This appendix provides a complete list of the machine instructions which
NASM will assemble, and a short description of the function of each one.
It is not intended to be exhaustive documentation on the fine details of
the instructions' function, such as which exceptions they can trigger: for
such documentation, you should go to Intel's Web site,
http://developer.intel.com/design/Pentium4/manuals/.
Instead, this appendix is intended primarily to provide documentation on
the way the instructions may be used within NASM. For example, looking up
LOOP will tell you that NASM allows
CX or ECX to be
specified as an optional second argument to the
LOOP instruction, to enforce which of the two
possible counter registers should be used if the default is not the one
desired.
The instructions are not quite listed in alphabetical order, since
groups of instructions with similar functions are lumped together in the
same entry. Most of them don't move very far from their alphabetic position
because of this.
The instruction descriptions in this appendix specify their operands
using the following notation:
Registers: reg8 denotes an 8-bit general
purpose register, reg16 denotes a 16-bit general
purpose register, and reg32 a 32-bit one.
fpureg denotes one of the eight FPU stack
registers, mmxreg denotes one of the eight 64-bit
MMX registers, and segreg denotes a segment
register. In addition, some registers (such as
AL, DX or
ECX) may be specified explicitly.
Immediate operands: imm denotes a generic
immediate operand. imm8,
imm16 and imm32 are
used when the operand is intended to be a specific size. For some of these
instructions, NASM needs an explicit specifier: for example,
ADD ESP,16 could be interpreted as either
ADD r/m32,imm32 or
ADD r/m32,imm8. NASM chooses the former by
default, and so you must specify ADD ESP,BYTE 16
for the latter.
Memory references: mem denotes a generic
memory reference; mem8,
mem16, mem32,
mem64 and mem80 are
used when the operand needs to be a specific size. Again, a specifier is
needed in some cases: DEC [address] is ambiguous
and will be rejected by NASM. You must specify
DEC BYTE [address],
DEC WORD [address] or
DEC DWORD [address] instead.
Restricted memory references: one form of the
MOV instruction allows a memory address to be
specified without allowing the normal range of register
combinations and effective address processing. This is denoted by
memoffs8, memoffs16 and
memoffs32.
Register or memory choices: many instructions can accept either a
register or a memory reference as an operand.
r/m8 is a shorthand for
reg8/mem8; similarly
r/m16 and r/m32.
r/m64 is MMX-related, and is a shorthand for
mmxreg/mem64.
This appendix also provides the opcodes which NASM will generate for
each form of each instruction. The opcodes are listed in the following way:
A hex number, such as 3F, indicates a fixed
byte containing that number.
A hex number followed by +r, such as
C8+r, indicates that one of the operands to the
instruction is a register, and the `register value' of that register should
be added to the hex number to produce the generated byte. For example, EDX
has register value 2, so the code C8+r, when the
register operand is EDX, generates the hex byte
CA. Register values for specific registers are
given in section B.2.1.
A hex number followed by +cc, such as
40+cc, indicates that the instruction name has a
condition code suffix, and the numeric representation of the condition code
should be added to the hex number to produce the generated byte. For
example, the code 40+cc, when the instruction
contains the NE condition, generates the hex byte
45. Condition codes and their numeric
representations are given in section B.2.2.
A slash followed by a digit, such as /2,
indicates that one of the operands to the instruction is a memory address
or register (denoted mem or
r/m, with an optional size). This is to be
encoded as an effective address, with a ModR/M byte, an optional SIB byte,
and an optional displacement, and the spare (register) field of the ModR/M
byte should be the digit given (which will be from 0 to 7, so it fits in
three bits). The encoding of effective addresses is given in
section B.2.5.
The code /r combines the above two: it
indicates that one of the operands is a memory address or
r/m, and another is a register, and that an
effective address should be generated with the spare (register) field in
the ModR/M byte being equal to the `register value' of the register
operand. The encoding of effective addresses is given in
section B.2.5; register values are given in
section B.2.1.
The codes ib, iw
and id indicate that one of the operands to the
instruction is an immediate value, and that this is to be encoded as a
byte, little-endian word or little-endian doubleword respectively.
The codes rb, rw
and rd indicate that one of the operands to the
instruction is an immediate value, and that the difference between
this value and the address of the end of the instruction is to be encoded
as a byte, word or doubleword respectively. Where the form
rw/rd appears, it indicates that either
rw or rd should be used
according to whether assembly is being performed in
BITS 16 or BITS 32
state respectively.
The codes ow and od
indicate that one of the operands to the instruction is a reference to the
contents of a memory address specified as an immediate value: this encoding
is used in some forms of the MOV instruction in
place of the standard effective-address mechanism. The displacement is
encoded as a word or doubleword. Again, ow/od
denotes that ow or od
should be chosen according to the BITS setting.
The codes o16 and
o32 indicate that the given form of the
instruction should be assembled with operand size 16 or 32 bits. In other
words, o16 indicates a
66 prefix in BITS 32
state, but generates no code in BITS 16 state;
and o32 indicates a 66
prefix in BITS 16 state but generates nothing in
BITS 32.
The codes a16 and
a32, similarly to o16
and o32, indicate the address size of the given
form of the instruction. Where this does not match the
BITS setting, a 67
prefix is required.
Where an instruction requires a register value, it is already implicit
in the encoding of the rest of the instruction what type of register is
intended: an 8-bit general-purpose register, a segment register, a debug
register, an MMX register, or whatever. Therefore there is no problem with
registers of different types sharing an encoding value.
The encodings for the various classes of register are:
8-bit general registers: AL is 0,
CL is 1, DL is 2,
BL is 3, AH is 4,
CH is 5, DH is 6, and
BH is 7.
16-bit general registers: AX is 0,
CX is 1, DX is 2,
BX is 3, SP is 4,
BP is 5, SI is 6, and
DI is 7.
32-bit general registers: EAX is 0,
ECX is 1, EDX is 2,
EBX is 3, ESP is 4,
EBP is 5, ESI is 6, and
EDI is 7.
Segment registers: ES is 0,
CS is 1, SS is 2,
DS is 3, FS is 4, and
GS is 5.
Floating-point registers: ST0 is 0,
ST1 is 1, ST2 is 2,
ST3 is 3, ST4 is 4,
ST5 is 5, ST6 is 6, and
ST7 is 7.
64-bit MMX registers: MM0 is 0,
MM1 is 1, MM2 is 2,
MM3 is 3, MM4 is 4,
MM5 is 5, MM6 is 6, and
MM7 is 7.
Control registers: CR0 is 0,
CR2 is 2, CR3 is 3, and
CR4 is 4.
Debug registers: DR0 is 0,
DR1 is 1, DR2 is 2,
DR3 is 3, DR6 is 6, and
DR7 is 7.
Test registers: TR3 is 3,
TR4 is 4, TR5 is 5,
TR6 is 6, and TR7 is 7.
(Note that wherever a register name contains a number, that number is
also the register value for that register.)
The available condition codes are given here, along with their numeric
representations as part of opcodes. Many of these condition codes have
synonyms, so several will be listed at a time.
In the following descriptions, the word `either', when applied to two
possible trigger conditions, is used to mean `either or both'. If `either
but not both' is meant, the phrase `exactly one of' is used.
O is 0 (trigger if the overflow flag is set);
NO is 1.
B, C and
NAE are 2 (trigger if the carry flag is set);
AE, NB and
NC are 3.
E and Z are 4
(trigger if the zero flag is set); NE and
NZ are 5.
BE and NA are 6
(trigger if either of the carry or zero flags is set);
A and NBE are 7.
S is 8 (trigger if the sign flag is set);
NS is 9.
P and PE are 10
(trigger if the parity flag is set); NP and
PO are 11.
L and NGE are 12
(trigger if exactly one of the sign and overflow flags is set);
GE and NL are 13.
LE and NG are 14
(trigger if either the zero flag is set, or exactly one of the sign and
overflow flags is set); G and
NLE are 15.
Note that in all cases, the sense of a condition code may be reversed by
changing the low bit of the numeric representation.
For details of when an instruction sets each of the status flags, see
the individual instruction, plus the Status Flags reference in
section B.2.4
The condition predicates for SSE comparison instructions are the codes
used as part of the opcode, to determine what form of comparison is being
carried out. In each case, the imm8 value is the final byte of the opcode
encoding, and the predicate is the code used as part of the mnemonic for
the instruction (equivalent to the "cc" in an integer instruction that used
a condition code). The instructions that use this will give details of what
the various mnemonics are, this table is used to help you work out details
of what is happening.
Predi- imm8 Description Relation where: Emula- Result QNaN
cate Encod- A Is 1st Operand tion if NaN Signal
ing B Is 2nd Operand Operand Invalid
EQ 000B equal A = B False No
LT 001B less-than A < B False Yes
LE 010B less-than- A <= B False Yes
or-equal
--- ---- greater A > B Swap False Yes
than Operands,
Use LT
--- ---- greater- A >= B Swap False Yes
than-or-equal Operands,
Use LE
UNORD 011B unordered A, B = Unordered True No
NEQ 100B not-equal A != B True No
NLT 101B not-less- NOT(A < B) True Yes
than
NLE 110B not-less- NOT(A <= B) True Yes
than-or-
equal
--- ---- not-greater NOT(A > B) Swap True Yes
than Operands,
Use NLT
--- ---- not-greater NOT(A >= B) Swap True Yes
than- Operands,
or-equal Use NLE
ORD 111B ordered A , B = Ordered False No
The unordered relationship is true when at least one of the two values
being compared is a NaN or in an unsupported format.
Note that the comparisons which are listed as not having a predicate or
encoding can only be achieved through software emulation, as described in
the "emulation" column. Note in particular that an instruction such as
greater-than is not the same as
NLE, as, unlike with the
CMP instruction, it has to take into account the
possibility of one operand containing a NaN or an unsupported numeric
format.
The status flags provide some information about the result of the
arithmetic instructions. This information can be used by conditional
instructions (such a Jcc and
CMOVcc) as well as by some of the other
instructions (such as ADC and
INTO).
There are 6 status flags:
CF - Carry flag.
Set if an arithmetic operation generates a carry or a borrow out of the
most-significant bit of the result; cleared otherwise. This flag indicates
an overflow condition for unsigned-integer arithmetic. It is also used in
multiple-precision arithmetic.
PF - Parity flag.
Set if the least-significant byte of the result contains an even number
of 1 bits; cleared otherwise.
AF - Adjust flag.
Set if an arithmetic operation generates a carry or a borrow out of bit
3 of the result; cleared otherwise. This flag is used in binary-coded
decimal (BCD) arithmetic.
ZF - Zero flag.
Set if the result is zero; cleared otherwise.
SF - Sign flag.
Set equal to the most-significant bit of the result, which is the sign
bit of a signed integer. (0 indicates a positive value and 1 indicates a
negative value.)
OF - Overflow flag.
Set if the integer result is too large a positive number or too small a
negative number (excluding the sign-bit) to fit in the destination operand;
cleared otherwise. This flag indicates an overflow condition for
signed-integer (two's complement) arithmetic.
An effective address is encoded in up to three parts: a ModR/M byte, an
optional SIB byte, and an optional byte, word or doubleword displacement
field.
The ModR/M byte consists of three fields: the
mod field, ranging from 0 to 3, in the upper two
bits of the byte, the r/m field, ranging from 0
to 7, in the lower three bits, and the spare (register) field in the middle
(bit 3 to bit 5). The spare field is not relevant to the effective address
being encoded, and either contains an extension to the instruction opcode
or the register value of another operand.
The ModR/M system can be used to encode a direct register reference
rather than a memory access. This is always done by setting the
mod field to 3 and the
r/m field to the register value of the register
in question (it must be a general-purpose register, and the size of the
register must already be implicit in the encoding of the rest of the
instruction). In this case, the SIB byte and displacement field are both
absent.
In 16-bit addressing mode (either BITS 16 with
no 67 prefix, or
BITS 32 with a 67
prefix), the SIB byte is never used. The general rules for
mod and r/m (there is
an exception, given below) are:
The mod field gives the length of the
displacement field: 0 means no displacement, 1 means one byte, and 2 means
two bytes.
The r/m field encodes the combination of
registers to be added to the displacement to give the accessed address: 0
means BX+SI, 1 means
BX+DI, 2 means BP+SI, 3
means BP+DI, 4 means SI
only, 5 means DI only, 6 means
BP only, and 7 means BX
only.
However, there is a special case:
If mod is 0 and r/m
is 6, the effective address encoded is not [BP]
as the above rules would suggest, but instead
[disp16]: the displacement field is present and
is two bytes long, and no registers are added to the displacement.
Therefore the effective address [BP] cannot be
encoded as efficiently as [BX]; so if you code
[BP] in a program, NASM adds a notional 8-bit
zero displacement, and sets mod to 1,
r/m to 6, and the one-byte displacement field to
0.
In 32-bit addressing mode (either BITS 16 with
a 67 prefix, or BITS 32
with no 67 prefix) the general rules (again,
there are exceptions) for mod and
r/m are:
The mod field gives the length of the
displacement field: 0 means no displacement, 1 means one byte, and 2 means
four bytes.
If only one register is to be added to the displacement, and it is not
ESP, the r/m field
gives its register value, and the SIB byte is absent. If the
r/m field is 4 (which would encode
ESP), the SIB byte is present and gives the
combination and scaling of registers to be added to the displacement.
If the SIB byte is present, it describes the combination of registers
(an optional base register, and an optional index register scaled by
multiplication by 1, 2, 4 or 8) to be added to the displacement. The SIB
byte is divided into the scale field, in the top
two bits, the index field in the next three, and
the base field in the bottom three. The general
rules are:
The base field encodes the register value of
the base register.
The index field encodes the register value of
the index register, unless it is 4, in which case no index register is used
(so ESP cannot be used as an index register).
The scale field encodes the multiplier by
which the index register is scaled before adding it to the base and
displacement: 0 encodes a multiplier of 1, 1 encodes 2, 2 encodes 4 and 3
encodes 8.
The exceptions to the 32-bit encoding rules are:
If mod is 0 and r/m
is 5, the effective address encoded is not [EBP]
as the above rules would suggest, but instead
[disp32]: the displacement field is present and
is four bytes long, and no registers are added to the displacement.
If mod is 0, r/m is
4 (meaning the SIB byte is present) and base is
4, the effective address encoded is not
[EBP+index] as the above rules would suggest, but
instead [disp32+index]: the displacement field is
present and is four bytes long, and there is no base register (but the
index register is still processed in the normal way).
Given along with each instruction in this appendix is a set of flags,
denoting the type of the instruction. The types are as follows:
8086, 186,
286, 386,
486, PENT and
P6 denote the lowest processor type that supports
the instruction. Most instructions run on all processors above the given
type; those that do not are documented. The Pentium II contains no
additional instructions beyond the P6 (Pentium Pro); from the point of view
of its instruction set, it can be thought of as a P6 with MMX capability.
3DNOW indicates that the instruction is a
3DNow! one, and will run on the AMD K6-2 and later processors. ATHLON
extensions to the 3DNow! instruction set are documented as such.
CYRIX indicates that the instruction is
specific to Cyrix processors, for example the extra MMX instructions in the
Cyrix extended MMX instruction set.
FPU indicates that the instruction is a
floating-point one, and will only run on machines with a coprocessor
(automatically including 486DX, Pentium and above).
KATMAI indicates that the instruction was
introduced as part of the Katmai New Instruction set. These instructions
are available on the Pentium III and later processors. Those which are not
specifically SSE instructions are also available on the AMD Athlon.
MMX indicates that the instruction is an MMX
one, and will run on MMX-capable Pentium processors and the Pentium II.
PRIV indicates that the instruction is a
protected-mode management instruction. Many of these may only be used in
protected mode, or only at privilege level zero.
SSE and SSE2
indicate that the instruction is a Streaming SIMD Extension instruction.
These instructions operate on multiple values in a single operation. SSE
was introduced with the Pentium III and SSE2 was introduced with the
Pentium 4.
UNDOC indicates that the instruction is an
undocumented one, and not part of the official Intel Architecture; it may
or may not be supported on any given machine.
WILLAMETTE indicates that the instruction was
introduced as part of the new instruction set in the Pentium 4 and Intel
Xeon processors. These instructions are also known as SSE2 instructions.
These instructions are used in conjunction with the add, subtract,
multiply and divide instructions to perform binary-coded decimal arithmetic
in unpacked (one BCD digit per byte - easy to translate to and
from ASCII, hence the instruction names) form.
There are also packed BCD instructions DAA and
DAS: see section
B.4.57.
AAA (ASCII Adjust After Addition) should be
used after a one-byte ADD instruction whose
destination was the AL register: by means of
examining the value in the low nibble of AL and
also the auxiliary carry flag AF, it determines
whether the addition has overflowed, and adjusts it (and sets the carry
flag) if so. You can add long BCD strings together by doing
ADD/AAA on the low
digits, then doing
ADC/AAA on each
subsequent digit.
AAS (ASCII Adjust AL After Subtraction) works
similarly to AAA, but is for use after
SUB instructions rather than
ADD.
