Jump to content

ALP Programming Guide and Reference/Processor Reference

From EDM2
Revision as of 05:52, 31 December 2018 by Ak120 (talk | contribs) (Created page with "This chapter presents an overview of the instruction set and lists the complete instruction set in alphabetical order. For each instruction, the forms are given for each opera...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This chapter presents an overview of the instruction set and lists the complete instruction set in alphabetical order. For each instruction, the forms are given for each operand combination, including object code produced, operands required, execution time, and a description. For each instruction, there is an operational description and a summary of exceptions generated.

Intel Instruction Set Overview

This section contains an introduction to the Intel instruction set and presents the terminology necessary to understand the encoding and operation of each individual instruction.

Operand-Size and Address-Size Attributes

When executing an instruction, the processor can address memory using either 16 or 32-bit addresses. Consequently, each instruction that uses memory addresses has associated with it an address-size attribute of either 16 or 32 bits. The use of 16-bit addresses implies both the use of 16-bit displacements in instructions and the generation of 16-bit address offsets (segment relative addresses) as the result of the effective address calculations. 32-bit addresses imply the use of 32-bit displacements and the generation of 32-bit address offsets. Similarly, an instruction that accesses words (16 bits) or doublewords (32 bits) has an operand-size attribute of either 16 or 32 bits.

The attributes are determined by a combination of defaults, instruction prefixes, and (for programs executing in protected mode) size-specification bits in segment descriptors.

Default Segment Attribute

For programs running in protected mode, the D bit in executable-segment descriptors specifies the default attribute for both address size and operand size. These default attributes apply to the execution of all instructions in the segment. A clear D bit sets the default address size and operand size to 16 bits; a set D bit, to 32 bits.

Programs that execute in real mode or virtual-8086 mode have 16-bit addresses and operands by default.

Operand-Size and Address-Size Instruction Prefixes

The internal encoding of an instruction can include two byte-long prefixes: the address-size prefix, 67H, and the operand-size prefix, 66H. (A later section, "Instruction Format", shows the position of the prefixes in an instruction's encoding.) These prefixes override the default segment attributes for the instruction that follows. The following table shows the effect of each possible combination of defaults and overrides.

Effective Size Attributes
Segment Default D = ... 0 0 0 0 1 1 1 1
Operand-Size Prefix 66H N N Y Y N N Y Y
Address-Size Prefix 67H N Y N Y N Y N Y
Effective Operand Size 16 16 32 32 32 32 16 16
Effective Address Size 16 32 16 32 32 16 32 16
Y = Yes, this instruction prefix is present
N = No, this instruction prefix is not present

Address-Size Attribute for Stack

Instructions that use the stack implicitly (for example: POP EAX) also have a stack address-size attribute of either 16 or 32 bits. Instructions with a stack address-size attribute of 16 use the 16-bit SP stack pointer register; instructions with a stack address-size attribute of 32 bits use the 32-bit ESP register to form the address of the top of the stack.

The stack address-size attribute is controlled by the B bit of the data-segment descriptor in the SS register. A value of zero in the B bit selects a stack address-size attribute of 16; a value of one selects a stack address-size attribute of 32.

Instruction Format

All instruction encodings are subsets of the general instruction format shown in the following figure. Instructions consist of optional instruction prefixes (in any order), one or two primary opcode bytes, possibly an address specifier consisting of the ModR/M byte and the SIB (Scale Index Base) byte, a displacement, if required, and an immediate data field, if required.

Instruction Format
INSTRUCTION PREFIX ADDRESS-SIZE PREFIX OPERAND-SIZE PREFIX SEGMENT OVERRIDE
0 OR 1 0 OR 1 0 OR 1 0 OR 1
NUMBER OF BYTES
OPCODE MODR/M SIB DISPLACEMENT IMMEDIATE
0 OR 1 0 OR 1 0 OR 1 0 OR 1 0 OR 1
NUMBER OF BYTES

Smaller encoding fields can be defined within the primary opcode or opcodes. These fields define the direction of the operation, the size of the displacements, the register encoding, or sign extension; encoding fields vary depending on the class of operation.

Most instructions that can refer to an operand in memory have an addressing form byte following the primary opcode byte(s). This byte, called the ModR/M byte, specifies the address form to be used. Certain encodings of the ModR/M byte indicate a second addressing byte, the SIB (Scale Index Base) byte, which follows the ModR/M byte and is required to fully specify the addressing form.

Addressing forms can include a displacement immediately following either the ModR/M or SIB byte. If a displacement is present, it can be 8-, 16- or 32-bits.

If the instruction specifies an immediate operand, the immediate operand always follows any displacement bytes. The immediate operand, if specified, is always the last field of the instruction.

Zero or one bytes are reserved for each group of prefixes. The prefixes are grouped as follows:

  1. Instruction Prefixes: REP, REPE/REPZ, REPNE/REPNZ, LOCK
  2. Segment Override Prefixes: CS, SS, DS, ES, FS, GS
  3. Operand Size Override
  4. Address Size Override

For each instruction, one prefix may be used from each group. The effect of redundant prefixes (more than one prefix from a group) is undefined and may vary from processor to processor. The prefixes may come in any order.

The following are the allowable instruction prefix codes:

F3H     REP prefix (used only with string instructions)
F3H     REPE/REPZ prefix (used only with string instructions)
F2H     REPNE/REPNZ prefix (used only with string instructions)
F0H     LOCK prefix

The following are the segment override prefixes:

2EH     CS segment override prefix 
36H     SS segment override prefix 
3EH     DS segment override prefix 
26H     ES segment override prefix 
64H     FS segment override prefix 
65H     GS segment override prefix 
66H     Operand-size override 
67H     Address-size override

ModR/M and SIB Bytes

The ModR/M and SIB bytes follow the opcode byte(s) in many of the processor instructions. They contain the following information:

  • The indexing type or register number to be used in the instruction
  • The register to be used, or more information to select the instruction
  • The base, index, and scale information

The ModR/M byte contains three fields of information:

  • The mod field, which occupies the two most significant bits of the byte, combines with the r/m field to form 32 possible values: eight registers and 24 indexing modes.
  • The reg field, which occupies the next three bits following the mod field, specifies either a register number or three more bits of opcode information. The meaning of the reg field is determined by the first (opcode) byte of the instruction.
  • The r/m field, which occupies the three least significant bits of the byte, can specify a register as the location of an operand, or can form part of the addressing-mode encoding in combination with the mod field as described above.

The based indexed forms of 32-bit addressing require the SIB byte. The presence of the SIB byte is indicated by certain encodings of the ModR/M byte. The SIB byte then includes the following fields:

  • The ss field, which occupies the two most significant bits of the byte, specifies the scale factor.
  • The index field, which occupies the next three bits following the ss field and specifies the register number of the index register.
  • The base field, which occupies the three least significant bits of the byte, specifies the register number of the base register.

ModR/M and SIB Byte Formats

                 MODR/M BYTE
    7     6    5     4     3   2    1     0
  ┌──────────┬────────────────┬──────────────┐
  │  MOD     │   REG/OPCODE   │     R/M      │
  └──────────┴────────────────┴──────────────┘

           SIB (SCALE INDEX BASE) BYTE
    7     6    5     4     3   2    1     0
  ┌──────────┬────────────────┬──────────────┐
  │    SS    │     INDEX      │     BASE     │
  └──────────┴────────────────┴──────────────┘
16-Bit Addressing Forms with the ModR/M Byte
r8(/r)
r16(/r)
r32(/r)
/digit (Opcode)
REG =
AL
AX
EAX
0
000
CL
CX
ECX
1
001
DL
DX
EDX
2
010
BL
BX
EBX
3
011
AH
SP
ESP
4
100
CH
BP
EBP
5
101
DH
SI
ESI
6
110
BH
DI
EDI
7
111
Effective Address MOD R/M MODR/M Values in Hexadecimal
[BX+SI] 00 000 00 08 10 18 20 28 30 38
[BX+DI] 001 01 09 11 19 21 29 31 39
[BP+SI] 010 02 0A 12 1A 22 2A 32 3A
[BP+DI] 011 03 0B 13 1B 23 2B 33 3B
[SI] 100 04 0C 14 1C 24 2C 34 3C
[DI] 101 05 0D 15 1D 25 2D 35 3D
disp16 110 06 0E 16 1E 26 2E 36 3E
[BX] 111 07 0F 17 1F 27 2F 37 3F
[BX+SI]+disp8 01 000 40 48 50 58 60 68 70 78
[BX+DI]+disp8 001 41 49 51 59 61 69 71 79
[BP+SI]+disp8 010 42 4A 52 5A 62 6A 72 7A
[BP+DI]+disp8 011 43 4B 53 5B 63 6B 73 7B
[SI]+disp8 100 44 4C 54 5C 64 6C 74 7C
[DI]+disp8 101 45 4D 55 5D 65 6D 75 7D
[BP]+disp8 110 46 4E 56 5E 66 6E 76 7E
[BX]+disp8 111 47 4F 57 5F 67 6F 77 7F
[BX+SI]+disp16 10 000 80 88 90 98 A0 A8 B0 B8
[BX+DI]+disp16 001 81 89 91 99 A1 A9 B1 B9
[BP+SI]+disp16 010 82 8A 92 9A A2 AA B2 BA
[BP+DI]+disp16 011 83 8B 93 9B A3 AB B3 BB
[SI]+disp16 100 84 8C 94 9C A4 AC B4 BC
[DI]+disp16 101 85 8D 95 9D A5 AD B5 BD
[BP]+disp16 110 86 8E 96 9E A6 AE B6 BE
[BX]+disp16 111 87 8F 97 9F A7 AF B7 BF
EAX/AX/AL 11 000 C0 C8 D0 D8 E0 E8 F0 F8
ECX/CX/CL 001 C1 C9 D1 D9 E1 E9 F1 F9
EDX/DX/DL 010 C2 CA D2 DA E2 EA F2 FA
EBX/BX/BL 011 C3 CB D3 DB E3 EB F3 FB
ESP/SP/AH 100 C4 CC D4 DC E4 EC F4 FC
EBP/BP/CH 101 C5 CD D5 DD E5 ED F5 FD
ESI/SI/DH 110 C6 CE D6 DE E6 EE F6 FE
EDI/DI/BH 111 C7 CF D7 DF E7 EF F7 FF

Notes:

  1. disp8 denotes an 8-bit displacement following the ModR/M byte, to be sign-extended and added to the index.
  2. disp16 denotes a 16-bit displacement following the ModR/M byte, to be added to the index. Default segment register is SS for the effective addresses containing a BP index, DS for other effective addresses.
32-Bit Addressing Forms with the ModR/M Byte
r8(/r)
r16(/r)
r32(/r)
/digit (Opcode)
REG =
AL
AX
EAX
0
000
CL
CX
ECX
1
001
DL
DX
EDX
2
010
BL
BX
EBX
3
011
AH
SP
ESP
4
100
CH
BP
EBP
5
101
DH
SI
ESI
6
110
BH
DI
EDI
7
111
Effective Address MOD R/M MODR/M Values in Hexadecimal
[EAX]         | 00  |  000  | 00  | 08  | 10  | 18  | 20  | 28  | 30  | 38
[ECX]         |     |  001  | 01  | 09  | 11  | 19  | 21  | 29  | 31  | 39
[EDX]         |     |  010  | 02  | 0A  | 12  | 1A  | 22  | 2A  | 32  | 3A
[EBX]         |     |  011  | 03  | 0B  | 13  | 1B  | 23  | 2B  | 33  | 3B
[--][--]      |     |  100  | 04  | 0C  | 14  | 1C  | 24  | 2C  | 34  | 3C
disp32        |     |  101  | 05  | 0D  | 15  | 1D  | 25  | 2D  | 35  | 3D
[ESI]         |     |  110  | 06  | 0E  | 16  | 1E  | 26  | 2E  | 36  | 3E
[EDI]         |     |  111  | 07  | 0F  | 17  | 1F  | 27  | 2F  | 37  | 3F
disp8[EAX]    | 01  |  000  | 40  | 48  | 50  | 58  | 60  | 68  | 70  | 78
disp8[ECX]    |     |  001  | 41  | 49  | 51  | 59  | 61  | 69  | 71  | 79
disp8[EDX]    |     |  010  | 42  | 4A  | 52  | 5A  | 62  | 6A  | 72  | 7A
disp8[EBX]    |     |  011  | 43  | 4B  | 53  | 5B  | 63  | 6B  | 73  | 7B
disp8[--][--] |     |  100  | 44  | 4C  | 54  | 5C  | 64  | 6C  | 74  | 7C
disp8[EBP]    |     |  101  | 45  | 4D  | 55  | 5D  | 65  | 6D  | 75  | 7D
disp8[ESI]    |     |  110  | 46  | 4E  | 56  | 5E  | 66  | 6E  | 76  | 7E
disp8[EDI]    |     |  111  | 47  | 4F  | 57  | 5F  | 67  | 6F  | 77  | 7F
disp32[EAX]   | 10  |  000  | 80  | 88  | 90  | 98  | A0  | A8  | B0  | B8
disp32[ECX]   |     |  001  | 81  | 89  | 91  | 99  | A1  | A9  | B1  | B9
disp32[EDX]   |     |  010  | 82  | 8A  | 92  | 9A  | A2  | AA  | B2  | BA
disp32[EBX]   |     |  011  | 83  | 8B  | 93  | 9B  | A3  | AB  | B3  | BB
disp32[--][--]|     |  100  | 84  | 8C  | 94  | 9C  | A4  | AC  | B4  | BC
disp32[EBP]   |     |  101  | 85  | 8D  | 95  | 9D  | A5  | AD  | B5  | BD
disp32[ESI]   |     |  110  | 86  | 8E  | 96  | 9E  | A6  | AE  | B6  | BE
disp32[EDI]   |     |  111  | 87  | 8F  | 97  | 9F  | A7  | AF  | B7  | BF
EAX/AX/AL     | 11  |  000  | C0  | C8  | D0  | D8  | E0  | E8  | F0  | F8
ECX/CX/CL     |     |  001  | C1  | C9  | D1  | D9  | E1  | E9  | F1  | F9
EDX/DX/DL     |     |  010  | C2  | CA  | D2  | DA  | E2  | EA  | F2  | FA
EBX/BX/BL     |     |  011  | C3  | CB  | D3  | DB  | E3  | EB  | F3  | FB
ESP/SP/AH     |     |  100  | C4  | CC  | D4  | DC  | E4  | EC  | F4  | FC
EBP/BP/CH     |     |  101  | C5  | CD  | D5  | DD  | E5  | ED  | F5  | FD
ESI/SI/DH     |     |  110  | C6  | CE  | D6  | DE  | E6  | EE  | F6  | FE
EDI/DI/BH     |     |  111  | C7  | CF  | D7  | DF  | E7  | EF  | F7  | FF

Notes:

  1. [--][--] means a SIB follows the ModR/M byte.
  2. disp8 denotes an 8-bit displacement following the SIB byte, to be sign-extended and added to the index.
  3. disp32 denotes a 32-bit displacement following the SIB byte, to be added to the index.
32-Bit Addressing Forms with the SIB Byte
r32 EAX ECX EDX EBX ESP [*] ESI EDI
Base = 0 1 2 3 4 5 6 7
Base = 000 001 010 011 100 101 110 111
Scaled Index SS Index SIB Values in Hexadecimal
[EAX] 00 000 00 01 02 03 04 05 06 07
[ECX] 001 08 09 0A 0B 0C 0D 0E 0F
[EDX] 010 10 11 12 13 14 15 16 17
[EBX] 011 18 19 1A 1B 1C 1D 1E 1F
none 100 20 21 22 23 24 25 26 27
[EBP] 101 28 29 2A 2B 2C 2D 2E 2F
[ESI] 110 30 31 32 33 34 35 36 37
[EDI] 111 38 39 3A 3B 3C 3D 3E 3F
[EAX*2] 01 000 40 41 42 43 44 45 46 47
[ECX*2] 001 48 49 4A 4B 4C 4D 4E 4F
[EDX*2] 010 50 51 52 53 54 55 56 57
[EBX*2] 011 58 59 5A 5B 5C 5D 5E 5F
none 100 60 61 62 63 64 65 66 67
[EBP*2] 101 68 69 6A 6B 6C 6D 6E 6F
[ESI*2] 110 70 71 72 73 74 75 76 77
[EDI*2] 111 78 79 7A 7B 7C 7D 7E 7F
[EAX*4] 10 000 80 81 82 83 84 85 86 87
[ECX*4] 001 88 89 8A 8B 8C 8D 8E 8F
[EDX*4] 010 90 91 92 93 94 95 96 97
[EBX*4] 011 98 89 9A 9B 9C 9D 9E 9F
none 100 A0 A1 A2 A3 A4 A5 A6 A7
[EBP*4] 101 A8 A9 AA AB AC AD AE AF
[ESI*4] 110 B0 B1 B2 B3 B4 B5 B6 B7
[EDI*4] 111 B8 B9 BA BB BC BD BE BF
[EAX*8] 11 000 C0 C1 C2 C3 C4 C5 C6 C7
[ECX*8] 001 C8 C9 CA CB CC CD CE CF
[EDX*8] 010 D0 D1 D2 D3 D4 D5 D6 D7
[EBX*8] 011 D8 D9 DA DB DC DD DE DF
none 100 E0 E1 E2 E3 E4 E5 E6 E7
[EBP*8] 101 E8 E9 EA EB EC ED EE EF
[ESI*8] 110 F0 F1 F2 F3 F4 F5 F6 F7
[EDI*8] 111 F8 F9 FA FB FC FD FE FF

Notes: [*] means a disp32 with no base if MOD is 00, [EBP] otherwise. This provides the following addressing modes:

disp32[index]           (MOD=00)
disp8[EBP][index]       (MOD=01)
disp32[EBP][index]      (MOD=10)

How to Read the Instruction Set Pages

The following sections describe how to interpret the description pages for each instruction listed in the Intel Instruction Set section. Each instruction family is introduced by a descriptive heading such as the following:

CMC-Complement Carry Flag

Each instruction family may be accompanied by descriptive sections labeled as follows: Details Table, Operation, Flags Affected, Protected Mode Exceptions, Real Address Mode Exceptions, Virtual-8086 Mode Exceptions, and optionally, a Notes section. The following sections explain the notational conventions and abbreviations used in these paragraphs of the instruction descriptions.

Details Table

For each instruction family, a table is given to list the details of each individual instruction. The following is an example of this table:

Encoding Instruction 0 1 2 3 4 5 Description
F5 CMC 2 2 2 2 2 2 Complement carry flag

The Encoding, Instruction, and Description columns are described in the following sections. The columns labeled 0, 1, 2, 3, 4, and 5 are collectively described in the Clocks section. A timing entry appearing in one of these columns is an indication that the associated processor implements that particular instruction variation. The column names are abbreviated, and are described as follows:

0 The 8088/8086/8087 Processor Family
1 The 80186/8087 Processor Family
2 The 80286/80287 Processor Family
3 The 80386/80387 Processor Family
4 The 80486 Processor Family
5 The Pentium Processor Family
Encoding Column

The "Encoding" column gives the complete object code produced for each form of the instruction. When possible, the codes are given as hexadecimal bytes, in the same order in which they appear in memory. Definitions of entries other than hexadecimal bytes are as follows:

  • /digit: (digit is between 0 and 7) indicates that the ModR/M byte of the instruction uses only the r/m (register or memory) operand. The reg field contains the digit that provides an extension to the instruction's opcode.
  • /r: indicates that the ModR/M byte of the instruction contains both a register operand and an r/m operand.
  • cb, cw, cd, cp: a 1-byte (cb), 2-byte (cw), 4-byte (cd) or 6-byte (cp) value following the opcode that is used to specify a code offset and possibly a new value for the code segment register.
  • ib, iw, id: a 1-byte (ib), 2-byte (iw), or 4-byte (id) immediate operand to the instruction that follows the opcode, ModR/M bytes or scale-indexing bytes. The opcode determines if the operand is a signed value. All words and doublewords are given with the low-order byte first.
  • +rb, +rw, +rd: a register code, from 0 through 7, added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte. The codes are:
rb rw rd
AL = 0 AX = 0 EAX = 0
CL = 1 CX = 1 ECX = 1
DL = 2 DX = 2 EDX = 2
BL = 3 BX = 3 EBX = 3
AH = 4 SP = 4 ESP = 4
CH = 5 BP = 5 EBP = 5
DH = 6 SI = 6 ESI = 6
BH = 7 DI = 7 EDI = 7
  • +i: used in floating-point instructions when one of the operands is ST(i) from the FPU register stack. The number i (which can range from 0 to 7) is added to the hexadecimal byte given at the left of the plus sign to form a single opcode byte.
Instruction Column

The "Instruction" column gives the syntax of the instruction statement as it would appear in an assembler program. The following is a list of the symbols used to represent operands in the instruction statements:

rel8

A relative address in the range from 128 bytes before the end of the instruction to 127 bytes after the end of the instruction.

rel16

A relative address in the range from 32768 bytes before the end of the instruction to 32767 bytes after the end of the instruction. Applies to instructions with an operand-size attribute of 16 bits, and must be within the same code segment as the instruction assembled.

rel32

A relative address in the range from 2147483648 bytes before the end of the instruction to 2147483647 bytes after the end of the instruction. Applies to instructions with an operand-size attribute of 32 bits, and must be within the same code segment as the instruction assembled.

ptr16
16

A far pointer, typically in a code segment different from that of the instruction. The notation 16:16 indicates that the value of the pointer has two parts. The value to the left of the colon is a 16-bit selector or value destined for the code segment register. The value to the right reflects the operand-size attribute of the instruction (16 bits) and corresponds to the offset within the destination segment.

ptr16
32

A far pointer, typically in a code segment different from that of the instruction. The notation 16:32 indicates that the value of the pointer has two parts. The value to the left of the colon is a 16-bit selector or value destined for the code segment register. The value to the right reflects the operand-size attribute of the instruction (32 bits) and corresponds to the offset within the destination segment.

r8

One of the byte registers AL, CL, DL, BL, AH, CH, DH, or BH.

r16

One of the word registers AX, CX, DX, BX, SP, BP, SI, or DI.

r32

One of the doubleword registers EAX, ECX, EDX, EBX, ESP, EBP, ESI, or EDI.

imm8

An immediate byte value. imm8 is a signed number between -128 and +127 inclusive. For instructions in which imm8 is combined with a word or doubleword operand, the immediate value is sign-extended to form a word or doubleword. The upper byte of the word is filled with the topmost bit of the immediate value.

imm16

An immediate word value used for instructions whose operand-size attribute is 16 bits. This is a number between -32768 and +32767 inclusive.

imm32

An immediate doubleword value used for instructions whose operand-size attribute is 32-bits. It allows the use of a number between +2147483647 and -2147483648 inclusive.

r/m8

A one-byte operand that is either the contents of a byte register (AL, BL, CL, DL, AH, BH, CH, DH), or a byte from memory.

r/m16

A word register or memory operand used for instructions whose operand-size attribute is 16 bits. The word registers are: AX, BX, CX, DX, SP, BP, SI, DI. The contents of memory are found at the address provided by the effective address computation.

r/m32

A doubleword register or memory operand used for instructions whose operand-size attribute is 32-bits. The doubleword registers are: EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI. The contents of memory are found at the address provided by the effective address computation.

r/m64

A quadword register or memory operand used for instructions whose operand- size attribute is 64-bits. The reg/opcode field represents the opcode. The contents of memory are found at the address provided by the effective address computation.

m

A 16 or 32-bit memory operand.

m8

A memory byte addressed by DS:[E]SI or ES:[E]DI (used only by string instructions).

m16

A memory word addressed by DS:[E]SI or ES:[E]DI (used only by string instructions).

m32

A memory doubleword addressed by DS:[E]SI or ES:[E]DI (used only by string instructions).

m16
16

A memory operand containing a far pointer composed of two numbers. The number to the left of the colon corresponds to the pointer's segment selector. The number to the right corresponds to its offset.

m16
32

A memory operand containing a far pointer composed of two numbers. The number to the left of the colon corresponds to the pointer's segment selector. The number to the right corresponds to its offset.

m16&16

A memory operand consisting of data item pairs whose sizes are indicated on the left and the right side of the ampersand. All memory addressing modes are allowed. Used by the BOUND instruction to provide an operand containing an upper and lower bounds for array indices.

m16&32

A memory operand consisting of data item pairs whose sizes are indicated on the left and the right side of the ampersand. All memory addressing modes are allowed. Used by the by LIDT and LGDT to provide a word with which to load the limit field, and a doubleword with which to load the base field of the corresponding Global and Interrupt Descriptor Table Registers.

m32&32

A memory operand consisting of data item pairs whose sizes are indicated on the left and the right side of the ampersand. All memory addressing modes are allowed. Used by the BOUND instruction to provide an operand containing an upper and lower bounds for array indices.

moffs8

The memory offset of a BYTE variable used in some variants of the MOV instruction. The actual address is given by a simple offset relative to the segment base. No ModR/M byte is used in the instruction. The address- size attribute of the instruction determines the size of the offset data.

moffs16

The memory offset of a WORD variable used in some variants of the MOV instruction. The actual address is given by a simple offset relative to the segment base. No ModR/M byte is used in the instruction. The address- size attribute of the instruction determines the size of the offset data.

moffs32

The memory offset of a DWORD variable used in some variants of the MOV instruction. The actual address is given by a simple offset relative to the segment base. No ModR/M byte is used in the instruction. The address- size attribute of the instruction determines the size of the offset data.

Sreg

A segment register. The segment register bit assignments are ES=0, CS=1, SS=2, DS=3, FS=4, and GS=5.

m32real

A single-precision floating-point operand in memory.

m64real

A double-precision floating-point operand in memory.

m80real

An extended-precision floating-point operand in memory.

m80bcd

A 80 byte binary-coded decimal operand in memory.

m16int

A word integer operand in memory. Used in some floating-point instructions.

m32int

A short integer operand in memory. Used in some floating-point instructions.

m64int

A long integer operand in memory. Used in some floating-point instructions.

m14byte

A 14-byte floating-point operand in memory.

m28byte

A 28-byte floating-point operand in memory.

m94byte

A 94-byte floating-point operand in memory.

m108byte

A 108-byte floating-point operand in memory.

ST or ST(0)

Top element of the FPU register stack.

ST(i)

ith element from the top of the FPU register stack. (i=0..7)

Clocks Columns

Each "Clocks" column gives the approximate number of clock cycles the instruction takes to execute on that particular processor. The clock count calculations makes the following assumptions:

  • Data and instruction accesses hit in the cache.
  • The target of a jump instruction is in the cache.
  • No invalidate cycles contend with the instruction for use of the cache.
  • Page translation hits in the TLB.
  • Memory operands are aligned.
  • Effective address calculations use a base register which is not the destination register of the preceding instruction.
  • No exceptions are detected during execution.
  • There are no write-buffer delays.

The following symbols are used in the clock count specifications:

  • n, which represents a number of repetitions.
  • m, which represents the number of components in the next instruction executed, where the entire displacement (if any) counts as one component, the entire immediate data (if any) counts as one component, and every other byte of the instruction and prefix(es) each counts as one component.
  • pm:, a clock count that applies when the instruction executes in Protected Mode. pm: is not given when the clock counts are the same for Protected and Real Address Modes.

When an exception occurs during the execution of an instruction and the exception handler is in another task, the instruction execution time is increased by the number of clocks to effect a task switch. This parameter depends on several factors:

  • The type of TSS used to represent the new task (32 bit TSS or 16 bit TSS).
  • Whether the current task is in V86 mode.
  • Whether the new task is in V86 mode.
  • Whether accesses hit in the cache.
  • Whether a task gate on an interrupt/trap gate is used.

The following table summarizes the task switch times for exceptions, assuming cache hits and the use of task gates.

Task Switch Times for Exceptions

OLD TASK NEW TASK
TO 32 BIT TSS TO 16 BIT TSS TO VM TSS
VM/32 bit/16 bit TSS 85 87 71
Description Column

The "Description" column following the "Clocks" columns briefly explains the various forms of the instruction. The "Operation" and "Description" sections contain more details of the instruction's operation.

Description

The "Description" section contains further explanation of the instruction's operation.

Operation

The "Operation" section contains an algorithmic description of the instruction which uses a notation similar to the Algol or Pascal language. The algorithms are composed of the following elements:

  • Comments are enclosed within the symbol pairs "(*" and "*)".
  • Compound statements are enclosed between the keywords of the "if" statement (IF, THEN, ELSE, FI) or of the "do" statement (DO, OD), or of the "case" statement (CASE ... OF, ESAC).
  • Execution continues until the END statement is encountered.
  • A register name implies the contents of the register. A register name enclosed in brackets implies the contents of the location whose address is contained in that register. For example, ES:[DI] indicates the contents of the location whose ES segment relative address is in register DI. [SI] indicates the contents of the address contained in register SI relative to SI's default segment (DS) or overridden segment.
  • Brackets are also used for memory operands, where they mean that the contents of the memory location is a segment-relative offset. For example, [SRC] indicates that the contents of the source operand is a segment- relative offset.
  • A ← B; indicates that the value of B is assigned to A.
  • The symbols =, <>, ò, and ó are relational operators used to compare two values, meaning equal, not equal, greater or equal, less or equal, respectively. A relational expression such as A = B is TRUE if the value of A is equal to B; otherwise it is FALSE.
  • A * B indicates that the value of A is multiplied by the value of B.

The following identifiers are used in the algorithmic descriptions:

  • OperandSize represents the operand-size attribute of the instruction, which is either 16 or 32 bits. AddressSize represents the address-size attribute, which is either 16 or 32 bits. For example,
IF instruction = CMPSW
THEN OperandSize ← 16;
ELSE 
  IF instruction = CMPSD 
  THEN OperandSize ← 32;
  FI;
FI;

indicates that the operand-size attribute depends on the form of the CMPS instruction used. Refer to the explanation of address-size and operand-size attributes at the beginning of this chapter for general guidelines on how these attributes are determined.

  • StackAddrSize represents the stack address-size attribute associated with the instruction, which has a value of 16 or 32 bits, as explained earlier in the chapter.
  • SRC represents the source operand. When there are two operands, SRC is the one on the right.
  • DEST represents the destination operand. When there are two operands, DEST is the one on the left.
  • LeftSRC, RightSRC distinguishes between two operands when both are source operands.
  • eSP represents either the SP register or the ESP register depending on the setting of the B-bit for the current stack segment.

The following functions are used in the algorithmic descriptions:

  • Truncate to 16 bits(value) reduces the size of the value to fit in 16 bits by discarding the uppermost bits as needed.
  • Addr(operand) returns the effective address of the operand (the result of the effective address calculation prior to adding the segment base).
  • ZeroExtend(value) returns a value zero-extended to the operand-size attribute of the instruction. For example, if OperandSize = 32, ZeroExtend of a byte value of -10 converts the byte from F6H to doubleword with hexadecimal value 000000F6H. If the value passed to ZeroExtend and the operand-size attribute are the same size, ZeroExtend returns the value unaltered.
  • SignExtend(value) returns a value sign-extended to the operand-size attribute of the instruction. For example, if OperandSize = 32, SignExtend of a byte containing the value -10 converts the byte from F6H to a doubleword with hexadecimal value FFFFFFF6H. If the value passed to SignExtend and the operand-size attribute are the same size, SignExtend returns the value unaltered.
  • Push(value) pushes a value onto the stack. The number of bytes pushed is determined by the operand-size attribute of the instruction. The action of Push is as follows:
IF StackAddrSize = 16 
THEN 
  IF OperandSize = 16 
  THEN
     SP ← SP -2;
     SS:[SP] ← value; (* 2 bytes assigned starting at byte address in SP *)
  ELSE (* OperandSize = 32 *)
     SP ← SP -4;
     SS:[SP] ← value; (* 4 bytes assigned starting at byte address in SP *)
  FI;
ELSE (* StackAddrSize = 32 *)
  IF OperandSize = 16 
  THEN
  ESP ← ESP -2;
     SS:[ESP] ← value; (* 2 bytes assigned starting at byte address in ESP*)
  ELSE (* OperandSize = 32 *)
     ESP ← ESP -4;
     SS:[ESP] ← value; (* 4 bytes assigned starting at byte address in ESP*)
  FI;
FI;
  • Pop(value) removes the value from the top of the stack and returns it. The statement EAX ← Pop( ); assigns to EAX the 32-bit value that Pop took from the top of the stack. Pop will return either a word or a doubleword depending on the operand-size attribute. The action of Pop is as follows:
IF StackAddrSize = 16 
THEN 
  IF OperandSize = 16 
  THEN
     ret val ← SS:[SP]; (* 2-byte value *)
     SP ← SP + 2;
  ELSE (* OperandSize = 32 *)
     ret val ← SS:[SP]; (* 4-byte value *)
     SP ← SP + 4;
  FI;
ELSE (* StackAddrSize = 32 *)
  IF OperandSize = 16 
  THEN
     ret val ← SS:[ESP]; (* 2 byte value *)
     ESP ← ESP + 2;
  ELSE (* OperandSize = 32 *)
     ret val ← SS:[ESP]; (* 4 byte value *)
     ESP ← ESP + 4;
  FI;
FI;
RETURN(ret val); (*returns a word or doubleword*)

Pop ST is used on floating-point instruction pages to mean pop the FPU register stack.

  • Bit[BitBase, BitOffset] returns the value of a bit within a bit string, which is a sequence of bits in memory or a register. Bits are numbered from low-order to high-order within registers and within memory bytes. In memory, the two bytes of a word are stored with the low-order byte at the lower address.

If the base operand is a register, the offset can be in the range 0..31. This offset addresses a bit within the indicated register. An example, 'BIT [EAX, 21]' is illustrated in the following figure.

Bit Offset for BIT[EAX,21]

  31            21                            0
┌──────────────┬──┬────────────────────────────┐
└──────────────┴──┴────────────────────────────┘
                 ↑                             ↑
                 │                             │
                 └────────BITOFFSET=21─────────┘

If BitBase is a memory address, BitOffset can range from -2 gigabits to 2 gigabits. The addressed bit is numbered (Offset MOD 8) within the byte at address (BitBase + (BitOffset DIV 8)), where DIV is signed division with rounding towards negative infinity, and MOD returns a positive number. This is illustrated in the following figure.

Memory Bit Indexing

 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
 ┌──┬──┬────────┬────────────────┬──────────────┐
 └──┴──┴────────┴────────────────┴──────────────┘
 │  BITBASE+1   │    BITBASE     │   BITBASE-1  │
     ↑                           │
     └──────OFFSET=+13───────────┘

 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
 ┌──────────────┬────────────────┬──────────────┐
 └──────────────┴────────────────┴──────────────┘
 │  BITBASE     │   BITBASE-1    │   BITBASE-2  │
                │                      ↑
                └─────OFFSET=-11───────┘
  • I-O-Permission(I-O-Address, width) returns TRUE or FALSE depending on the I/O permission bitmap and other factors. This function is defined as follows:
IF TSS type is 16-bit THEN RETURN FALSE; FI;
Ptr← [TSS+66]; (* fetch bitmap pointer *)
BitStringAddr ← SHR (I-O-Address, 3) + Ptr;
MaskShift ← I-O-Address AND 7;
CASE width OF:
 BYTE: nBitMask ← 1;
 WORD: nBitMask ← 3;
 DWORD: nBitMask ← 15;
ESAC;
mask ← SHL (nBitMask, MaskShift);
CheckString ← [BitStringAddr] AND mask;
IF CheckString = 0 
THEN RETURN (TRUE);
ELSE RETURN (FALSE);
FI;
  • Switch-Tasks is described in detail in the Intel documentation.
Flags Affected

Pages describing basic instructions have a "Flags Affected" section the contains a flags information table similar to the following:

OF DF IF SF ZF AF PF CF
0 * * ? * 0

The first row of the table lists the mnemonic identifiers for the various flags. The entries in the second row are filled in according to how the flag is affected by the instruction:

VALUE MEANING
<blank> Instruction does not affect flag
0 Instruction clears the flag
1 Instruction sets the flag
? Instruction's effect on the flag is undefined
* Instruction modifies the flag (either sets or clears depending on operands)

The following table lists the mnemonic identifier, full name, and purpose of the flags that are applicable to all processor families and that are most commonly used from within application-level programs. Not all flags are included in this table; see the Intel documentation for a more complete description of flag usage from within systems-level programs.

MNEMONIC FLAG NAME PURPOSE
OF Overflow Result exceeds positive or negative limit of number range
DF Direction Setting the DF flag causes string instructions to auto-decrement, that is, to process strings from high addresses. Clearing the DF flag causes string instructions to auto-increment, or to process strings from low addresses to high addresses.
IF Interrupt Enable Controls the acceptance of external interrupts signalled via the INTR pin.
SF Sign Result is negative (less than zero)
ZF Zero Result is zero
AF Auxiliary carry Carry out of bit position 3 (used for BCD)
PF Parity Low byte of result has even parity (even number of set bits)
CF Carry Carry out of most significant bit of result

The flags information table is usually followed by a paragraph description of how the flags are affected:

  • If a flag is always cleared or always set by the instruction, the value is given (0 or 1) after the flag name. Arithmetic and logical instructions usually assign values to the status flags in a uniform manner. Nonconventional assignments are described in the Operation section.
  • The values of flags listed as "undefined" may be changed by the instruction in an indeterminate manner.

All flags not listed are unchanged by the instruction.

FPU Flags Affected

The floating-point instruction pages have a section called "FPU Flags Affected," which tells how each instruction can affect the four condition code bits of the FPU status word. These pages contain a condition code information table similar to the following:

C0 C1 C2 C3
? * ? ?

The first row of the table lists the names of the floating-point condition code flags. The entries in the second row are filled in according to how the flag is affected by the instruction:

VALUE MEANING
<blank> Instruction does not affect flag
0 Instruction clears the flag
1 Instruction sets the flag
? Instruction's effect on the flag is undefined
* Instruction modifies the flag (either sets or clears depending on operands)

The four FPU condition code bits (C0, C1, C2, and C3) are similar to the flags in a CPU; the processor updates these bits to reflect the outcome of arithmetic operations. The effect of these instructions on the condition code bits is summarized in the following table:

Condition Code Interpretation
INSTRUCTION C0 C3 C2 C1
FCOM, FCOMP, FCOMPP, FTST, FUCOMPP, FICOM, FICOMP Result of Comparison Operands is not Comparable Zero or O/U#
FXAM Operand class Sign or O/U#
FPREM, FPREM1 Q2 Q1 0=reduction complete

1=reduction incomplete

Q0 or O/U#
FIST, FBSTP, FRINDINT, FST, FSTP, FADD, FMUL, FDIV, FDIVR, FSUB, FSUBR, FSCALE, FSQRT, FPATAN, F2XM1, FYL2X, FYL2XP1 UNDEFINED Roundup or O/U#
FPTAN, FSIN, FCOS, FSINCOS UNDEFINED 0=reduction complete

1=reduction incomplete

Roundup or O/U#

(UNDEFINED if C2=1)

FCHS, FABS, FXCH, FINCSTP, FDECSTP, Constant Loads, FXTRACT, FLD, FILD, FBLD, FSTP (ext. real) UNDEFINED Zero or O/U#
FLDENV, FRSTOR Each bit loaded from memory
FLDCW, FSTENV, FSTCW, FSTSW, FCLEX UNDEFINED
FINIT, FSAVE Zero Zero Zero Zero

NOTES: O/U# When both IE and SF bits of status word are set, this bit distinguishes between stack overflow (C1=1) and underflow (C1=0).

Reduction If FPREM and FPREM1 produces a remainder that is less than the modulus, reduction is complete. When reduction is incomplete the value at the top of the stack is a parial remainder, which can be used as input to further reduction. For FPTAN, FSIN, FCOS and FSINCOS, the reduction bit is set if the operand at the top of the stack is too large. In this case, the original operand remains at the top of the stack.

Roundup When the PE bit of the status word is set, this bit indicates whether the last rounding in the instruction was upward.

UNDEFINED Do not rely on any specific value in these bits.

The condition code bits are used primarily for conditional branching. The FSTSW AX instruction stores the FPU status word directly into the AX register, allowing these condition codes to be inspected efficiently. The SAHF instruction can copy C3 - C0 directly to the CPU's flag bits to simplify conditional branching. The following table shows the mapping of these bits to the CPU flag bits.

FPU FLAG IU FLAG
C0 CF
C1 (None)
C2 PF
C3 ZF
Numeric Exceptions

For floating-point instruction pages, this section lists the exception flags of the FPU status word that each instruction can set. Exceptions are listed in abbreviated form, and are defined as follows:

IS Invalid operand due to stack overflow/underflow
I Invalid operand due to other cause
D Denormalized operand
Z Divide by zero
O Numeric overflow
U Numeric underflow
P Inexact result (precision)
Protected Mode Exceptions

This section lists the exceptions that can occur when the instruction is executed in protected mode. The exception names are a pound sign (#) followed by two letters and an optional error code in parentheses. For example, #GP(0) denotes a general protection exception with an error code of 0. The following table associates each two-letter name with the corresponding interrupt number.

