xref: /openbmc/qemu/target/i386/tcg/translate.c (revision f28b958cbf08c4019f99091208e5c877b857b030)
1 /*
2  *  i386 translation
3  *
4  *  Copyright (c) 2003 Fabrice Bellard
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  */
19 #include "qemu/osdep.h"
20 
21 #include "qemu/host-utils.h"
22 #include "cpu.h"
23 #include "disas/disas.h"
24 #include "exec/exec-all.h"
25 #include "tcg/tcg-op.h"
26 #include "tcg/tcg-op-gvec.h"
27 #include "exec/cpu_ldst.h"
28 #include "exec/translator.h"
29 #include "fpu/softfloat.h"
30 
31 #include "exec/helper-proto.h"
32 #include "exec/helper-gen.h"
33 #include "helper-tcg.h"
34 
35 #include "exec/log.h"
36 
37 #define HELPER_H "helper.h"
38 #include "exec/helper-info.c.inc"
39 #undef  HELPER_H
40 
41 
42 #define PREFIX_REPZ   0x01
43 #define PREFIX_REPNZ  0x02
44 #define PREFIX_LOCK   0x04
45 #define PREFIX_DATA   0x08
46 #define PREFIX_ADR    0x10
47 #define PREFIX_VEX    0x20
48 #define PREFIX_REX    0x40
49 
50 #ifdef TARGET_X86_64
51 # define ctztl  ctz64
52 # define clztl  clz64
53 #else
54 # define ctztl  ctz32
55 # define clztl  clz32
56 #endif
57 
58 /* For a switch indexed by MODRM, match all memory operands for a given OP.  */
59 #define CASE_MODRM_MEM_OP(OP) \
60     case (0 << 6) | (OP << 3) | 0 ... (0 << 6) | (OP << 3) | 7: \
61     case (1 << 6) | (OP << 3) | 0 ... (1 << 6) | (OP << 3) | 7: \
62     case (2 << 6) | (OP << 3) | 0 ... (2 << 6) | (OP << 3) | 7
63 
64 #define CASE_MODRM_OP(OP) \
65     case (0 << 6) | (OP << 3) | 0 ... (0 << 6) | (OP << 3) | 7: \
66     case (1 << 6) | (OP << 3) | 0 ... (1 << 6) | (OP << 3) | 7: \
67     case (2 << 6) | (OP << 3) | 0 ... (2 << 6) | (OP << 3) | 7: \
68     case (3 << 6) | (OP << 3) | 0 ... (3 << 6) | (OP << 3) | 7
69 
70 //#define MACRO_TEST   1
71 
72 /* global register indexes */
73 static TCGv cpu_cc_dst, cpu_cc_src, cpu_cc_src2;
74 static TCGv cpu_eip;
75 static TCGv_i32 cpu_cc_op;
76 static TCGv cpu_regs[CPU_NB_REGS];
77 static TCGv cpu_seg_base[6];
78 static TCGv_i64 cpu_bndl[4];
79 static TCGv_i64 cpu_bndu[4];
80 
81 typedef struct DisasContext {
82     DisasContextBase base;
83 
84     target_ulong pc;       /* pc = eip + cs_base */
85     target_ulong cs_base;  /* base of CS segment */
86     target_ulong pc_save;
87 
88     MemOp aflag;
89     MemOp dflag;
90 
91     int8_t override; /* -1 if no override, else R_CS, R_DS, etc */
92     uint8_t prefix;
93 
94     bool has_modrm;
95     uint8_t modrm;
96 
97 #ifndef CONFIG_USER_ONLY
98     uint8_t cpl;   /* code priv level */
99     uint8_t iopl;  /* i/o priv level */
100 #endif
101     uint8_t vex_l;  /* vex vector length */
102     uint8_t vex_v;  /* vex vvvv register, without 1's complement.  */
103     uint8_t popl_esp_hack; /* for correct popl with esp base handling */
104     uint8_t rip_offset; /* only used in x86_64, but left for simplicity */
105 
106 #ifdef TARGET_X86_64
107     uint8_t rex_r;
108     uint8_t rex_x;
109     uint8_t rex_b;
110 #endif
111     bool vex_w; /* used by AVX even on 32-bit processors */
112     bool jmp_opt; /* use direct block chaining for direct jumps */
113     bool repz_opt; /* optimize jumps within repz instructions */
114     bool cc_op_dirty;
115 
116     CCOp cc_op;  /* current CC operation */
117     int mem_index; /* select memory access functions */
118     uint32_t flags; /* all execution flags */
119     int cpuid_features;
120     int cpuid_ext_features;
121     int cpuid_ext2_features;
122     int cpuid_ext3_features;
123     int cpuid_7_0_ebx_features;
124     int cpuid_7_0_ecx_features;
125     int cpuid_7_1_eax_features;
126     int cpuid_xsave_features;
127 
128     /* TCG local temps */
129     TCGv cc_srcT;
130     TCGv A0;
131     TCGv T0;
132     TCGv T1;
133 
134     /* TCG local register indexes (only used inside old micro ops) */
135     TCGv tmp0;
136     TCGv tmp4;
137     TCGv_i32 tmp2_i32;
138     TCGv_i32 tmp3_i32;
139     TCGv_i64 tmp1_i64;
140 
141     sigjmp_buf jmpbuf;
142     TCGOp *prev_insn_end;
143 } DisasContext;
144 
145 #define DISAS_EOB_ONLY         DISAS_TARGET_0
146 #define DISAS_EOB_NEXT         DISAS_TARGET_1
147 #define DISAS_EOB_INHIBIT_IRQ  DISAS_TARGET_2
148 #define DISAS_JUMP             DISAS_TARGET_3
149 
150 /* The environment in which user-only runs is constrained. */
151 #ifdef CONFIG_USER_ONLY
152 #define PE(S)     true
153 #define CPL(S)    3
154 #define IOPL(S)   0
155 #define SVME(S)   false
156 #define GUEST(S)  false
157 #else
158 #define PE(S)     (((S)->flags & HF_PE_MASK) != 0)
159 #define CPL(S)    ((S)->cpl)
160 #define IOPL(S)   ((S)->iopl)
161 #define SVME(S)   (((S)->flags & HF_SVME_MASK) != 0)
162 #define GUEST(S)  (((S)->flags & HF_GUEST_MASK) != 0)
163 #endif
164 #if defined(CONFIG_USER_ONLY) && defined(TARGET_X86_64)
165 #define VM86(S)   false
166 #define CODE32(S) true
167 #define SS32(S)   true
168 #define ADDSEG(S) false
169 #else
170 #define VM86(S)   (((S)->flags & HF_VM_MASK) != 0)
171 #define CODE32(S) (((S)->flags & HF_CS32_MASK) != 0)
172 #define SS32(S)   (((S)->flags & HF_SS32_MASK) != 0)
173 #define ADDSEG(S) (((S)->flags & HF_ADDSEG_MASK) != 0)
174 #endif
175 #if !defined(TARGET_X86_64)
176 #define CODE64(S) false
177 #elif defined(CONFIG_USER_ONLY)
178 #define CODE64(S) true
179 #else
180 #define CODE64(S) (((S)->flags & HF_CS64_MASK) != 0)
181 #endif
182 #if defined(CONFIG_USER_ONLY) || defined(TARGET_X86_64)
183 #define LMA(S)    (((S)->flags & HF_LMA_MASK) != 0)
184 #else
185 #define LMA(S)    false
186 #endif
187 
188 #ifdef TARGET_X86_64
189 #define REX_PREFIX(S)  (((S)->prefix & PREFIX_REX) != 0)
190 #define REX_W(S)       ((S)->vex_w)
191 #define REX_R(S)       ((S)->rex_r + 0)
192 #define REX_X(S)       ((S)->rex_x + 0)
193 #define REX_B(S)       ((S)->rex_b + 0)
194 #else
195 #define REX_PREFIX(S)  false
196 #define REX_W(S)       false
197 #define REX_R(S)       0
198 #define REX_X(S)       0
199 #define REX_B(S)       0
200 #endif
201 
202 /*
203  * Many sysemu-only helpers are not reachable for user-only.
204  * Define stub generators here, so that we need not either sprinkle
205  * ifdefs through the translator, nor provide the helper function.
206  */
207 #define STUB_HELPER(NAME, ...) \
208     static inline void gen_helper_##NAME(__VA_ARGS__) \
209     { qemu_build_not_reached(); }
210 
211 #ifdef CONFIG_USER_ONLY
212 STUB_HELPER(clgi, TCGv_env env)
213 STUB_HELPER(flush_page, TCGv_env env, TCGv addr)
214 STUB_HELPER(hlt, TCGv_env env, TCGv_i32 pc_ofs)
215 STUB_HELPER(inb, TCGv ret, TCGv_env env, TCGv_i32 port)
216 STUB_HELPER(inw, TCGv ret, TCGv_env env, TCGv_i32 port)
217 STUB_HELPER(inl, TCGv ret, TCGv_env env, TCGv_i32 port)
218 STUB_HELPER(monitor, TCGv_env env, TCGv addr)
219 STUB_HELPER(mwait, TCGv_env env, TCGv_i32 pc_ofs)
220 STUB_HELPER(outb, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
221 STUB_HELPER(outw, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
222 STUB_HELPER(outl, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
223 STUB_HELPER(rdmsr, TCGv_env env)
224 STUB_HELPER(read_crN, TCGv ret, TCGv_env env, TCGv_i32 reg)
225 STUB_HELPER(get_dr, TCGv ret, TCGv_env env, TCGv_i32 reg)
226 STUB_HELPER(set_dr, TCGv_env env, TCGv_i32 reg, TCGv val)
227 STUB_HELPER(stgi, TCGv_env env)
228 STUB_HELPER(svm_check_intercept, TCGv_env env, TCGv_i32 type)
229 STUB_HELPER(vmload, TCGv_env env, TCGv_i32 aflag)
230 STUB_HELPER(vmmcall, TCGv_env env)
231 STUB_HELPER(vmrun, TCGv_env env, TCGv_i32 aflag, TCGv_i32 pc_ofs)
232 STUB_HELPER(vmsave, TCGv_env env, TCGv_i32 aflag)
233 STUB_HELPER(write_crN, TCGv_env env, TCGv_i32 reg, TCGv val)
234 STUB_HELPER(wrmsr, TCGv_env env)
235 #endif
236 
237 static void gen_eob(DisasContext *s);
238 static void gen_jr(DisasContext *s);
239 static void gen_jmp_rel(DisasContext *s, MemOp ot, int diff, int tb_num);
240 static void gen_jmp_rel_csize(DisasContext *s, int diff, int tb_num);
241 static void gen_op(DisasContext *s1, int op, MemOp ot, int d);
242 static void gen_exception_gpf(DisasContext *s);
243 
244 /* i386 arith/logic operations */
245 enum {
246     OP_ADDL,
247     OP_ORL,
248     OP_ADCL,
249     OP_SBBL,
250     OP_ANDL,
251     OP_SUBL,
252     OP_XORL,
253     OP_CMPL,
254 };
255 
256 /* i386 shift ops */
257 enum {
258     OP_ROL,
259     OP_ROR,
260     OP_RCL,
261     OP_RCR,
262     OP_SHL,
263     OP_SHR,
264     OP_SHL1, /* undocumented */
265     OP_SAR = 7,
266 };
267 
268 enum {
269     JCC_O,
270     JCC_B,
271     JCC_Z,
272     JCC_BE,
273     JCC_S,
274     JCC_P,
275     JCC_L,
276     JCC_LE,
277 };
278 
279 enum {
280     /* I386 int registers */
281     OR_EAX,   /* MUST be even numbered */
282     OR_ECX,
283     OR_EDX,
284     OR_EBX,
285     OR_ESP,
286     OR_EBP,
287     OR_ESI,
288     OR_EDI,
289 
290     OR_TMP0 = 16,    /* temporary operand register */
291     OR_TMP1,
292     OR_A0, /* temporary register used when doing address evaluation */
293 };
294 
295 enum {
296     USES_CC_DST  = 1,
297     USES_CC_SRC  = 2,
298     USES_CC_SRC2 = 4,
299     USES_CC_SRCT = 8,
300 };
301 
302 /* Bit set if the global variable is live after setting CC_OP to X.  */
303 static const uint8_t cc_op_live[CC_OP_NB] = {
304     [CC_OP_DYNAMIC] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
305     [CC_OP_EFLAGS] = USES_CC_SRC,
306     [CC_OP_MULB ... CC_OP_MULQ] = USES_CC_DST | USES_CC_SRC,
307     [CC_OP_ADDB ... CC_OP_ADDQ] = USES_CC_DST | USES_CC_SRC,
308     [CC_OP_ADCB ... CC_OP_ADCQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
309     [CC_OP_SUBB ... CC_OP_SUBQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRCT,
310     [CC_OP_SBBB ... CC_OP_SBBQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
311     [CC_OP_LOGICB ... CC_OP_LOGICQ] = USES_CC_DST,
312     [CC_OP_INCB ... CC_OP_INCQ] = USES_CC_DST | USES_CC_SRC,
313     [CC_OP_DECB ... CC_OP_DECQ] = USES_CC_DST | USES_CC_SRC,
314     [CC_OP_SHLB ... CC_OP_SHLQ] = USES_CC_DST | USES_CC_SRC,
315     [CC_OP_SARB ... CC_OP_SARQ] = USES_CC_DST | USES_CC_SRC,
316     [CC_OP_BMILGB ... CC_OP_BMILGQ] = USES_CC_DST | USES_CC_SRC,
317     [CC_OP_ADCX] = USES_CC_DST | USES_CC_SRC,
318     [CC_OP_ADOX] = USES_CC_SRC | USES_CC_SRC2,
319     [CC_OP_ADCOX] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
320     [CC_OP_CLR] = 0,
321     [CC_OP_POPCNT] = USES_CC_SRC,
322 };
323 
324 static void set_cc_op(DisasContext *s, CCOp op)
325 {
326     int dead;
327 
328     if (s->cc_op == op) {
329         return;
330     }
331 
332     /* Discard CC computation that will no longer be used.  */
333     dead = cc_op_live[s->cc_op] & ~cc_op_live[op];
334     if (dead & USES_CC_DST) {
335         tcg_gen_discard_tl(cpu_cc_dst);
336     }
337     if (dead & USES_CC_SRC) {
338         tcg_gen_discard_tl(cpu_cc_src);
339     }
340     if (dead & USES_CC_SRC2) {
341         tcg_gen_discard_tl(cpu_cc_src2);
342     }
343     if (dead & USES_CC_SRCT) {
344         tcg_gen_discard_tl(s->cc_srcT);
345     }
346 
347     if (op == CC_OP_DYNAMIC) {
348         /* The DYNAMIC setting is translator only, and should never be
349            stored.  Thus we always consider it clean.  */
350         s->cc_op_dirty = false;
351     } else {
352         /* Discard any computed CC_OP value (see shifts).  */
353         if (s->cc_op == CC_OP_DYNAMIC) {
354             tcg_gen_discard_i32(cpu_cc_op);
355         }
356         s->cc_op_dirty = true;
357     }
358     s->cc_op = op;
359 }
360 
361 static void gen_update_cc_op(DisasContext *s)
362 {
363     if (s->cc_op_dirty) {
364         tcg_gen_movi_i32(cpu_cc_op, s->cc_op);
365         s->cc_op_dirty = false;
366     }
367 }
368 
369 #ifdef TARGET_X86_64
370 
371 #define NB_OP_SIZES 4
372 
373 #else /* !TARGET_X86_64 */
374 
375 #define NB_OP_SIZES 3
376 
377 #endif /* !TARGET_X86_64 */
378 
379 #if HOST_BIG_ENDIAN
380 #define REG_B_OFFSET (sizeof(target_ulong) - 1)
381 #define REG_H_OFFSET (sizeof(target_ulong) - 2)
382 #define REG_W_OFFSET (sizeof(target_ulong) - 2)
383 #define REG_L_OFFSET (sizeof(target_ulong) - 4)
384 #define REG_LH_OFFSET (sizeof(target_ulong) - 8)
385 #else
386 #define REG_B_OFFSET 0
387 #define REG_H_OFFSET 1
388 #define REG_W_OFFSET 0
389 #define REG_L_OFFSET 0
390 #define REG_LH_OFFSET 4
391 #endif
392 
393 /* In instruction encodings for byte register accesses the
394  * register number usually indicates "low 8 bits of register N";
395  * however there are some special cases where N 4..7 indicates
396  * [AH, CH, DH, BH], ie "bits 15..8 of register N-4". Return
397  * true for this special case, false otherwise.
