LOCK prefix functions only with the following instructions:
 * Description

An undefined opcode trap will be generated if a LOCK prefix is used with any instruction not listed above. The XCHG instruction always asserts LOCK# regardless of the presence or absence of the LOCK prefix. The integrity of the LOCK prefix is not affected by the alignment of the memory field. Memory locking is observed for arbitrarily misaligned fields.

'#UD if the LOCK prefix is used with an instruction not listed in the "Description"; section above; other exceptions can be generated by the subsequent (locked) instruction.
 * Protected Mode Exceptions

Interrupt 6 if the LOCK prefix is used with an instruction not listed in the "Description" section above; exceptions can still be generated by the subsequent (locked) instruction. '#UD if the LOCK prefix is used with an instruction not listed in the "Description" section above; exceptions can still be generated by the subsequent (locked) instruction.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

LODS/LODSB/LODSW/LODSD-Load String Operand
The LODS instruction loads the AL, AX, or EAX register with the memory byte, word, or doubleword at the location pointed to by the source-index register. After the transfer is made, the source-index register is automatically advanced. If the DF flag is 0 (the CLD instruction was run), the source index increments; if the DF flag is 1 (the STD instruction was run), it decrements. The increment or decrement is 1 if a byte is loaded, 2 if a word is loaded, or 4 if a doubleword is loaded. If the address-size attribute for this instruction is 16-bits, the SI register is used for the source-index register; otherwise the address-size attribute is 32-bits, and the ESI register is used. The address of the source data is determined solely by the contents of the ESI or SI register. Load the correct index value into the SI register before running the LODS instruction. The LODSB, LODSW, and LODSD instructions are synonyms for the byte, word, and doubleword LODS instructions. The LODS instruction can be preceded by the REP prefix; however, the LODS instruction is used more typically within a LOOP construct, because further processing of the data moved into the EAX, AX, or AL register is usually necessary.
 * Description

AddressSize = 16 THEN use SI for source-index ELSE (* AddressSize = 32 *) use ESI for source-index; FI; IF byte type of instruction THEN AL ←[source-index]; (* byte load *) IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI; ELSE IF OperandSize = 16 THEN AX ← [source-index]; (* word load *) IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI; ELSE (* OperandSize = 32 *) FAX ← [source-index]; (* dword load *) IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI; FI; FI; source-index ← source-index + IncDec
 * Operation

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

LOOP/LOOPcond-Loop Control with CX Counter
The LOOP instruction decrements the count register without changing any of the flags. Conditions are then checked for the form of the LOOP instruction being used. If the conditions are met, a short jump is made to the label given by the operand to the LOOP instruction. If the address-size attribute is 16-bits, the CX register is used as the count register; otherwise the ECX register is used. The operand of the LOOP instruction must be in the range from 128 (decimal) bytes before the instruction to 127 bytes ahead of the instruction. The LOOP instructions provide iteration control and combine loop index management with conditional branching. Use the LOOP instruction by loading an unsigned iteration count into the count register, then code the LOOP instruction at the end of a series of instructions to be iterated. The destination of the LOOP instruction is a label that points to the beginning of the iteration.
 * Details Table
 * Description

IF AddressSize = 16 THEN CountReg is CX ELSE CountReg is ECX; FI; CountReg ← CountReg - 1;
 * Operation

IF instruction<> LOOP THEN IF (instruction = LOOPE) OR (instruction = LOOPZ) THEN BranchCond ← (ZF = 1) AND (CountReg <> 0); FI; IF (instruction = LOOPNE) OR (instruction = LOOPNZ) THEN BranchCond ← (ZF = 0) AND (CountReg <> 0); FI; FI;

IF BranchCond THEN IF OperandSize = 16 THEN IP ← IP + SignExtend(rel8); ELSE (* OperandSize = 32 *) EIP ← EIP + SignExtend(rel8); FI; FI;


 * Protected Mode Exceptions
 * 1) GP(0) if the offset jumped to is beyond the limits of the current code segment.

The unconditional LOOP instruction takes longer to run than a two- instruction sequence, which decrements the counter register and jumps if the count does not equal zero. All branches are converted into 16-byte code fetches regardless of jump address or cacheability.
 * Notes

LSL - Load Segment Limit
The LSL instruction loads a register with an unscrambled segment limit, and sets the ZF flag, provided that the source selector is visible at the current privilege level and RPL, within the descriptor table, and that the descriptor is a type accepted by the LSL instruction. Otherwise, the ZF flag is cleared, and the destination register is unchanged. The segment limit is loaded as a byte granular value. If the descriptor has a page granular segment limit, the LSL instruction will translate it to a byte limit before loading it in the destination register (shift left 12 the 20- bit "raw" limit from descriptor, then OR with 00000FFFH). The 32-bit forms of the LSL instruction store the 32-bit byte granular limit in the 32-bit destination register. For 16-bit operand sizes, the limit is computed to form a valid 32-bit limit. However, the upper 16 bits are chopped and only the low-order 16 bits are loaded into the destination operand. Code and data segment descriptors are valid for the LSL instruction. The valid special segment and gate descriptor types for the LSL instruction are given in the following table:
 * Description

The ZF flag is set unless the selector is invisible or of the wrong type, in which case the ZF flag is cleared.


 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments: #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 6; the LSL instruction is not recognized in Real Address Mode.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode (because the instruction is not recognized, it will not run or perform a memory reference).
 * Virtual 8086 Mode Exceptions

LSS-Load Full Pointer
See entry for LDS/LES/LFS/LGS/LSS.

LTR-Load Task Register
The LTR instruction loads the task register with a selector from the source register or memory location specified by the operand. The loaded TSS is marked busy. A task switch does not occur. The LTR instruction is used only in operating system software; it is not used in application programs.
 * Description


 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #GP(0) if the current privilege level is not 0; #GP(selector) if the object named by the source selector is not a TSS or is already busy; #NP(selector) if the TSS is marked "not present;" #PF(fault-code) for a page fault.


 * Real Address Mode Exceptions

Interrupt 6; the LTR instruction is not recognized in Real Address Mode.

Same exceptions as in Real Address Mode.
 * Virtual 8086 Mode Exceptions

The operand-size attribute has no effect on this instruction.
 * Notes

MOV - Move Data
The MOV instruction copies the second operand to the first operand. If the destination operand is a segment register (DS, ES, SS, etc.), then data from a descriptor is also loaded into the shadow portion of the register. The data for the register is obtained from the descriptor table entry for the selector given. A null selector (values 0000-0003) can be loaded into the DS, ES, FS, and GS registers without causing an exception; however, use of these registers causes a #GP(0) exception, and no memory reference occurs. A MOV into SS instruction inhibits all interrupts until after the processing of the next instruction (which should be a MOV into ESP instruction). Loading a segment register under Protected Mode results in special checks and actions, as described in the following listing: IF SS is loaded; THEN IF selector is null THEN #GP(0); Selector index must be within its descriptor table limits else #GP(selector); Selector's RPL must equal CPL else #GP(selector); AR byte must indicate a writable data segment else #GP(selector); DPL in the AR byte must equal CPL else #GP(selector); Segment must be marked present else #SS(selector); Load SS with selector; Load SS with descriptor. FI; IF DS, ES, FS or GS is loaded with non-null selector; THEN Selector index must be within its descriptor table limits else #GP(selector); AR byte must indicate data or readable code segment else #GP(selector); IF data or nonconforming code segment THEN both the RPL and the CPL must be less than or equal to DPL in AR byte; ELSE #GP(selector); FI; Segment must be marked present else #NP(selector); Load segment register with selector; Load segment register with descriptor; FI; IF DS, ES, FS or GS is loaded with a null selector; THEN Load segment register with selector; Clear descriptor valid bit; FI;
 * Description

DEST ← SRC;
 * Operation

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * GP, #SS, and #NP if a segment register is being loaded; otherwise, #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

MOV - Move to/from Control Registers
The above forms of the MOV instruction store or load CR0, CR2, CR3, and CR4 to or from a general purpose register. Thirty-two bit operands are always used with these instructions, regardless of the operand-size attribute. Operation
 * Description

DEST ← SRC;

The OF, SF, ZF, AF, PF, and CF flags are undefined.


 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is not 0. #GP(0) if an attempt is made to write a 1 to any reserved bits of CR4.

Interrupt 13 if an attempt is made to write a 1 to any reserved bits of CR4.
 * Real Address Mode Exceptions


 * Virtual 8086 Mode Exceptions
 * 1) GP(0) if instruction processing is attempted.