Exceptions
MNEMONIC INTERRUPT DESCRIPTION
#UD 6 Invalid opcode
#NM 7 Device not available
#DF 8 Double fault
#TS 10 Invalid TSS
#NP 11 Segment or gate not present
#SS 12 Stack fault
#GP 13 General protection fault
#PF 14 Page fault
#MF 16 Floating-point error
#AC 17 Alignment check

Refer to the Intel documentation for a description of the exceptions and the processor state upon entry to the exception. Application programmers should consult the documentation provided with their operating systems to determine the actions taken when exceptions occur.

Real Address Mode Exceptions

Because less error checking is performed by the processor in Real Address Mode, this mode has fewer exception conditions. Refer to the Intel documentation for further information on these exceptions.

Virtual-8086 Mode Exceptions

Virtual 8086 tasks provide the ability to simulate Virtual 8086 machines. Virtual 8086 Mode exceptions are similar to those for the 8086 processor, but there are some differences. Refer to the Intel documentation for complete information on Virtual Mode exceptions.

Intel Instruction Set

The following section describes the individual processor instructions in detail.

Protected Mode Exceptions

None

Real Address Mode Exceptions

None

Virtual 8086 Mode Exceptions

None

Flags Affected
OF DF IF SF ZF AF PF CF

None

FPU Flags Affected
C0 C1 C2 C3
? * ? ?

C1 as described in FPU Flags Affected; C0, C2, C3 undefined.

FPU Flags Affected
C0 C1 C2 C3
? ? ? ?

C0, C1, C2, C3 undefined.

FPU Flags Affected
C0 C1 C2 C3
* * * *

C0, C1, C2, C3 as described in FPU Flags Affected.

FPU Flags Affected
C0 C1 C2 C3
* * * *

C0, C1, C2, C3 as loaded.

AAA - ASCII Adjust after Addition

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
37 AAA X X X X X X ASCII adjust AL after addition
Description

Run the AAA instruction only following an ADD instruction that leaves a byte result in the AL register. The lower nibbles of the operands of the ADD instruction should be in the range 0 through 9 (BCD digits). In this case, the AAA instruction adjusts the AL register to contain the correct decimal digit result. If the addition produced a decimal carry, the AH register is incremented, and the CF and AF flags are set. If this same addition also produced FH in the upper nibble of AL then AH is incremented again. If there was no decimal carry, the CF and AF flags are cleared and the AH register is unchanged. In either case, the AL register is left with its top nibble set to 0. To convert the AL register to an ASCII result, follow the AAA instruction with OR AL, 30H.

Operation
ALcarry ← AL > 0F9H; (* 1 if true *)
IF ((AL AND 0FH) > 9) OR (AF = 1)
THEN 
   AL ← (AL + 6) AND 0FH;
   AH ← AH + 1 + ALcarry;
   AF ← 1;
   CF ← 1;
ELSE 
   AF ← 0;
   CF ← 0;
   AL ← AL AND 0FH;
FI;
Flags Affected
OF DF IF SF ZF AF PF CF
? ? ? * ? *

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal carry; the OF, SF, ZF, and PF flags are undefined.

AAD - ASCII Adjust AX before Division

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D5 0A AAD X X X X X X ASCII adjust before division
Description

The AAD instruction is used to prepare two unpacked BCD digits (the least-significant digit in the AL register, the most-significant digit in the AH register) for a division operation that will yield an unpacked result. This is accomplished by setting the AL register to AL+ (second byte of opcode * AH), and then clearing the AH register. The AX register is then equal to the binary equivalent of the original unpacked two-digit number.

Operation
regAL = AL;
regAH = AH;
AL ← (regAH * imm8 + regAL) AND OFFH;
AH ← 0;

Note: imm8 has the value of the instruction's second byte. The second byte under normally assembly of this instruction will be 0A, however, explicit modification of this byte will result in the operation described above and may alter results.

Flags Affected
OF DF IF SF ZF AF PF CF
? * * ? * ?

The SF, ZF, and PF flags are set according to the result; the OF, AF, and CF flags are undefined.

AAM - ASCII Adjust AX after Multiply

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D4 0A AAM X X X X X X ASCII adjust AX after
Description

Run the AAM instruction only after running a MUL instruction between two unpacked BCD digits that leaves the result in the AX register. Because the result is less than 100, it is contained entirely in the AL register. The AAM instruction unpacks the AL result by dividing AL by the second byte of the opcode, leaving the quotient (most-significant digit) in the AH register and the remainder (least-significant digit) in the AL register.

Operation
regAL ← AL;
AH ← regAL / imm8;
AL ← regAL MOD imm8;

Note: imm8 has the value of the instruction's second byte. The second byte under normally assembly of this instruction will be 0A., however, explicit modification of this byte will result in the operation described above and may alter results.

Flags Affected
OF DF IF SF ZF AF PF CF
? * * ? * ?

The SF, ZF, and PF flags are set according to the result; the OF, AF, and CF flags are undefined.

AAS - ASCII Adjust AL after Subtraction

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
3F AAS X X X X X X ASCII adjust AL after subtraction
Description

Run the AAS instruction only after a SUB instruction that leaves the byte result in the AL register. The lower nibbles of the operands of the SUB instruction must have been in the range of 0 through 9 (BCD digits). In this case, the AAS instruction adjusts the AL register so it contains the correct decimal digit result. If the subtraction produced a decimal carry, the AH register is decremented, and the CF and AF flags are set. If no decimal carry occurred, the CF and AF flags are cleared, and the AH register is unchanged. In either case, the AL register is left with its top nibble set to 0. To convert the AL result to an ASCII result, follow the AAS instruction with OR AL, 30H.

Operation
ALborrow ← AL < 6; (* 1 if true *)
IF (AL AND 0FH) > 9 OR AF = 1
THEN
   AL ← (AL - 6) AND 0FH;
   AH ← AH - 1 - ALborrow;
   AF ← 1;
   CF ← 1;
ELSE
   CF ← 0;
   AF ← 0;
   AL ← AL AND 0FH
FI;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|? |  |  |? |? |* |? |* 

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal carry; the OF, SF, ZF, and PF flags are undefined.

ADC - Add with Carry

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
14 ib ADC AL,imm8 X X X X X X Add with carry immediate byte to AL
15 iw ADC AX,imm16 X X X X X X Add with carry immediate word to AX
15 id ADC EAX,imm32 X X X Add with carry immediate dword to EAX
80 /2 ib ADC r/m8,imm8 X X X X X X Add with carry immediate byte to r/m byte
81 /2 iw ADC r/m16,imm16 X X X X X X Add with carry immediate word to r/m word
81 /2 id ADC r/m32,imm32 X X X Add with carry immediate dword to r/m dword
83 /2 ib ADC r/m16,imm8 X X X X X X Add with carry sign-extended immediate byte to r/m word
83 /2 ib ADC r/m32,imm8 X X X Add with carry sign-extended immediate byte into r/m dword
10 /r ADC r/m8,r8 X X X X X X Add with carry byte register to r/m byte
11 /r ADC r/m16,r16 X X X X X X Add with carry word register to r/m word
11 /r ADC r/m32,r32 X X X Add with carry dword register to r/m word
12 /r ADC r8,r/m8 X X X X X X Add with carry r/m byte to byte register
13 /r ADC r16,r/m16 X X X X X X Add with carry r/m word to word register
13 /r ADC r32,r/m32 X X X Add with carry r/m dword to dword register
Description

The ADC instruction performs an integer addition of the two operands DEST and SRC and the carry flag, CF. The result of the addition is assigned to the first operand (DEST), and the flags are set accordingly. The ADC instruction is usually run as part of a multi-byte or multi-word addition operation. When an immediate byte value is added to a word or doubleword operand, the immediate value is first sign-extended to the size of the word or doubleword operand.

Operation
DEST ← DEST + SRC + CF;
Flags Affected
OF DF IF SF ZF AF PF CF
* * * * * *

The OF, SF, ZF, AF, CF, and PF flags are set according to the result.

Protected Mode Exceptions

\#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

ADD - Add

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
04 ib ADD AL,imm8 X X X X X X Add immediate byte to AL
05 iw ADD AX,imm16 X X X X X X Add immediate word to AX
05 id ADD EAX,imm32 X X X Add immediate dword to EAX
80 /0 ib ADD r/m8,imm8 X X X X X X Add immediate byte to r/m byte
81 /0 iw ADD r/m16,imm16 X X X X X X Add immediate word to r/m word
81 /0 id ADD r/m32,imm32 X X X Add immediate dword to r/m dword
83 /0 ib ADD r/m16,imm8 X X X X X X Add sign-extended immediate byte to r/m word
83 /0 ib ADD r/m32,imm8 X X X Add sign-extended immediate byte to r/m dword
00 /r ADD r/m8,r8 X X X X X X Add byte register to r/m byte
01 /r ADD r/m16,r16 X X X X X X Add word register to r/m word
01 /r ADD r/m32,r32 X X X Add dword register to r/m dword
02 /r ADD r8,r/m8 X X X X X X Add r/m byte to byte register
03 /r ADD r16,r/m16 X X X X X X Add r/m word to word register
03 /r ADD r32,r/m32 X X X Add r/m dword to dword register
Description

The ADD instruction performs an integer addition of the two operands (DEST and SRC). The result of the addition is assigned to the first operand (DEST ), and the flags are set accordingly. When an immediate byte is added to a word or doubleword operand, the immediate value is sign-extended to the size of the word or doubleword operand.

Operation
DEST ← DEST + SRC;
Flags Affected
OF|DF|IF|SF|ZF|AF|PF|CF
--+--+--+--+--+--+--+--
* |  |  |* |* |* |* |*

The OF, SF, ZF, AF, CF, and PF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) is the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

AND - Logical AND

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
24 ib AND AL,imm8 X X X X X X AND immediate byte to AL
25 iw AND AX,imm16 X X X X X X AND immediate word to AX
25 id AND EAX,imm32 X X X AND immediate dword to EAX
80 /r ib AND r/m8,imm8 X X X X X X AND immediate byte to r/m byte
81 /4 iw AND r/m16,imm16 X X X X X X AND immediate word to r/m word
81 /r id AND r/m32,imm32 X X X AND immediate dword to r/m dword
83 /4 ib AND r/m16,imm8 X X X AND sign-extended immediate byte to r/m word
83 /4 ib AND r/m32,imm8 X X X AND sign-extended immediate byte with r/m dword
20 /r AND r/m8,r8 X X X X X X AND byte register to r/m byte
21 /r AND r/m16,r16 X X X X X X AND word register to r/m word
21 /r AND r/m32,r32 X X X AND dword register to r/m dword
22 /r AND r8,r/m8 X X X X X X AND r/m byte to byte register
23 /r AND r16,r/m16 X X X X X X AND r/m word to word register
23 /r AND r32,r/m32 X X X AND r/m dword to dword register
Description

Each bit of the result of the AND instruction is a 1 if both corresponding bits of the operands are 1; otherwise, it becomes a 0.

Operation
DEST ← DEST AND SRC;
CF ← 0;
OF ← 0;
Flags Affected
OF DF IF SF ZF AF PF CF
0 * * ? * 0

The CF and OF flags are cleared; the PF, SF, and ZF flags are set according to the result; the AF flag is undefined.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

ARPL - Adjust RPL Field of Selector

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
63 /r ARPL r/m16,r16 X X X X Adjust RPL of r/m16 to not less than RPL of r16
Description

The ARPL instruction has two operands. The first operand is a 16-bit memory variable or word register that contains the value of a selector. The second operand is a word register. If the RPL field ("requested privilege level" - bottom two bits) of the first operand is less than the RPL field of the second operand, the ZF flag is set and the RPL field of the first operand is increased to match the second operand. Otherwise, the ZF flag is cleared and no change is made to the first operand. The ARPL instruction appears in operating system software, not in application programs. It is used to guarantee that a selector parameter to a subroutine does not request more privilege than the caller is allowed. The second operand of the ARPL instruction is normally a register that contains the CS selector value of the caller.

Operation
IF RBL bits(0,1) of DEST < RPL bits(0,1) of SRC 
THEN 
   ZF ← 1;
   RPL bits(0,1) of DEST ← RPL bits (0,1) of SRC;
ELSE 
   ZF ← 0;
FI;
Flags Affected
OF|DF|IF|SF|ZF|AF|PF|CF
--+--+--+--+--+--+--+--
  |  |  |  |* |  |  |  

The ZF flag is set if the RPL field of the first operand is less than that of the second operand, otherwise ZF is cleared.

Protected Mode Exceptions
  1. GP(0) if the result is a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 6; the ARPL instruction is not recognized in Real Address Mode.

Virtual 8086 Mode Exceptions

Interrupt 6; the ARPL instruction is not recognized in Virtual 8086 Mode.

BOUND - Check Array Index Against Bounds

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
62 /r BOUND r16,m16&16 X X X X X Check if r16 is within m16&16 bounds (passes test)
62 /r BOUND r32,m32&32 X X X Check if r32 is within m32&32 bounds (passes test)
Description

The BOUND instruction ensures that a signed array index is within the limits specified by a block of memory consisting of an upper and a lower bound. Each bound uses one word when the operand-size attribute is 16-bits and a doubleword when the operand-size attribute is 32-bits. The first operand (a register) must be greater than or equal to the first bound in memory (lower bound), and less than or equal to the second bound in memory (upper bound) plus the number of bytes occupied for the operand size. If the register is not within bounds, an Interrupt 5 occurs; the return EIP points to the BOUND instruction. The bounds limit data structure is usually placed just before the array itself, making the limits addressable via a constant offset from the beginning of the array.

Operation
IF (LeftSRC < [RightSRC] OR LeftSRC > [RightSRC + 
OperandSize/8])
  (* Under lower bound or over upper bound *)
THEN Interrupt 5;
FI;
Protected Mode Exceptions

Interrupt 5 if the bounds test fails, as described above; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. The second operand must be a memory operand, not a register. If the BOUND instruction is run with a ModR/M byte representing a register as the second operand, #UD occurs.

Real Address Mode Exceptions

Interrupt 5 if the bounds test fails; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH; Interrupt 6 if the second operand is a register.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

BSF - Bit Scan Forward

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F BC BSF r16,r/m16 X X X Bit scan forward on r/m word
0F BC BSF r32,r/m32 X X X Bit scan forward on r/m dword
Description

The BSF instruction scans the bits in the second word or doubleword operand starting with bit 0. The ZF flag is set if all the bits are 0; otherwise, the ZF flag is cleared and the destination register is loaded with the bit index of the first set bit.

Operation
IF r/m = 0
THEN
   ZF ← 1;
   register ← UNDEFINED;
ELSE
   temp ← 0;
   ZF ← 0;
   WHILE BIT[r/m,temp] = 0
   DO
      temp ← temp + 1;
      register ← temp;
  OD;
FI;
Flags Affected
OF|DF|IF|SF|ZF|AF|PF|CF
--+--+--+--+--+--+--+--
? |  |  |? |* |? |? |? 

The ZF flag is set if all bits are 0; otherwise, the ZF flag is cleared. OF , SF, AF, PF, CF = undefined.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

BSR-Bit Scan Reverse

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F BD BSR r16,r/m16 X X X Bit scan reverse on r/m word
0F BD BSR r32,r/m32 X X X Bit scan reverse on r/m dword
Description

The BSR instruction scans the bits in the second word or doubleword operand from the most significant bit to the least significant bit. The ZF flag is set if all the bits are 0; otherwise, the ZF flag is cleared and the destination register is loaded with the bit index of the first set bit found when scanning in the reverse direction.

Operation
IF r/m = 0 
THEN 
   ZF ← 1;
   register ← UNDEFINED;
ELSE 
   temp ← OperandSize =1;
   ZF ← 0;
   WHILE BIT[r/m,temp] = 0 
   DO 
      temp ← temp - 1;
      register ← temp;
  OD;
FI;
Flags Affected
OF DF IF SF ZF AF PF CF
? ? * ? ? ?

The ZF flag is set if all bits are 0; otherwise, the ZF flag is cleared. OS , SF, AF, PF, CF = undefined.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

BSWAP - Byte Swap

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F C8+rd BSWAP r32 X X Swap bytes to convert little/big endian data in a 32-bit register to big/little endian form
Description

The BSWAP instruction reverses the byte order of a 32-bit register, converting a value in little/big endian form to big/little endian form. When BSWAP is used with 16-bit operand size, the result left in the destination register is undefined.

Operation
TEMP ← r32 
r32(7..0) ← TEMP(31..24)
r32(15..8) ← TEMP(23..16)
r32(23..16) ← TEMP(15..8)
r32(31..24) ← TEMP(7.0)
Notes

BSWAP is not supported on Intel386 processors. Include functionally-equivalent code for Intel386 CPUs.

BT - Bit Test

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F A3 BT r/m16,r16 X X X Save bit in carry flag
0F A3 BT r/m32,r32 X X X Save bit in carry flag
0F BA /4 ib BT r/m16,imm8 X X X Save bit in carry flag
0F BA /4 ib BT r/m32,imm8 X X X Save bit in carry flag
Description

The BT instruction saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the CF flag.

Operation
CF ← BIT [LeftSRC, RightSRC];
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|  |  |  |  |  |  |  |* 

The CF flag contains the value of the selected bit.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by some assemblers by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the low-order 3 to 5 bits (3 for 16 bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high-order bits if they are not zero. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by:

Effective Address + (4* (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address given by:

Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. You must therefore avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data.

BTC - Bit Test and Complement

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F BB BTC r/m16,r16 X X X Save bit in carry flag and complement
0F BB BTC r/m32,r32 X X X Save bit in carry flag and complement
0F BA /7 ib BTC r/m16,imm8 X X X Save bit in carry flag and complement
0F BA /7 ib BTC r/m32,imm8 X X X Save bit in carry flag and complement
Description

The BTC instruction saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the CF flag and then complements the bit.

Operation
CF ← BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] ← NOT BIT[LeftSrc, RightSRC];
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|  |  |  |  |  |  |  |* 

The CF flag contains the complement of the selected bit.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, and GS segments; # SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value may be used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger then 31 are supported by some assemblers by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the low-order 3 to 5 bits (3 for 16-bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high order bits if they are not zero. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by:

Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address given by:

Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. Therefore, referencing areas of memory close to address space holes should be avoided. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data.

BTR-Bit Test and Reset

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F B3 BTR r/m16,r16 X X X Save bit in carry flag and reset
0F B3 BTR r/m32,r32 X X X Save bit in carry flag and reset
0F BA /6 ib BTR r/m16,imm8 X X X Save bit in carry flag and reset
0F BA /6 ib BTR r/m32,imm8 X X X Save bit in carry flag and reset
Description

The BTR instruction saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the CF flag and then stores 0 in the bit.

Operation
CF ← BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] ← 0;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |  |  |  |  |  |  |* |

The CF flag contains the value of the selected bit.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by some assemblers by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the low-order 3 to 5-bits (3 for 16-bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high-order bits if they are not zero. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by:

Effective Address + 4 * (BitOffset DIV 32)

for a 32-bit operand size, or two bytes starting from the memory address given by:

Effective Address + 2 * (BitOffset DIV 16)

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed in order to reach the given bit. You must therefore avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data.

BTS-Bit Test and Set

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F AB BTS r/m16,r16 X X X Save bit in carry flag and set
0F AB BTS r/m32,r32 X X X Save bit in carry flag and set
0F BA /5 ib BTS r/m16,imm8 X X X Save bit in carry flag and set
0F BA /5 ib BTS r/m32,imm8 X X X Save bit in carry flag and set
Description

The BTS instruction saves the value of the bit indicated by the base (first operand) and the bit offset (second operand) into the CF flag and then stores 1 in the bit.

Operation
CF ← BIT[LeftSRC, RightSRC];
BIT[LeftSRC, RightSRC] ← 1;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|  |  |  |  |  |  |  |* 

The CF flag contains the value of the selected bit.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

The index of the selected bit can be given by the immediate constant in the instruction or by a value in a general register. Only an 8-bit immediate value is used in the instruction. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This allows any bit within a register to be selected. For memory bit strings, this immediate field gives only the bit offset within a word or doubleword. Immediate bit offsets larger than 31 are supported by some assemblers by using the immediate bit offset field in combination with the displacement field of the memory operand. In this case, the low-order 3 to 5 bits (3 for 16-bit operands, 5 for 32-bit operands) of the immediate bit offset are stored in the immediate bit offset field, and the high-order bits are shifted and combined with the byte displacement in the addressing mode by the assembler. The processor will ignore the high-order bits if they are not zero. When accessing a bit in memory, the processor may access four bytes starting from the memory address given by:

   Effective Address + (4 * (BitOffset DIV 32))

for a 32-bit operand size, or two bytes starting from the memory address given by:

   Effective Address + (2 * (BitOffset DIV 16))

for a 16-bit operand size. It may do this even when only a single byte needs to be accessed in order to get at the given bit. You must therefore be careful to avoid referencing areas of memory close to address space holes. In particular, avoid references to memory-mapped I/O registers. Instead, use the MOV instructions to load from or store to these addresses, and use the register form of these instructions to manipulate the data.

CALL - Call Procedure

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
E8 cw CALL rel16 X X X X X X Call near, displacement relative to next instruction
FF /2 CALL r/m16 X X X X X X Call near, register indirect/memory indirect
9A cd CALL ptr16:16 X X X X X X Call intersegment, to full pointer given
9A cd CALL ptr16:16 X X X X Call gate, same privilege
9A cd CALL ptr16:16 X X X X Call gate, more privilege, no parameters
9A cd CALL ptr16:16 X X X X Call gate, more privilege, x parameters
9A cd CALL ptr16:16 X X X X Call to task (via task state segment/task gate for 286)
FF /3 CALL m16:16 X X X X X X Call intersegment, address at r/m dword
FF /3 CALL m16:16 X X X X Call gate, same privilege
FF /3 CALL m16:16 X X X X Call gate, more privilege, no parameters
FF /3 CALL m16:16 X X X X Call gate, more privilege, x parameters
FF /3 CALL m16:16 X X X X Call to task (via task state segment/task gate for 286)
E8 cd CALL rel32 X X X Call near, displacement relative to next instruction
FF /2 CALL r/m32 X X X Call near, register indirect/memory indirect
9A cp CALL ptr16:32 X X X Call intersegment, to full pointer given
9A cp CALL ptr16:32 X X X Call gate, same privilege
9A cp CALL ptr16:32 X X X Call gate, more privilege, no parameters
9A cp CALL ptr16:32 X X X Call gate, more privilege, x parameters
9A cp CALL ptr16:32 X X X Call to task
FF /3 CALL m16:32 X X X Call intersegment, address at r/m fword
FF /3 CALL m16:32 X X X Call gate, same privilege
FF /3 CALL m16:32 X X X Call gate, more privilege, no parameters
FF /3 CALL m16:32 X X X Call gate, more privilege, x parameters
FF /3 CALL m16:32 X X X Call to task
Description

The CALL instruction causes the procedure named in the operand to be run. When the procedure is complete (a return instruction is run within the procedure), processing continues at the instruction that follows the CALL instruction. The action of the different forms of the instruction are described below. Near calls are those with destination of type r/m16, r/m32, rel16, rel32; changing or saving the segment register value is not necessary. The CALL rel16 and CALL rel32 forms add a signed offset to the address of the instruction following the CALL instruction to determine the destination. The rel16 form is used when the instruction's operand-size attribute is 16- bits; rel32 is used when the operand-size attribute is 32-bits. The result is stored in the 32-bit EIP register. With rel16, the upper 16-bits of the EIP register are cleared, resulting in an offset whose value does not exceed 16-bits. CALL r/m16 and CALL r/m32 specify a register or memory location from which the absolute segment offset is fetched. The offset fetched from r/m is 32-bits for an operand-size attribute of 32 (r/m32), or 16-bits for an operand-size of 16 (r/m16). The offset of the instruction following the CALL instruction is pushed onto the stack. It will be popped by a near RET instruction within the procedure. The CS register is not changed by this form of CALL. The far calls, CALL ptr:16 and CALL ptr16:32, use a four-byte or six-byte operand as a long pointer to the procedure called. The CALL m16:16 and m16: 32 forms fetch the long pointer from the memory location specified (indirection). In Real Address Mode or Virtual 8086 Mode, the long pointer provides 16-bits for the CS register and 16 or 32-bits for the EIP register (depending on the operand-size attribute). These forms of the instruction push both the CS and IP or EIP registers as a return address. In Protected Mode, both long pointer forms consult the AR byte in the descriptor indexed by the selector part of the long pointer. Depending on the value of the AR byte, the call will perform one of the following types of control transfers:

  • A far call to the same protection level
  • An inter-protection level far call
  • A task switch

A CALL-indirect-thru-memory, which uses the stack pointer (ESP) as a base register, references memory before the CALL. The base used is the value of the ESP before the instruction runs. For more information on Protected Mode control transfers, refer to the Intel documentation.

Operation
IF rel/16 or rel32 type of call 
THEN (* near relative call *)
   IF OperandSize = 16 
   THEN 
      Push(IP);
      EIP ← (EIP + rel16) AND 0000FFFFH;
   ELSE (* OperandSize = 32 *)
      Push(EIP);
      EIP ← EIP + rel32;
   FI;
FI;
IF r/m16 or r/m32 type of call 
THEN (* near absolute call *)
IF OperandSize = 16 
   THEN 
      Push(IP);
      EIP ← [r/m16] AND 0000FFFFH;
   ELSE (*OperandSize = 32 *)
      Push(EIP);
      EIP ←[r/m32]
   FI;
FI 

IF (PE = 0 OR (PE = 1 AND VM = 1))
(* real mode or virtual 8086 mode *)
   AND instruction = far CALL 
     (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32*)
THEN 
    IF OperandSize = 16 
    THEN 
      Push(CS);
      Push(IP); (* address of next instruction; 16 bits *)
    ELSE 
      Push(CS); (* padded with 16 high-order bits *)
      Push(EIP); (* address of next instruction; 32 bits *)
FI;
IF operand type is m16:16 or m16:32
THEN (* indirect far call *)
   IF OperandSize = 16 
   THEN 
      CS:IP ← [m16:16];
   EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *)
   ELSE (* OperandSize = 32 *)
      CS:EIP ← [m16:32[;
   FI;
FI;
IF operand type is ptr:16 or ptr16:32
THEN (* direct far call *)
   IF OperandSize = 16 
   THEN 
      CS:IP ← ptr:16;
      EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *)
   ELSE (* OperandSize = 32 *)
      CS:EIP ← ptr16:32;
   FI;
 FI;
FI;

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
 AND instruction = far CALL  
THEN 
 If indirect, then check access of EA doubleword;
   #GP(0) if limit violation;
 New CS selector must not be null else #GP(0);
 Check that new CS selector index is within its 
   descriptor table limits; else #GP(new CS selector);
 Examine AR byte of selected descriptor for various legal values;
   depending on value:
   go to CONFORMING-CODE-SEGMENT;
   go to NONCONFORMING-CODE-SEGMENT;
   go to CALL-GATE;
   go to TASK-GATE;
   go to TASK-STATE-SEGMENT;
 ELSE #GP(code segment selector);
FI;
CONFORMING-CODE-SEGMENT:
 DPL must be ó CPL ELSE #GP(code segment selector);
 Segment must be present ELSE #NP(code segment selector);
 Stack must be big enough for return address ELSE #SS(0);
 Instruction pointer must be in code segment limit ELSE #GP(0);
 Load code segment descriptor into CS register;
 Load CS with new code segment selector;
 Load EIP with zero-extend(new offset);
 IF OperandSize=16 THEN EIP ← EIP AND 0000FFFFH; FI;
NONCONFORMING-CODE-SEGMENT:
 RPL must be ó CPL ELSE #GP(code segment selector)
 DPL must be = CPL ELSE #GP(code segment selector)
 Segment must be present ELSE #NP(code segment selector)
 Stack must be big enough for return address ELSE #SS(0)
 Instruction pointer must be in code segment limit ELSE #GP(0)
 Load code segment descriptor into CS register 
 Load CS with new code segment selector 
 Set RPL of CS to CPL 
 Load EIP with zero-extend(new offset);
 IF OperandSize=16 THEN EIP ← EIP AND 0000FFFFH; FI;
 CALL-GATE
 Call gate DPL must be ò CPL ELSE #GP(call gate elector)
 Call gate DPL must be ò RPL ELSE #GP(call gate elector)
 Call gate just be present ELSE #NP(call gate selector)
 Examine code segment selector in call gate descriptor:
   Selector must not be null ELSE #GP(0)
   Selector must be within its descriptor table 
     limits ELSE #GP(code segment selector)
   AR byte of selected descriptor must indicate code 
     segment ELSE #GP(code segment selector)
   DPL of selected descriptor must be ó CPL ELSE 
     #GP(code segment selector)
   IF non-conforming code segment AND DPL < CPL 
   THEN go to MORE-PRIVILEGE
   ELSE go to SAME-PRIVILEGE
   FI;
MORE-PRIVILEGE:
 Get new SS selector for new privilege level from TSS 
   Check selector and descriptor for new SS:
     Selector must not be null ELSE #TS(0)
     Selector index must be within its descriptor 
       table limits ELSE #TS(SS selector)
     Selector's RPL must equal DPL of code segment 
       ELSE #TS(SS selector)
     Stack segment DPL must equal DPL of code 
       segment ELSE #TS(SS selector)
     Descriptor must indicate writable data segment 
       ELSE #TS(SS selector)
     Segment present ELSE #SS(SS selector)
IF OperandSize=32
 THEN 
     New stack must have room for parameters plus 16 bytes 
       ELSE #SS(SS selector)
     EIP must be in code segment limit ELSE #GP(0)
     Load new SS:eSP value from TSS 
     Load new CS:EIP value from gate 
 ELSE 
   New stack must have room for parameters plus 8 bytes 
     ELSE #SS(SS selector)
   IP must be in code segment limit ELSE #GP(0)
   Load new SS:eSP value from TSS 
   Load new CS:IP value from gate 
 FI;
 Load CS descriptor 
 Load SS descriptor 
 Push long pointer of old stack onto new stack 
 Get word count from call gate, mask to 5 bits 
 Copy parameters from old stack onto new stack 
 Push return address onto new stack 
 Set CPL to stack segment DPL 
 Set RPL of CS to CPL 
SAME-PRIVILEGE:
 IF OperandSize=32
 THEN 
   Stack must have room for 6-byte return address (padded to 8 bytes)
     ELSE #SS(0)
   EIP must be within code segment limit ELSE #GP(0)
   Load CS:EIP from gate 
 ELSE 
   Stack must have room for 4-byte return address ELSE #SS(0)
   IP must be within code segment limit ELSE #GP(0)
   Load CS:IP from gate 
FI;
Push return address onto stack 
Load code segment descriptor into CS register 
Set RPL of CS to CPL 
TASK-GATE:
   Task gate DPL must be ó CPL ELSE #TS(gate selector)
   Task gate DPL must be ó RPL ELSE #TS(gate selector)
   Task Gate must be present ELSE #NP(gate selector)
   Examine selector to TSS, given in Task Gate descriptor:
     Must specify global in the local/global bit ELSE #TS(TSS selector)
     Index must be within GDT limits ELSE #TS(TSS selector)
     TSS descriptor AR byte must specify nonbusy TSS 
       ELSE #TS(Tss selector)
     Task State Segment must be present ELSE #NP(TSS selector)
 SWITCH-TASKS (with nesting) to TSS 
 IP must be in code segment limit ELSE #TS(0)
TASK-STATE-SEGMENT
 TSS DPL must be ó CPL ELSE #TS(TSS selector)
 TSS DPL must be ó RPL ELSE #TS(TSS selector)
 TSS descriptor AR byte must specify available TSS 
    ELSE #TS(TSS selector)
 Task State Segment must be present ELSE #NP(TSS selector)
 SWITCH-TASKS (with nesting) to TSS 
 IP must be in code segment limit ELSE #TS(0)
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |  |  |  |  |  |  |  |

All flags are affected if a task switch occurs; no flags are affected if a task switch does not occur.

Protected Mode Exceptions

For far calls: #GP, #NP, #SS, and #TS, as indicated in the "Operation" section. For near direct calls: #GP(0) if procedure location is beyond the code segment limits; #SS(0) if pushing the return address exceeds the bounds of the stack segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. For a near indirect call: #GP(0) for an illegal memory operand effective address is the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #GP(0) if the indirect offset obtained is beyond the code segment limits; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

Any far call from a 32-bit code segment to a 16-bit code segment should be made from the first 64 Kbytes of the 32-bit code segment, because the operand-size attribute of the instruction is set to 16, allowing only a 16- bit return address offset to be saved.

CBW/CWDE-Convert Byte to Word/Convert Word to Doubleword

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
98 CBW X X X X X X AX ← sign extend of AL
98 CWDE X X X EAX ← sign-extend of AX
Description

The CBW instruction converts the signed byte in the AL register to a signed word in the AX register by extending the most significant bit of the AL register (the sign bit) into all of the bits of the AH register. The CWDE instruction converts the signed word in the AX register to a doubleword in the EAX register by extending the most significant bit of the AX register into the two most significant bytes of the EAX register. Note that the CWDE instruction is different from the CWD instruction. The CWD instruction uses the DX:AX register pair rather than the EAX register as a destination.

Operation
IF OperandSize = 16 (* instruction = CBW *)
THEN AX ← Sign Extend(AL);
ELSE (* OperandSize = 32, instruction = CWDE *)
  EAX ← Sign Extend(AX);
FI;

CDQ - Convert Double to Quad

See entry for CWD/CDQ-Convert Word to Double/Convert Double to Quad.

CLC - Clear Carry Flag

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+----------------
|F8        |CLC                 |X|X|X|X|X|X|Clear carry flag
Description

The CLC instruction clears the CF flag. It does not affect other flags or registers.

Operation
CF ← 0;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |  |  |  |  |  |  |0 |

The CF flag is cleared.

CLD - Clear Direction Flag

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+--------------------
|FC        |CLD                 |X|X|X|X|X|X|Clear direction flag
Description

The CLD instruction clears the direction flag. No other flags or registers are affected. After a CLD instruction is run, string operations will increment the index registers (SI and/or DI) that they use.

Operation
DF ← 0;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |0 |  |  |  |  |  |  |

The DF flag is cleared.

CLI - Clear Interrupt Flag

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
FA CLI X X X X X X Clear interrupt flag; interrupts disabled when interrupt flag cleared
Description

The CLI instruction clears the IF flag if the current privilege level is at least as privileged as IOPL. No other flags are affected. External interrupts are not recognized at the end of the CLI instruction from that point on until the IF flag is set.

Operation
IF PE = 0 
THEN 
  IF ←0;
ELSE 
  IF VM = 0 (* Running in protected Mode *)
  THEN
     IF IOPL = 3 
     THEN IF ← 0;
     ELSE IF CPL ó IOPL 
               THEN IF ← 0;
               ELSE #GP(0);
               FI;
     FI;
  ELSE (* Running in Virtual-8086 mode *)
     IF IOPL = 3 
     THEN IF ← 
     ELSE #GP(0);
     FI;
  FI;
FI;
Decision Table

The following decision table indicates which action in the lower portion of the table is taken given the conditions in the upper portion of the table.

PE = 0 1 1 1 1
VM = - 0 - 0 1
CPL - óIOPL - >IOPL -
IOPL - - = 3 - < 3
IF ← 0 Y Y Y
#GP(0) Y Y

Notes: - Don't care Blank Action Not Taken Y Action in Column 1 taken

Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |  |0 |  |  |  |  |  |

IF cleared.

Protected Mode Exceptions
  1. GP(0) if the current privilege level is greater (has less privilege) than the I/O privilege level in the flags register. The I/O privilege level specifies the least privileged level at which I/O can be performed.
Virtual 8086 Mode Exceptions
  1. GP(0) as for protected mode.

CLTS - Clear Task-Switched Flag in CR0

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 06 CLTS X X X X Clear task-switched flag
Description

The CLTS instruction clears the task-switched (TS) flag in the CR0 register. This flag is set by the processor every time a task switch occurs. The TS flag is used to manage processor extensions as follows:

  • Every processing of an ESC instruction is trapped if the TS flag is set.
  • Processing of a WAIT instruction is trapped if the MP flag and the TS flag are both set.

Thus, if a task switch was made after an ESC instruction was begun, the floating-point unit's context may need to be saved before a new ESC instruction can be issued. The fault handler saves the context and clears the TS flag. The CLTS instruction appears in operating system software, not in application programs. It is a privileged instruction that can only be run at privilege level 0.

Operation
TS Flag in CR0 ← 0;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |  |  |  |  |  |  |  |

The TS flag is cleared (the TS flag is in the CR0 register, not the flags register).

Protected Mode Exceptions
  1. GP(0) if the CLTS instruction is run with a current privilege level other than 0.
Real Address Mode Exceptions

None (valid in Real Address Mode to allow initialization for Protected Mode ).

Virtual 8086 Mode Exceptions

Same exceptions as in Protected Mode.

CMC - Complement Carry Flag

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F5 CMC X X X X X X Complement carry flag
Description

The CMC instruction reverses the setting of the CF flag. No other flags are affected.

Operation
CF ← NOT CF;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|  |  |  |  |  |  |  |*

The CF flag contains the complement of its original value.

CMP - Compare Two Operands

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
3C ib CMP AL,imm8 X X X X X X Compare immediate byte to AL
3D iw CMP AX,imm16 X X X X X X Compare immediate word to AX
3D id CMP EAX,imm32 X X X Compare immediate dword to EAX
80 /7 ib CMP r/m8,imm8 X X X X X X Compare immediate byte to r/m byte
81 /7 iw CMP r/m16,imm16 X X X X X X Compare immediate word to r/m word
81 /7 id CMP r/m32,imm32 X X X Compare immediate dword to r/m dword
83 /7 ib CMP r/m16,imm8 X X X X X X Compare sign-extended immediate byte to r/m word
83 /7 ib CMP r/m32,imm8 X X X Compare sign-extended immediate byte to r/m dword
38 /r CMP r/m8,r8 X X X X X X Compare byte register to r/m byte
39 /r CMP r/m16,r16 X X X X X X Compare word register to r/m word
39 /r CMP r/m32,r32 X X X Compare dword register to r/m dword
3A /r CMP r8,r/m8 X X X X X X Compare r/m byte to byte register
3B /r CMP r16,r/m16 X X X X X X Compare r/m word to word register
3B /r CMP r32,r/m32 X X X Compare r/m dword to dword register
Description

The CMP instruction subtracts the second operand from the first but, unlike the SUB instruction, does not store the result; only the flags are changed. The CMP instruction is typically used in conjunction with conditional jumps and the SETcc instruction. (Refer to Appendix D for the list of signed and unsigned flag tests provided.) If an operand greater than one byte is compared to an immediate byte, the byte value is first sign-extended.

Operation
LeftSRC - SignExtend(RightSRC);

(* CMP does not store a result; its purpose is to set the flags *)

Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|* |  |  |* |* |* |* |* 

The OF, SF, ZF, AF, PF, and CF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

,Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

CMPS/CMPSB/CMPSW/CMPSD - Compare String Operands

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
A6 CMPS m8,m8 X X X X X X Compare bytes ES:[(E)DI] (second operand) with [(E)SI] (first operand)
A7 CMPS m16,m16 X X X X X X Compare words ES:[(E)DI] (second operand) with [(E)SI] (first operand)
A7 CMPS m32,m32 X X X Compare dwords ES:[(E)DI] (second operand) with [(E)SI] (first operand)
A6 CMPSB X X X X X X Compare bytes ES:[(E)DI] with DS:[(E)SI]
A7 CMPSW X X X X X X Compare words ES:[(E)DI] with DS:[(E)SI]
A7 CMPSD X X X Compare dwords ES:[(E)DI] with DS:[(E)SI]
Description

The CMPS instruction compares the byte, word, or doubleword pointed to by the source-index register with the byte, word, or doubleword pointed to by the destination-index register. If the address-size attribute of this instruction of 16-bits, the SI and DI registers will be used for source- and destination-index registers; otherwise the ESI and EDI registers will be used. Load the correct index values into the SI and DI (or ESI and EDI) registers before running the CMPS instruction. The comparison is done by subtracting the operand indexed by the destination-index register from the operand indexed by the source-index register. Note that the direction of subtraction for the CMPS instruction is [SI] - [ DI] or [ESI] - [EDI]. The left operand (SI or ESI) is the source and the right operand (DI or EDI) is the destination. This is the reverse of the usual Intel convention in which the left operand is the destination and the right operand is the source. The result of the subtraction is not stored; only the flags reflect the change. The types of the operands determine whether bytes, words, or doublewords are compared. For the first operand (SI or ESI), the DS register is used, unless a segment override byte is present. The second operand (DI or EDI) must be addressable from the ES register; no segment override is possible. After the comparison is made, both the source-index register and destination-index register are automatically advanced. If the DF flag is 0 (a CLD instruction was run), the registers increment; if the DF flag is 1 (an STD instruction was run), the registers decrement. The registers increment or decrement by 1 if a byte is compared, by 2 if a word is compared, or by 4 if a doubleword is compared. The CMPSB, CMPSW and CMPSD instructions are synonyms for the byte, word, and doubleword CMPS instructions, respectively. The CMPS instruction can be preceded by the REPE or REPNE prefix for block comparison of CX or ECX bytes, words, or doublewords. Refer to the description of the REP instruction for more information on this operation.