398  */
399 static inline bool byte_reg_is_xH(DisasContext *s, int reg)
400 {
401     /* Any time the REX prefix is present, byte registers are uniform */
402     if (reg < 4 || REX_PREFIX(s)) {
403         return false;
404     }
405     return true;
406 }
407 
408 /* Select the size of a push/pop operation.  */
409 static inline MemOp mo_pushpop(DisasContext *s, MemOp ot)
410 {
411     if (CODE64(s)) {
412         return ot == MO_16 ? MO_16 : MO_64;
413     } else {
414         return ot;
415     }
416 }
417 
418 /* Select the size of the stack pointer.  */
419 static inline MemOp mo_stacksize(DisasContext *s)
420 {
421     return CODE64(s) ? MO_64 : SS32(s) ? MO_32 : MO_16;
422 }
423 
424 /* Select only size 64 else 32.  Used for SSE operand sizes.  */
425 static inline MemOp mo_64_32(MemOp ot)
426 {
427 #ifdef TARGET_X86_64
428     return ot == MO_64 ? MO_64 : MO_32;
429 #else
430     return MO_32;
431 #endif
432 }
433 
434 /* Select size 8 if lsb of B is clear, else OT.  Used for decoding
435    byte vs word opcodes.  */
436 static inline MemOp mo_b_d(int b, MemOp ot)
437 {
438     return b & 1 ? ot : MO_8;
439 }
440 
441 /* Select size 8 if lsb of B is clear, else OT capped at 32.
442    Used for decoding operand size of port opcodes.  */
443 static inline MemOp mo_b_d32(int b, MemOp ot)
444 {
445     return b & 1 ? (ot == MO_16 ? MO_16 : MO_32) : MO_8;
446 }
447 
448 /* Compute the result of writing t0 to the OT-sized register REG.
449  *
450  * If DEST is NULL, store the result into the register and return the
451  * register's TCGv.
452  *
453  * If DEST is not NULL, store the result into DEST and return the
454  * register's TCGv.
455  */
456 static TCGv gen_op_deposit_reg_v(DisasContext *s, MemOp ot, int reg, TCGv dest, TCGv t0)
457 {
458     switch(ot) {
459     case MO_8:
460         if (byte_reg_is_xH(s, reg)) {
461             dest = dest ? dest : cpu_regs[reg - 4];
462             tcg_gen_deposit_tl(dest, cpu_regs[reg - 4], t0, 8, 8);
463             return cpu_regs[reg - 4];
464         }
465         dest = dest ? dest : cpu_regs[reg];
466         tcg_gen_deposit_tl(dest, cpu_regs[reg], t0, 0, 8);
467         break;
468     case MO_16:
469         dest = dest ? dest : cpu_regs[reg];
470         tcg_gen_deposit_tl(dest, cpu_regs[reg], t0, 0, 16);
471         break;
472     case MO_32:
473         /* For x86_64, this sets the higher half of register to zero.
474            For i386, this is equivalent to a mov. */
475         dest = dest ? dest : cpu_regs[reg];
476         tcg_gen_ext32u_tl(dest, t0);
477         break;
478 #ifdef TARGET_X86_64
479     case MO_64:
480         dest = dest ? dest : cpu_regs[reg];
481         tcg_gen_mov_tl(dest, t0);
482         break;
483 #endif
484     default:
485         g_assert_not_reached();
486     }
487     return cpu_regs[reg];
488 }
489 
490 static void gen_op_mov_reg_v(DisasContext *s, MemOp ot, int reg, TCGv t0)
491 {
492     gen_op_deposit_reg_v(s, ot, reg, NULL, t0);
493 }
494 
495 static inline
496 void gen_op_mov_v_reg(DisasContext *s, MemOp ot, TCGv t0, int reg)
497 {
498     if (ot == MO_8 && byte_reg_is_xH(s, reg)) {
499         tcg_gen_extract_tl(t0, cpu_regs[reg - 4], 8, 8);
500     } else {
501         tcg_gen_mov_tl(t0, cpu_regs[reg]);
502     }
503 }
504 
505 static void gen_add_A0_im(DisasContext *s, int val)
506 {
507     tcg_gen_addi_tl(s->A0, s->A0, val);
508     if (!CODE64(s)) {
509         tcg_gen_ext32u_tl(s->A0, s->A0);
510     }
511 }
512 
513 static inline void gen_op_jmp_v(DisasContext *s, TCGv dest)
514 {
515     tcg_gen_mov_tl(cpu_eip, dest);
516     s->pc_save = -1;
517 }
518 
519 static inline
520 void gen_op_add_reg_im(DisasContext *s, MemOp size, int reg, int32_t val)
521 {
522     tcg_gen_addi_tl(s->tmp0, cpu_regs[reg], val);
523     gen_op_mov_reg_v(s, size, reg, s->tmp0);
524 }
525 
526 static inline void gen_op_add_reg(DisasContext *s, MemOp size, int reg, TCGv val)
527 {
528     tcg_gen_add_tl(s->tmp0, cpu_regs[reg], val);
529     gen_op_mov_reg_v(s, size, reg, s->tmp0);
530 }
531 
532 static inline void gen_op_ld_v(DisasContext *s, int idx, TCGv t0, TCGv a0)
533 {
534     tcg_gen_qemu_ld_tl(t0, a0, s->mem_index, idx | MO_LE);
535 }
536 
537 static inline void gen_op_st_v(DisasContext *s, int idx, TCGv t0, TCGv a0)
538 {
539     tcg_gen_qemu_st_tl(t0, a0, s->mem_index, idx | MO_LE);
540 }
541 
542 static inline void gen_op_st_rm_T0_A0(DisasContext *s, int idx, int d)
543 {
544     if (d == OR_TMP0) {
545         gen_op_st_v(s, idx, s->T0, s->A0);
546     } else {
547         gen_op_mov_reg_v(s, idx, d, s->T0);
548     }
549 }
550 
551 static void gen_update_eip_cur(DisasContext *s)
552 {
553     assert(s->pc_save != -1);
554     if (tb_cflags(s->base.tb) & CF_PCREL) {
555         tcg_gen_addi_tl(cpu_eip, cpu_eip, s->base.pc_next - s->pc_save);
556     } else if (CODE64(s)) {
557         tcg_gen_movi_tl(cpu_eip, s->base.pc_next);
558     } else {
559         tcg_gen_movi_tl(cpu_eip, (uint32_t)(s->base.pc_next - s->cs_base));
560     }
561     s->pc_save = s->base.pc_next;
562 }
563 
564 static void gen_update_eip_next(DisasContext *s)
565 {
566     assert(s->pc_save != -1);
567     if (tb_cflags(s->base.tb) & CF_PCREL) {
568         tcg_gen_addi_tl(cpu_eip, cpu_eip, s->pc - s->pc_save);
569     } else if (CODE64(s)) {
570         tcg_gen_movi_tl(cpu_eip, s->pc);
571     } else {
572         tcg_gen_movi_tl(cpu_eip, (uint32_t)(s->pc - s->cs_base));
573     }
574     s->pc_save = s->pc;
575 }
576 
577 static int cur_insn_len(DisasContext *s)
578 {
579     return s->pc - s->base.pc_next;
580 }
581 
582 static TCGv_i32 cur_insn_len_i32(DisasContext *s)
583 {
584     return tcg_constant_i32(cur_insn_len(s));
585 }
586 
587 static TCGv_i32 eip_next_i32(DisasContext *s)
588 {
589     assert(s->pc_save != -1);
590     /*
591      * This function has two users: lcall_real (always 16-bit mode), and
592      * iret_protected (16, 32, or 64-bit mode).  IRET only uses the value
593      * when EFLAGS.NT is set, which is illegal in 64-bit mode, which is
594      * why passing a 32-bit value isn't broken.  To avoid using this where
595      * we shouldn't, return -1 in 64-bit mode so that execution goes into
596      * the weeds quickly.