The reg field within the ModR/M byte specifies which of the special registers in each category is involved. The two bits in the mod field are always 11. The r/m field specifies the general register involved. Always set undefined or reserved bits to the value previously read.
 * Notes

MOV-Move to/from Debug Registers
The above forms of the MOV instruction store or load the DR0, DR1, DR2, DR3, DR6 and DR7 debug resisters to or from a general purpose register. Thirty-two bit operands are always used with these instructions, regardless of the operand-size attribute. When the DE (Debug Extension) bit in CR4 is clear, MOV instructions using debug registers operate in a manner that is compatible with Intel386 and Intel486 CPUs. References to DR4 and DR5 refer to DR6 and DR7, respectively. When the DE bit in CR4 is set, attempts to run MOV instructions using DR4 and DR5 result in an Undefined Opcode (#UD) exception.
 * Description

IF ((DE = 1) and (SRC or DEST = DR4 or DR5)) THEN #UD; ELSE DEST ← SRC;
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are undefined.


 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is not 0. #UD if the DE (Debug Extensions) bit of CR4 is set and a MOV instruction is run using DR4 or DR5.


 * Real Address Mode Exceptions
 * 1) GP(0) if an attempt is made to write a 1 to any reserved bits of CR4. #UD if the DE (Debug Extensions) bit of CR4 is set and a MOV instruction is run using DR4 or DR5.


 * Virtual 8086 Mode Exceptions
 * 1) GP(0) if instruction processing is attempted.

The instructions must be run at privilege level 0 or in real-address mode; otherwise, a protection exception will be raised. The reg field within the ModR/M byte specifies which of the special registers in each category is involved. The two bits in the mod field are always 11. The r/m field specifies the general register involved. Always set undefined or reserved bits to the value previously read.
 * Notes

MOV-Move to/from Test Registers
The above forms of the MOV instruction store or load TR3, TR4, TR5, TR6, and TR7 to or from a general purpose register. Thirty-two bit operands are always used with these instructions, regardless of the operand-size attribute.
 * Description

DEST ← SRC;
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are undefined. Interrupt 13 if an attempt is made to write a 1 to any reserved bits of CR4. The instructions must be run at privilege level 0 or in real-address mode; otherwise, a protection exception will be raised. The reg field within the ModR/M byte specifies which of the special registers in each category is involved. The two bits in the mod field are always 11. The r/m field specifies the general register involved. Always set undefined or reserved bits to the value previously read.
 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is not 0. #GP(0) if an attempt is made to write a 1 to any reserved bits of CR4.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) GP(0) if instruction processing is attempted.
 * Notes

MOVS/MOVSB/MOVSW/MOVSD - Move Data from String to String
The MOVS instruction copies the byte or word at [(E)SI] to the byte or word at ES:[(E)DI]. The destination operand must be addressable from the ES register; no segment override is possible for the destination. A segment override can be used for the source operand; the default is the DS register. The addresses of the source and destination are determined solely by the contents of the (E)SI and (E)DI registers. Load the correct index values into the (E)SI and (E)DI registers before running the MOVS instruction. The MOVSB, MOVSW, and MOVSD instructions are synonyms for the byte, word, and doubleword MOVS instructions. After the data is moved, both the (E)SI and (E)DI registers are advanced automatically. If the DF flag is 0 (the CLD instruction was run), the registers are incremented; if the DF flag is 1 (the STD instruction was run ), the registers are decremented. The registers are incremented or decremented by 1 if a byte was moved, 2 if a word was moved, or 4 if a doubleword was moved. The MOVS instruction can be preceded by the REP prefix for block movement of ECX bytes or words. Refer to the REP instruction for details of this operation.
 * Description


 * Operation
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

MOVSX - Move with Sign-Extend
The MOVSX instruction reads the contents of the effective address or register as a byte or a word, sign-extends the value to the operand-size attribute of the instruction (16 or 32 bits), and stores the result in the destination register.
 * Description

DEST ← SignExtend(SRC);
 * Operation


 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

MOVZX - Move with Zero-Extend
The MOVZX instruction reads the contents of the effective address or register as a byte or a word, zero extends the value to the operand-size attribute of the instruction (16 or 32 bits), and stores the result in the destination register.
 * Description

DEST ←ZeroExtend(SRC);
 * Operation

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same Exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

MUL - Unsigned Multiplication of AL, AX, or EAX
The MUL instruction performs unsigned multiplication. Its actions depend on the size of its operand, as follows: IF byte-size operation THEN AX ← AL * r/m8 ELSE (* word or doubleword operation *) IF OperandSize = 16 THEN DX:AX ← AX * r/m16 ELSE (* OperandSize = 32 *) EDX:EAX ← EAX * r/m32 FI; FI;
 * Description
 * A byte operand is multiplied by the AL value; the result is left in the AX register. The CF and OF flags are cleared if the AH value is 0; otherwise, they are set.
 * A word operand is multiplied by the AX value; the result is left in the DX :AX register pair. The DX register contains the high-order 16-bits of the product. The CF and OF flags are cleared if the DX value is 0; otherwise, they are set.
 * A doubleword operand is multiplied by the EAX value and the result is left in the EDX:EAX register. The EDX register contains the high-order 32-bits of the product. The CF and OF flags are cleared if the EDX value is 0; otherwise, they are set.
 * Operation

The OF and CF flags are cleared if the upper half of the result is 0; otherwise they are set; the SF, ZF, AF, and PF flags are undefined.


 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

NEG-Two's Complement Negation
The NEG instruction replaces the value of a register or memory operand with its two's complement. The operand is subtracted from zero, and the result is placed in the operand. The CF flag is set, unless the operand is zero, in which case the CF flag is cleared.
 * Description

IF r/m = 0 THEN CF ← 0 ELSE CF ← 1; FI; r/m ← - r/m
 * Operation

The CF flag is set unless the operand is zero, in which case the CF flag is cleared; the OF, SF, ZF, and PF flags are set according to the result. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

NOP - No Operation
The NOP instruction performs no operation. The NOP instruction is a one- byte instruction that takes up space but affects none of the machine context except the (E)IP register. The NOP instruction is an alias mnemonic for the XCHG (E)AX, (E)AX instruction.
 * Description

NOT - One's Complement Negation
The NOT instruction inverts the operand; every 1 becomes a 0, and vice versa.
 * Description

r/m ← NOT r/m Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Operation
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

OR-Logical Inclusive OR
The OR instruction computes the inclusive OR of its two operands and places the result in the first operand. Each bit of the result if 0 if both corresponding bits of the operands are 0; otherwise, each bit is 1. DEST ← DEST OR SRC; CF ← 0; OF ← 0
 * Description
 * Operation

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result; the AF flag is undefined. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

OUT - Output to Port
The OUT instruction transfers a data byte or data word from the register (AL, AX, or EAX) given as the second operand to the output port numbered by the first operand. Output to any port from 0 to 65535 is performed by placing the port number in the DX register and then using an OUT instruction with the DX register as the first operand. If the instruction contains an eight-bit port ID, that value is zero-extended to 16-bits.
 * Description

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) IF NOT I-O-Permission (DEST, width(DEST)) THEN #GP(0); FI; FI; [DEST] ← SRC; (* I/O address space used *)
 * Operation

After the OUT or OUTS instructions are run, the Pentium processor ensures that the EWBE# has been sampled active before beginning to run the next instruction. Note that the instruction may be prefetched if EWBE# is not active, but it will not run until EWBE# is sampled active.
 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is higher (has less privilege) than the I/O privilege level and any of the corresponding I/O permission bits in the TSS equals 1.
 * Virtual 8086 Mode Exceptions
 * 1) GP(0) fault if any of the corresponding I/O permission bits in the TSS equals 1.
 * Notes

OUTS/OUTSB/OUTSW/OUTSD - Output String to Port
The OUTS instruction transfers data from the memory byte, word, or doubleword at the source-index register to the output port addressed by the DX register. If the address-size attribute for this instruction is 16-bits, the SI register is used for the source-index register; otherwise, the address-size attribute is 32-bits, and the ESI register is used for the source-index register. The OUTS instruction does not allow specification of the port number as an immediate value. The port must be addressed through the DX register value. Load the correct value into the DX register before running the OUTS instruction. The address of the source data is determined by the contents of source- index register. Load the correct index value into the SI or ESI register before running the OUTS instruction. After the transfer, source-index register is advanced automatically. If the DF flag is 0 (the CLD instruction was run), the source-index register is incremented; if the DF flag is 1 (the STD instruction was run), it is decremented. The amount of the increment or decrement is 1 if a byte is output, 2 if a word is output, or 4 if a doubleword is output. The OUTSB, OUTSW, and OUTSD instructions are synonyms for the byte, word, and doubleword OUTS instructions. The OUTS instruction can be preceded by the REP prefix for block output of ECX bytes or words. Refer to the REP instruction for details on this operation. IF AddressSize = 16 THEN use SI for source-index; ELSE (* AddressSize = 32 *) use ESI for source-index; FI;
 * Description
 * Operation