AAM (ASCII Adjust AX After Multiply) is for
use after you have multiplied two decimal digits together and left the
result in AL: it divides
AL by ten and stores the quotient in
AH, leaving the remainder in
AL. The divisor 10 can be changed by specifying
an operand to the instruction: a particularly handy use of this is
AAM 16, causing the two nibbles in
AL to be separated into
AH and AL.
AAD (ASCII Adjust AX Before Division)
performs the inverse operation to AAM: it
multiplies AH by ten, adds it to
AL, and sets AH to
zero. Again, the multiplier 10 can be changed.
ADC performs integer addition: it adds its two
operands together, plus the value of the carry flag, and leaves the result
in its destination (first) operand. The destination operand can be a
register or a memory location. The source operand can be a register, a
memory location or an immediate value.
The flags are set according to the result of the operation: in
particular, the carry flag is affected and can be used by a subsequent
ADC instruction.
In the forms with an 8-bit immediate second operand and a longer first
operand, the second operand is considered to be signed, and is
sign-extended to the length of the first operand. In these cases, the
BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
To add two numbers without also adding the contents of the carry flag,
use ADD (section
B.4.3).
ADD performs integer addition: it adds its two
operands together, and leaves the result in its destination (first)
operand. The destination operand can be a register or a memory location.
The source operand can be a register, a memory location or an immediate
value.
The flags are set according to the result of the operation: in
particular, the carry flag is affected and can be used by a subsequent
ADC instruction.
In the forms with an 8-bit immediate second operand and a longer first
operand, the second operand is considered to be signed, and is
sign-extended to the length of the first operand. In these cases, the
BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
ADDSD adds the low double-precision FP values
from the source and destination operands and stores the double-precision FP
result in the destination operand.
ADDSS adds the low single-precision FP values
from the source and destination operands and stores the single-precision FP
result in the destination operand.
AND r/m8,reg8 ; 20 /r [8086]
AND r/m16,reg16 ; o16 21 /r [8086]
AND r/m32,reg32 ; o32 21 /r [386]
AND reg8,r/m8 ; 22 /r [8086]
AND reg16,r/m16 ; o16 23 /r [8086]
AND reg32,r/m32 ; o32 23 /r [386]
AND r/m8,imm8 ; 80 /4 ib [8086]
AND r/m16,imm16 ; o16 81 /4 iw [8086]
AND r/m32,imm32 ; o32 81 /4 id [386]
AND r/m16,imm8 ; o16 83 /4 ib [8086]
AND r/m32,imm8 ; o32 83 /4 ib [386]
AND AL,imm8 ; 24 ib [8086]
AND AX,imm16 ; o16 25 iw [8086]
AND EAX,imm32 ; o32 25 id [386]
AND performs a bitwise AND operation between
its two operands (i.e. each bit of the result is 1 if and only if the
corresponding bits of the two inputs were both 1), and stores the result in
the destination (first) operand. The destination operand can be a register
or a memory location. The source operand can be a register, a memory
location or an immediate value.
In the forms with an 8-bit immediate second operand and a longer first
operand, the second operand is considered to be signed, and is
sign-extended to the length of the first operand. In these cases, the
BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
The MMX instruction
PAND (see section
B.4.202) performs the same operation on the 64-bit
MMX registers.
ANDNPD inverts the bits of the two
double-precision floating-point values in the destination register, and
then performs a logical AND between the two double-precision floating-point
values in the source operand and the temporary inverted result, storing the
result in the destination register.
dst[0-63] := src[0-63] AND NOT dst[0-63],
dst[64-127] := src[64-127] AND NOT dst[64-127].
The destination is an XMM register. The source
operand can be either an XMM register or a
128-bit memory location.
ANDNPS inverts the bits of the four
single-precision floating-point values in the destination register, and
then performs a logical AND between the four single-precision
floating-point values in the source operand and the temporary inverted
result, storing the result in the destination register.
dst[0-31] := src[0-31] AND NOT dst[0-31],
dst[32-63] := src[32-63] AND NOT dst[32-63],
dst[64-95] := src[64-95] AND NOT dst[64-95],
dst[96-127] := src[96-127] AND NOT dst[96-127].
The destination is an XMM register. The source
operand can be either an XMM register or a
128-bit memory location.
ANDPD performs a bitwise logical AND of the
two double-precision floating point values in the source and destination
operand, and stores the result in the destination register.
dst[0-63] := src[0-63] AND dst[0-63],
dst[64-127] := src[64-127] AND dst[64-127].
The destination is an XMM register. The source
operand can be either an XMM register or a
128-bit memory location.
ANDPS performs a bitwise logical AND of the
four single-precision floating point values in the source and destination
operand, and stores the result in the destination register.
dst[0-31] := src[0-31] AND dst[0-31],
dst[32-63] := src[32-63] AND dst[32-63],
dst[64-95] := src[64-95] AND dst[64-95],
dst[96-127] := src[96-127] AND dst[96-127].
The destination is an XMM register. The source
operand can be either an XMM register or a
128-bit memory location.
ARPL expects its two word operands to be
segment selectors. It adjusts the RPL (requested
privilege level - stored in the bottom two bits of the selector) field of
the destination (first) operand to ensure that it is no less (i.e. no more
privileged than) the RPL field of the source
operand. The zero flag is set if and only if a change had to be made.
BOUND expects its second operand to point to
an area of memory containing two signed values of the same size as its
first operand (i.e. two words for the 16-bit form; two doublewords for the
32-bit form). It performs two signed comparisons: if the value in the
register passed as its first operand is less than the first of the
in-memory values, or is greater than or equal to the second, it throws a
BR exception. Otherwise, it does nothing.
BSF searches for the least significant set
bit in its source (second) operand, and if it finds one, stores the index
in its destination (first) operand. If no set bit is found, the contents of
the destination operand are undefined. If the source operand is zero, the
zero flag is set.
BSR performs the same function, but searches
from the top instead, so it finds the most significant set bit.
Bit indices are from 0 (least significant) to 15 or 31 (most
significant). The destination operand can only be a register. The source
operand can be a register or a memory location.
BSWAP swaps the order of the four bytes of a
32-bit register: bits 0-7 exchange places with bits 24-31, and bits 8-15
swap with bits 16-23. There is no explicit 16-bit equivalent: to byte-swap
AX, BX,
CX or DX,
XCHG can be used. When
BSWAP is used with a 16-bit register, the result
is undefined.
BTS r/m16,reg16 ; o16 0F AB /r [386]
BTS r/m32,reg32 ; o32 0F AB /r [386]
BTS r/m16,imm ; o16 0F BA /5 ib [386]
BTS r/m32,imm ; o32 0F BA /5 ib [386]
These instructions all test one bit of their first operand, whose index
is given by the second operand, and store the value of that bit into the
carry flag. Bit indices are from 0 (least significant) to 15 or 31 (most
significant).
In addition to storing the original value of the bit into the carry
flag, BTR also resets (clears) the bit in the
operand itself. BTS sets the bit, and
BTC complements the bit.
BT does not modify its operands.
The destination can be a register or a memory location. The source can
be a register or an immediate value.
If the destination operand is a register, the bit offset should be in
the range 0-15 (for 16-bit operands) or 0-31 (for 32-bit operands). An
immediate value outside these ranges will be taken modulo 16/32 by the
processor.
If the destination operand is a memory location, then an immediate bit
offset follows the same rules as for a register. If the bit offset is in a
register, then it can be anything within the signed range of the register
used (ie, for a 32-bit operand, it can be (-2^31) to (2^31 - 1)
CALL calls a subroutine, by means of pushing
the current instruction pointer (IP) and
optionally CS as well on the stack, and then
jumping to a given address.
CS is pushed as well as
IP if and only if the call is a far call, i.e. a
destination segment address is specified in the instruction. The forms
involving two colon-separated arguments are far calls; so are the
CALL FAR mem forms.
The immediate near call takes one of two forms
(call imm16/imm32, determined by the current
segment size limit. For 16-bit operands, you would use
CALL 0x1234, and for 32-bit operands you would
use CALL 0x12345678. The value passed as an
operand is a relative offset.
You can choose between the two immediate far call forms
(CALL imm:imm) by the use of the
WORD and DWORD
keywords: CALL WORD 0x1234:0x5678) or
CALL DWORD 0x1234:0x56789abc.
The CALL FAR mem forms execute a far call by
loading the destination address out of memory. The address loaded consists
of 16 or 32 bits of offset (depending on the operand size), and 16 bits of
segment. The operand size may be overridden using
CALL WORD FAR mem or
CALL DWORD FAR mem.
The CALL r/m forms execute a near call (within
the same segment), loading the destination address out of memory or out of
a register. The keyword NEAR may be specified,
for clarity, in these forms, but is not necessary. Again, operand size can
be overridden using CALL WORD mem or
CALL DWORD mem.
As a convenience, NASM does not require you to call a far procedure
symbol by coding the cumbersome
CALL SEG routine:routine, but instead allows the
easier synonym CALL FAR routine.
The CALL r/m forms given above are near calls;
NASM will accept the NEAR keyword (e.g.
CALL NEAR [address]), even though it is not
strictly necessary.
All these instructions sign-extend a short value into a longer one, by
replicating the top bit of the original value to fill the extended one.
CBW extends AL into
AX by repeating the top bit of
AL in every bit of AH.
CWDE extends AX into
EAX. CWD extends
AX into DX:AX by
repeating the top bit of AX throughout
DX, and CDQ extends
EAX into EDX:EAX.
CLC ; F8 [8086]
CLD ; FC [8086]
CLI ; FA [8086]
CLTS ; 0F 06 [286,PRIV]
These instructions clear various flags. CLC
clears the carry flag; CLD clears the direction
flag; CLI clears the interrupt flag (thus
disabling interrupts); and CLTS clears the
task-switched (TS) flag in
CR0.
To set the carry, direction, or interrupt flags, use the
STC, STD and
STI instructions
(section B.4.301). To invert the carry flag,
use CMC (section
B.4.22).
CLFLUSH invalidates the cache line that
contains the linear address specified by the source operand from all levels
of the processor cache hierarchy (data and instruction). If, at any level
of the cache hierarchy, the line is inconsistent with memory (dirty) it is
written to memory before invalidation. The source operand points to a
byte-sized memory location.
Although CLFLUSH is flagged
SSE2 and above, it may not be present on all
processors which have SSE2 support, and it may be
supported on other processors; the CPUID
instruction (section B.4.34) will return a
bit which indicates support for the CLFLUSH
instruction.
Although the CMOV instructions are flagged
P6 and above, they may not be supported by all
Pentium Pro processors; the CPUID instruction
(section B.4.34) will return a bit which
indicates whether conditional moves are supported.
CMP AL,imm8 ; 3C ib [8086]
CMP AX,imm16 ; o16 3D iw [8086]
CMP EAX,imm32 ; o32 3D id [386]
CMP performs a `mental' subtraction of its
second operand from its first operand, and affects the flags as if the
subtraction had taken place, but does not store the result of the
subtraction anywhere.
In the forms with an 8-bit immediate second operand and a longer first
operand, the second operand is considered to be signed, and is
sign-extended to the length of the first operand. In these cases, the
BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
The destination operand can be a register or a memory location. The
source can be a register, memory location or an immediate value of the same
size as the destination.
The CMPccPD instructions compare the two
packed double-precision FP values in the source and destination operands,
and returns the result of the comparison in the destination register. The
result of each comparison is a quadword mask of all 1s (comparison true) or
all 0s (comparison false).
The destination is an XMM register. The source
can be either an XMM register or a 128-bit memory
location.
The third operand is an 8-bit immediate value, of which the low 3 bits
define the type of comparison. For ease of programming, the 8 two-operand
pseudo-instructions are provided, with the third operand already filled in.
The Condition Predicates are:
EQ 0 Equal
LT 1 Less-than
LE 2 Less-than-or-equal
UNORD 3 Unordered
NE 4 Not-equal
NLT 5 Not-less-than
NLE 6 Not-less-than-or-equal
ORD 7 Ordered
For more details of the comparison predicates, and details of how to
emulate the "greater-than" equivalents, see
section B.2.3
The CMPccPS instructions compare the two
packed single-precision FP values in the source and destination operands,
and returns the result of the comparison in the destination register. The
result of each comparison is a doubleword mask of all 1s (comparison true)
or all 0s (comparison false).
The destination is an XMM register. The source
can be either an XMM register or a 128-bit memory
location.
The third operand is an 8-bit immediate value, of which the low 3 bits
define the type of comparison. For ease of programming, the 8 two-operand
pseudo-instructions are provided, with the third operand already filled in.
The Condition Predicates are:
EQ 0 Equal
LT 1 Less-than
LE 2 Less-than-or-equal
UNORD 3 Unordered
NE 4 Not-equal
NLT 5 Not-less-than
NLE 6 Not-less-than-or-equal
ORD 7 Ordered
For more details of the comparison predicates, and details of how to
emulate the "greater-than" equivalents, see
section B.2.3
CMPSB compares the byte at
[DS:SI] or [DS:ESI]
with the byte at [ES:DI] or
[ES:EDI], and sets the flags accordingly. It then
increments or decrements (depending on the direction flag: increments if
the flag is clear, decrements if it is set) SI
and DI (or ESI and
EDI).
The registers used are SI and
DI if the address size is 16 bits, and
ESI and EDI if it is 32
bits. If you need to use an address size not equal to the current
BITS setting, you can use an explicit
a16 or a32 prefix.
The segment register used to load from [SI] or
[ESI] can be overridden by using a segment
register name as a prefix (for example,
ES CMPSB). The use of
ES for the load from
[DI] or [EDI] cannot be
overridden.
CMPSW and CMPSD work
in the same way, but they compare a word or a doubleword instead of a byte,
and increment or decrement the addressing registers by 2 or 4 instead of 1.
The REPE and REPNE
prefixes (equivalently, REPZ and
REPNZ) may be used to repeat the instruction up
to CX (or ECX - again,
the address size chooses which) times until the first unequal or equal byte
is found.
The CMPccSD instructions compare the low-order
double-precision FP values in the source and destination operands, and
returns the result of the comparison in the destination register. The
result of each comparison is a quadword mask of all 1s (comparison true) or
all 0s (comparison false).
The destination is an XMM register. The source
can be either an XMM register or a 128-bit memory
location.
The third operand is an 8-bit immediate value, of which the low 3 bits
define the type of comparison. For ease of programming, the 8 two-operand
pseudo-instructions are provided, with the third operand already filled in.
The Condition Predicates are:
EQ 0 Equal
LT 1 Less-than
LE 2 Less-than-or-equal
UNORD 3 Unordered
NE 4 Not-equal
NLT 5 Not-less-than
NLE 6 Not-less-than-or-equal
ORD 7 Ordered
For more details of the comparison predicates, and details of how to
emulate the "greater-than" equivalents, see
section B.2.3
The CMPccSS instructions compare the low-order
single-precision FP values in the source and destination operands, and
returns the result of the comparison in the destination register. The
result of each comparison is a doubleword mask of all 1s (comparison true)
or all 0s (comparison false).
The destination is an XMM register. The source
can be either an XMM register or a 128-bit memory
location.
The third operand is an 8-bit immediate value, of which the low 3 bits
define the type of comparison. For ease of programming, the 8 two-operand
pseudo-instructions are provided, with the third operand already filled in.
The Condition Predicates are:
EQ 0 Equal
LT 1 Less-than
LE 2 Less-than-or-equal
UNORD 3 Unordered
NE 4 Not-equal
NLT 5 Not-less-than
NLE 6 Not-less-than-or-equal
ORD 7 Ordered
For more details of the comparison predicates, and details of how to
emulate the "greater-than" equivalents, see
section B.2.3
These two instructions perform exactly the same operation; however,
apparently some (not all) 486 processors support it under a non-standard
opcode, so NASM provides the undocumented
CMPXCHG486 form to generate the non-standard
opcode.
CMPXCHG compares its destination (first)
operand to the value in AL,
AX or EAX (depending on
the operand size of the instruction). If they are equal, it copies its
source (second) operand into the destination and sets the zero flag.
Otherwise, it clears the zero flag and copies the destination register to
AL, AX or EAX.
The destination can be either a register or a memory location. The
source is a register.
CMPXCHG is intended to be used for atomic
operations in multitasking or multiprocessor environments. To safely update
a value in shared memory, for example, you might load the value into
EAX, load the updated value into
EBX, and then execute the instruction
LOCK CMPXCHG [value],EBX. If
value has not changed since being loaded, it is
updated with your desired new value, and the zero flag is set to let you
know it has worked. (The LOCK prefix prevents
another processor doing anything in the middle of this operation: it
guarantees atomicity.) However, if another processor has modified the value
in between your load and your attempted store, the store does not happen,
and you are notified of the failure by a cleared zero flag, so you can go
round and try again.
This is a larger and more unwieldy version of
CMPXCHG: it compares the 64-bit (eight-byte)
value stored at [mem] with the value in
EDX:EAX. If they are equal, it sets the zero flag
and stores ECX:EBX into the memory area. If they
are unequal, it clears the zero flag and stores the memory contents into
EDX:EAX.