597      */
598     if (CODE64(s)) {
599         return tcg_constant_i32(-1);
600     }
601     if (tb_cflags(s->base.tb) & CF_PCREL) {
602         TCGv_i32 ret = tcg_temp_new_i32();
603         tcg_gen_trunc_tl_i32(ret, cpu_eip);
604         tcg_gen_addi_i32(ret, ret, s->pc - s->pc_save);
605         return ret;
606     } else {
607         return tcg_constant_i32(s->pc - s->cs_base);
608     }
609 }
610 
611 static TCGv eip_next_tl(DisasContext *s)
612 {
613     assert(s->pc_save != -1);
614     if (tb_cflags(s->base.tb) & CF_PCREL) {
615         TCGv ret = tcg_temp_new();
616         tcg_gen_addi_tl(ret, cpu_eip, s->pc - s->pc_save);
617         return ret;
618     } else if (CODE64(s)) {
619         return tcg_constant_tl(s->pc);
620     } else {
621         return tcg_constant_tl((uint32_t)(s->pc - s->cs_base));
622     }
623 }
624 
625 static TCGv eip_cur_tl(DisasContext *s)
626 {
627     assert(s->pc_save != -1);
628     if (tb_cflags(s->base.tb) & CF_PCREL) {
629         TCGv ret = tcg_temp_new();
630         tcg_gen_addi_tl(ret, cpu_eip, s->base.pc_next - s->pc_save);
631         return ret;
632     } else if (CODE64(s)) {
633         return tcg_constant_tl(s->base.pc_next);
634     } else {
635         return tcg_constant_tl((uint32_t)(s->base.pc_next - s->cs_base));
636     }
637 }
638 
639 /* Compute SEG:REG into DEST.  SEG is selected from the override segment
640    (OVR_SEG) and the default segment (DEF_SEG).  OVR_SEG may be -1 to
641    indicate no override.  */
642 static void gen_lea_v_seg_dest(DisasContext *s, MemOp aflag, TCGv dest, TCGv a0,
643                                int def_seg, int ovr_seg)
644 {
645     switch (aflag) {
646 #ifdef TARGET_X86_64
647     case MO_64:
648         if (ovr_seg < 0) {
649             tcg_gen_mov_tl(dest, a0);
650             return;
651         }
652         break;
653 #endif
654     case MO_32:
655         /* 32 bit address */
656         if (ovr_seg < 0 && ADDSEG(s)) {
657             ovr_seg = def_seg;
658         }
659         if (ovr_seg < 0) {
660             tcg_gen_ext32u_tl(dest, a0);
661             return;
662         }
663         break;
664     case MO_16:
665         /* 16 bit address */
666         tcg_gen_ext16u_tl(dest, a0);
667         a0 = dest;
668         if (ovr_seg < 0) {
669             if (ADDSEG(s)) {
670                 ovr_seg = def_seg;
671             } else {
672                 return;
673             }
674         }
675         break;
676     default:
677         g_assert_not_reached();
678     }
679 
680     if (ovr_seg >= 0) {
681         TCGv seg = cpu_seg_base[ovr_seg];
682 
683         if (aflag == MO_64) {
684             tcg_gen_add_tl(dest, a0, seg);
685         } else if (CODE64(s)) {
686             tcg_gen_ext32u_tl(dest, a0);
687             tcg_gen_add_tl(dest, dest, seg);
688         } else {
689             tcg_gen_add_tl(dest, a0, seg);
690             tcg_gen_ext32u_tl(dest, dest);
691         }
692     }
693 }
694 
695 static void gen_lea_v_seg(DisasContext *s, MemOp aflag, TCGv a0,
696                           int def_seg, int ovr_seg)
697 {
698     gen_lea_v_seg_dest(s, aflag, s->A0, a0, def_seg, ovr_seg);
699 }
700 
701 static inline void gen_string_movl_A0_ESI(DisasContext *s)
702 {
703     gen_lea_v_seg(s, s->aflag, cpu_regs[R_ESI], R_DS, s->override);
704 }
705 
706 static inline void gen_string_movl_A0_EDI(DisasContext *s)
707 {
708     gen_lea_v_seg(s, s->aflag, cpu_regs[R_EDI], R_ES, -1);
709 }
710 
711 static inline TCGv gen_compute_Dshift(DisasContext *s, MemOp ot)
712 {
713     TCGv dshift = tcg_temp_new();
714     tcg_gen_ld32s_tl(dshift, tcg_env, offsetof(CPUX86State, df));
715     tcg_gen_shli_tl(dshift, dshift, ot);
716     return dshift;
717 };
718 
719 static TCGv gen_ext_tl(TCGv dst, TCGv src, MemOp size, bool sign)
720 {
721     if (size == MO_TL) {
722         return src;
723     }
724     if (!dst) {
725         dst = tcg_temp_new();
726     }
727     tcg_gen_ext_tl(dst, src, size | (sign ? MO_SIGN : 0));
728     return dst;
729 }
730 
731 static void gen_extu(MemOp ot, TCGv reg)
732 {
733     gen_ext_tl(reg, reg, ot, false);
734 }
735 
736 static void gen_exts(MemOp ot, TCGv reg)
737 {
738     gen_ext_tl(reg, reg, ot, true);
739 }
740 
741 static void gen_op_j_ecx(DisasContext *s, TCGCond cond, TCGLabel *label1)
742 {
743     TCGv tmp = gen_ext_tl(NULL, cpu_regs[R_ECX], s->aflag, false);
744 
745     tcg_gen_brcondi_tl(cond, tmp, 0, label1);
746 }
747 
748 static inline void gen_op_jz_ecx(DisasContext *s, TCGLabel *label1)
749 {
750     gen_op_j_ecx(s, TCG_COND_EQ, label1);
751 }
752 
753 static inline void gen_op_jnz_ecx(DisasContext *s, TCGLabel *label1)
754 {
755     gen_op_j_ecx(s, TCG_COND_NE, label1);
756 }
757 
758 static void gen_helper_in_func(MemOp ot, TCGv v, TCGv_i32 n)
759 {
760     switch (ot) {
761     case MO_8:
762         gen_helper_inb(v, tcg_env, n);
763         break;
764     case MO_16:
765         gen_helper_inw(v, tcg_env, n);
766         break;
767     case MO_32:
768         gen_helper_inl(v, tcg_env, n);
769         break;
770     default:
771         g_assert_not_reached();
772     }
773 }
774 
775 static void gen_helper_out_func(MemOp ot, TCGv_i32 v, TCGv_i32 n)
776 {
777     switch (ot) {
778     case MO_8:
779         gen_helper_outb(tcg_env, v, n);
780         break;
781     case MO_16:
782         gen_helper_outw(tcg_env, v, n);
783         break;
784     case MO_32:
785         gen_helper_outl(tcg_env, v, n);
786         break;
787     default:
788         g_assert_not_reached();
789     }
790 }
791 
792 /*
793  * Validate that access to [port, port + 1<<ot) is allowed.
794  * Raise #GP, or VMM exit if not.
795  */
796 static bool gen_check_io(DisasContext *s, MemOp ot, TCGv_i32 port,
797                          uint32_t svm_flags)
798 {
799 #ifdef CONFIG_USER_ONLY
800     /*
801      * We do not implement the ioperm(2) syscall, so the TSS check
802      * will always fail.
803      */
804     gen_exception_gpf(s);
805     return false;
806 #else
807     if (PE(s) && (CPL(s) > IOPL(s) || VM86(s))) {
808         gen_helper_check_io(tcg_env, port, tcg_constant_i32(1 << ot));
809     }
810     if (GUEST(s)) {
811         gen_update_cc_op(s);
812         gen_update_eip_cur(s);
813         if (s->prefix & (PREFIX_REPZ | PREFIX_REPNZ)) {
814             svm_flags |= SVM_IOIO_REP_MASK;
815         }
816         svm_flags |= 1 << (SVM_IOIO_SIZE_SHIFT + ot);
817         gen_helper_svm_check_io(tcg_env, port,
818                                 tcg_constant_i32(svm_flags),
819                                 cur_insn_len_i32(s));
820     }
821     return true;
822 #endif
823 }
824 
825 static void gen_movs(DisasContext *s, MemOp ot)
826 {
827     TCGv dshift;
828 
829     gen_string_movl_A0_ESI(s);
830     gen_op_ld_v(s, ot, s->T0, s->A0);
831     gen_string_movl_A0_EDI(s);
832     gen_op_st_v(s, ot, s->T0, s->A0);
833 
834     dshift = gen_compute_Dshift(s, ot);
835     gen_op_add_reg(s, s->aflag, R_ESI, dshift);
836     gen_op_add_reg(s, s->aflag, R_EDI, dshift);
837 }
838 
839 static void gen_op_update1_cc(DisasContext *s)
840 {
841     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
842 }
843 
844 static void gen_op_update2_cc(DisasContext *s)
845 {
846     tcg_gen_mov_tl(cpu_cc_src, s->T1);
847     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
848 }
849 
850 static void gen_op_update3_cc(DisasContext *s, TCGv reg)
851 {
852     tcg_gen_mov_tl(cpu_cc_src2, reg);
853     tcg_gen_mov_tl(cpu_cc_src, s->T1);
854     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
855 }
856 
857 static inline void gen_op_testl_T0_T1_cc(DisasContext *s)
858 {
859     tcg_gen_and_tl(cpu_cc_dst, s->T0, s->T1);
860 }
861 
862 static void gen_op_update_neg_cc(DisasContext *s)
863 {
864     tcg_gen_mov_tl(cpu_cc_dst, s->T0);
865     tcg_gen_neg_tl(cpu_cc_src, s->T0);
866     tcg_gen_movi_tl(s->cc_srcT, 0);
867 }
868 
869 /* compute all eflags to reg */
870 static void gen_mov_eflags(DisasContext *s, TCGv reg)
871 {
872     TCGv dst, src1, src2;
873     TCGv_i32 cc_op;
874     int live, dead;
875 
876     if (s->cc_op == CC_OP_EFLAGS) {
877         tcg_gen_mov_tl(reg, cpu_cc_src);
878         return;
879     }
880     if (s->cc_op == CC_OP_CLR) {
881         tcg_gen_movi_tl(reg, CC_Z | CC_P);
882         return;
883     }
884 
885     dst = cpu_cc_dst;
886     src1 = cpu_cc_src;
887     src2 = cpu_cc_src2;
888 
889     /* Take care to not read values that are not live.  */
890     live = cc_op_live[s->cc_op] & ~USES_CC_SRCT;
891     dead = live ^ (USES_CC_DST | USES_CC_SRC | USES_CC_SRC2);
892     if (dead) {
893         TCGv zero = tcg_constant_tl(0);
894         if (dead & USES_CC_DST) {
895             dst = zero;
896         }
897         if (dead & USES_CC_SRC) {
898             src1 = zero;
899         }
900         if (dead & USES_CC_SRC2) {
901             src2 = zero;
902         }
903     }
904 
905     if (s->cc_op != CC_OP_DYNAMIC) {
906         cc_op = tcg_constant_i32(s->cc_op);
907     } else {
908         cc_op = cpu_cc_op;
909     }
910     gen_helper_cc_compute_all(reg, dst, src1, src2, cc_op);
911 }
912 
913 /* compute all eflags to cc_src */
914 static void gen_compute_eflags(DisasContext *s)
915 {
916     gen_mov_eflags(s, cpu_cc_src);
917     set_cc_op(s, CC_OP_EFLAGS);
918 }
919 
920 typedef struct CCPrepare {
921     TCGCond cond;
922     TCGv reg;
923     TCGv reg2;
924     target_ulong imm;
925     target_ulong mask;
926     bool use_reg2;
927     bool no_setcond;
928 } CCPrepare;
929 
930 /* compute eflags.C to reg */
931 static CCPrepare gen_prepare_eflags_c(DisasContext *s, TCGv reg)
932 {
933     TCGv t0, t1;
934     int size, shift;
935 
936     switch (s->cc_op) {
937     case CC_OP_SUBB ... CC_OP_SUBQ:
938         /* (DATA_TYPE)CC_SRCT < (DATA_TYPE)CC_SRC */
939         size = s->cc_op - CC_OP_SUBB;
940         t1 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
941         /* If no temporary was used, be careful not to alias t1 and t0.  */
942         t0 = t1 == cpu_cc_src ? s->tmp0 : reg;
943         tcg_gen_mov_tl(t0, s->cc_srcT);
944         gen_extu(size, t0);
945         goto add_sub;
946 
947     case CC_OP_ADDB ... CC_OP_ADDQ:
948         /* (DATA_TYPE)CC_DST < (DATA_TYPE)CC_SRC */
949         size = s->cc_op - CC_OP_ADDB;
950         t1 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
951         t0 = gen_ext_tl(reg, cpu_cc_dst, size, false);
952     add_sub:
953         return (CCPrepare) { .cond = TCG_COND_LTU, .reg = t0,
954                              .reg2 = t1, .mask = -1, .use_reg2 = true };
955 
956     case CC_OP_LOGICB ... CC_OP_LOGICQ:
957     case CC_OP_CLR:
958     case CC_OP_POPCNT:
959         return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };
960 
961     case CC_OP_INCB ... CC_OP_INCQ:
962     case CC_OP_DECB ... CC_OP_DECQ:
963         return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
964                              .mask = -1, .no_setcond = true };
965 
966     case CC_OP_SHLB ... CC_OP_SHLQ:
967         /* (CC_SRC >> (DATA_BITS - 1)) & 1 */
968         size = s->cc_op - CC_OP_SHLB;
969         shift = (8 << size) - 1;
970         return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
971                              .mask = (target_ulong)1 << shift };
972 
973     case CC_OP_MULB ... CC_OP_MULQ:
974         return (CCPrepare) { .cond = TCG_COND_NE,
975                              .reg = cpu_cc_src, .mask = -1 };
976 
977     case CC_OP_BMILGB ... CC_OP_BMILGQ:
978         size = s->cc_op - CC_OP_BMILGB;
979         t0 = gen_ext_tl(reg, cpu_cc_src, size, false);
980         return (CCPrepare) { .cond = TCG_COND_EQ, .reg = t0, .mask = -1 };
981 
982     case CC_OP_ADCX:
983     case CC_OP_ADCOX:
984         return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_dst,
985                              .mask = -1, .no_setcond = true };
986 
987     case CC_OP_EFLAGS:
988     case CC_OP_SARB ... CC_OP_SARQ:
989         /* CC_SRC & 1 */
990         return (CCPrepare) { .cond = TCG_COND_NE,
