No longer builds, but this is a good intermediate save point.
[akaros.git] / kern / arch / x86 / emulate.c
1 /******************************************************************************
2  * x86_emulate.c
3  *
4  * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5  *
6  * Copyright (c) 2005 Keir Fraser
7  *
8  * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9  * privieged instructions:
10  *
11  * Copyright (C) 2006 Qumranet
12  *
13  *   Avi Kivity <avi@qumranet.com>
14  *   Yaniv Kamay <yaniv@qumranet.com>
15  *
16  * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
17  */
18
19 #define DEBUG
20 #include <kmalloc.h>
21 #include <string.h>
22 #include <stdio.h>
23 #include <assert.h>
24 #include <error.h>
25 #include <pmap.h>
26 #include <sys/queue.h>
27 #include <smp.h>
28 #include <kref.h>
29 #include <atomic.h>
30 #include <alarm.h>
31 #include <event.h>
32 #include <umem.h>
33 #include <devalarm.h>
34 #include <arch/types.h>
35 #include <arch/vm.h>
36 #include <arch/emulate.h>
37 #include <arch/vmdebug.h>
38
39 /*
40  * Opcode effective-address decode tables.
41  * Note that we only emulate instructions that have at least one memory
42  * operand (excluding implicit stack references). We assume that stack
43  * references and instruction fetches will never occur in special memory
44  * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
45  * not be handled.
46  */
47
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp      (1<<0)      /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1)      /* Implicit in opcode. No generic decode. */
52 #define DstReg      (2<<1)      /* Register operand. */
53 #define DstMem      (3<<1)      /* Memory operand. */
54 #define DstMask     (3<<1)
55 /* Source operand type. */
56 #define SrcNone     (0<<3)      /* No source operand. */
57 #define SrcImplicit (0<<3)      /* Source operand is implicit in the opcode. */
58 #define SrcReg      (1<<3)      /* Register operand. */
59 #define SrcMem      (2<<3)      /* Memory operand. */
60 #define SrcMem16    (3<<3)      /* Memory operand (16-bit). */
61 #define SrcMem32    (4<<3)      /* Memory operand (32-bit). */
62 #define SrcImm      (5<<3)      /* Immediate operand. */
63 #define SrcImmByte  (6<<3)      /* 8-bit sign-extended immediate operand. */
64 #define SrcMask     (7<<3)
65 /* Generic ModRM decode. */
66 #define ModRM       (1<<6)
67 /* Destination is only written; never read. */
68 #define Mov         (1<<7)
69
70 static uint8_t opcode_table[256] = {
71         /* 0x00 - 0x07 */
72         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
73         ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
74         0, 0, 0, 0,
75         /* 0x08 - 0x0F */
76         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
77         ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
78         0, 0, 0, 0,
79         /* 0x10 - 0x17 */
80         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
81         ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
82         0, 0, 0, 0,
83         /* 0x18 - 0x1F */
84         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
85         ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
86         0, 0, 0, 0,
87         /* 0x20 - 0x27 */
88         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
89         ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
90         0, 0, 0, 0,
91         /* 0x28 - 0x2F */
92         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
93         ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
94         0, 0, 0, 0,
95         /* 0x30 - 0x37 */
96         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
97         ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
98         0, 0, 0, 0,
99         /* 0x38 - 0x3F */
100         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
101         ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
102         0, 0, 0, 0,
103         /* 0x40 - 0x4F */
104         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
105         /* 0x50 - 0x5F */
106         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
107         /* 0x60 - 0x6F */
108         0, 0, 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
109         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
110         /* 0x70 - 0x7F */
111         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
112         /* 0x80 - 0x87 */
113         ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
114         ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
115         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
116         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
117         /* 0x88 - 0x8F */
118         ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
119         ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
120         0, 0, 0, DstMem | SrcNone | ModRM | Mov,
121         /* 0x90 - 0x9F */
122         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
123         /* 0xA0 - 0xA7 */
124         ByteOp | DstReg | SrcMem | Mov, DstReg | SrcMem | Mov,
125         ByteOp | DstMem | SrcReg | Mov, DstMem | SrcReg | Mov,
126         ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
127         ByteOp | ImplicitOps, ImplicitOps,
128         /* 0xA8 - 0xAF */
129         0, 0, ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
130         ByteOp | ImplicitOps | Mov, ImplicitOps | Mov,
131         ByteOp | ImplicitOps, ImplicitOps,
132         /* 0xB0 - 0xBF */
133         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
134         /* 0xC0 - 0xC7 */
135         ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM, 0, 0,
136         0, 0, ByteOp | DstMem | SrcImm | ModRM | Mov,
137         DstMem | SrcImm | ModRM | Mov,
138         /* 0xC8 - 0xCF */
139         0, 0, 0, 0, 0, 0, 0, 0,
140         /* 0xD0 - 0xD7 */
141         ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
142         ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
143         0, 0, 0, 0,
144         /* 0xD8 - 0xDF */
145         0, 0, 0, 0, 0, 0, 0, 0,
146         /* 0xE0 - 0xEF */
147         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
148         /* 0xF0 - 0xF7 */
149         0, 0, 0, 0,
150         0, 0, ByteOp | DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
151         /* 0xF8 - 0xFF */
152         0, 0, 0, 0,
153         0, 0, ByteOp | DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM
154 };
155
156 static uint8_t twobyte_table[256] = {
157         /* 0x00 - 0x0F */
158         0, SrcMem | ModRM | DstReg | Mov, 0, 0, 0, 0, 0, 0,
159         0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0,
160         /* 0x10 - 0x1F */
161         0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
162         /* 0x20 - 0x2F */
163         ImplicitOps, 0, ImplicitOps, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
164         /* 0x30 - 0x3F */
165         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
166         /* 0x40 - 0x47 */
167         DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
168         DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
169         DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
170         DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
171         /* 0x48 - 0x4F */
172         DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
173         DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
174         DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
175         DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
176         /* 0x50 - 0x5F */
177         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
178         /* 0x60 - 0x6F */
179         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
180         /* 0x70 - 0x7F */
181         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
182         /* 0x80 - 0x8F */
183         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
184         /* 0x90 - 0x9F */
185         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
186         /* 0xA0 - 0xA7 */
187         0, 0, 0, DstMem | SrcReg | ModRM, 0, 0, 0, 0,
188         /* 0xA8 - 0xAF */
189         0, 0, 0, DstMem | SrcReg | ModRM, 0, 0, 0, 0,
190         /* 0xB0 - 0xB7 */
191         ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM, 0,
192         DstMem | SrcReg | ModRM,
193         0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
194         DstReg | SrcMem16 | ModRM | Mov,
195         /* 0xB8 - 0xBF */
196         0, 0, DstMem | SrcImmByte | ModRM, DstMem | SrcReg | ModRM,
197         0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
198         DstReg | SrcMem16 | ModRM | Mov,
199         /* 0xC0 - 0xCF */
200         0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0, 0,
201         /* 0xD0 - 0xDF */
202         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
203         /* 0xE0 - 0xEF */
204         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
205         /* 0xF0 - 0xFF */
206         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
207 };
208
209 /* Type, address-of, and value of an instruction's operand. */
210 struct operand {
211         enum { OP_REG, OP_MEM, OP_IMM } type;
212         unsigned int bytes;
213         unsigned long val, orig_val, *ptr;
214 };
215
216 /* EFLAGS bit definitions. */
217 #define EFLG_OF (1<<11)
218 #define EFLG_DF (1<<10)
219 #define EFLG_SF (1<<7)
220 #define EFLG_ZF (1<<6)
221 #define EFLG_AF (1<<4)
222 #define EFLG_PF (1<<2)
223 #define EFLG_CF (1<<0)
224
225 /*
226  * Instruction emulation:
227  * Most instructions are emulated directly via a fragment of inline assembly
228  * code. This allows us to save/restore EFLAGS and thus very easily pick up
229  * any modified flags.