Operation
IF (instruction = CMPSD) OR
   (instruction has operands of type DWORD)
THEN OperandSize ← 32;
ELSE OperandSize ← 16;
FI;
IF AddressSize = 16
THEN
  use SI for source-index and DI for destination-index
ELSE (* AddressSize = 32 *)
  use ESI for source-index and EDI for destination-index;
FI;
IF byte type of instruction
THEN
  set ZF based on
  [source-index] - [destination-index] ; (* byte comparison *)
  IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
ELSE
  IF OperandSize = 16
  THEN
     set ZF based on
     [source-index] - [destination-index] ; (* word comparison *)
     IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
  ELSE (* OperandSize = 32 *)
     set ZF based on
     [source-index] - [destination-index] ; (* dword comparison *)
     IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
  FI;
FI;
source-index = source-index + IncDec;
destination-index = destination-index + IncDec;
Flags Affected
OF DF IF SF ZF AF PF CF
* * * * * *

The OF, SF, ZF, AF, PF, and CF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

CMPXCHG - Compare and Exchange

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F B0 /r CMPXCHG r/m8,r8 X X Compare AL with r/m byte. If equal, set ZF and load byte reg into r/m byte. Else, clear ZF and load r/m byte into AL
0F B1 /r CMPXCHG r/m16,r16 X X Compare AX with r/m word. If equal, set ZF and load word reg into r/m word. Else, clear ZF and load r/m word into AX
0F B1 /r CMPXCHG r/m32,r32 X X Compare EAX with r/m dword. If equal, set ZF and load dword reg into r/m dword. Else, clear ZF and load r/m dword into EAX.
Description

The CMPXCHG instruction compares the accumulator (AL, AX, or EAX register) with DEST. If they are equal, SRC is loaded into DEST. Otherwise, DEST is loaded into the accumulator.

Operation
IF accumulator=DEST
         ZF ← 1 
         DEST ← SRC 
ELSE 
         ZF ← 0 
         accumulator ← DEST 
Flags Affected
OF DF IF SF ZF AF PF CF
* * * * * *

The CF, PF, AF, SF, and OF flags are affected as if a CMP instruction had been run with DEST and the accumulator as operands. The ZF flag is set if the destination operand and the accumulator are equal; otherwise it is cleared.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

This instruction can be used with a LOCK prefix. In order to simplify interface to the processor's bus, the destination operand receives a write cycle without regard to the result of the comparison. DEST is written back if the comparison fails, and SRC is written into the destination otherwise. (The processor never produces a locked read without also producing a locked write.) This instruction is not supported on Intel386 processors.

CMPXCHG8B - Compare and Exchange 8 Bytes

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F C7 /1 CMPXCHG8B r/m64 X Compare EDX:EAX with r/m qword.
If equal, set ZF and load ECX:EBX into r/m qword. Else, clear ZF and load r/m qword into EDX:EAX
Description

The CMPXCHG8B instruction compares the 64-bit value in EDX:EAX with DEST. EDX contains the high-order 32 bits, and EAX contains the low-order 32 bits of 64-bit value. If they are equal, the 64-bit value in ECX:EBX is stored into DEST. ECX contains the high-order 32 bits and EBX contains the low- order 32 bits. Otherwise, DEST is loaded into EDX:EAX.

Operation
IF EDX:EAX=DEST
         ZF ← 1 
         DEST ← ECX:EBX
ELSE 
         ZF ← 0 
         EDX:EAX ← DEST 
Flags Affected
OF DF IF SF ZF AF PF CF
*

The ZF flag is set if the destination operand and EDX:EAX are equal; otherwise it is cleared. The CF, PF, AF, SF, and OF flags are unaffected.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

The destination operand must be a memory operand, not a register. If the CMPXCHG8B instruction is run with a modr/m byte representing a register as the destination operand, #UD occurs.

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3. #UD if modr/m byte represents a register as the destination.

Notes

This instruction can be used with a LOCK prefix. In order to simplify interface to the processor's bus, the destination operand receives a write cycle without regard to the result of the comparison. DEST is written back if the comparison fails, and SRC is written into the destination otherwise. (The processor never produces a locked read without also producing a locked write.) The "r/m64" syntax had previously been used only in the context of floating point operations. It indicates a 64-bit value, in memory at an address determined by the modr/m byte. This instruction is not supported on Intel486 processors.

CPUID - CPU Identification

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F A2 CPUID X EAX ← CPU identification information
Description

The CPUID instruction provides information to software about the vendor, family, model, and stepping of microprocessor on which it is running. An input value loaded into the EAX register for this instruction indicates what information should be returned by the CPUID instruction. Following processing of the CPUID instruction with a zero in EAX, the EAX register contains the highest input value understood by the CPUID instruction. For the Pentium processor, the value in EAX will be a one. Also included in the output of this instruction with an input value of zero in EAX is a vendor identification string contained in the EBX, EDX, and ECX registers. EBX contains the first four characters, EDX contains the next four characters and ECX contains the last four characters. For Intel processors, the vendor identification string is "GenuineIntel" as follows:

EBX ← 756e6547h (* "Genu", with G in the low nibble of BL *)
EDX ← 49656e69h (* "ineI", with i in the low nibble of DL *)
ECX ← 6c65746eh (* "ntel", with n in the low nibble of CL *)

Following processing of the CPUID instruction with an input value of one loaded into the EAX register, EAX[3:0] contains the stepping id of the microprocessor, EAX[7:4] contains the model (the first model will be indicated by 0001B in these bits) and EAX[11:8] contains the family (5 for the Pentium processor family). EAX[31:12] are reserved, as well as EBX, and ECX. The Pentium processor sets the feature register, EDX, to 1BFH indicating which features the Pentium processor supports. A feature flag set to one indicates that the corresponding feature is supported. The feature set register is defined as follows:

EDX[0:0] FPU on chip
EDX[6:1] Refer to the Intel documentation
EDX[7:7] Machine Check Exception
EDX[8:8] CMPXCHG8B Instruction
EDX[31:9] Reserved

Software should determine the vendor identification in order to properly interpret the feature register flag bits. For more information on the feature set register, see the Intel documentation.

Operation
switch (EAX)
  case 0:
      EAX ← hv;(* hv=1 for the Pentium processor *)
                      (* hv is the highest input value that is understood by CPUID. *)
      EBX ← Vendor identification string;
      EDX ← Vendor identification string;
      ECX ← Vendor identification string;
      break;
  case 1:
      EAX[3:0] ← Stepping ID;
      EAX[7:4] ← Model;
      EAX[11:8] ← Family;
      EAX[31:12] ← Reserved;
      EBX ← reserved;      (* 0 *)
      ECX ← reserved;      (* 0 *)
      EBX ← feature flags;
      break;
  default:  (* EAX > hv *)
      EAX ← reserved, undefined;
      EBX ← reserved, undefined;
      ECX ← reserved, undefined;
      EDX ← reserved, undefined;
      break;
end-of-switch

CWD/CDQ - Convert Word to Double/Convert Double to Quad

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
99 CWD X X X X X X DX ← sign-extend of AX
99 CDQ X X X EDX ← sign-extend of EAX
Description

CWD and CDQ double the size of the source operand. The CWD instruction copies the sign (bit 15) of the word in the AX register into every bit position in the DX register. The CDQ instruction copies the sing (bit 31) of the doubleword in the EAX register into every bit position in the EDX register. The CWD instruction can be used to produce a doubleword dividend from a word before a word division, and the CDQ instruction can be used to produce a quadword dividend from a doubleword before doubleword division. The CWD and CDQ instructions are different mnemonics for the same opcode. Which one gets run is determined by whether it is in a 16- or 32-bit segment and the presence of any operand-size override prefixes.

Operation
IF OperandSize = 16 (* instruction = CWD *)
THEN DX ← SignExtend(AX);
ELSE (* OperandSize = 32, instruction = CDQ *)
  EDX ←SignExtend(EAX);
FI;

CWDE - Convert Word to Doubleword

See entry for CBW/CWDE-Convert Byte to Word/Convert Word to Doubleword.

DAA - Decimal Adjust AL after Addition

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+--------------------------------
|27        |DAA                 |X|X|X|X|X|X|Decimal adjust AL after addition
Description

Run the DAA instruction only after running an ADD instruction that leaves a two-BCD-digit byte result in the AL register. The ADD operands should consist of two packaged BCD digits. The DAA instruction adjusts the AL register to contain the correct two-digit packed decimal result.

Operation
IF (((AL AND 0FH) > 09H) or EFLAGS.AF = 1)
THEN 
  AL ← AL + 06H;
FI;
IF (((AL AND 0F0H) > 90H) or EFLAGS.CF = 1)
THEN 
  AL ← AL + 60H;
  CF ← 1;
FI;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|? |  |  |* |* |* |* |* |

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal carry; the SF, ZF and PF flags are set according to the result. The OF flag is undefined.

DAS - Decimal Adjust AL after Subtraction

Details Table
|Encoding |Instruction  |0|1|2|3|4|5|Description 
|---------+-------------+-+-+-+-+-+-+----------------------------------
|2F       |DAS          |X|X|X|X|X|X|Decimal adjust AL after subtraction
Description

Run the DAS instruction only after a subtraction instruction that leaves a two-BCD-digit byte result in the AL register. The operands should consist of two packed BCD digits. The DAS instruction adjusts the AL register to contain the correct packed two-digit decimal result.

Operation
tmpCF ← 0;
tmpAL ← AL;
IF (((tmpAL AND 0FH) > 9H) or AF = 1)
THEN 
  AF ← 1;
  AL ← AL - 6H;
  tmpCF ← (AL < 0) OR CF;
FI;
IF ((tmpAL > 99H) or CF = 1)
THEN 
  AL ← AL - 60H;
  tmpCF ← 1;
FI;
CF ← tmpCF;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|? |  |  |* |* |* |* |* |

The AF and CF flags are set if there is a decimal borrow, cleared if there is no decimal borrow; the SF, ZF and PF flags are set according to the result. The OF flag is undefined.

DEC - Decrement by 1

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
FE /1 DEC r/m8 X X X X X X Decrement r/m byte by 1
FF /1 DEC r/m16 X X X X X X Decrement r/m word by 1
FF /1 DEC r/m32 X X X Decrement r/m dword by 1
48+rw DEC r16 X X X X X X Decrement word register by 1
48+rd DEC r32 X X X Decrement dword register by 1
Description

The DEC instruction subtracts 1 from the operand. The DEC instruction does not change the CF flag. To affect the CF flag, use the SUB instruction with an immediate operand of 1.

Operation
DEST ← DEST - 1;
Flags Affected
OF DF IF SF ZF AF PF CF
* * * * *

The OF, SF, ZF, AF, and PF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) if the result is a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

DIV - Unsigned Divide

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F6 /6 DIV r/m8 X X X X X X Unsigned divide AX by r/m byte

(AL=Quotient, AH=Remainder)

F7 /6 DIV r/m16 X X X X X X Unsigned divide DX:AX by r/m word

(AX=Quotient, DX=Remainder)

F7 /6 DIV r/m32 X X X Unsigned divide EDX:EAX by r/m

dword (EAX=Quotient, EDX=Remainder)

Description

The DIV instruction performs an unsigned division. The dividend is implicit ; only the divisor is given as an operand. The remainder is always less than the divisor. The type of the divisor determines which registers to use as follows:

SIZE DIVIDEND DIVISOR QUOTIENT REMAINDER
byte AX r/m8 AL AH
word DX:AX r/m16 AX DX
dword EDX:EAX r/m32 EAX EDX
Operation
temp ← dividend / divisor;
IF temp does not fit in quotient 
THEN Interrupt 0;
ELSE 
  quotient ← temp;
  remainder ← dividend MOD (r/m);
FI;

Note: Divisions are unsigned. The divisor is given by the r/m operand. The dividend, quotient, and remainder use implicit registers. Refer to the table under "Description".

Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|? |  |  |? |? |? |? |? |

The OF, SF, ZF, AF, PF, and CF flags are undefined.

Protected Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register (AL, AX, or EAX), or if the divisor is 0; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions

Interrupt 0 if the quotient is too big to fit in the designated register (AL, AX, or EAX), or if the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

ENTER - Make Stack Frame for Procedure Parameters

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
C8 iw 00 ENTER imm16,0 X X X X X Make procedure stack frame
C8 iw 01 ENTER imm16,1 X X X X X Make stack frame for procedure parameters
C8 iw ib ENTER imm16,imm8 X X X X X Make stack frame for procedure parameters
Description

The ENTER instruction creates the stack frame required by most block- structured high-level languages. The first operand specifies the number of bytes of dynamic storage allocated on the stack for the routine being entered. The second operand gives the lexical nesting level (0 to 31) of the routine within the high-level language source code. It determines the number of stack frame pointers copied into the new stack frame from the preceding frame. Both the operand-size attribute and the stack-size attribute are used to determine whether BP or EBP is used for the current frame pointer and SP or ESP is used for the stack pointer. If the operand-size attribute is 16-bits, the processor uses the BP register as the frame pointer and the SP register as the stack pointer, unless the stack-size attribute is 32-bits in which case it uses EBP for the frame pointer and ESP for the stack pointer. If the operand-size attribute is 32-bits, the processor uses the EBP register for the frame pointer and the ESP register for the stack pointer, unless the stack-size attribute is 16-bits in which case it uses BP for the frame pointer and SP for the stack pointer. If the second operand is 0, the ENTER instruction pushes the frame pointer (BP or EBP register) onto the stack; the ENTER instruction then subtracts the first operand from the stack pointer and sets the frame pointer to the current stack-pointer value. For example, a procedure with 12 bytes of local variables would have an ENTER 12,0 instruction at its entry point and a LEAVE instruction before every RET instruction. The 12 local bytes would be addressed as negative offsets from the frame pointer.

Operation
level ← level MOD 32 
2ndOperand <- 2ndOperand MOD 32 
IF operand_size = 16 THEN Push(bp) ELSE Push(ebp) FI;
IF stkSize = 16 THEN framePtr = sp ELSE framePtr = esp FI;
FOR i ← 1 TO (2ndOperand - 1)
DO 
  IF oprand_size = 16 
  THEN
      IF stkSize = 16 
      THEN
        bp = bp - 2 
        Push([bp]) (* word push *)
      ELSE (* stkSize = 32 *)
        ebp = ebp - 2 
        Push([ebp]) (* word push *)
      FI;
  ELSE (* operand_size = 32 *)
      IF stkSize = 16 
        bp = bp - 4 
        Push([bp]) (* doubleword push *)
      ELSE (* stkSize = 32 *)
        ebp = ebp - 4 
        Push([ebp]) (* doubleword push *)
      FI;
  FI;
OD;
IF stkSize = 16 
THEN Push(framePtr); (* word push *)
ELSE Pushd(framePtr); (* doubleword push *)
FI;
IF stkSize = 16 
THEN 
  bp = framePtr 
  sp = sp - 1stOperand 
ELSE 
  ebp = framePtr 
  esp = esp - 1stOperand 
FI;
Protected Mode Exceptions
  1. SS(0) if the SP or ESP value would exceed the stack limit at any point during instruction processing; #PF(fault-code) for a page fault.

F2XM1 - Compute (2 to the power of X) minus 1

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+-------------------------
|D9 F0     |F2XM1               |X|X|X|X|X|X|Replace ST with (2ST - 1)
Description

F2XM1 replaces the contents of ST with (2ST-1). ST must lie in the range -1 < ST < 1.

Operation
ST ← (2ST-1);
Numeric Exceptions

P, U, D, I, IS.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

If the operand is outside the acceptable range, the result of F2XM1 is undefined. Values other than 2 can be exponentiated using the formula xy = 2(y * log2x) The instructions FLDL2T and FLDL2E load the constants log210 and log2e, respectively. FYL2X can be used to calculate y * log2x for arbitrary positive x.

FABS - Absolute Value

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+----------------------------------
|D9 E1     |FABS                |X|X|X|X|X|X|Replace ST with its absolute value
Description

The absolute value instruction clears the sign bit of ST. This operation leaves a positive value unchanged, or replaces a negative value with a positive value of equal magnitude.

Operation
sign bit of ST ← 0 
Numeric Exceptions

IS

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

The invalid-operation exception is raised only on stack underflow. No exception is raised if the operand is a signalling NaN or is in an unsupported format.

FADD/FADDP/FIADD - Add

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
DE C1 FADD X X X X X X Add ST to ST(1) and pop ST
D8 C0+i FADD ST,ST(i) X X X X X X Add ST(i) to ST
DC C0+i FADD ST(i),ST X X X X X X Add ST to ST(i)
D8 /0 FADD m32real X X X X X X Add m32real to ST
DC /0 FADD m64real X X X X X X Add m64real to ST
DE C0+i FADDP ST(i),ST X X X X X X Add ST to ST(i) and pop ST
DE /0 FIADD m16int X X X X X X Add m16int to ST
DA /0 FIADD m32int X X X X X X Add m32int to ST
Description

The addition instructions add the source and destination operands and return the sum to the destination. The operand at the stack top can be doubled by coding: FADD ST, ST(0)

Operation
DEST ← DEST +SRC;
If instruction = FADDP THEN pop ST FI;
Numeric Exceptions

P, U, O, D, I, IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF ( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes
If the source operand is in memory, it is automatically converted to the extended-real format.

FBLD - Load Binary Coded Decimal

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+------------------------------
|DF /4     |FBLD m80bcd         |X|X|X|X|X|X|Push m80bcd onto the FPU stack
Description

FBLD converts the BCD source operand into extended-real format, and pushes it onto the FPU stack. See Figure 6-10 for BCD data layout.

Operation
Decrement FPU stack-top pointer;
ST(0) ← SRC;
Numeric Exceptions

IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF ( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

The source is loaded without rounding error. The sign of the source is preserved, including the case where the value is negative zero. The packed decimal digits are assumed to be in the range 0-9. The instruction does not check for invalid digits (A-FH), and the result of attempting to load an invalid encoding is undefined. ST(7) must be empty to avoid causing an invalid-operation exception.

FBSTP - Store Binary Coded Decimal and Pop

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+-----------------------------
|DF /6     |FBSTP m80bcd        |X|X|X|X|X|X|Store ST in m80bcd and pop ST
Description

FBSTP converts the value in ST into a packed decimal integer, stores the result at the destination in memory, and pops ST. Non-integral values are first rounded according to the RC field of the control word. See Figure 6- 10 for BCD data layout.

Operation
DEST ← ST(0);
pop ST;
Numeric Exceptions

P, I, IS.

Protected Mode Exceptions
  1. GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF (fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

FCHS - Change Sign

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+--------------------------
|D9 E0     |FCHS                |X|X|X|X|X|X|Replace ST with a value of
|          |                    | | | | | | |opposite sign
Description

The change sign instruction inverts the sign bit of ST. This operation replaces a positive value with a negative value of equal magnitude, or vice -versa.

Operation
sign bit of ST ← NOT (sign bit of ST)
Numeric Exceptions

IS

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CRO is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

The invalid-operation exception is raised only on stack underflow, even if the operand is signalling NaN or is an unsupported format.

FCLEX/FNCLEX - Clear Exceptions

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9B DB E2 FCLEX X X X X X X Clear FP exception flags after checking for FP error conditions
DB E2 FNCLEX X X X X X X Clear FP exeption flags without checking for FP error conditions
Description

FCLEX clears the exception flags, the exception status flag, and the busy flag of the FPU status word.

Operation
SW[0..7] ← 0;
SW[15]   ← 0;
Numeric Exceptions
None
Protected Mode Exceptions
#NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions
Interrupt 7 if either EM or TS in CR0 is set.
Virtual 8086 Mode Exceptions
#NM if either EM or TS in CR0 is set.
Notes
FCLEX checks for unmasked floating-point error conditions before clearing the exception flags, FNCLEX does not.

FCOM/FCOMP/FCOMPP - Compare Real

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D8 D1 FCOM X X X X X X Compare ST with ST(1)
D8 D0+i FCOM ST(i) X X X X X X Compare ST with ST(i)
D8 /2 FCOM m32real X X X X X X Compare ST with m32real
DC /2 FCOM m64real X X X X X X Compare ST with m64real
D8 D9 FCOMP X X X X X X Compare ST with ST(1) and pop ST
D8 D8+i FCOMP ST(i) X X X X X X Compare ST with ST(i) and pop ST
D8 /3 FCOMP m32real X X X X X X Compare ST with m32real and pop ST
DC /3 FCOMP m64real X X X X X X Compare ST with m64real and pop ST
DE D9 FCOMPP X X X X X X Compare ST with ST(1) and pop ST twice
Description

The compare real instructions compare the stack top to the source, which can be a register or a single- or double-real memory operand. If no operand is encoded, ST is compared to ST(1). Following the instruction, the condition codes reflect the relation between ST and the source operand.

Operation
Case (relation of operands) OF 
  Not comparable:     C3, C2, C0 ← 111;
  ST > SRC:           C3, C2, C0 ← 000;
  ST < SRC:           C3, C2, C0 ← 001;
  ST = SRC:           C3, C2, C0 ← 100;
If instruction = FCOMP THEN pop ST; Fl;
If instruction = FCOMPP THEN pop ST; pop ST; Fl;
FPU Flags Affected
FPU FLAGS |EFLAGS
----------+------
C0        |CF
----------+------
C1        |None
----------+------
C2        |PF
----------+------
C3        |ZF

C1 as described in FPU Flags Affected; C0, C2, C3 as specified above.

Numeric Exceptions

D, I, IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF ( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would like outside effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

If either operand is NaN or is in an undefined format, or if a stack fault occurs, the invalid-operation exception is raised, and the condition bits are set to "unordered." The sign of zero is ignored, so that -0.0 =-+0.0.

FCOS - Cosine

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+--------------------------
|D9 FF     |FCOS                | | | |X|X|X|Replace ST with its cosine
Description

The cosine instruction replaces the contents of ST with cos(ST). ST, expressed in radians, must lie in the range 101 < 2 63.

Operation
IF operand is in range 
THEN 
    C2 ← 0;
    ST ← cos(ST);
ELSE 
    C2 ← 1;
FI;
FPU Flags Affected
|C0|C1|C2|C3|
|--+--+--+--|
|? |* |? |* |

C1, C2 as described in FPU Flags Affected; C0, C3 undefined.

Numeric Exceptions
P,D,I,IS.
Protected Mode Exceptions
#NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions
Interrupt 7 if either EM or TS in CR0 is set.
Virtual 8086 Mode Exceptions
#NM if either EM or TS in CR0 is set.
Notes
If the operand is outside the acceptable range, the C2 flag is set, and ST remains unchanged. It is the programmer's responsibility to reduce the operand to an absolute value smaller than 263 by subtracting an appropriate integer multiple of 2ã. See the Intel documentation for discussion of the proper value to use for ã in performing such reductions.

FDECSTP - Decrement Stack-Top Pointer

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+----------------------------------
|D9 F6     |FDECSTP             |X|X|X|X|X|X|Decrement top-of-stack pointer for
|          |                    | | | | | | |FPU register stack
Description

FDESCSTP subtracts one (without carry) from the three-bit TOP field of the FPU status word.

Operation
IF TOP=0
THEN TOP ← 7;
ELSE TOP ← TOP-1;
FI;
Numeric Exceptions

None.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Notes

The effect of FDECSTP is to rotate the stack. It does not alter register tags or contents, nor does it transfer data.

FDISI/FNDISI - Disable Interrupts

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9B DB E1 FDISI X X Sets the interrupt enable mask in the control word
DB E1 FNDISI X X Sets the interrupt enable mask in the control word
Description
Operation
FPU Flags Affected
C0|C1|C2|C3
--+--+--+--
  |  |  |
Numeric Exceptions
Protected Mode Exceptions
Real Address Mode Exceptions
Notes

FDIV/FDIVP/FIDIV - Divide

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D8 /6 FDIV m32real X X X X X X Replace ST with ST ö m32real
DC /6 FDIV m64real X X X X X X Replace ST with ST ö m64real
D8 F0+i FDIV ST,ST(i) X X X X X X Replace ST with ST ö ST(i)
DC F8+i FDIV ST(i),ST X X X X X X Replace ST(i) with ST(i) ö ST
DE F8+i FDIVP ST(i),ST X X X X X X Replace ST(i) with ST(i) ö ST; pop ST
DE F9 FDIV X X X X X X Replace ST(1) with ST(1) ö ST; pop ST
DE /6 FIDIV m16int X X X X X X Replace ST with ST ö m16int
DA /6 FIDIV m32int X X X X X X Replace ST with ST ö m32int
Description

The division instructions divide the stack top by other operand and return the quotient to the destination.

Operation
FDIV DEST, SRC 
DEST ← DEST ö SRC 
If instruction = FDIVP THEN pop ST FI;
Numeric Exceptions

P, U, O, Z, D, I, IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

If the source operand is in memory, it is automatically converted to the extended-real format. The performance of the division instructions depends on the PC (Precision Control) field of the FPU control word. If PC specifies a precision of 53 bits, the division instructions will run in 33 clocks. If the specified precision is 24 bits, the division instructions will take only 19 clocks.

FDIVR/FDIVRP/FIDIVR - Reverse Divide

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D8 /7 FDIVR m32real X X X X X X Replace ST with m32real ö ST
DC /7 FDIVR m64real X X X X X X Replace ST with m64real ö ST
D8 F8+i FDIVR ST,ST(i) X X X X X X Replace ST with ST(i) ö ST
DC F0+i FDIVR ST(i),ST X X X X X X Replace ST(i) with ST ö ST(i)
DE F0+i FDIVRP ST(i),ST X X X X X X Replace ST(i) with ST ö ST(i); pop ST
DE F1 FDIVR X X X X X X Replace ST(1) with ST ö ST(1); pop ST
DE /7 FIDIVR m16int X X X X X X Replace ST with m16int ö ST
DA /7 FIDIVR m32int X X X X X X Replace ST with m32int ö ST
Description

The division instructions divide the other operand by the stack top and return the quotient to the destination.

Operation
FDIVR DEST, SRC 
DEST ← SRC ö DEST 
IF instruction = FDIVRP THEN pop ST FI;
Numeric Exceptions

P, U, O, Z, D, I, IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

If the source operand is in memory, it is automatically converted to the extended-real format. The performance of the division instructions depends on the PC (Precision Control) field of the FPU control word. If PC specifies a precision of 53 bits, the reverse division instructions will run in 33 clocks. If the specified precision is 24 bits, the reverse division instructions will take only 19 clocks.

FENI/FNENI - Enable Interrupts

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9B DB E0 FENI X X Clears the interrupt control mask in the control word
DB E0 FNENI X X Clears the interrupt enable mask in the control word
Description
Operation
FPU Flags Affected
|C0|C1|C2|C3
|--+--+--+--
|  |  |  |
Numeric Exceptions
Protected Mode Exceptions
Real Address Mode Exceptions
Notes

FFREE - Free Floating-Point Register

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+------------------
|DD C0+i   |FFREE ST(i)         |X|X|X|X|X|X|Tag ST(i) as empty
Description

FFREE tags the destination register as empty.

Operation
TAG(i) ← 11B;
Numeric Exceptions

None

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

FFREE does not affect the contents of the destination register. The floating-point stack pointer (TOP) is also unaffected.

FICOM/FICOMP - Compare Integer

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
DE /2 FICOM m16int X X X X X X Compare ST with m16int
DA /2 FICOM m32int X X X X X X Compare ST with m32int
DE /3 FICOMP m16int X X X X X X Compare ST with m16int and pop ST
DA /3 FICOMP m32int X X X X X X Compare ST with m32int and pop ST
Description

The compare integer instructions compare the stack top to the source. Following the instruction, the condition codes reflect the relation between ST and the source operand.

Operation
CASE (relation of operands) OF 
   Not comparable:  C3, C2, C0 ← 111;
   ST > SRC:        C3, C2, C0 ← 000;
   ST < SRC:        C3, C2, C0 ← 001;
   ST = SRC:        C3, C2, C0 ← 100;
If instruction = FICOMP THEN pop ST; FI;
FPU Flags Affected
FPU FLAGS  |EFLAGS
-----------+------
C0         |CF
-----------+------
C1         |(none)
-----------+------
C2         |PF
-----------+------
C3         |ZF

C1 as described in FPU Flags Affected; C0, C2, C3 as specified above.

Numeric Exceptions

D, I, IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

The memory operand is converted to extended-real format before the comparison performed. If either operand is a NaN or is in an undefined format, of if a stack fault occurs, the invalid operation exception is raised, and the condition bits are set to "unordered".

FILD - Load Integer

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+------------------------------
|DF /0     |FILD m16int         |X|X|X|X|X|X|Push m16int onto the FPU stack
|----------+--------------------+-+-+-+-+-+-+------------------------------
|DB /0     |FILD m32int         |X|X|X|X|X|X|Push m32int onto the FPU stack
|----------+--------------------+-+-+-+-+-+-+------------------------------
|DF /5     |FILD m64int         |X|X|X|X|X|X|Push m64int onto the FPU stack
Description

FILD converts the source signed integer operand into extended-real format, and pushes it onto the FPU stack.

Operation
Decrement FPU stack-top pointer;
ST(0) ← SRC;
Numeric Exceptions

IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

The source is loaded without rounding error. ST(7) must be empty to avoid causing an invalid-operation exception.

FINCSTP - Increment Stack-Top Pointer

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 F7 FINCSTP X X X X X X Increment top-of-stack pointer for FPU register stack
Description

FINCSTP adds one (without carry) to the three-bit TOP field of the FPU status word.

Operation
IF TOP = 7 
THEN TOP ← 0;
ELSE TOP ← TOP + 1;
FI;
Numeric Exceptions

None

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM is either EM or TS in CR0 is set.
Notes

The effect of FINCSTP is to rotate the stack. It does not alter register tags or contents, nor does it transfer data. It is not equivalent to popping the stack, because it does not set the tag of the old stack-top to empty.

FINIT/FNINIT - Initialize Floating-Point Unit

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9B DB E3 FINIT X X X X X X Initialize FPU after checking for unmasked FP error condition
DB E3 FNINIT X X X X X X Initialize FPU without checking for unmasked FP error condition
Description

The initialization instructions set the FPU into a known state, unaffected by any previous activity. The FPU control word is set to 037FH (round to nearest, all exceptions masked, 64-bit precision). The status word is cleared (no exception flags set, stack register R0=stack-top). The stack registers are all tagged as empty. The error pointers (both instruction and data) are cleared.

Operation
CW ← 037FH;      (* Control word *)
SW ← 0;          (*Status word*)
TW ← FFFFH;      (* Tag word *)
FEA ← 0; FDS ← 0; (* Data pointer *)
FIP ← 0; FOP ← 0; FCS ← 0; (* Instruction pointer *)
FPU Flags Affected
C0|C1|C2|C3
--+--+--+--
0 |0 |0 |0

C0, C1, C2, C3 cleared.

Numeric Exceptions

None

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

FINIT checks for unmasked floating-point error conditions before performing the initialization; FNINIT does not. On the Pentium processor, unlike the Intel387 math coprocessor, FINIT and FNINIT clear the error pointers.

FIST/FISTP-Store Integer

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
DF /2 FIST m16int X X X X X X Store ST in m16int
DB /2 FIST m32int X X X X X X Store ST in m32int
DF /3 FISTP m16int X X X X X X Store ST in m16int and pop ST
DB /3 FISTP m32int X X X X X X Store ST in m32int and pop ST
DF /7 FISTP m64int X X X X X X Store ST in m64int and pop ST
Description

FIST converts the value in ST into a signed integer according to the RC field of the control word and transfers the result to the destination. ST remains unchanged. FIST accepts word and short integer destinations; FISTP accepts these and long integers as well.

Operation
DEST ← ST(0);
IF instruction = FISTP THEN pop ST FI;
Numeric Exceptions

P, I, IS.

Protected Mode Exceptions
  1. GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

Negative zero is stored with the same encoding (00..00) as positive zero. If the value is too large to represent as an integer, an I exception is raised. The masked response is to write the most negative integer to memory.

FLD-Load Real

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 /0 FLD m32real X X X X X X Push m32real onto the FPU stack
DD /0 FLD m64real X X X X X X Push m64real onto the FPU stack
DB /5 FLD m80real X X X X X X Push m80real onto the FPU stack
D9 C0+i FLD ST(i) X X X X X X Push ST(i) onto the FPU stack
Description

FLD pushes the source operand onto the FPU stack. If the source is a register, the register number used is that before the stack-top pointer is decremented. In particular, coding FLD ST(0) duplicates the stack top.

Operation

Decrement FPU stack-top pointer; ST(0) ← SRC;

Numeric Exceptions

D, I, IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

If the source operand is single- or double-real format, it is automatically converted to the extended-real format. Loading an extended-real operand does not require conversion, so the I and D exceptions will not occur in this case. ST(7) must be empty to avoid causing an invalid-operation exception.

FLD1/FLDL2T/FLDL2E/FLDPI/FLDLG2/FLDLN2/FLDZ - Load Constant

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+------------------------------
|D9 E8     |FLD1                |X|X|X|X|X|X|Push +1.0 onto the FPU Stack
|----------+--------------------+-+-+-+-+-+-+------------------------------
|D9 E9     |FLDL2T              |X|X|X|X|X|X|Push log210 onto the FPU stack
|----------+--------------------+-+-+-+-+-+-+------------------------------
|D9 EA     |FLDL2E              |X|X|X|X|X|X|Push log2e onto the FPU stack
|----------+--------------------+-+-+-+-+-+-+------------------------------
|D9 EB     |FLDPI               |X|X|X|X|X|X|Load ã (pi) onto the FPU stack
|----------+--------------------+-+-+-+-+-+-+------------------------------
|D9 EC     |FLDLG2              |X|X|X|X|X|X|Push log102 onto the FPU stack
|----------+--------------------+-+-+-+-+-+-+------------------------------
|D9 ED     |FLDLN2              |X|X|X|X|X|X|Push loge2 onto the FPU stack
|----------+--------------------+-+-+-+-+-+-+------------------------------
|D9 EE     |FLDZ                |X|X|X|X|X|X|Push +0.0 onto the FPU stack
Description

Each of the constant instructions pushes a commonly-used constant (in extended-real format) onto the FPU stack.

Operation
Decrement FPU stack-top pointer;
ST(0) ← CONSTANT;
Numeric Exceptions

IS

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

ST(7) must be empty to avoid an invalid exception. An internal 66-bit constant is used and rounded to external-real format (as specified by the RC bit of the control words). The precision exception is not raised.

FLDCW - Load Control Word

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+------------------------------
|D9 /5     |FLDCW m16           |X|X|X|X|X|X|Load FPU control word from m16
Description

FLDCW replaces the current value of the FPU control word with the value contained in the specified memory word.

Operation
CW ← SRC;
Numeric Exceptions

None, except for unmasking an existing exception.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

FLDCW is typically used to establish or change the FPU's mode of operation. If an exception bit in the status word is set, loading a new control word that unmasks that exception will result in a floating-point error condition. When changing modes, the recommended procedure is to clear any pending exceptions before loading the new control word.

FLDENV - Load FPU Environment

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 /4 FLDENV m14byte/m28byte X X X X X X Load FPU environment from m14byte or m28byte
D9 /4 FLDENVW m14byte X X X Load FPU environment from m14byte
D9 /4 FLDENVD m28byte X X X Load FPU environment from m28byte
Description

FLDENV reloads the FPU environment from the memory area defined by the source operand. This data should have been written by previous FSTENV or FNSTENV instruction. The FPU environment conists of the FPU control word, status word, tag word, and error pointers (both data and instruction). The environment layout in memory depends on both the operand size and the current operating mode of the processor. The USE attribute of the current code segment determines the operand size: The 14-byte operand applies to a USE16 segment, and the 28- byte operand applies to a USE32 segment. Refer to the Intel documentation for figures of the environment layouts for both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the real mode layout is used.) FLDENV should be run in the same operating mode as the corresponding FSTENV or FNSTENV.

Operation
FPU environment ← SRC;
Numeric Exceptions
None, except for loading an unmasked exception.
Protected Mode Exceptions
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Notes
If the environment image contains an unmasked exception, loading it will result in a floating-point error condition.

FMUL/FMULP/FIMUL - Multiply

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
DE C9 FMUL X X X X X X Multiply ST(1) by ST and pop ST
D8 /1 FMUL m32real X X X X X X Multiply ST by m32real
DC /1 FMUL m64real X X X X X X Multiply ST by m64real
D8 C8+i FMUL ST,ST(i) X X X X X X Multiply ST by ST(i)
DC C8+i FMUL ST(i),ST X X X X X X Multiply ST(i) by ST
DE C8+i FMULP ST(i),ST X X X X X X Multiply ST(i) by ST and pop ST
DE /1 FIMUL m16int X X X X X X Multiply ST by m16int
DA /1 FIMUL m32int X X X X X X Multiply ST by m32int
Description

The multiplication instructions multiply the destination operand by the source operand and return the product to the destination.

Operation
DEST ← DEST * SRC;
IF instruction = FMULP THEN pop ST FI;
Numeric Exceptions

P, U, O, D, I.

Protected Mode Exceptions
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments;
#SS(0) for an illegal address in the SS segment;
#PF(fault-code) for a page fault;
#NM if either EM or TS in CR0 is set;
#AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

If the source operand is in memory, it is automatically converted to the extended-real format.

FNOP-No Operation

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 D0 FNOP X X X X X X No operation is performed
Description

FNOP performs no operation. It affects nothing except instruction pointers.

Numeric Exceptions

None

Protected Mode Exceptions
#NM if either EM or TS in CR0 is set. 
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
#NM if either EM or TS in CR0 is set.

FPATAN-Partial Arctangent

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 F3 FPATAN X X X X X X Replaces ST(1) with arctan(ST(1) ö ST) and pop ST
Description

The partial arctangent instruction computes the arctangent of ST(1) ö ST, and returns computed value, expressed in radians, to ST(1). It then pops ST. The result has the same sign as the operand from ST(1), and a magnitude less than ã.

Operation

ST(1) ← arctan(ST(1) ö ST); pop ST;

Numeric Exceptions

P, U, D, I, IS.

Protected Mode Exceptions
#NM if either EM or TS in CR0 is set. 
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
#NM if either EM or TS in CR0 is set. 
Notes

There is no restriction on the range of arguments that FPATAN can accept. The fact that FPATAN takes two arguments and computes the arctangent of their ratio simplifies the calculation of other trigonometric functions. For instance, arcsin(x) (which is the arctangent of x ö û(1-xý)) can be computed using the following sequence of operations: Push x onto the FPU stack; compute û(1-xý) and push the resulting value onto the stack; run FPATAN.

FPREM-Partial Remainder

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 F8 FPREM X X X X X X Replace ST with the remainder obtained on dividing ST by ST(1)
Description

The partial remainder instruction computes the remainder obtained on dividing ST by ST(1), and leaves the result in ST. The sign of the remainder is the same as the sign of the original dividend in ST. The magnitude of the remainder is less than that of the modulus.

Operation
EXPDIF ← exponent(ST) - exponent(ST(1));
IF EXPDIF < 64 
THEN 
   Q ← integer obtained by chopping ST ö ST(1) toward zero;
   ST ← ST - (ST(1) * Q);
   C2 ← 0;
   C0, C1, C3 ← three least-significant bits of Q; (* Q2, Q1, Q0 *)
ELSE 
   C2 ← 1;
   N ← a number between 32 and 63;
   QQ ← integer obtained by chopping (ST ö ST(1)) ö 2EXPDIF-N
       toward zero;
   ST ← ST - (ST(1) * QQ * 2EXPDIF-N;
FI;
Numeric Exceptions

U, D, I, IS.

Protected Mode Exceptions
#NM if either EM or TS in CR0 is set. 
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
#NM if either EM or TS in CR0 is set. 
Notes

FREM produces an exact result; the precision (inexact) exception does not occur and the rounding control has no effect. The FPREM instruction is not the remainder operation specified in IEEE Std 754. To get that remainder, the FPREM1 instruction should be used. FPREM is supported for compatibility with the 8087 and Intel287 math coprocessors. FPREM works by iterative subtraction, can reduce the exponent of ST by no more than 63 in one execution. If FPREM succeeds in producing a remainder that is less than the modulus, the function is complete and the C2 flag is cleared. Otherwise, C2 is set, and the result in ST is called the partial remainder. The exponent of the partial remainder is less than the exponent of the original dividend by at least 32. Software can run the instruction again (using the partial remainder in ST as the dividend) until C2 is cleared. A higher-priority interrupting routine that needs the FPU can force a context switch between the instructions in the remainder loop. An important use of FPREM is to reduce the arguments of periodic functions. When reduction is complete, FPREM provides the three least-significant bits of the quotient in flags C3, C1, and C0. This is important in argument reduction for the tangent function (using a modulus of ã/4), because it locates the original angle in the correct one of eight sectors of the unit circle.