CMPXCHG8B can be used with the
LOCK prefix, to allow atomic execution. This is
useful in multi-processor and multi-tasking environments.
COMISD compares the low-order double-precision
FP value in the two source operands. ZF, PF and CF are set according to the
result. OF, AF and AF are cleared. The unordered result is returned if
either source is a NaN (QNaN or SNaN).
The destination operand is an XMM register.
The source can be either an XMM register or a
memory location.
The flags are set according to the following rules:
COMISS compares the low-order single-precision
FP value in the two source operands. ZF, PF and CF are set according to the
result. OF, AF and AF are cleared. The unordered result is returned if
either source is a NaN (QNaN or SNaN).
The destination operand is an XMM register.
The source can be either an XMM register or a
memory location.
The flags are set according to the following rules:
CPUID returns various information about the
processor it is being executed on. It fills the four registers
EAX, EBX,
ECX and EDX with
information, which varies depending on the input contents of
EAX.
CPUID also acts as a barrier to serialise
instruction execution: executing the CPUID
instruction guarantees that all the effects (memory modification, flag
modification, register modification) of previous instructions have been
completed before the next instruction gets fetched.
The information returned is as follows:
If EAX is zero on input,
EAX on output holds the maximum acceptable input
value of EAX, and
EBX:EDX:ECX contain the string
"GenuineIntel" (or not, if you have a clone
processor). That is to say, EBX contains
"Genu" (in NASM's own sense of character
constants, described in section
3.4.2), EDX contains
"ineI" and ECX contains
"ntel".
If EAX is one on input,
EAX on output contains version information about
the processor, and EDX contains a set of feature
flags, showing the presence and absence of various features. For example,
bit 8 is set if the CMPXCHG8B instruction
(section B.4.31) is supported, bit 15 is set
if the conditional move instructions (section
B.4.23 and section B.4.72) are supported,
and bit 23 is set if MMX instructions are
supported.
If EAX is two on input,
EAX, EBX,
ECX and EDX all contain
information about caches and TLBs (Translation Lookahead Buffers).
For more information on the data returned from
CPUID, see the documentation from Intel and other
processor manufacturers.
CVTDQ2PD converts two packed signed
doublewords from the source operand to two packed double-precision FP
values in the destination operand.
The destination operand is an XMM register.
The source can be either an XMM register or a
64-bit memory location. If the source is a register, the packed integers
are in the low quadword.
CVTPD2DQ converts two packed double-precision
FP values from the source operand to two packed signed doublewords in the
low quadword of the destination operand. The high quadword of the
destination is set to all 0s.
The destination operand is an XMM register.
The source can be either an XMM register or a
128-bit memory location.
For more details of this instruction, see the Intel Processor manuals.
CVTPD2PS converts two packed double-precision
FP values from the source operand to two packed single-precision FP values
in the low quadword of the destination operand. The high quadword of the
destination is set to all 0s.
The destination operand is an XMM register.
The source can be either an XMM register or a
128-bit memory location.
For more details of this instruction, see the Intel Processor manuals.
CVTPI2PS converts two packed signed
doublewords from the source operand to two packed single-precision FP
values in the low quadword of the destination operand. The high quadword of
the destination remains unchanged.
The destination operand is an XMM register.
The source can be either an MMX register or a
64-bit memory location.
For more details of this instruction, see the Intel Processor manuals.
CVTPS2PD converts two packed single-precision
FP values from the source operand to two packed double-precision FP values
in the destination operand.
The destination operand is an XMM register.
The source can be either an XMM register or a
64-bit memory location. If the source is a register, the input values are
in the low quadword.
For more details of this instruction, see the Intel Processor manuals.
CVTPS2PI converts two packed single-precision
FP values from the source operand to two packed signed doublewords in the
destination operand.
The destination operand is an MMX register.
The source can be either an XMM register or a
64-bit memory location. If the source is a register, the input values are
in the low quadword.
For more details of this instruction, see the Intel Processor manuals.
CVTSD2SI converts a double-precision FP value
from the source operand to a signed doubleword in the destination operand.
The destination operand is a general purpose register. The source can be
either an XMM register or a 64-bit memory
location. If the source is a register, the input value is in the low
quadword.
For more details of this instruction, see the Intel Processor manuals.
CVTSD2SS converts a double-precision FP value
from the source operand to a single-precision FP value in the low
doubleword of the destination operand. The upper 3 doublewords are left
unchanged.
The destination operand is an XMM register.
The source can be either an XMM register or a
64-bit memory location. If the source is a register, the input value is in
the low quadword.
For more details of this instruction, see the Intel Processor manuals.
CVTSI2SD converts a signed doubleword from the
source operand to a double-precision FP value in the low quadword of the
destination operand. The high quadword is left unchanged.
The destination operand is an XMM register.
The source can be either a general purpose register or a 32-bit memory
location.
For more details of this instruction, see the Intel Processor manuals.
CVTSI2SS converts a signed doubleword from the
source operand to a single-precision FP value in the low doubleword of the
destination operand. The upper 3 doublewords are left unchanged.
The destination operand is an XMM register.
The source can be either a general purpose register or a 32-bit memory
location.
For more details of this instruction, see the Intel Processor manuals.
CVTSS2SD converts a single-precision FP value
from the source operand to a double-precision FP value in the low quadword
of the destination operand. The upper quadword is left unchanged.
The destination operand is an XMM register.
The source can be either an XMM register or a
32-bit memory location. If the source is a register, the input value is
contained in the low doubleword.
For more details of this instruction, see the Intel Processor manuals.
CVTSS2SI converts a single-precision FP value
from the source operand to a signed doubleword in the destination operand.
The destination operand is a general purpose register. The source can be
either an XMM register or a 32-bit memory
location. If the source is a register, the input value is in the low
doubleword.
For more details of this instruction, see the Intel Processor manuals.
CVTTPD2DQ converts two packed double-precision
FP values in the source operand to two packed single-precision FP values in
the destination operand. If the result is inexact, it is truncated (rounded
toward zero). The high quadword is set to all 0s.
The destination operand is an XMM register.
The source can be either an XMM register or a
128-bit memory location.
For more details of this instruction, see the Intel Processor manuals.
CVTTPD2PI converts two packed double-precision
FP values in the source operand to two packed single-precision FP values in
the destination operand. If the result is inexact, it is truncated (rounded
toward zero).
The destination operand is an MMX register.
The source can be either an XMM register or a
128-bit memory location.
For more details of this instruction, see the Intel Processor manuals.
CVTTPS2DQ converts four packed
single-precision FP values in the source operand to four packed signed
doublewords in the destination operand. If the result is inexact, it is
truncated (rounded toward zero).
The destination operand is an XMM register.
The source can be either an XMM register or a
128-bit memory location.
For more details of this instruction, see the Intel Processor manuals.
CVTTPS2PI converts two packed single-precision
FP values in the source operand to two packed signed doublewords in the
destination operand. If the result is inexact, it is truncated (rounded
toward zero). If the source is a register, the input values are in the low
quadword.
The destination operand is an MMX register.
The source can be either an XMM register or a
64-bit memory location. If the source is a register, the input value is in
the low quadword.
For more details of this instruction, see the Intel Processor manuals.
CVTTSD2SI converts a double-precision FP value
in the source operand to a signed doubleword in the destination operand. If
the result is inexact, it is truncated (rounded toward zero).
The destination operand is a general purpose register. The source can be
either an XMM register or a 64-bit memory
location. If the source is a register, the input value is in the low
quadword.
For more details of this instruction, see the Intel Processor manuals.
CVTTSS2SI converts a single-precision FP value
in the source operand to a signed doubleword in the destination operand. If
the result is inexact, it is truncated (rounded toward zero).
The destination operand is a general purpose register. The source can be
either an XMM register or a 32-bit memory
location. If the source is a register, the input value is in the low
doubleword.
For more details of this instruction, see the Intel Processor manuals.
These instructions are used in conjunction with the add and subtract
instructions to perform binary-coded decimal arithmetic in packed
(one BCD digit per nibble) form. For the unpacked equivalents, see
section B.4.1.
DAA should be used after a one-byte
ADD instruction whose destination was the
AL register: by means of examining the value in
the AL and also the auxiliary carry flag
AF, it determines whether either digit of the
addition has overflowed, and adjusts it (and sets the carry and
auxiliary-carry flags) if so. You can add long BCD strings together by
doing ADD/DAA on the
low two digits, then doing
ADC/DAA on each
subsequent pair of digits.
DAS works similarly to
DAA, but is for use after
SUB instructions rather than
ADD.
DEC reg16 ; o16 48+r [8086]
DEC reg32 ; o32 48+r [386]
DEC r/m8 ; FE /1 [8086]
DEC r/m16 ; o16 FF /1 [8086]
DEC r/m32 ; o32 FF /1 [386]
DEC subtracts 1 from its operand. It does
not affect the carry flag: to affect the carry flag, use
SUB something,1 (see
section B.4.305).
DEC affects all the other flags according to the
result.
This instruction can be used with a LOCK
prefix to allow atomic execution.
DIV r/m8 ; F6 /6 [8086]
DIV r/m16 ; o16 F7 /6 [8086]
DIV r/m32 ; o32 F7 /6 [386]
DIV performs unsigned integer division. The
explicit operand provided is the divisor; the dividend and destination
operands are implicit, in the following way:
For DIV r/m8, AX is
divided by the given operand; the quotient is stored in
AL and the remainder in
AH.
For DIV r/m16,
DX:AX is divided by the given operand; the
quotient is stored in AX and the remainder in
DX.
For DIV r/m32,
EDX:EAX is divided by the given operand; the
quotient is stored in EAX and the remainder in
EDX.
Signed integer division is performed by the
IDIV instruction: see
section B.4.117.
DIVPD xmm1,xmm2/mem128 ; 66 0F 5E /r [WILLAMETTE,SSE2]
DIVPD divides the two packed double-precision
FP values in the destination operand by the two packed double-precision FP
values in the source operand, and stores the packed double-precision
results in the destination register.
The destination is an XMM register. The source
operand can be either an XMM register or a
128-bit memory location.
DIVPS divides the four packed single-precision
FP values in the destination operand by the four packed single-precision FP
values in the source operand, and stores the packed single-precision
results in the destination register.
The destination is an XMM register. The source
operand can be either an XMM register or a
128-bit memory location.
DIVSD xmm1,xmm2/mem64 ; F2 0F 5E /r [WILLAMETTE,SSE2]
DIVSD divides the low-order double-precision
FP value in the destination operand by the low-order double-precision FP
value in the source operand, and stores the double-precision result in the
destination register.
The destination is an XMM register. The source
operand can be either an XMM register or a 64-bit
memory location.
DIVSS divides the low-order single-precision
FP value in the destination operand by the low-order single-precision FP
value in the source operand, and stores the single-precision result in the
destination register.
The destination is an XMM register. The source
operand can be either an XMM register or a 32-bit
memory location.
EMMS sets the FPU tag word (marking which
floating-point registers are available) to all ones, meaning all registers
are available for the FPU to use. It should be used after executing
MMX instructions and before executing any
subsequent floating-point operations.
ENTER constructs a
stack frame for a high-level language procedure
call. The first operand (the iw in the opcode
definition above refers to the first operand) gives the amount of stack
space to allocate for local variables; the second (the
ib above) gives the nesting level of the
procedure (for languages like Pascal, with nested procedures).
The function of ENTER, with a nesting level of
zero, is equivalent to
PUSH EBP ; or PUSH BP in 16 bits
MOV EBP,ESP ; or MOV BP,SP in 16 bits
SUB ESP,operand1 ; or SUB SP,operand1 in 16 bits
This creates a stack frame with the procedure parameters accessible
upwards from EBP, and local variables accessible
downwards from EBP.
With a nesting level of one, the stack frame created is 4 (or 2) bytes
bigger, and the value of the final frame pointer
EBP is accessible in memory at
[EBP-4].
This allows ENTER, when called with a nesting
level of two, to look at the stack frame described by the previous
value of EBP, find the frame pointer at offset -4
from that, and push it along with its new frame pointer, so that when a
level-two procedure is called from within a level-one procedure,
[EBP-4] holds the frame pointer of the most
recent level-one procedure call and [EBP-8] holds
that of the most recent level-two call. And so on, for nesting levels up to
31.
Stack frames created by ENTER can be destroyed
by the LEAVE instruction: see
section B.4.136.
F2XM1 raises 2 to the power of
ST0, subtracts one, and stores the result back
into ST0. The initial contents of
ST0 must be a number in the range -1.0 to +1.0.
FADD TO fpureg ; DC C0+r [8086,FPU]
FADD fpureg,ST0 ; DC C0+r [8086,FPU]
FADDP fpureg ; DE C0+r [8086,FPU]
FADDP fpureg,ST0 ; DE C0+r [8086,FPU]
FADD, given one operand, adds the operand to
ST0 and stores the result back in
ST0. If the operand has the
TO modifier, the result is stored in the register
given rather than in ST0.
FADDP performs the same function as
FADD TO, but pops the register stack after
storing the result.
The given two-operand forms are synonyms for the one-operand forms.
To add an integer value to ST0, use the
c{FIADD} instruction (section B.4.80)
FBLD loads an 80-bit (ten-byte) packed
binary-coded decimal number from the given memory address, converts it to a
real, and pushes it on the register stack. FBSTP
stores the value of ST0, in packed BCD, at the
given address and then pops the register stack.
FCLEX ; 9B DB E2 [8086,FPU]
FNCLEX ; DB E2 [8086,FPU]
FCLEX clears any floating-point exceptions
which may be pending. FNCLEX does the same thing
but doesn't wait for previous floating-point operations (including the
handling of pending exceptions) to finish first.
FCMOVB fpureg ; DA C0+r [P6,FPU]
FCMOVB ST0,fpureg ; DA C0+r [P6,FPU]
FCMOVE fpureg ; DA C8+r [P6,FPU]
FCMOVE ST0,fpureg ; DA C8+r [P6,FPU]
FCMOVBE fpureg ; DA D0+r [P6,FPU]
FCMOVBE ST0,fpureg ; DA D0+r [P6,FPU]
FCMOVU fpureg ; DA D8+r [P6,FPU]
FCMOVU ST0,fpureg ; DA D8+r [P6,FPU]
FCMOVNB fpureg ; DB C0+r [P6,FPU]
FCMOVNB ST0,fpureg ; DB C0+r [P6,FPU]
FCMOVNE fpureg ; DB C8+r [P6,FPU]
FCMOVNE ST0,fpureg ; DB C8+r [P6,FPU]
FCMOVNBE fpureg ; DB D0+r [P6,FPU]
FCMOVNBE ST0,fpureg ; DB D0+r [P6,FPU]
FCMOVNU fpureg ; DB D8+r [P6,FPU]
FCMOVNU ST0,fpureg ; DB D8+r [P6,FPU]
The FCMOV instructions perform conditional
move operations: each of them moves the contents of the given register into
ST0 if its condition is satisfied, and does
nothing if not.
The conditions are not the same as the standard condition codes used
with conditional jump instructions. The conditions
B, BE,
NB, NBE,
E and NE are exactly as
normal, but none of the other standard ones are supported. Instead, the
condition U and its counterpart
NU are provided; the U
condition is satisfied if the last two floating-point numbers compared were
unordered, i.e. they were not equal but neither one could be said
to be greater than the other, for example if they were NaNs. (The flag
state which signals this is the setting of the parity flag: so the
U condition is notionally equivalent to
PE, and NU is
equivalent to PO.)
The FCMOV conditions test the main processor's
status flags, not the FPU status flags, so using
FCMOV directly after
FCOM will not work. Instead, you should either
use FCOMI which writes directly to the main CPU
flags word, or use FSTSW to extract the FPU
flags.
Although the FCMOV instructions are flagged
P6 above, they may not be supported by all
Pentium Pro processors; the CPUID instruction
(section B.4.34) will return a bit which
indicates whether conditional moves are supported.
FCOM compares ST0
with the given operand, and sets the FPU flags accordingly.
ST0 is treated as the left-hand side of the
comparison, so that the carry flag is set (for a `less-than' result) if
ST0 is less than the given operand.
FCOMP does the same as
FCOM, but pops the register stack afterwards.
FCOMPP compares ST0
with ST1 and then pops the register stack twice.
FCOMI and FCOMIP
work like the corresponding forms of FCOM and
FCOMP, but write their results directly to the
CPU flags register rather than the FPU status word, so they can be
immediately followed by conditional jump or conditional move instructions.
The FCOM instructions differ from the
FUCOM instructions
(section B.4.108) only in the way they
handle quiet NaNs: FUCOM will handle them
silently and set the condition code flags to an `unordered' result, whereas
FCOM will generate an exception.
FDECSTP decrements the `top' field in the
floating-point status word. This has the effect of rotating the FPU
register stack by one, as if the contents of ST7
had been pushed on the stack. See also FINCSTP
(section B.4.85).