230  */
231
232 #if defined(__x86_64__)
233 #define _LO32 "k"       /* force 32-bit operand */
234 #define _STK  "%%rsp"   /* stack pointer */
235 #elif defined(__i386__)
236 #define _LO32 ""        /* force 32-bit operand */
237 #define _STK  "%%esp"   /* stack pointer */
238 #endif
239
240 /*
241  * These EFLAGS bits are restored from saved value during emulation, and
242  * any changes are written back to the saved value after emulation.
243  */
244 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
245
246 /* Before executing instruction: restore necessary bits in EFLAGS. */
247 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
248         /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); */        \
249         "push %"_sav"; "                                        \
250         "movl %"_msk",%"_LO32 _tmp"; "                          \
251         "andl %"_LO32 _tmp",("_STK"); "                         \
252         "pushf; "                                               \
253         "notl %"_LO32 _tmp"; "                                  \
254         "andl %"_LO32 _tmp",("_STK"); "                         \
255         "pop  %"_tmp"; "                                        \
256         "orl  %"_LO32 _tmp",("_STK"); "                         \
257         "popf; "                                                \
258         /* _sav &= ~msk; */                                     \
259         "movl %"_msk",%"_LO32 _tmp"; "                          \
260         "notl %"_LO32 _tmp"; "                                  \
261         "andl %"_LO32 _tmp",%"_sav"; "
262
263 /* After executing instruction: write-back necessary bits in EFLAGS. */
264 #define _POST_EFLAGS(_sav, _msk, _tmp) \
265         /* _sav |= EFLAGS & _msk; */            \
266         "pushf; "                               \
267         "pop  %"_tmp"; "                        \
268         "andl %"_msk",%"_LO32 _tmp"; "          \
269         "orl  %"_LO32 _tmp",%"_sav"; "
270
271 /* Raw emulation: instruction has two explicit operands. */
272 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
273         do {                                                                \
274                 unsigned long _tmp;                                         \
275                                                                             \
276                 switch ((_dst).bytes) {                                     \
277                 case 2:                                                     \
278                         __asm__ __volatile__ (                              \
279                                 _PRE_EFLAGS("0","4","2")                    \
280                                 _op"w %"_wx"3,%1; "                         \
281                                 _POST_EFLAGS("0","4","2")                   \
282                                 : "=m" (_eflags), "=m" ((_dst).val),        \
283                                   "=&r" (_tmp)                              \
284                                 : _wy ((_src).val), "i" (EFLAGS_MASK) );    \
285                         break;                                              \
286                 case 4:                                                     \
287                         __asm__ __volatile__ (                              \
288                                 _PRE_EFLAGS("0","4","2")                    \
289                                 _op"l %"_lx"3,%1; "                         \
290                                 _POST_EFLAGS("0","4","2")                   \
291                                 : "=m" (_eflags), "=m" ((_dst).val),        \
292                                   "=&r" (_tmp)                              \
293                                 : _ly ((_src).val), "i" (EFLAGS_MASK) );    \
294                         break;                                              \
295                 case 8:                                                     \
296                         __emulate_2op_8byte(_op, _src, _dst,                \
297                                             _eflags, _qx, _qy);             \
298                         break;                                              \
299                 }                                                           \
300         } while (0)
301
302 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
303         do {                                                                 \
304                 unsigned long _tmp;                                          \
305                 switch ( (_dst).bytes )                                      \
306                 {                                                            \
307                 case 1:                                                      \
308                         __asm__ __volatile__ (                               \
309                                 _PRE_EFLAGS("0","4","2")                     \
310                                 _op"b %"_bx"3,%1; "                          \
311                                 _POST_EFLAGS("0","4","2")                    \
312                                 : "=m" (_eflags), "=m" ((_dst).val),         \
313                                   "=&r" (_tmp)                               \
314                                 : _by ((_src).val), "i" (EFLAGS_MASK) );     \
315                         break;                                               \
316                 default:                                                     \
317                         __emulate_2op_nobyte(_op, _src, _dst, _eflags,       \
318                                              _wx, _wy, _lx, _ly, _qx, _qy);  \
319                         break;                                               \
320                 }                                                            \
321         } while (0)
322
323 /* Source operand is byte-sized and may be restricted to just %cl. */
324 #define emulate_2op_SrcB(_op, _src, _dst, _eflags)                      \
325         __emulate_2op(_op, _src, _dst, _eflags,                         \
326                       "b", "c", "b", "c", "b", "c", "b", "c")
327
328 /* Source operand is byte, word, long or quad sized. */
329 #define emulate_2op_SrcV(_op, _src, _dst, _eflags)                      \
330         __emulate_2op(_op, _src, _dst, _eflags,                         \
331                       "b", "q", "w", "r", _LO32, "r", "", "r")
332
333 /* Source operand is word, long or quad sized. */
334 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags)               \
335         __emulate_2op_nobyte(_op, _src, _dst, _eflags,                  \
336                              "w", "r", _LO32, "r", "", "r")
337
338 /* Instruction has only one explicit operand (no source operand). */
339 #define emulate_1op(_op, _dst, _eflags)                                    \
340         do {                                                            \
341                 unsigned long _tmp;                                     \
342                                                                         \
343                 switch ( (_dst).bytes )                                 \
344                 {                                                       \
345                 case 1:                                                 \
346                         __asm__ __volatile__ (                          \
347                                 _PRE_EFLAGS("0","3","2")                \
348                                 _op"b %1; "                             \
349                                 _POST_EFLAGS("0","3","2")               \
350                                 : "=m" (_eflags), "=m" ((_dst).val),    \
351                                   "=&r" (_tmp)                          \
352                                 : "i" (EFLAGS_MASK) );                  \
353                         break;                                          \
354                 case 2:                                                 \
355                         __asm__ __volatile__ (                          \
356                                 _PRE_EFLAGS("0","3","2")                \
357                                 _op"w %1; "                             \
358                                 _POST_EFLAGS("0","3","2")               \
359                                 : "=m" (_eflags), "=m" ((_dst).val),    \
360                                   "=&r" (_tmp)                          \
361                                 : "i" (EFLAGS_MASK) );                  \
362                         break;                                          \
363                 case 4:                                                 \
364                         __asm__ __volatile__ (                          \
365                                 _PRE_EFLAGS("0","3","2")                \
366                                 _op"l %1; "                             \
367                                 _POST_EFLAGS("0","3","2")               \
368                                 : "=m" (_eflags), "=m" ((_dst).val),    \
369                                   "=&r" (_tmp)                          \
370                                 : "i" (EFLAGS_MASK) );                  \
371                         break;                                          \
372                 case 8:                                                 \
373                         __emulate_1op_8byte(_op, _dst, _eflags);        \
374                         break;                                          \
375                 }                                                       \