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) IF NOT I-O-Permission (DEST, width(DEST)) THEN #GP(0); FI; FI; IF byte type of instruction THEN [DX] ← [source-index]; (* Write byte at DX I/O address *) IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI; FI; IF OperandSize = 16 THEN [DX] ← [source-index]; (* Write word at DX I/O address *) IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI; FI; IF OperandSize = 32 THEN [DX] ← [source-index]; (* Write dword at DX I/O address *) IF DF = THEN IncDec ← 4 ELSE IncDec ← -4; FI; FI; FI; source-index ← source-index + IncDec; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. After the OUT or OUTS instructions are run, the Pentium processor ensures that the EWBE# has been sampled active before beginning to run the next instruction. Note that the instruction may be prefetched if EWBE# is not active, but it will not run until EWBE# is sampled active.
 * Protected Mode Exceptions:#GP(0) if the current privilege level is greater than the I/O privilege level and any of the corresponding I/O permission bits in TSS equals 1; #GP (0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault- code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Notes

POP - Pop a Word from the Stack
The POP instruction replaces the previous contents of the memory, the register, or the segment register operand with the word on the top of the processor stack, addressed by SS:SP (address-size attribute of 16 bits) or SS:ESP (address-size attribute of 32 bits). The stack pointer SP is incremented by 2 for an operand-size of 16 bits or by 4 for an operand-size of 32 bits. It then points to the new top of stack. The POP CS instruction is not a processor instruction. Popping from the stack into the CS register is accomplished with a RET instruction. If the destination operand is a segment register (DS, ES, FS, GS, or SS), the value popped must be a selector. In protected mode, loading the selector initiates automatic loading of the descriptor information associated with that selector into the hidden part of the segment register; loading also initiates validation of both the selector and the descriptor information. A null value (0000-0003) may be popped into the DS, ES, FS, or GS register without causing a protection exception. An attempt to reference a segment whose corresponding segment register is loaded with a null value causes a # GP(0) exception. No memory reference occurs. The saved value of the segment register is null. A POP SS instruction inhibits all interrupts, including NMI, until after processing of the next instruction. This allows sequential processing of POP SS and MOV eSP, eBP instructions without danger of having an invalid stack during an interrupt. However, use of the LSS instruction is the preferred method of loading the SS and eSP registers. A POP-to-memory instruction, which uses the stack pointer (ESP) as a base register, references memory after the POP. The base used is the value of the ESP after the instruction runs. Loading a segment register while in protected mode results in special checks and actions, as described in the following listing: IF SS is loaded: IF selector is null THEN #GP(0); Selector index must be within its descriptor table limits ELSE #GP(selector); Selector's RPL must equal CPL ELSE #GP(selector); AR byte must indicate a writable data segment ELSE #GP(selector); DPL in the AR byte must equal CPL ELSE #GP(selector); Segment must be marked present ELSE #SS(selector); Load SS register with selector; Load SS register with descriptor;
 * Description

IF DS, ES, FS or GS is loaded with non-null selector: AR byte must indicate data or readable code segment ELSE #GP(selector); IF data or nonconforming code THEN both the RPL and the CPL must be less than or equal to DPL in   AR byte ELSE #GP(selector); FI; Segment must be marked present ELSE #NP(selector); Load segment register with selector; Load segment register with descriptor;

IF DS, ES, FS, or GS is loaded with a null selector: Load segment register with selector Clear valid bit in invisible portion of register IF StackAddrSize = 16 THEN IF OperandSize = 16 THEN DEST ← (SS:SP); (* copy a word *) SP ← SP + 2; ELSE (* OperandSize = 32 *) DEST ← (SS:SP); (* copy a dword *) SP ← SP + 4; FI; ELSE (* StackAddrSize = 32 *) IF OperandSize = 16 THEN DEST ← (SS:ESP); (* copy a word *) ESP ← ESP + 2; ELSE (* OperandSize = 32 *) DEST ← (SS:ESP); (* copy a dword *) ESP ← ESP + 4; FI; FI; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. Back-to-back PUSH/POP instruction sequences are allowed without incurring an additional clock. The stack segment descriptor's B bit will determine the size of Stack Addr Size. Pop ESP instructions increments the stack pointer (ESP) before data at the old top of stack is written into the destination.
 * Operation
 * Protected Mode Exceptions
 * GP, #SS, and #NP if a segment register is being loaded, #SS(0) if the current top of stack is not within the stack segment; #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

POPA/POPAD-Pop all General Registers
The POPA instruction pops the eight 16-bit general registers. However, the SP value is discarded instead of loaded into the SP register. The POPA instruction reverses a previous PUSHA instruction, restoring the general registers to their values before the PUSHA instruction was run. The first register popped is the DI register. The POPAD instruction pops the eight 32-bit general registers. The ESP value is discarded instead of loaded into the ESP register. The POPAD instruction reverses the previous PUSHAD instruction, restoring the general registers to their values before the PUSHAD instruction was run. The first register popped is the EDI register.
 * Description

IF OperandSize = 16 (* instruction = POPA *) THEN DI ← Pop; SI ← Pop; BP ← Pop; increment SP by 2 (* skip next 2 bytes of stack *) BX ← Pop; DX ← Pop; CX ← Pop; AX ← Pop; ELSE (* OperandSize = 32, instruction = POPAD *) EDI ← Pop; ESI ← Pop; EBP ← Pop; increment SP by 4 (* skip next 4 bytes of stack *) EBX ← Pop; EDX ← Pop; ECX ← Pop; EAX ← Pop; FI;
 * Operation

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in real-address mode; #PF(fault-code) for a page fault.
 * Protected Mode Exceptions
 * 1) SS(0) if the starting or ending stack address is not within the stack segment; #PF(fault-code) for a page fault.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

POPF/POPFD - Pop Stack into FLAGS or EFLAGS Register
The POPF and POPFD instructions pop the word or doubleword on the top of the stack and store the value in the FLAGS register. If the operand-size attribute of the instruction is 16 bits, then a word is popped and the value is stored in the FLAGS register. If the operand-size attribute is 32 bits, then a doubleword is popped and the value is stored in the EFLAGS register. When the IOPL is less than 3 in virtual-8086 mode, the POPF instruction causes a general protection exception. When the IOPL is equal to 3 while running in virtual-8086 mode, POPF pops a word into the FLAGS register. Refer to the Intel documentation for information about the FLAGS and EFLAGS registers. Note that bits 16 and 17 of the EFLAGS register, called the VM and RF flags, respectively, are not affected by the POPF or POPFD instruction. The I/O privilege level is altered only when running at privilege level 0. The interrupt flag is altered only when running at a level at least as privileged as the I/O privilege level. (Real-address mode is equivalent to privilege level 0.) If a POPF instruction is run with insufficient privilege, an exception does not occur, but the privileged bits do not change.
 * Description

IF VM=0 (* Not in Virtual-8086 Mode *) THEN IF OperandSize=32; THEN EFLAGS ← Pop AND 277FD7H; ELSE FLAGE ← Pop; FI; ELSE (* In Virtual-8086 Mode *) IF IOPL=3 THEN IF OperandSize=32 THEN TempEflags ← Pop; EFLAGS ← ((EFLAGS AND 1B3000H) OR (TempEflags AND ~ 1B3000H)) (* VM, RF, IOPL, VIP, and VIF of EGLAGS bits are                               not modified by POPFD *) ELSE FLAGS ← Pop FI; ELSE #GP(0); (* trap to virtual-8086 monitor *) FI; FI;
 * Operation

All flags except the VM, RF, IOPL, VIF and VIP flags. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Protected Mode Exceptions
 * 1) SS(0) if the top of stack is not within the stack segment.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) GP(0) fault if the I/O privilege level is less than 3 in order to permit emulation. #GP(0) if an attempt is made to run POPF with an operand-size override prefix.