FDISI ; 9B DB E1 [8086,FPU]
FNDISI ; DB E1 [8086,FPU]
FENI ; 9B DB E0 [8086,FPU]
FNENI ; DB E0 [8086,FPU]
FDISI and FENI
disable and enable floating-point interrupts. These instructions are only
meaningful on original 8087 processors: the 287 and above treat them as
no-operation instructions.
FNDISI and FNENI do
the same thing as FDISI and
FENI respectively, but without waiting for the
floating-point processor to finish what it was doing first.
FDIVR TO fpureg ; DC F0+r [8086,FPU]
FDIVR fpureg,ST0 ; DC F0+r [8086,FPU]
FDIVP fpureg ; DE F8+r [8086,FPU]
FDIVP fpureg,ST0 ; DE F8+r [8086,FPU]
FDIVRP fpureg ; DE F0+r [8086,FPU]
FDIVRP fpureg,ST0 ; DE F0+r [8086,FPU]
FDIV divides ST0 by
the given operand and stores the result back in
ST0, unless the TO
qualifier is given, in which case it divides the given operand by
ST0 and stores the result in the operand.
FDIVR does the same thing, but does the
division the other way up: so if TO is not given,
it divides the given operand by ST0 and stores
the result in ST0, whereas if
TO is given it divides
ST0 by its operand and stores the result in the
operand.
FDIVP operates like
FDIV TO, but pops the register stack once it has
finished.
FDIVRP operates like
FDIVR TO, but pops the register stack once it has
finished.
FEMMS can be used in place of the
EMMS instruction on processors which support the
3DNow! instruction set. Following execution of
FEMMS, the state of the
MMX/FP registers is undefined, and this allows a
faster context switch between FP and
MMX instructions. The
FEMMS instruction can also be used
before executing MMX instructions
FICOM mem16 ; DE /2 [8086,FPU]
FICOM mem32 ; DA /2 [8086,FPU]
FICOMP mem16 ; DE /3 [8086,FPU]
FICOMP mem32 ; DA /3 [8086,FPU]
FICOM compares ST0
with the 16-bit or 32-bit integer stored in the given memory location, and
sets the FPU flags accordingly. FICOMP does the
same, but pops the register stack afterwards.
FIDIV mem16 ; DE /6 [8086,FPU]
FIDIV mem32 ; DA /6 [8086,FPU]
FIDIVR mem16 ; DE /7 [8086,FPU]
FIDIVR mem32 ; DA /7 [8086,FPU]
FIDIV divides ST0 by
the 16-bit or 32-bit integer stored in the given memory location, and
stores the result in ST0.
FIDIVR does the division the other way up: it
divides the integer by ST0, but still stores the
result in ST0.
FILD loads an integer out of a memory
location, converts it to a real, and pushes it on the FPU register stack.
FIST converts ST0 to an
integer and stores that in memory; FISTP does the
same as FIST, but pops the register stack
afterwards.
FINCSTP increments the `top' field in the
floating-point status word. This has the effect of rotating the FPU
register stack by one, as if the register stack had been popped; however,
unlike the popping of the stack performed by many FPU instructions, it does
not flag the new ST7 (previously
ST0) as empty. See also
FDECSTP (section
B.4.75).
FINIT ; 9B DB E3 [8086,FPU]
FNINIT ; DB E3 [8086,FPU]
FINIT initialises the FPU to its default
state. It flags all registers as empty, without actually change their
values, clears the top of stack pointer. FNINIT
does the same, without first waiting for pending exceptions to clear.
FISUB mem16 ; DE /4 [8086,FPU]
FISUB mem32 ; DA /4 [8086,FPU]
FISUBR mem16 ; DE /5 [8086,FPU]
FISUBR mem32 ; DA /5 [8086,FPU]
FISUB subtracts the 16-bit or 32-bit integer
stored in the given memory location from ST0, and
stores the result in ST0.
FISUBR does the subtraction the other way round,
i.e. it subtracts ST0 from the given integer, but
still stores the result in ST0.
FLDCW loads a 16-bit value out of memory and
stores it into the FPU control word (governing things like the rounding
mode, the precision, and the exception masks). See also
FSTCW (section
B.4.103). If exceptions are enabled and you don't want to generate one,
use FCLEX or FNCLEX
(section B.4.71) before loading the new
control word.
FLDENV loads the FPU operating environment
(control word, status word, tag word, instruction pointer, data pointer and
last opcode) from memory. The memory area is 14 or 28 bytes long, depending
on the CPU mode at the time. See also FSTENV
(section B.4.104).
FMUL TO fpureg ; DC C8+r [8086,FPU]
FMUL fpureg,ST0 ; DC C8+r [8086,FPU]
FMULP fpureg ; DE C8+r [8086,FPU]
FMULP fpureg,ST0 ; DE C8+r [8086,FPU]
FMUL multiplies ST0
by the given operand, and stores the result in
ST0, unless the TO
qualifier is used in which case it stores the result in the operand.
FMULP performs the same operation as
FMUL TO, and then pops the register stack.
FPATAN computes the arctangent, in radians, of
the result of dividing ST1 by
ST0, stores the result in
ST1, and pops the register stack. It works like
the C atan2 function, in that changing the sign
of both ST0 and ST1
changes the output value by pi (so it performs true rectangular-to-polar
coordinate conversion, with ST1 being the Y
coordinate and ST0 being the X coordinate, not
merely an arctangent).
FPTAN computes the tangent of the value in
ST0 (in radians), and stores the result back into
ST0.
The absolute value of ST0 must be less than
2**63.
These instructions both produce the remainder obtained by dividing
ST0 by ST1. This is
calculated, notionally, by dividing ST0 by
ST1, rounding the result to an integer,
multiplying by ST1 again, and computing the value
which would need to be added back on to the result to get back to the
original value in ST0.
The two instructions differ in the way the notional round-to-integer
operation is performed. FPREM does it by rounding
towards zero, so that the remainder it returns always has the same sign as
the original value in ST0;
FPREM1 does it by rounding to the nearest
integer, so that the remainder always has at most half the magnitude of
ST1.
Both instructions calculate partial remainders, meaning that
they may not manage to provide the final result, but might leave
intermediate results in ST0 instead. If this
happens, they will set the C2 flag in the FPU status word; therefore, to
calculate a remainder, you should repeatedly execute
FPREM or FPREM1 until
C2 becomes clear.
FRNDINT rounds the contents of
ST0 to an integer, according to the current
rounding mode set in the FPU control word, and stores the result back in
ST0.
FSAVE mem ; 9B DD /6 [8086,FPU]
FNSAVE mem ; DD /6 [8086,FPU]
FRSTOR mem ; DD /4 [8086,FPU]
FSAVE saves the entire floating-point unit
state, including all the information saved by
FSTENV (section
B.4.104) plus the contents of all the registers, to a 94 or 108 byte
area of memory (depending on the CPU mode).
FRSTOR restores the floating-point state from the
same area of memory.
FNSAVE does the same as
FSAVE, without first waiting for pending
floating-point exceptions to clear.
FSCALE scales a number by a power of two: it
rounds ST1 towards zero to obtain an integer,
then multiplies ST0 by two to the power of that
integer, and stores the result in ST0.
This instruction initialises protected mode on the 287 floating-point
coprocessor. It is only meaningful on that processor: the 387 and above
treat the instruction as a no-operation.
FSIN calculates the sine of
ST0 (in radians) and stores the result in
ST0. FSINCOS does the
same, but then pushes the cosine of the same value on the register stack,
so that the sine ends up in ST1 and the cosine in
ST0. FSINCOS is faster
than executing FSIN and
FCOS (see section
B.4.74) in succession.
The absolute value of ST0 must be less than
2**63.
FSTCW stores the FPU
control word (governing things like the rounding mode, the precision, and
the exception masks) into a 2-byte memory area. See also
FLDCW (section
B.4.90).
FNSTCW does the same thing as
FSTCW, without first waiting for pending
floating-point exceptions to clear.
FSTENV mem ; 9B D9 /6 [8086,FPU]
FNSTENV mem ; D9 /6 [8086,FPU]
FSTENV stores the
FPU operating environment (control word, status
word, tag word, instruction pointer, data pointer and last opcode) into
memory. The memory area is 14 or 28 bytes long, depending on the CPU mode
at the time. See also FLDENV
(section B.4.91).
FNSTENV does the same thing as
FSTENV, without first waiting for pending
floating-point exceptions to clear.
FSUBR TO fpureg ; DC E0+r [8086,FPU]
FSUBR fpureg,ST0 ; DC E0+r [8086,FPU]
FSUBP fpureg ; DE E8+r [8086,FPU]
FSUBP fpureg,ST0 ; DE E8+r [8086,FPU]
FSUBRP fpureg ; DE E0+r [8086,FPU]
FSUBRP fpureg,ST0 ; DE E0+r [8086,FPU]
FSUB subtracts the given operand from
ST0 and stores the result back in
ST0, unless the TO
qualifier is given, in which case it subtracts
ST0 from the given operand and stores the result
in the operand.
FSUBR does the same thing, but does the
subtraction the other way up: so if TO is not
given, it subtracts ST0 from the given operand
and stores the result in ST0, whereas if
TO is given it subtracts its operand from
ST0 and stores the result in the operand.
FSUBP operates like
FSUB TO, but pops the register stack once it has
finished.
FSUBRP operates like
FSUBR TO, but pops the register stack once it has
finished.
FTST compares ST0
with zero and sets the FPU flags accordingly. ST0
is treated as the left-hand side of the comparison, so that a `less-than'
result is generated if ST0 is negative.
FUCOM compares ST0
with the given operand, and sets the FPU flags accordingly.
ST0 is treated as the left-hand side of the
comparison, so that the carry flag is set (for a `less-than' result) if
ST0 is less than the given operand.
FUCOMP does the same as
FUCOM, but pops the register stack afterwards.
FUCOMPP compares ST0
with ST1 and then pops the register stack twice.
FUCOMI and FUCOMIP
work like the corresponding forms of FUCOM and
FUCOMP, but write their results directly to the
CPU flags register rather than the FPU status word, so they can be
immediately followed by conditional jump or conditional move instructions.
The FUCOM instructions differ from the
FCOM instructions
(section B.4.73) only in the way they handle
quiet NaNs: FUCOM will handle them silently and
set the condition code flags to an `unordered' result, whereas
FCOM will generate an exception.
The FXRSTOR instruction reloads the
FPU, MMX and
SSE state (environment and registers), from the
512 byte memory area defined by the source operand. This data should have
been written by a previous FXSAVE.
FXSAVEThe FXSAVE instruction writes the
current FPU, MMX and
SSE technology states (environment and
registers), to the 512 byte memory area defined by the destination operand.
It does this without checking for pending unmasked floating-point
exceptions (similar to the operation of FNSAVE).
Unlike the FSAVE/FNSAVE instructions, the
processor retains the contents of the FPU,
MMX and SSE state in
the processor after the state has been saved. This instruction has been
optimised to maximize floating-point save performance.
FXTRACT separates the number in
ST0 into its exponent and significand (mantissa),
stores the exponent back into ST0, and then
pushes the significand on the register stack (so that the significand ends
up in ST0, and the exponent in
ST1).
FYL2X ; D9 F1 [8086,FPU]
FYL2XP1 ; D9 F9 [8086,FPU]
FYL2X multiplies ST1
by the base-2 logarithm of ST0, stores the result
in ST1, and pops the register stack (so that the
result ends up in ST0).
ST0 must be non-zero and positive.
FYL2XP1 works the same way, but replacing the
base-2 log of ST0 with that of
ST0 plus one. This time,
ST0 must have magnitude no greater than 1 minus
half the square root of two.
Writes a bit string from the source operand to the destination.
CL indicates the number of bits to be copied,
from the low bits of the source. (E)AX indicates
the low order bit offset in the destination that is written to. For
example, if CL is set to 4 and
AX (for 16-bit code) is set to 5, bits 0-3 of
src will be copied to bits 5-8 of
dst. This instruction is very poorly documented,
and I have been unable to find any official source of documentation on it.
IBTS is supported only on the early Intel
386s, and conflicts with the opcodes for
CMPXCHG486 (on early Intel 486s). NASM supports
it only for completeness. Its counterpart is XBTS
(see section B.4.332).
IDIV performs signed integer division. The
explicit operand provided is the divisor; the dividend and destination
operands are implicit, in the following way:
For IDIV r/m8, AX
is divided by the given operand; the quotient is stored in
AL and the remainder in
AH.
For IDIV r/m16,
DX:AX is divided by the given operand; the
quotient is stored in AX and the remainder in
DX.
For IDIV r/m32,
EDX:EAX is divided by the given operand; the
quotient is stored in EAX and the remainder in
EDX.
Unsigned integer division is performed by the
DIV instruction: see
section B.4.59.
IMUL performs signed integer multiplication.
For the single-operand form, the other operand and destination are
implicit, in the following way:
For IMUL r/m8, AL
is multiplied by the given operand; the product is stored in
AX.
For IMUL r/m16, AX
is multiplied by the given operand; the product is stored in
DX:AX.
For IMUL r/m32, EAX
is multiplied by the given operand; the product is stored in
EDX:EAX.
The two-operand form multiplies its two operands and stores the result
in the destination (first) operand. The three-operand form multiplies its
last two operands and stores the result in the first operand.
The two-operand form with an immediate second operand is in fact a
shorthand for the three-operand form, as can be seen by examining the
opcode descriptions: in the two-operand form, the code
/r takes both its register and
r/m parts from the same operand (the first one).
In the forms with an 8-bit immediate operand and another longer source
operand, the immediate operand is considered to be signed, and is
sign-extended to the length of the other source operand. In these cases,
the BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
Unsigned integer multiplication is performed by the
MUL instruction: see
section B.4.184.
IN AL,imm8 ; E4 ib [8086]
IN AX,imm8 ; o16 E5 ib [8086]
IN EAX,imm8 ; o32 E5 ib [386]
IN AL,DX ; EC [8086]
IN AX,DX ; o16 ED [8086]
IN EAX,DX ; o32 ED [386]
IN reads a byte, word or doubleword from the
specified I/O port, and stores it in the given destination register. The
port number may be specified as an immediate value if it is between 0 and
255, and otherwise must be stored in DX. See also
OUT (section
B.4.194).
INC adds 1 to its operand. It does
not affect the carry flag: to affect the carry flag, use
ADD something,1 (see
section B.4.3). INC
affects all the other flags according to the result.
This instruction can be used with a LOCK
prefix to allow atomic execution.
INSB inputs a byte from the I/O port specified
in DX and stores it at
[ES:DI] or [ES:EDI]. It
then increments or decrements (depending on the direction flag: increments
if the flag is clear, decrements if it is set) DI
or EDI.
The register used is DI if the address size is
16 bits, and EDI if it is 32 bits. If you need to
use an address size not equal to the current BITS
setting, you can use an explicit a16 or
a32 prefix.
Segment override prefixes have no effect for this instruction: the use
of ES for the load from
[DI] or [EDI] cannot be
overridden.
INSW and INSD work
in the same way, but they input a word or a doubleword instead of a byte,
and increment or decrement the addressing register by 2 or 4 instead of 1.
The REP prefix may be used to repeat the
instruction CX (or ECX
- again, the address size chooses which) times.
INT causes a software interrupt through a
specified vector number from 0 to 255.
The code generated by the INT instruction is
always two bytes long: although there are short forms for some
INT instructions, NASM does not generate them
when it sees the INT mnemonic. In order to
generate single-byte breakpoint instructions, use the
INT3 or INT1
instructions (see section B.4.123) instead.
INT1 and INT3 are
short one-byte forms of the instructions INT 1
and INT 3 (see section
B.4.122). They perform a similar function to their longer counterparts,
but take up less code space. They are used as breakpoints by debuggers.
INT1, and its alternative synonyms
INT01 and ICEBP, is an
instruction used by in-circuit emulators (ICEs). It is present, though not
documented, on some processors down to the 286, but is only documented for
the Pentium Pro. INT3 is the instruction normally
used as a breakpoint by debuggers.
INT3, and its synonym
INT03, is not precisely equivalent to
INT 3: the short form, since it is designed to be
used as a breakpoint, bypasses the normal IOPL
checks in virtual-8086 mode, and also does not go through interrupt
redirection.
INVD invalidates and empties the processor's
internal caches, and causes the processor to instruct external caches to do
the same. It does not write the contents of the caches back to memory
first: any modified data held in the caches will be lost. To write the data
back first, use WBINVD
(section B.4.328).
IRET returns from an interrupt (hardware or
software) by means of popping IP (or
EIP), CS and the flags
off the stack and then continuing execution from the new
CS:IP.
IRETW pops IP,
CS and the flags as 2 bytes each, taking 6 bytes
off the stack in total. IRETD pops
EIP as 4 bytes, pops a further 4 bytes of which
the top two are discarded and the bottom two go into
CS, and pops the flags as 4 bytes as well, taking
12 bytes off the stack.
IRET is a shorthand for either
IRETW or IRETD,
depending on the default BITS setting at the
time.