376         } while (0)
377
378 /* Emulate an instruction with quadword operands (x86/64 only). */
379 #if defined(__x86_64__)
380 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)           \
381         do {                                                              \
382                 __asm__ __volatile__ (                                    \
383                         _PRE_EFLAGS("0","4","2")                          \
384                         _op"q %"_qx"3,%1; "                               \
385                         _POST_EFLAGS("0","4","2")                         \
386                         : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
387                         : _qy ((_src).val), "i" (EFLAGS_MASK) );          \
388         } while (0)
389
390 #define __emulate_1op_8byte(_op, _dst, _eflags)                           \
391         do {                                                              \
392                 __asm__ __volatile__ (                                    \
393                         _PRE_EFLAGS("0","3","2")                          \
394                         _op"q %1; "                                       \
395                         _POST_EFLAGS("0","3","2")                         \
396                         : "=m" (_eflags), "=m" ((_dst).val), "=&r" (_tmp) \
397                         : "i" (EFLAGS_MASK) );                            \
398         } while (0)
399
400 #elif defined(__i386__)
401 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
402 #define __emulate_1op_8byte(_op, _dst, _eflags)
403 #endif /* __i386__ */
404
405 /* Fetch next part of the instruction being emulated. */
406 #define insn_fetch(_type, _size, _eip)                                  \
407 ({      unsigned long _x;                                               \
408         rc = ops->read_std((unsigned long)(_eip) + ctxt->cs_base, &_x,  \
409                                                   (_size), ctxt);       \
410         if ( rc != 0 )                                                  \
411                 goto done;                                              \
412         (_eip) += (_size);                                              \
413         (_type)_x;                                                      \
414 })
415
416 /* Access/update address held in a register, based on addressing mode. */
417 #define register_address(base, reg)                                     \
418         ((base) + ((ad_bytes == sizeof(unsigned long)) ? (reg) :        \
419                    ((reg) & ((1UL << (ad_bytes << 3)) - 1))))
420
421 #define register_address_increment(reg, inc)                            \
422         do {                                                            \
423                 /* signed type ensures sign extension to long */        \
424                 int _inc = (inc);                                       \
425                 if ( ad_bytes == sizeof(unsigned long) )                \
426                         (reg) += _inc;                                  \
427                 else                                                    \
428                         (reg) = ((reg) & ~((1UL << (ad_bytes << 3)) - 1)) | \
429                            (((reg) + _inc) & ((1UL << (ad_bytes << 3)) - 1)); \
430         } while (0)
431
432 void *decode_register(uint8_t modrm_reg, unsigned long *regs, int highbyte_regs)
433 {
434         void *p;
435
436         p = &regs[modrm_reg];
437         if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
438                 p = (unsigned char *)&regs[modrm_reg & 3] + 1;
439         return p;
440 }
441
442 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
443                                                    struct x86_emulate_ops *ops,
444                                                    void *ptr,
445                                                    uint16_t * size, unsigned long *address,
446                                                    int op_bytes)
447 {
448         int rc;
449
450         if (op_bytes == 2)
451                 op_bytes = 3;
452         *address = 0;
453         rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2, ctxt);
454         if (rc)
455                 return rc;
456         rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes, ctxt);
457         return rc;
458 }
459
460 int
461 x86_emulate_memop(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
462 {
463         uint8_t b, d, sib, twobyte = 0, rex_prefix = 0;
464         uint8_t modrm, modrm_mod = 0, modrm_reg = 0, modrm_rm = 0;
465         unsigned long *override_base = NULL;
466         unsigned int op_bytes, ad_bytes, lock_prefix = 0, rep_prefix = 0, i;
467         int rc = 0;
468         struct operand src, dst;
469         unsigned long cr2 = ctxt->cr2;
470         int mode = ctxt->mode;
471         unsigned long modrm_ea;
472         int use_modrm_ea, index_reg = 0, base_reg = 0, scale, rip_relative = 0;
473
474         /* Shadow copy of register state. Committed on successful emulation. */
475         unsigned long _regs[NR_VCPU_REGS];
476         unsigned long _eip = ctxt->vcpu->rip, _eflags = ctxt->eflags;
477         unsigned long modrm_val = 0;
478
479         memcpy(_regs, ctxt->vcpu->regs, sizeof _regs);
480
481         switch (mode) {
482                 case X86EMUL_MODE_REAL:
483                 case X86EMUL_MODE_PROT16:
484                         op_bytes = ad_bytes = 2;
485                         break;
486                 case X86EMUL_MODE_PROT32:
487                         op_bytes = ad_bytes = 4;
488                         break;
489 #ifdef __x86_64__
490                 case X86EMUL_MODE_PROT64:
491                         op_bytes = 4;
492                         ad_bytes = 8;
493                         break;
494 #endif
495                 default:
496                         return -1;
497         }
498
499         /* Legacy prefixes. */
500         for (i = 0; i < 8; i++) {
501                 switch (b = insn_fetch(uint8_t, 1, _eip)) {
502                         case 0x66:      /* operand-size override */
503                                 op_bytes ^= 6;  /* switch between 2/4 bytes */
504                                 break;
505                         case 0x67:      /* address-size override */
506                                 if (mode == X86EMUL_MODE_PROT64)
507                                         ad_bytes ^= 12; /* switch between 4/8 bytes */
508                                 else
509                                         ad_bytes ^= 6;  /* switch between 2/4 bytes */
510                                 break;
511                         case 0x2e:      /* CS override */
512                                 override_base = &ctxt->cs_base;
513                                 break;
514                         case 0x3e:      /* DS override */
515                                 override_base = &ctxt->ds_base;
516                                 break;
517                         case 0x26:      /* ES override */
518                                 override_base = &ctxt->es_base;
519                                 break;
520                         case 0x64:      /* FS override */
521                                 override_base = &ctxt->fs_base;
522                                 break;
523                         case 0x65:      /* GS override */
524                                 override_base = &ctxt->gs_base;
525                                 break;
526                         case 0x36:      /* SS override */
527                                 override_base = &ctxt->ss_base;
528                                 break;
529                         case 0xf0:      /* LOCK */
530                                 lock_prefix = 1;
531                                 break;
532                         case 0xf3:      /* REP/REPE/REPZ */
533                                 rep_prefix = 1;
534                                 break;
535                         case 0xf2:      /* REPNE/REPNZ */
536                                 break;
537                         default:
538                                 goto done_prefixes;
539                 }
540         }
541
542 done_prefixes:
543
544         /* REX prefix. */
545         if ((mode == X86EMUL_MODE_PROT64) && ((b & 0xf0) == 0x40)) {
546                 rex_prefix = b;
547                 if (b & 8)
548                         op_bytes = 8;   /* REX.W */
549                 modrm_reg = (b & 4) << 1;       /* REX.R */
550                 index_reg = (b & 2) << 2;       /* REX.X */
551                 modrm_rm = base_reg = (b & 1) << 3;     /* REG.B */
552                 b = insn_fetch(uint8_t, 1, _eip);
553         }
554
555         /* Opcode byte(s). */
556         d = opcode_table[b];
557         if (d == 0) {
558                 /* Two-byte opcode? */
559                 if (b == 0x0f) {
560                         twobyte = 1;
561                         b = insn_fetch(uint8_t, 1, _eip);
562                         d = twobyte_table[b];
563                 }
564
565                 /* Unrecognised? */
566                 if (d == 0)
567                         goto cannot_emulate;
568         }
569
570         /* ModRM and SIB bytes. */
571         if (d & ModRM) {
572                 modrm = insn_fetch(uint8_t, 1, _eip);
573                 modrm_mod |= (modrm & 0xc0) >> 6;
574                 modrm_reg |= (modrm & 0x38) >> 3;
575                 modrm_rm |= (modrm & 0x07);
576                 modrm_ea = 0;
577                 use_modrm_ea = 1;
578
579                 if (modrm_mod == 3) {