PUSH - Push Operand onto the Stack
The PUSH instruction decrements the stack pointer by 2 if the operand-size attribute of the instruction is 16 bits; otherwise, it decrements the stack pointer by 4. The PUSH instruction then places the operand on the new top of stack, which is pointed to by the stack pointer. The PUSH ESP instruction pushes the value of the ESP register as it existed before the instruction. This differs from the 8086, where the PUSH SP instruction pushes the new value (decremented by 2). Likewise, a PUSH-from-memory instruction, which uses the stack pointer (ESP ) as a base register, references memory before the PUSH. The base used is the value of the ESP before the instruction runs.
 * Description

IF StackAddrSize = 16 THEN IF OperandSize = 16 THEN SP ← SP - 2; (SS:SP) ← (SOURCE); (* word assignment *) ELSE SP ← SP - 4; (SS:SP) ← (SOURCE); (* dword assignment *) FI; ELSE (* StackAddrSize = 32 *) IF OperandSize = 16 THEN ESP ← ESP -2; (SS:ESP) ← (SOURCE); (* word assignment *) ELSE ESP ← ESP -4; (SS:ESP) ← (SOURCE); (* dword assignment *) FI; FI; None; if the SO or ESP register is 1, the processor shuts down due to a lack of stack space. Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. When used with an operand in memory, the PUSH instruction takes longer to run than a two-instruction sequence, which moves the operand through a register. Back-to-back PUSH/POP instruction sequences are allowed without incurring an additional clock. Selective pushes write only the top of the stack.
 * Operation
 * Protected Mode Exceptions
 * 1) SS(0) if the new value of the SP or ESP register is outside the stack segment limit; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

PUSHA/PUSHAD - Push all General Registers
The PUSHA and PUSHAD instructions save the 16-bit or 32-bit general registers, respectively, on the processor stack. The PUSHA instruction decrements the stack pointer (SP) by 16 to hold the eight word values. The PUSHAD instruction decrements the stack pointer (ESP) by 32 to hold the eight doubleword values. Because the registers are pushed onto the stack in the order in which they were given, they appear in the 16 or 32 new stack bytes in reverse order. The last register pushed is the DI or EDI register.
 * Description

IF OperandSize = 16 (* PUSHA instruction *) THEN  Temp ← (SP); Push(AX); Push(CX); Push(DX); Push(BX); Push(Temp); Push(BP); Push(SI); Push(DI); ELSE (* OperandSize = 31, PUSHAD instruction *) Temp ← (ESP); Push(EAX); Push(ECX); Push(EDX); Push(EBX); Push(Temp); Push(EPS); Push(ESI); Push(EDI); FI;
 * Operation


 * Protected Mode Exceptions
 * 1) SS(0) if the starting or ending stack address is outside the stack segment limit; #PF(fault-code) for a page fault.

Before running the PUSHA or PUSHAD instruction, the Pentium processor shuts down if the SP or ESP register equals 1, 3, or 5; if the SP or ESP register equals 7, 9, 11, 13, or 15, exception 13 occurs.
 * Real Address Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault.
 * Virtual 8086 Mode Exceptions

PUSHF/PUSHFD-Push Flags Register onto the Stack
The PUSHF instruction decrements the stack pointer by 2 and copies the FLAGS register to the new top of stack; the PUSHFD instruction decrements the stack pointer by 4, and the EFLAGS register is copied to the new top of stack, which is pointed to by SS:ESP. Refer to the Intel documentation for information on the EFLAGS register.
 * Description

IF VM=0 (* Not in Virtual-8086 Mode *) THEN IF OperandSize = 32 THEN push(EFLAGS AND 0FCFFFFH); (* VM and RF EFLAG bits are cleared *) ELSE push(FLAGS); FI; ELSE (* In Virtual-8086 Mode *) IF IOPL=3 THEN IF OperandSize = 32 THEN push(EFLAGS AND 0FCFFFFH); (* VM and RF EFLAGS bits are cleared *) ELSE push(FLAGS); FI; ELSE #GP(0); (* Trap to virtual-8086 monitor *) FI; FI;
 * Operation


 * Protected Mode Exceptions
 * 1) SS(0) if the new value of the ESP register is outside the stack segment boundaries.

None; the processor shuts down due to a lack of stack space.
 * Real Address Mode Exceptions


 * Virtual 8086 Mode Exceptions
 * 1) GP(0) fault if the I/O privilege level is less than 3, to permit emulation.

RCL/RCR/ROL/ROR - Rotate
Each rotate instruction shifts the bits of the register or memory operand given. The left rotate instructions shift all the bits upward, except for the top bit, which is returned to the bottom. The right rotate instructions do the reverse: the bits shift downward until the bottom bit arrives at the top. For the RCL and RCR instructions, the CF flag is part of the rotated quantity. The RCL instruction shifts the CF flag into the bottom bit and shifts the top bit into the CF flag; the RCR instruction shifts the CF flag into the top bit and shifts the bottom bit into the CF flag. For the ROL and ROR instructions, the original value of the CF flag is not a part of the result, but the CF flag receives a copy of the bit that was shifted from one end to the other. The rotate is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum instruction processing time, the Pentium processor does not allow rotation counts greater than 31. If a rotation count greater than 31 is attempted, only the bottom five bits of the rotation are used. The 8086 does not mask rotation counts. The Pentium processor in Virtual 8086 Mode does mask rotation counts. The OF flags is defined only for the single-rotate forms of the instructions (second operand is a 1). It is undefined in all other cases. For left shifts/rotates, the CF bit after the shift is XORed with the high- order result bit. For right shifts/rotates, the high-order two bits of the result are XORed to get the OF flag.
 * Description
 * Operation

(* ROL - Rotate Left *) temp ← COUNT; WHILE (temp <> 0) DO tmpcf ← high-order bit of (r/m); r/m ← r/m * 2 + (tmpcf); temp ← temp - 1; OD; IF COUNT = 1 THEN IF high-order bit of r/m <> CF   THEN OF ← 1; ELSE OF ← 0; FI; ELSE OF ← undefined; FI; (* ROR - Rotate Right *) temp ← COUNT; WHILE (temp <> 0) DO tmpcf ← low-order bit of (r/m); r/m ← r/m / 2 + (tmpcf * 2widty(r/m)); temp ← temp - 1; DO; IF COUNT = 1 THEN IF (high-order bit of r/m) <> (bit next to high-order bit of r/m) THEN OF ← 1; ELSE OF ← 0; FI; ELSE OF ← undefined; FI;

The OF flag is affected only for single-bit rotates; the OF flag is undefined for multi-bit rotates; the CF flag contains the value of the bit shifted into it; the SF, ZF, AF, and PF flags are not affected. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

RDMSR - Read from Model Specific Register
The value in ECX specifies one of the 64-bit Model Specific Registers of the Pentium processor. The content of that Model-Specific Register is copied into EDX:EAX. EDX is loaded with the high-order 32 bits, and EAX is loaded with the low-order 32 bits. The following values are used to select model specific registers on the Pentium processor. For other values used to perform cache, TLB, and BTB testing and performance monitoring, see the Intel documentation. EDX:EAX ← MSR[ECX]; This instruction must be run at privilege level 0 or in real-address mode; otherwise, a protection exception will be generated. If less than 64 bits are implemented in a model specific register, the value returned to EDX:EAX, in the locations corresponding to the unimplemented bits, is unpredictable. RDMSR is used to read the content of Model-Specific Registers that control functions for testability, execution tracing, performance monitoring and machine check errors. Refer to the Pentium(TM) Processor Data Book for more information. The values 3H, 0FH, and values above 13H are reserved. Do not run RDMSR with reserved values in ECX.
 * Description
 * Operation
 * Protected Mode Exceptions
 * 1) GP(0) if either the current privilege level is not 0 or the value in ECX does not specify a Model-Specific Register that is implemented in the Pentium processor.
 * Real Address Mode Exceptions
 * 1) GP if the value in ECX does not specify a Model-Specific Register that is implemented in the Pentium processor.
 * Virtual 8086 Mode Exceptions
 * 1) GP(0) if instruction processing is attempted.
 * Notes

RDTSC - Read Time Stamp Counter

 * Description


 * Operation


 * Protected Mode Exceptions


 * Real Address Mode Exceptions


 * Virtual 8086 Mode Exceptions

REP/REPE/REPZ/REPNE/REPNZ - Repeat Following String Operation
The REP, REPE (repeat while equal), and REPNE (repeat while not equal) prefixes are applied to string operation. Each prefix causes the string instruction that follows to be repeated the number of times indicated in the count register or (for the REPE and REPNE prefixes) until the indicated condition in the ZF flag is no longer met. Synonymous forms of the REPE and REPNE prefixes are the REPZ and REPNZ prefixes, respectively. The REP prefixes apply only to one string instruction at a time. To repeat a block of instructions, use the LOOP instruction or another looping construct. The precise action for each iteration is as follows: Repeated CMPS and SCAS instructions can be exited if the count is exhausted or if the ZF flag fails the repeat condition. These two cases can be distinguished by using either the JCXZ instruction, or by using the conditional jumps that test the ZF flag (the JZ, JNZ, and JNE instructions).
 * Description
 * 1) If the address-size attribute is 16 bits, use the CX register for the count register; if the address-size attribute is 32 bits, use the ECX register for the count register.
 * 2) Check the count register. If it is zero, exit the iteration, and move to the next instruction.
 * 3) Acknowledge any pending interrupts.
 * 4) Perform the string operation once.
 * 5) Decrement the CX or count register by one; no flags are modified.
 * 6) Check the ZF flag is the string operation is a SCAS or CMPS instruction. If the repeat condition does not hold, exit the iteration and move to the next instruction. Exit the iteration if the prefix if REPE and the ZF flag is 0 (the last comparison was not equal), or if the prefix is REPNE and the ZF flag is one (the last comparison was equal).
 * 7) Return to step 2 for the next iteration.