FPREM1 - Partial Remainder

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 F5 FPREM1 X X X Replace ST with the remainder obtained on dividing ST by ST(1)
Description

The partial remainder instruction computes the remainder obtained on dividing ST by ST(1), and leaves the result in ST. The magnitude of the remainder is less than that of the modulus.

Operation
EXPDIF ← exponent(ST) - exponent(ST(1));
IF EXPDIF < 64
THEN
  Q ← integer obtained by rounding ST ö ST(1) to the nearest integer;
      (*or the nearest even integer if the result is exactly halfway between 2 integers *)
  ST ← ST - (ST(1) * Q);
  C2 ← 0;
  Q ← ST - (ST(1) * Q);
  C0, C1, C3 ← three least-significant bits of Q; (* Q2, Q1, Q0 *)
  C2 ← 0;
  C0, C1, C3 ← three least-significant bits of Q; (* Q2, Q1, Q0 *)
ELSE
  C2 ← 1;
  N ← a number between 32 and 63;
  QQ ← integer obtained by chopping (ST ö ST(1)) ö 2EXPDIF-N;
      toward zero;
  ST ← ST - (ST(1) * QQ * 2EXPDIF-N
FI;
Numeric Exceptions

U, D, I, IS.

Protected Mode Exceptions
#NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
#NM if either EM or TS in CR0 is set.
Notes

FPREM1 produces an exact result; the precision (inexact) exception does not occur and the rounding control has no effect. The FPREM1 instruction is not the remainder operation specified in IEEE Std 754. It differs from FPREM in the way it rounds the quotient of ST and ST(1), when the exponent difference of exp(ST) -exp(ST)1 is less than 64. FPREM1 works by iterative subtraction, can reduce the exponent of ST by no more than 63 in one execution. If FPREM1 succeeds in producing a remainder that is less than one half the modulus, the function is complete and the C2 flag is cleared. Otherwise, C2 is set, and the result in ST is called the partial remainder. The exponent of the partial remainder is less than the exponent of the original dividend by at least 32. Software can run the instruction again (using the partial remainder in ST as the dividend) until C2 is cleared. A higher-priority interrupting routine that needs the FPU can force a context switch between the instructions in the remainder loop. An important use of FPREM1 is to reduce the arguments of periodic functions. When reduction is complete, FPREM1 provides the three least-significant bits of the quotient in flags C3, C1, and C0. This is important in argument reduction for the tangent function (using a modulus of ã/4), because it locates the original angle in the correct one of eight sectors of the unit circle.

FPTAN-Partial Tangent

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 F2 FPTAN X X X X X X Replace ST with its tangent and push 1 onto the FPU stack
Description

The partial tangent instruction replaces the contents of ST with tan(ST), and then pushes 1.0 onto the FPU stack. ST, expressed in radians, must lie in the range |0| < 263.

Operation
IF operand is in range 
THEN 
  C2 ← 0;
  ST ← tan(ST);
  Decrement stack-top pointer;
  ST ← 1.0;
ELSE 
  C2 ← 1;
FI;
FPU Flags Affected
|C0|C1|C2|C3|
|--+--+--+--|
|? |* |* |? |

C1, C2 as described in FPU Flags Affected; C0, C3 undefined.

Numeric Exceptions

P, U, D, I, IS.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

If the operand is outside the acceptable range, the C2 flag is set, and ST remains unchanged. It is the programmer's responsibility to reduce the operand to an absolute value smaller than 263 by subtracting an appropriate integer multiple of 2ã. Refer to the Intel documentation 6 for a discussion of the proper value to use for ã in performing such reductions. The fact that FPTAN pushes 1.0 onto the FPU stack after computing tan(ST) maintains compatibility with the 8087 and Intel287 math coprocessors, and simplifies the calculation of other trigonometric functions. For instance, the cotangent (which is the reciprocal of the tangent) can be computed by running FDIVR after FPTAN. ST(7) must be empty to avoid an invalid-operation exception.

FRNDINT-Round to Integer

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 FC FRNDINT X X X X X X Round ST to an integer
Description

The round to integer instruction rounds the value in ST to an integer according to the RC field of the FPU control word.

Operation

ST ← rounded ST;

Numeric Exceptions

P, D, I, IS.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.

FRSTOR/FRSTRW/FRSTRD - Restore FRU State

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
DD /4 FRSTOR m94byte/m108byte X X X X X X Load FPU state from m94byte or m108byte
DD /5 FRSTORW m94byte X X X Load FPU state from m94byte
DD /4 FRSTORD m108byte X X X Load FPU state from m108byte
Description
FRSTOR reloads the FPU state (environment and register stack) from the memory area defined by the source operand. This data should have been written by a previous FSAVE or FNSAVE instruction.
The FPU environment consists of the FPU control word, status word, tag word, and error pointers (both data and instruction). The environment layout in memory depends on both the operand size and the current operating mode of the processor. The USE attribute of the current code segment determines the operand size: the 14-byte operand applies to a USE16 segment, and the 28- byte operand applies to a USE32 segment. Refer to the Intel documentation for the environment layouts for both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the real mode layout is used.) The stack registers, beginning with ST and ending with ST(7), are in the 80 bytes that immediately follow the environment image. FRSTOR should be run in the same operating mode as the corresponding FSAVE or FNSAVE.
Operation
FPU state ← SRC;
Numeric Exceptions
None, except for loading an unmasked exception.
Protected Mode Exceptions
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Notes
If the state image contains an unmasked exception, loading it will result in a floating-point error condition.

FSAVE/FNSAVE-Store FPU State

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9B DD /6 FSAVE m94byte/m108byte X X X X X X Store FPU state to m94byte or m108byte after checking for unmasked FP error condition; then re-initialize the CPU
9B DD /6 FSAVEW m94byte X X X Store FPU state to m94byte after checking for unmasked FP error condition; then re-initialize the FPU
9B DD /6 FSAVED m108byte X X X Store FPU state to m108byte after checking for unmasked FP error condition; then re-initialize the FPU
DD /6 FNSAVE m94byte/ X X X X X X Store FPU environment to m94byte or m108byte without checking for unmasked FP error condition; then re-initialize the FPU
DD /6 FNSAVEW m94byte X X X Store FPU environment to m94byte without checking for unmasked FP error condition; then re-initialize the FPU
DD /6 FNSAVED m108byte X X X Store FPU environment to m108byte without checking for unmasked FP error condition; then re-initialize the FPU
Description

The save instructions write the current FPU state (environment and register stack) to the specified destination, and then re-initialize the FPU. The environment consists of the FPU control word, status word, tag word, and error pointers (both data and instruction).

The state layout in memory depends on both operand size and the current operating mode of the processor. The USE attribute of the current code segment determines the operand size: the 94-byte operand applies to USE16 segment, and the 108-byte operand applies to a USE32 segment.

Refer to the Intel documentation for the environment layouts for both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the real mode layout is used.) The stack registers, beginning with ST and ending with ST( 7), are stored in the 80 bytes that immediately follow the environment image.

Operation
DEST ← FPU state;
initialize FPU; (* Equivalent to FNINIT *)
FPU Flags Affected
|C0|C1|C2|C3|
|--+--+--+--|
|0 |0 |0 |0 |

C0, C1, C2, C3 cleared.

Numeric Exceptions

None

Protected Mode Exceptions
  1. GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

FSAVE and FNSAVE do not store the FPU state until all FPU activity is complete. Thus, the saved image reflects the state of the FPU after any previously decoded instruction has been run. If a program is to read from the memory image of the state following a save instruction, it must issue an FWAIT instruction to ensure that the storage is complete. The save instructions are typically used when an operating system needs to perform a context switch, or an exception handler needs to use the FPU, or an application program wants to pass a "clean" FPU to a subroutine.

FSCALE-Scale

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 FD FSCALE X X X X X X Scale ST by ST(1)
Description

The scale instruction inteprets the value in (ST(1) as an integer, and adds this integer to the exponent of ST. Thus, FSCALE provides rapid multiplication or division by integral powers of 2.

Operation
ST ← ST * 2ST(1);
Numeric Exceptions

P, U, O, D, I, IS.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

FSCALE can be used as an inverse to FXTRACT. Because FSCALE does not pop the exponent part, however, FSCALE must be followed by FSTP ST(1) in order to completely undo the effect of a preceding FXTRACT. There is no limit on the range of the scale factor in ST(1). If the value is not integral, FSCALE uses the nearest integer smaller in magnitude; i.e. , it chops the value toward 0. If the resulting integer is zero, the value in ST is not changed.

FSETPM-Set Protected Mode

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
DB E4 FSETPM X Sets the operating mode of the 80287 to protected virtual address mode
Description

Sets the operating mode of the 80287 to Protected Virtual-Address mode. When the 80287 is first initialized following hardware RESET, it operates in Real-Address mode, just as does the 80286 CPU. Once the 80287 NPX has been set into Protected mode, only a hardware RESET can return the NPX to operation in Real-Address mode. When the 80287 operates in Protected mode, the NPX exception pointers are represented differently than they are in Real-Address mode (see the FSAVE and FSTENV instructions). This distinction is evident primarily to writers of numeric exception handlers, however. For general application programmers, the operating mode of the 80287 need not be a concern.

Operation
FPU Flags Affected
C0 C1 C2 C3
Numeric Exceptions
Protected Mode Exceptions
Real Address Mode Exceptions

FSIN-Sine

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+------------------------
|D9 FE     |FSIN                | | | |X|X|X|Replace ST with its sine
Description

The sine instruction replaces the contents of ST with sin(ST). ST, expressed in radians, must lie in the range |01| < 263.

Operation
If operand is in range 
THEN 
  C2 ← 0;
ELSE 
  C2 ← 1;
FI:
FPU Flags Affected
|C0|C1|C2|C3|
|--+--+--+--|
|? |* |* |? |

C1, C2 as described in FPU Flags Affected; C0, C3 undefined.

Numeric Exceptions

P, U, D, I, IS.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

If the operand is outside the acceptable range, the C2 flag is set, and ST remains unchanged. It is the programmer's responsibility to reduce the operand to an absolute value smaller than 263 by subtracting an appropriate integer multiple of 2ã. Refer to the Intel documentation for a discussion of the proper value to use the ã in performing such reductions.

FSINCOS-Sine and Cosine

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+----------------------------------
|D9 FB     |FSINCOS             | | | |X|X|X|Compute the sine and cosine of ST;
|          |                    | | | | | | |replace ST with the sine, then
|          |                    | | | | | | |push the cosine onto the FPU stack
Description

FSINCOS computes both sin(ST) and cos(ST), replaces ST with the sine and then pushes the cosine onto the FPU stack. ST, expressed in radians, must lie in the range |0| < 263.

Operation
IF operand is in range 
THEN 
  C2 ← 0;
  TEMP ← cos(ST);
  ST ← sin(ST);
  Decrement FPU stack-top pointer;
  ST ← TEMP;
ELSE 
  C2 ← 1;
FI:
FPU Flags Affected
|C0|C1|C2|C3|
|--+--+--+--|
|? |* |* |? |

C1, C2 as described in FPU Flags Affected; C0, C3 undefined.

Numeric Exceptions

P, U, D, I, IS.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

If the operand is outside the acceptable range, the C2 flag is set, and ST remains unchanged. It is the programmer's responsibility to reduce the operand to an absolute value smaller than 263 by subtracting an appropriate integer multiple of 2ã. Refer to the Intel documentation for a discussion of the proper value to use for ã in performing such reductions. It is faster to run FSINCOS than to run both FSIN and FCOS.

FSQRT-Square Root

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 FA FSQRT X X X X X X Replace ST with its square root
Description

The square root instruction replaces the value in ST with its square root.

Operation
ST ← square root of ST;
Numeric Exceptions

P, D, I, IS.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

The square root of -0 is -0.

FST/FSTP-Store Real

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 /2 FST m32real X X X X X X Copy ST to m32real
DD /2 FST m64real X X X X X X Copy ST to m64real
DD D0+i FST ST(i) X X X X X X Copy ST to ST(i)
D9 /3 FSTP m32real X X X X X X Copy ST to m32real and pop ST
DD /3 FSTP m64real X X X X X X Copy ST to m64real and pop ST
DB /7 FSTP m80real X X X X X X Copy ST to m80real and pop ST
DD D8+i FSTP ST(i) X X X X X X Copy ST to ST(i) and pop ST
Description

FST copies the current value in the ST register to the destination, which can be another register or a single- or double-real memory operand. FSTP copies and then pops ST; it accepts extended-real memory operands as well as the types accepted by FST. If the source is register, the register number used is that before the stack is popped.

Operation
DEST ← ST(0);
IF instruction = FSTP THEN pop ST FI;
Numeric Exceptions
Register or extended-real destinations: IS
Single- or double-real destinations: P, U, O, I, IS
Protected Mode Exceptions
  1. GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

If the destination is single- or double-real, the significand is rounded to the width of the destination according to the RC field of the control word, and the exponent is converted to the width and bias of the destination format. The over/underflow condition is checked for as well. If ST contains zero, ñì, or a NaN, then the significand is not rounded, but chopped (on the right) to fit the destination. Nor is the exponent converted; it too is chopped on the right. These operations preserve the value's identity as ì or NaN (exponent all ones). The invalid-operation exception is not raised when the destination is a nonempty stack element. A denormal operand in ST(0) causes an underflow. No denormal operand exception is raised.

FSTCW/FNSTCW-Store Control Word

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9B D9 /7 FSTCW m16 X X X X X X Store FPU control word to m16 after checking for unmasked FP error condition
D9 /7 FNSTCW m16 X X X X X X Store FPU control word to m16 without checking for unmasked FP error condition
Description

FSTCW and FNSTCW write the current value of the FPU control word to the specified destination.

Operation
DEST ← CW;
Numeric Exceptions
None
Protected Mode Exceptions
#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code for a page fault; # AC for unaligned memory reference if the current privilege level is 3.
Notes
FSTCW checks for unmasked floating-point error conditions before storing the control word FNSTCW does not.

FSTENV/FNSTENV-Store FPU Environment

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9B D9 /6 FSTENV m14byte/m28byte X X X X X X Store FPU environment to m14byte or m28byte after checking for unmasked FP error condition; then mask all FP exceptions.
9B D9 /6 FSTENVW m14byte X X X Store FPU environment to m14byte after checking for unmasked FP error condition; then mask all FP exceptions
9B D9 /6 FSTENVD m28byte X X X Store FPU environment to m28byte after checking for unmasked FP error condition; then mask all FP exceptions
D9 /6 FNSTENV m14byte/m28byte X X X X X X Store FPU environment to m14byte or m28byte without checking for unmasked FP error condition; then mask all FP exceptions
D9 /6 FNSTENVW m14byte X X X Store FPU environment to m14byte without checking for unmasked FP error condition; then mask all FP exceptions
D9 /6 FNSTENVD m28byte X X X Store FPU environment to m28byte without checking for unmasked FP error condition; then mask all FP exceptions
Description
The store environment instructions write the current FPU environment to the specified destination, and then mask all floating-point exceptions. The FPU environment consists of the FPU control word, status word, tag word, and error pointer (both data and instruction).
The environment layout in memory depends on both the operand size and the current operating mode of the processor. The USE attribute of the current code segment determines the operand size: the 14-byte operand applies to a USE16 segment, and the 28-byte operand applies to a USE32 segment. Figures 6-6 through 6-8 show the environment layouts for both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the real mode layout is used).
Operation
DEST ← FPU environment;
CW[0..5] ← 111111B;
Numeric Exceptions
None
Protected Mode Exceptions
#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Notes
FSTENV and FNSTENV do not store the environment until FPU activity is complete. Thus, the save environment reflects the state of the FPU after any previously decoded instruction has been run.
The store environment instructions are often used by exception handlers because they provide access to the FPU error pointers. The environment is typically saved onto the memory stack. After saving the environment, FSTENV and FNSTENV sets all the exception masks in the FPU control word. This prevents floating-point errors from interrupting the exception handler.
FSTENV checks for unmasked floating-point error conditions before storing the FPU environment; FNSTENV does not.

FSTSW/FNSTSW-Store Status Word

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9B DF /7 FSTSW m16 X X X X X X Store FPU status word to m16 after checking for unmasked FP error condition
9B DF E0 FSTSW AX X X X X Store FPU status word to AX register after checking for unmasked FP error condition
DF /7 FNSTSW m16 X X X X X X Store FPU status word to m16 without checking for unmasked FP error condition
DF E0 FNSTSW AX X X X X Store FPU status word to AX register without checking for unmasked FP error condition
Description

FSTSW and FNSTSW write the current value of the FPU status word to the specified destination, which can be either a two-byte location in memory or the AX register.

Operation
DEST ← SW;
Numeric Exceptions

None

Protected Mode Exceptions
  1. GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

FSTSW checks for unmasked floating-point error conditions before storing the status word; FNSTSW does not. FSTSW and FNSTSW are used primarily in conditional branching (after a comparison, FPREM, FPREM1, or FXAM instruction). They can also be used to invoke exception handlers (by polling the exception bits) in environments that do not use interrupts. When FNSTSW AX is run, the AX register is updated before the processor runs any further instructions. The status stored is that from the completion of the prior ESC instruction.

FSUB/FSUBP/FISUB-Subtract

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D8 /4 FSUB m32real X X X X X X Replace ST with ST - m32real
DC /4 FSUB m64real X X X X X X Replace ST with ST - m64real
D8 E0+i FSUB ST,ST(i) X X X X X X Replace ST with ST - ST(i)
DC E8+i FSUB ST(i),ST X X X X X X Replace ST(i) with ST(i) - ST
DE E8+i FSUBP ST(i),ST X X X X X X Replace ST(i) with ST - ST(i); pop ST
DE E9 FSUB X X X X X X Replace ST(1) with ST - ST(1); pop ST
DE /4 FISUB m16int X X X X X X Replace ST with ST - m16int
DA /4 FISUB m32int X X X X X X Replace ST with ST - m32int
Description

The subtraction instructions subtract the other operand from the stack top and return the difference to the destination.

Operation
DEST ← ST - Other Operand;
IF instruction = FSUBP THEN pop ST FI;
Numeric Exceptions

P, U, O, D, I, IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

If the source operand is in memory, it is automatically converted to the extended-real format.

FSUBR/FSUBRP/FISUBR-Reverse Subtract

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D8 /5 FSUBR m32real X X X X X X Replace ST with m32real - ST
DC /5 FSUBR m64real X X X X X X Replace ST with m64real - ST
D8 E8+i FSUBR ST,ST(i) X X X X X X Replace ST with ST(i) - ST
DC E0+i FSUBR ST(i),ST X X X X X X Replace ST(i) with ST - ST(i)
DE E0+i FSUBRP ST(i),ST X X X X X X Replace ST(i) with ST - ST(i)
DE E1 FSUBR X X X X X X Replace ST(1) with ST - ST(1); pop ST
DE /5 FISUBR m16int X X X X X X Replace ST with m16int - ST
DA /5 FISUBR m32int X X X X X X Replace ST with m32int - ST
Description

The reverse subtraction instructions subtract the stack top from the other operand and return the difference to the destination.

Operation
DEST ← Other Operand - ST;
IF instruction = FSUBRP THEN pop ST FI;
Numeric Exceptions

P, U, O, D, I, IS.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in SS segment; #PF(fault- code) for a page fault; #NM if either EM or TS in CR0 is set; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH; Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

If the source operand is in memory, it is automatically converted to the extended-real format.

FTST-Test

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+-------------------
|D9 E4     |FTST                |X|X|X|X|X|X|Compare ST with 0.0
Description

The test instruction compares the stack top to 0.0. Following the instruction, the condition codes reflect the result of the comparison.

Operation
CASE (relation of operands) OF 
     Not comparable:   C3, C2, C0 ← 111;
     ST > SRC:         C3, C2, C0 ← 000;
     ST < SRC:         C3, C2, C0 ← 001;
     ST = SRC:         C3, C2, C0 ← 100;
FPU Flags Affected
|FPU FLAGS   |EFLAGS
|------------+------
|C0          |CF
|------------+------
|C1          |(none)   
|------------+------
|C2          |PF
|------------+------
|C3          |ZF

C1 as described in FPU Flags Affected; C0, C2, C3 as specified above.

Numeric Exceptions

D, I, IS.

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

If ST contains a NaN or an object of undefined format, or if a stack fault occurs, the invalid-operation exception is raised, and the condition bits are set to "unordered." The sign of zero is ignored, so that -0.0=+0.0.

FUCOM/FUCOMP/FUCOMPP-Unordered Compared Real

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
DD E1 FUCOM X X X Compare ST with ST(1)
DD E0+i FUCOM ST(i) X X X Compare ST with ST(i)
DD E9 FUCOMP X X X Compare ST with ST(1) and pop ST
DD E8+i FUCOMP ST(i) X X X Compare ST with ST(i) and pop ST
DA E9 FUCOMPP X X X Compare ST with ST(1) and pop ST twice
Description
The unordered compare real instructions compare the stack top to the source , which must be a register. If no operand is encoded, ST is compared to ST( 1). Following the instruction, the condition codes reflect the relation between ST and the source operand.
Operation
CASE (relation of operands) OF
     Not comparable:   C3, C2, C0 ← 111;
     ST > SRC:         C3, C2, C0 ← 000;
     ST < SRC:         C3, C2, C0 ← 001;
     ST = SRC:         C3, C2, C0 ← 100;
IF instruction = FUCOMP THEN pop ST; FI;
IF instruction = FUCOMPP THEN pop ST; pop ST; FI;
FPU Flags Affected
FPU FLAGS EFLAGS
C0 CF
C1 (none)
C2 PF
C3 ZF

C1 as described in FPU Flags Affected; C0, C2, C3 as specified above.

Numeric Exceptions
D, I, IS.
Protected Mode Exceptions
#NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions
Interrupt 7 if either EM or TS in CR0 is set.
Virtual 8086 Mode Exceptions
#NM if either EM or TS in CR0 is set.
Notes
If either operand is an SNaN or is in an undefined format, or if a stack fault occurs, the invalid-operation exception is raised, and the condition bits are set to "unordered".
If either operand is a QNaN, the condition bits are set to "unordered." Unlike the ordinary compare instructions (FCOM, etc.), the unordered compare instructions do not raise the invalid-operation exception on account of a QNaN operand.
The sign of zero is ignored, so that -0.0=+0.0.

FWAIT-Wait

Details Table
|Encoding |Instruction   |0|1|2|3|4|5|Description
|---------+--------------+-+-+-+-+-+-+--------------
|9B       |FWAIT         |X|X|X|X|X|X|Alias for WAIT
Description

FWAIT causes the processor to check for pending unmasked numeric exceptions before proceeding.

Numeric Exceptions

None

Protected Mode Exceptions
  1. NM if both MP and TS in CR0 are set.
Real Address Mode Exceptions

Interrupt 7 if both MP and TS in CR0 are set.

Virtual 8086 Mode Exceptions
  1. NM if both MP and TS in CR0 are set.
Notes

As its opcode shows, FWAIT is not actually an ESC instruction, but an alternate mnemonic for WAIT. Coding FWAIT after an ESC instruction ensures that any unmasked floating-point exceptions the instruction may cause are handled before the processor has a chance to modify the instruction's results. Refer to the Intel documentation for more information about when to use FWAIT.

FXAM-Examine

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 E5 FXAM X X X X X X Report the type of object in the ST register
Description

The examine instruction reports the type of object contained in the ST register by setting the FPU Flags.

Operation
C1 ← sign bit of ST; (* 0 for positive, 1 for negative *)

CASE (type of object in ST) OF 
     Unsupported:  C3, C2, C0 ← 000;
     NaN:         C3, C2, C0 ← 001;
     Normal:      C3, C2, C0 ← 010;
     Infinity:    C3, C2, C0 ← 011;
     Zero:        C3, C2, C0 ← 100;
     Empty:       C3, C2, C0 ← 101;
     Denormal:    C3, C2, C0 ← 110;
FPU Flags Affected
FPU FLAGS EFLAGS
C0 CF
C1 (none)
C2 PF
C3 ZF

C0, C1, C2, C3 as shown above.

Numeric Exceptions

None

Protected Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions
  1. NM if either EM or TS in CR0 is set.
Notes

C1 bit represents the sign of ST(0) regardless of whether ST(0) is empty or full.

FXCH-Exchange Register Contents

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 C9 FXCH X X X X X X Exchange the contents of ST and ST(1)
D9 C8+i FXCH ST(i) X X X X X X Exchange the contents of ST and ST(i)
Description

FXCH swaps the contents of the destination and stack-top registers. If the destination is not coded explicitly, ST(1) is used.

Operation
TEMP ← ST;
ST ← DEST;
DEST ← TEMP;
Numeric Exceptions

IS.

Protected Mode Exceptions

#NM if either EM or TS in CR0 is set.

Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

#NM if either EM or TS in CR0 is set.

Notes

Many numeric instructions operate only on the stack top; FXCH provides a simple means for using these instructions on lower stack elements. For example, the following sequence takes the square root of the third register from the top (assuming that ST is nonempty):

FXCH ST (3)
FSQRT
FXCH ST (3)

FXCH can be paired with some floating point instructions (i.e., FADD, FSUB, FMUL, FLD, FCOM, FUCOM, FCHS, FTST, FABS, FDIV. This set also includes the FADDP, FSUBRP, etc., instructions). When paired, the FXCH gets run in parallel, and does not take any additional clocks.

FXTRACT-Extract Exponent and Significand

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D9 F4 FXTRACT X X X X X X Separate ST into its exponent and significand; replace ST with exponent then push significand onto FPU stack
Description

FXTRACT splits the value in ST into its exponent and significand. The exponent replaces the original operand on the stack and the significand is pushed onto the stack. Following execution of FXTRACT, ST (the new stack top) contains the value of the original significand expressed as a real number: its sign is the same as the operand's, its exponent is 0 true (16, 383 or 3FFFH biased), and its significand is identical to the original operand's. ST(1) contains the value of the original operand's true (unbiased) exponent expressed as a real number. To illustrate the operation of FXTRACT, assume that ST contains a number whose true exponent is +4 (i.e., its exponent field contains 4003H). After running FXTRACT, ST(1) will contain the real number +4.0; its sign will be positive, its exponent field will contain 4001H (+2 true) and its significand field will contain 1ë00...00B. In other words, the value in ST( 1) will be 1.0 * 2ý = 4. If ST contains an operand whose true exponent is - 7 (i.e., its exponent field contains 3FF8H), then FXTRACT will return an "exponent" of -7.0; after the instruction runs, ST(1)'s sign and exponent fields will contain C001H (negative sign, true exponent of 2), and its significand will be 1ë1100...00B. In other words, the value in ST(1) will be -1.75 * 2ý=-7.0. In both cases, following FXTRACT, ST's sign and significand fields will be the same as the original operand's, and its exponent field will contain 3FFFH (0 true).

Operation
TEMP ← significand of ST;
ST ← exponent of ST;
Decrement FPU stack-top pointer;
ST ← TEMP;
Numeric Exceptions

Z, D, I, IS.

Protected Mode Exceptions

#NM if either EM or TS in CR0 is set.

Real Address Mode Exceptions

Interrupt 7 if either EM or TS in CR0 is set.

Virtual 8086 Mode Exceptions

#NM if either EM or TS in CR0 is set.

Notes

FXTRACT (extract exponent and significand) performs a superset of the IEEE- recommended logb(x) function. If the original operand is zero, FXTRACT leaves -ì in ST(1) (the exponent) while ST is assigned the value zero with a sign equal to that of the original operand. The zero-divide exception is raised in this case, as well. ST(7) must be empty to avoid the invalid-operation exception. FXTRACT is useful for power and range scaling operations. Both FXTRACT and the base 2 exponential instruction F2XM1 are needed to perform a general power operation. Converting numbers in extended-real format to decimal representations (e.g., for printing or displaying) requires not only FBSTP but also FXTRACT to allow scaling that does not overflow the range of the extended format. FXTRACT can also be useful for debugging, because it allows the exponent and significand parts of a real number to be examined separately.

FYL2X-Compute y * log2x

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+----------------------------------
|D9 F1     |FYL2X               |X|X|X|X|X|X|Replace ST with ST(1) * log2ST and
|          |                    | | | | | | |pop ST
Description

FYL2X computes the base-2 logarithm of ST, multiplies the logarithm by ST(1 ), and returns the resulting value to ST(1). It then pops ST. The operand in ST must not be negative or zero.

Operation
ST(1) ← ST(1) * log2ST;
pop ST;
Numeric Exceptions

P, U, O, Z, D, I, IS. Protected Mode Exceptions

  1. NM if either EM or TS in CR0 is set.

Real Address Mode Exceptions Interrupt 7 if either EM or TS in CR0 is set. Virtual 8086 Mode Exceptions

  1. NM if either EM or TS in CR0 is set.
Notes

If the operand in ST is negative, the invalid-operation exception is raised. The FYL2X instruction is designed with a built-in multiplication to optimize the calculation of logarithms with arbitrary positive base: logbx = (log2b) -1 * log2x The instructions FLDL2T and FLDL2E load the constants log210 and log2e, respectively.

FYL2XP1-Compute y * log2(x + 1)

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+-------------------------------
|D9 F9     |FYL2XP1             |X|X|X|X|X|X|Replace ST(1) with ST(1) * log2
|          |                    | | | | | | |(ST+1.0) and pop ST
Description

FYL2XP1 computes the base-2 logarithm of (ST+1.0), multiples the logarithm by ST(1), and returns the resulting value to ST(1). It then pops ST. The operand in ST must be in the range -(1-(û2 / 2)) ó ST ó û2 -1

Operation
ST(1) ← ST(1) * log2(ST+1.0);
pop ST;
Numeric Exceptions

P, U, D, I, IS. Protected Mode Exceptions

  1. NM if either EM or TS in CR0 is set.

Real Address Mode Exceptions Interrupt 7 if either EM or TS in CR0 is set. Virtual 8086 Mode Exceptions

  1. NM if either EM or TS in CR0 is set.
Notes

If the operand in ST is outside the acceptable range, the result of FYL2XP1 is undefined. The FYL2XP1 instruction provides improved accuracy over FYL2X when computing the logarithms of numbers very close to 1. When î is small, more significant digits can be retained by providing î as an argument to FYL2XP1 than by providing 1+î as an argument to FYL2X.

HLT-Halt

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F4 HLT X X X X X X Halt
Description

The HLT instruction stops instruction processing and places the processor in a HALT state. An enabled interrupt, NMI, or a reset will resume execution. If an interrupt (including NMI) is used to resume execution after a HLT instruction, the saved CS:IP (or CS:EIP) value points to the instruction following the HLT instruction.

Operation

Enter Halt state;

Protected Mode Exceptions

The HLT instruction is a privileged instruction; #GP(0) if the current privilege level is not 0.

Virtual 8086 Mode Exceptions

#GP(0); the HLT instruction is a privileged instruction.

IDIV-Signed Divide

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F6 /7 IDIV r/m8 X X X X X X Signed divide AX (where AH must contain sign-extension of AL) by r/m byte (results: AL=Quotient, AH=Remainder)
F7 /7 IDIV r/m16 X X X X X X Signed divide DX:AX (where DX must contain sign-extension of AX) by r/m word (results: AX=Quotient, DX=Remainder)
F7 /7 IDIV r/m32 X X X Signed divide EDX:EAX (where EDX must contain sign-extension of EAX) by r/m dword (results: EAX=Quotient, EDX=Remainder)
Description

The IDIV instruction performs a signed division. The dividend, quotient, and remainder are implicitly allocated to fixed registers. Only the divisor is given as an explicit r/m operand. The type of the divisor determines which registers to use as follows:

SIZE DIVIDEND DIVISOR QUOTIENT REMAINDER
byte AX r/m8 AL AH
word DX:AX r/m16 AX DX
dword EDX:EAX r/m32 EAX EDX

If the resulting quotient is too large to fit in the destination, or if the divisor is 0, an Interrupt 0 is generated. Nonintegral quotients are truncated toward 0. The remainder has the same sign as the dividend and the absolute value of the remainder is always less than the absolute value of the divisor.

Operation
temp ← dividend / divisor;
IF temp does not fit in quotient 
THEN Interrupt 0;
ELSE 
 quotient ← temp;
 remainder ← dividend MOD (r/m);
FI;

Note: Divisions are signed. The dividend must be sign-extended. The divisor is given by the r/m operand. The dividend, quotient, and remainder use implicit registers. Refer to the table under "Description."

Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|? |  |  |? |? |? |? |? |

The OF, SF, ZF, AF, PF, and CF flags are undefined.

Protected Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register (AL or AX), or if the divisor is 0; #GP (0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions

Interrupt 0 if the quotient is too large to fit in the designated register (AL or AX), or if the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

IMUL-Signed Multiply

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F6 /5 IMUL r/m8 X X X X X X AX ← AL * r/m byte
F7 /5 IMUL r/m16 X X X X X X DX:AX ← AX * r/m word
F7 /5 IMUL r/m32 X X X EDX:EAX ← EAX * r/m dword
0F AF /r IMUL r16,r/m16 X X X r16 ← r16 * r/m word
0F AF /r IMUL r32,r/m32 X X X r32 ← r32 * r/m dword
6B /r ib IMUL r16,r/m16,imm8 X X X X X r16 ← r/m word * sign-extended immediate byte
6B /r ib IMUL r32,r/m32,imm8 X X X r32 ← r/m dword * sign-extended immediate byte
6B /r ib IMUL r16,imm8 X X X X X r16 ← r16 * sign-extended immediate byte
6B /r ib IMUL r32,imm8 X X X r32 ← r32 * sign-extended immediate byte
69 /r iw IMUL r16,r/m16,imm16 X X X X X r16 ← r/m word * immediate word
69 /r id IMUL r32,r/m32,imm32 X X X r32 ← r/m dword * immediate dword
69 /r iw IMUL r16,imm16 X X X X X r16 ← r16 * immediate word
69 /r id IMUL r32,imm32 X X X r32 ← r32 * immediate dword
Description

The IMUL instruction performs signed multiplication. Some forms of the instruction use implicit register operands. The operand combinations for all forms of the instruction are shown in the "Description" column above. The IMUL instruction clears the OF and CF flags under the following conditions (otherwise the CF and OF flags are set):

INSTRUCTION FORM CONDITION FOR CLEARING CR AND OF
r/m8 AL = sign-extend of AL to 16-bits
r/m16 AX = sign-extend of AX to 32-bits
r/m32 EDX:EAX = sign-extend of EAX to 32-bits
r16,r/m16 Result exactly fits within r16
r32,r/m32 Result exactly fits within r32
r16,r/m16,imm16 Result exactly fits within r16
r32,r/m32,imm32 Result exactly fits within r32
Operation
result ← multiplicand * multiplier; 
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|* |  |  |? |? |? |? |* |

The OF and CF flags as described in the table in the "Description" section above; the SF, ZF, AF, and PF flags are undefined.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

When using the accumulator forms (IMUL r/m8, IMUL rm16, or IMUL r/m32), the result of the multiplication is available even if the overflow flag is set because the result is twice the size of the multiplicand and multiplier. This is large enough to handle any possible result.

IN-Input from Port

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
E4 ib IN AL,imm8 X X X X X X Input byte from port imm8 into AL
E5 ib IN AX,imm8 X X X X X X Input word from port imm8 into AX
E5 ib IN EAX,imm8 X X X Input dword from port imm8 into EAX
EC IN AL,DX X X X X X X Input byte from port DX into AL
ED IN AX,DX X X X X X X Input word from port DX into AX
ED IN EAX,DX X X X Input dword from port DX into EAX
Description

The IN instruction transfers a data byte or data word from the port numbered by the second operand into the register (AL, AX, or EAX) specified by the first operand. Access any port from 0 to 65535 by placing the port number in the DX register and using an IN instruction with the DX register as the second parameter. These I/O instructions can be shortened by using an 8-bit port I/O in the instruction. The upper eight bits of the port address will be 0 when 8-bit port I/O is used.

Operation
IF (PE = 1) AND ((VM = 1) OR (CPL>IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL>IOPL *)
 IF NOT I-O-Permission (SRC, width(SRC))
 THEN #GP(0);
 FI;
FI;
DEST ← [SRC]; (* Reads from I/O address space *)
Protected Mode Exceptions
  1. GP(0) if the current privilege level is larger (has less privilege) than the I/O privilege level and any of the corresponding I/O permission bits in TSS equals 1.
Virtual 8086 Mode Exceptions
  1. GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1.

INC-Increment by 1

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
FE /0 INC r/m8 X X X X X X Increment r/m byte by 1
FF /0 INC r/m16 X X X X X X Increment r/m word by 1
FF /0 INC r/m32 X X X Increment r/m dword by 1
40+rw INC r16 X X X X X X Increment word register by 1
40+rd INC r32 X X X Increment dword register by 1
Description

The INC instruction adds 1 to the operand. It does not change the CF flag. To affect the CF flag, use the ADD instruction with a second operand of 1.

Operation
DEST ← DEST + 1;
Flags Affected
OF|DF|IF|SF|ZF|AF|PF|CF
--+--+--+--+--+--+--+--
* |  |  |* |* |* |* |

The OF, SF, ZF, AF, and PF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) if the operand is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

INS/INSB/INSW/INSD-Input from Port to String

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
6C INS r/m8,DX X X X X X Input byte from port DX into ES:[(E)DI]
6D INS r/m16,DX X X X X X Input word from port DX into ES:[(E)DI]
6D INS r/m32,DX X X X Input dword from port DX into ES:[(E)DI]
6C INSB X X X X X Input byte from port DX into ES:[(E)DI]
6D INSW X X X X X Input word from port DX into ES:[(E)DI]
6D INSD X X X Input dword from port DX into ES:[(E)DI]
Description

The INS instruction transfers data from the input port numbered by the DX register to the memory byte or word at ES:dest-index. The memory operand must be addressable from the ES register; no segment override is possible. The destination register is the DI register if the address-size attribute of the instruction is 16-bits, or the EDI register if the address-size attribute is 32-bits. The INS instruction does not allow the specification of the port number as an immediate value. The port must be addressed through the DX register value. Load the correct value into the DX register before running the INS instruction. The destination address is determined by the contents of the destination index register. Load the correct index into the destination index register before running the INS instruction. After the transfer is made, the DI or EDI register advances automatically. If the DF flag is 0 (a CLD instruction was run), the DI or EDI register increments; if the DF flag is 1 (an STD instruction was run), the DI or EDI register decrements. The DI register increments or decrements by 1 if a byte is input, by 2 if a word is input, or by 4 if a doubleword is input. The INSB, INSW and INSD instructions are synonyms of the byte, word, and doubleword INS instructions. The INS instruction can be preceded by the REP prefix for block input of CX bytes or words. Refer to the REP instruction for details of this operation.

Operation
IF AddressSize = 16 
THEN use DI for dest-index;
ELSE (* AddressSize = 32 *)
 use EDI for dest-index;
FI;
IF (PE = 1) AND ((VM = 1) OR (CPL>IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL>IOPL *)
 IF NOT I-O-Permission (SRC, width(SRC))
 THEN #GP(0);
 FI;
FI;
IF byte type of instruction 
THEN 
 ES:[dest-index] ← [DX]; (* Reads byte at DX from I/O address space *)
 IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
FI;
IF OperandSize = 16 
THEN 
 ES:[dest-index] ← [DX]; (* Reads byte at DX from I/O address space *)
 IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
FI;
IF OperandSize = 32 
THEN 
 ES:[dest-index] ← [DX]; (* Reads dword at DX from I/O address space *)
 IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI; FI;
dest-index ← dest-index + IncDec;
Protected Mode Exceptions
  1. GP(0) if the current privilege level is numerically greater than the I/O privilege level and any of the corresponding I/O permission bits in TSS equals 1; #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the ES, segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions
  1. GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

INT/INTO-Call to Interrupt Procedure

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
CC INT 3 X X X X X X Interrupt 3; Trap to debugger
CC INT 3 X X X X Interrupt 3; Protected Mode, same privilege
CC INT 3 X X X X Interrupt 3; Protected Mode, more privilege
CC INT 3 X X X Interrupt 3; from V86 mode to PL 0
CC INT 3 X X X X Interrupt 3; Protected Mode, via task gate
CC ib INT imm8 X X X X X X Interrupt numbered by immediate byte
CD ib INT imm8 X X X X Interrupt imm8; Protected Mode, same privilege
CD ib INT imm8 X X X X Interrupt imm8; Protected Mode, more privilege
CD ib INT imm8 X X X Interrupt imm8; from V86 mode to PL 0
CD ib INT imm8 X X X X Interrupt imm8; Protected Mode, via task gate
CE INTO X X X X X X Interrupt 4 if Overflow flag is 1
CE INTO X X X X Interrupt 4 if Overflow flag is 1; Protected Mode, same privilege
CE INTO X X X X Interrupt 4 if Overflow flag is 1; Protected Mode, more privilege
CE INTO X X X Interrupt 4 if Overflow flag is 1; from V86 mode to PL 0
CE INTO X X X X Interrupt 4 if Overflow flag is 1; Protected Mode, via task gate
Description

The INT n instruction generates a call to an interrupt handler. The immediate operand, from 0 to 255, gives the index number into the Interrupt Descriptor Table (IDT) of the interrupt routine to be called. In protected mode, the IDT consists of an array of eight-byte descriptors; the descriptor for the interrupt invoked must indicate an interrupt, trap, or task gate. In real-address mode, the IDT is an array of four byte-long pointers. In protected and real-address modes, the base linear address of the IDT is defined by the contents of the IDTR. The initial value of IDTR is zero upon reset into real-address mode. When the processor is running in virtual-8086 mode (VM=1), the IOPL determines whether the INT n causes a general protection exception (IOPL<3) or runs a protected mode interrupt to privilege level 0. The interrupt gate's DPL must be set to three and the target CPL of the interrupt service routine must be zero to run the protected mode interrupt to privilege level 0. The INTO conditional software instruction is identical to the INT n interrupt instruction except that the interrupt number is implicitly 4, and the interrupt is made only if the overflow flag is set. The first 32 interrupts are reserved by Intel for system use. Some of these interrupts are used for internally generated exceptions. The INT n instruction generally behaves like a far call except that the flags register is pushed onto the stack before the return address. Interrupt procedures return via the IRET instruction, which pops the flags and return address from the stack. In Real Address Mode, the INT n instruction pushes the flags, the CS register, and the return IP onto the stack, in that order, then jumps to the long pointer indexed by the interrupt number.