580                         modrm_val = *(unsigned long *)
581                                 decode_register(modrm_rm, _regs, d & ByteOp);
582                         goto modrm_done;
583                 }
584
585                 if (ad_bytes == 2) {
586                         unsigned bx = _regs[VCPU_REGS_RBX];
587                         unsigned bp = _regs[VCPU_REGS_RBP];
588                         unsigned si = _regs[VCPU_REGS_RSI];
589                         unsigned di = _regs[VCPU_REGS_RDI];
590
591                         /* 16-bit ModR/M decode. */
592                         switch (modrm_mod) {
593                                 case 0:
594                                         if (modrm_rm == 6)
595                                                 modrm_ea += insn_fetch(uint16_t, 2, _eip);
596                                         break;
597                                 case 1:
598                                         modrm_ea += insn_fetch(int8_t, 1, _eip);
599                                         break;
600                                 case 2:
601                                         modrm_ea += insn_fetch(uint16_t, 2, _eip);
602                                         break;
603                         }
604                         switch (modrm_rm) {
605                                 case 0:
606                                         modrm_ea += bx + si;
607                                         break;
608                                 case 1:
609                                         modrm_ea += bx + di;
610                                         break;
611                                 case 2:
612                                         modrm_ea += bp + si;
613                                         break;
614                                 case 3:
615                                         modrm_ea += bp + di;
616                                         break;
617                                 case 4:
618                                         modrm_ea += si;
619                                         break;
620                                 case 5:
621                                         modrm_ea += di;
622                                         break;
623                                 case 6:
624                                         if (modrm_mod != 0)
625                                                 modrm_ea += bp;
626                                         break;
627                                 case 7:
628                                         modrm_ea += bx;
629                                         break;
630                         }
631                         if (modrm_rm == 2 || modrm_rm == 3 ||
632                                 (modrm_rm == 6 && modrm_mod != 0))
633                                 if (!override_base)
634                                         override_base = &ctxt->ss_base;
635                         modrm_ea = (uint16_t) modrm_ea;
636                 } else {
637                         /* 32/64-bit ModR/M decode. */
638                         switch (modrm_rm) {
639                                 case 4:
640                                 case 12:
641                                         sib = insn_fetch(uint8_t, 1, _eip);
642                                         index_reg |= (sib >> 3) & 7;
643                                         base_reg |= sib & 7;
644                                         scale = sib >> 6;
645
646                                         switch (base_reg) {
647                                                 case 5:
648                                                         if (modrm_mod != 0)
649                                                                 modrm_ea += _regs[base_reg];
650                                                         else
651                                                                 modrm_ea += insn_fetch(int32_t, 4, _eip);
652                                                         break;
653                                                 default:
654                                                         modrm_ea += _regs[base_reg];
655                                         }
656                                         switch (index_reg) {
657                                                 case 4:
658                                                         break;
659                                                 default:
660                                                         modrm_ea += _regs[index_reg] << scale;
661
662                                         }
663                                         break;
664                                 case 5:
665                                         if (modrm_mod != 0)
666                                                 modrm_ea += _regs[modrm_rm];
667                                         else if (mode == X86EMUL_MODE_PROT64)
668                                                 rip_relative = 1;
669                                         break;
670                                 default:
671                                         modrm_ea += _regs[modrm_rm];
672                                         break;
673                         }
674                         switch (modrm_mod) {
675                                 case 0:
676                                         if (modrm_rm == 5)
677                                                 modrm_ea += insn_fetch(int32_t, 4, _eip);
678                                         break;
679                                 case 1:
680                                         modrm_ea += insn_fetch(int8_t, 1, _eip);
681                                         break;
682                                 case 2:
683                                         modrm_ea += insn_fetch(int32_t, 4, _eip);
684                                         break;
685                         }
686                 }
687                 if (!override_base)
688                         override_base = &ctxt->ds_base;
689                 if (mode == X86EMUL_MODE_PROT64 &&
690                         override_base != &ctxt->fs_base && override_base != &ctxt->gs_base)
691                         override_base = 0;
692
693                 if (override_base)
694                         modrm_ea += *override_base;
695
696                 if (rip_relative) {
697                         modrm_ea += _eip;
698                         switch (d & SrcMask) {
699                                 case SrcImmByte:
700                                         modrm_ea += 1;
701                                         break;
702                                 case SrcImm:
703                                         if (d & ByteOp)
704                                                 modrm_ea += 1;
705                                         else if (op_bytes == 8)
706                                                 modrm_ea += 4;
707                                         else
708                                                 modrm_ea += op_bytes;
709                         }
710                 }
711                 if (ad_bytes != 8)
712                         modrm_ea = (uint32_t) modrm_ea;
713                 cr2 = modrm_ea;
714 modrm_done:
715                 ;
716         }
717
718         /* Decode and fetch the destination operand: register or memory. */
719         switch (d & DstMask) {
720                 case ImplicitOps:
721                         /* Special instructions do their own operand decoding. */
722                         goto special_insn;
723                 case DstReg:
724                         dst.type = OP_REG;
725                         if ((d & ByteOp)
726                                 && !(twobyte && (b == 0xb6 || b == 0xb7))) {
727                                 dst.ptr = decode_register(modrm_reg, _regs, (rex_prefix == 0));
728                                 dst.val = *(uint8_t *) dst.ptr;
729                                 dst.bytes = 1;
730                         } else {
731                                 dst.ptr = decode_register(modrm_reg, _regs, 0);
732                                 switch ((dst.bytes = op_bytes)) {
733                                         case 2:
734                                                 dst.val = *(uint16_t *) dst.ptr;
735                                                 break;
736                                         case 4:
737                                                 dst.val = *(uint32_t *) dst.ptr;
738                                                 break;
739                                         case 8:
740                                                 dst.val = *(uint64_t *) dst.ptr;
741                                                 break;
742                                 }
743                         }
744                         break;
745                 case DstMem:
746                         dst.type = OP_MEM;
747                         dst.ptr = (unsigned long *)cr2;
748                         dst.bytes = (d & ByteOp) ? 1 : op_bytes;
749                         if (!(d & Mov) &&       /* optimisation - avoid slow emulated read */
750                                 ((rc = ops->read_emulated((unsigned long)dst.ptr,
751                                                                                   &dst.val, dst.bytes, ctxt)) != 0))
752                                 goto done;
753                         break;
754         }
755         dst.orig_val = dst.val;
756
757         /*
758          * Decode and fetch the source operand: register, memory
759          * or immediate.