IF AddressSize = 16 THEN use CX for CountReg; ELSE (* AddressSize = 32 *) use ECX for CountReg; FI; WHILE CountReg <> 0 DO   service pending interrupts (if any); perform primitive string instruction; CountReg ← CountReg -1; IF primitive operation is CMPSB, CMPSW, CMPSD, SCASB, SCASW, or SCASD THEN IF (instruction is REP/REPE/REPZ) AND (ZF=0) THEN exit WHILE loop ELSE IF (instruction if REPNZ or REPNE) AND (ZF=1) THEN exit WHILE loop; FI; FI; FO; OD;
 * Operation

The ZF flag is affected by the REP CMPS and REP SCAS as described above.

Not all I/O ports can handle the rate at which the REP INS and REP OUTS instructions run. Do not use the REP prefix with the LOOP instruction. Proper LOOP operation is not guaranteed when used with the REP prefix and the effect of this combination is unpredictable. The behavior of the REP prefix is undefined when used with non-string instructions. When a page fault occurs during CMPS or SCAS instructions that are prefixed with REPNE, the EFLAGS value is restored to the state prior to the processing of the instruction. Because SCAS and CMPS do not use EFLAGS as an input, the processor can resume the instruction after the page fault handler.
 * Notes

RET - Return from Procedure
The RET instruction transfers control to a return address located on the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL instruction. The optional numeric parameter to the RET instruction gives the number of stack bytes (OperandMode=16) or words (OperandMode=32) to be released after the return address is popped. These items are typically used as input parameters to the procedure called. For the intrasegment (near) return, the address on the stack is a segment offset, which is popped into the instruction pointer. The CS register is unchanged. For the intersegment (far) return, the address on the stack is a long pointer. The offset is popped first, followed by the selector. In real mode, the CS and IP registers are loaded directly. In Protected Mode, an intersegment return causes the processor to check the descriptor addressed by the return selector. The AR byte of the descriptor must indicate a code segment of equal or lesser privilege (or greater or equal numeric value) than the current privilege level. Returns to a lesser privilege level cause the stack to be reloaded from the value saved beyond the parameter block. The DS, ES, FS, and GS segment registers can be cleared by the RET instruction during an interlevel transfer. If there registers refer to segments that cannot be used by the new privilege level, they are cleared to prevent unauthorized access from the new privilege level.
 * Description

IF instruction = near RET THEN; IF OperandSize = 16 THEN IP ← Pop; EIP ← EIP AND 0000FFFFH; ELSE (* OperandSize = 32 *) EIP ← Pop; FI; IF instruction has immediate operand THEN eSP ← eSP + imm16; FI; FI;
 * Operation

IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or virtual 8086 mode *) AND instruction = far RET THEN; IF OperandSize = 16 THEN IP ← Pop; EIP ← EIP AND 0000FFFFH; CS ← Pop; (* 16-bit pop *) ELSE (* OperandSize = 32 *) EIP ← Pop ; CS ← Pop; (* 32-bit pop, high-order 16-bits discarded *) FI; IF instruction has immediate operand THEN eSP ← eSP + imm16; FI; FI;

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) AND instruction = far RET THEN IF OperandSize=32 THEN Third word on stack must be within stack limits else #SS(0); ELSE Second word on stack must be within stack limits else #SS(0); FI; Return selector RPL must be ó CPL ELSE #GP(return selector) IF return selector RPL = CPL THEN GOTO SAME-LEVEL; ELSE GOTO OUTER-PRIVILEGE-LEVEL; FI; FI;

SAME-LEVEL: Return selector must be non-null ELSE #GP(0) Selector index must be within its descriptor table limits ELSE #GP(selector) Descriptor AR byte must indicate code segment ELSE #GP(selector) IF non-conforming THEN code segment DPL must equal CPL; ELSE #GP(selector); FI; IF conforming THEN code segment DPL must be ó CPL; ELSE #GP(selector); FI; Code segment must be present ELSE #NP(selector); Top word on stack must be within stack limits ELSE #SS(0); IP must be in code segment limit ELSE #GP(0); IF OperandSize=32 THEN Load CS:EIP from stack Load CS register with descriptor Increment eSP by 8 plus the immediate offset if it exists ELSE (* OperandSize=16 *) Load CS:IP from stack Load CS register with descriptor Increment eSP by 4 plus the immediate offset if it exists FI;

OUTER-PRIVILEGE-LEVEL: IF OperandSize=32 THEN Top (16+immediate) bytes on stack must be within stack limits ELSE #SS(0); ELSE Top (8+immmediate) bytes on stack must be within stack limits ELSE #SS(0); FI; Examine return CS selector and associated descriptor: Selector must be non-null ELSE #GP(0); Selector index must be within its descriptor table limits ELSE #GP(selector) Descriptor AR byte must indicate code segment ELSE #GP(selector); IF non-conforming THEN code segment DPL must equal return selector RPL ELSE #GP(selector); FI;

IF conforming THEN code segment DPL must be ó return selector RPL; ELSE #GP(selector); FI; Segment must be present ELSE #NP(selector) Examine return SS selector and associated descriptor: Selector must be non-null ELSE #GP(0); Selector index must be within its descriptor table limits ELSE #GP(selector); Selector RPL must equal the RPL of the return CS selector ELSE #GP(selector); Descriptor AR byte must indicate a writable data segment ELSE #GP(selector); Descriptor DPL must equal the RPL of the return CS selector ELSE #GP(selector); Segment must be present ELSE #NP(selector); IP must be in code segment limit ELSE #GP(0); Set CPL to the RPL of the return CS selector; IF OperandSize=32 THEN Load CS:EIP from stack; Set CS RPL to CPL; Increment eSP by 8 plus the immediate offset if it exists; Load SS:eSP from stack; ELSE (* OperandSize=16 *) Load CS:IP from stack; Set CS RPL to CPL; Increment eSP by 4 plus the immediate offset if it exists; Load SS:eSP from stack; FI; Load the CS register with the return CS descriptor; Load the SS register with the return SS descriptor; For each of ES, FS, GS, and DS   DO      IF the current register setting is not valid for the outer level, set the register to null (selector ← AR ← 0); To be valid, the register setting must satisfy the following properties: Selector index must be within descriptor table limits; Descriptor AR byte must indicate data or readable code segment; IF segment is data or non-conforming code, THEN DPL must be ò CPL, or DPL must be ò RPL; FI; OD;

&#35;GP, #NP, or #SS, as described under "Operation" above; #PF(fault-code) for a page fault. Interrupt 13 if any part of the operand would be outside the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault.
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

ROL/ROR - Rotate
See entry for RCL/RCR/ROL/ROR.

RSM - Resume from System Management Mode
The processor state is restored from the dump created upon entrance to SMM. Note, however, that the contents of the model-specific registers are not affected. The processor leaves SMM and returns control to the interrupted application or operating system. If the processor detects any invalid state information, it enters the shutdown state. This happens in any of the following situations: Resume operation of a program interrupted by a System Management Mode interrupt.
 * Description
 * The value stored in the State Dump Base field is not a 32Kbyte aligned address.
 * Any reserved bit of CR4 is set to 1.
 * Any combination of bits in CR0 is illegal; namely, (PG=1 and PE=0) or (NW= 1 and CD=0).
 * Operation

Flags Affected

All Refer to the Intel documentation for more information about System Management Mode and the behavior of the RSM instruction.
 * Protected Mode Exceptions
 * 1) UD if an attempt is made to run this instruction when the processor is not in System Management Mode.
 * Real Address Mode Exceptions
 * 1) UD if an attempt is made to run this instruction when the processor is not in System Management Mode.
 * Virtual 8086 Mode Exceptions
 * 1) UD if an attempt is made to run this instruction when the processor is not in System Management Mode.
 * Notes

SAHF - Store AH into Flags
Description The SAHF instruction loads the SF, ZF, AF, PF,A and CF flags with values from the AH register, from bits 7, 6, 4, 2, and 0, respectively.