Operation

Note: The following operational description applies not only to the above instructions but also to external interrupts and exceptions.

IF PE = 0 
THEN CALL REAL-ADDRESS-MODE;
ELSE 
 CALL PROTECTED-MODE;
 IF task gate 
 THEN CALL TASK-GATE;
 ELSE 
 CALL TRAP-OR-INT-GATE; (* PE=1, int/trap gate *)
 IF code segment is non-conforming AND DPL < CPL 
 THEN 
   IF VM=0
   THEN CALL INT-TO-INNER-PRIV; (*PE=1,int/trap gate,DPL<CPL,VM=0*)
   ELSE CALL INT-FROM-V86-MODE; (* PE=1, int/trap gate, DPL<CPL,
                 VM=1 *)
   FI;
   ELSE (* PE=1, int/trap gate, DPL ò CPL *)
     IF code segment is conforming OR code segment DPL = CPL 
   THEN CALL INT-TO-SAME-PRIV;
   ELSE #GP(CS selector + EXT); (* PE=1, int/trap gate, DPL>CPL *)
     FI;
     FI;
   FI;
FI;
END;
REAL-ADDRESS-MODE PROC 
 Push (FLAGS);
 IF ← 0; (* Clear interrupt flag *)
 TF ← 0; (* Clear trap flag *)
 Push(CS);
 Push(IP);
 (* No error codes are pushed *)
 CS ← IDT[Interrupt number * 4].selector;
 IP ← IDT[Interrupt number * 4].offset;
(* Start processing in real address mode *)
REAL-ADDRESS-MODE ENDPROC 
PROTECTED-MODE PROC 
 Interrupt vector must be within IDT table limits,
    else #GP(vector number * 8+2+EXT);
 Descriptor AR byte must indicate interrupt gate, trap gate, or task gate,
    else #GP(vector number * 8+2+EXT);
 IF software interrupt (* i.e. caused by INT n, INT 3, or INTO *)
 THEN 
   IF gate descriptor DPL<CPL
   THEN #GP(vector number * 8+2+EXT); (* PE=1, DPL<CPL, software interrupt *)
   FI;
 FI;
 Gate must be present, else #NP(vector number * 8+2+EXT);
PROTECTED-MODE ENDPROC 
TRAP-OR-INT-GATE PROC 
 Examine CS selector and descriptor given in the gate descriptor;
 Selector must be non-null, else #GP (EXT);
 Selector must be within its descriptor table limits 
   ELSE #GP(selector+EXT);
 Descriptor AR byte must indicate code segment 
   ELSE #GP(selector + EXT);
 Segment must be present, else #NP(selector+EXT);
TRAP-OR-INT-GATE ENDPROC 
INT-TO-INNER-PRIV PROC 
 (* PE=1, DPL<CPL and non-conforming, (* PE=1, int/trap gate, DPL<CPL, VM=0 *)
 Check selector and descriptor for new stack in current TSS;
   Selector must be non-null, else #TS(EXT);
   Selector index must be within its descriptor table limits 
     ELSE #TS(SS selector+EXT);
   Selector's RPL must equal DPL of code segment, else #TS(SS
     selector+EXT);
   Stack segment DPL must equal DPL of code segment, else #TS(SS
     selector+EXT);
   Descriptor must indicate writable data segment, else #TS(SS
     selector+EXT);
   Segment must be present, else #SS (SS selector+EXT);
 If 32-bit gate 
 THEN New stack must have room for 20 bytes else #SS(0)
 ELSE New stack must have room for 10 bytes else #SS(0)
 FI;
 Instruction pointer must be within CS segment boundaries else #GP(0);
 Load new SS and eSP value from TSS;
 If 32-bit gate 
   THEN CS:EIP ← selector:offset from gate;
 ELSE CS:IP ← selector:offset from gate;
 FI;
 Load CS descriptor into invisible portion of CS register;
 Load SS descriptor into invisible portion of SS register;
 IF 32-bit gate 
THEN 
   Push (long pointer to old stack) (* 3 words padded to 4 *);
   Push (EFLAGS);
   Push (long pointer to return location) (* 3 words padded to 4 *);
ELSE 
   Push (long pointer to old stack) (* 2 words *);
   Push (FLAGS);
   Push (long pointer to return location) (* 2 words *);
 FI;
 Set CPL to new code segment DPL;
 Set RPL of CS to CPL;
 IF interrupt gate THEN IF ← 0 (* interrupt flag to 0 (disable) *); FI;
 TF ← 0;
 NT ← 0;
INT-FROM-INNER-PRIV ENDPROC 
INT-FROM-V86-MODE PROC 
 Check selector and descriptor for new stack in current TSS;
 Selector must be non-null, else #TS(EXT);
 Selector index must be within its descriptor table limits 
   ELSE #TS(SS selector+EXT);
 Selector's RPL must equal DPL of code segment, else #TS(SS
   selector+EXT);
 Stack segment DPL must equal DPL of code segment, else #TS(SS
   selector+EXT);
 Descriptor must indicate writable data segment, else #TS(SS
   selector+EXT);
 Segment must be present, else #SS(SS selector+EXT);
 IF 32-bit gate 
   THEN New stack must have room for 20 bytes else #SS(0)
   ELSE New stack must have room for 10 bytes else #SS(0)
 FI;
 Instruction pointer must be within CS segment boundaries else #GP(0);
 IF IOPL < 3 
 THEN 
   #GP(0); (*V86 monitor trap: PE=1,int/trap gate, DPL<CPL, VM=1, IOPL<3*)
 ELSE (* IOPL=3 *)
   IF GATE'S_DPL = 3 
   THEN 
     IF TARGET'S_CPL <> 0 
     THEN #GP(0);
     ELSE 
       TempEFlags ← EFLAGS;
       VM ← 0;
       TF ← 0;
       IF service through Interrupt Gate 
           THEN IF ← 0;
       FI;
       TempSS ← SS;
       TempESP ← ESP;
       SS ← TSS.SS0; (* Change to level 0 stack segment *)
   ESP ← TSS.ESP0; (* Change to level 0 stack pointer *)
   Push(GS); (* padded to two words *)
       Push(FS); (* padded to two words *)
   Push(DS); (* padded to two words *)
   Push(ES); (* padded to two words *)
   GS ← 0; (* segment registers nullified - invalid in 
      protected mode *)
       FS ← 0;
   DS ← 0;
   ES ← 0;
   Push(TempSS); (* Padded to two words *)
   Push(TempESP);
   Push(TempEFlags);
   Push(CS); (* Padded to two words *)
   Push(EIP);
       CS:EIP ← selector:offset from interrupt gate;
       (* Starts processing of new routine in Protected Mode *)
     FI;
  ELSE (* GATE'S_DPL <> 3 *)
     #GP(0);
   FI;
 FI;
INT-FROM-V86-MODE ENDPROC
INT-TO-SAME-PRIV PROC
   (* PE=1, DPL=CPL or conforming segment *)
 IF 32-bit gate
 THEN Current stack limits must allow pushing 10 bytes, else #SS(0);
 ELSE Current stack limits must allow pushing 6 bytes, else #SS(0);
 FI;
IF interrupt was caused by exception with error code
THEN Stack limits must allow push to two more bytes;
ELSE #SS(0);
FI;
Instruction pointer must be in CS limit, else #GP(0);
IF 32-bit gate 
THEN 
 Push (EFLAGS);
 Push (long pointer to return location); (* 3 words padded to 4 *)
 CS:EIP ← selector:offset from gate;
ELSE (* 16-bit gate *)
 Push (FLAGS);
 Push (long pointer to return location); (* 2 words *)
 CS:IP ← selector:offset from gate;
FI;
Load CS descriptor into invisible portion of CS register;
 Set the RPL field of CS to CPL;
 Push (error code); (* if any *)
 IF interrupt gate THEN IF ← 0; FI;
 TF ← 0;
 NT ← 0;
INT-TO-SAME-PRIV ENDPROC 
TASK-GATE PROC (* PE=1, task gate *)
 Examine selector to TSS, given in task gate descriptor;
   Must specify global in the local/global bit, else #TS(TSS selector);
   Index must be within GDT limits, else #TS(TSS selector);
   AR byte must specify available TSS (bottom bits 00001);
     else #TS(TSS selector);
   TSS must be present, else #NP(TSS selector);
 SWITCH-TASKS with nesting to TSS;
 IF interrupt was caused by fault with error code 
 THEN 
   Stack limits must allow push of two more bytes, else #SS(0);
   Push error code onto stack;
 FI;
 Instruction pointer must be in CS limit, else #GP(0);
TASK-GATE ENDPROC 
Decision Table

The following decision table indicates which action in the lower portion of the table is taken given the conditions in the upper portion of the table. Each Y in the lower section of the decision table represents a procedure defined above in the Operation section for this instruction (except #GP(0)) and the number following the Y indicates the order in which the procedure is run.

PE 0 1 1 1 1 1 1 1
VM - - - - - 0 1 1
IOPL - - - - - - <3 =3
DPL/CPL RELATIONSHIP - DPL < CPL - DPL > CPL DPL = CPL or C DPL < CPL & NC - -
INTERRUPT TYPE - S/W - - - - - -
GATE TYPE - - Task or Int Trap or Int Trap or Int Trap or Int Trap or Int Trap or Int
REAL-ADDRESS-MODE Y
PROTECTED-MODE Y1 Y1 Y1 Y1 Y1 Y1 Y1
TRAP-OR-INT-GATE Y2 Y2 Y2 Y2 Y2
INT-TO-INNER-PRIV Y3
INT-TO-SAME-PRIV Y3
INT-FROM-V86-MODE Y3
TASK-GATE Y2
#GP Y2 Y3 Y3

Notes: - Don't Care Yx Yes, Action Taken, x = the order of processing Blank Action Not Taken

Flags Affected
OF|DF|IF|SF|ZF|AF|PF|CF
--+--+--+--+--+--+--+--
  |  |0 |  |  |  |  |  

None

Protected Mode Exceptions
  1. GP, #NP, #SS, and #TS as indicated under "Operation" above.
Real Address Mode Exceptions

None; if the SP or ESP register is 1, 3, or 5 before running the INT or INTO instruction, the processor will shut down due to insufficient stack space.

Virtual 8086 Mode Exceptions
  1. GP(0) fault if IOPL is less than 3, for the INT n instruction only, to permit emulation; Interrupt 3 (0CCH) generates a breakpoint exception; the INTO instruction generates an overflow exception if the OF flag is set.

INVD-Invalidate Cache

Details Table
|Encoding |Instruction |0|1|2|3|4|5|Description
|---------+------------+-+-+-+-+-+-+-----------------------
|0F 08    |INVD        | | | | |X|X|Invalidate entire cache
Description

The internal cache is invalidated, and a special-function bus cycle is issued which indicates that external caches should also be invalidated. Data held in write-back external caches is not instructed to be written back.

Operation
INVALIDATE INTERNAL CACHE
SIGNAL EXTERNAL CACHE TO INVALIDATE
Protected Mode Exceptions

The INVD instruction is a privileged instruction; #GP(0) if the current privilege level is not 0.

Virtual 8086 Mode Exceptions

#GP(0); the INVD instruction is a privileged instruction.

Notes

INVD should be used with care. It does not write back modified cache lines; therefore, it can cause the data cache to become inconsistent with other memories in the system. Unless there is a specific requirement or benefit to invalidate a cache without writing back the modified lines (i.e., testing or fault recovery where cache coherency with main memory is not a concern), software should use the WBINVD instruction. This instruction is implementation-dependent; its function may be implemented differently on future Intel processors. This instruction does not wait for the external cache to complete its invalidation before the processor proceeds. It is the responsibility of hardware to respond to the external cache invalidation indication. This instruction is not supported on Intel386 processors. See the Intel documentation for CPUID detection at runtime. See the WBINVD description to write back dirty data to memory. See the Intel documentation for information on disabling the cache.

INVLPG-Invalidate TLB Entry

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 01 /7 INVLPG m X X Invalidate TLB entry
Description

The INVLPG instruction is used to ensure there are no invalid entries in the TLB, the cache used for page table entries. If the TLB contains a valid entry, which maps the address of the memory operand, all of the relevant TLB entries are marked invalid.

Operation
INVALIDATE RELEVANT TLB ENTRY(S)
Protected Mode Exceptions

The INVLPG instruction is a privileged instruction; #GP(0) if the current privilege level is not 0. An invalid-opcode exception is generated when used with a register operand. Virtual 8086 Mode Exceptions An invalid-opcode exception is generated when used with a register operand. #GP(0); the INVLPG instruction is a privileged instruction.

Notes

This instruction is not supported on Intel386 processors. See the Intel documentation for information on detecting the processor type at runtime. See the Intel documentation for information on disabling the cache.

IRET/IRETD-Interrupt Return

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
CF IRET X X X X X X Interrupt return (far return and pop flags)
CF IRET X X X X Interrupt return to lesser privilege
CF IRET X X X X Interrupt return, different task (NT=1)
CF IRET X X X Interrupt return from Real or V86 mode
CF IRETD X X X Interrupt return (far return and pop flags)
CF IRETD X X X Interrupt return to lesser privilege
CF IRETD X X X Interrupt return, different task (NT=1)
Description

In Real Address Mode, the IRET instruction pops the instruction pointer, the CS register, and the flags register from the stack and resumes the interrupted routine. In Protected Mode, the action of the IRET instruction depends on the setting of the nested task flag (NT) bit in the flag register. When the new flag image is popped from the stack, the IOPL bits in the flag register are changed only when CPL equals 0. If the NT flag is cleared, the IRET instruction returns from an interrupt procedure without a task switch. The code returned to must be equally or less privileged than the interrupt routine (as indicated by the RPL bits of the CS selector popped from the stack). If the destination code is less privileged, the IRET instruction also pops the stack pointer and SS from the stack. If the NT flag is set, the IRET instruction reverses the operation of a CALL or INT that caused a task switch. The updated state of the task running the IRET instruction is saved in its task state segment. If the task is reentered later, the code that follows the IRET instruction is run.

Operation
IF PE = 0 
 THEN GOTO REAL_ADDRESS_MODE:;
 ELSE GOTO PROTECTED_MODE;
FI;

REAL_ADDRESS_MODE;
 IF OperandSize = 32 (* Instruction = IRETD *)
 THEN EIP ← Pop ();
 ELSE (* Instruction = IRET *)
 IP ← Pop();
 FI;
 CS ← Pop ();
 IF OperandSize = 32 (* Instruction = IRETD *)
 THEN Pop(); EFLAGS ← Pop();
 ELSE (* Instruction = IRET *)
 FLAGS ← Pop();
 FI;
 END;

PROTECTED_MODE:
 IF VM = 1 (* Virtual mode:PE=1, VM=1 *)
 THEN GOTO STACK_RETURN_FROM_V86; (* PE=1, VM=1 *)
 ELSE 
 IF NT=1
 THEN GOTO TASK_RETURN; (* PE=1, VM=1, NT=1 *)
 ELSE 
   IF VM=1 in flags image on stack 
     THEN GOTO STACK_RETURN_TO_V86; (* PE=1, VM=1 in flags 
                    inage *)
     ELSE GOTO STACK_RETURN; (* PE=1, VM=0 in flags image *)
   FI;
 FI;
FI;

STACK_RETURN_FROM_V86:
 IF IOPL=3 (* Virtual mode: PE=1, VM=1, IOPL=3 *)
 THEN 
   IF OperandSize = 16 
      IP ← Pop();(* 16-bit pops *)
      CS ← Pop();
      FLAGS ←Pop();
   ELSE (* OperandSize = 32 *)
      EIP ← Pop(); (* 32-bit pops *)
      CS ← Pop();
      EFLAGS ←Pop(); (*VM,IOPL,VIP,and VIF EFLAG bits are not modified by IRETD*)
   FI;
 ELSE #GP(0); (* trap to virtual-8086 monitor: PE=1, VM=1, IOPL<3 *)
 FI;
END;

STACK_RETURN_TO_V86: (* Interrupted procedure was in V86 mode:
PE=1, VM=1 in flags image *)
 IF top 36 bytes of stack not within limits 
 THEN #SS(0);
 FI;
 IF instruction pointer not within code segment limit  THEN #GP(0);
 FI;
 EFLAGS ← SS:[ESP + 8]; (* Sets VM in interrupted routine *)
 EIP ← Pop();
 CS ← Pop(); (* CS behaves as in 8086, due to VM=1 *)
 throwaway ← Pop(); (* pop away EFLAGS already read *)
 TempESP ← Pop();
 TempSS ← Pop();
 ES ← Pop(); (* pop 2 words; throw away high-order word *)
 DS ← Pop(); (* pop 2 words; throw away high-order word *)
 FS ← Pop(); (* pop 2 words; throw away high-order word *)
 GS ← Pop(); (* pop 2 words; throw away high-order word *)
  SS:ESP ← TempSS:TempESP;
 (* Resume processing in Virtual 8086 mode *)
 END;

TASK-RETURN: (* PE=1, VM=1, NT=1 *)
 Examine Back Link Selector in TSS addressed by the current task 
   register:
   Must specify global in the local/global bit, else #TS(new TSS selector);
   Index must be within GDT limits, else #TS(new TSS selector);
   AR byte must specify TSS, else #TS(new TSS selector);
   New TSS must be busy, else #TS(new TSS selector);
   TSS must be present, else #NP(new TSS selector);
 SWITCH-TASKS without nesting to TSS specified by back link selector;
 Mark the task just abandoned as NOT BUSY;
 Instruction pointer must be within code segment limit ELSE #GP(0);
 END;
STACK-RETURN: (* PE=1, VM=0 in flags image *)
 IF OperandSize=32
 THEN Third word on stack must be within stack limits, else #SS(0);
 ELSE Second word on stack must be within stack limits, else #SS(0);
 FI;
 Return CS selector RPL must be ò CPL, else #GP(Return selector);
 IF return selector RPL = CPL 
 THEN GOTO RETURN-SAME-LEVEL;
 ELSE GOTO RETURN-OTHER-LEVEL;
 FI;
RETURN-SAME-LEVEL: (* PE=1, VM=0 in flags image, RPL=CPL *)
 IF OperandSize=32
 THEN 
   Top 12 bytes on stack must be within limits, else #SS(0);
   Return CS selector (at eSP+4) must be non-null, else #GP(0);
 ELSE 
   Top 6 bytes on stack must be within limits, else #SS(0);
   Return CS selector (at eSP+2) must be non-null, else #GP(0);
 FI;
 Selector index must be within its descriptor table limits, else #GP
   (Return selector);
 AR byte must indicate code segment, else #GP(Return selector);
 IF non-conforming
 THEN code segment DPL must = CPL;
 ELSE #GP(Return selector); (* PE=1, VM=0 in flags image,
 RPL=CPL,non-conforming,DPL<> CPL *)
 FI;
 IF conforming 
   THEN IF DPL>CPL
     #GP(Return selector); (* PE=1, VM=0 in flags image,
     RPL=CPL,conforming,DPL>CPL *)
 Segment must be present, else #NP(Return selector);
 Instruction pointer must be within code segment boundaries, else #GP(0);
 FI;
 IF OperandSize=32 put comments here 
 THEN 
   Load CS:EIP from stack;
   Load CS-register with new code segment descriptor;
   Load EFLAGS with third doubleword from stack;
   Increment eSP by 12;
 ELSE 
   Load CS-register with new code segment descriptor;
   Load FLAGS with third word on stack;
   Increment eSP by 6;
 FI;
 END;
RETURN-OUTER-LEVEL:
IF OperandSize=32
 THEN Top 20 bytes on stack must be within limits, else #SS(0);
 ELSE Top 10 bytes on stack must be within limits, else #SS(0);
FI;
Examine return CS selector and associated descriptor:
 Selector must be non-null, ELSE #GP(0);
 Selector index must be within its descriptor table limits;
   ELSE #GP(Return selector);
 AR byte must indicate code segment, else #GP(Return selector);
IF non-conforming
 THEN code segment DPL must = CS selector RPL;
 ELSE #GP(Return selector);
 FI;
IF conforming 
 THEN code segment DPL must be > CPL;
 ELSE #GP(Return selector);
 FI;
 Segment must be present, else #NP(Return selector);
Examine return SS selector and associated descriptor:
 Selector must be non-null, else #GP(0);
 Selector index must be within its descriptor table limits 
   ELSE #GP(SS selector);
 Selector RPL must equal the RPL of the return CS selector 
   ELSE #GP(SS selector);
 AR byte must indicate a writable data segment, else #GP(SS selector);
 Stack segment DPL must equal the RPL of the return CS selector 
   ELSE #GP(SS selector);
 SS must be present, else #NP(SS selector);
Instruction pointer must be within code segment limit ELSE #GP(0);
 IF OperandSize=32
 THEN 
   Load CS:EIP from stack;
   Load EFLAGS with values at (eSP+8);
 ELSE 
   Load CS:IP from stack;
   Load FLAGS with values at (eSP+4);
 FI;
 Load SS:eSP from stack;
 Set CPL to the RPL of the return CS selector;
 Load the CS register with the CS descriptor;
 Load the SS register with the SS descriptor;
 FOR each of ES, FS, GS, and DS 
 DO;
   IF the current value of the register is not valid for the outer level;
   THEN zero the register and clear the valid flag;
   FI;
   To be valid, the register setting must satisfy the following properties:
     Selector index must be within descriptor table limits;
     AR byte must indicate data or readable code segment;
     IF segment is data or non-conforming code,
     THEN DPL must be > CPL, or DPL must be < RPL;
 OD;
 END:
Flags Affected
OF DF IF SF ZF AF PF CF
* * * * * * * *

All flags are affected; the flags register is popped from stack.

Protected Mode Exceptions
  1. GP, #NP, or #SS, as indicated under "Operation" above; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand being popped lies beyond address 0FFFFH.

Virtual 8086 Mode Exceptions
  1. GP(0) fault occurs if the I/O privilege level is less than 3, to permit emulation; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Jcc - Jump if Condition is Met

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
77 cb JA rel8 X X X X X X Jump short if above (CF=0 and ZF=0)
73 cb JAE rel8 X X X X X X Jump short if above or equal (CF=0)
72 cb JB rel8 X X X X X X Jump short if below (CF=1)
76 cb JBE rel8 X X X X X X Jump short if below or equal (CF=1 or ZF=1)
72 cb JC rel8 X X X X X X Jump short if carry (CF=1)
E3 cb JCXZ rel8 X X X X X X Jump short if CX register is 0
E3 cb JECXZ rel8 X X X Jump short if ECX register is 0
74 cb JE rel8 X X X X X X Jump short if equal (ZF=1)
74 cb JG rel8 X X X X X X Jump short if zero (ZF=1)
7D cb JGE rel8 X X X X X X Jump short if greater or equal (SF=OF)
7C cb JL rel8 X X X X X X Jump short if less (SF<>OF)
7E cb JLE rel8 X X X X X X Jump short if less or equal (ZF=1 and SF<>OF)
76 cb JNA rel8 X X X X X X Jump short if not above (CF=1 or ZF=1)
72 cb JNAE rel8 X X X X X X Jump short if not above or equal (CF=1)
73 cb JNB rel8 X X X X X X Jump short if not below (CF=0)
77 cb JNBE rel8 X X X X X X Jump short if not below or equal (CF=0 and ZF=0)
73 cb JNC rel8 X X X X X X Jump short if not carry (CF=0)
75 cb JNE rel8 X X X X X X Jump short if not equal (ZF=0)
7E cb JNG rel8 X X X X X X Jump short if not greater (ZF=1 or SF<>OF)
7C cb JNGE rel8 X X X X X X Jump short if not greater or equal (SF<>OF)
7D cb JNL rel8 X X X X X X Jump short if not less (SF=OF)
7F cb JNLE rel8 X X X X X X Jump short if not less or equal (ZF=0 and SF=OF)
71 cb JNO rel8 X X X X X X Jump short if not overflow (OF=0)
7B cb JNP rel8 X X X X X X Jump short if not parity (PF=0)
79 cb JNS rel8 X X X X X X Jump short if not sign (SF=0)
75 cb JNZ rel8 X X X X X X Jump short if not zero (ZF=0)
70 cb JO rel8 X X X X X X Jump short if overflow (OF=1)
7A cb JP rel8 X X X X X X Jump short if parity (PF=1)
7A cb JPE rel8 X X X X X X Jump short if parity even (PF=1)
7B cb JPO rel8 X X X X X X Jump short if parity odd (PF=0)
78 cb JS rel8 X X X X X X Jump short if sign (SF=1)
74 cb JZ rel8 X X X X X X Jump short if zero (ZF=1)
0F 87

cw/cd

JA rel16/rel32 X X X Jump near if above (CF=0 and ZF=0)
0F 83

cw/cd

JAE rel16/rel32 X X X Jump near if above or equal (CF=0)
0F 82

cw/cd

JB rel16/rel32 X X X Jump near if below (CF=1)
0F 86

cw/cd

JBE rel16/rel32 X X X Jump near if below or equal (CF=1 or ZF=1)
0F 82

cw/cd

JC rel16/rel32 X X X Jump near if carry (CF=1)
0F 84

cw/cd

JE rel16/rel32 X X X Jump near if equal (ZF=1)
0F 8F

cw/cd

JG rel16/rel32 X X X Jump near if zero (ZF=1)
0F 8D

cw/cd

JGE rel16/rel32 X X X Jump near if greater or equal (SF=OF)
0F 8C

cw/cd

JL rel16/rel32 X X X Jump near if less (SF<>OF)
0F 8E

cw/cd

JLE rel16/rel32 X X X Jump near if less or equal (ZF=1 and SF<>OF)
0F 86

cw/cd

JNA rel16/rel32 X X X Jump near if not above (CF=1 or ZF=1)
0F 82

cw/cd

JNAE rel16/rel32 X X X Jump near if not above or equal (CF=1)
0F 83

cw/cd

JNB rel16/rel32 X X X Jump near if not below (CF=0)
0F 87

cw/cd

JNBE rel16/rel32 X X X Jump near if not below or equal (CF=0 and ZF=0)
0F 83

cw/cd

JNC rel16/rel32 X X X Jump near if not carry (CF=0)
0F 85

cw/cd

JNE rel16/rel32 X X X Jump near if not equal (ZF=0)
0F 8E

cw/cd

JNG rel16/rel32 X X X Jump near if not greater (ZF=1 or SF<>OF)
0F 8C

cw/cd

JNGE rel16/rel32 X X X Jump near if not greater or equal (SF<>OF)
0F 8D

cw/cd

JNL rel16/rel32 X X X Jump near if not less (SF=OF)
0F 8F

cw/cd

JNLE rel16/rel32 X X X Jump near if not less or equal (ZF=0 and SF=OF)
0F 81

cw/cd

JNO rel16/rel32 X X X Jump near if not overflow (OF=0)
0F 8B

cw/cd

JNP rel16/rel32 X X X Jump near if not parity (PF=0)
0F 89

cw/cd

JNS rel16/rel32 X X X Jump near if not sign (SF=0)
0F 85

cw/cd

JNZ rel16/rel32 X X X Jump near if not zero (ZF=0)
0F 80

cw/cd

JO rel16/rel32 X X X Jump near if overflow (OF=1)
0F 8A

cw/cd

JP rel16/rel32 X X X Jump near if parity (PF=1)
0F 8A

cw/cd

JPE rel16/rel32 X X X Jump near if parity even (PF=1)
0F 8B

cw/cd

JPO rel16/rel32 X X X Jump near if parity odd (PF=0)
0F 88

cw/cd

JS rel16/rel32 X X X Jump near if sign (SF=1)
0F 84

cw/cd

JZ rel16/rel32 X X X Jump near if zero (ZF=1)
Description

Conditional jumps (except the JCXZ instruction) test the flags that have been set by a previous instruction. The conditions for each mnemonic are given in parentheses after each description above. The terms "less" and "greater"; are used for comparisons of signed integers; "above" and "below" are used for unsigned integers. If the given condition is true, a jump is made to the location provided as the operand. Instruction coding is most efficient when the target for the conditional jump is in the current code segment and within -128 to +127 bytes of the next instruction's first byte. The jump can also target -32768 thru +32767 (segment size attribute 16) or -231 thru +231 - 1 (segment size attribute 32) relative to the next instruction's first byte. When the target for the conditional jump is in a different segment, use the opposite case of the jump instruction (i.e., the JE and JNE instructions), and then access the target with an unconditional far jump to the other segment. For example, you cannot code

   JZ FARLABEL 

You must instead code

   JNZ BEYOND 
   JMP FARLABEL 
BEYOND:

Because there can be several ways to interpret a particular state of the flags, ASM386 provides more than one mnemonic for most of the conditional jump opcodes. For example, if you compared two characters in AX and want to jump if they are equal, use the JE instructions; or, if you ANDed the AX register with a bit field mask and only want to jump if the result is 0, use the JZ instruction, a synonym for the JE instruction. The JCXZ instruction differs from other conditional jumps because it tests the contents of the CX or ECX register for 0, not the flags. The JCXZ instruction is useful at the beginning of a conditional loop that terminates with a conditional loop instruction (such as LOOPNE TARGET LABEL. The JCXZ instruction prevents entering the loop with the CX or ECX register equal to zero, which would cause the loop to run 64K or 23ý times instead of zero times.

Operation
IF condition 
THEN 
  EIP ← EIP + SignExtend(rel8/16/32);
  IF OperandSize = 16 
  THEN EIP ← EIP AND 0000FFFFH;
  FI;
FI;
Protected Mode Exceptions
#GP(0) if the offset jumped to is beyond the limits of the code segment.
Notes

The JCXZ instruction takes longer to run than a two-instruction sequence, which compares the count register to zero and jumps if the count is zero. All branches are converted into 16-byte code fetches regardless of jump address or cacheability.

JMP - Jump

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
EB cb JMP rel8 X X X X X X Jump short, displacement relative to next instruction
E9 cw JMP rel16 X X X X X X Jump near, displacement relative

to next instruction

FF /4 JMP r/m16 X X X X X X Jump near indirect
EA cd JMP ptr16:16 X X X X X X Jump intersegment, 4-byte immediate address
EA cd JMP ptr16:16 X X X X Jump to call gate, same privilege
EA cd JMP ptr16:16 X X X X Jump via task state segment
EA cd JMP ptr16:16 X X X X Jump via task gate
FF /5 JMP m16:16 X X X X X X Jump intersegment, dword address at r/m word
FF /5 JMP m16:16 X X X X Jump to call gate, same privilege
FF /5 JMP m16:16 X X X X Jump via task state segment
FF /5 JMP m16:16 X X X X Jump via task gate
E9 cd JMP rel32 X X X Jump near, displacement relative to next instruction
FF /4 JMP r/m32 X X X Jump near indirect
EA cp JMP ptr16:32 X X X Jump intersegment, 6-byte immediate address
EA cp JMP ptr16:32 X X X Jump to call gate, same privilege
EA cp JMP ptr16:32 X X X Jump via task state segment
EA cp JMP ptr16:32 X X X Jump via task gate
FF /5 JMP m16:32 X X X Jump intersegment, fword address at r/m dword
FF /5 JMP m16:32 X X X Jump to call gate, same privilege
FF /5 JMP m16:32 X X X Jump via task state segment
FF /5 JMP m16:32 X X X Jump via task gate
Description

The JMP instruction transfers control to a different point in the instruction stream without recording return information. The action of the various forms of the instruction are shown below. Jumps with destinations of type r/m16, r/m32, rel16,, and rel32 are near jumps and do not involve changing the segment register value. The JMP rel16 and JMP rel32 forms of the instruction add an offset to the address of the instruction following the JMP to determine the destination. The rel16 form is used when the instruction's operand-size attribute is 16- bits (segment size attribute 16 only); rel32 is used when the operand-size attribute is 32-bits (segment size attribute 32 only). The result is stored in the 32-bit EIP register. With rel16, the upper 16-bits of the EIP register are cleared, which results in an offset whose value does not exceed 16-bits. The JMP r/m16 and JMP r/m32 forms specify a register or memory location from which the absolute offset from the procedure is fetched. The offset fetched from r/m is 32-bits for an operand-size attribute of 32-bits (r/m32 ), or 16-bits for an operand-size attribute of 16-bits (r/m16). The JMP ptr16:16 and ptr16:32 forms of the instruction use a four-byte or six-byte operand as a long pointer to the destination. The JMP m16:16 and m16:32 forms fetch the long pointer from the memory location specified ( indirection). In Real Address Mode or Virtual 8086 Mode, the long pointer provides 16-bits for the CS register and 16 or 32-bits for the EIP register (depending on the operand-size attribute). In Protected Mode, both long pointer forms consult the Access Rights (AR) byte in the descriptor indexed by the selector part of the long pointer. Depending on the value of the AR byte, the jump will perform one of the following types of control transfers :

  • A jump to a code segment at the same privilege level
  • A task switch

For more information on protected mode control transfers, refer to the Intel documentation.

Operation
IF instruction = relative JMP  (* i.e. operand is rel8, rel16, or rel32 *)
THEN 
 EIP ← EIP + rel18/16/32;
 IF OperandSize = 16 
 THEN EIP ← EIP AND 0000FFFFH;
 FI;
FI;

IF instruction = near indirect JMP 
 (* i.e. operand is r/m16 or r/m32 *)
THEN 
 IF OperandSize = 16 
 THEN 
   EIP ← [r/m16] AND 0000FFFFH;
 ELSE (* OperandSize = 32 *)
   EIP ← [r/m32;
 FI;
FI;

IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or V86 mode *)
 AND instruction = far JMP 
 (* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *)
THEN GOTO REAL-OR-V86-MODE;
 IF operand type = m16:16 or m16:32
 THEN (* indirect *)
  IF OperandSize = 16 
  THEN
    CS:IP ← [m16:16];
    EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *)
  ELSE (* OperandSize = 32 *)
    CS:EIP ← [m16:32];
  FI;
 FI;
 IF operand type = ptr16:16 or ptr16:32
 THEN 
   IF OperandSize = 16 
   THEN 
     CS:IP ← ptr16:16;
     EIP ← EIP AND 0000FFFFH; (* clear upper 16 bits *)
   ELSE (* OperandSize = 32 *)
     CS:EIP ← ptr16:32;
   FI;
 FI;
FI;
IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
 AND instruction = far JMP 
THEN 
 IF operand type = m16:16 or m16:32
 THEN (* indirect *)
   check access of EA dword;
   #GP(0) or #SS(0) IF limit violation;
 FI;
 Destination selector is not null ELSE #GP(0)
 Destination selector index is within its descriptor table limits ELSE #GP(selector)
 Depending on AR byte of destination descriptor;
   GOTO CONFORMING-CODE-SEGMENT;
   GOTO NONCONFORMING-CODE-SEGMENT;
   GOTO CALL-GATE;
   GOTO TASK-GATE;
   GOTO TASK-STATE-SEGMENT;
 ELSE #GP(selector); (* illegal AR byte in descriptor *)
FI;
CONFORMING-CODE-SEGMENT:
 Descriptor DPL must be ó CPL ELSE #GP(selector);
 Segment must be present ELSE #NP(selector);
 Instruction pointer must be within code-segment limit ELSE #GP(0);
 IF OperandSize = 32 
 THEN Load CS:EIP from destination pointer;
 ELSE Load CS:IP from destination pointer;
 FI;
 Load CS register with new segment descriptor;
NONCONFORMING-CODE-SEGMENT:
 RPL of destination selector must be ò CPL ELSE #GP(selector);
 Descriptor DPL must be = CPL ELSE #GP(selector);
 Segment must be present ELSE #NP(selector);
 Instruction pointer must be within code-segment limit ELSE #GP(0);
 IF OperandSize = 32 
 THEN Load CS:EIP from destination pointer;
 ELSE Load CS:IP from destination pointer;
 FI;
 Load CS register with new segment descriptor;
 Set RPL field of CS register to CPL;
CALL-GATE:
 Descriptor DPL must be ò CPL ELSE #GP(gate selector);
 Descriptor DPL must be ò gate selector RPL ELSE #GP(gate selector);
 Gate must be present ELSE #NP(gate selector);
 Examine selector to code segment given in call gate descriptor:
   Selector must not be null ELSE #GP(0);
   Selector must be within its descriptor table limits ELSE 
     #GP(CS selector);
   Descriptor AR byte must indicate code segment 
     ELSE #GP(CS selector);
   IF non-conforming
   THEN code-segment descriptor DPL must = CPL 
   ELSE #GP(CS selector);
   FI;
   IF conforming 
   THEN code-segment descriptor DPL must be ó CPL;
   ELSE #GP(CS selector);
   Code segment must be present ELSE #NP(CS selector);
   Instruction pointer must be within code-segment limit ELSE #GP(0);
   IF OperandSize = 32 
   THEN Load CS:EIP from call gate;
   ELSE Load CS:IP from call gate;
   FI;
 Load CS register with new code-segment descriptor;
 Set RPL of CS to CPL 
TASK-GATE:
 Gate descriptor DPL must be ò CPL ELSE #GP(gate selector);
 Gate descriptor DPL must be ò gate selector RPL ELSE #GP(gate selector);
 Task Gate must be present ELSE #NP(gate selector);
 Examine selector to TSS, given in Task Gate descriptor:
   Must specify global in the local/global bit ELSE #GP(TSS selector);
   Index must be within GDT limits ELSE #GP(TSS selector);
   Descriptor AR byte must specify available TSS (bottom bits 00001);
     ELSE #GP(TSS selector);
   Task State Segment must be present ELSE #NP(TSS selector);
 SWITCH-TASKS (without nesting) to TSS;
 Instruction pointer must be within code-segment limit ELSE #GP(0);
TASK-STATE-SEGMENT:
 TSS DPL must be ò CPL ELSE #GP(TSS selector);
 TSS DPL must be ò TSS selector RPL ELSE #GP(TSS selector);
 Descriptor AR byte must specify available TSS (bottom bits 00001)
   ELSE #GP(TSS selector);
 Task State Segment must be present ELSE #NP(TSS selector);
 SWITCH-TASKS (without nesting) to TSS;
 Instruction pointer must be within code-segment limit ELSE #GP(0);
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |  |  |  |  |  |  |  |

All if a task switch takes place; none if no task switch occurs.

Protected Mode Exceptions

Far jumps: #GP, #NP, #SS, and #TS, as indicated in the list above. Near direct jumps: #GP(0) if procedure location is beyond the code segment limits; #AC for unaligned memory reference if the current privilege level is 3. Near indirect jumps: #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments: #SS(0) for an illegal address in the SS segment; #GP if the indirect offset obtained is beyond the code segment limits; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would be outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as under Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

All branches are converted into 16-byte code fetches regardless of jump address or cacheability.

LAHF - Load Flags into AH Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9F LAHF X X X X X X AH ← flags (SF,ZF,xx,AF,xx,PF,xx,CF)
Description

The LAHF instruction transfers the low byte of the flags word to the AH register. The bits, from MSB to LSB, are sign, zero, indeterminate, auxiliary, carry, indeterminate, parity, indeterminate, and carry.