The conditional jump instructions execute a near (same segment) jump if
and only if their conditions are satisfied. For example,
JNZ jumps only if the zero flag is not set.
The ordinary form of the instructions has only a 128-byte range; the
NEAR form is a 386 extension to the instruction
set, and can span the full size of a segment. NASM will not override your
choice of jump instruction: if you want Jcc NEAR,
you have to use the NEAR keyword.
The SHORT keyword is allowed on the first form
of the instruction, for clarity, but is not necessary.
For details of the condition codes, see section
B.2.2.
JCXZ performs a short jump (with maximum range
128 bytes) if and only if the contents of the CX
register is 0. JECXZ does the same thing, but
with ECX.
JMP imm ; E9 rw/rd [8086]
JMP SHORT imm ; EB rb [8086]
JMP imm:imm16 ; o16 EA iw iw [8086]
JMP imm:imm32 ; o32 EA id iw [386]
JMP FAR mem ; o16 FF /5 [8086]
JMP FAR mem32 ; o32 FF /5 [386]
JMP r/m16 ; o16 FF /4 [8086]
JMP r/m32 ; o32 FF /4 [386]
JMP jumps to a given address. The address may
be specified as an absolute segment and offset, or as a relative jump
within the current segment.
JMP SHORT imm has a maximum range of 128
bytes, since the displacement is specified as only 8 bits, but takes up
less code space. NASM does not choose when to generate
JMP SHORT for you: you must explicitly code
SHORT every time you want a short jump.
You can choose between the two immediate far jump forms
(JMP imm:imm) by the use of the
WORD and DWORD
keywords: JMP WORD 0x1234:0x5678) or
JMP DWORD 0x1234:0x56789abc.
The JMP FAR mem forms execute a far jump by
loading the destination address out of memory. The address loaded consists
of 16 or 32 bits of offset (depending on the operand size), and 16 bits of
segment. The operand size may be overridden using
JMP WORD FAR mem or
JMP DWORD FAR mem.
The JMP r/m forms execute a near jump (within
the same segment), loading the destination address out of memory or out of
a register. The keyword NEAR may be specified,
for clarity, in these forms, but is not necessary. Again, operand size can
be overridden using JMP WORD mem or
JMP DWORD mem.
As a convenience, NASM does not require you to jump to a far symbol by
coding the cumbersome JMP SEG routine:routine,
but instead allows the easier synonym
JMP FAR routine.
The CALL r/m forms given above are near calls;
NASM will accept the NEAR keyword (e.g.
CALL NEAR [address]), even though it is not
strictly necessary.
LAR reg16,r/m16 ; o16 0F 02 /r [286,PRIV]
LAR reg32,r/m32 ; o32 0F 02 /r [286,PRIV]
LAR takes the segment selector specified by
its source (second) operand, finds the corresponding segment descriptor in
the GDT or LDT, and loads the access-rights byte of the descriptor into its
destination (first) operand.
LDMXCSR loads 32-bits of data from the
specified memory location into the MXCSR
control/status register. MXCSR is used to enable
masked/unmasked exception handling, to set rounding modes, to set
flush-to-zero mode, and to view exception status flags.
For details of the MXCSR register, see the
Intel processor docs.
These instructions load an entire far pointer (16 or 32 bits of offset,
plus 16 bits of segment) out of memory in one go.
LDS, for example, loads 16 or 32 bits from the
given memory address into the given register (depending on the size of the
register), then loads the next 16 bits from memory into
DS. LES,
LFS, LGS and
LSS work in the same way but use the other
segment registers.
LEA, despite its syntax, does not access
memory. It calculates the effective address specified by its second operand
as if it were going to load or store data from it, but instead it stores
the calculated address into the register specified by its first operand.
This can be used to perform quite complex calculations (e.g.
LEA EAX,[EBX+ECX*4+100]) in one instruction.
LEA, despite being a purely arithmetic
instruction which accesses no memory, still requires square brackets around
its second operand, as if it were a memory reference.
The size of the calculation is the current address size, and
the size that the result is stored as is the current operand size.
If the address and operand size are not the same, then if the addressing
mode was 32-bits, the low 16-bits are stored, and if the address was
16-bits, it is zero-extended to 32-bits before storing.
LEAVE destroys a stack frame of the form
created by the ENTER instruction (see
section B.4.65). It is functionally
equivalent to MOV ESP,EBP followed by
POP EBP (or MOV SP,BP
followed by POP BP in 16-bit mode).
LFENCE performs a serialising operation on all
loads from memory that were issued before the
LFENCE instruction. This guarantees that all
memory reads before the LFENCE instruction are
visible before any reads after the LFENCE
instruction.
LFENCE is ordered respective to other
LFENCE instruction,
MFENCE, any memory read and any other serialising
instruction (such as CPUID).
Weakly ordered memory types can be used to achieve higher processor
performance through such techniques as out-of-order issue and speculative
reads. The degree to which a consumer of data recognizes or knows that the
data is weakly ordered varies among applications and may be unknown to the
producer of this data. The LFENCE instruction
provides a performance-efficient way of ensuring load ordering between
routines that produce weakly-ordered results and routines that consume that
data.
LGDT mem ; 0F 01 /2 [286,PRIV]
LIDT mem ; 0F 01 /3 [286,PRIV]
LLDT r/m16 ; 0F 00 /2 [286,PRIV]
LGDT and LIDT both
take a 6-byte memory area as an operand: they load a 32-bit linear address
and a 16-bit size limit from that area (in the opposite order) into the
GDTR (global descriptor table register) or
IDTR (interrupt descriptor table register). These
are the only instructions which directly use linear addresses,
rather than segment/offset pairs.
LLDT takes a segment selector as an operand.
The processor looks up that selector in the GDT and stores the limit and
base address given there into the LDTR (local
descriptor table register).
LMSW loads the bottom four bits of the source
operand into the bottom four bits of the CR0
control register (or the Machine Status Word, on 286 processors). See also
SMSW (section
B.4.296).
This instruction, in its two different-opcode forms, is apparently
supported on most 286 processors, some 386 and possibly some 486. The
opcode differs between the 286 and the 386.
The function of the instruction is to load all information relating to
the state of the processor out of a block of memory: on the 286, this block
is located implicitly at absolute address 0x800,
and on the 386 and 486 it is at [ES:EDI].
LODSB ; AC [8086]
LODSW ; o16 AD [8086]
LODSD ; o32 AD [386]
LODSB loads a byte from
[DS:SI] or [DS:ESI]
into AL. It then increments or decrements
(depending on the direction flag: increments if the flag is clear,
decrements if it is set) SI or
ESI.
The register used is SI if the address size is
16 bits, and ESI if it is 32 bits. If you need to
use an address size not equal to the current BITS
setting, you can use an explicit a16 or
a32 prefix.
The segment register used to load from [SI] or
[ESI] can be overridden by using a segment
register name as a prefix (for example,
ES LODSB).
LODSW and LODSD work
in the same way, but they load a word or a doubleword instead of a byte,
and increment or decrement the addressing registers by 2 or 4 instead of 1.
LOOP decrements its counter register (either
CX or ECX - if one is
not specified explicitly, the BITS setting
dictates which is used) by one, and if the counter does not become zero as
a result of this operation, it jumps to the given label. The jump has a
range of 128 bytes.
LOOPE (or its synonym
LOOPZ) adds the additional condition that it only
jumps if the counter is nonzero and the zero flag is set.
Similarly, LOOPNE (and
LOOPNZ) jumps only if the counter is nonzero and
the zero flag is clear.
LSL is given a segment selector in its source
(second) operand; it computes the segment limit value by loading the
segment limit field from the associated segment descriptor in the
GDT or LDT. (This
involves shifting left by 12 bits if the segment limit is page-granular,
and not if it is byte-granular; so you end up with a byte limit in either
case.) The segment limit obtained is then loaded into the destination
(first) operand.
LTR looks up the segment base and limit in the
GDT or LDT descriptor specified by the segment selector given as its
operand, and loads them into the Task Register.
MASKMOVDQU stores data from xmm1 to the
location specified by ES:(E)DI. The size of the
store depends on the address-size attribute. The most significant bit in
each byte of the mask register xmm2 is used to selectively write the data
(0 = no write, 1 = write) on a per-byte basis.
MASKMOVQ stores data from mm1 to the location
specified by ES:(E)DI. The size of the store
depends on the address-size attribute. The most significant bit in each
byte of the mask register mm2 is used to selectively write the data (0 = no
write, 1 = write) on a per-byte basis.
MAXPD performs a SIMD compare of the packed
double-precision FP numbers from xmm1 and xmm2/mem, and stores the maximum
values of each pair of values in xmm1. If the values being compared are
both zeroes, source2 (xmm2/m128) would be returned. If source2 (xmm2/m128)
is an SNaN, this SNaN is forwarded unchanged to the destination (i.e., a
QNaN version of the SNaN is not returned).
MAXPS performs a SIMD compare of the packed
single-precision FP numbers from xmm1 and xmm2/mem, and stores the maximum
values of each pair of values in xmm1. If the values being compared are
both zeroes, source2 (xmm2/m128) would be returned. If source2 (xmm2/m128)
is an SNaN, this SNaN is forwarded unchanged to the destination (i.e., a
QNaN version of the SNaN is not returned).
MAXSD compares the low-order double-precision
FP numbers from xmm1 and xmm2/mem, and stores the maximum value in xmm1. If
the values being compared are both zeroes, source2 (xmm2/m64) would be
returned. If source2 (xmm2/m64) is an SNaN, this SNaN is forwarded
unchanged to the destination (i.e., a QNaN version of the SNaN is not
returned). The high quadword of the destination is left unchanged.
MAXSS compares the low-order single-precision
FP numbers from xmm1 and xmm2/mem, and stores the maximum value in xmm1. If
the values being compared are both zeroes, source2 (xmm2/m32) would be
returned. If source2 (xmm2/m32) is an SNaN, this SNaN is forwarded
unchanged to the destination (i.e., a QNaN version of the SNaN is not
returned). The high three doublewords of the destination are left
unchanged.
MFENCE performs a serialising operation on all
loads from memory and writes to memory that were issued before the
MFENCE instruction. This guarantees that all
memory reads and writes before the MFENCE
instruction are completed before any reads and writes after the
MFENCE instruction.
MFENCE is ordered respective to other
MFENCE instructions,
LFENCE, SFENCE, any
memory read and any other serialising instruction (such as
CPUID).
Weakly ordered memory types can be used to achieve higher processor
performance through such techniques as out-of-order issue, speculative
reads, write-combining, and write-collapsing. The degree to which a
consumer of data recognizes or knows that the data is weakly ordered varies
among applications and may be unknown to the producer of this data. The
MFENCE instruction provides a
performance-efficient way of ensuring load and store ordering between
routines that produce weakly-ordered results and routines that consume that
data.
MINPD performs a SIMD compare of the packed
double-precision FP numbers from xmm1 and xmm2/mem, and stores the minimum
values of each pair of values in xmm1. If the values being compared are
both zeroes, source2 (xmm2/m128) would be returned. If source2 (xmm2/m128)
is an SNaN, this SNaN is forwarded unchanged to the destination (i.e., a
QNaN version of the SNaN is not returned).
MINPS performs a SIMD compare of the packed
single-precision FP numbers from xmm1 and xmm2/mem, and stores the minimum
values of each pair of values in xmm1. If the values being compared are
both zeroes, source2 (xmm2/m128) would be returned. If source2 (xmm2/m128)
is an SNaN, this SNaN is forwarded unchanged to the destination (i.e., a
QNaN version of the SNaN is not returned).
MINSD compares the low-order double-precision
FP numbers from xmm1 and xmm2/mem, and stores the minimum value in xmm1. If
the values being compared are both zeroes, source2 (xmm2/m64) would be
returned. If source2 (xmm2/m64) is an SNaN, this SNaN is forwarded
unchanged to the destination (i.e., a QNaN version of the SNaN is not
returned). The high quadword of the destination is left unchanged.
MINSS compares the low-order single-precision
FP numbers from xmm1 and xmm2/mem, and stores the minimum value in xmm1. If
the values being compared are both zeroes, source2 (xmm2/m32) would be
returned. If source2 (xmm2/m32) is an SNaN, this SNaN is forwarded
unchanged to the destination (i.e., a QNaN version of the SNaN is not
returned). The high three doublewords of the destination are left
unchanged.
MOV copies the contents of its source (second)
operand into its destination (first) operand.
In all forms of the MOV instruction, the two
operands are the same size, except for moving between a segment register
and an r/m32 operand. These instructions are
treated exactly like the corresponding 16-bit equivalent (so that, for
example, MOV DS,EAX functions identically to
MOV DS,AX but saves a prefix when in 32-bit
mode), except that when a segment register is moved into a 32-bit
destination, the top two bytes of the result are undefined.
MOV may not use CS
as a destination.
CR4 is only a supported register on the
Pentium and above.
Test registers are supported on 386/486 processors and on some non-Intel
Pentium class processors.
MOVAPD moves a double quadword containing 2
packed double-precision FP values from the source operand to the
destination. When the source or destination operand is a memory location,
it must be aligned on a 16-byte boundary.
To move data in and out of memory locations that are not known to be on
16-byte boundaries, use the MOVUPD instruction
(section B.4.182).
MOVAPS moves a double quadword containing 4
packed single-precision FP values from the source operand to the
destination. When the source or destination operand is a memory location,
it must be aligned on a 16-byte boundary.
To move data in and out of memory locations that are not known to be on
16-byte boundaries, use the MOVUPS instruction
(section B.4.183).
MOVD mm,r/m32 ; 0F 6E /r [PENT,MMX]
MOVD r/m32,mm ; 0F 7E /r [PENT,MMX]
MOVD xmm,r/m32 ; 66 0F 6E /r [WILLAMETTE,SSE2]
MOVD r/m32,xmm ; 66 0F 7E /r [WILLAMETTE,SSE2]
MOVD copies 32 bits from its source (second)
operand into its destination (first) operand. When the destination is a
64-bit MMX register or a 128-bit
XMM register, the input value is zero-extended to
fill the destination register.
MOVDQA xmm1,xmm2/m128 ; 66 OF 6F /r [WILLAMETTE,SSE2]
MOVDQA xmm1/m128,xmm2 ; 66 OF 7F /r [WILLAMETTE,SSE2]
MOVDQA moves a double quadword from the source
operand to the destination operand. When the source or destination operand
is a memory location, it must be aligned to a 16-byte boundary.
To move a double quadword to or from unaligned memory locations, use the
MOVDQU instruction
(section B.4.162).
MOVDQU xmm1,xmm2/m128 ; F3 OF 6F /r [WILLAMETTE,SSE2]
MOVDQU xmm1/m128,xmm2 ; F3 OF 7F /r [WILLAMETTE,SSE2]
MOVDQU moves a double quadword from the source
operand to the destination operand. When the source or destination operand
is a memory location, the memory may be unaligned.
To move a double quadword to or from known aligned memory locations, use
the MOVDQA instruction
(section B.4.161).
MOVHLPS moves the two packed single-precision
FP values from the high quadword of the source register xmm2 to the low
quadword of the destination register, xmm2. The upper quadword of xmm1 is
left unchanged.
MOVHPD xmm,m64 ; 66 OF 16 /r [WILLAMETTE,SSE2]
MOVHPD m64,xmm ; 66 OF 17 /r [WILLAMETTE,SSE2]
MOVHPD moves a double-precision FP value
between the source and destination operands. One of the operands is a
64-bit memory location, the other is the high quadword of an
XMM register.
MOVHPS moves two packed single-precision FP
values between the source and destination operands. One of the operands is
a 64-bit memory location, the other is the high quadword of an
XMM register.
MOVLHPS moves the two packed single-precision
FP values from the low quadword of the source register xmm2 to the high
quadword of the destination register, xmm2. The low quadword of xmm1 is
left unchanged.
MOVLPD xmm,m64 ; 66 OF 12 /r [WILLAMETTE,SSE2]
MOVLPD m64,xmm ; 66 OF 13 /r [WILLAMETTE,SSE2]
MOVLPD moves a double-precision FP value
between the source and destination operands. One of the operands is a
64-bit memory location, the other is the low quadword of an
XMM register.
MOVLPS xmm,m64 ; OF 12 /r [KATMAI,SSE]
MOVLPS m64,xmm ; OF 13 /r [KATMAI,SSE]
MOVLPS moves two packed single-precision FP
values between the source and destination operands. One of the operands is
a 64-bit memory location, the other is the low quadword of an
XMM register.
MOVNTDQ moves the double quadword from the
XMM source register to the destination memory
location, using a non-temporal hint. This store instruction minimizes cache
pollution.
MOVNTI moves the doubleword in the source
register to the destination memory location, using a non-temporal hint.
This store instruction minimizes cache pollution.
MOVNTPD moves the double quadword from the
XMM source register to the destination memory
location, using a non-temporal hint. This store instruction minimizes cache
pollution. The memory location must be aligned to a 16-byte boundary.
MOVNTPS moves the double quadword from the
XMM source register to the destination memory
location, using a non-temporal hint. This store instruction minimizes cache
pollution. The memory location must be aligned to a 16-byte boundary.