991                              .reg = cpu_cc_src, .mask = CC_C };
992 
993     default:
994        /* The need to compute only C from CC_OP_DYNAMIC is important
995           in efficiently implementing e.g. INC at the start of a TB.  */
996        gen_update_cc_op(s);
997        gen_helper_cc_compute_c(reg, cpu_cc_dst, cpu_cc_src,
998                                cpu_cc_src2, cpu_cc_op);
999        return (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
1000                             .mask = -1, .no_setcond = true };
1001     }
1002 }
1003 
1004 /* compute eflags.P to reg */
1005 static CCPrepare gen_prepare_eflags_p(DisasContext *s, TCGv reg)
1006 {
1007     gen_compute_eflags(s);
1008     return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
1009                          .mask = CC_P };
1010 }
1011 
1012 /* compute eflags.S to reg */
1013 static CCPrepare gen_prepare_eflags_s(DisasContext *s, TCGv reg)
1014 {
1015     switch (s->cc_op) {
1016     case CC_OP_DYNAMIC:
1017         gen_compute_eflags(s);
1018         /* FALLTHRU */
1019     case CC_OP_EFLAGS:
1020     case CC_OP_ADCX:
1021     case CC_OP_ADOX:
1022     case CC_OP_ADCOX:
1023         return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
1024                              .mask = CC_S };
1025     case CC_OP_CLR:
1026     case CC_OP_POPCNT:
1027         return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };
1028     default:
1029         {
1030             MemOp size = (s->cc_op - CC_OP_ADDB) & 3;
1031             TCGv t0 = gen_ext_tl(reg, cpu_cc_dst, size, true);
1032             return (CCPrepare) { .cond = TCG_COND_LT, .reg = t0, .mask = -1 };
1033         }
1034     }
1035 }
1036 
1037 /* compute eflags.O to reg */
1038 static CCPrepare gen_prepare_eflags_o(DisasContext *s, TCGv reg)
1039 {
1040     switch (s->cc_op) {
1041     case CC_OP_ADOX:
1042     case CC_OP_ADCOX:
1043         return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src2,
1044                              .mask = -1, .no_setcond = true };
1045     case CC_OP_CLR:
1046     case CC_OP_POPCNT:
1047         return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };
1048     case CC_OP_MULB ... CC_OP_MULQ:
1049         return (CCPrepare) { .cond = TCG_COND_NE,
1050                              .reg = cpu_cc_src, .mask = -1 };
1051     default:
1052         gen_compute_eflags(s);
1053         return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
1054                              .mask = CC_O };
1055     }
1056 }
1057 
1058 /* compute eflags.Z to reg */
1059 static CCPrepare gen_prepare_eflags_z(DisasContext *s, TCGv reg)
1060 {
1061     switch (s->cc_op) {
1062     case CC_OP_DYNAMIC:
1063         gen_compute_eflags(s);
1064         /* FALLTHRU */
1065     case CC_OP_EFLAGS:
1066     case CC_OP_ADCX:
1067     case CC_OP_ADOX:
1068     case CC_OP_ADCOX:
1069         return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
1070                              .mask = CC_Z };
1071     case CC_OP_CLR:
1072         return (CCPrepare) { .cond = TCG_COND_ALWAYS, .mask = -1 };
1073     case CC_OP_POPCNT:
1074         return (CCPrepare) { .cond = TCG_COND_EQ, .reg = cpu_cc_src,
1075                              .mask = -1 };
1076     default:
1077         {
1078             MemOp size = (s->cc_op - CC_OP_ADDB) & 3;
1079             TCGv t0 = gen_ext_tl(reg, cpu_cc_dst, size, false);
1080             return (CCPrepare) { .cond = TCG_COND_EQ, .reg = t0, .mask = -1 };
1081         }
1082     }
1083 }
1084 
1085 /* perform a conditional store into register 'reg' according to jump opcode
1086    value 'b'. In the fast case, T0 is guaranteed not to be used. */
1087 static CCPrepare gen_prepare_cc(DisasContext *s, int b, TCGv reg)
1088 {
1089     int inv, jcc_op, cond;
1090     MemOp size;
1091     CCPrepare cc;
1092     TCGv t0;
1093 
1094     inv = b & 1;
1095     jcc_op = (b >> 1) & 7;
1096 
1097     switch (s->cc_op) {
1098     case CC_OP_SUBB ... CC_OP_SUBQ:
1099         /* We optimize relational operators for the cmp/jcc case.  */
1100         size = s->cc_op - CC_OP_SUBB;
1101         switch (jcc_op) {
1102         case JCC_BE:
1103             tcg_gen_mov_tl(s->tmp4, s->cc_srcT);
1104             gen_extu(size, s->tmp4);
1105             t0 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
1106             cc = (CCPrepare) { .cond = TCG_COND_LEU, .reg = s->tmp4,
1107                                .reg2 = t0, .mask = -1, .use_reg2 = true };
1108             break;
1109 
1110         case JCC_L:
1111             cond = TCG_COND_LT;
1112             goto fast_jcc_l;
1113         case JCC_LE:
1114             cond = TCG_COND_LE;
1115         fast_jcc_l:
1116             tcg_gen_mov_tl(s->tmp4, s->cc_srcT);
1117             gen_exts(size, s->tmp4);
1118             t0 = gen_ext_tl(s->tmp0, cpu_cc_src, size, true);
1119             cc = (CCPrepare) { .cond = cond, .reg = s->tmp4,
1120                                .reg2 = t0, .mask = -1, .use_reg2 = true };
1121             break;
1122 
1123         default:
1124             goto slow_jcc;
1125         }
1126         break;
1127 
1128     default:
1129     slow_jcc:
1130         /* This actually generates good code for JC, JZ and JS.  */
1131         switch (jcc_op) {
1132         case JCC_O:
1133             cc = gen_prepare_eflags_o(s, reg);
1134             break;
1135         case JCC_B:
1136             cc = gen_prepare_eflags_c(s, reg);
1137             break;
1138         case JCC_Z:
1139             cc = gen_prepare_eflags_z(s, reg);
1140             break;
1141         case JCC_BE:
1142             gen_compute_eflags(s);
1143             cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
1144                                .mask = CC_Z | CC_C };
1145             break;
1146         case JCC_S:
1147             cc = gen_prepare_eflags_s(s, reg);
1148             break;
1149         case JCC_P:
1150             cc = gen_prepare_eflags_p(s, reg);
1151             break;
1152         case JCC_L:
1153             gen_compute_eflags(s);
1154             if (reg == cpu_cc_src) {
1155                 reg = s->tmp0;
1156             }
1157             tcg_gen_addi_tl(reg, cpu_cc_src, CC_O - CC_S);
1158             cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
1159                                .mask = CC_O };
1160             break;
1161         default:
1162         case JCC_LE:
1163             gen_compute_eflags(s);
1164             if (reg == cpu_cc_src) {
1165                 reg = s->tmp0;
1166             }
1167             tcg_gen_addi_tl(reg, cpu_cc_src, CC_O - CC_S);
1168             cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
1169                                .mask = CC_O | CC_Z };
1170             break;
1171         }
1172         break;
1173     }
1174 
1175     if (inv) {
1176         cc.cond = tcg_invert_cond(cc.cond);
1177     }
1178     return cc;
1179 }
1180 
1181 static void gen_setcc1(DisasContext *s, int b, TCGv reg)
1182 {
1183     CCPrepare cc = gen_prepare_cc(s, b, reg);
1184 
1185     if (cc.no_setcond) {
1186         if (cc.cond == TCG_COND_EQ) {
1187             tcg_gen_xori_tl(reg, cc.reg, 1);
1188         } else {
1189             tcg_gen_mov_tl(reg, cc.reg);
1190         }
1191         return;
1192     }
1193 
1194     if (cc.cond == TCG_COND_NE && !cc.use_reg2 && cc.imm == 0 &&
1195         cc.mask != 0 && (cc.mask & (cc.mask - 1)) == 0) {
1196         tcg_gen_shri_tl(reg, cc.reg, ctztl(cc.mask));
1197         tcg_gen_andi_tl(reg, reg, 1);
1198         return;
1199     }
1200     if (cc.mask != -1) {
1201         tcg_gen_andi_tl(reg, cc.reg, cc.mask);
1202         cc.reg = reg;
1203     }
1204     if (cc.use_reg2) {
1205         tcg_gen_setcond_tl(cc.cond, reg, cc.reg, cc.reg2);
1206     } else {
1207         tcg_gen_setcondi_tl(cc.cond, reg, cc.reg, cc.imm);
1208     }
1209 }
1210 
1211 static inline void gen_compute_eflags_c(DisasContext *s, TCGv reg)
1212 {
1213     gen_setcc1(s, JCC_B << 1, reg);
1214 }
1215 
1216 /* generate a conditional jump to label 'l1' according to jump opcode
1217    value 'b'. In the fast case, T0 is guaranteed not to be used. */
1218 static inline void gen_jcc1_noeob(DisasContext *s, int b, TCGLabel *l1)
1219 {
1220     CCPrepare cc = gen_prepare_cc(s, b, s->T0);
1221 
1222     if (cc.mask != -1) {
1223         tcg_gen_andi_tl(s->T0, cc.reg, cc.mask);
1224         cc.reg = s->T0;
1225     }
1226     if (cc.use_reg2) {
1227         tcg_gen_brcond_tl(cc.cond, cc.reg, cc.reg2, l1);
1228     } else {
1229         tcg_gen_brcondi_tl(cc.cond, cc.reg, cc.imm, l1);
1230     }
1231 }
1232 
1233 /* Generate a conditional jump to label 'l1' according to jump opcode
1234    value 'b'. In the fast case, T0 is guaranteed not to be used.
1235    A translation block must end soon.  */
1236 static inline void gen_jcc1(DisasContext *s, int b, TCGLabel *l1)
1237 {
1238     CCPrepare cc = gen_prepare_cc(s, b, s->T0);
1239 
1240     gen_update_cc_op(s);
1241     if (cc.mask != -1) {
1242         tcg_gen_andi_tl(s->T0, cc.reg, cc.mask);
1243         cc.reg = s->T0;
1244     }
1245     set_cc_op(s, CC_OP_DYNAMIC);
1246     if (cc.use_reg2) {
1247         tcg_gen_brcond_tl(cc.cond, cc.reg, cc.reg2, l1);
1248     } else {
1249         tcg_gen_brcondi_tl(cc.cond, cc.reg, cc.imm, l1);
1250     }
1251 }
1252 
1253 /* XXX: does not work with gdbstub "ice" single step - not a
1254    serious problem */
1255 static TCGLabel *gen_jz_ecx_string(DisasContext *s)
1256 {
1257     TCGLabel *l1 = gen_new_label();
1258     TCGLabel *l2 = gen_new_label();
1259     gen_op_jnz_ecx(s, l1);
1260     gen_set_label(l2);
1261     gen_jmp_rel_csize(s, 0, 1);
1262     gen_set_label(l1);
1263     return l2;
1264 }
1265 
1266 static void gen_stos(DisasContext *s, MemOp ot)
1267 {
1268     gen_string_movl_A0_EDI(s);
1269     gen_op_st_v(s, ot, s->T0, s->A0);
1270     gen_op_add_reg(s, s->aflag, R_EDI, gen_compute_Dshift(s, ot));
1271 }
1272 
1273 static void gen_lods(DisasContext *s, MemOp ot)
1274 {
1275     gen_string_movl_A0_ESI(s);
1276     gen_op_ld_v(s, ot, s->T0, s->A0);
1277     gen_op_mov_reg_v(s, ot, R_EAX, s->T0);
1278     gen_op_add_reg(s, s->aflag, R_ESI, gen_compute_Dshift(s, ot));
1279 }
1280 
1281 static void gen_scas(DisasContext *s, MemOp ot)
1282 {
1283     gen_string_movl_A0_EDI(s);
1284     gen_op_ld_v(s, ot, s->T1, s->A0);
1285     tcg_gen_mov_tl(cpu_cc_src, s->T1);
1286     tcg_gen_mov_tl(s->cc_srcT, s->T0);
1287     tcg_gen_sub_tl(cpu_cc_dst, s->T0, s->T1);
1288     set_cc_op(s, CC_OP_SUBB + ot);
1289 
1290     gen_op_add_reg(s, s->aflag, R_EDI, gen_compute_Dshift(s, ot));
1291 }
1292 
1293 static void gen_cmps(DisasContext *s, MemOp ot)
1294 {
1295     TCGv dshift;
1296 
1297     gen_string_movl_A0_EDI(s);
1298     gen_op_ld_v(s, ot, s->T1, s->A0);
1299     gen_string_movl_A0_ESI(s);
1300     gen_op(s, OP_CMPL, ot, OR_TMP0);
1301 
1302     dshift = gen_compute_Dshift(s, ot);
1303     gen_op_add_reg(s, s->aflag, R_ESI, dshift);
1304     gen_op_add_reg(s, s->aflag, R_EDI, dshift);
1305 }
1306 
1307 static void gen_bpt_io(DisasContext *s, TCGv_i32 t_port, int ot)
1308 {
1309     if (s->flags & HF_IOBPT_MASK) {
1310 #ifdef CONFIG_USER_ONLY
1311         /* user-mode cpu should not be in IOBPT mode */
1312         g_assert_not_reached();
1313 #else
1314         TCGv_i32 t_size = tcg_constant_i32(1 << ot);
1315         TCGv t_next = eip_next_tl(s);
1316         gen_helper_bpt_io(tcg_env, t_port, t_size, t_next);
1317 #endif /* CONFIG_USER_ONLY */
1318     }
1319 }
1320 
1321 static void gen_ins(DisasContext *s, MemOp ot)
1322 {
1323     gen_string_movl_A0_EDI(s);
1324     /* Note: we must do this dummy write first to be restartable in
1325        case of page fault. */
1326     tcg_gen_movi_tl(s->T0, 0);
1327     gen_op_st_v(s, ot, s->T0, s->A0);
1328     tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
1329     tcg_gen_andi_i32(s->tmp2_i32, s->tmp2_i32, 0xffff);
1330     gen_helper_in_func(ot, s->T0, s->tmp2_i32);
1331     gen_op_st_v(s, ot, s->T0, s->A0);
1332     gen_op_add_reg(s, s->aflag, R_EDI, gen_compute_Dshift(s, ot));
