podman

1
// Copyright 2014 The Go Authors.  All rights reserved.
2
// Use of this source code is governed by a BSD-style
3
// license that can be found in the LICENSE file.
4

5
// Table-driven decoding of x86 instructions.
6

7
package x86asm
8

9
import (
10
	"encoding/binary"
11
	"errors"
12
	"fmt"
13
	"runtime"
14
)
15

16
// Set trace to true to cause the decoder to print the PC sequence
17
// of the executed instruction codes. This is typically only useful
18
// when you are running a test of a single input case.
19
const trace = false
20

21
// A decodeOp is a single instruction in the decoder bytecode program.
22
//
23
// The decodeOps correspond to consuming and conditionally branching
24
// on input bytes, consuming additional fields, and then interpreting
25
// consumed data as instruction arguments. The names of the xRead and xArg
26
// operations are taken from the Intel manual conventions, for example
27
// Volume 2, Section 3.1.1, page 487 of
28
// http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf
29
//
30
// The actual decoding program is generated by ../x86map.
31
//
32
// TODO(rsc): We may be able to merge various of the memory operands
33
// since we don't care about, say, the distinction between m80dec and m80bcd.
34
// Similarly, mm and mm1 have identical meaning, as do xmm and xmm1.
35

36
type decodeOp uint16
37

38
const (
39
	xFail  decodeOp = iota // invalid instruction (return)
40
	xMatch                 // completed match
41
	xJump                  // jump to pc
42

43
	xCondByte     // switch on instruction byte value
44
	xCondSlashR   // read and switch on instruction /r value
45
	xCondPrefix   // switch on presence of instruction prefix
46
	xCondIs64     // switch on 64-bit processor mode
47
	xCondDataSize // switch on operand size
48
	xCondAddrSize // switch on address size
49
	xCondIsMem    // switch on memory vs register argument
50

51
	xSetOp // set instruction opcode
52

53
	xReadSlashR // read /r
54
	xReadIb     // read ib
55
	xReadIw     // read iw
56
	xReadId     // read id
57
	xReadIo     // read io
58
	xReadCb     // read cb
59
	xReadCw     // read cw
60
	xReadCd     // read cd
61
	xReadCp     // read cp
62
	xReadCm     // read cm
63

64
	xArg1            // arg 1
65
	xArg3            // arg 3
66
	xArgAL           // arg AL
67
	xArgAX           // arg AX
68
	xArgCL           // arg CL
69
	xArgCR0dashCR7   // arg CR0-CR7
70
	xArgCS           // arg CS
71
	xArgDR0dashDR7   // arg DR0-DR7
72
	xArgDS           // arg DS
73
	xArgDX           // arg DX
74
	xArgEAX          // arg EAX
75
	xArgEDX          // arg EDX
76
	xArgES           // arg ES
77
	xArgFS           // arg FS
78
	xArgGS           // arg GS
79
	xArgImm16        // arg imm16
80
	xArgImm32        // arg imm32
81
	xArgImm64        // arg imm64
82
	xArgImm8         // arg imm8
83
	xArgImm8u        // arg imm8 but record as unsigned
84
	xArgImm16u       // arg imm8 but record as unsigned
85
	xArgM            // arg m
86
	xArgM128         // arg m128
87
	xArgM256         // arg m256
88
	xArgM1428byte    // arg m14/28byte
89
	xArgM16          // arg m16
90
	xArgM16and16     // arg m16&16
91
	xArgM16and32     // arg m16&32
92
	xArgM16and64     // arg m16&64
93
	xArgM16colon16   // arg m16:16
94
	xArgM16colon32   // arg m16:32
95
	xArgM16colon64   // arg m16:64
96
	xArgM16int       // arg m16int
97
	xArgM2byte       // arg m2byte
98
	xArgM32          // arg m32
99
	xArgM32and32     // arg m32&32
100
	xArgM32fp        // arg m32fp
101
	xArgM32int       // arg m32int
102
	xArgM512byte     // arg m512byte
103
	xArgM64          // arg m64
104
	xArgM64fp        // arg m64fp
105
	xArgM64int       // arg m64int
106
	xArgM8           // arg m8
107
	xArgM80bcd       // arg m80bcd
108
	xArgM80dec       // arg m80dec
109
	xArgM80fp        // arg m80fp
110
	xArgM94108byte   // arg m94/108byte
111
	xArgMm           // arg mm
112
	xArgMm1          // arg mm1
113
	xArgMm2          // arg mm2
114
	xArgMm2M64       // arg mm2/m64
115
	xArgMmM32        // arg mm/m32
116
	xArgMmM64        // arg mm/m64
117
	xArgMem          // arg mem
118
	xArgMoffs16      // arg moffs16
119
	xArgMoffs32      // arg moffs32
120
	xArgMoffs64      // arg moffs64
121
	xArgMoffs8       // arg moffs8
122
	xArgPtr16colon16 // arg ptr16:16
123
	xArgPtr16colon32 // arg ptr16:32
124
	xArgR16          // arg r16
125
	xArgR16op        // arg r16 with +rw in opcode
126
	xArgR32          // arg r32
127
	xArgR32M16       // arg r32/m16
128
	xArgR32M8        // arg r32/m8
129
	xArgR32op        // arg r32 with +rd in opcode
130
	xArgR64          // arg r64
131
	xArgR64M16       // arg r64/m16
132
	xArgR64op        // arg r64 with +rd in opcode
133
	xArgR8           // arg r8
134
	xArgR8op         // arg r8 with +rb in opcode
135
	xArgRAX          // arg RAX
136
	xArgRDX          // arg RDX
137
	xArgRM           // arg r/m
138
	xArgRM16         // arg r/m16
139
	xArgRM32         // arg r/m32
140
	xArgRM64         // arg r/m64
141
	xArgRM8          // arg r/m8
142
	xArgReg          // arg reg
143
	xArgRegM16       // arg reg/m16
144
	xArgRegM32       // arg reg/m32
145
	xArgRegM8        // arg reg/m8
146
	xArgRel16        // arg rel16
147
	xArgRel32        // arg rel32
148
	xArgRel8         // arg rel8
149
	xArgSS           // arg SS
150
	xArgST           // arg ST, aka ST(0)
151
	xArgSTi          // arg ST(i) with +i in opcode
152
	xArgSreg         // arg Sreg
153
	xArgTR0dashTR7   // arg TR0-TR7
154
	xArgXmm          // arg xmm
155
	xArgXMM0         // arg <XMM0>
156
	xArgXmm1         // arg xmm1
157
	xArgXmm2         // arg xmm2
158
	xArgXmm2M128     // arg xmm2/m128
159
	xArgYmm2M256     // arg ymm2/m256
160
	xArgXmm2M16      // arg xmm2/m16
161
	xArgXmm2M32      // arg xmm2/m32
162
	xArgXmm2M64      // arg xmm2/m64
163
	xArgXmmM128      // arg xmm/m128
164
	xArgXmmM32       // arg xmm/m32
165
	xArgXmmM64       // arg xmm/m64
166
	xArgYmm1         // arg ymm1
167
	xArgRmf16        // arg r/m16 but force mod=3
168
	xArgRmf32        // arg r/m32 but force mod=3
169
	xArgRmf64        // arg r/m64 but force mod=3
170
)
171

172
// instPrefix returns an Inst describing just one prefix byte.
173
// It is only used if there is a prefix followed by an unintelligible
174
// or invalid instruction byte sequence.
175
func instPrefix(b byte, mode int) (Inst, error) {
176
	// When tracing it is useful to see what called instPrefix to report an error.
177
	if trace {
178
		_, file, line, _ := runtime.Caller(1)
179
		fmt.Printf("%s:%d\n", file, line)
180
	}
181
	p := Prefix(b)
182
	switch p {
183
	case PrefixDataSize:
184
		if mode == 16 {
185
			p = PrefixData32
186
		} else {
187
			p = PrefixData16
188
		}
189
	case PrefixAddrSize:
190
		if mode == 32 {
191
			p = PrefixAddr16
192
		} else {
193
			p = PrefixAddr32
194
		}
195
	}
196
	// Note: using composite literal with Prefix key confuses 'bundle' tool.
197
	inst := Inst{Len: 1}
198
	inst.Prefix = Prefixes{p}
199
	return inst, nil
200
}
201