760          */
761         switch (d & SrcMask) {
762                 case SrcNone:
763                         break;
764                 case SrcReg:
765                         src.type = OP_REG;
766                         if (d & ByteOp) {
767                                 src.ptr = decode_register(modrm_reg, _regs, (rex_prefix == 0));
768                                 src.val = src.orig_val = *(uint8_t *) src.ptr;
769                                 src.bytes = 1;
770                         } else {
771                                 src.ptr = decode_register(modrm_reg, _regs, 0);
772                                 switch ((src.bytes = op_bytes)) {
773                                         case 2:
774                                                 src.val = src.orig_val = *(uint16_t *) src.ptr;
775                                                 break;
776                                         case 4:
777                                                 src.val = src.orig_val = *(uint32_t *) src.ptr;
778                                                 break;
779                                         case 8:
780                                                 src.val = src.orig_val = *(uint64_t *) src.ptr;
781                                                 break;
782                                 }
783                         }
784                         break;
785                 case SrcMem16:
786                         src.bytes = 2;
787                         goto srcmem_common;
788                 case SrcMem32:
789                         src.bytes = 4;
790                         goto srcmem_common;
791                 case SrcMem:
792                         src.bytes = (d & ByteOp) ? 1 : op_bytes;
793 srcmem_common:
794                         src.type = OP_MEM;
795                         src.ptr = (unsigned long *)cr2;
796                         if ((rc = ops->read_emulated((unsigned long)src.ptr,
797                                                                                  &src.val, src.bytes, ctxt)) != 0)
798                                 goto done;
799                         src.orig_val = src.val;
800                         break;
801                 case SrcImm:
802                         src.type = OP_IMM;
803                         src.ptr = (unsigned long *)_eip;
804                         src.bytes = (d & ByteOp) ? 1 : op_bytes;
805                         if (src.bytes == 8)
806                                 src.bytes = 4;
807                         /* NB. Immediates are sign-extended as necessary. */
808                         switch (src.bytes) {
809                                 case 1:
810                                         src.val = insn_fetch(int8_t, 1, _eip);
811                                         break;
812                                 case 2:
813                                         src.val = insn_fetch(int16_t, 2, _eip);
814                                         break;
815                                 case 4:
816                                         src.val = insn_fetch(int32_t, 4, _eip);
817                                         break;
818                         }
819                         break;
820                 case SrcImmByte:
821                         src.type = OP_IMM;
822                         src.ptr = (unsigned long *)_eip;
823                         src.bytes = 1;
824                         src.val = insn_fetch(int8_t, 1, _eip);
825                         break;
826         }
827
828         if (twobyte)
829                 goto twobyte_insn;
830
831         switch (b) {
832                 case 0x00 ... 0x05:
833 add:    /* add */
834                         emulate_2op_SrcV("add", src, dst, _eflags);
835                         break;
836                 case 0x08 ... 0x0d:
837 or:     /* or */
838                         emulate_2op_SrcV("or", src, dst, _eflags);
839                         break;
840                 case 0x10 ... 0x15:
841 adc:    /* adc */
842                         emulate_2op_SrcV("adc", src, dst, _eflags);
843                         break;
844                 case 0x18 ... 0x1d:
845 sbb:    /* sbb */
846                         emulate_2op_SrcV("sbb", src, dst, _eflags);
847                         break;
848                 case 0x20 ... 0x25:
849 and:    /* and */
850                         emulate_2op_SrcV("and", src, dst, _eflags);
851                         break;
852                 case 0x28 ... 0x2d:
853 sub:    /* sub */
854                         emulate_2op_SrcV("sub", src, dst, _eflags);
855                         break;
856                 case 0x30 ... 0x35:
857 xor:    /* xor */
858                         emulate_2op_SrcV("xor", src, dst, _eflags);
859                         break;
860                 case 0x38 ... 0x3d:
861 cmp:    /* cmp */
862                         emulate_2op_SrcV("cmp", src, dst, _eflags);
863                         break;
864                 case 0x63:      /* movsxd */
865                         if (mode != X86EMUL_MODE_PROT64)
866                                 goto cannot_emulate;
867                         dst.val = (int32_t) src.val;
868                         break;
869                 case 0x80 ... 0x83:     /* Grp1 */
870                         switch (modrm_reg) {
871                                 case 0:
872                                         goto add;
873                                 case 1:
874                                         goto or;
875                                 case 2:
876                                         goto adc;
877                                 case 3:
878                                         goto sbb;
879                                 case 4:
880                                         goto and;
881                                 case 5:
882                                         goto sub;
883                                 case 6:
884                                         goto xor;
885                                 case 7:
886                                         goto cmp;
887                         }
888                         break;
889                 case 0x84 ... 0x85:
890 test:   /* test */
891                         emulate_2op_SrcV("test", src, dst, _eflags);
892                         break;
893                 case 0x86 ... 0x87:     /* xchg */
894                         /* Write back the register source. */
895                         switch (dst.bytes) {
896                                 case 1:
897                                         *(uint8_t *) src.ptr = (uint8_t) dst.val;
898                                         break;
899                                 case 2:
900                                         *(uint16_t *) src.ptr = (uint16_t) dst.val;
901                                         break;
902                                 case 4:
903                                         *src.ptr = (uint32_t) dst.val;
904                                         break;  /* 64b reg: zero-extend */
905                                 case 8:
906                                         *src.ptr = dst.val;
907                                         break;
908                         }
909                         /*
910                          * Write back the memory destination with implicit LOCK
911                          * prefix.