SF:ZF:xx:AF:xx:PF:xx:CF← AH;
 * Operation

The SF, ZF, AF, PF, and CF flags are loaded with values from the AH register.

SAL/SAR/SHL/SHR - Shift Instructions

 * Details Table

Description The SAL instruction (or its synonym, SHL) shifts the bits of the operand upward. The high-order bit is shifted into the CF flag, and the low-order bit is cleared. The SAR and SHR instructions shift the bits of the operand downward. The low-order bit is shifted into the CF flag. The effect is to divide the operand by two. The SAR instruction performs a signed divide with rounding toward negative infinity (not the same as the IDIV instruction); the high-order bit remains the same. The SHR instruction performs an unsigned divide ; the high-order bit is cleared. The shift is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum processing time, the Pentium processor does not allow shift counts greater than 31. If a shift count greater than 31 is attempted, only the bottom five bits of the shift count are used. (The 8086 uses all eight bits of the shift count.) The OF flag is affected only if the single-shift forms of the instructions are used. For left shifts, the OF flag is cleared if the high bit of the answer is the same as the result of the CF flag (i.e., the top two bits of the original operand were the same); the OF flag is set if they are different. For the SAR instruction, the OF flag is cleared for all single shifts. For the SHR instruction, the OF flag is set for the high-order bit of the original operand.


 * Operation

(* COUNT is the second parameter *) (temp) ← COUNT; WHILE (temp<> 0) DO   IF instruction is SAL or SHL THEN CF ← high-order bit of r/m; FI; IF instruction is SAR or SHR THEN CF ← low-order bit of r/m; FI; IF instruction = SAL or SHL THEN r/m ← r/m * 2; FI; IF instruction = SAR THEN r/m ← r/m ;2 (*Signed divide, rounding toward negative infinity*); FI; IF instruction = SHR THEN r/m ← r/m / 2; (* Unsigned divide *); FI; temp ← temp - 1; OD; IF COUNT = 1 THEN IF instruction is SAL or SHL THEN OF ← high-order bit of r/m <> (CF); FI; IF instruction is SAR THEN OF ← 0; FI; IF instruction is SHR THEN OF ← high-order bit of operand; FI; ELSE OF ← undefined; FI;
 * Determine overflow for the various instructions *)

If count = 0, the flags are not affected. The CF flag contains the value of the last bit shifted out. The CF flag is undefined for SHL and SHR instructions in which the shift lengths are greater than or equal to the size of the operand to be shifted. The OF flag is affected for single shifts; the OF flag is undefined for multiple shifts; the CF, ZF, PF, and SF flags are set according to the result. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

SBB - Integer Subtraction with Borrow
The SBB instruction adds the second operand (SRC) to the CF flag and subtracts the result from the first operand (DEST). The result of the subtraction is assigned to the first operand (DEST), and the flags are set accordingly. When an immediate byte value is subtracted from a word operand, the immediate value is first sign-extended.
 * Description

F SRC is a byte and DEST is a word or dword THEN DEST = DEST - (SignExtend(SRC) + CF) ELSE DEST ← DEST - (SRC + CF);
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are set according to the result. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

SCAS/SCASB/SCASW/SCASD - Compare String Data
The SCAS instruction subtracts the memory byte or word at the destination register from the AL, AX or EAX register. The result is discarded; only the flags are set. The operand must be addressable from the ES segment; no segment override is possible. If the address-size attribute for this instruction is 16 bits, the DI register is used as the destination register, otherwise, the address-size attribute is 32 bits and the EDI register is used. The address of the memory data being compared is determined solely by the contents of the destination register, not by the operand to the SCAS instruction. The operand validates ES segment addressability and determines the data type. Load the correct index value into the DI or EDI register before running the SCAS instruction. After the comparison is made, the destination register is automatically updated. If the direction flag is 0 (the CLD instruction was run), the destination register is incremented; if the direction flag is 1 (the STD instruction was run), it is decremented. The increments or decrements are by 1 if bytes are compared, by 2 if words are compared, or by 4 if doublewords are compared. The SCASB, SCASW, and SCASD instructions are synonyms for the byre, word and doubleword SCAS instructions that don't require operands. They are simpler to code, but provide no type or segment checking. The SCAS instruction can be preceded by the REPE or REPNE prefix for a block search of CX or ECX bytes or words. Refer to the REP instruction for further details.
 * Description

IF AddressSize = 16THEN use DI for dest-index;ELS E (* AddressSize = 32 *) use EDI for dest-index; FI; If byte type of instruction THEN AL - [dest-index]; (* Compare byte in AL and dest *) IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI; ELSE IF OperandSize = 16 THEN AX - [dest-index]; (* compare word in AL and dest *) IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI; ELSE (* OperandSize = 32 *) EAX - [dest-index];(* compare dword in EAX and dest *) IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI; FI; FI; dest-index = dest-index + IncDec
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are set according to the result. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the ES segment; # PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

SETcc-Byte Set on Condition
The SETcc instruction stores a 1 byte at the destination specified by the effective address or register if the condition is met, or a 0 byte if the condition is not met.
 * Description

IF condition THEN r/m8 ← 1 ELSE r/m8 ← 0; FI;
 * Operation

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a non-writable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

SGDT/SIDT - Store Global/Interrupt Descriptor Table Register
The SGDT and SIDT instructions copy the contents of the descriptor table register to the six bytes of memory indicated by the operand. The LIMIT field of the register is assigned to the first word at the effective address. If the operand-size attribute is 16 bits, the next three bytes are assigned the BASE field of the register, and the fourth byte is undefined. Otherwise, if the operand-size attribute is 32 bits, the next four bytes are assigned the 32-bit BASE field of the register. The SGDT and SIDT instructions are used only in operating system software; they are not used in application programs.
 * Description

DEST ← 48-bit BASE/LIMIT register contents;
 * Operation

Interrupt 6 if the destination operand is a register; #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. Interrupt 6 if the destination operand is a register; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The 16-bit forms of the SGDT and SIDT instruction are compatible with the Intel 286 processor, if the value in the upper eight bits is not referenced. The Intel 286 processor stores 1's in these upper bits, whereas the 32- bit processors store 0's if the operand-size attribute is 16 bits. These bits were specified as undefined by the SGDT and SIDT instructions in the 80286 Programming Reference Manual (Intel Order No. 210498).
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Compatibility Note

SHL/SHR - Shift Instruction
See entry for SAL/SAR/SHL/SHR.

SHLD - Double Precision Shift Left
The SHLD instruction shifts the first operand provided by the r/m field to the left as many bits as specified by the count operand. The second operand (r16 or r32) provides the bits to shift in from the right (starting with bit 0). The result is stored back into the r/m operand. The register remains unaltered. The count operand is provided by either an immediate byte or the contents of the CL register. These operands are taken MODULO 32 to provide a number between 0 and 31 by which to shift. Because the bits to shift are provided by the specified registers, the operation is useful for multi-precision shifts (64 bits or more). The SF, ZF and PF flags are set according to the value of the result. The CF flag is set to the value of the last bit shifted out. The OF and AF flags are left undefined.
 * Description

(* count is an unsigned integer corresponding to the last operand of the instruction,    either an immediate byte or the byte in register CL *) ShiftAmt ← count MOD 32; inBits ← register; (* Allow overlapped operands *) IF ShiftAmt = 0 THEN no operation ELSE IF ShiftAmt ò OperandSize THEN (* Bad parameters *) r/m ← UNDEFINED; CF, OF, SF, ZF, AF, PF ← UNDEFINED; ELSE (* Perform the shift *) CF ← BIT[Base, OperandSize - ShiftAmt]; (* Last bit shifted out on exit *) FOR i ← OperandSize - 1 DOWNTO ShiftAmt DO      BIT[Base, i] ← BIT[Base, i - ShiftAmt]; OF; FOR i ← ShiftAmt - 1 DOWNTO 0 DO      BIT[Base, i] ← BIT[inBits, i - ShiftAmt + OperandSize]; OD; Set SF, ZF, PF (r/m); (* SF, ZF, PF are set according to the value of the result *) AF ← UNDEFINED; FI; FI;
 * Operation

If count = 0, the flags are not affected. The SF, ZF, and PF flags are set according to the result; the CF flag is set to the value of the last bit shifted out; after a shift of one bit position, the OF flag is set if a sign change occurred, otherwise it is cleared; after a shift of more than one bit position, the OF flag is undefined; the AF flag is undefined, except for a shift count of zero, which does not affect any flags. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