202
// truncated reports a truncated instruction.
203
// For now we use instPrefix but perhaps later we will return
204
// a specific error here.
205
func truncated(src []byte, mode int) (Inst, error) {
206
	if len(src) == 0 {
207
		return Inst{}, ErrTruncated
208
	}
209
	return instPrefix(src[0], mode) // too long
210
}
211

212
// These are the errors returned by Decode.
213
var (
214
	ErrInvalidMode  = errors.New("invalid x86 mode in Decode")
215
	ErrTruncated    = errors.New("truncated instruction")
216
	ErrUnrecognized = errors.New("unrecognized instruction")
217
)
218

219
// decoderCover records coverage information for which parts
220
// of the byte code have been executed.
221
var decoderCover []bool
222

223
// Decode decodes the leading bytes in src as a single instruction.
224
// The mode arguments specifies the assumed processor mode:
225
// 16, 32, or 64 for 16-, 32-, and 64-bit execution modes.
226
func Decode(src []byte, mode int) (inst Inst, err error) {
227
	return decode1(src, mode, false)
228
}
229

230
// decode1 is the implementation of Decode but takes an extra
231
// gnuCompat flag to cause it to change its behavior to mimic
232
// bugs (or at least unique features) of GNU libopcodes as used
233
// by objdump. We don't believe that logic is the right thing to do
234
// in general, but when testing against libopcodes it simplifies the
235
// comparison if we adjust a few small pieces of logic.
236
// The affected logic is in the conditional branch for "mandatory" prefixes,
237
// case xCondPrefix.
238
func decode1(src []byte, mode int, gnuCompat bool) (Inst, error) {
239
	switch mode {
240
	case 16, 32, 64:
241
		// ok
242
		// TODO(rsc): 64-bit mode not tested, probably not working.
243
	default:
244
		return Inst{}, ErrInvalidMode
245
	}
246

247
	// Maximum instruction size is 15 bytes.
248
	// If we need to read more, return 'truncated instruction.
249
	if len(src) > 15 {
250
		src = src[:15]
251
	}
252

253
	var (
254
		// prefix decoding information
255
		pos           = 0    // position reading src
256
		nprefix       = 0    // number of prefixes
257
		lockIndex     = -1   // index of LOCK prefix in src and inst.Prefix
258
		repIndex      = -1   // index of REP/REPN prefix in src and inst.Prefix
259
		segIndex      = -1   // index of Group 2 prefix in src and inst.Prefix
260
		dataSizeIndex = -1   // index of Group 3 prefix in src and inst.Prefix
261
		addrSizeIndex = -1   // index of Group 4 prefix in src and inst.Prefix
262
		rex           Prefix // rex byte if present (or 0)
263
		rexUsed       Prefix // bits used in rex byte
264
		rexIndex      = -1   // index of rex byte
265
		vex           Prefix // use vex encoding
266
		vexIndex      = -1   // index of vex prefix
267

268
		addrMode = mode // address mode (width in bits)
269
		dataMode = mode // operand mode (width in bits)
270

271
		// decoded ModR/M fields
272
		haveModrm bool
273
		modrm     int
274
		mod       int
275
		regop     int
276
		rm        int
277

278
		// if ModR/M is memory reference, Mem form
279
		mem     Mem
280
		haveMem bool
281

282
		// decoded SIB fields
283
		haveSIB bool
284
		sib     int
285
		scale   int
286
		index   int
287
		base    int
288
		displen int
289
		dispoff int
290

291
		// decoded immediate values
292
		imm     int64
293
		imm8    int8
294
		immc    int64
295
		immcpos int
296

297
		// output
298
		opshift int
299
		inst    Inst
300
		narg    int // number of arguments written to inst
301
	)
302

303
	if mode == 64 {
304
		dataMode = 32
305
	}
306

307
	// Prefixes are certainly the most complex and underspecified part of
308
	// decoding x86 instructions. Although the manuals say things like
309
	// up to four prefixes, one from each group, nearly everyone seems to
310
	// agree that in practice as many prefixes as possible, including multiple
311
	// from a particular group or repetitions of a given prefix, can be used on
312
	// an instruction, provided the total instruction length including prefixes
313
	// does not exceed the agreed-upon maximum of 15 bytes.
314
	// Everyone also agrees that if one of these prefixes is the LOCK prefix
315
	// and the instruction is not one of the instructions that can be used with
316
	// the LOCK prefix or if the destination is not a memory operand,
317
	// then the instruction is invalid and produces the #UD exception.
318
	// However, that is the end of any semblance of agreement.
319
	//
320
	// What happens if prefixes are given that conflict with other prefixes?
321
	// For example, the memory segment overrides CS, DS, ES, FS, GS, SS
322
	// conflict with each other: only one segment can be in effect.
323
	// Disassemblers seem to agree that later prefixes take priority over
324
	// earlier ones. I have not taken the time to write assembly programs
325
	// to check to see if the hardware agrees.
326
	//
327
	// What happens if prefixes are given that have no meaning for the
328
	// specific instruction to which they are attached? It depends.
329
	// If they really have no meaning, they are ignored. However, a future
330
	// processor may assign a different meaning. As a disassembler, we
331
	// don't really know whether we're seeing a meaningless prefix or one
332
	// whose meaning we simply haven't been told yet.
333
	//
334
	// Combining the two questions, what happens when conflicting
335
	// extension prefixes are given? No one seems to know for sure.
336
	// For example, MOVQ is 66 0F D6 /r, MOVDQ2Q is F2 0F D6 /r,
337
	// and MOVQ2DQ is F3 0F D6 /r. What is '66 F2 F3 0F D6 /r'?
338
	// Which prefix wins? See the xCondPrefix prefix for more.
339
	//
340
	// Writing assembly test cases to divine which interpretation the
341
	// CPU uses might clarify the situation, but more likely it would
342
	// make the situation even less clear.
343

344
	// Read non-REX prefixes.
345
ReadPrefixes:
346
	for ; pos < len(src); pos++ {
347
		p := Prefix(src[pos])
348
		switch p {
349
		default:
350
			nprefix = pos
351
			break ReadPrefixes
352

353
		// Group 1 - lock and repeat prefixes
354
		// According to Intel, there should only be one from this set,
355
		// but according to AMD both can be present.
356
		case 0xF0:
357
			if lockIndex >= 0 {
358
				inst.Prefix[lockIndex] |= PrefixIgnored
359
			}
360
			lockIndex = pos
361
		case 0xF2, 0xF3:
362
			if repIndex >= 0 {
363
				inst.Prefix[repIndex] |= PrefixIgnored
364
			}
365
			repIndex = pos
366

367
		// Group 2 - segment override / branch hints
368
		case 0x26, 0x2E, 0x36, 0x3E:
369
			if mode == 64 {
370
				p |= PrefixIgnored
371
				break
372
			}
373
			fallthrough
374
		case 0x64, 0x65:
375
			if segIndex >= 0 {
376
				inst.Prefix[segIndex] |= PrefixIgnored
377
			}
378
			segIndex = pos
379

380
		// Group 3 - operand size override
381
		case 0x66:
382
			if mode == 16 {
383
				dataMode = 32
384
				p = PrefixData32
385
			} else {
386
				dataMode = 16
387
				p = PrefixData16
388
			}
389
			if dataSizeIndex >= 0 {
390
				inst.Prefix[dataSizeIndex] |= PrefixIgnored
391
			}
392
			dataSizeIndex = pos
393

394
		// Group 4 - address size override
395
		case 0x67:
396
			if mode == 32 {
397
				addrMode = 16
398
				p = PrefixAddr16
399
			} else {
400
				addrMode = 32
401
				p = PrefixAddr32
402
			}
403
			if addrSizeIndex >= 0 {
404
				inst.Prefix[addrSizeIndex] |= PrefixIgnored
405
			}
406
			addrSizeIndex = pos
407

408
		//Group 5 - Vex encoding
409
		case 0xC5:
410
			if pos == 0 && pos+1 < len(src) && (mode == 64 || (mode == 32 && src[pos+1]&0xc0 == 0xc0)) {
411
				vex = p
412
				vexIndex = pos
413
				inst.Prefix[pos] = p
414
				inst.Prefix[pos+1] = Prefix(src[pos+1])
415
				pos += 1
416
				continue
417
			} else {
418
				nprefix = pos
419
				break ReadPrefixes
420
			}
421
		case 0xC4:
422
			if pos == 0 && pos+2 < len(src) && (mode == 64 || (mode == 32 && src[pos+1]&0xc0 == 0xc0)) {
423
				vex = p
424
				vexIndex = pos
425
				inst.Prefix[pos] = p
426
				inst.Prefix[pos+1] = Prefix(src[pos+1])
427
				inst.Prefix[pos+2] = Prefix(src[pos+2])
428
				pos += 2
429
				continue
430
			} else {
431
				nprefix = pos
432
				break ReadPrefixes
433
			}
434
		}
435