Operation
AH ← SF:ZF:xx:AF:xx:PF:xx:CF;
Related Information

LAR-Load Access Rights Byte

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 02 /r LAR r16,r/m16 X X X X r16 ← r/m16 masked by FF00
0F 02 /r LAR r32,r/m32 X X X r32 ← r/m32 masked by 00F?FF00
Description

The LAR instruction stores a marked form of the second doubleword of the descriptor for the source selector if the selector is visible at the current privilege level (modified by the selector's RPL) and is a valid descriptor type within the descriptor limits. The destination register is loaded with the high-order doubleword of the descriptor masked by 00FxFF00, and the ZF flag is set. The x indicates that the four bits corresponding to the upper four bits of the limit are undefined in the value loaded by the LAR instruction. If the selector is invisible or of the wrong type, the ZF flag is cleared. If the 32-bit operand size is specified, the entire 32-bit value is loaded into the 32-bit destination register. If the 16-bit operand size is specified, the lower 16-bits of this value are stored in the 16-bit destination register. All code and data segment descriptors are valid for the LAR instruction. The valid special segment and gate descriptor types for the LAR instruction are given in the following table:

TYPE NAME VALID/INVALID
0 Invalid Invalid
1 Available 16-bit TSS Valid
2 LDT Valid
3 Busy 16-bit TSS Valid
4 16-bit call gate Valid
5 16-bit/32-bit task gate Valid
6 16-bit trap gate Invalid
7 16-bit interrupt gate Invalid
8 Invalid Invalid
9 Available 32-bit TSS Valid
A Invalid Invalid
B Busy 32-bit TSS Valid
C 32-bit call gate Valid
D Invalid Invalid
E 32-bit trap gate Invalid
F 32-bit interrupt gate Invalid
Flags Affected
OF DF IF SF ZF AF PF CF
*

The ZF flag is set unless the selector is invisible or of the wrong type, in which case the ZF flag is cleared.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 6; the LAR instruction is unrecognized in Real Address Mode.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode.

LDS/LES/LFS/LGS/LSS-Load Full Pointer

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
C5 /r LDS r16,m16:16 X X X X X X DS:r16 ← pointer from memory dword
C5 /r LDS r32,m16:32 X X X DS:r32 ← pointer from memory fword
C4 /r LES r16,m16:16 X X X X X X ES:r16 ← pointer from memory dword
C4 /r LES r32,m16:32 X X X ES:r32 ← pointer from memory fword
0F B4 /r LFS r16,m16:16 X X X FS:r16 ← pointer from memory dword
0F B4 /r LFS r32,m16:32 X X X FS:r32 ← pointer from memory fword
0F B5 /r LGS r16,m16:16 X X X GS:r16 ← pointer from memory dword
0F B5 /r LGS r32,m16:32 X X X GS:r32 ← pointer from memory fword
0F B2 /r LSS r16,m16:16 X X X SS:r16 ← pointer from memory dword
0F B2 /r LSS r32,m16:32 X X X SS:r32 ← pointer from memory fword
Description

The LGS, LSS, LDS, LES, and LFS instructions read a full pointer from memory and store it in the selected segment register:register pair. The full pointer loads 16-bits into the segment register SS, DS, ES, FS, or GS. The other register loads 32-bits if the operand-size attribute is 32-bits, or loads 16-bits if the operand-size attribute is 16-bits. The other 16- or 32-bit register to be loaded is determined by the r16 or r32 register operand specified. When an assignment is made to one of the segment registers, the descriptor is also loaded into the segment register. The data for the register is obtained from the descriptor table entry for the selector given. A null selector (values 0000-0003) can be loaded into DS, ES, FS, or GS registers without causing a protection exception. (Any subsequent reference to a segment whose corresponding segment register is loaded with a null selector to address memory causes a #GP(0) exception. No memory reference to the segement occurs.) The following is a listing of the Protected Mode checks and actions taken in the loading of a segment register:

IF SS is loaded;
 IF selector is null THEN #GP(0); FI;
 Selector index must be within its descriptor table limits ELSE 
   #GP(selector);
 Selector's RPL must equal CPL ELSE #GP(selector);
 AR byte must indicate a writable data segment ELSE #GP(selector);
 DPL in the AR byte must equal CPL ELSE #GP(selector);
 Segment must be marked present ELSE #SS(selector);
 Load SS with selector;
 Load SS with descriptor;
IF DS, ES, FS, or GS is loaded with non-null selector:
 Selector index must be within its descriptor table limits ELSE 
   #GP(selector);
 AR byte must indicate data or readable code segment ELSE 
   #GP(selector);
 IF data or nonconforming code 
 THEN both the RPL and the CPL must be less than or equal to DPL in 
   AR byte;
 ELSE #GP(selector);
 Segment must be marked present ELSE #NP(selector);
Load segment register with selector and RPL bits;
Load segment register with descriptor;
IF DS, ES, FS or GS is loaded with a null selector:
 Load segment register with selector;
 Clear descriptor valid bit;
Operation
CASE instruction OF 
 LSS: Sreg is SS; (* Load SS register *)
 LDS: Sreg is DS; (* Load DS register *)
 LES: Sreg is ES; (* Load ES register *)
 LFS: Sreg is FS; (* Load FS register *)
 LGS: Sreg is DS; (* Load GS register *)
ESAC;
IF (OperandSize = 16)
THEN 
 r16 ← [Effective Address]; (* 16-bit transfer *)
 Sreg ← [Effective Address + 2]; (* 16-bit transfer *)
 (* In Protected Mode, load the descriptor into the segment register *)
ELSE (* OperandSize = 32 *)
 r32 ← [Effective Address]; (* 32-bit transfer *)
 Sreg ← [Effective Address + 4]; (* 16-bit transfer *)
 (* In Protected Mode, load the descriptor into the segment register *)
FI;
Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; the second operand must be a memory operand, not a register-if a register then #UD Fault; #GP(0) if a null selector is loaded into SS; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

The second operand must be a memory operand, not a register, Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

LEA-Load Effective Address

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
8D /r LEA r16,m X X X X X X r16 ← effective address for m
8D /r LEA r32,m X X X r32 ← effective address for m
Description

The LEA instruction calculates the effective address (offset part) and stores it in the specified register. The operand-size attribute of the instruction (represented by OperandSize in the algorithm under "Operation" above) is determined by the chosen register. The address-size attribute ( represented by AddressSize) is determined by the attribute of the code segment. (See Operand-Size and Address-Size Attributes.) The address-size and operand-size attributes affect the action performed by the LEA instruction, as follows:

OPERAND SIZE ADDRESS SIZE ACTION PERFORMED
16 16 16-bit effective address is calculated and stored in requested 16-bit register destination.
16 32 32-bit effective address is calculated. The lower 16-bits of the address are stored in the requested 16-bit register destination.
32 16 16-bit effective address is calculated. The 16-bit address is zero-extended and stored in the requested 32-bit register destination.
32 32 32-bit effective address is calculated and stored in the requested 32-bit register destination.
Operation
IF OperandSize = 16 AND AddressSize = 16 
THEN r16 ← Addr(m);
ELSE 
  IF OperandSize = 16 AND AddressSize = 32 
  THEN 
    r16 ← Truncate_to_16bits(Addr(m));  (* 32-bit address *)
  ELSE 
    IF OperandSize = 32 AND AddressSize = 16 
    THEN 
      r32 ← Truncate_to_16bits(Addr(m)) and zero extend;
    ELSE 
      IF OperandSize = 32 AND AddressSize = 32 
      THEN  r32 ← Addr(m);
      FI;
    FI;
  FI;
FI;
Protected Mode Exceptions
#UD if the second operand is a register.
Real Address Mode Exceptions
Interrupt 6 if the second operand is a register.
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode.
Notes

Different assemblers may use different algorithms based on the size attribute and symbolic reference of the second operand.

LEAVE-High Level Procedure Exit

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
C9 LEAVE X X X X X Set SP to BP, then pop BP
C9 LEAVE X X X Set ESP to EBP, then pop EBP
Description

The LEAVE instruction reverses the actions of the ENTER instruction. By copying the frame pointer to the stack pointer, the LEAVE instruction releases the stack space used by a procedure for its local variables. The old frame pointer is popped into the BP or EBP register, restoring the caller's frame. A subsequent RET nn instruction removes any arguments pushed onto the stack of the exiting procedure.

Operation
IF StackAddrSize = 16 
THEN 
  SP ← BP;
ELSE (* StackAddrSize = 32 *)
  ESP ← EBP;
FI;
IF OperandSize = 16 
THEN 
  BP ← Pop();
ELSE (* OperandSize = 32 *)
  EBP ← Pop();
FI;
Protected Mode Exceptions
#SS(0) if the BP register does not point to a location within the limits of the current stack segment.
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.
Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode.

LES-Load Full Pointer

See entry for LDS/LES/LFS/LGS/LSS.

LFS-Load Full Pointer

See entry for LDS/LES/LFS/LGS/LSS.

LGDT/LIDT-Load Global/Interrupt Descriptor Table Register

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+-----------------------------
|0F 01 /2  |LGDT m16&32         | | |X|X|X|X|GDTR ← memory fword (6 bytes)
|----------+--------------------+-+-+-+-+-+-+-----------------------------
|0F 01 /3  |LIDT m16&32         | | |X|X|X|X|IDTR ← memory fword (6 bytes)
Description

The LGDT and LIDT instructions load a linear base address and limit value from a six-byte data operand in memory into the GDTR or IDTR, respectively. If a 16-bit operand is used with the LGDT or LIDT instruction, the register is loaded with a 16-bit limit and a 24-bit base, and the high-order eight bits of the six-byte data operand are not used. If a 32-bit operand is used , a 16-bit limit and a 32-bit base is loaded; the high-order eight bits of the six-byte operand are used as high-order base address bits. The SGDT and SIDT instructions always store into all 48 bits of the six- byte data operand. With the 16-bit processors, the upper eight bits are undefined after the SGDT or SIDT instruction is run. With the 32-bit processors, the upper right eight bits are written with the high-order eight address bits, for both a 16-bit operand and a 32-bit operand. If the LGDT or LIDT instruction is used with a 16-bit operand to load the register stored by the SGDT or SIDT instruction, the upper eight bits are stored as zeros. The LGDT and LIDT instructions appear in operating system software; they are not used in application programs. They are the only instructions that directly load a linear address (i.e., not a segment relative address) in Protected Mode.

Operation
IF instruction = LIDT 
THEN 
  IF OperandSize = 16 
  THEN IDTR.Limit:Base ← m16:24 (* 24-bits of base loaded *)
  ELSE IDTR.Limit:Base ← m16:32
  FI;
ELSE (* instruction = LGDT *)
  IF OperandSize = 16 
  THEN GDTR.Limit:Base ← m16:24 (* 24-bits of base loaded *)
  ELSE GDTR.Limit:Base ← m16:32;
  FI;
FI;
Protected Mode Exceptions
#GP(0) if the current privilege level is not 0; #UD if the source operand is a register; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault.
Real Address Mode Exceptions
Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH; Interrupt 6 if the source operand is a register.

Note: These instructions are valid in Real Address Mode to allow power-up initialization for Protected Mode.

Virtual 8086 Mode Exceptions
Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault.

LGS-Load Full Pointer

See entry for LDS/LES/LFS/LGS/LSS.

LLDT-Load Local Descriptor Table Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 00 /2 LLDT r/m16 X X X X LDTR ← r/m16 selector
Description

The LLDT instruction loads the Local Descriptor Table register (LDTR). The word operand (memory or register) to the LLDT instruction should contain a selector to the Global Descriptor Table (GDT). The GDT entry should be a Local Descriptor Table. If so, then the LDTR is loaded from the entry. The descriptor registers DS, ES, SS, FS, GS, and CS are not affected. The LDT field in the task state segment does not change. The selector operand can be 0; if so, the LDTR is marked invalid. All descriptor references (except by the LAR, VERR, VERW or LSL instructions) cause a #GP fault. The LLDT instruction is used in operating system software; it is not used in application programs.

Operation
LDTR ← SRC;
Protected Mode Exceptions
  1. GP(0) if the current privilege level is not 0; #GP(selector) if the selector operand does not point into the Global Descriptor Table, or if the entry in the GDT is not a Local Descriptor Table; #NP(selector) if the LDT descriptor is not present; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault.
Real Address Mode Exceptions

Interrupt 6; the LLDT instruction is not recognized in Real Address Mode.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode (because the instruction is not recognized, it will not run or perform a memory reference).

Note

The operand-size attribute has no effect on this instruction.

LIDT - Load Interrupt Descriptor Table Register

See entry for LGDT/LIDT-Load Global Descriptor Table Register/Load Interrupt Descriptor Table Register.

LMSW - Load Machine Status Word

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 01 /6 LMSW r/m16 X X X X Load r/m16 into machine status word
Description

The LMSW instruction loads the machine status word (part of the CR0 register) from the source operand. This instruction can be used to switch to Protected Mode; if so, it must be followed by an intrasegment jump to flush the instruction queue. The LMSW instruction will not switch back to Real Address Mode. The LMSW instruction is used only in operating system software. It is not used in application programs.

Operation
MSW ← r/m16; 

(* 16 bits is stored in the machine status word *)

Protected Mode Exceptions
  1. GP(0) if the current privilege level is not 0; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Protected Mode.

Notes

The operand-size attribute has no effect on this instruction. This instruction is provided for compatibility with the Intel286 processor; programs for the Intel386, Intel486, and Pentium processors should use the MOV CR0, ... instruction instead. The LMSW instruction does not affect the PG, ET, or NE bits, and it cannot be used to clear the PE bit.

LOCK - Assert LOCK# Signal Prefix

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F0 LOCK X X X X X X Assert LOCK# signal for next instruction
Description

The LOCK prefix causes the LOCK# signal of the processor to be asserted during processing of the instruction that follows it. In a multiprocessor environment, this signal can be used to ensure that the processor has exclusive use of any shared memory while LOCK# is asserted. The read-modify -write sequence typically used to implement test-and-set on the Pentium processor is the BTS instruction. The LOCK prefix functions only with the following instructions:

BTS, BTR, BTC mem, reg/imm
XCHG reg, mem
XCHG mem, reg
ADD, OR, ADC, SBB, AND, SUB, XOR mem, reg/imm
NOT, NEG, INC, DEC mem
CMPXCHG, XADD

An undefined opcode trap will be generated if a LOCK prefix is used with any instruction not listed above. The XCHG instruction always asserts LOCK# regardless of the presence or absence of the LOCK prefix. The integrity of the LOCK prefix is not affected by the alignment of the memory field. Memory locking is observed for arbitrarily misaligned fields.

Protected Mode Exceptions

'#UD if the LOCK prefix is used with an instruction not listed in the "Description"; section above; other exceptions can be generated by the subsequent (locked) instruction.

Real Address Mode Exceptions

Interrupt 6 if the LOCK prefix is used with an instruction not listed in the "Description" section above; exceptions can still be generated by the subsequent (locked) instruction.

Virtual 8086 Mode Exceptions

'#UD if the LOCK prefix is used with an instruction not listed in the "Description" section above; exceptions can still be generated by the subsequent (locked) instruction.

LODS/LODSB/LODSW/LODSD-Load String Operand

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
AC LODS m8 X X X X X X AL ← byte at [(E)SI]
AD LODS m16 X X X X X X AX ← word at [(E)SI]
AD LODS m32 X X X EAX ← dword at [(E)SI]
AC LODSB X X X X X X AL ← byte at DS:[(E)SI]
AD LODSW X X X X X X AX ← word at DS:[(E)SI]
AD LODSD X X X EAX ← dword at DS:[(E)SI]
Description

The LODS instruction loads the AL, AX, or EAX register with the memory byte, word, or doubleword at the location pointed to by the source-index register. After the transfer is made, the source-index register is automatically advanced. If the DF flag is 0 (the CLD instruction was run), the source index increments; if the DF flag is 1 (the STD instruction was run), it decrements. The increment or decrement is 1 if a byte is loaded, 2 if a word is loaded, or 4 if a doubleword is loaded. If the address-size attribute for this instruction is 16-bits, the SI register is used for the source-index register; otherwise the address-size attribute is 32-bits, and the ESI register is used. The address of the source data is determined solely by the contents of the ESI or SI register. Load the correct index value into the SI register before running the LODS instruction. The LODSB, LODSW, and LODSD instructions are synonyms for the byte, word, and doubleword LODS instructions. The LODS instruction can be preceded by the REP prefix; however, the LODS instruction is used more typically within a LOOP construct, because further processing of the data moved into the EAX, AX, or AL register is usually necessary.

Operation
AddressSize = 16
THEN use SI for source-index
ELSE (* AddressSize = 32 *)
 use ESI for source-index;
FI;
IF byte type of instruction
THEN
 AL ←[source-index]; (* byte load *)
 IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
ELSE 
 IF OperandSize = 16 
 THEN
   AX ← [source-index]; (* word load *)
   IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
 ELSE (* OperandSize = 32 *)
   FAX ← [source-index]; (* dword load *)
   IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
 FI;
FI;
source-index ← source-index + IncDec
Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

LOOP/LOOPcond-Loop Control with CX Counter

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
E2 cb LOOP rel8 X X X X X X DEC (E)CX; jump if (E)CX <> 0
E2 cb LOOPW rel8 X X X DEC CX; jump if CX <> 0
E2 cb LOOPD rel8 X X X DEC ECX; jump if ECX <> 0
E1 cb LOOPE rel8 X X X X X X DEC (E)CX, jump if (E)CX <> 0 and ZF=1
E1 cb LOOPEW rel8 X X X DEC CX, jump if CX <> 0 and ZF=1
E1 cb LOOPED rel8 X X X DEC ECX; jump if ECX <> 0 and ZF=1
E1 cb LOOPZ rel8 X X X X X X DEC (E)CX; jump if (E)CX <> 0 and ZF=1
E1 cb LOOPZW rel8 X X X DEC CX; jump if CX <> 0 and ZF=1
E1 cb LOOPZD rel8 X X X DEC ECX; jump if ECX <> 0 and ZF=1
E0 cb LOOPNE rel8 X X X X X X DEC (E)CX; jump if (E)CX <> 0 and ZF=0
E0 cb LOOPNEW rel8 X X X DEC CX; jump if CX <> 0 and ZF=0
E0 cb LOOPNED rel8 X X X DEC ECX; jump if ECX <> 0 and ZF=0
E0 cb LOOPNZ rel8 X X X X X X DEC (E)CX; jump if (E)CX <> 0 and ZF=0
E0 cb LOOPNZW rel8 X X X DEC CX; jump if CX <> 0 and ZF=0
E0 cb LOOPNZD rel8 X X X DEC ECX; jump if ECX <> 0 and ZF=0
Description

The LOOP instruction decrements the count register without changing any of the flags. Conditions are then checked for the form of the LOOP instruction being used. If the conditions are met, a short jump is made to the label given by the operand to the LOOP instruction. If the address-size attribute is 16-bits, the CX register is used as the count register; otherwise the ECX register is used. The operand of the LOOP instruction must be in the range from 128 (decimal) bytes before the instruction to 127 bytes ahead of the instruction. The LOOP instructions provide iteration control and combine loop index management with conditional branching. Use the LOOP instruction by loading an unsigned iteration count into the count register, then code the LOOP instruction at the end of a series of instructions to be iterated. The destination of the LOOP instruction is a label that points to the beginning of the iteration.

Operation
IF AddressSize = 16 THEN CountReg is CX ELSE CountReg is ECX; FI;
CountReg ← CountReg - 1;

IF instruction<> LOOP 
THEN 
   IF (instruction = LOOPE) OR (instruction = LOOPZ)
   THEN BranchCond ← (ZF = 1) AND (CountReg <> 0);
   FI;
   IF (instruction = LOOPNE) OR (instruction = LOOPNZ)
   THEN BranchCond ← (ZF = 0) AND (CountReg <> 0);
   FI;
FI;

IF BranchCond 
THEN 
   IF OperandSize = 16 
   THEN
     IP ← IP + SignExtend(rel8);
   ELSE (* OperandSize = 32 *)
     EIP ← EIP + SignExtend(rel8);
   FI;
FI;
Protected Mode Exceptions
  1. GP(0) if the offset jumped to is beyond the limits of the current code segment.
Notes

The unconditional LOOP instruction takes longer to run than a two- instruction sequence, which decrements the counter register and jumps if the count does not equal zero. All branches are converted into 16-byte code fetches regardless of jump address or cacheability.

LSL - Load Segment Limit

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 03 /r LSL r16,r/m16 X X X X r16 ← byte granular segment limit for selector r/m16
0F 03 /r LSL r32,r/m32 X X X r32 ← byte granular segment limit for selector r/m32
0F 03 /r LSL r16,r/m16 X X X X r16 ← page granular segment limit for selector r/m16
0F 03 /r LSL r32,r/m32 X X X r32 ← page granular segment limit for selector r/m32
Description

The LSL instruction loads a register with an unscrambled segment limit, and sets the ZF flag, provided that the source selector is visible at the current privilege level and RPL, within the descriptor table, and that the descriptor is a type accepted by the LSL instruction. Otherwise, the ZF flag is cleared, and the destination register is unchanged. The segment limit is loaded as a byte granular value. If the descriptor has a page granular segment limit, the LSL instruction will translate it to a byte limit before loading it in the destination register (shift left 12 the 20- bit "raw" limit from descriptor, then OR with 00000FFFH). The 32-bit forms of the LSL instruction store the 32-bit byte granular limit in the 32-bit destination register. For 16-bit operand sizes, the limit is computed to form a valid 32-bit limit. However, the upper 16 bits are chopped and only the low-order 16 bits are loaded into the destination operand. Code and data segment descriptors are valid for the LSL instruction. The valid special segment and gate descriptor types for the LSL instruction are given in the following table:

TYPE NAME VALID/INVALID
0 Invalid Invalid
1 Available 16-bit TSS Valid
2 LDT Valid
3 Busy 16-bit TSS Valid
4 16-bit call gate Invalid
5 16-bit/32-bit task gate Invalid
6 16-bit trap gate Invalid
7 16-bit interrupt gate Invalid
8 Invalid Invalid
9 Available 32-bit TSS Valid
A Invalid Invalid
B Busy 32-bit TSS Valid
C 32-bit call gate Invalid
D Invalid Invalid
E 32-bit trap gate Invalid
F 32-bit interrupt gate Invalid
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|  |  |  |  |* |  |  |

The ZF flag is set unless the selector is invisible or of the wrong type, in which case the ZF flag is cleared.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments: #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 6; the LSL instruction is not recognized in Real Address Mode.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode (because the instruction is not recognized, it will not run or perform a memory reference).

LSS-Load Full Pointer

See entry for LDS/LES/LFS/LGS/LSS.

LTR-Load Task Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 00 /3 LTR r/m16 X X X X Load EA word into task register
Description

The LTR instruction loads the task register with a selector from the source register or memory location specified by the operand. The loaded TSS is marked busy. A task switch does not occur. The LTR instruction is used only in operating system software; it is not used in application programs.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #GP(0) if the current privilege level is not 0; #GP(selector) if the object named by the source selector is not a TSS or is already busy; #NP(selector) if the TSS is marked "not present;" #PF(fault-code) for a page fault.
Real Address Mode Exceptions

Interrupt 6; the LTR instruction is not recognized in Real Address Mode.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode.

Notes

The operand-size attribute has no effect on this instruction.

MOV - Move Data

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
88 /r MOV r/m8,r8 X X X X X X Move byte register to r/m byte
89 /r MOV r/m16,r16 X X X X X X Move word register to r/m word
89 /r MOV r/m32,r32 X X X Move dword register to r/m dword
8A /r MOV r8,r/m8 X X X X X X Move r/m byte to byte register
8B /r MOV r16,r/m16 X X X X X X Move r/m word to word register
8B /r MOV r32,r/m32 X X X Move r/m dword to dword register
8C /r MOV r/m16,Sreg X X X X X X Move segment register to r/m word
8E /r MOV Sreg,r/m16 X X X X X X Move r/m word to segment register
A0 MOV AL,moffs8 X X X X X X Move byte at (seg:offset) to AL
A1 MOV AX,moffs16 X X X X X X Move word at (seg:offset) to AX
A1 MOV EAX,moffs32 X X X Move dword at (seg:offset) to EAX
A2 MOV moffs8,AL X X X X X X Move AL to (seg:offset)
A3 MOV moffs16,AX X X X X X X Move AX to (seg:offset)
A3 MOV moffs32,EAX X X X Move EAX to (seg:offset)
B0+rb MOV r8,imm8 X X X X X X Move immediate byte to byte register
B8+rw MOV r16,imm16 X X X X X X Move immediate word to word register
B8+rd MOV r32,imm32 X X X Move immediate dword to dword register
C6 /0 MOV r/m8,imm8 X X X X X X Move immediate byte to r/m byte
C7 /0 MOV r/m16,imm16 X X X X X X Move immediate word to r/m word
C7 /0 MOV r/m32,imm32 X X X Move immediate dword to r/m dword
Description

The MOV instruction copies the second operand to the first operand. If the destination operand is a segment register (DS, ES, SS, etc.), then data from a descriptor is also loaded into the shadow portion of the register. The data for the register is obtained from the descriptor table entry for the selector given. A null selector (values 0000-0003) can be loaded into the DS, ES, FS, and GS registers without causing an exception; however, use of these registers causes a #GP(0) exception, and no memory reference occurs. A MOV into SS instruction inhibits all interrupts until after the processing of the next instruction (which should be a MOV into ESP instruction). Loading a segment register under Protected Mode results in special checks and actions, as described in the following listing:

IF SS is loaded;
THEN 
   IF selector is null THEN #GP(0);
   Selector index must be within its descriptor table limits else #GP(selector);
   Selector's RPL must equal CPL else #GP(selector);
   AR byte must indicate a writable data segment else #GP(selector);
   DPL in the AR byte must equal CPL else #GP(selector);
   Segment must be marked present else #SS(selector);
   Load SS with selector;
   Load SS with descriptor.
FI;
IF DS, ES, FS or GS is loaded with non-null selector;
THEN 
   Selector index must be within its descriptor table limits 
      else #GP(selector);
   AR byte must indicate data or readable code segment else #GP(selector);
   IF data or nonconforming code segment 
   THEN both the RPL and the CPL must be less than or equal to DPL in AR byte;
   ELSE #GP(selector);
   FI;
   Segment must be marked present else #NP(selector);
   Load segment register with selector;
   Load segment register with descriptor;
FI;
IF DS, ES, FS or GS is loaded with a null selector;
THEN 
   Load segment register with selector;
   Clear descriptor valid bit;
FI;
Operation
DEST ← SRC;
Protected Mode Exceptions
  1. GP, #SS, and #NP if a segment register is being loaded; otherwise, #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

MOV - Move to/from Control Registers

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 22 /r MOV CR0,r32 X X X Move r32 to control register 0
0F 22 /r MOV CR2,r32 X X X Move r32 to control register 2
0F 22 /r MOV CR3,r32 X X X Move r32 to control register 3
0F 22 /r MOV CR4,r32 X Move r32 to control register 4
0F 20 /r MOV r32,CR0 X X X Move control register 0 to r32
0F 20 /r MOV r32,CR2 X X X Move control register 2 to r32
0F 20 /r MOV r32,CR3 X X X Move control register 3 to r32
0F 20 /r MOV r32,CR4 X Move control register 4 to r32
Description

The above forms of the MOV instruction store or load CR0, CR2, CR3, and CR4 to or from a general purpose register. Thirty-two bit operands are always used with these instructions, regardless of the operand-size attribute. Operation

DEST ← SRC;

Flags Affected
OF DF IF SF ZF AF PF CF
? ? ? ? ? ?

The OF, SF, ZF, AF, PF, and CF flags are undefined.

Protected Mode Exceptions
  1. GP(0) if the current privilege level is not 0. #GP(0) if an attempt is made to write a 1 to any reserved bits of CR4.
Real Address Mode Exceptions

Interrupt 13 if an attempt is made to write a 1 to any reserved bits of CR4.

Virtual 8086 Mode Exceptions
  1. GP(0) if instruction processing is attempted.
Notes

The reg field within the ModR/M byte specifies which of the special registers in each category is involved. The two bits in the mod field are always 11. The r/m field specifies the general register involved. Always set undefined or reserved bits to the value previously read.

MOV-Move to/from Debug Registers

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 21 /r MOV r32,DR0-3 X X X Move debug register (0,1,2, or 3) to r32
0F 21 /r MOV r32,DR4/DR5 X Move debug register (4 or 5) to r32
0F 21 /r MOV r32,DR6/DR7 X X X Move debug register (6 or 7) to r32
0F 23 /r MOV DR0-DR3,r32 X X X Move r32 to debug register (0,1,2, or 3)
0F 23 /r MOV DR4/DR5,r32 X Move r32 to debug register (4 or 5)
0F 23 /r MOV DR6/DR7,r32 X X X Move r32 to debug register (6 or 7)
Description

The above forms of the MOV instruction store or load the DR0, DR1, DR2, DR3 , DR6 and DR7 debug resisters to or from a general purpose register. Thirty-two bit operands are always used with these instructions, regardless of the operand-size attribute. When the DE (Debug Extension) bit in CR4 is clear, MOV instructions using debug registers operate in a manner that is compatible with Intel386 and Intel486 CPUs. References to DR4 and DR5 refer to DR6 and DR7, respectively. When the DE bit in CR4 is set, attempts to run MOV instructions using DR4 and DR5 result in an Undefined Opcode (#UD) exception.

Operation
IF ((DE = 1) and (SRC or DEST = DR4 or DR5))
THEN 
  #UD;
ELSE 
  DEST ← SRC;
Flags Affected
OF DF IF SF ZF AF PF CF
? ? ? ? ? ?

The OF, SF, ZF, AF, PF, and CF flags are undefined.

Protected Mode Exceptions
  1. GP(0) if the current privilege level is not 0. #UD if the DE (Debug Extensions) bit of CR4 is set and a MOV instruction is run using DR4 or DR5.
Real Address Mode Exceptions
  1. GP(0) if an attempt is made to write a 1 to any reserved bits of CR4. #UD if the DE (Debug Extensions) bit of CR4 is set and a MOV instruction is run using DR4 or DR5.
Virtual 8086 Mode Exceptions
  1. GP(0) if instruction processing is attempted.
Notes

The instructions must be run at privilege level 0 or in real-address mode; otherwise, a protection exception will be raised. The reg field within the ModR/M byte specifies which of the special registers in each category is involved. The two bits in the mod field are always 11. The r/m field specifies the general register involved. Always set undefined or reserved bits to the value previously read.

MOV-Move to/from Test Registers

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 24 /r MOV r32,TR3 X Move test register (3) to r32
0F 24 /r MOV r32,TR4/TR5 X Move test register (4 or 5) to r32
0F 24 /r MOV r32,TR6/TR7 X X Move test register (6 or 7) to r32
0F 26 /r MOV TR3,r32 X Move r32 to test register (3)
0F 26 /r MOV TR4/TR5,r32 X Move r32 to test register (4 or 5)
0F 26 /r MOV TR6/TR7,r32 X X Move r32 to test register (6 or 7)
Description

The above forms of the MOV instruction store or load TR3, TR4, TR5, TR6, and TR7 to or from a general purpose register. Thirty-two bit operands are always used with these instructions, regardless of the operand-size attribute.

Operation
DEST ← SRC;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|? |  |  |? |? |? |? |?

The OF, SF, ZF, AF, PF, and CF flags are undefined.

Protected Mode Exceptions
  1. GP(0) if the current privilege level is not 0. #GP(0) if an attempt is made to write a 1 to any reserved bits of CR4.
Real Address Mode Exceptions

Interrupt 13 if an attempt is made to write a 1 to any reserved bits of CR4.

Virtual 8086 Mode Exceptions
  1. GP(0) if instruction processing is attempted.
Notes

The instructions must be run at privilege level 0 or in real-address mode; otherwise, a protection exception will be raised. The reg field within the ModR/M byte specifies which of the special registers in each category is involved. The two bits in the mod field are always 11. The r/m field specifies the general register involved. Always set undefined or reserved bits to the value previously read.

MOVS/MOVSB/MOVSW/MOVSD - Move Data from String to String

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
A4 MOVS m8,m8 X X X X X X Move byte [(E)SI] to ES:[(E)DI]
A5 MOVS m16,m16 X X X X X X Move word [(E)SI] to ES:[(E)DI]
A5 MOVS m32,m32 X X X Move dword [(E)SI] to ES:[(E)DI]
A4 MOVSB X X X X X X Move byte DS:[(E)SI] to ES:[(E)DI]
A5 MOVSW X X X X X X Move word DS:[(E)SI] to ES:[(E)DI]
A5 MOVSD X X X Move dword DS:[(E)SI] to ES:[(E)DI]
Description

The MOVS instruction copies the byte or word at [(E)SI] to the byte or word at ES:[(E)DI]. The destination operand must be addressable from the ES register; no segment override is possible for the destination. A segment override can be used for the source operand; the default is the DS register. The addresses of the source and destination are determined solely by the contents of the (E)SI and (E)DI registers. Load the correct index values into the (E)SI and (E)DI registers before running the MOVS instruction. The MOVSB, MOVSW, and MOVSD instructions are synonyms for the byte, word, and doubleword MOVS instructions. After the data is moved, both the (E)SI and (E)DI registers are advanced automatically. If the DF flag is 0 (the CLD instruction was run), the registers are incremented; if the DF flag is 1 (the STD instruction was run ), the registers are decremented. The registers are incremented or decremented by 1 if a byte was moved, 2 if a word was moved, or 4 if a doubleword was moved. The MOVS instruction can be preceded by the REP prefix for block movement of ECX bytes or words. Refer to the REP instruction for details of this operation.

Operation

IF (instruction = MOVSD) OR (instruction has doubleword operands)
THEN OperandSize ← 32;
ELSE OperandSize ← 16;
IF AddressSize = 16 
THEN use SI for source-index and DI for destination-index;
ELSE (* AddressSize = 32 *)
  use ESI for source-index and EDI for destination-index;
FI;
IF byte type of instruction 
THEN 
  [destination-index] ← [source-index]; (* byte assignment *)
  IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
ELSE 
  IF OperandSize = 16 
  THEN
     [destination-index] ← [source-index]; (* word assignment *)
     IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
  ELSE (* OperandSize = 32 *)
     [destination-index] ← [source-index]; (* doubleword assignment *)
     IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
  FI;
FI;
source-index ← source-index + IncDec;
destination-index ← destination-index + IncDec;

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

MOVSX - Move with Sign-Extend

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F BE /r MOVSX r16,r/m8 X X X r16 ← sign-extended r/m byte
0F BE /r MOVSX r32,r/m8 X X X r32 ← sign-extended r/m byte
0F BF /r MOVSX r32,r/m16 X X X r32 ← sign-extended r/m word
Description

The MOVSX instruction reads the contents of the effective address or register as a byte or a word, sign-extends the value to the operand-size attribute of the instruction (16 or 32 bits), and stores the result in the destination register.

Operation
DEST ← SignExtend(SRC);
Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

MOVZX - Move with Zero-Extend

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F B6 /r MOVZX r16,r/m8 X X X r16 ← zero-extended r/m byte
0F B6 /r MOVZX r32,r/m8 X X X r32 ← zero-extended r/m byte
0F B7 /r MOVZX r32,r/m16 X X X r32 ← zero-extended r/m word
Description

The MOVZX instruction reads the contents of the effective address or register as a byte or a word, zero extends the value to the operand-size attribute of the instruction (16 or 32 bits), and stores the result in the destination register.

Operation
DEST ←ZeroExtend(SRC);
Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same Exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

MUL - Unsigned Multiplication of AL, AX, or EAX

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F6 /r MUL r/m8 X X X X X X Unsigned multiply (AX ← AL * r/m byte)
F7 /4 MUL r/m16 X X X X X X Unsigned multiply (DX:AX ← AX * r/m word)
F7 /4 MUL r/m32 X X X Unsigned multiply (EDX:EAX ← EAX * r/m dword)
Description

The MUL instruction performs unsigned multiplication. Its actions depend on the size of its operand, as follows:

  • A byte operand is multiplied by the AL value; the result is left in the AX register. The CF and OF flags are cleared if the AH value is 0; otherwise, they are set.
  • A word operand is multiplied by the AX value; the result is left in the DX :AX register pair. The DX register contains the high-order 16-bits of the product. The CF and OF flags are cleared if the DX value is 0; otherwise, they are set.
  • A doubleword operand is multiplied by the EAX value and the result is left in the EDX:EAX register. The EDX register contains the high-order 32-bits of the product. The CF and OF flags are cleared if the EDX value is 0; otherwise, they are set.
Operation
IF byte-size operation 
THEN AX ← AL * r/m8
ELSE (* word or doubleword operation *)
   IF OperandSize = 16 
   THEN DX:AX ← AX * r/m16
   ELSE (* OperandSize = 32 *)
      EDX:EAX ← EAX * r/m32
   FI;
FI;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|* |  |  |? |? |? |? |*

The OF and CF flags are cleared if the upper half of the result is 0; otherwise they are set; the SF, ZF, AF, and PF flags are undefined.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

NEG-Two's Complement Negation

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F6 /3 NEG r/m8 X X X X X X Two's complement negate r/m byte
F7 /3 NEG r/m16 X X X X X X Two's complement negate r/m word
F7 /3 NEG r/m32 X X X Two's complement negate r/m dword
Description

The NEG instruction replaces the value of a register or memory operand with its two's complement. The operand is subtracted from zero, and the result is placed in the operand. The CF flag is set, unless the operand is zero, in which case the CF flag is cleared.

Operation
IF r/m = 0 THEN CF ← 0 ELSE CF ← 1; FI;
r/m ← - r/m
Flags Affected
OF|DF|IF|SF|ZF|AF|PF|CF
--+--+--+--+--+--+--+--
* |  |  |* |* |* |* |*

The CF flag is set unless the operand is zero, in which case the CF flag is cleared; the OF, SF, ZF, and PF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

NOP - No Operation

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
90 NOP X X X X X X No operation
Description

The NOP instruction performs no operation. The NOP instruction is a one- byte instruction that takes up space but affects none of the machine context except the (E)IP register. The NOP instruction is an alias mnemonic for the XCHG (E)AX, (E)AX instruction.

NOT - One's Complement Negation

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F6 /2 NOT r/m8 X X X X X X Reverse each bit of r/m byte
F7 /2 NOT r/m16 X X X X X X Reverse each bit of r/m word
F7 /2 NOT r/m32 X X X Reverse each bit of r/m dword
Description

The NOT instruction inverts the operand; every 1 becomes a 0, and vice versa.

Operation
r/m ← NOT r/m
Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

OR-Logical Inclusive OR

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0C ib OR AL,imm8 X X X X X X OR immediate byte to AL
0D iw OR AX,imm16 X X X X X X OR immediate word to AX
0D id OR EAX,imm32 X X X OR immediate dword to EAX
80 /1 ib OR r/m8,imm8 X X X X X X OR immediate byte to r/m byte
81 /1 iw OR r/m16,imm16 X X X X X X OR immediate word to r/m word
81 /1 id OR r/m32,imm32 X X X OR immediate dword to r/m dword
83 /1 ib OR r/m16,imm8 X X X OR sign-extended immediate byte with r/m word
81 /1 ib OR r/m32,imm8 X X X OR sign-extended immediate byte with r/m dword
08 /r OR r/m8,r8 X X X X X X OR byte register to r/m byte
09 /r OR r/m16,r16 X X X X X X OR word register to r/m word
09 /r OR r/m32,r32 X X X OR dword register to r/m dword
0A /r OR r8,r/m8 X X X X X X OR byte register to r/m byte
0B /r OR r16,r/m16 X X X X X X OR word register to r/m word
0B /r OR r32,r/m32 X X X OR dword register to r/m dword
Description

The OR instruction computes the inclusive OR of its two operands and places the result in the first operand. Each bit of the result if 0 if both corresponding bits of the operands are 0; otherwise, each bit is 1.

Operation
DEST ← DEST OR SRC;
CF ← 0;
OF ← 0
Flags Affected
OF|DF|IF|SF|ZF|AF|PF|CF
--+--+--+--+--+--+--+--
0 |  |  |* |* |? |* |0

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result; the AF flag is undefined.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

OUT - Output to Port

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
E6 ib OUT imm8,AL X X X X X X Output byte from AL to port imm8
E7 ib OUT imm8,AX X X X X X X Output word from AX to port imm8
E7 ib OUT imm8,EAX X X X Output dword from EAX to port imm8
EE OUT DX,AL X X X X X X Output byte from AL to port number in DX
EF OUT DX,AX X X X X X X Output word from AX to port number in DX
EF OUT DX,EAX X X X Output dword from EAX to port number in DX
Description

The OUT instruction transfers a data byte or data word from the register (AL, AX, or EAX) given as the second operand to the output port numbered by the first operand. Output to any port from 0 to 65535 is performed by placing the port number in the DX register and then using an OUT instruction with the DX register as the first operand. If the instruction contains an eight-bit port ID, that value is zero-extended to 16-bits.