MOVNTQ moves the quadword in the
MMX source register to the destination memory
location, using a non-temporal hint. This store instruction minimizes cache
pollution.
MOVQ copies 64 bits from its source (second)
operand into its destination (first) operand. When the source is an
XMM register, the low quadword is moved. When the
destination is an XMM register, the destination
is the low quadword, and the high quadword is cleared.
MOVSB copies the byte at
[DS:SI] or [DS:ESI] to
[ES:DI] or [ES:EDI]. It
then increments or decrements (depending on the direction flag: increments
if the flag is clear, decrements if it is set) SI
and DI (or ESI and
EDI).
The registers used are SI and
DI if the address size is 16 bits, and
ESI and EDI if it is 32
bits. If you need to use an address size not equal to the current
BITS setting, you can use an explicit
a16 or a32 prefix.
The segment register used to load from [SI] or
[ESI] can be overridden by using a segment
register name as a prefix (for example,
es movsb). The use of
ES for the store to
[DI] or [EDI] cannot be
overridden.
MOVSW and MOVSD work
in the same way, but they copy a word or a doubleword instead of a byte,
and increment or decrement the addressing registers by 2 or 4 instead of 1.
The REP prefix may be used to repeat the
instruction CX (or ECX
- again, the address size chooses which) times.
MOVSD moves a double-precision FP value from
the source operand to the destination operand. When the source or
destination is a register, the low-order FP value is read or written.
MOVSS moves a single-precision FP value from
the source operand to the destination operand. When the source or
destination is a register, the low-order FP value is read or written.
MOVSX sign-extends its source (second) operand
to the length of its destination (first) operand, and copies the result
into the destination operand. MOVZX does the
same, but zero-extends rather than sign-extending.
MOVUPD moves a double quadword containing 2
packed double-precision FP values from the source operand to the
destination. This instruction makes no assumptions about alignment of
memory operands.
To move data in and out of memory locations that are known to be on
16-byte boundaries, use the MOVAPD instruction
(section B.4.157).
MOVUPS moves a double quadword containing 4
packed single-precision FP values from the source operand to the
destination. This instruction makes no assumptions about alignment of
memory operands.
To move data in and out of memory locations that are known to be on
16-byte boundaries, use the MOVAPS instruction
(section B.4.158).
MUL r/m8 ; F6 /4 [8086]
MUL r/m16 ; o16 F7 /4 [8086]
MUL r/m32 ; o32 F7 /4 [386]
MUL performs unsigned integer multiplication.
The other operand to the multiplication, and the destination operand, are
implicit, in the following way:
For MUL r/m8, AL is
multiplied by the given operand; the product is stored in
AX.
For MUL r/m16, AX
is multiplied by the given operand; the product is stored in
DX:AX.
For MUL r/m32, EAX
is multiplied by the given operand; the product is stored in
EDX:EAX.
Signed integer multiplication is performed by the
IMUL instruction: see
section B.4.118.
NOT r/m8 ; F6 /2 [8086]
NOT r/m16 ; o16 F7 /2 [8086]
NOT r/m32 ; o32 F7 /2 [386]
NEG replaces the contents of its operand by
the two's complement negation (invert all the bits and then add one) of the
original value. NOT, similarly, performs one's
complement (inverts all the bits).
NOP performs no operation. Its opcode is the
same as that generated by XCHG AX,AX or
XCHG EAX,EAX (depending on the processor mode;
see section B.4.333).
OR r/m8,reg8 ; 08 /r [8086]
OR r/m16,reg16 ; o16 09 /r [8086]
OR r/m32,reg32 ; o32 09 /r [386]
OR reg8,r/m8 ; 0A /r [8086]
OR reg16,r/m16 ; o16 0B /r [8086]
OR reg32,r/m32 ; o32 0B /r [386]
OR r/m8,imm8 ; 80 /1 ib [8086]
OR r/m16,imm16 ; o16 81 /1 iw [8086]
OR r/m32,imm32 ; o32 81 /1 id [386]
OR r/m16,imm8 ; o16 83 /1 ib [8086]
OR r/m32,imm8 ; o32 83 /1 ib [386]
OR AL,imm8 ; 0C ib [8086]
OR AX,imm16 ; o16 0D iw [8086]
OR EAX,imm32 ; o32 0D id [386]
OR performs a bitwise OR operation between its
two operands (i.e. each bit of the result is 1 if and only if at least one
of the corresponding bits of the two inputs was 1), and stores the result
in the destination (first) operand.
In the forms with an 8-bit immediate second operand and a longer first
operand, the second operand is considered to be signed, and is
sign-extended to the length of the first operand. In these cases, the
BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
The MMX instruction POR (see
section B.4.247) performs the same operation
on the 64-bit MMX registers.
ORPD return a bit-wise logical OR between xmm1
and xmm2/mem, and stores the result in xmm1. If the source operand is a
memory location, it must be aligned to a 16-byte boundary.
ORPS return a bit-wise logical OR between xmm1
and xmm2/mem, and stores the result in xmm1. If the source operand is a
memory location, it must be aligned to a 16-byte boundary.
OUT imm8,AL ; E6 ib [8086]
OUT imm8,AX ; o16 E7 ib [8086]
OUT imm8,EAX ; o32 E7 ib [386]
OUT DX,AL ; EE [8086]
OUT DX,AX ; o16 EF [8086]
OUT DX,EAX ; o32 EF [386]
OUT writes the contents of the given source
register to the specified I/O port. The port number may be specified as an
immediate value if it is between 0 and 255, and otherwise must be stored in
DX. See also IN
(section B.4.119).
OUTSB loads a byte from
[DS:SI] or [DS:ESI] and
writes it to the I/O port specified in DX. It
then increments or decrements (depending on the direction flag: increments
if the flag is clear, decrements if it is set) SI
or ESI.
The register used is SI if the address size is
16 bits, and ESI if it is 32 bits. If you need to
use an address size not equal to the current BITS
setting, you can use an explicit a16 or
a32 prefix.
The segment register used to load from [SI] or
[ESI] can be overridden by using a segment
register name as a prefix (for example,
es outsb).
OUTSW and OUTSD work
in the same way, but they output a word or a doubleword instead of a byte,
and increment or decrement the addressing registers by 2 or 4 instead of 1.
The REP prefix may be used to repeat the
instruction CX (or ECX
- again, the address size chooses which) times.
All these instructions start by combining the source and destination
operands, and then splitting the result in smaller sections which it then
packs into the destination register. The MMX
versions pack two 64-bit operands into one 64-bit register, while the
SSE versions pack two 128-bit operands into one
128-bit register.
PACKSSWB splits the combined value into
words, and then reduces the words to bytes, using signed saturation. It
then packs the bytes into the destination register in the same order the
words were in.
PACKSSDW performs the same operation as
PACKSSWB, except that it reduces doublewords to
words, then packs them into the destination register.
PACKUSWB performs the same operation as
PACKSSWB, except that it uses unsigned saturation
when reducing the size of the elements.
To perform signed saturation on a number, it is replaced by the largest
signed number (7FFFh or
7Fh) that will fit, and if it is too
small it is replaced by the smallest signed number
(8000h or 80h) that
will fit. To perform unsigned saturation, the input is treated as unsigned,
and the input is replaced by the largest unsigned number that will fit.
PADDSx performs packed addition of the two
operands, storing the result in the destination (first) operand.
PADDSB treats the operands as packed bytes, and
adds each byte individually; and PADDSW treats
the operands as packed words.
When an individual result is too large to fit in its destination, a
saturated value is stored. The resulting value is the value with the
largest magnitude of the same sign as the result which will fit in the
available space.
PADDSIW, specific to the Cyrix extensions to
the MMX instruction set, performs the same function as
PADDSW, except that the result is placed in an
implied register.
To work out the implied register, invert the lowest bit in the register
number. So PADDSIW MM0,MM2 would put the result
in MM1, but
PADDSIW MM1,MM2 would put the result in
MM0.
PADDUSx performs packed addition of the two
operands, storing the result in the destination (first) operand.
PADDUSB treats the operands as packed bytes, and
adds each byte individually; and PADDUSW treats
the operands as packed words.
When an individual result is too large to fit in its destination, a
saturated value is stored. The resulting value is the maximum value that
will fit in the available space.
PAND performs a bitwise AND operation between
its two operands (i.e. each bit of the result is 1 if and only if the
corresponding bits of the two inputs were both 1), and stores the result in
the destination (first) operand.
PANDN performs the same operation, but
performs a one's complement operation on the destination (first) operand
first.
PAUSE provides a hint to the processor that
the following code is a spin loop. This improves processor performance by
bypassing possible memory order violations. On older processors, this
instruction operates as a NOP.
PAVEB, specific to the Cyrix MMX extensions,
treats its two operands as vectors of eight unsigned bytes, and calculates
the average of the corresponding bytes in the operands. The resulting
vector of eight averages is stored in the first operand.
This opcode maps to MOVMSKPS r32, xmm on
processors that support the SSE instruction set.
PAVGB and PAVGW add
the unsigned data elements of the source operand to the unsigned data
elements of the destination register, then adds 1 to the temporary results.
The results of the add are then each independently right-shifted by one bit
position. The high order bits of each element are filled with the carry
bits of the corresponding sum.
PAVGUSB adds the unsigned data elements of the
source operand to the unsigned data elements of the destination register,
then adds 1 to the temporary results. The results of the add are then each
independently right-shifted by one bit position. The high order bits of
each element are filled with the carry bits of the corresponding sum.
This instruction performs exactly the same operations as the
PAVGBMMX instruction
(section B.4.205).
The PCMPxx instructions all treat their
operands as vectors of bytes, words, or doublewords; corresponding elements
of the source and destination are compared, and the corresponding element
of the destination (first) operand is set to all zeros or all ones
depending on the result of the comparison.
PCMPxxB treats the operands as vectors of
bytes;
PCMPxxW treats the operands as vectors of
words;
PCMPxxD treats the operands as vectors of
doublewords;
PCMPEQx sets the corresponding element of the
destination operand to all ones if the two elements compared are equal;
PCMPGTx sets the destination element to all
ones if the element of the first (destination) operand is greater (treated
as a signed integer) than that of the second (source) operand.
PDISTIB, specific to the Cyrix MMX extensions,
treats its two input operands as vectors of eight unsigned bytes. For each
byte position, it finds the absolute difference between the bytes in that
position in the two input operands, and adds that value to the byte in the
same position in the implied output register. The addition is saturated to
an unsigned byte in the same way as PADDUSB.
To work out the implied register, invert the lowest bit in the register
number. So PDISTIB MM0,M64 would put the result
in MM1, but
PDISTIB MM1,M64 would put the result in
MM0.
Note that PDISTIB cannot take a register as
its second source operand.
PEXTRW moves the word in the source register
(second operand) that is pointed to by the count operand (third operand),
into the lower half of a 32-bit general purpose register. The upper half of
the register is cleared to all 0s.
When the source operand is an MMX register,
the two least significant bits of the count specify the source word. When
it is an SSE register, the three least
significant bits specify the word location.
PF2ID converts two single-precision FP values
in the source operand to signed 32-bit integers, using truncation, and
stores them in the destination operand. Source values that are outside the
range supported by the destination are saturated to the largest absolute
value of the same sign.
PF2IW converts two single-precision FP values
in the source operand to signed 16-bit integers, using truncation, and
stores them in the destination operand. Source values that are outside the
range supported by the destination are saturated to the largest absolute
value of the same sign.
In the K6-2 and K6-III, the 16-bit value is zero-extended to 32-bits
before storing.
In the K6-2+, K6-III+ and Athlon processors, the value is sign-extended
to 32-bits before storing.
PFACC adds the two single-precision FP values
from the destination operand together, then adds the two single-precision
FP values from the source operand, and places the results in the low and
high doublewords of the destination operand.
The PFCMPxx instructions compare the packed
single-point FP values in the source and destination operands, and set the
destination according to the result. If the condition is true, the
destination is set to all 1s, otherwise it's set to all 0s.
PFNACC performs a negative accumulate of the
two single-precision FP values in the source and destination registers. The
result of the accumulate from the destination register is stored in the low
doubleword of the destination, and the result of the source accumulate is
stored in the high doubleword of the destination register.
PFPNACC performs a positive accumulate of the
two single-precision FP values in the source register and a negative
accumulate of the destination register. The result of the accumulate from
the destination register is stored in the low doubleword of the
destination, and the result of the source accumulate is stored in the high
doubleword of the destination register.
PFRCP performs a low precision estimate of the
reciprocal of the low-order single-precision FP value in the source
operand, storing the result in both halves of the destination register. The
result is accurate to 14 bits.
For higher precision reciprocals, this instruction should be followed by
two more instructions: PFRCPIT1
(section B.4.221) and
PFRCPIT2 (section
B.4.221). This will result in a 24-bit accuracy. For more details, see
the AMD 3DNow! technology manual.
PFRCPIT1 performs the first intermediate step
in the calculation of the reciprocal of a single-precision FP value. The
first source value (mm1 is the original value,
and the second source value (mm2/m64 is the
result of a PFRCP instruction.
For the final step in a reciprocal, returning the full 24-bit accuracy
of a single-precision FP value, see PFRCPIT2
(section B.4.222). For more details, see the
AMD 3DNow! technology manual.
PFRCPIT2 performs the second and final
intermediate step in the calculation of a reciprocal or reciprocal square
root, refining the values returned by the PFRCP
and PFRSQRT instructions, respectively.
The first source value (mm1) is the output of
either a PFRCPIT1 or a
PFRSQIT1 instruction, and the second source is
the output of either the PFRCP or the
PFRSQRT instruction. For more details, see the
AMD 3DNow! technology manual.
PFRSQIT1 performs the first intermediate step
in the calculation of the reciprocal square root of a single-precision FP
value. The first source value (mm1 is the square
of the result of a PFRSQRT instruction, and the
second source value (mm2/m64 is the original
value.
For the final step in a calculation, returning the full 24-bit accuracy
of a single-precision FP value, see PFRCPIT2
(section B.4.222). For more details, see the
AMD 3DNow! technology manual.
PFRSQRT performs a low precision estimate of
the reciprocal square root of the low-order single-precision FP value in
the source operand, storing the result in both halves of the destination
register. The result is accurate to 15 bits.
For higher precision reciprocals, this instruction should be followed by
two more instructions: PFRSQIT1
(section B.4.223) and
PFRCPIT2 (section
B.4.221). This will result in a 24-bit accuracy. For more details, see
the AMD 3DNow! technology manual.
PF2ID converts two signed 32-bit integers in
the source operand to single-precision FP values, using truncation of
significant digits, and stores them in the destination operand.
PF2IW converts two signed 16-bit integers in
the source operand to single-precision FP values, and stores them in the
destination operand. The input values are in the low word of each
doubleword.
PINSRW loads a word from a 16-bit register (or
the low half of a 32-bit register), or from memory, and loads it to the
word position in the destination register, pointed at by the count operand
(third operand). If the destination is an MMX
register, the low two bits of the count byte are used, if it is an
XMM register the low 3 bits are used. The
insertion is done in such a way that the other words from the destination
register are left untouched.
PMACHRIW takes two packed 16-bit integer
inputs, multiplies the values in the inputs, rounds on bit 15 of each
result, then adds bits 15-30 of each result to the corresponding position
of the implied destination register.
PMADDWD treats its two inputs as vectors of
signed words. It multiplies corresponding elements of the two operands,
giving doubleword results. These are then added together in pairs and
stored in the destination operand.
PMAGW, specific to the Cyrix MMX extensions,
treats both its operands as vectors of four signed words. It compares the
absolute values of the words in corresponding positions, and sets each word
of the destination (first) operand to whichever of the two words in that
position had the larger absolute value.
PMOVMSKB returns an 8-bit or 16-bit mask
formed of the most significant bits of each byte of source operand (8-bits
for an MMX register, 16-bits for an
XMM register).
These instructions take two packed 16-bit integer inputs, multiply the
values in the inputs, round on bit 15 of each result, then store bits 15-30
of each result to the corresponding position of the destination register.
For PMULHRWC, the destination is the first
source operand.
For PMULHRIW, the destination is an implied
register (worked out as described for PADDSIW
(section B.4.200)).
PMULHRWA takes two packed 16-bit integer
inputs, multiplies the values in the inputs, rounds on bit 16 of each
result, then stores bits 16-31 of each result to the corresponding position
of the destination register.
PMULHUW takes two packed unsigned 16-bit
integer inputs, multiplies the values in the inputs, then stores bits 16-31
of each result to the corresponding position of the destination register.
PMULUDQ takes two packed unsigned 32-bit
integer inputs, and multiplies the values in the inputs, forming quadword
results. The source is either an unsigned doubleword in the low doubleword
of a 64-bit operand, or it's two unsigned doublewords in the first and
third doublewords of a 128-bit operand. This produces either one or two
64-bit results, which are stored in the respective quadword locations of
the destination register.