436
		if pos >= len(inst.Prefix) {
437
			return instPrefix(src[0], mode) // too long
438
		}
439

440
		inst.Prefix[pos] = p
441
	}
442

443
	// Read REX prefix.
444
	if pos < len(src) && mode == 64 && Prefix(src[pos]).IsREX() && vex == 0 {
445
		rex = Prefix(src[pos])
446
		rexIndex = pos
447
		if pos >= len(inst.Prefix) {
448
			return instPrefix(src[0], mode) // too long
449
		}
450
		inst.Prefix[pos] = rex
451
		pos++
452
		if rex&PrefixREXW != 0 {
453
			dataMode = 64
454
			if dataSizeIndex >= 0 {
455
				inst.Prefix[dataSizeIndex] |= PrefixIgnored
456
			}
457
		}
458
	}
459

460
	// Decode instruction stream, interpreting decoding instructions.
461
	// opshift gives the shift to use when saving the next
462
	// opcode byte into inst.Opcode.
463
	opshift = 24
464

465
	// Decode loop, executing decoder program.
466
	var oldPC, prevPC int
467
Decode:
468
	for pc := 1; ; { // TODO uint
469
		oldPC = prevPC
470
		prevPC = pc
471
		if trace {
472
			println("run", pc)
473
		}
474
		x := decoder[pc]
475
		if decoderCover != nil {
476
			decoderCover[pc] = true
477
		}
478
		pc++
479

480
		// Read and decode ModR/M if needed by opcode.
481
		switch decodeOp(x) {
482
		case xCondSlashR, xReadSlashR:
483
			if haveModrm {
484
				return Inst{Len: pos}, errInternal
485
			}
486
			haveModrm = true
487
			if pos >= len(src) {
488
				return truncated(src, mode)
489
			}
490
			modrm = int(src[pos])
491
			pos++
492
			if opshift >= 0 {
493
				inst.Opcode |= uint32(modrm) << uint(opshift)
494
				opshift -= 8
495
			}
496
			mod = modrm >> 6
497
			regop = (modrm >> 3) & 07
498
			rm = modrm & 07
499
			if rex&PrefixREXR != 0 {
500
				rexUsed |= PrefixREXR
501
				regop |= 8
502
			}
503
			if addrMode == 16 {
504
				// 16-bit modrm form
505
				if mod != 3 {
506
					haveMem = true
507
					mem = addr16[rm]
508
					if rm == 6 && mod == 0 {
509
						mem.Base = 0
510
					}
511

512
					// Consume disp16 if present.
513
					if mod == 0 && rm == 6 || mod == 2 {
514
						if pos+2 > len(src) {
515
							return truncated(src, mode)
516
						}
517
						mem.Disp = int64(binary.LittleEndian.Uint16(src[pos:]))
518
						pos += 2
519
					}
520

521
					// Consume disp8 if present.
522
					if mod == 1 {
523
						if pos >= len(src) {
524
							return truncated(src, mode)
525
						}
526
						mem.Disp = int64(int8(src[pos]))
527
						pos++
528
					}
529
				}
530
			} else {
531
				haveMem = mod != 3
532

533
				// 32-bit or 64-bit form
534
				// Consume SIB encoding if present.
535
				if rm == 4 && mod != 3 {
536
					haveSIB = true
537
					if pos >= len(src) {
538
						return truncated(src, mode)
539
					}
540
					sib = int(src[pos])
541
					pos++
542
					if opshift >= 0 {
543
						inst.Opcode |= uint32(sib) << uint(opshift)
544
						opshift -= 8
545
					}
546
					scale = sib >> 6
547
					index = (sib >> 3) & 07
548
					base = sib & 07
549
					if rex&PrefixREXB != 0 || vex == 0xC4 && inst.Prefix[vexIndex+1]&0x20 == 0 {
550
						rexUsed |= PrefixREXB
551
						base |= 8
552
					}
553
					if rex&PrefixREXX != 0 || vex == 0xC4 && inst.Prefix[vexIndex+1]&0x40 == 0 {
554
						rexUsed |= PrefixREXX
555
						index |= 8
556
					}
557

558
					mem.Scale = 1 << uint(scale)
559
					if index == 4 {
560
						// no mem.Index
561
					} else {
562
						mem.Index = baseRegForBits(addrMode) + Reg(index)
563
					}
564
					if base&7 == 5 && mod == 0 {
565
						// no mem.Base
566
					} else {
567
						mem.Base = baseRegForBits(addrMode) + Reg(base)
568
					}
569
				} else {
570
					if rex&PrefixREXB != 0 {
571
						rexUsed |= PrefixREXB
572
						rm |= 8
573
					}
574
					if mod == 0 && rm&7 == 5 || rm&7 == 4 {
575
						// base omitted
576
					} else if mod != 3 {
577
						mem.Base = baseRegForBits(addrMode) + Reg(rm)
578
					}
579
				}
580

581
				// Consume disp32 if present.
582
				if mod == 0 && (rm&7 == 5 || haveSIB && base&7 == 5) || mod == 2 {
583
					if pos+4 > len(src) {
584
						return truncated(src, mode)
585
					}
586
					dispoff = pos
587
					displen = 4
588
					mem.Disp = int64(binary.LittleEndian.Uint32(src[pos:]))
589
					pos += 4
590
				}
591

592
				// Consume disp8 if present.
593
				if mod == 1 {
594
					if pos >= len(src) {
595
						return truncated(src, mode)
596
					}
597
					dispoff = pos
598
					displen = 1
599
					mem.Disp = int64(int8(src[pos]))
600
					pos++
601
				}
602

603
				// In 64-bit, mod=0 rm=5 is PC-relative instead of just disp.
604
				// See Vol 2A. Table 2-7.
605
				if mode == 64 && mod == 0 && rm&7 == 5 {
606
					if addrMode == 32 {
607
						mem.Base = EIP
608
					} else {
609
						mem.Base = RIP
610
					}
611
				}
612
			}
613

614
			if segIndex >= 0 {
615
				mem.Segment = prefixToSegment(inst.Prefix[segIndex])
616
			}
617
		}
618

619
		// Execute single opcode.
620
		switch decodeOp(x) {
621
		default:
622
			println("bad op", x, "at", pc-1, "from", oldPC)
623
			return Inst{Len: pos}, errInternal
624

625
		case xFail:
626
			inst.Op = 0
627
			break Decode
628

629
		case xMatch:
630
			break Decode
631

632
		case xJump:
633
			pc = int(decoder[pc])
634

635
		// Conditional branches.
636

637
		case xCondByte:
638
			if pos >= len(src) {
639
				return truncated(src, mode)
640
			}
641
			b := src[pos]
642
			n := int(decoder[pc])
643
			pc++
644
			for i := 0; i < n; i++ {
645
				xb, xpc := decoder[pc], int(decoder[pc+1])
646
				pc += 2
647
				if b == byte(xb) {
648
					pc = xpc
649
					pos++
650
					if opshift >= 0 {
651
						inst.Opcode |= uint32(b) << uint(opshift)
652
						opshift -= 8
653
					}
654
					continue Decode
655
				}
656
			}
657
			// xCondByte is the only conditional with a fall through,
658
			// so that it can be used to pick off special cases before
659
			// an xCondSlash. If the fallthrough instruction is xFail,
660
			// advance the position so that the decoded instruction
661
			// size includes the byte we just compared against.
662
			if decodeOp(decoder[pc]) == xJump {
663
				pc = int(decoder[pc+1])
664
			}
665
			if decodeOp(decoder[pc]) == xFail {
666
				pos++
667
			}
668

669
		case xCondIs64:
670
			if mode == 64 {
671
				pc = int(decoder[pc+1])
672
			} else {
673
				pc = int(decoder[pc])
674
			}
675