1333     gen_bpt_io(s, s->tmp2_i32, ot);
1334 }
1335 
1336 static void gen_outs(DisasContext *s, MemOp ot)
1337 {
1338     gen_string_movl_A0_ESI(s);
1339     gen_op_ld_v(s, ot, s->T0, s->A0);
1340 
1341     tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
1342     tcg_gen_andi_i32(s->tmp2_i32, s->tmp2_i32, 0xffff);
1343     tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T0);
1344     gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
1345     gen_op_add_reg(s, s->aflag, R_ESI, gen_compute_Dshift(s, ot));
1346     gen_bpt_io(s, s->tmp2_i32, ot);
1347 }
1348 
1349 /* Generate jumps to current or next instruction */
1350 static void gen_repz(DisasContext *s, MemOp ot,
1351                      void (*fn)(DisasContext *s, MemOp ot))
1352 {
1353     TCGLabel *l2;
1354     gen_update_cc_op(s);
1355     l2 = gen_jz_ecx_string(s);
1356     fn(s, ot);
1357     gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
1358     /*
1359      * A loop would cause two single step exceptions if ECX = 1
1360      * before rep string_insn
1361      */
1362     if (s->repz_opt) {
1363         gen_op_jz_ecx(s, l2);
1364     }
1365     gen_jmp_rel_csize(s, -cur_insn_len(s), 0);
1366 }
1367 
1368 #define GEN_REPZ(op) \
1369     static inline void gen_repz_ ## op(DisasContext *s, MemOp ot) \
1370     { gen_repz(s, ot, gen_##op); }
1371 
1372 static void gen_repz2(DisasContext *s, MemOp ot, int nz,
1373                       void (*fn)(DisasContext *s, MemOp ot))
1374 {
1375     TCGLabel *l2;
1376     gen_update_cc_op(s);
1377     l2 = gen_jz_ecx_string(s);
1378     fn(s, ot);
1379     gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
1380     gen_update_cc_op(s);
1381     gen_jcc1(s, (JCC_Z << 1) | (nz ^ 1), l2);
1382     if (s->repz_opt) {
1383         gen_op_jz_ecx(s, l2);
1384     }
1385     gen_jmp_rel_csize(s, -cur_insn_len(s), 0);
1386 }
1387 
1388 #define GEN_REPZ2(op) \
1389     static inline void gen_repz_ ## op(DisasContext *s, MemOp ot, int nz) \
1390     { gen_repz2(s, ot, nz, gen_##op); }
1391 
1392 GEN_REPZ(movs)
1393 GEN_REPZ(stos)
1394 GEN_REPZ(lods)
1395 GEN_REPZ(ins)
1396 GEN_REPZ(outs)
1397 GEN_REPZ2(scas)
1398 GEN_REPZ2(cmps)
1399 
1400 static void gen_helper_fp_arith_ST0_FT0(int op)
1401 {
1402     switch (op) {
1403     case 0:
1404         gen_helper_fadd_ST0_FT0(tcg_env);
1405         break;
1406     case 1:
1407         gen_helper_fmul_ST0_FT0(tcg_env);
1408         break;
1409     case 2:
1410         gen_helper_fcom_ST0_FT0(tcg_env);
1411         break;
1412     case 3:
1413         gen_helper_fcom_ST0_FT0(tcg_env);
1414         break;
1415     case 4:
1416         gen_helper_fsub_ST0_FT0(tcg_env);
1417         break;
1418     case 5:
1419         gen_helper_fsubr_ST0_FT0(tcg_env);
1420         break;
1421     case 6:
1422         gen_helper_fdiv_ST0_FT0(tcg_env);
1423         break;
1424     case 7:
1425         gen_helper_fdivr_ST0_FT0(tcg_env);
1426         break;
1427     }
1428 }
1429 
1430 /* NOTE the exception in "r" op ordering */
1431 static void gen_helper_fp_arith_STN_ST0(int op, int opreg)
1432 {
1433     TCGv_i32 tmp = tcg_constant_i32(opreg);
1434     switch (op) {
1435     case 0:
1436         gen_helper_fadd_STN_ST0(tcg_env, tmp);
1437         break;
1438     case 1:
1439         gen_helper_fmul_STN_ST0(tcg_env, tmp);
1440         break;
1441     case 4:
1442         gen_helper_fsubr_STN_ST0(tcg_env, tmp);
1443         break;
1444     case 5:
1445         gen_helper_fsub_STN_ST0(tcg_env, tmp);
1446         break;
1447     case 6:
1448         gen_helper_fdivr_STN_ST0(tcg_env, tmp);
1449         break;
1450     case 7:
1451         gen_helper_fdiv_STN_ST0(tcg_env, tmp);
1452         break;
1453     }
1454 }
1455 
1456 static void gen_exception(DisasContext *s, int trapno)
1457 {
1458     gen_update_cc_op(s);
1459     gen_update_eip_cur(s);
1460     gen_helper_raise_exception(tcg_env, tcg_constant_i32(trapno));
1461     s->base.is_jmp = DISAS_NORETURN;
1462 }
1463 
1464 /* Generate #UD for the current instruction.  The assumption here is that
1465    the instruction is known, but it isn't allowed in the current cpu mode.  */
1466 static void gen_illegal_opcode(DisasContext *s)
1467 {
1468     gen_exception(s, EXCP06_ILLOP);
1469 }
1470 
1471 /* Generate #GP for the current instruction. */
1472 static void gen_exception_gpf(DisasContext *s)
1473 {
1474     gen_exception(s, EXCP0D_GPF);
1475 }
1476 
1477 /* Check for cpl == 0; if not, raise #GP and return false. */
1478 static bool check_cpl0(DisasContext *s)
1479 {
1480     if (CPL(s) == 0) {
1481         return true;
1482     }
1483     gen_exception_gpf(s);
1484     return false;
1485 }
1486 
1487 /* If vm86, check for iopl == 3; if not, raise #GP and return false. */
1488 static bool check_vm86_iopl(DisasContext *s)
1489 {
1490     if (!VM86(s) || IOPL(s) == 3) {
1491         return true;
1492     }
1493     gen_exception_gpf(s);
1494     return false;
1495 }
1496 
1497 /* Check for iopl allowing access; if not, raise #GP and return false. */
1498 static bool check_iopl(DisasContext *s)
1499 {
1500     if (VM86(s) ? IOPL(s) == 3 : CPL(s) <= IOPL(s)) {
1501         return true;
1502     }
1503     gen_exception_gpf(s);
1504     return false;
1505 }
1506 
1507 /* if d == OR_TMP0, it means memory operand (address in A0) */
1508 static void gen_op(DisasContext *s1, int op, MemOp ot, int d)
1509 {
1510     /* Invalid lock prefix when destination is not memory or OP_CMPL. */
1511     if ((d != OR_TMP0 || op == OP_CMPL) && s1->prefix & PREFIX_LOCK) {
1512         gen_illegal_opcode(s1);
1513         return;
1514     }
1515 
1516     if (d != OR_TMP0) {
1517         gen_op_mov_v_reg(s1, ot, s1->T0, d);
1518     } else if (!(s1->prefix & PREFIX_LOCK)) {
1519         gen_op_ld_v(s1, ot, s1->T0, s1->A0);
1520     }
1521     switch(op) {
1522     case OP_ADCL:
1523         gen_compute_eflags_c(s1, s1->tmp4);
1524         if (s1->prefix & PREFIX_LOCK) {
1525             tcg_gen_add_tl(s1->T0, s1->tmp4, s1->T1);
1526             tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
1527                                         s1->mem_index, ot | MO_LE);
1528         } else {
1529             tcg_gen_add_tl(s1->T0, s1->T0, s1->T1);
1530             tcg_gen_add_tl(s1->T0, s1->T0, s1->tmp4);
1531             gen_op_st_rm_T0_A0(s1, ot, d);
1532         }
1533         gen_op_update3_cc(s1, s1->tmp4);
1534         set_cc_op(s1, CC_OP_ADCB + ot);
1535         break;
1536     case OP_SBBL:
1537         gen_compute_eflags_c(s1, s1->tmp4);
1538         if (s1->prefix & PREFIX_LOCK) {
1539             tcg_gen_add_tl(s1->T0, s1->T1, s1->tmp4);
1540             tcg_gen_neg_tl(s1->T0, s1->T0);
1541             tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
1542                                         s1->mem_index, ot | MO_LE);
1543         } else {
1544             tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1);
1545             tcg_gen_sub_tl(s1->T0, s1->T0, s1->tmp4);
1546             gen_op_st_rm_T0_A0(s1, ot, d);
1547         }
1548         gen_op_update3_cc(s1, s1->tmp4);
1549         set_cc_op(s1, CC_OP_SBBB + ot);
1550         break;
1551     case OP_ADDL:
1552         if (s1->prefix & PREFIX_LOCK) {
1553             tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T1,
1554                                         s1->mem_index, ot | MO_LE);
1555         } else {
1556             tcg_gen_add_tl(s1->T0, s1->T0, s1->T1);
1557             gen_op_st_rm_T0_A0(s1, ot, d);
1558         }
1559         gen_op_update2_cc(s1);
1560         set_cc_op(s1, CC_OP_ADDB + ot);
1561         break;
1562     case OP_SUBL:
1563         if (s1->prefix & PREFIX_LOCK) {
1564             tcg_gen_neg_tl(s1->T0, s1->T1);
1565             tcg_gen_atomic_fetch_add_tl(s1->cc_srcT, s1->A0, s1->T0,
1566                                         s1->mem_index, ot | MO_LE);
1567             tcg_gen_sub_tl(s1->T0, s1->cc_srcT, s1->T1);
1568         } else {
1569             tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
1570             tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1);
1571             gen_op_st_rm_T0_A0(s1, ot, d);
1572         }
1573         gen_op_update2_cc(s1);
1574         set_cc_op(s1, CC_OP_SUBB + ot);
1575         break;
1576     default:
1577     case OP_ANDL:
1578         if (s1->prefix & PREFIX_LOCK) {
1579             tcg_gen_atomic_and_fetch_tl(s1->T0, s1->A0, s1->T1,
1580                                         s1->mem_index, ot | MO_LE);
1581         } else {
1582             tcg_gen_and_tl(s1->T0, s1->T0, s1->T1);
1583             gen_op_st_rm_T0_A0(s1, ot, d);
1584         }
1585         gen_op_update1_cc(s1);
1586         set_cc_op(s1, CC_OP_LOGICB + ot);
1587         break;
1588     case OP_ORL:
1589         if (s1->prefix & PREFIX_LOCK) {
1590             tcg_gen_atomic_or_fetch_tl(s1->T0, s1->A0, s1->T1,
1591                                        s1->mem_index, ot | MO_LE);
1592         } else {
1593             tcg_gen_or_tl(s1->T0, s1->T0, s1->T1);
1594             gen_op_st_rm_T0_A0(s1, ot, d);
1595         }
1596         gen_op_update1_cc(s1);
1597         set_cc_op(s1, CC_OP_LOGICB + ot);
1598         break;
1599     case OP_XORL:
1600         if (s1->prefix & PREFIX_LOCK) {
1601             tcg_gen_atomic_xor_fetch_tl(s1->T0, s1->A0, s1->T1,
1602                                         s1->mem_index, ot | MO_LE);
1603         } else {
1604             tcg_gen_xor_tl(s1->T0, s1->T0, s1->T1);
1605             gen_op_st_rm_T0_A0(s1, ot, d);
1606         }
1607         gen_op_update1_cc(s1);
1608         set_cc_op(s1, CC_OP_LOGICB + ot);
1609         break;
1610     case OP_CMPL:
1611         tcg_gen_mov_tl(cpu_cc_src, s1->T1);
1612         tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
1613         tcg_gen_sub_tl(cpu_cc_dst, s1->T0, s1->T1);
1614         set_cc_op(s1, CC_OP_SUBB + ot);
1615         break;
1616     }
1617 }
1618 
1619 /* if d == OR_TMP0, it means memory operand (address in A0) */
1620 static void gen_inc(DisasContext *s1, MemOp ot, int d, int c)
1621 {
1622     if (s1->prefix & PREFIX_LOCK) {
1623         if (d != OR_TMP0) {
1624             /* Lock prefix when destination is not memory */
1625             gen_illegal_opcode(s1);
1626             return;
1627         }
1628         tcg_gen_movi_tl(s1->T0, c > 0 ? 1 : -1);
1629         tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
1630                                     s1->mem_index, ot | MO_LE);
1631     } else {
1632         if (d != OR_TMP0) {
1633             gen_op_mov_v_reg(s1, ot, s1->T0, d);
1634         } else {
1635             gen_op_ld_v(s1, ot, s1->T0, s1->A0);
1636         }
1637         tcg_gen_addi_tl(s1->T0, s1->T0, (c > 0 ? 1 : -1));
1638         gen_op_st_rm_T0_A0(s1, ot, d);
1639     }
1640 
1641     gen_compute_eflags_c(s1, cpu_cc_src);
1642     tcg_gen_mov_tl(cpu_cc_dst, s1->T0);
1643     set_cc_op(s1, (c > 0 ? CC_OP_INCB : CC_OP_DECB) + ot);
1644 }
1645 
1646 static void gen_shift_flags(DisasContext *s, MemOp ot, TCGv result,
1647                             TCGv shm1, TCGv count, bool is_right)
1648 {
1649     TCGv_i32 z32, s32, oldop;
1650     TCGv z_tl;
1651 
1652     /* Store the results into the CC variables.  If we know that the
1653        variable must be dead, store unconditionally.  Otherwise we'll
1654        need to not disrupt the current contents.  */
1655     z_tl = tcg_constant_tl(0);
1656     if (cc_op_live[s->cc_op] & USES_CC_DST) {
1657         tcg_gen_movcond_tl(TCG_COND_NE, cpu_cc_dst, count, z_tl,
1658                            result, cpu_cc_dst);
1659     } else {
1660         tcg_gen_mov_tl(cpu_cc_dst, result);
1661     }
1662     if (cc_op_live[s->cc_op] & USES_CC_SRC) {
1663         tcg_gen_movcond_tl(TCG_COND_NE, cpu_cc_src, count, z_tl,
1664                            shm1, cpu_cc_src);
1665     } else {
1666         tcg_gen_mov_tl(cpu_cc_src, shm1);
1667     }
1668 
1669     /* Get the two potential CC_OP values into temporaries.  */
1670     tcg_gen_movi_i32(s->tmp2_i32, (is_right ? CC_OP_SARB : CC_OP_SHLB) + ot);