These instructions, specific to the Cyrix MMX extensions, perform
parallel conditional moves. The two input operands are treated as vectors
of eight bytes. Each byte of the destination (first) operand is either
written from the corresponding byte of the source (second) operand, or left
alone, depending on the value of the byte in the implied operand
(specified in the same way as PADDSIW, in
section B.4.200).
PMVZB performs each move if the corresponding
byte in the implied operand is zero;
PMVNZB moves if the byte is non-zero;
PMVLZB moves if the byte is less than zero;
PMVGEZB moves if the byte is greater than or
equal to zero.
Note that these instructions cannot take a register as their second
source operand.
POP reg16 ; o16 58+r [8086]
POP reg32 ; o32 58+r [386]
POP r/m16 ; o16 8F /0 [8086]
POP r/m32 ; o32 8F /0 [386]
POP CS ; 0F [8086,UNDOC]
POP DS ; 1F [8086]
POP ES ; 07 [8086]
POP SS ; 17 [8086]
POP FS ; 0F A1 [386]
POP GS ; 0F A9 [386]
POP loads a value from the stack (from
[SS:SP] or [SS:ESP])
and then increments the stack pointer.
The address-size attribute of the instruction determines whether
SP or ESP is used as
the stack pointer: to deliberately override the default given by the
BITS setting, you can use an
a16 or a32 prefix.
The operand-size attribute of the instruction determines whether the
stack pointer is incremented by 2 or 4: this means that segment register
pops in BITS 32 mode will pop 4 bytes off the
stack and discard the upper two of them. If you need to override that, you
can use an o16 or o32
prefix.
The above opcode listings give two forms for general-purpose register
pop instructions: for example, POP BX has the two
forms 5B and 8F C3.
NASM will always generate the shorter form when given
POP BX. NDISASM will disassemble both.
POP CS is not a documented instruction, and is
not supported on any processor above the 8086 (since they use
0Fh as an opcode prefix for instruction set
extensions). However, at least some 8086 processors do support it, and so
NASM generates it for completeness.
POPAW pops a word from the stack into each
of, successively, DI,
SI, BP, nothing (it
discards a word from the stack which was a placeholder for
SP), BX,
DX, CX and
AX. It is intended to reverse the operation of
PUSHAW (see section
B.4.264), but it ignores the value for SP
that was pushed on the stack by PUSHAW.
POPAD pops twice as much data, and places the
results in EDI, ESI,
EBP, nothing (placeholder for
ESP), EBX,
EDX, ECX and
EAX. It reverses the operation of
PUSHAD.
POPA is an alias mnemonic for either
POPAW or POPAD,
depending on the current BITS setting.
Note that the registers are popped in reverse order of their numeric
values in opcodes (see section B.2.1).
POR mm1,mm2/m64 ; 0F EB /r [PENT,MMX]
POR xmm1,xmm2/m128 ; 66 0F EB /r [WILLAMETTE,SSE2]
POR performs a bitwise OR operation between
its two operands (i.e. each bit of the result is 1 if and only if at least
one of the corresponding bits of the two inputs was 1), and stores the
result in the destination (first) operand.
PREFETCH and
PREFETCHW fetch the line of data from memory that
contains the specified byte. PREFETCHW performs
differently on the Athlon to earlier processors.
For more details, see the 3DNow! Technology Manual.
The PREFETCHh instructions fetch the line of
data from memory that contains the specified byte. It is placed in the
cache according to rules specified by locality hints
h:
The hints are:
T0 (temporal data) - prefetch data into all
levels of the cache hierarchy.
T1 (temporal data with respect to first level
cache) - prefetch data into level 2 cache and higher.
T2 (temporal data with respect to second
level cache) - prefetch data into level 2 cache and higher.
NTA (non-temporal data with respect to all
cache levels) - prefetch data into non-temporal cache structure and into a
location close to the processor, minimizing cache pollution.
Note that this group of instructions doesn't provide a guarantee that
the data will be in the cache when it is needed. For more details, see the
Intel IA32 Software Developer Manual, Volume 2.
PSADBW The PSADBW instruction computes the
absolute value of the difference of the packed unsigned bytes in the two
source operands. These differences are then summed to produce a word result
in the lower 16-bit field of the destination register; the rest of the
register is cleared. The destination operand is an
MMX or an XMM register.
The source operand can either be a register or a memory operand.
PSHUFD shuffles the doublewords in the source
(second) operand according to the encoding specified by imm8, and stores
the result in the destination (first) operand.
Bits 0 and 1 of imm8 encode the source position of the doubleword to be
copied to position 0 in the destination operand. Bits 2 and 3 encode for
position 1, bits 4 and 5 encode for position 2, and bits 6 and 7 encode for
position 3. For example, an encoding of 10 in bits 0 and 1 of imm8
indicates that the doubleword at bits 64-95 of the source operand will be
copied to bits 0-31 of the destination.
PSHUFW shuffles the words in the high quadword
of the source (second) operand according to the encoding specified by imm8,
and stores the result in the high quadword of the destination (first)
operand.
The operation of this instruction is similar to the
PSHUFW instruction, except that the source and
destination are the top quadword of a 128-bit operand, instead of being
64-bit operands. The low quadword is copied from the source to the
destination without any changes.
PSHUFLW shuffles the words in the low quadword
of the source (second) operand according to the encoding specified by imm8,
and stores the result in the low quadword of the destination (first)
operand.
The operation of this instruction is similar to the
PSHUFW instruction, except that the source and
destination are the low quadword of a 128-bit operand, instead of being
64-bit operands. The high quadword is copied from the source to the
destination without any changes.
PSHUFW shuffles the words in the source
(second) operand according to the encoding specified by imm8, and stores
the result in the destination (first) operand.
Bits 0 and 1 of imm8 encode the source position of the word to be copied
to position 0 in the destination operand. Bits 2 and 3 encode for position
1, bits 4 and 5 encode for position 2, and bits 6 and 7 encode for position
3. For example, an encoding of 10 in bits 0 and 1 of imm8 indicates that
the word at bits 32-47 of the source operand will be copied to bits 0-15 of
the destination.
PSLLx performs logical left shifts of the data
elements in the destination (first) operand, moving each bit in the
separate elements left by the number of bits specified in the source
(second) operand, clearing the low-order bits as they are vacated.
PSLLDQ shifts bytes, not bits.
PSRAx performs arithmetic right shifts of the
data elements in the destination (first) operand, moving each bit in the
separate elements right by the number of bits specified in the source
(second) operand, setting the high-order bits to the value of the original
sign bit.
PSRLx performs logical right shifts of the
data elements in the destination (first) operand, moving each bit in the
separate elements right by the number of bits specified in the source
(second) operand, clearing the high-order bits as they are vacated.
PSRLDQ shifts bytes, not bits.
PSUBx subtracts packed integers in the source
operand from those in the destination operand. It doesn't differentiate
between signed and unsigned integers, and doesn't set any of the flags.
PSUBSx and PSUBUSx
subtracts packed integers in the source operand from those in the
destination operand, and use saturation for results that are outside the
range supported by the destination operand.
PSUBSB operates on signed bytes, and uses
signed saturation on the results.
PSUBSW operates on signed words, and uses
signed saturation on the results.
PSUBUSB operates on unsigned bytes, and uses
signed saturation on the results.
PSUBUSW operates on unsigned words, and uses
signed saturation on the results.
PSUBSIW, specific to the Cyrix extensions to
the MMX instruction set, performs the same function as
PSUBSW, except that the result is not placed in
the register specified by the first operand, but instead in the implied
destination register, specified as for PADDSIW
(section B.4.200).
PSWAPD swaps the packed doublewords in the
source operand, and stores the result in the destination operand.
In the K6-2 and
K6-III processors, this opcode uses the mnemonic
PSWAPW, and it swaps the order of words when
copying from the source to the destination.
The operation in the K6-2 and
K6-III processors is
PUNPCKxx all treat their operands as vectors,
and produce a new vector generated by interleaving elements from the two
inputs. The PUNPCKHxx instructions start by
throwing away the bottom half of each input operand, and the
PUNPCKLxx instructions throw away the top half.
The remaining elements, are then interleaved into the destination,
alternating elements from the second (source) operand and the first
(destination) operand: so the leftmost part of each element in the result
always comes from the second operand, and the rightmost from the
destination.
PUNPCKxBW works a byte at a time, producing
word sized output elements.
PUNPCKxWD works a word at a time, producing
doubleword sized output elements.
PUNPCKxDQ works a doubleword at a time,
producing quadword sized output elements.
PUNPCKxQDQ works a quadword at a time,
producing double quadword sized output elements.
So, for example, for MMX operands, if the
first operand held 0x7A6A5A4A3A2A1A0A and the
second held 0x7B6B5B4B3B2B1B0B, then:
PUSH decrements the stack pointer
(SP or ESP) by 2 or 4,
and then stores the given value at [SS:SP] or
[SS:ESP].
The address-size attribute of the instruction determines whether
SP or ESP is used as
the stack pointer: to deliberately override the default given by the
BITS setting, you can use an
a16 or a32 prefix.
The operand-size attribute of the instruction determines whether the
stack pointer is decremented by 2 or 4: this means that segment register
pushes in BITS 32 mode will push 4 bytes on the
stack, of which the upper two are undefined. If you need to override that,
you can use an o16 or
o32 prefix.
The above opcode listings give two forms for general-purpose register
push instructions: for example, PUSH BX has the
two forms 53 and FF F3.
NASM will always generate the shorter form when given
PUSH BX. NDISASM will disassemble both.
Unlike the undocumented and barely supported
POP CS, PUSH CS is a
perfectly valid and sensible instruction, supported on all processors.
The instruction PUSH SP may be used to
distinguish an 8086 from later processors: on an 8086, the value of
SP stored is the value it has after the
push instruction, whereas on later processors it is the value
before the push instruction.
PXOR mm1,mm2/m64 ; 0F EF /r [PENT,MMX]
PXOR xmm1,xmm2/m128 ; 66 0F EF /r [WILLAMETTE,SSE2]
PXOR performs a bitwise XOR operation between
its two operands (i.e. each bit of the result is 1 if and only if exactly
one of the corresponding bits of the two inputs was 1), and stores the
result in the destination (first) operand.
RCL and RCR perform
a 9-bit, 17-bit or 33-bit bitwise rotation operation, involving the given
source/destination (first) operand and the carry bit. Thus, for example, in
the operation RCL AL,1, a 9-bit rotation is
performed in which AL is shifted left by 1, the
top bit of AL moves into the carry flag, and the
original value of the carry flag is placed in the low bit of
AL.
The number of bits to rotate by is given by the second operand. Only the
bottom five bits of the rotation count are considered by processors above
the 8086.
You can force the longer (286 and upwards, beginning with a
C1 byte) form of
RCL foo,1 by using a
BYTE prefix:
RCL foo,BYTE 1. Similarly with
RCR.
RCPPS returns an approximation of the
reciprocal of the packed single-precision FP values from xmm2/m128. The
maximum error for this approximation is: |Error| <= 1.5 x 2^-12
RCPSS returns an approximation of the
reciprocal of the lower single-precision FP value from xmm2/m32; the upper
three fields are passed through from xmm1. The maximum error for this
approximation is: |Error| <= 1.5 x 2^-12
RDMSR reads the processor Model-Specific
Register (MSR) whose index is stored in ECX, and
stores the result in EDX:EAX. See also
WRMSR (section
B.4.329).
RDSHR reads the contents of the SMM header
pointer register and saves it to the destination operand, which can be
either a 32 bit memory location or a 32 bit register.
RET, and its exact synonym
RETN, pop IP or
EIP from the stack and transfer control to the
new address. Optionally, if a numeric second operand is provided, they
increment the stack pointer by a further imm16
bytes after popping the return address.
RETF executes a far return: after popping
IP/EIP, it then pops
CS, and then increments the stack
pointer by the optional argument if present.
ROL and ROR perform
a bitwise rotation operation on the given source/destination (first)
operand. Thus, for example, in the operation
ROL AL,1, an 8-bit rotation is performed in which
AL is shifted left by 1 and the original top bit
of AL moves round into the low bit.
The number of bits to rotate by is given by the second operand. Only the
bottom five bits of the rotation count are considered by processors above
the 8086.
You can force the longer (286 and upwards, beginning with a
C1 byte) form of
ROL foo,1 by using a
BYTE prefix:
ROL foo,BYTE 1. Similarly with
ROR.
RSQRTPS computes the approximate reciprocals
of the square roots of the packed single-precision floating-point values in
the source and stores the results in xmm1. The maximum error for this
approximation is: |Error| <= 1.5 x 2^-12
RSQRTSS returns an approximation of the
reciprocal of the square root of the lowest order single-precision FP value
from the source, and stores it in the low doubleword of the destination
register. The upper three fields of xmm1 are preserved. The maximum error
for this approximation is: |Error| <= 1.5 x 2^-12
SAL r/m8,1 ; D0 /4 [8086]
SAL r/m8,CL ; D2 /4 [8086]
SAL r/m8,imm8 ; C0 /4 ib [186]
SAL r/m16,1 ; o16 D1 /4 [8086]
SAL r/m16,CL ; o16 D3 /4 [8086]
SAL r/m16,imm8 ; o16 C1 /4 ib [186]
SAL r/m32,1 ; o32 D1 /4 [386]
SAL r/m32,CL ; o32 D3 /4 [386]
SAL r/m32,imm8 ; o32 C1 /4 ib [386]
SAR r/m8,1 ; D0 /7 [8086]
SAR r/m8,CL ; D2 /7 [8086]
SAR r/m8,imm8 ; C0 /7 ib [186]
SAR r/m16,1 ; o16 D1 /7 [8086]
SAR r/m16,CL ; o16 D3 /7 [8086]
SAR r/m16,imm8 ; o16 C1 /7 ib [186]
SAR r/m32,1 ; o32 D1 /7 [386]
SAR r/m32,CL ; o32 D3 /7 [386]
SAR r/m32,imm8 ; o32 C1 /7 ib [386]
SAL and SAR perform
an arithmetic shift operation on the given source/destination (first)
operand. The vacated bits are filled with zero for
SAL, and with copies of the original high bit of
the source operand for SAR.
SAL is a synonym for
SHL (see section
B.4.290). NASM will assemble either one to the same code, but NDISASM
will always disassemble that code as SHL.
The number of bits to shift by is given by the second operand. Only the
bottom five bits of the shift count are considered by processors above the
8086.
You can force the longer (286 and upwards, beginning with a
C1 byte) form of
SAL foo,1 by using a
BYTE prefix:
SAL foo,BYTE 1. Similarly with
SAR.
SALC is an early undocumented instruction
similar in concept to SETcc
(section B.4.287). Its function is to set
AL to zero if the carry flag is clear, or to
0xFF if it is set.
SBB performs integer subtraction: it subtracts
its second operand, plus the value of the carry flag, from its first, and
leaves the result in its destination (first) operand. The flags are set
according to the result of the operation: in particular, the carry flag is
affected and can be used by a subsequent SBB
instruction.
In the forms with an 8-bit immediate second operand and a longer first
operand, the second operand is considered to be signed, and is
sign-extended to the length of the first operand. In these cases, the
BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
To subtract one number from another without also subtracting the
contents of the carry flag, use SUB
(section B.4.305).
SCASB ; AE [8086]
SCASW ; o16 AF [8086]
SCASD ; o32 AF [386]
SCASB compares the byte in
AL with the byte at
[ES:DI] or [ES:EDI],
and sets the flags accordingly. It then increments or decrements (depending
on the direction flag: increments if the flag is clear, decrements if it is
set) DI (or EDI).
The register used is DI if the address size is
16 bits, and EDI if it is 32 bits. If you need to
use an address size not equal to the current BITS
setting, you can use an explicit a16 or
a32 prefix.
Segment override prefixes have no effect for this instruction: the use
of ES for the load from
[DI] or [EDI] cannot be
overridden.
SCASW and SCASD work
in the same way, but they compare a word to AX or
a doubleword to EAX instead of a byte to
AL, and increment or decrement the addressing
registers by 2 or 4 instead of 1.
The REPE and REPNE
prefixes (equivalently, REPZ and
REPNZ) may be used to repeat the instruction up
to CX (or ECX - again,
the address size chooses which) times until the first unequal or equal byte
is found.
SFENCE performs a serialising operation on all
writes to memory that were issued before the
SFENCE instruction. This guarantees that all
memory writes before the SFENCE instruction are
visible before any writes after the SFENCE
instruction.
SFENCE is ordered respective to other
SFENCE instruction,
MFENCE, any memory write and any other
serialising instruction (such as CPUID).
Weakly ordered memory types can be used to achieve higher processor
performance through such techniques as out-of-order issue, write-combining,
and write-collapsing. The degree to which a consumer of data recognizes or
knows that the data is weakly ordered varies among applications and may be
unknown to the producer of this data. The SFENCE
instruction provides a performance-efficient way of insuring store ordering
between routines that produce weakly-ordered results and routines that
consume this data.