676
		case xCondIsMem:
677
			mem := haveMem
678
			if !haveModrm {
679
				if pos >= len(src) {
680
					return instPrefix(src[0], mode) // too long
681
				}
682
				mem = src[pos]>>6 != 3
683
			}
684
			if mem {
685
				pc = int(decoder[pc+1])
686
			} else {
687
				pc = int(decoder[pc])
688
			}
689

690
		case xCondDataSize:
691
			switch dataMode {
692
			case 16:
693
				if dataSizeIndex >= 0 {
694
					inst.Prefix[dataSizeIndex] |= PrefixImplicit
695
				}
696
				pc = int(decoder[pc])
697
			case 32:
698
				if dataSizeIndex >= 0 {
699
					inst.Prefix[dataSizeIndex] |= PrefixImplicit
700
				}
701
				pc = int(decoder[pc+1])
702
			case 64:
703
				rexUsed |= PrefixREXW
704
				pc = int(decoder[pc+2])
705
			}
706

707
		case xCondAddrSize:
708
			switch addrMode {
709
			case 16:
710
				if addrSizeIndex >= 0 {
711
					inst.Prefix[addrSizeIndex] |= PrefixImplicit
712
				}
713
				pc = int(decoder[pc])
714
			case 32:
715
				if addrSizeIndex >= 0 {
716
					inst.Prefix[addrSizeIndex] |= PrefixImplicit
717
				}
718
				pc = int(decoder[pc+1])
719
			case 64:
720
				pc = int(decoder[pc+2])
721
			}
722

723
		case xCondPrefix:
724
			// Conditional branch based on presence or absence of prefixes.
725
			// The conflict cases here are completely undocumented and
726
			// differ significantly between GNU libopcodes and Intel xed.
727
			// I have not written assembly code to divine what various CPUs
728
			// do, but it wouldn't surprise me if they are not consistent either.
729
			//
730
			// The basic idea is to switch on the presence of a prefix, so that
731
			// for example:
732
			//
733
			//	xCondPrefix, 4
734
			//	0xF3, 123,
735
			//	0xF2, 234,
736
			//	0x66, 345,
737
			//	0, 456
738
			//
739
			// branch to 123 if the F3 prefix is present, 234 if the F2 prefix
740
			// is present, 66 if the 345 prefix is present, and 456 otherwise.
741
			// The prefixes are given in descending order so that the 0 will be last.
742
			//
743
			// It is unclear what should happen if multiple conditions are
744
			// satisfied: what if F2 and F3 are both present, or if 66 and F2
745
			// are present, or if all three are present? The one chosen becomes
746
			// part of the opcode and the others do not. Perhaps the answer
747
			// depends on the specific opcodes in question.
748
			//
749
			// The only clear example is that CRC32 is F2 0F 38 F1 /r, and
750
			// it comes in 16-bit and 32-bit forms based on the 66 prefix,
751
			// so 66 F2 0F 38 F1 /r should be treated as F2 taking priority,
752
			// with the 66 being only an operand size override, and probably
753
			// F2 66 0F 38 F1 /r should be treated the same.
754
			// Perhaps that rule is specific to the case of CRC32, since no
755
			// 66 0F 38 F1 instruction is defined (today) (that we know of).
756
			// However, both libopcodes and xed seem to generalize this
757
			// example and choose F2/F3 in preference to 66, and we
758
			// do the same.
759
			//
760
			// Next, what if both F2 and F3 are present? Which wins?
761
			// The Intel xed rule, and ours, is that the one that occurs last wins.
762
			// The GNU libopcodes rule, which we implement only in gnuCompat mode,
763
			// is that F3 beats F2 unless F3 has no special meaning, in which
764
			// case F3 can be a modified on an F2 special meaning.
765
			//
766
			// Concretely,
767
			//	66 0F D6 /r is MOVQ
768
			//	F2 0F D6 /r is MOVDQ2Q
769
			//	F3 0F D6 /r is MOVQ2DQ.
770
			//
771
			//	F2 66 0F D6 /r is 66 + MOVDQ2Q always.
772
			//	66 F2 0F D6 /r is 66 + MOVDQ2Q always.
773
			//	F3 66 0F D6 /r is 66 + MOVQ2DQ always.
774
			//	66 F3 0F D6 /r is 66 + MOVQ2DQ always.
775
			//	F2 F3 0F D6 /r is F2 + MOVQ2DQ always.
776
			//	F3 F2 0F D6 /r is F3 + MOVQ2DQ in Intel xed, but F2 + MOVQ2DQ in GNU libopcodes.
777
			//	Adding 66 anywhere in the prefix section of the
778
			//	last two cases does not change the outcome.
779
			//
780
			// Finally, what if there is a variant in which 66 is a mandatory
781
			// prefix rather than an operand size override, but we know of
782
			// no corresponding F2/F3 form, and we see both F2/F3 and 66.
783
			// Does F2/F3 still take priority, so that the result is an unknown
784
			// instruction, or does the 66 take priority, so that the extended
785
			// 66 instruction should be interpreted as having a REP/REPN prefix?
786
			// Intel xed does the former and GNU libopcodes does the latter.
787
			// We side with Intel xed, unless we are trying to match libopcodes
788
			// more closely during the comparison-based test suite.
789
			//
790
			// In 64-bit mode REX.W is another valid prefix to test for, but
791
			// there is less ambiguity about that. When present, REX.W is
792
			// always the first entry in the table.
793
			n := int(decoder[pc])
794
			pc++
795
			sawF3 := false
796
			for j := 0; j < n; j++ {
797
				prefix := Prefix(decoder[pc+2*j])
798
				if prefix.IsREX() {
799
					rexUsed |= prefix
800
					if rex&prefix == prefix {
801
						pc = int(decoder[pc+2*j+1])
802
						continue Decode
803
					}
804
					continue
805
				}
806
				ok := false
807
				if prefix == 0 {
808
					ok = true
809
				} else if prefix.IsREX() {
810
					rexUsed |= prefix
811
					if rex&prefix == prefix {
812
						ok = true
813
					}
814
				} else if prefix == 0xC5 || prefix == 0xC4 {
815
					if vex == prefix {
816
						ok = true
817
					}
818
				} else if vex != 0 && (prefix == 0x0F || prefix == 0x0F38 || prefix == 0x0F3A ||
819
					prefix == 0x66 || prefix == 0xF2 || prefix == 0xF3) {
820
					var vexM, vexP Prefix
821
					if vex == 0xC5 {
822
						vexM = 1 // 2 byte vex always implies 0F
823
						vexP = inst.Prefix[vexIndex+1]
824
					} else {
825
						vexM = inst.Prefix[vexIndex+1]
826
						vexP = inst.Prefix[vexIndex+2]
827
					}
828
					switch prefix {
829
					case 0x66:
830
						ok = vexP&3 == 1
831
					case 0xF3:
832
						ok = vexP&3 == 2
833
					case 0xF2:
834
						ok = vexP&3 == 3
835
					case 0x0F:
836
						ok = vexM&3 == 1
837
					case 0x0F38:
838
						ok = vexM&3 == 2
839
					case 0x0F3A:
840
						ok = vexM&3 == 3
841
					}
842
				} else {
843
					if prefix == 0xF3 {
844
						sawF3 = true
845
					}
846
					switch prefix {
847
					case PrefixLOCK:
848
						if lockIndex >= 0 {
849
							inst.Prefix[lockIndex] |= PrefixImplicit
850
							ok = true
851
						}
852
					case PrefixREP, PrefixREPN:
853
						if repIndex >= 0 && inst.Prefix[repIndex]&0xFF == prefix {
854
							inst.Prefix[repIndex] |= PrefixImplicit
855
							ok = true
856
						}
857
						if gnuCompat && !ok && prefix == 0xF3 && repIndex >= 0 && (j+1 >= n || decoder[pc+2*(j+1)] != 0xF2) {
858
							// Check to see if earlier prefix F3 is present.
859
							for i := repIndex - 1; i >= 0; i-- {
860
								if inst.Prefix[i]&0xFF == prefix {
861
									inst.Prefix[i] |= PrefixImplicit
862
									ok = true
863
								}
864
							}
865
						}
866
						if gnuCompat && !ok && prefix == 0xF2 && repIndex >= 0 && !sawF3 && inst.Prefix[repIndex]&0xFF == 0xF3 {
867
							// Check to see if earlier prefix F2 is present.
868
							for i := repIndex - 1; i >= 0; i-- {
869
								if inst.Prefix[i]&0xFF == prefix {
870
									inst.Prefix[i] |= PrefixImplicit
871
									ok = true
872
								}
873
							}
874
						}
875
					case PrefixCS, PrefixDS, PrefixES, PrefixFS, PrefixGS, PrefixSS:
876
						if segIndex >= 0 && inst.Prefix[segIndex]&0xFF == prefix {
877
							inst.Prefix[segIndex] |= PrefixImplicit
878
							ok = true
879
						}
880
					case PrefixDataSize:
881
						// Looking for 66 mandatory prefix.
882
						// The F2/F3 mandatory prefixes take priority when both are present.
883
						// If we got this far in the xCondPrefix table and an F2/F3 is present,
884
						// it means the table didn't have any entry for that prefix. But if 66 has
885
						// special meaning, perhaps F2/F3 have special meaning that we don't know.
886
						// Intel xed works this way, treating the F2/F3 as inhibiting the 66.
887
						// GNU libopcodes allows the 66 to match. We do what Intel xed does
888
						// except in gnuCompat mode.
889
						if repIndex >= 0 && !gnuCompat {
890
							inst.Op = 0
891
							break Decode
892
						}
893
						if dataSizeIndex >= 0 {
894
							inst.Prefix[dataSizeIndex] |= PrefixImplicit
895
							ok = true
896
						}
897
					case PrefixAddrSize:
898
						if addrSizeIndex >= 0 {
899
							inst.Prefix[addrSizeIndex] |= PrefixImplicit
900
							ok = true
901
						}
902
					}
903
				}
904
				if ok {
905
					pc = int(decoder[pc+2*j+1])
906
					continue Decode
907
				}
908
			}
909
			inst.Op = 0
910
			break Decode
911