SHRD - Double Precision Shift Right
The SHRD instruction shifts the first operand provided by the r/m field to the right as many bits as specified by the count operand. The second operand (r16 or r32) provides the bits to shift in from the left (starting with bit 31). The result is stored back into the r/m operand. The register remains unaltered. The count operand is provided by either an immediate byte or the contents of the CL register. These operands are taken MODULO 32 to provide a number between 0 and 31 by which to shift. Because the bits to shift are provided by the specified register, the operation is useful for multi-precision shifts (64 bits or more). The SF, ZF and PF flags are set according to the value of the result. The CF flag is set to the value of the last bit shifted out. The OF and AF flags are left undefined.
 * Description


 * Operation

(* count is an unsigned integer corresponding to the last operand of the instruction, either an immediate byte or the byte in register CL *)

ShiftAmt ← count MOD 32; inBits ← register; (* Allow overlapped operands *) IF ShiftAmt = 0 THEN no operation ELSE IF ShiftAmt ò OperandSize THEN (* Bad parameters *) r/m ← UNDEFINED; CF, OF, SF, ZF, AF, PF ← UNDEFINED; ELSE (* Perform the shift *) CF ← BIT[r/m, ShiftAmt - 1]; (* last bit shifted out on exit *) FOR i ← 0 TO OperandSize - 1 - ShiftAmt DO      BIT[r/m, i] ← BIT[r/m, i - ShiftAmt]; OD; FOR i ← OperandSize - ShiftAmt TO OperandSize-1 DO      BIT[r/m,i] ← BIT[inBits,i+ShiftAmt - OperandSize]; OD; (* SF, ZF, PF are set according to the value of the result *) Set SF, ZF, PF (r/m); AF ←UNDEFINED; FI; FI;

Flags Affected If count = 0, the flags are not affected. The SF, ZF, and PF flags are set according to the result; the CF flag is set to the value of the last bit shifted out; after a shift of one bit position, the OF flag is set if a sign change occurred, otherwise it is cleared; after a shift of more than one bit position, the OF flag is undefined; the AF flag is undefined, except for a shift count of zero, which does not affect any flags. Protected Mode Exceptions Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #AC for unaligned memory reference if the current privilege level is 3.
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

SIDT - Store Interrupt Descriptor Table Register
See entry for SGDT/SIDT.

SLDT - Store Local Descriptor Table Register
The SLDT instruction stores the Local Descriptor Table Register (LDTR) in the two-byte register or memory location indicated by the effective address operand. This register is a selector that points into the Global Descriptor Table. The SLDT instruction is used only in operating system software. It is not used in application programs.
 * Description

r/m16 ← LDTR;
 * Operation

Interrupt 6; the SLDT instruction is not recognized in Real Address Mode. Same exceptions as in Real Address Mode (because the instruction is not recognized, it will not run or perform a memory reference). When the destination is a 32-bit register, the 16-bit source operand is copied into the lower 16 bits of the destination register, and the upper 16 bits of the register are undefined. With a 16-bit register operand, only the lower 16 bits of the destination are affected (the upper 16 bits remain unchanged). With a memory operand, the source is written to memory as a 16- bit quantity, regardless of operand size. As a result, 32-bit software should always treat the destination as 16-bits and mask bits 16-31, if necessary.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

SMSW - Store Machine Status Word
The SMSW instruction stores the machine status word (part of the CR0 register) in the two-byte register or memory location indicated by the effective address operand.
 * Description

r/m16 ← MSW;
 * Operation

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode, #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. This instruction is provided for compatibility with the Intel 286 processor; programs for the Pentium processor should use the MOV ..., CR0 instruction. When the destination is a 32-bit register, the 16-bit source operand is copied into the lower 16 bits of the destination register, and the upper 16 bits of the register are undefined. With a 16-bit register operand, only the lower 16 bits of the destination are affected (the upper 16 bits remain unchanged). With a memory operand, the source is written to memory as a 16- bit quantity, regardless of operand size. As a result, 32-bit software should always treat the destination as 16-bits and mask bits 16-31, if necessary.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

STC - Set Carry Flag
CF ← 1;
 * Description: The STC instruction sets the CF flag.
 * Operation

The CF flag is set.

STD - Set Direction Flag
The STD instruction sets the direction flag, causing all subsequent string operations to decrement the index registers, (E)SI and/or (E)DI, on which they operate.
 * Description

DF ← 1;
 * Operation

The DF flag is set.

STI - Set Interrupt Flag
The STI instruction sets the IF. The processor then responds to external interrupts after running the next instruction if the next instruction allows the IF flag to remain enabled. If external interrupts are disabled and the STI instruction is followed by the RET instruction (such as at the end of a subroutine), the RET instruction is allowed to run before external interrupts are recognized. Also, if external interrupts are disabled and the STI instruction is followed by a CLI instruction, which clears the IF flag, then external interrupts are not recognized because the CLI instruction clears the IF flag during its processing.
 * Description

IF PE=0 (* Running in real-address mode *) THEN IF ← 1; (* Set Interrupt Flag *) ELSE (* Running in protected mode or virtual-8086 mode *) IF VM=0 (* Running in protected mode *) THEN IF IOPL=3 THEN IF ← 1; (* Set Interrupt Flag *) ELSE IF CPL òIOPL THEN IF ← 1; ELSE #GP(0); FI; FI; ELSE (* Running in Virtual-8086 mode *) #GP(0); (* Trap to virtual-8086 monitor *) FI; FI;
 * Operation

The following decision table indicates which action in the lower portion of the table is taken given the conditions in the upper portion of the table. Notes: - Don't care Blank Action not taken Y Action in Column 1 taken
 * Decision Table

The IF flag is set.


 * Protected Mode Exceptions
 * 1) GP(0) if the current privilege level is greater (has less privilege) than the I/O privilege level.


 * Virtual 8086 Mode Exceptions
 * 1) GP(0) as for protected mode.

In case of an NMI, trap, or fault following STI the interrupt will be taken before running the next sequential instruction in the code. For information on this instruction when using virtual mode extensions, see the Intel documentation.
 * Notes

STOS/STOSB/STOSW/STOSD - Store String Data

 * Details Table

The STOS instruction transfers the contents of the AL, AX, or EAX register to the memory byte or word given by the destination register relative to the ES segment. The destination register is the DI register for an address- size attribute of 16 bits or the EDI register for an address-size attribute of 32 bits. The destination operand must be addressable from the ES register. A segment override is not possible. The address of the destination is determined by the contents of the destination register, not by the explicit operand of the STOS instruction. This operand is used only to validate ES segment addressability and to determine the data type. Load the correct index value into the destination register before running the STOS instruction. After the transfer is made, the (E)DI register is automatically updated. If the DF flag is 0 (the CLD instruction was run), the (E)DI register is incremented; if the DF flag is 1 (the STD instruction was executed), the (E )DI register is decremented. The (E)DI register is incremented or decremented by 1 if a byte is stored, by 2 if a word is stored, or by 4 if a doubleword is stored. The STOSB, STOSW, and STOSD instructions are synonyms for the byte, word, and doubleword STOS instructions, that do not require an operand. They are simpler to use, but provide no type or segment checking. The STOS instruction can be preceded by the REP prefix for a block fill of CX or ECX bytes, words, or doublewords. Refer to the REP instruction for further details.
 * Description

IF AddressSize = 16 THEN use ES:DI for DestReg ELSE (* AddressSize = 32 *) use ES:EDI for DestReg; FI; IF byte type of instruction THEN (ES:DestReg) ← AL; IF DF = 0 THEN DestReg ← DestReg + 1; ELSE DestReg ← DestReg - 1; FI; ELSE IF OperandSize = 16 THEN (ES:DestReg) ← AX; IF DF = 0 THEN DestReg ← DestReg + 2; ELSE DestReg ← DestReg - 2; FI; ELSE (* OperandSize = 32 *) (ES:DestReg) ← EAX; IF DF = 0 THEN DestReg ← DestReg + 4; ELSE DestReg ← DestReg - 4; FI; FI; FI; Protected Mode Exceptions Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Operation
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the ES segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

STR - Store Task Register
The contents of the task register are copied to the two-byte register or memory location indicated by the effective address operand. The STR instruction is used only in operating system software. It is not used in application programs.
 * Description

r/m ← task register;
 * Operation

Real Address Mode Exceptions Interrupt 6; the STR instruction is not recognized in Real Address Mode. Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

When the destination is a 32-bit register, the 16-bit source operand is copied into the lower 16 bits of the destination register, and the upper 16 bits of the register are undefined. With a 16-bit register operand, only the lower 16 bits of the destination are affected (the upper 16 bits remain unchanged). With a memory operand, the source is written to memory as a 16- bit quantity, regardless of operand size. As a result, 32-bit software should always treat the destination as 16-bits and mask bits 16-31, if necessary.
 * Notes