SGDT and SIDT both
take a 6-byte memory area as an operand: they store the contents of the
GDTR (global descriptor table register) or IDTR (interrupt descriptor table
register) into that area as a 32-bit linear address and a 16-bit size limit
from that area (in that order). These are the only instructions which
directly use linear addresses, rather than segment/offset pairs.
SLDT stores the segment selector corresponding
to the LDT (local descriptor table) into the given operand.
SHL and SHR perform
a logical shift operation on the given source/destination (first) operand.
The vacated bits are filled with zero.
A synonym for SHL is
SAL (see section
B.4.283). NASM will assemble either one to the same code, but NDISASM
will always disassemble that code as SHL.
The number of bits to shift by is given by the second operand. Only the
bottom five bits of the shift count are considered by processors above the
8086.
You can force the longer (286 and upwards, beginning with a
C1 byte) form of
SHL foo,1 by using a
BYTE prefix:
SHL foo,BYTE 1. Similarly with
SHR.
SHRD r/m16,reg16,imm8 ; o16 0F AC /r ib [386]
SHRD r/m32,reg32,imm8 ; o32 0F AC /r ib [386]
SHRD r/m16,reg16,CL ; o16 0F AD /r [386]
SHRD r/m32,reg32,CL ; o32 0F AD /r [386]
SHLD performs a double-precision left shift.
It notionally places its second operand to the right of its first, then
shifts the entire bit string thus generated to the left by a number of bits
specified in the third operand. It then updates only the first
operand according to the result of this. The second operand is not
modified.
SHRD performs the corresponding right shift:
it notionally places the second operand to the left of the first,
shifts the whole bit string right, and updates only the first operand.
For example, if EAX holds
0x01234567 and EBX
holds 0x89ABCDEF, then the instruction
SHLD EAX,EBX,4 would update
EAX to hold 0x12345678.
Under the same conditions, SHRD EAX,EBX,4 would
update EAX to hold
0xF0123456.
The number of bits to shift by is given by the third operand. Only the
bottom five bits of the shift count are considered.
SHUFPD moves one of the packed
double-precision FP values from the destination operand into the low
quadword of the destination operand; the upper quadword is generated by
moving one of the double-precision FP values from the source operand into
the destination. The select (third) operand selects which of the values are
moved to the destination register.
The select operand is an 8-bit immediate: bit 0 selects which value is
moved from the destination operand to the result (where 0 selects the low
quadword and 1 selects the high quadword) and bit 1 selects which value is
moved from the source operand to the result. Bits 2 through 7 of the
shuffle operand are reserved.
SHUFPS moves two of the packed
single-precision FP values from the destination operand into the low
quadword of the destination operand; the upper quadword is generated by
moving two of the single-precision FP values from the source operand into
the destination. The select (third) operand selects which of the values are
moved to the destination register.
The select operand is an 8-bit immediate: bits 0 and 1 select the value
to be moved from the destination operand the low doubleword of the result,
bits 2 and 3 select the value to be moved from the destination operand the
second doubleword of the result, bits 4 and 5 select the value to be moved
from the source operand the third doubleword of the result, and bits 6 and
7 select the value to be moved from the source operand to the high
doubleword of the result.
SMI puts some AMD processors into SMM mode. It
is available on some 386 and 486 processors, and is only available when DR7
bit 12 is set, otherwise it generates an Int 1.
SMINT ; 0F 38 [PENT,CYRIX]
SMINTOLD ; 0F 7E [486,CYRIX]
SMINT puts the processor into SMM mode. The
CPU state information is saved in the SMM memory header, and then execution
begins at the SMM base address.
SMINTOLD is the same as
SMINT, but was the opcode used on the 486.
This pair of opcodes are specific to the Cyrix and compatible range of
processors (Cyrix, IBM, Via).
SMSW stores the bottom half of the
CR0 control register (or the Machine Status Word,
on 286 processors) into the destination operand. See also
LMSW (section
B.4.139).
For 32-bit code, this would use the low 16-bits of the specified
register (or a 16bit memory location), without needing an operand size
override byte.
SQRTPD calculates the square root of the
packed double-precision FP value from the source operand, and stores the
double-precision results in the destination register.
SQRTPS calculates the square root of the
packed single-precision FP value from the source operand, and stores the
single-precision results in the destination register.
SQRTSD calculates the square root of the
low-order double-precision FP value from the source operand, and stores the
double-precision result in the destination register. The high-quadword
remains unchanged.
SQRTSS calculates the square root of the
low-order single-precision FP value from the source operand, and stores the
single-precision result in the destination register. The three high
doublewords remain unchanged.
These instructions set various flags. STC sets
the carry flag; STD sets the direction flag; and
STI sets the interrupt flag (thus enabling
interrupts).
To clear the carry, direction, or interrupt flags, use the
CLC, CLD and
CLI instructions
(section B.4.20). To invert the carry flag,
use CMC (section
B.4.22).
STMXCSR stores the contents of the
MXCSR control/status register to the specified
memory location. MXCSR is used to enable
masked/unmasked exception handling, to set rounding modes, to set
flush-to-zero mode, and to view exception status flags. The reserved bits
in the MXCSR register are stored as 0s.
For details of the MXCSR register, see the
Intel processor docs.
STOSB ; AA [8086]
STOSW ; o16 AB [8086]
STOSD ; o32 AB [386]
STOSB stores the byte in
AL at [ES:DI] or
[ES:EDI], and sets the flags accordingly. It then
increments or decrements (depending on the direction flag: increments if
the flag is clear, decrements if it is set) DI
(or EDI).
The register used is DI if the address size is
16 bits, and EDI if it is 32 bits. If you need to
use an address size not equal to the current BITS
setting, you can use an explicit a16 or
a32 prefix.
Segment override prefixes have no effect for this instruction: the use
of ES for the store to
[DI] or [EDI] cannot be
overridden.
STOSW and STOSD work
in the same way, but they store the word in AX or
the doubleword in EAX instead of the byte in
AL, and increment or decrement the addressing
registers by 2 or 4 instead of 1.
The REP prefix may be used to repeat the
instruction CX (or ECX
- again, the address size chooses which) times.
STR stores the segment selector corresponding
to the contents of the Task Register into its operand. When the operand
size is a 16-bit register, the upper 16-bits are cleared to 0s. When the
destination operand is a memory location, 16 bits are written regardless of
the operand size.
SUB r/m8,reg8 ; 28 /r [8086]
SUB r/m16,reg16 ; o16 29 /r [8086]
SUB r/m32,reg32 ; o32 29 /r [386]
SUB reg8,r/m8 ; 2A /r [8086]
SUB reg16,r/m16 ; o16 2B /r [8086]
SUB reg32,r/m32 ; o32 2B /r [386]
SUB r/m8,imm8 ; 80 /5 ib [8086]
SUB r/m16,imm16 ; o16 81 /5 iw [8086]
SUB r/m32,imm32 ; o32 81 /5 id [386]
SUB r/m16,imm8 ; o16 83 /5 ib [8086]
SUB r/m32,imm8 ; o32 83 /5 ib [386]
SUB AL,imm8 ; 2C ib [8086]
SUB AX,imm16 ; o16 2D iw [8086]
SUB EAX,imm32 ; o32 2D id [386]
SUB performs integer subtraction: it subtracts
its second operand from its first, and leaves the result in its destination
(first) operand. The flags are set according to the result of the
operation: in particular, the carry flag is affected and can be used by a
subsequent SBB instruction
(section B.4.285).
In the forms with an 8-bit immediate second operand and a longer first
operand, the second operand is considered to be signed, and is
sign-extended to the length of the first operand. In these cases, the
BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
SUBPD subtracts the packed double-precision FP
values of the source operand from those of the destination operand, and
stores the result in the destination operation.
SUBPS subtracts the packed single-precision FP
values of the source operand from those of the destination operand, and
stores the result in the destination operation.
SUBSD subtracts the low-order double-precision
FP value of the source operand from that of the destination operand, and
stores the result in the destination operation. The high quadword is
unchanged.
SUBSS subtracts the low-order single-precision
FP value of the source operand from that of the destination operand, and
stores the result in the destination operation. The three high doublewords
are unchanged.
SYSCALL provides a fast method of transferring
control to a fixed entry point in an operating system.
The EIP register is copied into the
ECX register.
Bits [31-0] of the 64-bit SYSCALL/SYSRET Target Address Register
(STAR) are copied into the
EIP register.
Bits [47-32] of the STAR register specify the
selector that is copied into the CS register.
Bits [47-32]+1000b of the STAR register
specify the selector that is copied into the SS register.
The CS and SS
registers should not be modified by the operating system between the
execution of the SYSCALL instruction and its
corresponding SYSRET instruction.
For more information, see the
SYSCALL and SYSRET Instruction Specification (AMD
document number 21086.pdf).
SYSENTER executes a fast call to a level 0
system procedure or routine. Before using this instruction, various MSRs
need to be set up:
SYSENTER_CS_MSR contains the 32-bit segment
selector for the privilege level 0 code segment. (This value is also used
to compute the segment selector of the privilege level 0 stack segment.)
SYSENTER_EIP_MSR contains the 32-bit offset
into the privilege level 0 code segment to the first instruction of the
selected operating procedure or routine.
SYSENTER_ESP_MSR contains the 32-bit stack
pointer for the privilege level 0 stack.
SYSENTER performs the following sequence of
operations:
Loads the segment selector from the
SYSENTER_CS_MSR into the
CS register.
Loads the instruction pointer from the
SYSENTER_EIP_MSR into the
EIP register.
Adds 8 to the value in SYSENTER_CS_MSR and
loads it into the SS register.
Loads the stack pointer from the
SYSENTER_ESP_MSR into the
ESP register.
Switches to privilege level 0.
Clears the VM flag in the
EFLAGS register, if the flag is set.
Begins executing the selected system procedure.
In particular, note that this instruction des not save the values of
CS or (E)IP. If you
need to return to the calling code, you need to write your code to cater
for this.
For more information, see the Intel Architecture Software Developer's
Manual, Volume 2.
SYSEXIT executes a fast return to privilege
level 3 user code. This instruction is a companion instruction to the
SYSENTER instruction, and can only be executed by
privilege level 0 code. Various registers need to be set up before calling
this instruction:
SYSENTER_CS_MSR contains the 32-bit segment
selector for the privilege level 0 code segment in which the processor is
currently executing. (This value is used to compute the segment selectors
for the privilege level 3 code and stack segments.)
EDX contains the 32-bit offset into the
privilege level 3 code segment to the first instruction to be executed in
the user code.
ECX contains the 32-bit stack pointer for the
privilege level 3 stack.
SYSEXIT performs the following sequence of
operations:
Adds 16 to the value in SYSENTER_CS_MSR and
loads the sum into the CS selector register.
Loads the instruction pointer from the EDX
register into the EIP register.
Adds 24 to the value in SYSENTER_CS_MSR and
loads the sum into the SS selector register.
Loads the stack pointer from the ECX register
into the ESP register.
Switches to privilege level 3.
Begins executing the user code at the EIP
address.
For more information on the use of the
SYSENTER and SYSEXIT
instructions, see the Intel Architecture Software Developer's Manual,
Volume 2.
SYSRET is the return instruction used in
conjunction with the SYSCALL instruction to
provide fast entry/exit to an operating system.
The ECX register, which points to the next
sequential instruction after the corresponding
SYSCALL instruction, is copied into the
EIP register.
Bits [63-48] of the STAR register specify the
selector that is copied into the CS register.
Bits [63-48]+1000b of the STAR register
specify the selector that is copied into the SS
register.
Bits [1-0] of the SS register are set to 11b
(RPL of 3) regardless of the value of bits [49-48] of the
STAR register.
The CS and SS
registers should not be modified by the operating system between the
execution of the SYSCALL instruction and its
corresponding SYSRET instruction.
For more information, see the
SYSCALL and SYSRET Instruction Specification (AMD
document number 21086.pdf).
TEST r/m8,reg8 ; 84 /r [8086]
TEST r/m16,reg16 ; o16 85 /r [8086]
TEST r/m32,reg32 ; o32 85 /r [386]
TEST r/m8,imm8 ; F6 /0 ib [8086]
TEST r/m16,imm16 ; o16 F7 /0 iw [8086]
TEST r/m32,imm32 ; o32 F7 /0 id [386]
TEST AL,imm8 ; A8 ib [8086]
TEST AX,imm16 ; o16 A9 iw [8086]
TEST EAX,imm32 ; o32 A9 id [386]
TEST performs a `mental' bitwise AND of its
two operands, and affects the flags as if the operation had taken place,
but does not store the result of the operation anywhere.
UCOMISD xmm1,xmm2/m128 ; 66 0F 2E /r [WILLAMETTE,SSE2]
UCOMISD compares the low-order
double-precision FP numbers in the two operands, and sets the
ZF, PF and
CF bits in the EFLAGS
register. In addition, the OF,
SF and AF bits in the
EFLAGS register are zeroed out. The unordered
predicate (ZF, PF and
CF all set) is returned if either source operand
is a NaN (qNaN or
sNaN).
UCOMISS compares the low-order
single-precision FP numbers in the two operands, and sets the
ZF, PF and
CF bits in the EFLAGS
register. In addition, the OF,
SF and AF bits in the
EFLAGS register are zeroed out. The unordered
predicate (ZF, PF and
CF all set) is returned if either source operand
is a NaN (qNaN or
sNaN).
UDx can be used to generate an invalid opcode
exception, for testing purposes.
UD0 is specifically documented by AMD as being
reserved for this purpose.
UD1 is documented by Intel as being available
for this purpose.
UD2 is specifically documented by Intel as
being reserved for this purpose. Intel document this as the preferred
method of generating an invalid opcode exception.
All these opcodes can be used to generate invalid opcode exceptions on
all currently available processors.
This undocumented instruction is used by in-circuit emulators to access
user memory (as opposed to host memory). It is used just like an ordinary
memory/register or register/register MOV
instruction, but accesses user space.
This instruction is only available on some AMD and IBM 386 and 486
processors.
UNPCKHPD performs an interleaved unpack of the
high-order data elements of the source and destination operands, saving the
result in xmm1. It ignores the lower half of the
sources.
UNPCKHPS performs an interleaved unpack of the
high-order data elements of the source and destination operands, saving the
result in xmm1. It ignores the lower half of the
sources.
UNPCKLPD performs an interleaved unpack of the
low-order data elements of the source and destination operands, saving the
result in xmm1. It ignores the lower half of the
sources.
UNPCKLPS performs an interleaved unpack of the
low-order data elements of the source and destination operands, saving the
result in xmm1. It ignores the lower half of the
sources.
VERR sets the zero flag if the segment
specified by the selector in its operand can be read from at the current
privilege level. Otherwise it is cleared.
VERW sets the zero flag if the segment can be
written.
WAIT, on 8086 systems with a separate 8087
FPU, waits for the FPU to have finished any operation it is engaged in
before continuing main processor operations, so that (for example) an FPU
store to main memory can be guaranteed to have completed before the CPU
tries to read the result back out.
On higher processors, WAIT is unnecessary for
this purpose, and it has the alternative purpose of ensuring that any
pending unmasked FPU exceptions have happened before execution continues.
WBINVD invalidates and empties the processor's
internal caches, and causes the processor to instruct external caches to do
the same. It writes the contents of the caches back to memory first, so no
data is lost. To flush the caches quickly without bothering to write the
data back first, use INVD
(section B.4.125).
XADD exchanges the values in its two operands,
and then adds them together and writes the result into the destination
(first) operand. This instruction can be used with a
LOCK prefix for multi-processor synchronisation
purposes.
Writes a bit string from the source operand to the destination.
CL indicates the number of bits to be copied, and
(E)AX indicates the low order bit offset in the
source. The bits are written to the low order bits of the destination
register. For example, if CL is set to 4 and
AX (for 16-bit code) is set to 5, bits 5-8 of
src will be copied to bits 0-3 of
dst. This instruction is very poorly documented,
and I have been unable to find any official source of documentation on it.
XBTS is supported only on the early Intel
386s, and conflicts with the opcodes for
CMPXCHG486 (on early Intel 486s). NASM supports
it only for completeness. Its counterpart is IBTS
(see section B.4.116).
XLATB adds the value in
AL, treated as an unsigned byte, to
BX or EBX, and loads
the byte from the resulting address (in the segment specified by
DS) back into AL.
The base register used is BX if the address
size is 16 bits, and EBX if it is 32 bits. If you
need to use an address size not equal to the current
BITS setting, you can use an explicit
a16 or a32 prefix.
The segment register used to load from [BX+AL]
or [EBX+AL] can be overridden by using a segment
register name as a prefix (for example,
es xlatb).
XOR performs a bitwise XOR operation between
its two operands (i.e. each bit of the result is 1 if and only if exactly
one of the corresponding bits of the two inputs was 1), and stores the
result in the destination (first) operand.
In the forms with an 8-bit immediate second operand and a longer first
operand, the second operand is considered to be signed, and is
sign-extended to the length of the first operand. In these cases, the
BYTE qualifier is necessary to force NASM to
generate this form of the instruction.
The MMX instruction
PXOR (see section
B.4.266) performs the same operation on the 64-bit
MMX registers.