912
		case xCondSlashR:
913
			pc = int(decoder[pc+regop&7])
914

915
		// Input.
916

917
		case xReadSlashR:
918
			// done above
919

920
		case xReadIb:
921
			if pos >= len(src) {
922
				return truncated(src, mode)
923
			}
924
			imm8 = int8(src[pos])
925
			pos++
926

927
		case xReadIw:
928
			if pos+2 > len(src) {
929
				return truncated(src, mode)
930
			}
931
			imm = int64(binary.LittleEndian.Uint16(src[pos:]))
932
			pos += 2
933

934
		case xReadId:
935
			if pos+4 > len(src) {
936
				return truncated(src, mode)
937
			}
938
			imm = int64(binary.LittleEndian.Uint32(src[pos:]))
939
			pos += 4
940

941
		case xReadIo:
942
			if pos+8 > len(src) {
943
				return truncated(src, mode)
944
			}
945
			imm = int64(binary.LittleEndian.Uint64(src[pos:]))
946
			pos += 8
947

948
		case xReadCb:
949
			if pos >= len(src) {
950
				return truncated(src, mode)
951
			}
952
			immcpos = pos
953
			immc = int64(src[pos])
954
			pos++
955

956
		case xReadCw:
957
			if pos+2 > len(src) {
958
				return truncated(src, mode)
959
			}
960
			immcpos = pos
961
			immc = int64(binary.LittleEndian.Uint16(src[pos:]))
962
			pos += 2
963

964
		case xReadCm:
965
			immcpos = pos
966
			if addrMode == 16 {
967
				if pos+2 > len(src) {
968
					return truncated(src, mode)
969
				}
970
				immc = int64(binary.LittleEndian.Uint16(src[pos:]))
971
				pos += 2
972
			} else if addrMode == 32 {
973
				if pos+4 > len(src) {
974
					return truncated(src, mode)
975
				}
976
				immc = int64(binary.LittleEndian.Uint32(src[pos:]))
977
				pos += 4
978
			} else {
979
				if pos+8 > len(src) {
980
					return truncated(src, mode)
981
				}
982
				immc = int64(binary.LittleEndian.Uint64(src[pos:]))
983
				pos += 8
984
			}
985
		case xReadCd:
986
			immcpos = pos
987
			if pos+4 > len(src) {
988
				return truncated(src, mode)
989
			}
990
			immc = int64(binary.LittleEndian.Uint32(src[pos:]))
991
			pos += 4
992

993
		case xReadCp:
994
			immcpos = pos
995
			if pos+6 > len(src) {
996
				return truncated(src, mode)
997
			}
998
			w := binary.LittleEndian.Uint32(src[pos:])
999
			w2 := binary.LittleEndian.Uint16(src[pos+4:])
1000
			immc = int64(w2)<<32 | int64(w)
1001
			pos += 6
1002

1003
		// Output.
1004

1005
		case xSetOp:
1006
			inst.Op = Op(decoder[pc])
1007
			pc++
1008

1009
		case xArg1,
1010
			xArg3,
1011
			xArgAL,
1012
			xArgAX,
1013
			xArgCL,
1014
			xArgCS,
1015
			xArgDS,
1016
			xArgDX,
1017
			xArgEAX,
1018
			xArgEDX,
1019
			xArgES,
1020
			xArgFS,
1021
			xArgGS,
1022
			xArgRAX,
1023
			xArgRDX,
1024
			xArgSS,
1025
			xArgST,
1026
			xArgXMM0:
1027
			inst.Args[narg] = fixedArg[x]
1028
			narg++
1029

1030
		case xArgImm8:
1031
			inst.Args[narg] = Imm(imm8)
1032
			narg++
1033

1034
		case xArgImm8u:
1035
			inst.Args[narg] = Imm(uint8(imm8))
1036
			narg++
1037

1038
		case xArgImm16:
1039
			inst.Args[narg] = Imm(int16(imm))
1040
			narg++
1041

1042
		case xArgImm16u:
1043
			inst.Args[narg] = Imm(uint16(imm))
1044
			narg++
1045

1046
		case xArgImm32:
1047
			inst.Args[narg] = Imm(int32(imm))
1048
			narg++
1049

1050
		case xArgImm64:
1051
			inst.Args[narg] = Imm(imm)
1052
			narg++
1053

1054
		case xArgM,
1055
			xArgM128,
1056
			xArgM256,
1057
			xArgM1428byte,
1058
			xArgM16,
1059
			xArgM16and16,
1060
			xArgM16and32,
1061
			xArgM16and64,
1062
			xArgM16colon16,
1063
			xArgM16colon32,
1064
			xArgM16colon64,
1065
			xArgM16int,
1066
			xArgM2byte,
1067
			xArgM32,
1068
			xArgM32and32,
1069
			xArgM32fp,
1070
			xArgM32int,
1071
			xArgM512byte,
1072
			xArgM64,
1073
			xArgM64fp,
1074
			xArgM64int,
1075
			xArgM8,
1076
			xArgM80bcd,
1077
			xArgM80dec,
1078
			xArgM80fp,
1079
			xArgM94108byte,
1080
			xArgMem:
1081
			if !haveMem {
1082
				inst.Op = 0
1083
				break Decode
1084
			}
1085
			inst.Args[narg] = mem
1086
			inst.MemBytes = int(memBytes[decodeOp(x)])
1087
			if mem.Base == RIP {
1088
				inst.PCRel = displen
1089
				inst.PCRelOff = dispoff
1090
			}
1091
			narg++
1092

1093
		case xArgPtr16colon16:
1094
			inst.Args[narg] = Imm(immc >> 16)
1095
			inst.Args[narg+1] = Imm(immc & (1<<16 - 1))
1096
			narg += 2
1097

1098
		case xArgPtr16colon32:
1099
			inst.Args[narg] = Imm(immc >> 32)
1100
			inst.Args[narg+1] = Imm(immc & (1<<32 - 1))
1101
			narg += 2
1102

1103
		case xArgMoffs8, xArgMoffs16, xArgMoffs32, xArgMoffs64:
1104
			// TODO(rsc): Can address be 64 bits?
1105
			mem = Mem{Disp: int64(immc)}
1106
			if segIndex >= 0 {
1107
				mem.Segment = prefixToSegment(inst.Prefix[segIndex])
1108
				inst.Prefix[segIndex] |= PrefixImplicit
1109
			}
1110
			inst.Args[narg] = mem
1111
			inst.MemBytes = int(memBytes[decodeOp(x)])
1112
			if mem.Base == RIP {
1113
				inst.PCRel = displen
1114
				inst.PCRelOff = dispoff
1115
			}
1116
			narg++
1117