Operation
IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
  IF NOT I-O-Permission (DEST, width(DEST))
  THEN #GP(0);
  FI;
FI;
[DEST] ← SRC; (* I/O address space used *)
Protected Mode Exceptions
  1. GP(0) if the current privilege level is higher (has less privilege) than the I/O privilege level and any of the corresponding I/O permission bits in the TSS equals 1.
Virtual 8086 Mode Exceptions
  1. GP(0) fault if any of the corresponding I/O permission bits in the TSS equals 1.
Notes

After the OUT or OUTS instructions are run, the Pentium processor ensures that the EWBE# has been sampled active before beginning to run the next instruction. Note that the instruction may be prefetched if EWBE# is not active, but it will not run until EWBE# is sampled active.

OUTS/OUTSB/OUTSW/OUTSD - Output String to Port

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
6E OUTS DX,r/m8 X X X X X Output byte [(E)SI] to port in DX
6F OUTS DX,r/m16 X X X X X Output word [(E)SI] to port in DX
6F OUTS DX,r/m32 X X X Output dword [(E)SI] to port in DX
6E OUTSB X X X X X Output byte [DS:(E)SI] to port in DX
6F OUTSW X X X X X Output word [DS:(E)SI] to port in DX
6F OUTSD X X X Output dword [DS:(E)SI] to port in DX
Description

The OUTS instruction transfers data from the memory byte, word, or doubleword at the source-index register to the output port addressed by the DX register. If the address-size attribute for this instruction is 16-bits, the SI register is used for the source-index register; otherwise, the address-size attribute is 32-bits, and the ESI register is used for the source-index register. The OUTS instruction does not allow specification of the port number as an immediate value. The port must be addressed through the DX register value. Load the correct value into the DX register before running the OUTS instruction. The address of the source data is determined by the contents of source- index register. Load the correct index value into the SI or ESI register before running the OUTS instruction. After the transfer, source-index register is advanced automatically. If the DF flag is 0 (the CLD instruction was run), the source-index register is incremented; if the DF flag is 1 (the STD instruction was run), it is decremented. The amount of the increment or decrement is 1 if a byte is output, 2 if a word is output, or 4 if a doubleword is output. The OUTSB, OUTSW, and OUTSD instructions are synonyms for the byte, word, and doubleword OUTS instructions. The OUTS instruction can be preceded by the REP prefix for block output of ECX bytes or words. Refer to the REP instruction for details on this operation.

Operation
IF AddressSize = 16 
THEN use SI for source-index;
ELSE (* AddressSize = 32 *)
   use ESI for source-index;
FI;

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL))
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *)
   IF NOT I-O-Permission (DEST, width(DEST))
   THEN #GP(0);
   FI;
FI;
IF byte type of instruction 
THEN 
   [DX] ← [source-index]; (* Write byte at DX I/O address *)
   IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
FI;
IF OperandSize = 16 
THEN 
   [DX] ← [source-index]; (* Write word at DX I/O address *)
   IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
FI;
IF OperandSize = 32 
THEN 
   [DX] ← [source-index]; (* Write dword at DX I/O address *)
   IF DF = THEN IncDec ← 4 ELSE IncDec ← -4; FI;
   FI;
FI;
source-index ← source-index + IncDec;
Protected Mode Exceptions
#GP(0) if the current privilege level is greater than the I/O privilege level and any of the corresponding I/O permission bits in TSS equals 1; #GP (0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault- code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions
  1. GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Notes

After the OUT or OUTS instructions are run, the Pentium processor ensures that the EWBE# has been sampled active before beginning to run the next instruction. Note that the instruction may be prefetched if EWBE# is not active, but it will not run until EWBE# is sampled active.

POP - Pop a Word from the Stack

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
58+rw POP r16 X X X X X X Pop top of stack into word register
58+rd POP r32 X X X Pop top of stack into dword register
8F /0 POP m16 X X X X X X Pop top of stack into memory word
8F /0 POP m32 X X X Pop top of stack into memory dword
1F POP DS X X X X X X Pop top of stack into DS
07 POP ES X X X X X X Pop top of stack into ES
0F A1 POP FS X X X Pop top of stack into FS
0F A9 POP GS X X X Pop top of stack into GS
17 POP SS X X X X X X Pop top of stack into SS
Description

The POP instruction replaces the previous contents of the memory, the register, or the segment register operand with the word on the top of the processor stack, addressed by SS:SP (address-size attribute of 16 bits) or SS:ESP (address-size attribute of 32 bits). The stack pointer SP is incremented by 2 for an operand-size of 16 bits or by 4 for an operand-size of 32 bits. It then points to the new top of stack. The POP CS instruction is not a processor instruction. Popping from the stack into the CS register is accomplished with a RET instruction. If the destination operand is a segment register (DS, ES, FS, GS, or SS), the value popped must be a selector. In protected mode, loading the selector initiates automatic loading of the descriptor information associated with that selector into the hidden part of the segment register; loading also initiates validation of both the selector and the descriptor information. A null value (0000-0003) may be popped into the DS, ES, FS, or GS register without causing a protection exception. An attempt to reference a segment whose corresponding segment register is loaded with a null value causes a # GP(0) exception. No memory reference occurs. The saved value of the segment register is null. A POP SS instruction inhibits all interrupts, including NMI, until after processing of the next instruction. This allows sequential processing of POP SS and MOV eSP, eBP instructions without danger of having an invalid stack during an interrupt. However, use of the LSS instruction is the preferred method of loading the SS and eSP registers. A POP-to-memory instruction, which uses the stack pointer (ESP) as a base register, references memory after the POP. The base used is the value of the ESP after the instruction runs. Loading a segment register while in protected mode results in special checks and actions, as described in the following listing:

IF SS is loaded:
   IF selector is null THEN #GP(0);
   Selector index must be within its descriptor table limits ELSE 
      #GP(selector);
   Selector's RPL must equal CPL ELSE #GP(selector);
   AR byte must indicate a writable data segment ELSE #GP(selector);
   DPL in the AR byte must equal CPL ELSE #GP(selector);
   Segment must be marked present ELSE #SS(selector);
   Load SS register with selector;
   Load SS register with descriptor;

IF DS, ES, FS or GS is loaded with non-null selector:
   AR byte must indicate data or readable code segment ELSE 
      #GP(selector);
   IF data or nonconforming code 
   THEN both the RPL and the CPL must be less than or equal to DPL in 
   AR byte 
   ELSE #GP(selector);
   FI;
   Segment must be marked present ELSE #NP(selector);
   Load segment register with selector;
   Load segment register with descriptor;

IF DS, ES, FS, or GS is loaded with a null selector:
   Load segment register with selector 
   Clear valid bit in invisible portion of register 
Operation
IF StackAddrSize = 16 
THEN 
   IF OperandSize = 16 
   THEN
      DEST ← (SS:SP); (* copy a word *)
      SP ← SP + 2;
   ELSE (* OperandSize = 32 *)
      DEST ← (SS:SP); (* copy a dword *)
      SP ← SP + 4;
   FI;
ELSE (* StackAddrSize = 32 *)
   IF OperandSize = 16 
   THEN
      DEST ← (SS:ESP); (* copy a word *)
      ESP ← ESP + 2;
   ELSE (* OperandSize = 32 *)
      DEST ← (SS:ESP); (* copy a dword *)
      ESP ← ESP + 4;
   FI;
FI;
Protected Mode Exceptions
  1. GP, #SS, and #NP if a segment register is being loaded, #SS(0) if the current top of stack is not within the stack segment; #GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

Back-to-back PUSH/POP instruction sequences are allowed without incurring an additional clock. The stack segment descriptor's B bit will determine the size of Stack Addr Size. Pop ESP instructions increments the stack pointer (ESP) before data at the old top of stack is written into the destination.

POPA/POPAD-Pop all General Registers

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
61 POPA X X X X X Pop DI, SI, BP, BX, DX, CX, and AX
61 POPAD X X X Pop EDI, ESI, EBP, EBX, EDX, ECX, and EAX
Description

The POPA instruction pops the eight 16-bit general registers. However, the SP value is discarded instead of loaded into the SP register. The POPA instruction reverses a previous PUSHA instruction, restoring the general registers to their values before the PUSHA instruction was run. The first register popped is the DI register. The POPAD instruction pops the eight 32-bit general registers. The ESP value is discarded instead of loaded into the ESP register. The POPAD instruction reverses the previous PUSHAD instruction, restoring the general registers to their values before the PUSHAD instruction was run. The first register popped is the EDI register.

Operation
IF OperandSize = 16 (* instruction = POPA *)
THEN 
  DI ← Pop();
  SI ← Pop();
  BP ← Pop();
  increment SP by 2 (* skip next 2 bytes of stack *)
  BX ← Pop();
  DX ← Pop();
  CX ← Pop();
  AX ← Pop();
ELSE (* OperandSize = 32, instruction = POPAD *)
  EDI ← Pop();
  ESI ← Pop();
  EBP ← Pop();
  increment SP by 4 (* skip next 4 bytes of stack *)
  EBX ← Pop();
  EDX ← Pop();
  ECX ← Pop();
  EAX ← Pop();
FI;
Protected Mode Exceptions
  1. SS(0) if the starting or ending stack address is not within the stack segment; #PF(fault-code) for a page fault.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault.

POPF/POPFD - Pop Stack into FLAGS or EFLAGS Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9D POPF X X X X X X Pop top of stack into FLAGS
9D POPFD X X X Pop top of stack into EFLAGS
Description

The POPF and POPFD instructions pop the word or doubleword on the top of the stack and store the value in the FLAGS register. If the operand-size attribute of the instruction is 16 bits, then a word is popped and the value is stored in the FLAGS register. If the operand-size attribute is 32 bits, then a doubleword is popped and the value is stored in the EFLAGS register. When the IOPL is less than 3 in virtual-8086 mode, the POPF instruction causes a general protection exception. When the IOPL is equal to 3 while running in virtual-8086 mode, POPF pops a word into the FLAGS register. Refer to the Intel documentation for information about the FLAGS and EFLAGS registers. Note that bits 16 and 17 of the EFLAGS register, called the VM and RF flags, respectively, are not affected by the POPF or POPFD instruction. The I/O privilege level is altered only when running at privilege level 0. The interrupt flag is altered only when running at a level at least as privileged as the I/O privilege level. (Real-address mode is equivalent to privilege level 0.) If a POPF instruction is run with insufficient privilege, an exception does not occur, but the privileged bits do not change.

Operation
IF VM=0 (* Not in Virtual-8086 Mode *)
THEN 
   IF OperandSize=32;
   THEN EFLAGS ← Pop() AND 277FD7H;
   ELSE FLAGE ← Pop();
   FI;
ELSE (* In Virtual-8086 Mode *)
   IF IOPL=3
   THEN
      IF OperandSize=32
      THEN 
         TempEflags ← Pop();
         EFLAGS ← ((EFLAGS AND 1B3000H) OR (TempEflags AND ~ 1B3000H))
                            (* VM, RF, IOPL, VIP, and VIF of EGLAGS bits are 
                               not modified by POPFD *)
      ELSE 
        FLAGS ← Pop()
      FI;
   ELSE
      #GP(0); (* trap to virtual-8086 monitor *)
   FI;
FI;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|* |* |* |* |* |* |* |*

All flags except the VM, RF, IOPL, VIF and VIP flags.

Protected Mode Exceptions
  1. SS(0) if the top of stack is not within the stack segment.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions
  1. GP(0) fault if the I/O privilege level is less than 3 in order to permit emulation. #GP(0) if an attempt is made to run POPF with an operand-size override prefix.

PUSH - Push Operand onto the Stack

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
50+rw PUSH r16 X X X X X X Push register word
50+rd PUSH r32 X X X Push register dword
FF /6 PUSH m16 X X X X X X Push memory word
FF /6 PUSH m32 X X X Push memory dword
6A PUSH imm8 X X X X X Push immediate byte
68 PUSH imm16 X X X X X Push immediate word
68 PUSH imm32 X X X Push immediate dword
0E PUSH CS X X X X X X Push CS
1E PUSH DS X X X X X X Push DS
06 PUSH ES X X X X X X Push ES
0F A0 PUSH FS X X X Push FS
0F A8 PUSH GS X X X Push GS
16 PUSH SS X X X X X X Push SS
Description

The PUSH instruction decrements the stack pointer by 2 if the operand-size attribute of the instruction is 16 bits; otherwise, it decrements the stack pointer by 4. The PUSH instruction then places the operand on the new top of stack, which is pointed to by the stack pointer. The PUSH ESP instruction pushes the value of the ESP register as it existed before the instruction. This differs from the 8086, where the PUSH SP instruction pushes the new value (decremented by 2). Likewise, a PUSH-from-memory instruction, which uses the stack pointer (ESP ) as a base register, references memory before the PUSH. The base used is the value of the ESP before the instruction runs.

Operation
IF StackAddrSize = 16 
THEN 
   IF OperandSize = 16 THEN 
      SP ← SP - 2;
      (SS:SP) ← (SOURCE); (* word assignment *)
   ELSE
      SP ← SP - 4;
      (SS:SP) ← (SOURCE); (* dword assignment *)
   FI;
ELSE (* StackAddrSize = 32 *)
   IF OperandSize = 16 
   THEN
      ESP ← ESP -2;
      (SS:ESP) ← (SOURCE); (* word assignment *)
   ELSE
      ESP ← ESP -4;
      (SS:ESP) ← (SOURCE); (* dword assignment *)
  FI;
FI;
Protected Mode Exceptions
  1. SS(0) if the new value of the SP or ESP register is outside the stack segment limit; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

None; if the SO or ESP register is 1, the processor shuts down due to a lack of stack space.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

When used with an operand in memory, the PUSH instruction takes longer to run than a two-instruction sequence, which moves the operand through a register. Back-to-back PUSH/POP instruction sequences are allowed without incurring an additional clock. Selective pushes write only the top of the stack.

PUSHA/PUSHAD - Push all General Registers

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
60 PUSHA X X X X Push AX, CX, DX, BX, SP, BP, SI, and DI
60 PUSHAD X X X Push EAX, ECX, EDX, EBX, ESP, EBP, ESI, and EDI
Description

The PUSHA and PUSHAD instructions save the 16-bit or 32-bit general registers, respectively, on the processor stack. The PUSHA instruction decrements the stack pointer (SP) by 16 to hold the eight word values. The PUSHAD instruction decrements the stack pointer (ESP) by 32 to hold the eight doubleword values. Because the registers are pushed onto the stack in the order in which they were given, they appear in the 16 or 32 new stack bytes in reverse order. The last register pushed is the DI or EDI register.

Operation
IF OperandSize = 16 (* PUSHA instruction *)
THEN   Temp ← (SP);
  Push(AX);
  Push(CX);
  Push(DX);
  Push(BX);
  Push(Temp);
  Push(BP);
  Push(SI);
  Push(DI);
ELSE (* OperandSize = 31, PUSHAD instruction *)
  Temp ← (ESP);
  Push(EAX);
  Push(ECX);
  Push(EDX);
  Push(EBX);
  Push(Temp);
  Push(EPS);
  Push(ESI);
  Push(EDI);
FI;
Protected Mode Exceptions
  1. SS(0) if the starting or ending stack address is outside the stack segment limit; #PF(fault-code) for a page fault.
Real Address Mode Exceptions

Before running the PUSHA or PUSHAD instruction, the Pentium processor shuts down if the SP or ESP register equals 1, 3, or 5; if the SP or ESP register equals 7, 9, 11, 13, or 15, exception 13 occurs.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault.

PUSHF/PUSHFD-Push Flags Register onto the Stack

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9C PUSHF X X X X X X Push FLAGS
9C PUSHFD X X X Push EFLAGS
Description

The PUSHF instruction decrements the stack pointer by 2 and copies the FLAGS register to the new top of stack; the PUSHFD instruction decrements the stack pointer by 4, and the EFLAGS register is copied to the new top of stack, which is pointed to by SS:ESP. Refer to the Intel documentation for information on the EFLAGS register.

Operation
IF VM=0 (* Not in Virtual-8086 Mode *)
THEN 
   IF OperandSize = 32 
   THEN push(EFLAGS AND 0FCFFFFH); (* VM and RF EFLAG bits are cleared *)
   ELSE push(FLAGS);
   FI;
ELSE (* In Virtual-8086 Mode *)
   IF IOPL=3
   THEN
      IF OperandSize = 32 
      THEN push(EFLAGS AND 0FCFFFFH); (* VM and RF EFLAGS bits are cleared *)
      ELSE push(FLAGS);
      FI;
   ELSE
      #GP(0); (* Trap to virtual-8086 monitor *)
   FI;
FI;
Protected Mode Exceptions
  1. SS(0) if the new value of the ESP register is outside the stack segment boundaries.
Real Address Mode Exceptions

None; the processor shuts down due to a lack of stack space.

Virtual 8086 Mode Exceptions
  1. GP(0) fault if the I/O privilege level is less than 3, to permit emulation.

RCL/RCR/ROL/ROR - Rotate

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D0 /2 RCL r/m8,1 X X X X X X Rotate 9 bits (CF, r/m byte) left once
D2 /2 RCL r/m8,CL X X X X X X Rotate 9 bits (CF, r/m byte) left CL times
C0 /2 ib RCL r/m8,imm8 X X X X X Rotate 9 bits (CF, r/m byte) left imm8 times
D1 /2 RCL r/m16,1 X X X X X X Rotate 17 bits (CF, r/m word) left once
D3 /2 RCL r/m16,CL X X X X X X Rotate 17 bits (CF, r/m word) left CL times
C1 /2 ib RCL r/m16,imm8 X X X X X Rotate 17 bits (CF, r/m word) left imm8 times
D1 /2 RCL r/m32,1 X X X Rotate 33 bits (CF, r/m dword) left once
D3 /2 RCL r/m32,CL X X X Rotate 33 bits (CF, r/m dword) left CL times
C1 /2 ib RCL r/m32,imm8 X X X Rotate 33 bits (CF, r/m dword) left imm8 times
D0 /3 RCR r/m8,1 X X X X X X Rotate 9 bits (CF, r/m byte) right once
D2 /3 RCR r/m8,CL X X X X X X Rotate 9 bits (CF, r/m byte) right CL times
C0 /3 ib RCR r/m8,imm8 X X X X X Rotate 9 bits (CF, r/m byte) right imm8 times
D1 /3 RCR r/m16,1 X X X X X X Rotate 17 bits (CF, r/m word) right once
D3 /3 RCR r/m16,CL X X X X X X Rotate 17 bits (CF, r/m word) right CL times
C1 /3 ib RCR r/m16,imm8 X X X X X Rotate 17 bits (CF, r/m word) right imm8 times
D1 /3 RCR r/m32,1 X X X Rotate 33 bits (CF, r/m dword) right once
D3 /3 RCR r/m32,CL X X X Rotate 33 bits (CF, r/m dword) right CL times
C1 /3 ib RCR r/m32,imm8 X X X Rotate 33 bits (CF, r/m dword) right imm8 times
D0 /0 ROL r/m8,1 X X X X X X Rotate 8 bits (r/m byte) left once
D2 /0 ROL r/m8,CL X X X X X X Rotate 8 bits (r/m byte) left CL times
C0 /0 ib ROL r/m8,imm8 X X X X X Rotate 8 bits (r/m byte) left imm8 times
D1 /0 ROL r/m16,1 X X X X X X Rotate 16 bits (r/m word) left once
D3 /0 ROL r/m16,CL X X X X X X Rotate 16 bits (r/m word) left CL times
C1 /0 ib ROL r/m16,imm8 X X X X X Rotate 16 bits (r/m word) left imm8 times
D1 /0 ROL r/m32,1 X X X Rotate 32 bits (r/m dword) left once
D3 /0 ROL r/m32,CL X X X Rotate 32 bits (r/m dword) left CL times
C1 /0 ib ROL r/m32,imm8 X X X Rotate 32 bits (r/m dword) left imm8 times
D0 /1 ROR r/m8,1 X X X X X X Rotate 8 bits (r/m byte) right once
D2 /1 ROR r/m8,CL X X X X X X Rotate 8 bits (r/m byte) right CL times
C0 /1 ib ROR r/m8,imm8 X X X X X Rotate 8 bits (r/m byte) right imm8 times
D1 /1 ROR r/m16,1 X X X X X X Rotate 16 bits (r/m word) right once
D3 /1 ROR r/m16,CL X X X X X X Rotate 16 bits (r/m word) right CL times
C1 /1 ib ROR r/m16,imm8 X X X X X Rotate 16 bits (r/m word) right imm8 times
D1 /1 ROR r/m32,1 X X X Rotate 32 bits (r/m dword) right once
D3 /1 ROR r/m32,CL X X X Rotate 32 bits (r/m dword) right CL times
C1 /1 ib ROR r/m32,imm8 X X X Rotate 32 bits (r/m dword) right imm8 times
Description

Each rotate instruction shifts the bits of the register or memory operand given. The left rotate instructions shift all the bits upward, except for the top bit, which is returned to the bottom. The right rotate instructions do the reverse: the bits shift downward until the bottom bit arrives at the top. For the RCL and RCR instructions, the CF flag is part of the rotated quantity. The RCL instruction shifts the CF flag into the bottom bit and shifts the top bit into the CF flag; the RCR instruction shifts the CF flag into the top bit and shifts the bottom bit into the CF flag. For the ROL and ROR instructions, the original value of the CF flag is not a part of the result, but the CF flag receives a copy of the bit that was shifted from one end to the other. The rotate is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum instruction processing time, the Pentium processor does not allow rotation counts greater than 31. If a rotation count greater than 31 is attempted, only the bottom five bits of the rotation are used. The 8086 does not mask rotation counts. The Pentium processor in Virtual 8086 Mode does mask rotation counts. The OF flags is defined only for the single-rotate forms of the instructions (second operand is a 1). It is undefined in all other cases. For left shifts/rotates, the CF bit after the shift is XORed with the high- order result bit. For right shifts/rotates, the high-order two bits of the result are XORed to get the OF flag.

Operation

(* ROL - Rotate Left *) temp ← COUNT; WHILE (temp <> 0) DO

  tmpcf ← high-order bit of (r/m);
  r/m ← r/m * 2 + (tmpcf);
  temp ← temp - 1;

OD; IF COUNT = 1 THEN

  IF high-order bit of r/m <> CF 
  THEN OF ← 1;
  ELSE OF ← 0;
  FI;

ELSE OF ← undefined; FI; (* ROR - Rotate Right *) temp ← COUNT; WHILE (temp <> 0) DO

  tmpcf ← low-order bit of (r/m);
  r/m ← r/m / 2 + (tmpcf * 2widty(r/m));
  temp ← temp - 1;

DO; IF COUNT = 1 THEN

  IF (high-order bit of r/m) <> (bit next to high-order bit of r/m)
  THEN OF ← 1;
  ELSE OF ← 0;
  FI;

ELSE OF ← undefined; FI;

Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|* |  |  |  |  |  |  |*

The OF flag is affected only for single-bit rotates; the OF flag is undefined for multi-bit rotates; the CF flag contains the value of the bit shifted into it; the SF, ZF, AF, and PF flags are not affected.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

RDMSR - Read from Model Specific Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 32 RDMSR X Read Model Specific Register indicated by ECX into EDX:EAX
Description

The value in ECX specifies one of the 64-bit Model Specific Registers of the Pentium processor. The content of that Model-Specific Register is copied into EDX:EAX. EDX is loaded with the high-order 32 bits, and EAX is loaded with the low-order 32 bits. The following values are used to select model specific registers on the Pentium processor.

VALUE REGISTER NAME DESCRIPTION
00H Machine Check Address Stores address of cycle causing the exception
01H Machine Check Type Stores type of cycle causing the exception

For other values used to perform cache, TLB, and BTB testing and performance monitoring, see the Intel documentation.

Operation
EDX:EAX ← MSR[ECX];
Protected Mode Exceptions
  1. GP(0) if either the current privilege level is not 0 or the value in ECX does not specify a Model-Specific Register that is implemented in the Pentium processor.
Real Address Mode Exceptions
  1. GP if the value in ECX does not specify a Model-Specific Register that is implemented in the Pentium processor.
Virtual 8086 Mode Exceptions
  1. GP(0) if instruction processing is attempted.
Notes

This instruction must be run at privilege level 0 or in real-address mode; otherwise, a protection exception will be generated. If less than 64 bits are implemented in a model specific register, the value returned to EDX:EAX, in the locations corresponding to the unimplemented bits, is unpredictable. RDMSR is used to read the content of Model-Specific Registers that control functions for testability, execution tracing, performance monitoring and machine check errors. Refer to the Pentium(TM) Processor Data Book for more information. The values 3H, 0FH, and values above 13H are reserved. Do not run RDMSR with reserved values in ECX.

RDTSC - Read Time Stamp Counter

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 31 RDTSC X Read Time Stamp Counter int EDX:EAX
Description
Operation
Protected Mode Exceptions
Real Address Mode Exceptions
Virtual 8086 Mode Exceptions

REP/REPE/REPZ/REPNE/REPNZ - Repeat Following String Operation

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
F3 6C REP INS r/m8,DX X X X X X Input (E)CX bytes from port DX into ES:[(E)DI]
F3 6D REP INS r/m16,DX X X X X X Input (E)CX words from port DX into ES:[(E)DI]
F3 6D REP INS r/m32,DX X X X Input (E)CX dwords from port DX into ES:[(E)DI]
F3 AC REP LODS AL X X X X X X Load (E)CX bytes from [(E)SI] to EDX
F3 AD REP LODS AX X X X X X X Load (E)CX words from [(E)SI] to EDX
F3 AD REP LODS EAX X X X Load (E)CX dwords from [(E)SI] to EDX
F3 A4 REP MOVS m8,m8 X X X X X X Move (E)CX bytes from [(E)SI] to ES:[(E)DI]
F3 A5 REP MOVS m16,m16 X X X X X X Move (E)CX words from [(E)SI] to ES:[(E)DI]
F3 A5 REP MOVS m32,m32 X X X Move (E)CX dwords from [(E)SI] to ES:[(E)DI]
F3 6E REP OUTS DX,r/m8 X X X X X Output (E)CX bytes from [(E)SI] to port DX
F3 6F REP OUTS DX,r/m16 X X X X X Output (E)CX words from [(E)SI] to port DX
F3 6F REP OUTS DX,r/m32 X X X Output (E)CX dwords from [(E)SI] to port DX
F3 AA REP STOS m8 X X X X X X Store (E)CX bytes at ES:[(E)DI] from AL
F3 AB REP STOS m16 X X X X X X Store (E)CX words at ES:[(E)DI] from AX
F3 AB REP STOS m32 X X X Store (E)CX dwords at ES:[(E)DI] from EAX
F3 A6 REPE CMPS m8,m8 X X X X X X Find nonmatching bytes in ES:[(E)DI] and [(E)SI]
F3 A7 REPE CMPS m16,m16 X X X X X X Find nonmatching words in ES:[(E)DI] and [(E)SI]
F3 A7 REPE CMPS m32,m32 X X X Find nonmatching dwords in ES:[(E)DI] and [(E)SI]
F3 AE REPE SCAS m8,m8 X X X X X X Find non-AL byte starting at ES:[(E)DI]
F3 AF REPE SCAS m16,m16 X X X X X X Find non-AX word starting at ES:[(E)DI]
F3 AF REPE SCAS m32,m32 X X X Find non-EAX dword starting at ES:[(E)DI]
F2 A6 REPNE CMPS m8,m8 X X X X X X Find matching bytes in ES:[(E)DI] and [(E)SI]
F2 A7 REPNE CMPS m16,m16 X X X X X X Find matching words in ES:[(E)DI] and [(E)SI]
F2 A7 REPNE CMPS m32,m32 X X X Find matching dwords in ES:[(E)DI] and [(E)SI]
F2 AE REPNE SCAS m8,m8 X X X X X X Find AL, starting at ES:[(E)DI]
F2 AF REPNE SCAS m16,m16 X X X X X X Find AX, starting at ES:[(E)DI]
F2 AF REPNE SCAS m32,m32 X X X Find EAX, starting at ES:[(E)DI]
Description

The REP, REPE (repeat while equal), and REPNE (repeat while not equal) prefixes are applied to string operation. Each prefix causes the string instruction that follows to be repeated the number of times indicated in the count register or (for the REPE and REPNE prefixes) until the indicated condition in the ZF flag is no longer met. Synonymous forms of the REPE and REPNE prefixes are the REPZ and REPNZ prefixes, respectively. The REP prefixes apply only to one string instruction at a time. To repeat a block of instructions, use the LOOP instruction or another looping construct. The precise action for each iteration is as follows:

  1. If the address-size attribute is 16 bits, use the CX register for the count register; if the address-size attribute is 32 bits, use the ECX register for the count register.
  2. Check the count register. If it is zero, exit the iteration, and move to the next instruction.
  3. Acknowledge any pending interrupts.
  4. Perform the string operation once.
  5. Decrement the CX or count register by one; no flags are modified.
  6. Check the ZF flag is the string operation is a SCAS or CMPS instruction. If the repeat condition does not hold, exit the iteration and move to the next instruction. Exit the iteration if the prefix if REPE and the ZF flag is 0 (the last comparison was not equal), or if the prefix is REPNE and the ZF flag is one (the last comparison was equal).
  7. Return to step 2 for the next iteration.

Repeated CMPS and SCAS instructions can be exited if the count is exhausted or if the ZF flag fails the repeat condition. These two cases can be distinguished by using either the JCXZ instruction, or by using the conditional jumps that test the ZF flag (the JZ, JNZ, and JNE instructions).

Operation
IF AddressSize = 16 
THEN use CX for CountReg;
ELSE (* AddressSize = 32 *) use ECX for CountReg;
FI;
WHILE CountReg <> 0 
DO 
  service pending interrupts (if any);
  perform primitive string instruction;
  CountReg ← CountReg -1;
  IF primitive operation is CMPSB, CMPSW, CMPSD, SCASB,
  SCASW, or SCASD 
  THEN
     IF (instruction is REP/REPE/REPZ) AND (ZF=0)
     THEN exit WHILE loop 
     ELSE 
        IF (instruction if REPNZ or REPNE) AND (ZF=1)
        THEN exit WHILE loop;
        FI;
     FI;
 FO;
OD;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |  |  |  |* |  |  |  |

The ZF flag is affected by the REP CMPS and REP SCAS as described above.

Notes

Not all I/O ports can handle the rate at which the REP INS and REP OUTS instructions run. Do not use the REP prefix with the LOOP instruction. Proper LOOP operation is not guaranteed when used with the REP prefix and the effect of this combination is unpredictable. The behavior of the REP prefix is undefined when used with non-string instructions. When a page fault occurs during CMPS or SCAS instructions that are prefixed with REPNE, the EFLAGS value is restored to the state prior to the processing of the instruction. Because SCAS and CMPS do not use EFLAGS as an input, the processor can resume the instruction after the page fault handler.

RET - Return from Procedure

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
C3 RET/RETN X X X X X X Return (near) to caller
CB RET/RETF X X X X X X Return (far) to caller, same privilege
CB RET/RETF X X X X Return (far), lesser privilege, switch stacks
C2 iw RET/RETN imm16 X X X X X X Return (near), pop imm16 bytes
CA iw RET/RETF imm16 X X X X X X Return (far), same privilege, pop imm16 bytes
CA iw RET/RETF imm16 X X X X Return (far), lesser privilege, pop imm16 bytes
Description

The RET instruction transfers control to a return address located on the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL instruction. The optional numeric parameter to the RET instruction gives the number of stack bytes (OperandMode=16) or words (OperandMode=32) to be released after the return address is popped. These items are typically used as input parameters to the procedure called. For the intrasegment (near) return, the address on the stack is a segment offset, which is popped into the instruction pointer. The CS register is unchanged. For the intersegment (far) return, the address on the stack is a long pointer. The offset is popped first, followed by the selector. In real mode, the CS and IP registers are loaded directly. In Protected Mode, an intersegment return causes the processor to check the descriptor addressed by the return selector. The AR byte of the descriptor must indicate a code segment of equal or lesser privilege (or greater or equal numeric value) than the current privilege level. Returns to a lesser privilege level cause the stack to be reloaded from the value saved beyond the parameter block. The DS, ES, FS, and GS segment registers can be cleared by the RET instruction during an interlevel transfer. If there registers refer to segments that cannot be used by the new privilege level, they are cleared to prevent unauthorized access from the new privilege level.

Operation
IF instruction = near RET 
THEN;
  IF OperandSize = 16 
  THEN
     IP ← Pop();
     EIP ← EIP AND 0000FFFFH;
  ELSE (* OperandSize = 32 *)
     EIP ← Pop();
 FI;
 IF instruction has immediate operand THEN eSP ← eSP + imm16; FI;
 FI;
IF (PE = 0 OR (PE = 1 AND VM = 1))
  (* real mode or virtual 8086 mode *)
  AND instruction = far RET 
THEN;
  IF OperandSize = 16 
  THEN
     IP ← Pop();
     EIP ← EIP AND 0000FFFFH;
     CS ← Pop(); (* 16-bit pop *)
  ELSE (* OperandSize = 32 *)
     EIP ← Pop ();
     CS ← Pop(); (* 32-bit pop, high-order 16-bits discarded *)
  FI;
  IF instruction has immediate operand THEN eSP ← eSP + imm16; FI;
FI;
IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *)
  AND instruction = far RET 
THEN 
  IF OperandSize=32
  THEN Third word on stack must be within stack limits else #SS(0);
  ELSE Second word on stack must be within stack limits else #SS(0);
  FI;
  Return selector RPL must be ó CPL ELSE #GP(return selector)
  IF return selector RPL = CPL 
  THEN GOTO SAME-LEVEL;
  ELSE GOTO OUTER-PRIVILEGE-LEVEL;
  FI;
FI;
SAME-LEVEL:
  Return selector must be non-null ELSE #GP(0)
  Selector index must be within its descriptor table limits ELSE 
     #GP(selector)
  Descriptor AR byte must indicate code segment ELSE #GP(selector)
  IF non-conforming
  THEN code segment DPL must equal CPL;
  ELSE #GP(selector);
  FI;
  IF conforming 
  THEN code segment DPL must be ó CPL;
  ELSE #GP(selector);
  FI;
  Code segment must be present ELSE #NP(selector);
  Top word on stack must be within stack limits ELSE #SS(0);
  IP must be in code segment limit ELSE #GP(0);
  IF OperandSize=32
  THEN
     Load CS:EIP from stack 
     Load CS register with descriptor 
     Increment eSP by 8 plus the immediate offset if it exists 
  ELSE (* OperandSize=16 *)
     Load CS:IP from stack 
     Load CS register with descriptor 
     Increment eSP by 4 plus the immediate offset if it exists 
  FI;
OUTER-PRIVILEGE-LEVEL:
  IF OperandSize=32
  THEN Top (16+immediate) bytes on stack must be within stack limits 
     ELSE #SS(0);
  ELSE Top (8+immmediate) bytes on stack must be within stack limits ELSE 
     #SS(0);
  FI;
  Examine return CS selector and associated descriptor:
     Selector must be non-null ELSE #GP(0);
     Selector index must be within its descriptor table limits ELSE 
        #GP(selector)
     Descriptor AR byte must indicate code segment ELSE #GP(selector);
     IF non-conforming
     THEN code segment DPL must equal return selector RPL 
     ELSE #GP(selector);
     FI;
     IF conforming 
     THEN code segment DPL must be ó return selector RPL;
     ELSE #GP(selector);
     FI;
     Segment must be present ELSE #NP(selector)
  Examine return SS selector and associated descriptor:
     Selector must be non-null ELSE #GP(0);
     Selector index must be within its descriptor table limits 
        ELSE #GP(selector);
     Selector RPL must equal the RPL of the return CS selector ELSE 
        #GP(selector);
     Descriptor AR byte must indicate a writable data segment ELSE 
        #GP(selector);
     Descriptor DPL must equal the RPL of the return CS selector ELSE 
        #GP(selector);
     Segment must be present ELSE #NP(selector);
  IP must be in code segment limit ELSE #GP(0);
  Set CPL to the RPL of the return CS selector;
  IF OperandSize=32
  THEN
     Load CS:EIP from stack;
     Set CS RPL to CPL;
     Increment eSP by 8 plus the immediate offset if it exists;
     Load SS:eSP from stack;
  ELSE (* OperandSize=16 *)
     Load CS:IP from stack;
     Set CS RPL to CPL;
     Increment eSP by 4 plus the immediate offset if it exists;
     Load SS:eSP from stack;
  FI;
  Load the CS register with the return CS descriptor;
  Load the SS register with the return SS descriptor;
  For each of ES, FS, GS, and DS 
  DO
     IF the current register setting is not valid for the outer level,
        set the register to null (selector ← AR ← 0);
     To be valid, the register setting must satisfy the following properties:
        Selector index must be within descriptor table limits;
        Descriptor AR byte must indicate data or readable code segment;
        IF segment is data or non-conforming code, THEN 
           DPL must be ò CPL, or DPL must be ò RPL;
        FI;
  OD;
Protected Mode Exceptions

#GP, #NP, or #SS, as described under "Operation" above; #PF(fault-code) for a page fault.

Real Address Mode Exceptions

Interrupt 13 if any part of the operand would be outside the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault.

ROL/ROR - Rotate

See entry for RCL/RCR/ROL/ROR.

RSM - Resume from System Management Mode

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F AA RSM X Resume operation of interrupted program
Description

The processor state is restored from the dump created upon entrance to SMM. Note, however, that the contents of the model-specific registers are not affected. The processor leaves SMM and returns control to the interrupted application or operating system. If the processor detects any invalid state information, it enters the shutdown state. This happens in any of the following situations:

  • The value stored in the State Dump Base field is not a 32Kbyte aligned address.
  • Any reserved bit of CR4 is set to 1.
  • Any combination of bits in CR0 is illegal; namely, (PG=1 and PE=0) or (NW= 1 and CD=0).
Operation

Resume operation of a program interrupted by a System Management Mode interrupt.

Flags Affected

OF DF IF SF ZF AF PF CF
* * * * * * * *

All

Protected Mode Exceptions
  1. UD if an attempt is made to run this instruction when the processor is not in System Management Mode.
Real Address Mode Exceptions
  1. UD if an attempt is made to run this instruction when the processor is not in System Management Mode.
Virtual 8086 Mode Exceptions
  1. UD if an attempt is made to run this instruction when the processor is not in System Management Mode.
Notes

Refer to the Intel documentation for more information about System Management Mode and the behavior of the RSM instruction.

SAHF - Store AH into Flags

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
9E SAHF X X X X X X Store AH into flags (SF, ZF, xx, AF, xx, PF, xx, CF)

Description The SAHF instruction loads the SF, ZF, AF, PF,A and CF flags with values from the AH register, from bits 7, 6, 4, 2, and 0, respectively.

Operation
SF:ZF:xx:AF:xx:PF:xx:CF← AH;
Flags Affected
OF DF IF SF ZF AF PF CF
* * * * *

The SF, ZF, AF, PF, and CF flags are loaded with values from the AH register.