912                          */
913                         dst.val = src.val;
914                         lock_prefix = 1;
915                         break;
916                 case 0xa0 ... 0xa1:     /* mov */
917                         dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
918                         dst.val = src.val;
919                         _eip += ad_bytes;       /* skip src displacement */
920                         break;
921                 case 0xa2 ... 0xa3:     /* mov */
922                         dst.val = (unsigned long)_regs[VCPU_REGS_RAX];
923                         _eip += ad_bytes;       /* skip dst displacement */
924                         break;
925                 case 0x88 ... 0x8b:     /* mov */
926                 case 0xc6 ... 0xc7:     /* mov (sole member of Grp11) */
927                         dst.val = src.val;
928                         break;
929                 case 0x8f:      /* pop (sole member of Grp1a) */
930                         /* 64-bit mode: POP always pops a 64-bit operand. */
931                         if (mode == X86EMUL_MODE_PROT64)
932                                 dst.bytes = 8;
933                         if ((rc = ops->read_std(register_address(ctxt->ss_base,
934                                                                                                          _regs[VCPU_REGS_RSP]),
935                                                                         &dst.val, dst.bytes, ctxt)) != 0)
936                                 goto done;
937                         register_address_increment(_regs[VCPU_REGS_RSP], dst.bytes);
938                         break;
939                 case 0xc0 ... 0xc1:
940 grp2:   /* Grp2 */
941                         switch (modrm_reg) {
942                                 case 0: /* rol */
943                                         emulate_2op_SrcB("rol", src, dst, _eflags);
944                                         break;
945                                 case 1: /* ror */
946                                         emulate_2op_SrcB("ror", src, dst, _eflags);
947                                         break;
948                                 case 2: /* rcl */
949                                         emulate_2op_SrcB("rcl", src, dst, _eflags);
950                                         break;
951                                 case 3: /* rcr */
952                                         emulate_2op_SrcB("rcr", src, dst, _eflags);
953                                         break;
954                                 case 4: /* sal/shl */
955                                 case 6: /* sal/shl */
956                                         emulate_2op_SrcB("sal", src, dst, _eflags);
957                                         break;
958                                 case 5: /* shr */
959                                         emulate_2op_SrcB("shr", src, dst, _eflags);
960                                         break;
961                                 case 7: /* sar */
962                                         emulate_2op_SrcB("sar", src, dst, _eflags);
963                                         break;
964                         }
965                         break;
966                 case 0xd0 ... 0xd1:     /* Grp2 */
967                         src.val = 1;
968                         goto grp2;
969                 case 0xd2 ... 0xd3:     /* Grp2 */
970                         src.val = _regs[VCPU_REGS_RCX];
971                         goto grp2;
972                 case 0xf6 ... 0xf7:     /* Grp3 */
973                         switch (modrm_reg) {
974                                 case 0 ... 1:   /* test */
975                                         /*
976                                          * Special case in Grp3: test has an immediate
977                                          * source operand.
978                                          */
979                                         src.type = OP_IMM;
980                                         src.ptr = (unsigned long *)_eip;
981                                         src.bytes = (d & ByteOp) ? 1 : op_bytes;
982                                         if (src.bytes == 8)
983                                                 src.bytes = 4;
984                                         switch (src.bytes) {
985                                                 case 1:
986                                                         src.val = insn_fetch(int8_t, 1, _eip);
987                                                         break;
988                                                 case 2:
989                                                         src.val = insn_fetch(int16_t, 2, _eip);
990                                                         break;
991                                                 case 4:
992                                                         src.val = insn_fetch(int32_t, 4, _eip);
993                                                         break;
994                                         }
995                                         goto test;
996                                 case 2: /* not */
997                                         dst.val = ~dst.val;
998                                         break;
999                                 case 3: /* neg */
1000                                         emulate_1op("neg", dst, _eflags);
1001                                         break;
1002                                 default:
1003                                         goto cannot_emulate;
1004                         }
1005                         break;
1006                 case 0xfe ... 0xff:     /* Grp4/Grp5 */
1007                         switch (modrm_reg) {
1008                                 case 0: /* inc */
1009                                         emulate_1op("inc", dst, _eflags);
1010                                         break;
1011                                 case 1: /* dec */
1012                                         emulate_1op("dec", dst, _eflags);
1013                                         break;
1014                                 case 6: /* push */
1015                                         /* 64-bit mode: PUSH always pushes a 64-bit operand. */
1016                                         if (mode == X86EMUL_MODE_PROT64) {
1017                                                 dst.bytes = 8;
1018                                                 if ((rc = ops->read_std((unsigned long)dst.ptr,
1019                                                                                                 &dst.val, 8, ctxt)) != 0)
1020                                                         goto done;
1021                                         }
1022                                         register_address_increment(_regs[VCPU_REGS_RSP],
1023                                                                                            -dst.bytes);
1024                                         if ((rc = ops->write_std(register_address(ctxt->ss_base,
1025                                                                                                                           _regs
1026                                                                                                                           [VCPU_REGS_RSP]),
1027                                                                                          dst.val, dst.bytes, ctxt)) != 0)
1028                                                 goto done;
1029                                         dst.val = dst.orig_val; /* skanky: disable writeback */
1030                                         break;
1031                                 default:
1032                                         goto cannot_emulate;
1033                         }
1034                         break;
1035         }
1036
1037 writeback:
1038         if ((d & Mov) || (dst.orig_val != dst.val)) {
1039                 switch (dst.type) {
1040                         case OP_REG:
1041                                 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1042                                 switch (dst.bytes) {
1043                                         case 1:
1044                                                 *(uint8_t *) dst.ptr = (uint8_t) dst.val;
1045                                                 break;
1046                                         case 2:
1047                                                 *(uint16_t *) dst.ptr = (uint16_t) dst.val;
1048                                                 break;
1049                                         case 4:
1050                                                 *dst.ptr = (uint32_t) dst.val;
1051                                                 break;  /* 64b: zero-ext */
1052                                         case 8:
1053                                                 *dst.ptr = dst.val;
1054                                                 break;
1055                                 }
1056                                 break;
1057                         case OP_MEM:
1058                                 if (lock_prefix)
1059                                         rc = ops->cmpxchg_emulated((unsigned long)dst.ptr,
1060                                                                                            dst.orig_val, dst.val, dst.bytes,
1061                                                                                            ctxt);
1062                                 else
1063                                         rc = ops->write_emulated((unsigned long)dst.ptr,
1064                                                                                          dst.val, dst.bytes, ctxt);
1065                                 if (rc != 0)
1066                                         goto done;
1067                         default:
1068                                 break;
1069                 }
1070         }
1071
1072         /* Commit shadow register state. */
1073         memcpy(ctxt->vcpu->regs, _regs, sizeof _regs);
1074         ctxt->eflags = _eflags;
1075         ctxt->vcpu->rip = _eip;
1076
1077 done:
1078         return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1079
1080 special_insn:
1081         if (twobyte)
1082                 goto twobyte_special_insn;
1083         if (rep_prefix) {
1084                 if (_regs[VCPU_REGS_RCX] == 0) {
1085                         ctxt->vcpu->rip = _eip;
1086                         goto done;
1087                 }
1088                 _regs[VCPU_REGS_RCX]--;
1089                 _eip = ctxt->vcpu->rip;
1090         }
1091         switch (b) {
1092                 case 0xa4 ... 0xa5:     /* movs */
1093                         dst.type = OP_MEM;
1094                         dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1095                         dst.ptr = (unsigned long *)register_address(ctxt->es_base,
1096                                                                                                                 _regs[VCPU_REGS_RDI]);
1097                         if ((rc =
1098                                  ops->
1099                                  read_emulated(register_address
1100                                                            (override_base ? *override_base : ctxt->ds_base,
1101                                                                 _regs[VCPU_REGS_RSI]), &dst.val, dst.bytes,
1102                                                            ctxt)) != 0)
1103                                 goto done;
1104                         register_address_increment(_regs[VCPU_REGS_RSI],
1105                                                                            (_eflags & EFLG_DF) ? -dst.bytes : dst.
1106                                                                            bytes);
1107                         register_address_increment(_regs[VCPU_REGS_RDI],
1108                                                                            (_eflags & EFLG_DF) ? -dst.bytes : dst.
1109                                                                            bytes);
1110                         break;
1111                 case 0xa6 ... 0xa7:     /* cmps */
1112                         DPRINTF("Urk! I don't handle CMPS.\n");
1113                         goto cannot_emulate;
1114                 case 0xaa ... 0xab:     /* stos */
1115                         dst.type = OP_MEM;
1116                         dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1117                         dst.ptr = (unsigned long *)cr2;
1118                         dst.val = _regs[VCPU_REGS_RAX];
1119                         register_address_increment(_regs[VCPU_REGS_RDI],
1120                                                                            (_eflags & EFLG_DF) ? -dst.bytes : dst.
1121                                                                            bytes);
1122                         break;
1123                 case 0xac ... 0xad:     /* lods */
1124                         dst.type = OP_REG;
1125                         dst.bytes = (d & ByteOp) ? 1 : op_bytes;
1126                         dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
1127                         if ((rc = ops->read_emulated(cr2, &dst.val, dst.bytes, ctxt)) != 0)
1128                                 goto done;
1129                         register_address_increment(_regs[VCPU_REGS_RSI],
1130                                                                            (_eflags & EFLG_DF) ? -dst.bytes : dst.
1131                                                                            bytes);
1132                         break;
1133                 case 0xae ... 0xaf:     /* scas */
1134                         DPRINTF("Urk! I don't handle SCAS.\n");
1135                         goto cannot_emulate;
1136         }
1137         goto writeback;
1138
1139 twobyte_insn:
1140         switch (b) {
1141                 case 0x01:      /* lgdt, lidt, lmsw */
1142                         switch (modrm_reg) {
1143                                         uint16_t size;
1144                                         unsigned long address;
1145
1146                                 case 2: /* lgdt */
1147                                         rc = read_descriptor(ctxt, ops, src.ptr,
1148                                                                                  &size, &address, op_bytes);
1149                                         if (rc)
1150                                                 goto done;
1151 #warning "implement realmode_lgdt"
1152                                         //realmode_lgdt(ctxt->vcpu, size, address);
1153                                         break;
1154                                 case 3: /* lidt */
1155                                         rc = read_descriptor(ctxt, ops, src.ptr,
1156                                                                                  &size, &address, op_bytes);
1157                                         if (rc)
1158                                                 goto done;
1159 #warning "implement realmode_lidt"
1160                                         //realmode_lidt(ctxt->vcpu, size, address);
1161                                         break;
1162                                 case 6: /* lmsw */
1163 #warning "implement realmod_lmsw"
1164                                         //realmode_lmsw(ctxt->vcpu, (uint16_t)modrm_val, &_eflags);
1165                                         break;
1166                                 default:
1167                                         goto cannot_emulate;
1168                         }
1169                         break;
1170                 case 0x40 ... 0x4f:     /* cmov */
1171                         dst.val = dst.orig_val = src.val;
1172                         d &= ~Mov;      /* default to no move */
1173                         /*
1174                          * First, assume we're decoding an even cmov opcode
1175                          * (lsb == 0).
1176                          */
1177                         switch ((b & 15) >> 1) {
1178                                 case 0: /* cmovo */
1179                                         d |= (_eflags & EFLG_OF) ? Mov : 0;
1180                                         break;
1181                                 case 1: /* cmovb/cmovc/cmovnae */
1182                                         d |= (_eflags & EFLG_CF) ? Mov : 0;
1183                                         break;
1184                                 case 2: /* cmovz/cmove */
1185                                         d |= (_eflags & EFLG_ZF) ? Mov : 0;
1186                                         break;
1187                                 case 3: /* cmovbe/cmovna */
1188                                         d |= (_eflags & (EFLG_CF | EFLG_ZF)) ? Mov : 0;
1189                                         break;
1190                                 case 4: /* cmovs */
1191                                         d |= (_eflags & EFLG_SF) ? Mov : 0;
1192                                         break;
1193                                 case 5: /* cmovp/cmovpe */
1194                                         d |= (_eflags & EFLG_PF) ? Mov : 0;
1195                                         break;
1196                                 case 7: /* cmovle/cmovng */
1197                                         d |= (_eflags & EFLG_ZF) ? Mov : 0;
1198                                         /* fall through */
1199                                 case 6: /* cmovl/cmovnge */
1200                                         d |= (!(_eflags & EFLG_SF) !=
1201                                                   !(_eflags & EFLG_OF)) ? Mov : 0;
1202                                         break;
1203                         }
1204                         /* Odd cmov opcodes (lsb == 1) have inverted sense. */
1205                         d ^= (b & 1) ? Mov : 0;
1206                         break;
1207                 case 0xb0 ... 0xb1:     /* cmpxchg */
1208                         /*
1209                          * Save real source value, then compare EAX against
1210                          * destination.