1118
		case xArgYmm1:
1119
			base := baseReg[x]
1120
			index := Reg(regop)
1121
			if inst.Prefix[vexIndex+1]&0x80 == 0 {
1122
				index += 8
1123
			}
1124
			inst.Args[narg] = base + index
1125
			narg++
1126

1127
		case xArgR8, xArgR16, xArgR32, xArgR64, xArgXmm, xArgXmm1, xArgDR0dashDR7:
1128
			base := baseReg[x]
1129
			index := Reg(regop)
1130
			if rex != 0 && base == AL && index >= 4 {
1131
				rexUsed |= PrefixREX
1132
				index -= 4
1133
				base = SPB
1134
			}
1135
			inst.Args[narg] = base + index
1136
			narg++
1137

1138
		case xArgMm, xArgMm1, xArgTR0dashTR7:
1139
			inst.Args[narg] = baseReg[x] + Reg(regop&7)
1140
			narg++
1141

1142
		case xArgCR0dashCR7:
1143
			// AMD documents an extension that the LOCK prefix
1144
			// can be used in place of a REX prefix in order to access
1145
			// CR8 from 32-bit mode. The LOCK prefix is allowed in
1146
			// all modes, provided the corresponding CPUID bit is set.
1147
			if lockIndex >= 0 {
1148
				inst.Prefix[lockIndex] |= PrefixImplicit
1149
				regop += 8
1150
			}
1151
			inst.Args[narg] = CR0 + Reg(regop)
1152
			narg++
1153

1154
		case xArgSreg:
1155
			regop &= 7
1156
			if regop >= 6 {
1157
				inst.Op = 0
1158
				break Decode
1159
			}
1160
			inst.Args[narg] = ES + Reg(regop)
1161
			narg++
1162

1163
		case xArgRmf16, xArgRmf32, xArgRmf64:
1164
			base := baseReg[x]
1165
			index := Reg(modrm & 07)
1166
			if rex&PrefixREXB != 0 {
1167
				rexUsed |= PrefixREXB
1168
				index += 8
1169
			}
1170
			inst.Args[narg] = base + index
1171
			narg++
1172

1173
		case xArgR8op, xArgR16op, xArgR32op, xArgR64op, xArgSTi:
1174
			n := inst.Opcode >> uint(opshift+8) & 07
1175
			base := baseReg[x]
1176
			index := Reg(n)
1177
			if rex&PrefixREXB != 0 && decodeOp(x) != xArgSTi {
1178
				rexUsed |= PrefixREXB
1179
				index += 8
1180
			}
1181
			if rex != 0 && base == AL && index >= 4 {
1182
				rexUsed |= PrefixREX
1183
				index -= 4
1184
				base = SPB
1185
			}
1186
			inst.Args[narg] = base + index
1187
			narg++
1188
		case xArgRM8, xArgRM16, xArgRM32, xArgRM64, xArgR32M16, xArgR32M8, xArgR64M16,
1189
			xArgMmM32, xArgMmM64, xArgMm2M64,
1190
			xArgXmm2M16, xArgXmm2M32, xArgXmm2M64, xArgXmmM64, xArgXmmM128, xArgXmmM32, xArgXmm2M128,
1191
			xArgYmm2M256:
1192
			if haveMem {
1193
				inst.Args[narg] = mem
1194
				inst.MemBytes = int(memBytes[decodeOp(x)])
1195
				if mem.Base == RIP {
1196
					inst.PCRel = displen
1197
					inst.PCRelOff = dispoff
1198
				}
1199
			} else {
1200
				base := baseReg[x]
1201
				index := Reg(rm)
1202
				switch decodeOp(x) {
1203
				case xArgMmM32, xArgMmM64, xArgMm2M64:
1204
					// There are only 8 MMX registers, so these ignore the REX.X bit.
1205
					index &= 7
1206
				case xArgRM8:
1207
					if rex != 0 && index >= 4 {
1208
						rexUsed |= PrefixREX
1209
						index -= 4
1210
						base = SPB
1211
					}
1212
				case xArgYmm2M256:
1213
					if vex == 0xC4 && inst.Prefix[vexIndex+1]&0x40 == 0x40 {
1214
						index += 8
1215
					}
1216
				}
1217
				inst.Args[narg] = base + index
1218
			}
1219
			narg++
1220

1221
		case xArgMm2: // register only; TODO(rsc): Handle with tag modrm_regonly tag
1222
			if haveMem {
1223
				inst.Op = 0
1224
				break Decode
1225
			}
1226
			inst.Args[narg] = baseReg[x] + Reg(rm&7)
1227
			narg++
1228

1229
		case xArgXmm2: // register only; TODO(rsc): Handle with tag modrm_regonly tag
1230
			if haveMem {
1231
				inst.Op = 0
1232
				break Decode
1233
			}
1234
			inst.Args[narg] = baseReg[x] + Reg(rm)
1235
			narg++
1236

1237
		case xArgRel8:
1238
			inst.PCRelOff = immcpos
1239
			inst.PCRel = 1
1240
			inst.Args[narg] = Rel(int8(immc))
1241
			narg++
1242

1243
		case xArgRel16:
1244
			inst.PCRelOff = immcpos
1245
			inst.PCRel = 2
1246
			inst.Args[narg] = Rel(int16(immc))
1247
			narg++
1248

1249
		case xArgRel32:
1250
			inst.PCRelOff = immcpos
1251
			inst.PCRel = 4
1252
			inst.Args[narg] = Rel(int32(immc))
1253
			narg++
1254
		}
1255
	}
1256

1257
	if inst.Op == 0 {
1258
		// Invalid instruction.
1259
		if nprefix > 0 {
1260
			return instPrefix(src[0], mode) // invalid instruction
1261
		}
1262
		return Inst{Len: pos}, ErrUnrecognized
1263
	}
1264

1265
	// Matched! Hooray!
1266

1267
	// 90 decodes as XCHG EAX, EAX but is NOP.
1268
	// 66 90 decodes as XCHG AX, AX and is NOP too.
1269
	// 48 90 decodes as XCHG RAX, RAX and is NOP too.
1270
	// 43 90 decodes as XCHG R8D, EAX and is *not* NOP.
1271
	// F3 90 decodes as REP XCHG EAX, EAX but is PAUSE.
1272
	// It's all too special to handle in the decoding tables, at least for now.
1273
	if inst.Op == XCHG && inst.Opcode>>24 == 0x90 {
1274
		if inst.Args[0] == RAX || inst.Args[0] == EAX || inst.Args[0] == AX {
1275
			inst.Op = NOP
1276
			if dataSizeIndex >= 0 {
1277
				inst.Prefix[dataSizeIndex] &^= PrefixImplicit
1278
			}
1279
			inst.Args[0] = nil
1280
			inst.Args[1] = nil
1281
		}
1282
		if repIndex >= 0 && inst.Prefix[repIndex] == 0xF3 {
1283
			inst.Prefix[repIndex] |= PrefixImplicit
1284
			inst.Op = PAUSE
1285
			inst.Args[0] = nil
1286
			inst.Args[1] = nil
1287
		} else if gnuCompat {
1288
			for i := nprefix - 1; i >= 0; i-- {
1289
				if inst.Prefix[i]&0xFF == 0xF3 {
1290
					inst.Prefix[i] |= PrefixImplicit
1291
					inst.Op = PAUSE
1292
					inst.Args[0] = nil
1293
					inst.Args[1] = nil
1294
					break
1295
				}
1296
			}
1297
		}
1298
	}
1299

1300
	// defaultSeg returns the default segment for an implicit
1301
	// memory reference: the final override if present, or else DS.
1302
	defaultSeg := func() Reg {
1303
		if segIndex >= 0 {
1304
			inst.Prefix[segIndex] |= PrefixImplicit
1305
			return prefixToSegment(inst.Prefix[segIndex])
1306
		}
1307
		return DS
1308
	}
1309

1310
	// Add implicit arguments not present in the tables.
1311
	// Normally we shy away from making implicit arguments explicit,
1312
	// following the Intel manuals, but adding the arguments seems
1313
	// the best way to express the effect of the segment override prefixes.
1314
	// TODO(rsc): Perhaps add these to the tables and
1315
	// create bytecode instructions for them.
1316
	usedAddrSize := false
1317
	switch inst.Op {
1318
	case INSB, INSW, INSD:
1319
		inst.Args[0] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
1320
		inst.Args[1] = DX
1321
		usedAddrSize = true
1322