1671     if (s->cc_op == CC_OP_DYNAMIC) {
1672         oldop = cpu_cc_op;
1673     } else {
1674         tcg_gen_movi_i32(s->tmp3_i32, s->cc_op);
1675         oldop = s->tmp3_i32;
1676     }
1677 
1678     /* Conditionally store the CC_OP value.  */
1679     z32 = tcg_constant_i32(0);
1680     s32 = tcg_temp_new_i32();
1681     tcg_gen_trunc_tl_i32(s32, count);
1682     tcg_gen_movcond_i32(TCG_COND_NE, cpu_cc_op, s32, z32, s->tmp2_i32, oldop);
1683 
1684     /* The CC_OP value is no longer predictable.  */
1685     set_cc_op(s, CC_OP_DYNAMIC);
1686 }
1687 
1688 static void gen_shift_rm_T1(DisasContext *s, MemOp ot, int op1,
1689                             int is_right, int is_arith)
1690 {
1691     target_ulong mask = (ot == MO_64 ? 0x3f : 0x1f);
1692 
1693     /* load */
1694     if (op1 == OR_TMP0) {
1695         gen_op_ld_v(s, ot, s->T0, s->A0);
1696     } else {
1697         gen_op_mov_v_reg(s, ot, s->T0, op1);
1698     }
1699 
1700     tcg_gen_andi_tl(s->T1, s->T1, mask);
1701     tcg_gen_subi_tl(s->tmp0, s->T1, 1);
1702 
1703     if (is_right) {
1704         if (is_arith) {
1705             gen_exts(ot, s->T0);
1706             tcg_gen_sar_tl(s->tmp0, s->T0, s->tmp0);
1707             tcg_gen_sar_tl(s->T0, s->T0, s->T1);
1708         } else {
1709             gen_extu(ot, s->T0);
1710             tcg_gen_shr_tl(s->tmp0, s->T0, s->tmp0);
1711             tcg_gen_shr_tl(s->T0, s->T0, s->T1);
1712         }
1713     } else {
1714         tcg_gen_shl_tl(s->tmp0, s->T0, s->tmp0);
1715         tcg_gen_shl_tl(s->T0, s->T0, s->T1);
1716     }
1717 
1718     /* store */
1719     gen_op_st_rm_T0_A0(s, ot, op1);
1720 
1721     gen_shift_flags(s, ot, s->T0, s->tmp0, s->T1, is_right);
1722 }
1723 
1724 static void gen_shift_rm_im(DisasContext *s, MemOp ot, int op1, int op2,
1725                             int is_right, int is_arith)
1726 {
1727     int mask = (ot == MO_64 ? 0x3f : 0x1f);
1728 
1729     /* load */
1730     if (op1 == OR_TMP0)
1731         gen_op_ld_v(s, ot, s->T0, s->A0);
1732     else
1733         gen_op_mov_v_reg(s, ot, s->T0, op1);
1734 
1735     op2 &= mask;
1736     if (op2 != 0) {
1737         if (is_right) {
1738             if (is_arith) {
1739                 gen_exts(ot, s->T0);
1740                 tcg_gen_sari_tl(s->tmp4, s->T0, op2 - 1);
1741                 tcg_gen_sari_tl(s->T0, s->T0, op2);
1742             } else {
1743                 gen_extu(ot, s->T0);
1744                 tcg_gen_shri_tl(s->tmp4, s->T0, op2 - 1);
1745                 tcg_gen_shri_tl(s->T0, s->T0, op2);
1746             }
1747         } else {
1748             tcg_gen_shli_tl(s->tmp4, s->T0, op2 - 1);
1749             tcg_gen_shli_tl(s->T0, s->T0, op2);
1750         }
1751     }
1752 
1753     /* store */
1754     gen_op_st_rm_T0_A0(s, ot, op1);
1755 
1756     /* update eflags if non zero shift */
1757     if (op2 != 0) {
1758         tcg_gen_mov_tl(cpu_cc_src, s->tmp4);
1759         tcg_gen_mov_tl(cpu_cc_dst, s->T0);
1760         set_cc_op(s, (is_right ? CC_OP_SARB : CC_OP_SHLB) + ot);
1761     }
1762 }
1763 
1764 static void gen_rot_rm_T1(DisasContext *s, MemOp ot, int op1, int is_right)
1765 {
1766     target_ulong mask = (ot == MO_64 ? 0x3f : 0x1f);
1767     TCGv_i32 t0, t1;
1768 
1769     /* load */
1770     if (op1 == OR_TMP0) {
1771         gen_op_ld_v(s, ot, s->T0, s->A0);
1772     } else {
1773         gen_op_mov_v_reg(s, ot, s->T0, op1);
1774     }
1775 
1776     tcg_gen_andi_tl(s->T1, s->T1, mask);
1777 
1778     switch (ot) {
1779     case MO_8:
1780         /* Replicate the 8-bit input so that a 32-bit rotate works.  */
1781         tcg_gen_ext8u_tl(s->T0, s->T0);
1782         tcg_gen_muli_tl(s->T0, s->T0, 0x01010101);
1783         goto do_long;
1784     case MO_16:
1785         /* Replicate the 16-bit input so that a 32-bit rotate works.  */
1786         tcg_gen_deposit_tl(s->T0, s->T0, s->T0, 16, 16);
1787         goto do_long;
1788     do_long:
1789 #ifdef TARGET_X86_64
1790     case MO_32:
1791         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
1792         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
1793         if (is_right) {
1794             tcg_gen_rotr_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
1795         } else {
1796             tcg_gen_rotl_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
1797         }
1798         tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
1799         break;
1800 #endif
1801     default:
1802         if (is_right) {
1803             tcg_gen_rotr_tl(s->T0, s->T0, s->T1);
1804         } else {
1805             tcg_gen_rotl_tl(s->T0, s->T0, s->T1);
1806         }
1807         break;
1808     }
1809 
1810     /* store */
1811     gen_op_st_rm_T0_A0(s, ot, op1);
1812 
1813     /* We'll need the flags computed into CC_SRC.  */
1814     gen_compute_eflags(s);
1815 
1816     /* The value that was "rotated out" is now present at the other end
1817        of the word.  Compute C into CC_DST and O into CC_SRC2.  Note that
1818        since we've computed the flags into CC_SRC, these variables are
1819        currently dead.  */
1820     if (is_right) {
1821         tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask - 1);
1822         tcg_gen_shri_tl(cpu_cc_dst, s->T0, mask);
1823         tcg_gen_andi_tl(cpu_cc_dst, cpu_cc_dst, 1);
1824     } else {
1825         tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask);
1826         tcg_gen_andi_tl(cpu_cc_dst, s->T0, 1);
1827     }
1828     tcg_gen_andi_tl(cpu_cc_src2, cpu_cc_src2, 1);
1829     tcg_gen_xor_tl(cpu_cc_src2, cpu_cc_src2, cpu_cc_dst);
1830 
1831     /* Now conditionally store the new CC_OP value.  If the shift count
1832        is 0 we keep the CC_OP_EFLAGS setting so that only CC_SRC is live.
1833        Otherwise reuse CC_OP_ADCOX which have the C and O flags split out
1834        exactly as we computed above.  */
1835     t0 = tcg_constant_i32(0);
1836     t1 = tcg_temp_new_i32();
1837     tcg_gen_trunc_tl_i32(t1, s->T1);
1838     tcg_gen_movi_i32(s->tmp2_i32, CC_OP_ADCOX);
1839     tcg_gen_movi_i32(s->tmp3_i32, CC_OP_EFLAGS);
1840     tcg_gen_movcond_i32(TCG_COND_NE, cpu_cc_op, t1, t0,
1841                         s->tmp2_i32, s->tmp3_i32);
1842 
1843     /* The CC_OP value is no longer predictable.  */
1844     set_cc_op(s, CC_OP_DYNAMIC);
1845 }
1846 
1847 static void gen_rot_rm_im(DisasContext *s, MemOp ot, int op1, int op2,
1848                           int is_right)
1849 {
1850     int mask = (ot == MO_64 ? 0x3f : 0x1f);
1851     int shift;
1852 
1853     /* load */
1854     if (op1 == OR_TMP0) {
1855         gen_op_ld_v(s, ot, s->T0, s->A0);
1856     } else {
1857         gen_op_mov_v_reg(s, ot, s->T0, op1);
1858     }
1859 
1860     op2 &= mask;
1861     if (op2 != 0) {
1862         switch (ot) {
1863 #ifdef TARGET_X86_64
1864         case MO_32:
1865             tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
1866             if (is_right) {
1867                 tcg_gen_rotri_i32(s->tmp2_i32, s->tmp2_i32, op2);
1868             } else {
1869                 tcg_gen_rotli_i32(s->tmp2_i32, s->tmp2_i32, op2);
1870             }
1871             tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
1872             break;
1873 #endif
1874         default:
1875             if (is_right) {
1876                 tcg_gen_rotri_tl(s->T0, s->T0, op2);
1877             } else {
1878                 tcg_gen_rotli_tl(s->T0, s->T0, op2);
1879             }
1880             break;
1881         case MO_8:
1882             mask = 7;
1883             goto do_shifts;
1884         case MO_16:
1885             mask = 15;
1886         do_shifts:
1887             shift = op2 & mask;
1888             if (is_right) {
1889                 shift = mask + 1 - shift;
1890             }
1891             gen_extu(ot, s->T0);
1892             tcg_gen_shli_tl(s->tmp0, s->T0, shift);
1893             tcg_gen_shri_tl(s->T0, s->T0, mask + 1 - shift);
1894             tcg_gen_or_tl(s->T0, s->T0, s->tmp0);
1895             break;
1896         }
1897     }
1898 
1899     /* store */
1900     gen_op_st_rm_T0_A0(s, ot, op1);
1901 
1902     if (op2 != 0) {
1903         /* Compute the flags into CC_SRC.  */
1904         gen_compute_eflags(s);
1905 
1906         /* The value that was "rotated out" is now present at the other end
1907            of the word.  Compute C into CC_DST and O into CC_SRC2.  Note that
1908            since we've computed the flags into CC_SRC, these variables are
1909            currently dead.  */
1910         if (is_right) {
1911             tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask - 1);
1912             tcg_gen_shri_tl(cpu_cc_dst, s->T0, mask);
1913             tcg_gen_andi_tl(cpu_cc_dst, cpu_cc_dst, 1);
1914         } else {
1915             tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask);
1916             tcg_gen_andi_tl(cpu_cc_dst, s->T0, 1);
1917         }
1918         tcg_gen_andi_tl(cpu_cc_src2, cpu_cc_src2, 1);
1919         tcg_gen_xor_tl(cpu_cc_src2, cpu_cc_src2, cpu_cc_dst);
1920         set_cc_op(s, CC_OP_ADCOX);
1921     }
1922 }
1923 
1924 /* XXX: add faster immediate = 1 case */
1925 static void gen_rotc_rm_T1(DisasContext *s, MemOp ot, int op1,
1926                            int is_right)
1927 {
1928     gen_compute_eflags(s);
1929     assert(s->cc_op == CC_OP_EFLAGS);
1930 
1931     /* load */
1932     if (op1 == OR_TMP0)
1933         gen_op_ld_v(s, ot, s->T0, s->A0);
1934     else
1935         gen_op_mov_v_reg(s, ot, s->T0, op1);
1936 
1937     if (is_right) {
1938         switch (ot) {
1939         case MO_8:
1940             gen_helper_rcrb(s->T0, tcg_env, s->T0, s->T1);
1941             break;
1942         case MO_16:
1943             gen_helper_rcrw(s->T0, tcg_env, s->T0, s->T1);
1944             break;
1945         case MO_32:
1946             gen_helper_rcrl(s->T0, tcg_env, s->T0, s->T1);
1947             break;
1948 #ifdef TARGET_X86_64
1949         case MO_64:
1950             gen_helper_rcrq(s->T0, tcg_env, s->T0, s->T1);
1951             break;
1952 #endif
1953         default:
1954             g_assert_not_reached();
1955         }
1956     } else {
1957         switch (ot) {
1958         case MO_8:
1959             gen_helper_rclb(s->T0, tcg_env, s->T0, s->T1);
1960             break;
1961         case MO_16:
1962             gen_helper_rclw(s->T0, tcg_env, s->T0, s->T1);
1963             break;
1964         case MO_32:
1965             gen_helper_rcll(s->T0, tcg_env, s->T0, s->T1);
1966             break;
1967 #ifdef TARGET_X86_64
1968         case MO_64:
1969             gen_helper_rclq(s->T0, tcg_env, s->T0, s->T1);
1970             break;
1971 #endif
1972         default:
1973             g_assert_not_reached();
1974         }
1975     }
1976     /* store */
1977     gen_op_st_rm_T0_A0(s, ot, op1);
1978 }
1979 
1980 /* XXX: add faster immediate case */
1981 static void gen_shiftd_rm_T1(DisasContext *s, MemOp ot, int op1,
1982                              bool is_right, TCGv count_in)
1983 {
1984     target_ulong mask = (ot == MO_64 ? 63 : 31);
1985     TCGv count;
1986 
1987     /* load */
1988     if (op1 == OR_TMP0) {
1989         gen_op_ld_v(s, ot, s->T0, s->A0);
1990     } else {
1991         gen_op_mov_v_reg(s, ot, s->T0, op1);
1992     }
1993 
1994     count = tcg_temp_new();
1995     tcg_gen_andi_tl(count, count_in, mask);
1996 
1997     switch (ot) {
1998     case MO_16:
1999         /* Note: we implement the Intel behaviour for shift count > 16.
2000            This means "shrdw C, B, A" shifts A:B:A >> C.  Build the B:A
2001            portion by constructing it as a 32-bit value.  */
2002         if (is_right) {
2003             tcg_gen_deposit_tl(s->tmp0, s->T0, s->T1, 16, 16);
2004             tcg_gen_mov_tl(s->T1, s->T0);
2005             tcg_gen_mov_tl(s->T0, s->tmp0);
2006         } else {
2007             tcg_gen_deposit_tl(s->T1, s->T0, s->T1, 16, 16);
2008         }
2009         /*
2010          * If TARGET_X86_64 defined then fall through into MO_32 case,
2011          * otherwise fall through default case.