SAL/SAR/SHL/SHR - Shift Instructions

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D0 /4 SAL r/m8,1 X X X X X X Multiply r/m byte by 2, once
D2 /4 SAL r/m8,CL X X X X X X Multiply r/m byte by 2, CL times
C0 /5 ib SAL r/m8,imm8 X X X X X Multiply r/m byte by 2, imm8 times
D1 /4 SAL r/m16,1 X X X X X X Multiply r/m word by 2, once
D1 /4 SAL r/m32,1 X X X Multiply r/m dword by 2, once
D3 /4 SAL r/m16,CL X X X X X X Multiply r/m word by 2, CL times
D3 /4 SAL r/m32,CL X X X Multiply r/m dword by 2, CL times
C1 /4 ib SAL r/m16,imm8 X X X X X Multiply r/m word by 2, imm8 times
C1 /4 ib SAL r/m32,imm8 X X X Multiply r/m dword by 2, imm8 times
D0 /7 SAR r/m8,1 X X X X X X Signed divide r/m byte by 2, once
D2 /7 SAR r/m8,CL X X X X X X Signed divide r/m byte by 2, CL times
C0 /7 ib SAR r/m8,imm8 X X X X X Signed divide r/m byte by 2, imm8 times
D1 /7 SAR r/m16,1 X X X X X X Signed divide r/m word by 2, once
D1 /7 SAR r/m32,1 X X X Signed divide r/m dword by 2, once
D3 /7 SAR r/m16,CL X X X X X X Signed divide r/m word by 2, CL times
D3 /7 SAR r/m32,CL X X X Signed divide r/m dword by 2, CL times
C1 /7 ib SAR r/m16,imm8 X X X X X Signed divide r/m word by 2, imm8 times
C1 /7 ib SAR r/m32,imm8 X X X Signed divide r/m dword by 2, imm8 times
D0 /4 SHL r/m8,1 X X X X X X Multiply r/m byte by 2, once
D0 /4 SHL r/m8,CL X X X X X X Multiply r/m byte by 2, CL times
C0 /4 ib SHL r/m8,imm8 X X X X X Multiply r/m byte by 2, imm8 times
D1 /4 SHL r/m16,1 X X X X X X Multiply r/m word by 2, once
D1 /4 SHL r/m32,1 X X X Multiply r/m dword by 2, once
D3 /4 SHL r/m16,CL X X X X X X Multiply r/m word by 2, CL times
D3 /4 SHL r/m32,CL X X X Multiply r/m dword by 2, CL times
C1 /4 ib SHL r/m16,imm8 X X X X X Multiply r/m word by 2, imm8 times
C1 /4 ib SHL r/m32,imm8 X X X Multiply r/m dword by 2, imm8 times
D0 /5 SHR r/m8,1 X X X X X X Signed divide r/m byte by 2, once
D2 /5 SHR r/m8,CL X X X X X X Signed divide r/m byte by 2, CL times
C0 /5 ib SHR r/m8,imm8 X X X X X Signed divide r/m byte by 2, imm8 times
D1 /5 SHR r/m16,1 X X X X X X Signed divide r/m word by 2, once
D1 /5 SHR r/m32,1 X X X Signed divide r/m dword by 2, once
D3 /5 SHR r/m16,CL X X X X X X Signed divide r/m word by 2, CL times
D3 /5 SHR r/m32,CL X X X Signed divide r/m dword by 2, CL times
C1 /5 ib SHR r/m16,imm8 X X X X X Signed divide r/m word by 2, imm8 times
C1 /5 ib SHR r/m32,imm8 X X X Signed divide r/m dword by 2, imm8 times

Description The SAL instruction (or its synonym, SHL) shifts the bits of the operand upward. The high-order bit is shifted into the CF flag, and the low-order bit is cleared. The SAR and SHR instructions shift the bits of the operand downward. The low-order bit is shifted into the CF flag. The effect is to divide the operand by two. The SAR instruction performs a signed divide with rounding toward negative infinity (not the same as the IDIV instruction); the high-order bit remains the same. The SHR instruction performs an unsigned divide ; the high-order bit is cleared. The shift is repeated the number of times indicated by the second operand, which is either an immediate number or the contents of the CL register. To reduce the maximum processing time, the Pentium processor does not allow shift counts greater than 31. If a shift count greater than 31 is attempted , only the bottom five bits of the shift count are used. (The 8086 uses all eight bits of the shift count.) The OF flag is affected only if the single-shift forms of the instructions are used. For left shifts, the OF flag is cleared if the high bit of the answer is the same as the result of the CF flag (i.e., the top two bits of the original operand were the same); the OF flag is set if they are different. For the SAR instruction, the OF flag is cleared for all single shifts. For the SHR instruction, the OF flag is set for the high-order bit of the original operand.

Operation

(* COUNT is the second parameter *)

(temp) ← COUNT;
WHILE (temp<> 0)
DO 
  IF instruction is SAL or SHL 
  THEN CF ← high-order bit of r/m;
  FI;
  IF instruction is SAR or SHR 
  THEN CF ← low-order bit of r/m;
  FI;
  IF instruction = SAL or SHL 
  THEN r/m ← r/m * 2;
  FI;
  IF instruction = SAR 
  THEN r/m ← r/m ;2 (*Signed divide, rounding toward negative infinity*);
  FI;
  IF instruction = SHR 
  THEN r/m ← r/m / 2; (* Unsigned divide *);
  FI;
  temp ← temp - 1;
OD;
  • Determine overflow for the various instructions *)
IF COUNT = 1 
THEN 
  IF instruction is SAL or SHL 
  THEN OF ← high-order bit of r/m <> (CF);
  FI;
  IF instruction is SAR 
  THEN OF ← 0;
  FI;
  IF instruction is SHR 
  THEN OF ← high-order bit of operand;
  FI;
ELSE OF ← undefined;
FI;

Flags Affected

|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|* |  |  |* |* |? |* |*

If count = 0, the flags are not affected. The CF flag contains the value of the last bit shifted out. The CF flag is undefined for SHL and SHR instructions in which the shift lengths are greater than or equal to the size of the operand to be shifted. The OF flag is affected for single shifts; the OF flag is undefined for multiple shifts; the CF, ZF, PF, and SF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

SBB - Integer Subtraction with Borrow

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
1C ib SBB AL,imm8 X X X X X X Subtract with borrow, immediate byte from AL
1D iw SBB AX,imm16 X X X X X X Subtract with borrow, immediate word AX
1D id SBB EAX,imm32 X X X Subtract with borrow, immediate dword from EAX
80 /3 ib SBB r/m8,imm8 X X X X X X Subtract with borrow, immediate byte from r/m byte
81 /3 iw SBB r/m16,imm16 X X X X X X Subtract with borrow, immediate word from r/m word
81 /3 id SBB r/m32,imm32 X X X Subtract with borrow, immediate dword from r/m dword
83 /3 ib SBB r/m16,imm8 X X X X X X Subtract with borrow, sign-extended immediate byte from r/m word
83 /3 ib SBB r/m32,imm8 X X X Subtract with borrow, sign-extended immediate byte from r/m dword
18 /r SBB r/m8,r8 X X X X X X Subtract with borrow, byte register from r/m byte
19 /r SBB r/m16,r16 X X X X X X Subtract with borrow, word register from r/m word
19 /r SBB r/m32,r32 X X X Subtract with borrow, dword register from r/m dword
1A /r SBB r8,r/m8 X X X X X X Subtract with borrow, r/m byte from byte register
1B /r SBB r16,r/m16 X X X X X X Subtract with borrow, r/m word from word register
1B /r SBB r32,r/m32 X X X Subtract with borrow, r/m dword from dword register
Description

The SBB instruction adds the second operand (SRC) to the CF flag and subtracts the result from the first operand (DEST). The result of the subtraction is assigned to the first operand (DEST), and the flags are set accordingly. When an immediate byte value is subtracted from a word operand, the immediate value is first sign-extended.

Operation
F SRC is a byte and DEST is a word or dword 
THEN DEST = DEST - (SignExtend(SRC) + CF)
ELSE DEST ← DEST - (SRC + CF);
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|* |  |  |* |* |* |* |* 

The OF, SF, ZF, AF, PF, and CF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

SCAS/SCASB/SCASW/SCASD - Compare String Data

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
AE SCAS m8 X X X X X X Compare AL with byte at ES:[(E)DI], update [(E)DI]
AF SCAS m16 X X X X X X Compare AX with word at ES:[(E)DI], update [(E)DI]
AF SCAS m32 X X X Compare EAX with dword at ES:[(E)DI], update [(E)DI]
AE SCASB X X X X X X Compare AL with byte at ES:[(E)DI], update [(E)DI]
AF SCASW X X X X X X Compare AX with word at ES:[(E)DI], update [(E)DI]
AF SCASD X X X Compare EAX with dword at ES:[(E)DI], update [(E)DI]
Description

The SCAS instruction subtracts the memory byte or word at the destination register from the AL, AX or EAX register. The result is discarded; only the flags are set. The operand must be addressable from the ES segment; no segment override is possible. If the address-size attribute for this instruction is 16 bits, the DI register is used as the destination register, otherwise, the address-size attribute is 32 bits and the EDI register is used. The address of the memory data being compared is determined solely by the contents of the destination register, not by the operand to the SCAS instruction. The operand validates ES segment addressability and determines the data type. Load the correct index value into the DI or EDI register before running the SCAS instruction. After the comparison is made, the destination register is automatically updated. If the direction flag is 0 (the CLD instruction was run), the destination register is incremented; if the direction flag is 1 (the STD instruction was run), it is decremented. The increments or decrements are by 1 if bytes are compared, by 2 if words are compared, or by 4 if doublewords are compared. The SCASB, SCASW, and SCASD instructions are synonyms for the byre, word and doubleword SCAS instructions that don't require operands. They are simpler to code, but provide no type or segment checking. The SCAS instruction can be preceded by the REPE or REPNE prefix for a block search of CX or ECX bytes or words. Refer to the REP instruction for further details.

Operation
IF AddressSize = 16THEN use DI for dest-index;ELS
E (* AddressSize = 32 *) use EDI for dest-index;
FI;
If byte type of instruction 
THEN 
  AL - [dest-index]; (* Compare byte in AL and dest *)
  IF DF = 0 THEN IncDec ← 1 ELSE IncDec ← -1; FI;
ELSE 
  IF OperandSize = 16 
  THEN
     AX - [dest-index]; (* compare word in AL and dest *)
     IF DF = 0 THEN IncDec ← 2 ELSE IncDec ← -2; FI;
  ELSE (* OperandSize = 32 *)
     EAX - [dest-index];(* compare dword in EAX and dest *)
     IF DF = 0 THEN IncDec ← 4 ELSE IncDec ← -4; FI;
  FI;
FI;
dest-index = dest-index + IncDec 
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF
|--+--+--+--+--+--+--+--
|* |  |  |* |* |* |* |*

The OF, SF, ZF, AF, PF, and CF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the ES segment; # PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

SETcc-Byte Set on Condition

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 97 SETA r/m8 X X X Set byte if above (CF=0 and ZF=0)
0F 93 SETAE r/m8 X X X Set byte if above or equal (CF=0)
0F 92 SETB r/m8 X X X Set byte if below (CF=1)
0F 96 SETBE r/m8 X X X Set byte if below or equal (CF=1 or ZF=1)
0F 92 SETC r/m8 X X X Set byte if carry (CF=1)
0F 94 SETE r/m8 X X X Set byte if equal (ZF=1)
0F 9F SETG r/m8 X X X Set byte if greater (ZF=0 or SF=OF)
0F 9D SETGE r/m8 X X X Set byte if greater or equal (SF=OF)
0F 9C SETL r/m8 X X X Set byte if less (SF<>OF)
0F 9E SETLE r/m8 X X X Set byte if less or equal (ZF=1 and SF<>OF)
0F 96 SETNA r/m8 X X X Set byte if not above (CF=1)
0F 92 SETNAE r/m8 X X X Set byte if not above or equal (CF=1)
0F 93 SETNB r/m8 X X X Set byte if not below (CF=0)
0F 97 SETNBE r/m8 X X X Set byte if not below or equal (CF=0 and ZF=0)
0F 93 SETNC r/m8 X X X Set byte if not carry (CF=0)
0F 95 SETNE r/m8 X X X Set byte if not equal (ZF=0)
0F 9E SETNG r/m8 X X X Set byte if not greater (ZF=1 or SF<>OF)
0F 9C SETNGE r/m8 X X X Set byte if not greater or equal (SF<>OF)
0F 9D SETNL r/m8 X X X Set byte if not less (SF=OF)
0F 9F SETNLE r/m8 X X X Set byte if not less or equal (ZF=1 and SF<>OF)
0F 91 SETNO r/m8 X X X Set byte if not overflow (OF=0)
0F 9B SETNP r/m8 X X X Set byte if not parity (PF=0)
0F 99 SETNS r/m8 X X X Set byte if not sign (SF=0)
0F 95 SETNZ r/m8 X X X Set byte if not zero (ZF=0)
0F 90 SETO r/m8 X X X Set byte if overflow (OF=1)
0F 9A SETP r/m8 X X X Set byte if parity (PF=1)
0F 9A SETPE r/m8 X X X Set byte if parity even (PF=1)
0F 9B SETPO r/m8 X X X Set byte if parity odd (PF=0)
0F 98 SETS r/m8 X X X Set byte if sign (SF=1)
0F 94 SETZ r/m8 X X X Set byte if zero (ZF=1)
Description

The SETcc instruction stores a 1 byte at the destination specified by the effective address or register if the condition is met, or a 0 byte if the condition is not met.

Operation
IF condition THEN r/m8 ← 1 ELSE r/m8 ← 0; FI;
Protected Mode Exceptions
  1. GP(0) if the result is in a non-writable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault.

SGDT/SIDT - Store Global/Interrupt Descriptor Table Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 01 /0 SGDT m X X X X Store GDTR to m (6 bytes)
0F 01 /1 SIDT m X X X X Store IDTR to m (6 bytes)
Description

The SGDT and SIDT instructions copy the contents of the descriptor table register to the six bytes of memory indicated by the operand. The LIMIT field of the register is assigned to the first word at the effective address. If the operand-size attribute is 16 bits, the next three bytes are assigned the BASE field of the register, and the fourth byte is undefined. Otherwise, if the operand-size attribute is 32 bits, the next four bytes are assigned the 32-bit BASE field of the register. The SGDT and SIDT instructions are used only in operating system software; they are not used in application programs.

Operation
DEST ← 48-bit BASE/LIMIT register contents;
Protected Mode Exceptions

Interrupt 6 if the destination operand is a register; #GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions

Interrupt 6 if the destination operand is a register; Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Compatibility Note

The 16-bit forms of the SGDT and SIDT instruction are compatible with the Intel 286 processor, if the value in the upper eight bits is not referenced. The Intel 286 processor stores 1's in these upper bits, whereas the 32- bit processors store 0's if the operand-size attribute is 16 bits. These bits were specified as undefined by the SGDT and SIDT instructions in the 80286 Programming Reference Manual (Intel Order No. 210498).

SHL/SHR - Shift Instruction

See entry for SAL/SAR/SHL/SHR.

SHLD - Double Precision Shift Left

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F A4 SHLD r/m16,r16,imm8 X X X r/m16 ← SHL or r/m16 concatenated with r16
0F A4 SHLD r/m32,r32,imm8 X X X r/m32 ← SHL of r/m32 concatenated with r32
0F A5 SHLD r/m16,r16,CL X X X r/m16 ← SHL of r/m16 concatenated with r16
0F A5 SHLD r/m32,r32,CL X X X r/m32 ← SHL of r/m32 concatenated with r32
Description

The SHLD instruction shifts the first operand provided by the r/m field to the left as many bits as specified by the count operand. The second operand (r16 or r32) provides the bits to shift in from the right (starting with bit 0). The result is stored back into the r/m operand. The register remains unaltered. The count operand is provided by either an immediate byte or the contents of the CL register. These operands are taken MODULO 32 to provide a number between 0 and 31 by which to shift. Because the bits to shift are provided by the specified registers, the operation is useful for multi-precision shifts (64 bits or more). The SF, ZF and PF flags are set according to the value of the result. The CF flag is set to the value of the last bit shifted out. The OF and AF flags are left undefined.

Operation
(* count is an unsigned integer corresponding to the last operand of the instruction, 
   either an immediate byte or the byte in register CL *)
ShiftAmt ← count MOD 32;
inBits ← register; (* Allow overlapped operands *)
IF ShiftAmt = 0 
THEN no operation
ELSE
 IF ShiftAmt ò OperandSize
 THEN (* Bad parameters *)
   r/m ← UNDEFINED;
   CF, OF, SF, ZF, AF, PF ← UNDEFINED;
 ELSE (* Perform the shift *)
   CF ← BIT[Base, OperandSize - ShiftAmt];
     (* Last bit shifted out on exit *)
   FOR i ← OperandSize - 1 DOWNTO ShiftAmt 
   DO 
     BIT[Base, i] ← BIT[Base, i - ShiftAmt];
   OF;
   FOR i ← ShiftAmt - 1 DOWNTO 0 
   DO 
     BIT[Base, i] ← BIT[inBits, i - ShiftAmt + OperandSize];
   OD;
   Set SF, ZF, PF (r/m);
     (* SF, ZF, PF are set according to the value of the result *)
   AF ← UNDEFINED;
 FI;
FI;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|? |  |  |* |* |? |* |* |

If count = 0, the flags are not affected. The SF, ZF, and PF flags are set according to the result; the CF flag is set to the value of the last bit shifted out; after a shift of one bit position, the OF flag is set if a sign change occurred, otherwise it is cleared; after a shift of more than one bit position, the OF flag is undefined; the AF flag is undefined, except for a shift count of zero, which does not affect any flags.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

SHRD - Double Precision Shift Right

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F AC SHRD r/m16,r16,imm8 X X X r/m16 ← SHR of r/m16 concatenated with r16
0F AC SHRD r/m32,r32,imm8 X X X r/m32 ← SHR of r/m32 concatenated with r32
0F AD SHRD r/m16,r16,CL X X X r/m16 ← SHR of r/m16 concatenated with r16
0F AD SHRD r/m32,r32,CL X X X r/m32 ← SHR of r/m32 concatenated with r32
Description

The SHRD instruction shifts the first operand provided by the r/m field to the right as many bits as specified by the count operand. The second operand (r16 or r32) provides the bits to shift in from the left (starting with bit 31). The result is stored back into the r/m operand. The register remains unaltered. The count operand is provided by either an immediate byte or the contents of the CL register. These operands are taken MODULO 32 to provide a number between 0 and 31 by which to shift. Because the bits to shift are provided by the specified register, the operation is useful for multi-precision shifts (64 bits or more). The SF, ZF and PF flags are set according to the value of the result. The CF flag is set to the value of the last bit shifted out. The OF and AF flags are left undefined.

Operation

(* count is an unsigned integer corresponding to the last operand of the instruction, either an immediate byte or the byte in register CL *)

ShiftAmt ← count MOD 32;
inBits ← register; (* Allow overlapped operands *)
IF ShiftAmt = 0 
THEN no operation 
ELSE 
 IF ShiftAmt ò OperandSize 
 THEN (* Bad parameters *)
   r/m ← UNDEFINED;
   CF, OF, SF, ZF, AF, PF ← UNDEFINED;
 ELSE (* Perform the shift *)
   CF ← BIT[r/m, ShiftAmt - 1]; (* last bit shifted out on exit *)
   FOR i ← 0 TO OperandSize - 1 - ShiftAmt 
   DO 
     BIT[r/m, i] ← BIT[r/m, i - ShiftAmt];
   OD;
   FOR i ← OperandSize - ShiftAmt TO OperandSize-1
   DO 
     BIT[r/m,i] ← BIT[inBits,i+ShiftAmt - OperandSize];
   OD;
     (* SF, ZF, PF are set according to the value of the result *)
   Set SF, ZF, PF (r/m);
   AF ←UNDEFINED;
 FI;
FI;

Flags Affected

OF DF IF SF ZF AF PF CF
? * * ? * *

If count = 0, the flags are not affected. The SF, ZF, and PF flags are set according to the result; the CF flag is set to the value of the last bit shifted out; after a shift of one bit position, the OF flag is set if a sign change occurred, otherwise it is cleared; after a shift of more than one bit position, the OF flag is undefined; the AF flag is undefined, except for a shift count of zero, which does not affect any flags. Protected Mode Exceptions

  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #AC for unaligned memory reference if the current privilege level is 3.

SIDT - Store Interrupt Descriptor Table Register

See entry for SGDT/SIDT.

SLDT - Store Local Descriptor Table Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 00 /0 SLDT r/m16 X X X X Store LDTR to EA word
Description

The SLDT instruction stores the Local Descriptor Table Register (LDTR) in the two-byte register or memory location indicated by the effective address operand. This register is a selector that points into the Global Descriptor Table. The SLDT instruction is used only in operating system software. It is not used in application programs.

Operation
r/m16 ← LDTR;
Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 6; the SLDT instruction is not recognized in Real Address Mode.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode (because the instruction is not recognized, it will not run or perform a memory reference).

Notes

When the destination is a 32-bit register, the 16-bit source operand is copied into the lower 16 bits of the destination register, and the upper 16 bits of the register are undefined. With a 16-bit register operand, only the lower 16 bits of the destination are affected (the upper 16 bits remain unchanged). With a memory operand, the source is written to memory as a 16- bit quantity, regardless of operand size. As a result, 32-bit software should always treat the destination as 16-bits and mask bits 16-31, if necessary.

SMSW - Store Machine Status Word

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 01 /4 SMSW r/m16 X X X X Store machine status word to EA word
Description

The SMSW instruction stores the machine status word (part of the CR0 register) in the two-byte register or memory location indicated by the effective address operand.

Operation
r/m16 ← MSW;
Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode, #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

This instruction is provided for compatibility with the Intel 286 processor; programs for the Pentium processor should use the MOV ..., CR0 instruction. When the destination is a 32-bit register, the 16-bit source operand is copied into the lower 16 bits of the destination register, and the upper 16 bits of the register are undefined. With a 16-bit register operand, only the lower 16 bits of the destination are affected (the upper 16 bits remain unchanged). With a memory operand, the source is written to memory as a 16- bit quantity, regardless of operand size. As a result, 32-bit software should always treat the destination as 16-bits and mask bits 16-31, if necessary.

STC - Set Carry Flag

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+--------------
|F9        |STC                 |X|X|X|X|X|X|Set carry flag
Description
The STC instruction sets the CF flag.
Operation
CF ← 1;
Flags Affected
|OF|DF|IF|SF|ZF|AF|PF|CF|
|--+--+--+--+--+--+--+--|
|  |  |  |  |  |  |  |1 |

The CF flag is set.

STD - Set Direction Flag

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
FD STD X X X X X X Set direction flag so that [(E)SI] and/or [(E)DI] decrement
Description

The STD instruction sets the direction flag, causing all subsequent string operations to decrement the index registers, (E)SI and/or (E)DI, on which they operate.

Operation
DF ← 1;
Flags Affected
OF DF IF SF ZF AF PF CF
1

The DF flag is set.

STI - Set Interrupt Flag

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
FB STI X X X X X X Set interrupt flag
Description

The STI instruction sets the IF. The processor then responds to external interrupts after running the next instruction if the next instruction allows the IF flag to remain enabled. If external interrupts are disabled and the STI instruction is followed by the RET instruction (such as at the end of a subroutine), the RET instruction is allowed to run before external interrupts are recognized. Also, if external interrupts are disabled and the STI instruction is followed by a CLI instruction, which clears the IF flag, then external interrupts are not recognized because the CLI instruction clears the IF flag during its processing.

Operation
IF PE=0 (* Running in real-address mode *)
THEN 
 IF ← 1; (* Set Interrupt Flag *)
ELSE (* Running in protected mode or virtual-8086 mode *)
 IF VM=0 (* Running in protected mode *)
 THEN 
   IF IOPL=3
   THEN IF ← 1; (* Set Interrupt Flag *)
   ELSE IF CPL òIOPL
     THEN IF ← 1;
     ELSE #GP(0);
     FI;
   FI;
 ELSE (* Running in Virtual-8086 mode *)
   #GP(0); (* Trap to virtual-8086 monitor *)
 FI;
FI;
Decision Table

The following decision table indicates which action in the lower portion of the table is taken given the conditions in the upper portion of the table.

PE = 0 1 1 1
VM = - 0 0 1
CPL - ò IOPL > IOPL = 3
IOPL - - - = 3
IF ← 1 Y Y Y
#GP(0) Y

Notes: - Don't care Blank Action not taken Y Action in Column 1 taken

Flags Affected
OF DF IF SF ZF AF PF CF
1

The IF flag is set.

Protected Mode Exceptions
  1. GP(0) if the current privilege level is greater (has less privilege) than the I/O privilege level.
Virtual 8086 Mode Exceptions
  1. GP(0) as for protected mode.
Notes

In case of an NMI, trap, or fault following STI the interrupt will be taken before running the next sequential instruction in the code. For information on this instruction when using virtual mode extensions, see the Intel documentation.

STOS/STOSB/STOSW/STOSD - Store String Data

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
AA STOS m8 X X X X X X Store AL in byte at ES:[(E)DI], update [(E)DI]
AB STOS m16 X X X X X X Store AX in word at ES:[(E)DI], update [(E)DI]
AB STOS m32 X X X Store EAX in dword at ES:[(E)DI], update [(E)DI]
AA STOSB X X X X X X Store AL in byte at ES:[(E)DI], update [(E)DI]
AB STOSW X X X X X X Store AX in word at ES:[(E)DI], update [(E)DI]
AB STOSD X X X Store EAX in dword at ES:[(E)DI], update [(E)DI]
Description

The STOS instruction transfers the contents of the AL, AX, or EAX register to the memory byte or word given by the destination register relative to the ES segment. The destination register is the DI register for an address- size attribute of 16 bits or the EDI register for an address-size attribute of 32 bits. The destination operand must be addressable from the ES register. A segment override is not possible. The address of the destination is determined by the contents of the destination register, not by the explicit operand of the STOS instruction. This operand is used only to validate ES segment addressability and to determine the data type. Load the correct index value into the destination register before running the STOS instruction. After the transfer is made, the (E)DI register is automatically updated. If the DF flag is 0 (the CLD instruction was run), the (E)DI register is incremented; if the DF flag is 1 (the STD instruction was executed), the (E )DI register is decremented. The (E)DI register is incremented or decremented by 1 if a byte is stored, by 2 if a word is stored, or by 4 if a doubleword is stored. The STOSB, STOSW, and STOSD instructions are synonyms for the byte, word, and doubleword STOS instructions, that do not require an operand. They are simpler to use, but provide no type or segment checking. The STOS instruction can be preceded by the REP prefix for a block fill of CX or ECX bytes, words, or doublewords. Refer to the REP instruction for further details.

Operation
IF AddressSize = 16 
THEN use ES:DI for DestReg 
ELSE (* AddressSize = 32 *) use ES:EDI for DestReg;
FI;
IF byte type of instruction 
THEN 
  (ES:DestReg) ← AL;
  IF DF = 0 
  THEN DestReg ← DestReg + 1;
  ELSE DestReg ← DestReg - 1;
  FI;
ELSE IF OperandSize = 16 
  THEN 
    (ES:DestReg) ← AX;
    IF DF = 0 
    THEN DestReg ← DestReg + 2;
    ELSE DestReg ← DestReg - 2;
    FI;
  ELSE (* OperandSize = 32 *)
    (ES:DestReg) ← EAX;
    IF DF = 0 
    THEN DestReg ← DestReg + 4;
    ELSE DestReg ← DestReg - 4;
    FI;
  FI;
FI;

Protected Mode Exceptions

  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the ES segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH. Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

STR - Store Task Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 00 /1 STR r/m16 X X X X Store task register to EA word
Description

The contents of the task register are copied to the two-byte register or memory location indicated by the effective address operand. The STR instruction is used only in operating system software. It is not used in application programs.

Operation
r/m ← task register;
Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Real Address Mode Exceptions Interrupt 6; the STR instruction is not recognized in Real Address Mode. Virtual 8086 Mode Exceptions Same exceptions as in Real Address Mode.

Notes

When the destination is a 32-bit register, the 16-bit source operand is copied into the lower 16 bits of the destination register, and the upper 16 bits of the register are undefined. With a 16-bit register operand, only the lower 16 bits of the destination are affected (the upper 16 bits remain unchanged). With a memory operand, the source is written to memory as a 16- bit quantity, regardless of operand size. As a result, 32-bit software should always treat the destination as 16-bits and mask bits 16-31, if necessary.

SUB - Integer Subtraction

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
2C ib SUB AL,imm8 X X X X X X AL < AL - immediate byte
2D iw SUB AX,imm16 X X X X X X AX < AX - immediate word
2D id SUB EAX,imm32 X X X EAX < EAX - immediate dword
80 /5 ib SUB r/m8,imm8 X X X X X X r/m8 < r/m8 - immediate byte
81 /5 iw SUB r/m16,imm16 X X X X X X r/m16 < r/m16 - immediate word
81 /5 id SUB r/m32,imm32 X X X r/m32 < r/m32 - immediate dword
83 /5 ib SUB r/m16,imm8 X X X X X X r/m16 < r/m16 - sign-extended immediate byte
83 /5 ib SUB r/m32,imm8 X X X r/m32 < r/m32 - sign-extended immediate byte
28 /r SUB r/m8,r8 X X X X X X r/m8 < r/m8 - byte register
29 /r SUB r/m16,r16 X X X X X X r/m16 < r/m16 - word register
29 /r SUB r/m32,r32 X X X r/m32 < r/m32 - dword register
2A /r SUB r8,r/m8 X X X X X X r8 < r8 - r/m byte
2B /r SUB r16,r/m16 X X X X X X r16 < r16 - r/m word
2B /r SUB r32,r/m32 X X X r32 < r32 - r/m dword
Description

The SUB instruction subtracts the second operand (SRC) from the first operand (DEST). The first operand is assigned the result of the subtraction, and the flags are set accordingly. When an immediate byte value is subtracted from a word operand, the immediate value is first sign-extended to the size of the destination operand.

Operation
IF SRC is a byte and DEST is a word or dword 
THEN DEST = DEST - SignExtend(SRC);
ELSE DEST ← DEST - SRC;
FI;
Flags Affected
OF DF IF SF ZF AF PF CF
* * * * * *

The OF, SF, ZF, AF, PF, and CF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

TEST - Logical Compare

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
A8 ib TEST AL,imm8 X X X X X X AND immediate byte with AL
A9 iw TEST AX,imm16 X X X X X X AND immediate word with AX
A9 id TEST EAX,imm32 X X X AND immediate dword with EAX
F6 /0 ib TEST r/m8,imm8 X X X X X X AND immediate byte with r/m byte
F7 /0 iw TEST r/m16,imm16 X X X X X X AND immediate word with r/m word
F7 /0 id TEST r/m32,imm32 X X X AND immediate dword with r/m dword
84 /r TEST r/m8,r8 X X X X X X AND byte register with r/m byte
85 /r TEST r/m16,r16 X X X X X X AND word register with r/m word
85 /r TEST r/m32,r32 X X X AND dword register with r/m dword
Description

The TEST instruction computes the bit-wise logical AND of its two operands. Each bit of the result is 1 if both of the corresponding bits of the operands are 1; otherwise, each bit is 0. The result of the operation is discarded and only the flags are modified.

Operation
DEST : = LeftSRC AND RightSRC;
CF ← 0;
OF ← 0;
Flags Affected
OF DF IF SF ZF AF PF CF
0 * * ? * 0

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result.

Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

VERR, VERW - Verify a Segment for Reading or Writing

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 00 /4 VERR r/m16 X X X X Set ZF=1 if segment can be read, selector in r/m16
0F 00 /5 VERW r/m16 X X X X Set ZF=1 if segment can be written, selector in r/m16
Description

The two-byte register or memory operand of the VERR and VERW instructions contains the value of a selector. The VERR and VERW instructions determine whether the segment denoted by the selector is reachable from the current privilege level and whether the segment is readable (VERR) or writeable (VERW). If the segment is accessible, the ZF flag is set; if the segment is not accessible, the ZF flag is cleared. To set the ZF flag, the following conditions must be met:

  • The selector must denote a descriptor within the bounds of the table (GDT or LDT); the selector must be "defined."
  • The selector must denote the descriptor of a code or data segment (not that of a task state segment, LDT, or a gate).
  • For the VERR instruction, the segment must be readable. For the VERW instruction, the segment must be a writeable data segment.
  • If the code segment is readable and conforming, the descriptor privilege level (DPL) can be any value for the VERR instruction. Otherwise, the DPL must be greater than or equal to (have less or the same privilege as) both the current privilege level and the selector's RPL.

The validation performed is the same as if the segment were loaded into the DS, ES, FS, or GS register, and the indicated access (read or write) were performed. The ZF flag receives the result of the validation. The selector' s value cannot result in a protection exception, enabling the software to anticipate possible segment access problems.

Operation
IF segment with selector at (r/m) is accessible 
 with current protection level 
 AND ((segment is readable for VERR) OR 
   (segment is writable for VERW))
THEN ZF ← 1;
ELSE ZF ← 0;
FI;
Flags Affected
OF|DF|IF|SF|ZF|AF|PF|CF 
  |  |  |  |* |  |  |

The ZF flag is set if the segment is accessible, cleared if it is not.

Protected Mode Exceptions

Faults generated by illegal addressing of the memory operand that contains the selector; the selector is not loaded into any segment register, and no faults attributable to the selector operand are generated.

  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments;
  2. SS(0) for an illegal address in the SS segment; #PF( fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 6; the VERR and VERW instructions are not recognized in Real Address Mode.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #AC for unaligned memory reference if the current privilege level is 3.

WAIT - Wait

Details Table
|Encoding  |Instruction         |0|1|2|3|4|5|Description
|----------+--------------------+-+-+-+-+-+-+-----------------------------
|9B        |WAIT                |X|X|X|X|X|X|Causes processor to check for
|          |                    | | | | | | |numeric exceptions
Description

WAIT causes the processor to check for pending unmasked numeric exceptions before proceeding. Protected Mode Exceptions

  1. NM if both MP and TS in CR0 are set.
Real Address Mode Exceptions

Interrupt 7 if both MP and TS is CR0 are set.

Virtual 8086 Mode Exceptions
  1. NM if both MP and TS in CR0 are set.
Notes

Coding WAIT after an ESC instruction ensures that any unmasked floating- point exceptions the instruction may cause are handled before the processor has a chance to modify the instruction's results. FWAIT is an alternate mnemonic for WAIT. Refer to the Intel documentation for more information about when to use WAIT (FWAIT).

WBINVD - Write-Back and Invalidate Cache

Details Table
|Encoding  |Instruction   |0|1|2|3|4|5|Description
|----------+--------------+-+-+-+-+-+-+--------------------------------------
|0F 09     |WBINVD        | | | | |X|X|Write-back and invalidate entire cache
Description

The internal cache is flushed, and a special-function bus cycle is issued, which indicates that external cache should write-back its contents to main memory. Another special-function bus cycle follows, directing the external cache to flush itself.

Operation
FLUSH INTERNAL CACHE 
SIGNAL EXTERNAL CACHE TO WRITE-BACK
SIGNAL EXTERNAL CACHE TO FLUSH 
Protected Mode Exceptions

The WBINVD instruction is a privileged instruction; #GP(0) if the current privilege level is not 0.

Virtual 8086 Mode Exceptions
  1. GP(0); the WBINVD instruction is a privileged instruction.
Notes

INVD should be used with care. It does not write back modified cache lines; therefore, it can cause the data cache to become inconsistent with other memories in the system. Unless there is a specific requirement or benefit to invalidate a cache without writing back the modified lines (i.e., testing or fault recovery where cache coherency with main memory is not a concern), software should use the WBINVD instruction. This instruction is implementation-dependent; its function may be implemented differently on future Intel processors. It is the responsibility of hardware to respond to the external cache write -back and flush indications. This instruction is not supported on Intel386 processors. See the Intel documentation for information on detecting the processor type at runtime. See the Intel documentation for information on disabling the cache.

WRMSR - Write to Model Specific Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F 30 WRMSR X Write the value in EDX:EAX to Model Specific Register indicated by ECX
Description

The value in ECX specifies one of the 64-bit Model Specific Registers of the Pentium processor. The contents of EDX:EAX is copied into that Model-Specific Register. The high-order 32 bits are copied from EDX and the low-order 32 bits are copied from EAX. The following values are used to select model specific registers on the Pentium processor:

VALUE REGISTER NAME DESCRIPTION
00H Machine Check Address Stores address of cycle causing the exception
01H Machine Check Type Stores cycle type of cycle causing the exception

For other values used to perform cache, TLB, and BTB testing and performance monitoring, see the Intel documentation.

Operation
MSR[ECX] ← EDX:EAX;
Protected Mode Exceptions
  1. GP(0) if either the current privilege level is not 0 or the value in ECX does not specify a Model-Specific Register that is implemented in the Pentium processor.
Real Address Mode Exceptions
  1. GP(0) if the value in ECX does not specify a Model-Specific Register that is implemented in the Pentium processor. No error code is pushed.
Virtual 8086 Mode Exceptions
  1. GP(0) if instruction execution is attempted.
Notes

Always set undefined or reserved bits to the value previously read. WRMSR is used to write the content of Model-Specific Registers that control functions for testability, execution tracing, performance monitoring, and machine check errors. Refer to the Pentium(TM) Processor Data Book for more information. The values 3H, 0FH, and values above 13H are reserved. Do not execute WRMSR with reserved values in ECX.

XADD - Exchange and Add

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
0F C0 /r XADD r/m8,r8 X X Exchange byte register and r/m byte; load sum into r/m byte
0F C1 /r XADD r/m16,r16 X X Exchange word register and r/m word; load sum into r/m word
0F C1 /r XADD r/m32,r32 X X Exchange dword register and r/m dword; load sum into r/m dword
Description

The XADD instruction loads DEST into SRC, and then loads the sum of DEST and the original value of SRC into DEST.

Operation
TEMP ← SRC + DEST 
SRC ← DEST 
DEST ← TEMP 
Flags Affected
OF DF IF SF ZF AF PF CF
* * * * * *

The CF, PF, AF, SF, ZF, and OF flags are affected as if an ADD instruction had been executed.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CR0 is set, #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Notes

This instruction can be used with a LOCK prefix. The Intel386 DX microprocessor does not implement this instruction. If this instruction is used, you should provide an equivalent code sequence that runs on an Intel386 DX processor as well. See the Intel documentation for details on how to detect a particular processor at runtime.

XCHG - Exchange Register/Memory with Register

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
90+rw XCHG AX,r16 X X X X X X Exchange word register with AX
90+rd XCHG EAX,r32 X X X Exchange dword register with EAX
90+rw XCHG r16,AX X X X X X X Exchange word register with AX
90+rd XCHG r32,EAX X X X Exchange dword register with EAX
86 /r XCHG r/m8,r8 X X X X X X Exchange byte register with EA byte
86 /r XCHG r8,r/m8 X X X X X X Exchange byte register with EA byte
87 /r XCHG r/m16,r16 X X X X X X Exchange word register with EA word
87 /r XCHG r/m32,r32 X X X Exchange dword register with EA dword
87 /r XCHG r16,r/m16 X X X X X X Exchange word register with EA word
87 /r XCHG r32,r/m32 X X X Exchange dword register with EA dword
Description

The XCHG instruction exchanges two operands. The operands can be in either order. If a memory operand is involved, the LOCK# signal is asserted for the duration of the exchange, regardless of the presence or absence of the LOCK prefix or of the value of the IOPL.

Operation
temp ← DEST 
DEST ← SRC 
SRC ← temp 
Protected Mode Exceptions
  1. GP(0) if either operand is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

Note

XCHG can be used for BSWAP for 16-bit data.

XLAT/XLATB - Table Look-up Translation

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
D7 XLAT m8 X X X X X X Set AL to memory byte DS:[(E)BX + unsigned AL]
D7 XLATB X X X X X X Set AL to memory byte DS:[(E)BX + unsigned AL]
Description

The XLAT instruction changes the AL register from the table index to the table entry. The AL register should be the unsigned index into a table addressed by the DS:BX register pair (for an address-size attribute of 16 bits) or the DS:EBX register pair (for an address-size attribute of 32 bits ). The operand to the XLAT instruction allows for the possibility of a segment override. The XLAT instruction uses the contents of the BX register even if they differ from the offset of the operand. The offset of the operand should have been moved into the BX or EBX register with a previous instruction. The no-operand form, the XLATB instruction, can be used if the BX or EBX table will always reside in the DS segment.

Operation
IF AddressSize = 16 
THEN 
 AL ← (BX + ZeroExtend(AL))
ELSE (* AddressSize = 32 *)
 AL ← (EBX + ZeroExtend(AL));
FI;
Protected Mode Exceptions
  1. GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.

XOR - Logical Exclusive OR

Details Table
Encoding Instruction 0 1 2 3 4 5 Description
34 ib XOR AL,imm8 X X X X X X Exclusive-OR immediate byte to AL
35 iw XOR AX,imm16 X X X X X X Exclusive-OR immediate word to AX
35 id XOR EAX,imm32 X X X Exclusive-OR immediate dword to EAX
80 /6 ib XOR r/m8,imm8 X X X X X X Exclusive-OR immediate byte to r/m byte
81 /6 iw XOR r/m16,imm16 X X X X X X Exclusive-OR immediate word to r/mword
81 /6 id XOR r/m32,imm32 X X X Exclusive-OR immediate dword to r/m dword
83 /6 ib XOR r/m16,imm8 X X X XOR sign-extended immediate byte to r/m word
83 /6 ib XOR r/m32,imm8 X X X XOR sign-extended immediate byte with r/m dword
30 /r XOR r/m8,r8 X X X X X X Exclusive-OR byte register to r/m byte
31 /r XOR r/m16,r16 X X X X X X Exclusive-OR word register to r/m word
31 /r XOR r/m32,r32 X X X Exclusive-OR dword register to r/m dword
32 /r XOR r8,r/m8 X X X X X X Exclusive-OR r/m byte to byte register
33 /r XOR r16,r/m16 X X X X X X Exclusive-OR r/m word to word register
33 /r XOR r32,r/m32 X X X Exclusive-OR r/m dword to dword register
Description

The XOR instruction computes the exclusive OR of the two operands. Each bit of the result is 1 if the corresponding bits of the operands are different; each bit is 0 if the corresponding bits are the same. The answer replaces the first operand.

Operation
DEST ← LeftSRC XOR RightSRC 
CF ← 0 
OF ← 0 
Flags Affected
OF DF IF SF ZF AF PF CF
0 * * ? * 0

The CF and OF flags are cleared; the SF, ZF, and PF flags are set according to the result; the AF flag is undefined.

Protected Mode Exceptions
  1. GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS (0) for an illegal address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.
Real Address Mode Exceptions

Interrupt 13 if any part of the operand would lie outside of the effective address space from 0 to 0FFFFH.

Virtual 8086 Mode Exceptions

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for unaligned memory reference if the current privilege level is 3.