1323
	case OUTSB, OUTSW, OUTSD:
1324
		inst.Args[0] = DX
1325
		inst.Args[1] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + SI - AX}
1326
		usedAddrSize = true
1327

1328
	case MOVSB, MOVSW, MOVSD, MOVSQ:
1329
		inst.Args[0] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
1330
		inst.Args[1] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + SI - AX}
1331
		usedAddrSize = true
1332

1333
	case CMPSB, CMPSW, CMPSD, CMPSQ:
1334
		inst.Args[0] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + SI - AX}
1335
		inst.Args[1] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
1336
		usedAddrSize = true
1337

1338
	case LODSB, LODSW, LODSD, LODSQ:
1339
		switch inst.Op {
1340
		case LODSB:
1341
			inst.Args[0] = AL
1342
		case LODSW:
1343
			inst.Args[0] = AX
1344
		case LODSD:
1345
			inst.Args[0] = EAX
1346
		case LODSQ:
1347
			inst.Args[0] = RAX
1348
		}
1349
		inst.Args[1] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + SI - AX}
1350
		usedAddrSize = true
1351

1352
	case STOSB, STOSW, STOSD, STOSQ:
1353
		inst.Args[0] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
1354
		switch inst.Op {
1355
		case STOSB:
1356
			inst.Args[1] = AL
1357
		case STOSW:
1358
			inst.Args[1] = AX
1359
		case STOSD:
1360
			inst.Args[1] = EAX
1361
		case STOSQ:
1362
			inst.Args[1] = RAX
1363
		}
1364
		usedAddrSize = true
1365

1366
	case SCASB, SCASW, SCASD, SCASQ:
1367
		inst.Args[1] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
1368
		switch inst.Op {
1369
		case SCASB:
1370
			inst.Args[0] = AL
1371
		case SCASW:
1372
			inst.Args[0] = AX
1373
		case SCASD:
1374
			inst.Args[0] = EAX
1375
		case SCASQ:
1376
			inst.Args[0] = RAX
1377
		}
1378
		usedAddrSize = true
1379

1380
	case XLATB:
1381
		inst.Args[0] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + BX - AX}
1382
		usedAddrSize = true
1383
	}
1384

1385
	// If we used the address size annotation to construct the
1386
	// argument list, mark that prefix as implicit: it doesn't need
1387
	// to be shown when printing the instruction.
1388
	if haveMem || usedAddrSize {
1389
		if addrSizeIndex >= 0 {
1390
			inst.Prefix[addrSizeIndex] |= PrefixImplicit
1391
		}
1392
	}
1393

1394
	// Similarly, if there's some memory operand, the segment
1395
	// will be shown there and doesn't need to be shown as an
1396
	// explicit prefix.
1397
	if haveMem {
1398
		if segIndex >= 0 {
1399
			inst.Prefix[segIndex] |= PrefixImplicit
1400
		}
1401
	}
1402

1403
	// Branch predict prefixes are overloaded segment prefixes,
1404
	// since segment prefixes don't make sense on conditional jumps.
1405
	// Rewrite final instance to prediction prefix.
1406
	// The set of instructions to which the prefixes apply (other then the
1407
	// Jcc conditional jumps) is not 100% clear from the manuals, but
1408
	// the disassemblers seem to agree about the LOOP and JCXZ instructions,
1409
	// so we'll follow along.
1410
	// TODO(rsc): Perhaps this instruction class should be derived from the CSV.
1411
	if isCondJmp[inst.Op] || isLoop[inst.Op] || inst.Op == JCXZ || inst.Op == JECXZ || inst.Op == JRCXZ {
1412
	PredictLoop:
1413
		for i := nprefix - 1; i >= 0; i-- {
1414
			p := inst.Prefix[i]
1415
			switch p & 0xFF {
1416
			case PrefixCS:
1417
				inst.Prefix[i] = PrefixPN
1418
				break PredictLoop
1419
			case PrefixDS:
1420
				inst.Prefix[i] = PrefixPT
1421
				break PredictLoop
1422
			}
1423
		}
1424
	}
1425

1426
	// The BND prefix is part of the Intel Memory Protection Extensions (MPX).
1427
	// A REPN applied to certain control transfers is a BND prefix to bound
1428
	// the range of possible destinations. There's surprisingly little documentation
1429
	// about this, so we just do what libopcodes and xed agree on.
1430
	// In particular, it's unclear why a REPN applied to LOOP or JCXZ instructions
1431
	// does not turn into a BND.
1432
	// TODO(rsc): Perhaps this instruction class should be derived from the CSV.
1433
	if isCondJmp[inst.Op] || inst.Op == JMP || inst.Op == CALL || inst.Op == RET {
1434
		for i := nprefix - 1; i >= 0; i-- {
1435
			p := inst.Prefix[i]
1436
			if p&^PrefixIgnored == PrefixREPN {
1437
				inst.Prefix[i] = PrefixBND
1438
				break
1439
			}
1440
		}
1441
	}
1442

1443
	// The LOCK prefix only applies to certain instructions, and then only
1444
	// to instances of the instruction with a memory destination.
1445
	// Other uses of LOCK are invalid and cause a processor exception,
1446
	// in contrast to the "just ignore it" spirit applied to all other prefixes.
1447
	// Mark invalid lock prefixes.
1448
	hasLock := false
1449
	if lockIndex >= 0 && inst.Prefix[lockIndex]&PrefixImplicit == 0 {
1450
		switch inst.Op {
1451
		// TODO(rsc): Perhaps this instruction class should be derived from the CSV.
1452
		case ADD, ADC, AND, BTC, BTR, BTS, CMPXCHG, CMPXCHG8B, CMPXCHG16B, DEC, INC, NEG, NOT, OR, SBB, SUB, XOR, XADD, XCHG:
1453
			if isMem(inst.Args[0]) {
1454
				hasLock = true
1455
				break
1456
			}
1457
			fallthrough
1458
		default:
1459
			inst.Prefix[lockIndex] |= PrefixInvalid
1460
		}
1461
	}
1462

1463
	// In certain cases, all of which require a memory destination,
1464
	// the REPN and REP prefixes are interpreted as XACQUIRE and XRELEASE
1465
	// from the Intel Transactional Synchroniation Extensions (TSX).
1466
	//
1467
	// The specific rules are:
1468
	// (1) Any instruction with a valid LOCK prefix can have XACQUIRE or XRELEASE.
1469
	// (2) Any XCHG, which always has an implicit LOCK, can have XACQUIRE or XRELEASE.
1470
	// (3) Any 0x88-, 0x89-, 0xC6-, or 0xC7-opcode MOV can have XRELEASE.
1471
	if isMem(inst.Args[0]) {
1472
		if inst.Op == XCHG {
1473
			hasLock = true
1474
		}
1475

1476
		for i := len(inst.Prefix) - 1; i >= 0; i-- {
1477
			p := inst.Prefix[i] &^ PrefixIgnored
1478
			switch p {
1479
			case PrefixREPN:
1480
				if hasLock {
1481
					inst.Prefix[i] = inst.Prefix[i]&PrefixIgnored | PrefixXACQUIRE
1482
				}
1483

1484
			case PrefixREP:
1485
				if hasLock {
1486
					inst.Prefix[i] = inst.Prefix[i]&PrefixIgnored | PrefixXRELEASE
1487
				}
1488

1489
				if inst.Op == MOV {
1490
					op := (inst.Opcode >> 24) &^ 1
1491
					if op == 0x88 || op == 0xC6 {
1492
						inst.Prefix[i] = inst.Prefix[i]&PrefixIgnored | PrefixXRELEASE
1493
					}
1494
				}
1495
			}
1496
		}
1497
	}
1498