1211                          */
1212                         src.orig_val = src.val;
1213                         src.val = _regs[VCPU_REGS_RAX];
1214                         emulate_2op_SrcV("cmp", src, dst, _eflags);
1215                         /* Always write back. The question is: where to? */
1216                         d |= Mov;
1217                         if (_eflags & EFLG_ZF) {
1218                                 /* Success: write back to memory. */
1219                                 dst.val = src.orig_val;
1220                         } else {
1221                                 /* Failure: write the value we saw to EAX. */
1222                                 dst.type = OP_REG;
1223                                 dst.ptr = (unsigned long *)&_regs[VCPU_REGS_RAX];
1224                         }
1225                         break;
1226                 case 0xa3:
1227 bt:     /* bt */
1228                         src.val &= (dst.bytes << 3) - 1;        /* only subword offset */
1229                         emulate_2op_SrcV_nobyte("bt", src, dst, _eflags);
1230                         break;
1231                 case 0xb3:
1232 btr:    /* btr */
1233                         src.val &= (dst.bytes << 3) - 1;        /* only subword offset */
1234                         emulate_2op_SrcV_nobyte("btr", src, dst, _eflags);
1235                         break;
1236                 case 0xab:
1237 bts:    /* bts */
1238                         src.val &= (dst.bytes << 3) - 1;        /* only subword offset */
1239                         emulate_2op_SrcV_nobyte("bts", src, dst, _eflags);
1240                         break;
1241                 case 0xb6 ... 0xb7:     /* movzx */
1242                         dst.bytes = op_bytes;
1243                         dst.val = (d & ByteOp) ? (uint8_t) src.val : (uint16_t) src.val;
1244                         break;
1245                 case 0xbb:
1246 btc:    /* btc */
1247                         src.val &= (dst.bytes << 3) - 1;        /* only subword offset */
1248                         emulate_2op_SrcV_nobyte("btc", src, dst, _eflags);
1249                         break;
1250                 case 0xba:      /* Grp8 */
1251                         switch (modrm_reg & 3) {
1252                                 case 0:
1253                                         goto bt;
1254                                 case 1:
1255                                         goto bts;
1256                                 case 2:
1257                                         goto btr;
1258                                 case 3:
1259                                         goto btc;
1260                         }
1261                         break;
1262                 case 0xbe ... 0xbf:     /* movsx */
1263                         dst.bytes = op_bytes;
1264                         dst.val = (d & ByteOp) ? (int8_t) src.val : (int16_t) src.val;
1265                         break;
1266         }
1267         goto writeback;
1268
1269 twobyte_special_insn:
1270         /* Disable writeback. */
1271         dst.orig_val = dst.val;
1272         switch (b) {
1273                 case 0x0d:      /* GrpP (prefetch) */
1274                 case 0x18:      /* Grp16 (prefetch/nop) */
1275                         break;
1276                 case 0x20:      /* mov cr, reg */
1277                         b = insn_fetch(uint8_t, 1, _eip);
1278                         if ((b & 0xc0) != 0xc0)
1279                                 goto cannot_emulate;
1280 #warning "implement realmode_get_cr"
1281                         //_regs[(b >> 3) & 7] = realmode_get_cr(ctxt->vcpu, b & 7);
1282                         break;
1283                 case 0x22:      /* mov reg, cr */
1284                         b = insn_fetch(uint8_t, 1, _eip);
1285                         if ((b & 0xc0) != 0xc0)
1286                                 goto cannot_emulate;
1287 #warning "implement realmod_set_cr"
1288                         //realmode_set_cr(ctxt->vcpu, b & 7, _regs[(b >> 3) & 7] & -1u,
1289                         //      &_eflags);
1290                         break;
1291                 case 0xc7:      /* Grp9 (cmpxchg8b) */
1292 #if defined(__i386__)
1293                         {
1294                                 unsigned long old_lo, old_hi;
1295                                 if (((rc = ops->read_emulated(cr2 + 0, &old_lo, 4, ctxt)) != 0)
1296                                         || ((rc = ops->read_emulated(cr2 + 4, &old_hi, 4,
1297                                                                                                  ctxt)) != 0))
1298                                         goto done;
1299                                 if ((old_lo != _regs[VCPU_REGS_RAX])
1300                                         || (old_hi != _regs[VCPU_REGS_RDI])) {
1301                                         _regs[VCPU_REGS_RAX] = old_lo;
1302                                         _regs[VCPU_REGS_RDX] = old_hi;
1303                                         _eflags &= ~EFLG_ZF;
1304                                 } else if (ops->cmpxchg8b_emulated == NULL) {
1305                                         rc = X86EMUL_UNHANDLEABLE;
1306                                         goto done;
1307                                 } else {
1308                                         if ((rc = ops->cmpxchg8b_emulated(cr2, old_lo,
1309                                                                                                           old_hi,
1310                                                                                                           _regs[VCPU_REGS_RBX],
1311                                                                                                           _regs[VCPU_REGS_RCX],
1312                                                                                                           ctxt)) != 0)
1313                                                 goto done;
1314                                         _eflags |= EFLG_ZF;
1315                                 }
1316                                 break;
1317                         }
1318 #elif defined(__x86_64__)
1319                         {
1320                                 unsigned long old, new;
1321                                 if ((rc = ops->read_emulated(cr2, &old, 8, ctxt)) != 0)
1322                                         goto done;
1323                                 if (((uint32_t) (old >> 0) != (uint32_t) _regs[VCPU_REGS_RAX])
1324                                         || ((uint32_t) (old >> 32) !=
1325                                                 (uint32_t) _regs[VCPU_REGS_RDX])) {
1326                                         _regs[VCPU_REGS_RAX] = (uint32_t) (old >> 0);
1327                                         _regs[VCPU_REGS_RDX] = (uint32_t) (old >> 32);
1328                                         _eflags &= ~EFLG_ZF;
1329                                 } else {
1330                                         new =
1331                                                 (_regs[VCPU_REGS_RCX] << 32) | (uint32_t)
1332                                                 _regs[VCPU_REGS_RBX];
1333                                         if ((rc =
1334                                                  ops->cmpxchg_emulated(cr2, old, new, 8, ctxt)) != 0)
1335                                                 goto done;
1336                                         _eflags |= EFLG_ZF;
1337                                 }
1338                                 break;
1339                         }
1340 #endif
1341         }
1342         goto writeback;
1343
1344 cannot_emulate:
1345         printd("Cannot emulate %02x\n", b);
1346         return -1;
1347 }