2012          */
2013     case MO_32:
2014 #ifdef TARGET_X86_64
2015         /* Concatenate the two 32-bit values and use a 64-bit shift.  */
2016         tcg_gen_subi_tl(s->tmp0, count, 1);
2017         if (is_right) {
2018             tcg_gen_concat_tl_i64(s->T0, s->T0, s->T1);
2019             tcg_gen_shr_i64(s->tmp0, s->T0, s->tmp0);
2020             tcg_gen_shr_i64(s->T0, s->T0, count);
2021         } else {
2022             tcg_gen_concat_tl_i64(s->T0, s->T1, s->T0);
2023             tcg_gen_shl_i64(s->tmp0, s->T0, s->tmp0);
2024             tcg_gen_shl_i64(s->T0, s->T0, count);
2025             tcg_gen_shri_i64(s->tmp0, s->tmp0, 32);
2026             tcg_gen_shri_i64(s->T0, s->T0, 32);
2027         }
2028         break;
2029 #endif
2030     default:
2031         tcg_gen_subi_tl(s->tmp0, count, 1);
2032         if (is_right) {
2033             tcg_gen_shr_tl(s->tmp0, s->T0, s->tmp0);
2034 
2035             tcg_gen_subfi_tl(s->tmp4, mask + 1, count);
2036             tcg_gen_shr_tl(s->T0, s->T0, count);
2037             tcg_gen_shl_tl(s->T1, s->T1, s->tmp4);
2038         } else {
2039             tcg_gen_shl_tl(s->tmp0, s->T0, s->tmp0);
2040             if (ot == MO_16) {
2041                 /* Only needed if count > 16, for Intel behaviour.  */
2042                 tcg_gen_subfi_tl(s->tmp4, 33, count);
2043                 tcg_gen_shr_tl(s->tmp4, s->T1, s->tmp4);
2044                 tcg_gen_or_tl(s->tmp0, s->tmp0, s->tmp4);
2045             }
2046 
2047             tcg_gen_subfi_tl(s->tmp4, mask + 1, count);
2048             tcg_gen_shl_tl(s->T0, s->T0, count);
2049             tcg_gen_shr_tl(s->T1, s->T1, s->tmp4);
2050         }
2051         tcg_gen_movi_tl(s->tmp4, 0);
2052         tcg_gen_movcond_tl(TCG_COND_EQ, s->T1, count, s->tmp4,
2053                            s->tmp4, s->T1);
2054         tcg_gen_or_tl(s->T0, s->T0, s->T1);
2055         break;
2056     }
2057 
2058     /* store */
2059     gen_op_st_rm_T0_A0(s, ot, op1);
2060 
2061     gen_shift_flags(s, ot, s->T0, s->tmp0, count, is_right);
2062 }
2063 
2064 static void gen_shift(DisasContext *s1, int op, MemOp ot, int d, int s)
2065 {
2066     if (s != OR_TMP1)
2067         gen_op_mov_v_reg(s1, ot, s1->T1, s);
2068     switch(op) {
2069     case OP_ROL:
2070         gen_rot_rm_T1(s1, ot, d, 0);
2071         break;
2072     case OP_ROR:
2073         gen_rot_rm_T1(s1, ot, d, 1);
2074         break;
2075     case OP_SHL:
2076     case OP_SHL1:
2077         gen_shift_rm_T1(s1, ot, d, 0, 0);
2078         break;
2079     case OP_SHR:
2080         gen_shift_rm_T1(s1, ot, d, 1, 0);
2081         break;
2082     case OP_SAR:
2083         gen_shift_rm_T1(s1, ot, d, 1, 1);
2084         break;
2085     case OP_RCL:
2086         gen_rotc_rm_T1(s1, ot, d, 0);
2087         break;
2088     case OP_RCR:
2089         gen_rotc_rm_T1(s1, ot, d, 1);
2090         break;
2091     }
2092 }
2093 
2094 static void gen_shifti(DisasContext *s1, int op, MemOp ot, int d, int c)
2095 {
2096     switch(op) {
2097     case OP_ROL:
2098         gen_rot_rm_im(s1, ot, d, c, 0);
2099         break;
2100     case OP_ROR:
2101         gen_rot_rm_im(s1, ot, d, c, 1);
2102         break;
2103     case OP_SHL:
2104     case OP_SHL1:
2105         gen_shift_rm_im(s1, ot, d, c, 0, 0);
2106         break;
2107     case OP_SHR:
2108         gen_shift_rm_im(s1, ot, d, c, 1, 0);
2109         break;
2110     case OP_SAR:
2111         gen_shift_rm_im(s1, ot, d, c, 1, 1);
2112         break;
2113     default:
2114         /* currently not optimized */
2115         tcg_gen_movi_tl(s1->T1, c);
2116         gen_shift(s1, op, ot, d, OR_TMP1);
2117         break;
2118     }
2119 }
2120 
2121 #define X86_MAX_INSN_LENGTH 15
2122 
2123 static uint64_t advance_pc(CPUX86State *env, DisasContext *s, int num_bytes)
2124 {
2125     uint64_t pc = s->pc;
2126 
2127     /* This is a subsequent insn that crosses a page boundary.  */
2128     if (s->base.num_insns > 1 &&
2129         !is_same_page(&s->base, s->pc + num_bytes - 1)) {
2130         siglongjmp(s->jmpbuf, 2);
2131     }
2132 
2133     s->pc += num_bytes;
2134     if (unlikely(cur_insn_len(s) > X86_MAX_INSN_LENGTH)) {
2135         /* If the instruction's 16th byte is on a different page than the 1st, a
2136          * page fault on the second page wins over the general protection fault
2137          * caused by the instruction being too long.
2138          * This can happen even if the operand is only one byte long!
2139          */
2140         if (((s->pc - 1) ^ (pc - 1)) & TARGET_PAGE_MASK) {
2141             volatile uint8_t unused =
2142                 cpu_ldub_code(env, (s->pc - 1) & TARGET_PAGE_MASK);
2143             (void) unused;
2144         }
2145         siglongjmp(s->jmpbuf, 1);
2146     }
2147 
2148     return pc;
2149 }
2150 
2151 static inline uint8_t x86_ldub_code(CPUX86State *env, DisasContext *s)
2152 {
2153     return translator_ldub(env, &s->base, advance_pc(env, s, 1));
2154 }
2155 
2156 static inline int16_t x86_ldsw_code(CPUX86State *env, DisasContext *s)
2157 {
2158     return translator_lduw(env, &s->base, advance_pc(env, s, 2));
2159 }
2160 
2161 static inline uint16_t x86_lduw_code(CPUX86State *env, DisasContext *s)
2162 {
2163     return translator_lduw(env, &s->base, advance_pc(env, s, 2));
2164 }
2165 
2166 static inline uint32_t x86_ldl_code(CPUX86State *env, DisasContext *s)
2167 {
2168     return translator_ldl(env, &s->base, advance_pc(env, s, 4));
2169 }
2170 
2171 #ifdef TARGET_X86_64
2172 static inline uint64_t x86_ldq_code(CPUX86State *env, DisasContext *s)
2173 {
2174     return translator_ldq(env, &s->base, advance_pc(env, s, 8));
2175 }
2176 #endif
2177 
2178 /* Decompose an address.  */
2179 
2180 typedef struct AddressParts {
2181     int def_seg;
2182     int base;
2183     int index;
2184     int scale;
2185     target_long disp;
2186 } AddressParts;
2187 
2188 static AddressParts gen_lea_modrm_0(CPUX86State *env, DisasContext *s,
2189                                     int modrm)
2190 {
2191     int def_seg, base, index, scale, mod, rm;
2192     target_long disp;
2193     bool havesib;
2194 
2195     def_seg = R_DS;
2196     index = -1;
2197     scale = 0;
2198     disp = 0;
2199 
2200     mod = (modrm >> 6) & 3;
2201     rm = modrm & 7;
2202     base = rm | REX_B(s);
2203 
2204     if (mod == 3) {
2205         /* Normally filtered out earlier, but including this path
2206            simplifies multi-byte nop, as well as bndcl, bndcu, bndcn.  */
2207         goto done;
2208     }
2209 
2210     switch (s->aflag) {
2211     case MO_64:
2212     case MO_32:
2213         havesib = 0;
2214         if (rm == 4) {
2215             int code = x86_ldub_code(env, s);
2216             scale = (code >> 6) & 3;
2217             index = ((code >> 3) & 7) | REX_X(s);
2218             if (index == 4) {
2219                 index = -1;  /* no index */
2220             }
2221             base = (code & 7) | REX_B(s);
2222             havesib = 1;
2223         }
2224 
2225         switch (mod) {
2226         case 0:
2227             if ((base & 7) == 5) {
2228                 base = -1;
2229                 disp = (int32_t)x86_ldl_code(env, s);
2230                 if (CODE64(s) && !havesib) {
2231                     base = -2;
2232                     disp += s->pc + s->rip_offset;
2233                 }
2234             }
2235             break;
2236         case 1:
2237             disp = (int8_t)x86_ldub_code(env, s);
2238             break;
2239         default:
2240         case 2:
2241             disp = (int32_t)x86_ldl_code(env, s);
2242             break;
2243         }
2244 
2245         /* For correct popl handling with esp.  */
2246         if (base == R_ESP && s->popl_esp_hack) {
2247             disp += s->popl_esp_hack;
2248         }
2249         if (base == R_EBP || base == R_ESP) {
2250             def_seg = R_SS;
2251         }
2252         break;
2253 
2254     case MO_16:
2255         if (mod == 0) {
2256             if (rm == 6) {
2257                 base = -1;
2258                 disp = x86_lduw_code(env, s);
2259                 break;
2260             }
2261         } else if (mod == 1) {
2262             disp = (int8_t)x86_ldub_code(env, s);
2263         } else {
2264             disp = (int16_t)x86_lduw_code(env, s);
2265         }
2266 
2267         switch (rm) {
2268         case 0:
2269             base = R_EBX;
2270             index = R_ESI;
2271             break;
2272         case 1:
2273             base = R_EBX;
2274             index = R_EDI;
2275             break;
2276         case 2:
2277             base = R_EBP;
2278             index = R_ESI;
2279             def_seg = R_SS;
2280             break;
2281         case 3:
2282             base = R_EBP;
2283             index = R_EDI;
2284             def_seg = R_SS;
2285             break;
2286         case 4:
2287             base = R_ESI;
2288             break;
2289         case 5:
2290             base = R_EDI;
2291             break;
2292         case 6:
2293             base = R_EBP;
2294             def_seg = R_SS;
2295             break;
2296         default:
2297         case 7:
2298             base = R_EBX;
2299             break;
2300         }
2301         break;
2302 
2303     default:
2304         g_assert_not_reached();
2305     }
2306 
2307  done:
2308     return (AddressParts){ def_seg, base, index, scale, disp };
2309 }
2310 
2311 /* Compute the address, with a minimum number of TCG ops.  */
2312 static TCGv gen_lea_modrm_1(DisasContext *s, AddressParts a, bool is_vsib)
2313 {
2314     TCGv ea = NULL;
2315 
2316     if (a.index >= 0 && !is_vsib) {
2317         if (a.scale == 0) {
2318             ea = cpu_regs[a.index];
2319         } else {
2320             tcg_gen_shli_tl(s->A0, cpu_regs[a.index], a.scale);
2321             ea = s->A0;
2322         }
2323         if (a.base >= 0) {
2324             tcg_gen_add_tl(s->A0, ea, cpu_regs[a.base]);
2325             ea = s->A0;
2326         }
2327     } else if (a.base >= 0) {
2328         ea = cpu_regs[a.base];
2329     }
2330     if (!ea) {
2331         if (tb_cflags(s->base.tb) & CF_PCREL && a.base == -2) {
2332             /* With cpu_eip ~= pc_save, the expression is pc-relative. */
2333             tcg_gen_addi_tl(s->A0, cpu_eip, a.disp - s->pc_save);
2334         } else {
2335             tcg_gen_movi_tl(s->A0, a.disp);
2336         }
2337         ea = s->A0;
2338     } else if (a.disp != 0) {
2339         tcg_gen_addi_tl(s->A0, ea, a.disp);
2340         ea = s->A0;
2341     }
2342 
2343     return ea;
2344 }
2345 
2346 static void gen_lea_modrm(CPUX86State *env, DisasContext *s, int modrm)
2347 {
2348     AddressParts a = gen_lea_modrm_0(env, s, modrm);
2349     TCGv ea = gen_lea_modrm_1(s, a, false);
2350     gen_lea_v_seg(s, s->aflag, ea, a.def_seg, s->override);
2351 }
2352 
2353 static void gen_nop_modrm(CPUX86State *env, DisasContext *s, int modrm)
2354 {
2355     (void)gen_lea_modrm_0(env, s, modrm);
2356 }
2357 
2358 /* Used for BNDCL, BNDCU, BNDCN.  */
2359 static void gen_bndck(CPUX86State *env, DisasContext *s, int modrm,
2360                       TCGCond cond, TCGv_i64 bndv)