1499
	// If REP is used on a non-REP-able instruction, mark the prefix as ignored.
1500
	if repIndex >= 0 {
1501
		switch inst.Prefix[repIndex] {
1502
		case PrefixREP, PrefixREPN:
1503
			switch inst.Op {
1504
			// According to the manuals, the REP/REPE prefix applies to all of these,
1505
			// while the REPN applies only to some of them. However, both libopcodes
1506
			// and xed show both prefixes explicitly for all instructions, so we do the same.
1507
			// TODO(rsc): Perhaps this instruction class should be derived from the CSV.
1508
			case INSB, INSW, INSD,
1509
				MOVSB, MOVSW, MOVSD, MOVSQ,
1510
				OUTSB, OUTSW, OUTSD,
1511
				LODSB, LODSW, LODSD, LODSQ,
1512
				CMPSB, CMPSW, CMPSD, CMPSQ,
1513
				SCASB, SCASW, SCASD, SCASQ,
1514
				STOSB, STOSW, STOSD, STOSQ:
1515
				// ok
1516
			default:
1517
				inst.Prefix[repIndex] |= PrefixIgnored
1518
			}
1519
		}
1520
	}
1521

1522
	// If REX was present, mark implicit if all the 1 bits were consumed.
1523
	if rexIndex >= 0 {
1524
		if rexUsed != 0 {
1525
			rexUsed |= PrefixREX
1526
		}
1527
		if rex&^rexUsed == 0 {
1528
			inst.Prefix[rexIndex] |= PrefixImplicit
1529
		}
1530
	}
1531

1532
	inst.DataSize = dataMode
1533
	inst.AddrSize = addrMode
1534
	inst.Mode = mode
1535
	inst.Len = pos
1536
	return inst, nil
1537
}
1538

1539
var errInternal = errors.New("internal error")
1540

1541
// addr16 records the eight 16-bit addressing modes.
1542
var addr16 = [8]Mem{
1543
	{Base: BX, Scale: 1, Index: SI},
1544
	{Base: BX, Scale: 1, Index: DI},
1545
	{Base: BP, Scale: 1, Index: SI},
1546
	{Base: BP, Scale: 1, Index: DI},
1547
	{Base: SI},
1548
	{Base: DI},
1549
	{Base: BP},
1550
	{Base: BX},
1551
}
1552

1553
// baseRegForBits returns the base register for a given register size in bits.
1554
func baseRegForBits(bits int) Reg {
1555
	switch bits {
1556
	case 8:
1557
		return AL
1558
	case 16:
1559
		return AX
1560
	case 32:
1561
		return EAX
1562
	case 64:
1563
		return RAX
1564
	}
1565
	return 0
1566
}
1567

1568
// baseReg records the base register for argument types that specify
1569
// a range of registers indexed by op, regop, or rm.
1570
var baseReg = [...]Reg{
1571
	xArgDR0dashDR7: DR0,
1572
	xArgMm1:        M0,
1573
	xArgMm2:        M0,
1574
	xArgMm2M64:     M0,
1575
	xArgMm:         M0,
1576
	xArgMmM32:      M0,
1577
	xArgMmM64:      M0,
1578
	xArgR16:        AX,
1579
	xArgR16op:      AX,
1580
	xArgR32:        EAX,
1581
	xArgR32M16:     EAX,
1582
	xArgR32M8:      EAX,
1583
	xArgR32op:      EAX,
1584
	xArgR64:        RAX,
1585
	xArgR64M16:     RAX,
1586
	xArgR64op:      RAX,
1587
	xArgR8:         AL,
1588
	xArgR8op:       AL,
1589
	xArgRM16:       AX,
1590
	xArgRM32:       EAX,
1591
	xArgRM64:       RAX,
1592
	xArgRM8:        AL,
1593
	xArgRmf16:      AX,
1594
	xArgRmf32:      EAX,
1595
	xArgRmf64:      RAX,
1596
	xArgSTi:        F0,
1597
	xArgTR0dashTR7: TR0,
1598
	xArgXmm1:       X0,
1599
	xArgYmm1:       X0,
1600
	xArgXmm2:       X0,
1601
	xArgXmm2M128:   X0,
1602
	xArgYmm2M256:   X0,
1603
	xArgXmm2M16:    X0,
1604
	xArgXmm2M32:    X0,
1605
	xArgXmm2M64:    X0,
1606
	xArgXmm:        X0,
1607
	xArgXmmM128:    X0,
1608
	xArgXmmM32:     X0,
1609
	xArgXmmM64:     X0,
1610
}
1611

1612
// prefixToSegment returns the segment register
1613
// corresponding to a particular segment prefix.
1614
func prefixToSegment(p Prefix) Reg {
1615
	switch p &^ PrefixImplicit {
1616
	case PrefixCS:
1617
		return CS
1618
	case PrefixDS:
1619
		return DS
1620
	case PrefixES:
1621
		return ES
1622
	case PrefixFS:
1623
		return FS
1624
	case PrefixGS:
1625
		return GS
1626
	case PrefixSS:
1627
		return SS
1628
	}
1629
	return 0
1630
}
1631

1632
// fixedArg records the fixed arguments corresponding to the given bytecodes.
1633
var fixedArg = [...]Arg{
1634
	xArg1:    Imm(1),
1635
	xArg3:    Imm(3),
1636
	xArgAL:   AL,
1637
	xArgAX:   AX,
1638
	xArgDX:   DX,
1639
	xArgEAX:  EAX,
1640
	xArgEDX:  EDX,
1641
	xArgRAX:  RAX,
1642
	xArgRDX:  RDX,
1643
	xArgCL:   CL,
1644
	xArgCS:   CS,
1645
	xArgDS:   DS,
1646
	xArgES:   ES,
1647
	xArgFS:   FS,
1648
	xArgGS:   GS,
1649
	xArgSS:   SS,
1650
	xArgST:   F0,
1651
	xArgXMM0: X0,
1652
}
1653

1654
// memBytes records the size of the memory pointed at
1655
// by a memory argument of the given form.
1656
var memBytes = [...]int8{
1657
	xArgM128:       128 / 8,
1658
	xArgM256:       256 / 8,
1659
	xArgM16:        16 / 8,
1660
	xArgM16and16:   (16 + 16) / 8,
1661
	xArgM16colon16: (16 + 16) / 8,
1662
	xArgM16colon32: (16 + 32) / 8,
1663
	xArgM16int:     16 / 8,
1664
	xArgM2byte:     2,
1665
	xArgM32:        32 / 8,
1666
	xArgM32and32:   (32 + 32) / 8,
1667
	xArgM32fp:      32 / 8,
1668
	xArgM32int:     32 / 8,
1669
	xArgM64:        64 / 8,
1670
	xArgM64fp:      64 / 8,
1671
	xArgM64int:     64 / 8,
1672
	xArgMm2M64:     64 / 8,
1673
	xArgMmM32:      32 / 8,
1674
	xArgMmM64:      64 / 8,
1675
	xArgMoffs16:    16 / 8,
1676
	xArgMoffs32:    32 / 8,
1677
	xArgMoffs64:    64 / 8,
1678
	xArgMoffs8:     8 / 8,
1679
	xArgR32M16:     16 / 8,
1680
	xArgR32M8:      8 / 8,
1681
	xArgR64M16:     16 / 8,
1682
	xArgRM16:       16 / 8,
1683
	xArgRM32:       32 / 8,
1684
	xArgRM64:       64 / 8,
1685
	xArgRM8:        8 / 8,
1686
	xArgXmm2M128:   128 / 8,
1687
	xArgYmm2M256:   256 / 8,
1688
	xArgXmm2M16:    16 / 8,
1689
	xArgXmm2M32:    32 / 8,
1690
	xArgXmm2M64:    64 / 8,
1691
	xArgXmm:        128 / 8,
1692
	xArgXmmM128:    128 / 8,
1693
	xArgXmmM32:     32 / 8,
1694
	xArgXmmM64:     64 / 8,
1695
}
1696

1697
// isCondJmp records the conditional jumps.
1698
var isCondJmp = [maxOp + 1]bool{
1699
	JA:  true,
1700
	JAE: true,
1701
	JB:  true,
1702
	JBE: true,
1703
	JE:  true,
1704
	JG:  true,
1705
	JGE: true,
1706
	JL:  true,
1707
	JLE: true,
1708
	JNE: true,
1709
	JNO: true,
1710
	JNP: true,
1711
	JNS: true,
1712
	JO:  true,
1713
	JP:  true,
1714
	JS:  true,
1715
}
1716

1717
// isLoop records the loop operators.
1718
var isLoop = [maxOp + 1]bool{
1719
	LOOP:   true,
1720
	LOOPE:  true,
1721
	LOOPNE: true,
1722
	JECXZ:  true,
1723
	JRCXZ:  true,
1724
}
1725