SUB - Integer Subtraction
The SUB instruction subtracts the second operand (SRC) from the first operand (DEST). The first operand is assigned the result of the subtraction, and the flags are set accordingly. When an immediate byte value is subtracted from a word operand, the immediate value is first sign-extended to the size of the destination operand.
 * Description

IF SRC is a byte and DEST is a word or dword THEN DEST = DEST - SignExtend(SRC); ELSE DEST ← DEST - SRC; FI;
 * Operation

The OF, SF, ZF, AF, PF, and CF flags are set according to the result. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

TEST - Logical Compare
The TEST instruction computes the bit-wise logical AND of its two operands. Each bit of the result is 1 if both of the corresponding bits of the operands are 1; otherwise, each bit is 0. The result of the operation is discarded and only the flags are modified.
 * Details Table
 * Description


 * Operation

DEST : = LeftSRC AND RightSRC; CF ← 0; OF ← 0;

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

VERR, VERW - Verify a Segment for Reading or Writing
The two-byte register or memory operand of the VERR and VERW instructions contains the value of a selector. The VERR and VERW instructions determine whether the segment denoted by the selector is reachable from the current privilege level and whether the segment is readable (VERR) or writeable (VERW). If the segment is accessible, the ZF flag is set; if the segment is not accessible, the ZF flag is cleared. To set the ZF flag, the following conditions must be met: The validation performed is the same as if the segment were loaded into the DS, ES, FS, or GS register, and the indicated access (read or write) were performed. The ZF flag receives the result of the validation. The selector' s value cannot result in a protection exception, enabling the software to anticipate possible segment access problems.
 * Details Table
 * Description
 * The selector must denote a descriptor within the bounds of the table (GDT or LDT); the selector must be "defined."
 * The selector must denote the descriptor of a code or data segment (not that of a task state segment, LDT, or a gate).
 * For the VERR instruction, the segment must be readable. For the VERW instruction, the segment must be a writeable data segment.
 * If the code segment is readable and conforming, the descriptor privilege level (DPL) can be any value for the VERR instruction. Otherwise, the DPL must be greater than or equal to (have less or the same privilege as) both the current privilege level and the selector's RPL.

IF segment with selector at (r/m) is accessible with current protection level AND ((segment is readable for VERR) OR    (segment is writable for VERW)) THEN ZF ← 1; ELSE ZF ← 0; FI;
 * Operation

The ZF flag is set if the segment is accessible, cleared if it is not. Faults generated by illegal addressing of the memory operand that contains the selector; the selector is not loaded into any segment register, and no faults attributable to the selector operand are generated.
 * Protected Mode Exceptions
 * GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments;
 * SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 6; the VERR and VERW instructions are not recognized in Real Address Mode. Same exceptions as in Real Address Mode; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions

WAIT - Wait
WAIT causes the processor to check for pending unmasked numeric exceptions before proceeding. .#NM if both MP and TS in CR0 are set. Interrupt 7 if both MP and TS is CR0 are set. .#NM if both MP and TS in CR0 are set.
 * Description
 * Protected Mode Exceptions
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes:Coding WAIT after an ESC instruction ensures that any unmasked floating- point exceptions the instruction may cause are handled before the processor has a chance to modify the instruction's results.
 * FWAIT is an alternate mnemonic for WAIT.
 * Refer to the Intel documentation for more information about when to use WAIT (FWAIT).

WBINVD - Write-Back and Invalidate Cache
The internal cache is flushed, and a special-function bus cycle is issued, which indicates that external cache should write-back its contents to main memory. Another special-function bus cycle follows, directing the external cache to flush itself.
 * Description

FLUSH INTERNAL CACHE SIGNAL EXTERNAL CACHE TO WRITE-BACK SIGNAL EXTERNAL CACHE TO FLUSH
 * Operation

The WBINVD instruction is a privileged instruction; #GP(0) if the current privilege level is not 0. INVD should be used with care. It does not write back modified cache lines; therefore, it can cause the data cache to become inconsistent with other memories in the system. Unless there is a specific requirement or benefit to invalidate a cache without writing back the modified lines (i.e., testing or fault recovery where cache coherency with main memory is not a concern), software should use the WBINVD instruction. This instruction is implementation-dependent; its function may be implemented differently on future Intel processors. It is the responsibility of hardware to respond to the external cache write -back and flush indications. This instruction is not supported on Intel386 processors. See the Intel documentation for information on detecting the processor type at runtime. See the Intel documentation for information on disabling the cache.
 * Protected Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * 1) GP(0); the WBINVD instruction is a privileged instruction.
 * Notes

WRMSR - Write to Model Specific Register
The value in ECX specifies one of the 64-bit Model Specific Registers of the Pentium processor. The contents of EDX:EAX is copied into that Model-Specific Register. The high-order 32 bits are copied from EDX and the low-order 32 bits are copied from EAX. The following values are used to select model specific registers on the Pentium processor:
 * Description

For other values used to perform cache, TLB, and BTB testing and performance monitoring, see the Intel documentation.

MSR[ECX] ← EDX:EAX;
 * Operation


 * Protected Mode Exceptions
 * 1) GP(0) if either the current privilege level is not 0 or the value in ECX does not specify a Model-Specific Register that is implemented in the Pentium processor.


 * Real Address Mode Exceptions
 * 1) GP(0) if the value in ECX does not specify a Model-Specific Register that is implemented in the Pentium processor. No error code is pushed.


 * Virtual 8086 Mode Exceptions
 * 1) GP(0) if instruction execution is attempted.

Always set undefined or reserved bits to the value previously read. WRMSR is used to write the content of Model-Specific Registers that control functions for testability, execution tracing, performance monitoring, and machine check errors. Refer to the Pentium(TM) Processor Data Book for more information. The values 3H, 0FH, and values above 13H are reserved. Do not execute WRMSR with reserved values in ECX.
 * Notes

XADD - Exchange and Add
The XADD instruction loads DEST into SRC, and then loads the sum of DEST and the original value of SRC into DEST.
 * Description

TEMP ← SRC + DEST SRC ← DEST DEST ← TEMP
 * Operation

The CF, PF, AF, SF, ZF, and OF flags are affected as if an ADD instruction had been executed. Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH. Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. This instruction can be used with a LOCK prefix. The Intel386 DX microprocessor does not implement this instruction. If this instruction is used, you should provide an equivalent code sequence that runs on an Intel386 DX processor as well. See the Intel documentation for details on how to detect a particular processor at runtime.
 * Protected Mode Exceptions
 * 1) GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set, #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Notes

XCHG - Exchange Register/Memory with Register

 * Details Table

The XCHG instruction exchanges two operands. The operands can be in either order. If a memory operand is involved, the LOCK# signal is asserted for the duration of the exchange, regardless of the presence or absence of the LOCK prefix or of the value of the IOPL.
 * Description

temp ← DEST DEST ← SRC SRC ← temp
 * Operation

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. XCHG can be used for BSWAP for 16-bit data.
 * Protected Mode Exceptions
 * 1) GP(0) if either operand is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions
 * Virtual 8086 Mode Exceptions
 * Note

XLAT/XLATB - Table Look-up Translation
The XLAT instruction changes the AL register from the table index to the table entry. The AL register should be the unsigned index into a table addressed by the DS:BX register pair (for an address-size attribute of 16 bits) or the DS:EBX register pair (for an address-size attribute of 32 bits ). The operand to the XLAT instruction allows for the possibility of a segment override. The XLAT instruction uses the contents of the BX register even if they differ from the offset of the operand. The offset of the operand should have been moved into the BX or EBX register with a previous instruction. The no-operand form, the XLATB instruction, can be used if the BX or EBX table will always reside in the DS segment.
 * Description

IF AddressSize = 16 THEN AL ← (BX + ZeroExtend(AL)) ELSE (* AddressSize = 32 *) AL ← (EBX + ZeroExtend(AL)); FI;
 * Operation


 * Protected Mode Exceptions
 * 1) GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Real Address Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Virtual 8086 Mode Exceptions

XOR - Logical Exclusive OR
The XOR instruction computes the exclusive OR of the two operands. Each bit of the result is 1 if the corresponding bits of the operands are different; each bit is 0 if the corresponding bits are the same. The answer replaces the first operand.
 * Description

DEST ← LeftSRC XOR RightSRC CF ← 0 OF ← 0
 * Operation

The CF and OF flags are cleared; the SF, ZF, and PF flags are set according to the result; the AF flag is undefined.


 * Protected Mode Exceptions:#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
 * Real Address Mode Exceptions:Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
 * Virtual 8086 Mode Exceptions:Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.