2361 {
2362     AddressParts a = gen_lea_modrm_0(env, s, modrm);
2363     TCGv ea = gen_lea_modrm_1(s, a, false);
2364 
2365     tcg_gen_extu_tl_i64(s->tmp1_i64, ea);
2366     if (!CODE64(s)) {
2367         tcg_gen_ext32u_i64(s->tmp1_i64, s->tmp1_i64);
2368     }
2369     tcg_gen_setcond_i64(cond, s->tmp1_i64, s->tmp1_i64, bndv);
2370     tcg_gen_extrl_i64_i32(s->tmp2_i32, s->tmp1_i64);
2371     gen_helper_bndck(tcg_env, s->tmp2_i32);
2372 }
2373 
2374 /* used for LEA and MOV AX, mem */
2375 static void gen_add_A0_ds_seg(DisasContext *s)
2376 {
2377     gen_lea_v_seg(s, s->aflag, s->A0, R_DS, s->override);
2378 }
2379 
2380 /* generate modrm memory load or store of 'reg'. TMP0 is used if reg ==
2381    OR_TMP0 */
2382 static void gen_ldst_modrm(CPUX86State *env, DisasContext *s, int modrm,
2383                            MemOp ot, int reg, int is_store)
2384 {
2385     int mod, rm;
2386 
2387     mod = (modrm >> 6) & 3;
2388     rm = (modrm & 7) | REX_B(s);
2389     if (mod == 3) {
2390         if (is_store) {
2391             if (reg != OR_TMP0)
2392                 gen_op_mov_v_reg(s, ot, s->T0, reg);
2393             gen_op_mov_reg_v(s, ot, rm, s->T0);
2394         } else {
2395             gen_op_mov_v_reg(s, ot, s->T0, rm);
2396             if (reg != OR_TMP0)
2397                 gen_op_mov_reg_v(s, ot, reg, s->T0);
2398         }
2399     } else {
2400         gen_lea_modrm(env, s, modrm);
2401         if (is_store) {
2402             if (reg != OR_TMP0)
2403                 gen_op_mov_v_reg(s, ot, s->T0, reg);
2404             gen_op_st_v(s, ot, s->T0, s->A0);
2405         } else {
2406             gen_op_ld_v(s, ot, s->T0, s->A0);
2407             if (reg != OR_TMP0)
2408                 gen_op_mov_reg_v(s, ot, reg, s->T0);
2409         }
2410     }
2411 }
2412 
2413 static target_ulong insn_get_addr(CPUX86State *env, DisasContext *s, MemOp ot)
2414 {
2415     target_ulong ret;
2416 
2417     switch (ot) {
2418     case MO_8:
2419         ret = x86_ldub_code(env, s);
2420         break;
2421     case MO_16:
2422         ret = x86_lduw_code(env, s);
2423         break;
2424     case MO_32:
2425         ret = x86_ldl_code(env, s);
2426         break;
2427 #ifdef TARGET_X86_64
2428     case MO_64:
2429         ret = x86_ldq_code(env, s);
2430         break;
2431 #endif
2432     default:
2433         g_assert_not_reached();
2434     }
2435     return ret;
2436 }
2437 
2438 static inline uint32_t insn_get(CPUX86State *env, DisasContext *s, MemOp ot)
2439 {
2440     uint32_t ret;
2441 
2442     switch (ot) {
2443     case MO_8:
2444         ret = x86_ldub_code(env, s);
2445         break;
2446     case MO_16:
2447         ret = x86_lduw_code(env, s);
2448         break;
2449     case MO_32:
2450 #ifdef TARGET_X86_64
2451     case MO_64:
2452 #endif
2453         ret = x86_ldl_code(env, s);
2454         break;
2455     default:
2456         g_assert_not_reached();
2457     }
2458     return ret;
2459 }
2460 
2461 static target_long insn_get_signed(CPUX86State *env, DisasContext *s, MemOp ot)
2462 {
2463     target_long ret;
2464 
2465     switch (ot) {
2466     case MO_8:
2467         ret = (int8_t) x86_ldub_code(env, s);
2468         break;
2469     case MO_16:
2470         ret = (int16_t) x86_lduw_code(env, s);
2471         break;
2472     case MO_32:
2473         ret = (int32_t) x86_ldl_code(env, s);
2474         break;
2475 #ifdef TARGET_X86_64
2476     case MO_64:
2477         ret = x86_ldq_code(env, s);
2478         break;
2479 #endif
2480     default:
2481         g_assert_not_reached();
2482     }
2483     return ret;
2484 }
2485 
2486 static inline int insn_const_size(MemOp ot)
2487 {
2488     if (ot <= MO_32) {
2489         return 1 << ot;
2490     } else {
2491         return 4;
2492     }
2493 }
2494 
2495 static void gen_jcc(DisasContext *s, int b, int diff)
2496 {
2497     TCGLabel *l1 = gen_new_label();
2498 
2499     gen_jcc1(s, b, l1);
2500     gen_jmp_rel_csize(s, 0, 1);
2501     gen_set_label(l1);
2502     gen_jmp_rel(s, s->dflag, diff, 0);
2503 }
2504 
2505 static void gen_cmovcc1(DisasContext *s, int b, TCGv dest, TCGv src)
2506 {
2507     CCPrepare cc = gen_prepare_cc(s, b, s->T1);
2508 
2509     if (cc.mask != -1) {
2510         TCGv t0 = tcg_temp_new();
2511         tcg_gen_andi_tl(t0, cc.reg, cc.mask);
2512         cc.reg = t0;
2513     }
2514     if (!cc.use_reg2) {
2515         cc.reg2 = tcg_constant_tl(cc.imm);
2516     }
2517 
2518     tcg_gen_movcond_tl(cc.cond, dest, cc.reg, cc.reg2, src, dest);
2519 }
2520 
2521 static inline void gen_op_movl_T0_seg(DisasContext *s, X86Seg seg_reg)
2522 {
2523     tcg_gen_ld32u_tl(s->T0, tcg_env,
2524                      offsetof(CPUX86State,segs[seg_reg].selector));
2525 }
2526 
2527 static inline void gen_op_movl_seg_T0_vm(DisasContext *s, X86Seg seg_reg)
2528 {
2529     tcg_gen_ext16u_tl(s->T0, s->T0);
2530     tcg_gen_st32_tl(s->T0, tcg_env,
2531                     offsetof(CPUX86State,segs[seg_reg].selector));
2532     tcg_gen_shli_tl(cpu_seg_base[seg_reg], s->T0, 4);
2533 }
2534 
2535 /* move T0 to seg_reg and compute if the CPU state may change. Never
2536    call this function with seg_reg == R_CS */
2537 static void gen_movl_seg_T0(DisasContext *s, X86Seg seg_reg)
2538 {
2539     if (PE(s) && !VM86(s)) {
2540         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
2541         gen_helper_load_seg(tcg_env, tcg_constant_i32(seg_reg), s->tmp2_i32);
2542         /* abort translation because the addseg value may change or
2543            because ss32 may change. For R_SS, translation must always
2544            stop as a special handling must be done to disable hardware
2545            interrupts for the next instruction */
2546         if (seg_reg == R_SS) {
2547             s->base.is_jmp = DISAS_EOB_INHIBIT_IRQ;
2548         } else if (CODE32(s) && seg_reg < R_FS) {
2549             s->base.is_jmp = DISAS_EOB_NEXT;
2550         }
2551     } else {
2552         gen_op_movl_seg_T0_vm(s, seg_reg);
2553         if (seg_reg == R_SS) {
2554             s->base.is_jmp = DISAS_EOB_INHIBIT_IRQ;
2555         }
2556     }
2557 }
2558 
2559 static void gen_svm_check_intercept(DisasContext *s, uint32_t type)
2560 {
2561     /* no SVM activated; fast case */
2562     if (likely(!GUEST(s))) {
2563         return;
2564     }
2565     gen_helper_svm_check_intercept(tcg_env, tcg_constant_i32(type));
2566 }
2567 
2568 static inline void gen_stack_update(DisasContext *s, int addend)
2569 {
2570     gen_op_add_reg_im(s, mo_stacksize(s), R_ESP, addend);
2571 }
2572 
2573 /* Generate a push. It depends on ss32, addseg and dflag.  */
2574 static void gen_push_v(DisasContext *s, TCGv val)
2575 {
2576     MemOp d_ot = mo_pushpop(s, s->dflag);
2577     MemOp a_ot = mo_stacksize(s);
2578     int size = 1 << d_ot;
2579     TCGv new_esp = s->A0;
2580 
2581     tcg_gen_subi_tl(s->A0, cpu_regs[R_ESP], size);
2582 
2583     if (!CODE64(s)) {
2584         if (ADDSEG(s)) {
2585             new_esp = tcg_temp_new();
2586             tcg_gen_mov_tl(new_esp, s->A0);
2587         }
2588         gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2589     }
2590 
2591     gen_op_st_v(s, d_ot, val, s->A0);
2592     gen_op_mov_reg_v(s, a_ot, R_ESP, new_esp);
2593 }
2594 
2595 /* two step pop is necessary for precise exceptions */
2596 static MemOp gen_pop_T0(DisasContext *s)
2597 {
2598     MemOp d_ot = mo_pushpop(s, s->dflag);
2599 
2600     gen_lea_v_seg_dest(s, mo_stacksize(s), s->T0, cpu_regs[R_ESP], R_SS, -1);
2601     gen_op_ld_v(s, d_ot, s->T0, s->T0);
2602 
2603     return d_ot;
2604 }
2605 
2606 static inline void gen_pop_update(DisasContext *s, MemOp ot)
2607 {
2608     gen_stack_update(s, 1 << ot);
2609 }
2610 
2611 static inline void gen_stack_A0(DisasContext *s)
2612 {
2613     gen_lea_v_seg(s, SS32(s) ? MO_32 : MO_16, cpu_regs[R_ESP], R_SS, -1);
2614 }
2615 
2616 static void gen_pusha(DisasContext *s)
2617 {
2618     MemOp s_ot = SS32(s) ? MO_32 : MO_16;
2619     MemOp d_ot = s->dflag;
2620     int size = 1 << d_ot;
2621     int i;
2622 
2623     for (i = 0; i < 8; i++) {
2624         tcg_gen_addi_tl(s->A0, cpu_regs[R_ESP], (i - 8) * size);
2625         gen_lea_v_seg(s, s_ot, s->A0, R_SS, -1);
2626         gen_op_st_v(s, d_ot, cpu_regs[7 - i], s->A0);
2627     }
2628 
2629     gen_stack_update(s, -8 * size);
2630 }
2631 
2632 static void gen_popa(DisasContext *s)
2633 {
2634     MemOp s_ot = SS32(s) ? MO_32 : MO_16;
2635     MemOp d_ot = s->dflag;
2636     int size = 1 << d_ot;
2637     int i;
2638 
2639     for (i = 0; i < 8; i++) {
2640         /* ESP is not reloaded */
2641         if (7 - i == R_ESP) {
2642             continue;
2643         }
2644         tcg_gen_addi_tl(s->A0, cpu_regs[R_ESP], i * size);
2645         gen_lea_v_seg(s, s_ot, s->A0, R_SS, -1);
2646         gen_op_ld_v(s, d_ot, s->T0, s->A0);
2647         gen_op_mov_reg_v(s, d_ot, 7 - i, s->T0);
2648     }
2649 
2650     gen_stack_update(s, 8 * size);
2651 }
2652 
2653 static void gen_enter(DisasContext *s, int esp_addend, int level)
2654 {
2655     MemOp d_ot = mo_pushpop(s, s->dflag);
2656     MemOp a_ot = CODE64(s) ? MO_64 : SS32(s) ? MO_32 : MO_16;
2657     int size = 1 << d_ot;
2658 
2659     /* Push BP; compute FrameTemp into T1.  */
2660     tcg_gen_subi_tl(s->T1, cpu_regs[R_ESP], size);
2661     gen_lea_v_seg(s, a_ot, s->T1, R_SS, -1);
2662     gen_op_st_v(s, d_ot, cpu_regs[R_EBP], s->A0);
2663 
2664     level &= 31;
2665     if (level != 0) {
2666         int i;
2667 
2668         /* Copy level-1 pointers from the previous frame.  */
2669         for (i = 1; i < level; ++i) {
2670             tcg_gen_subi_tl(s->A0, cpu_regs[R_EBP], size * i);
2671             gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2672             gen_op_ld_v(s, d_ot, s->tmp0, s->A0);
2673 
2674             tcg_gen_subi_tl(s->A0, s->T1, size * i);
2675             gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2676             gen_op_st_v(s, d_ot, s->tmp0, s->A0);
2677         }
2678 
2679         /* Push the current FrameTemp as the last level.  */
2680         tcg_gen_subi_tl(s->A0, s->T1, size * level);
2681         gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2682         gen_op_st_v(s, d_ot, s->T1, s->A0);
2683     }
2684 
2685     /* Copy the FrameTemp value to EBP.  */
2686     gen_op_mov_reg_v(s, a_ot, R_EBP, s->T1);
2687 
2688     /* Compute the final value of ESP.  */
2689     tcg_gen_subi_tl(s->T1, s->T1, esp_addend + size * level);
2690     gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1);
2691 }
2692 
2693 static void gen_leave(DisasContext *s)
2694 {
2695     MemOp d_ot = mo_pushpop(s, s->dflag);
2696     MemOp a_ot = mo_stacksize(s);
2697 
2698     gen_lea_v_seg(s, a_ot, cpu_regs[R_EBP], R_SS, -1);
2699     gen_op_ld_v(s, d_ot, s->T0, s->A0);
2700 
2701     tcg_gen_addi_tl(s->T1, cpu_regs[R_EBP], 1 << d_ot);
2702 
2703     gen_op_mov_reg_v(s, d_ot, R_EBP, s->T0);
2704     gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1);
2705 }
2706 
2707 /* Similarly, except that the assumption here is that we don't decode
2708    the instruction at all -- either a missing opcode, an unimplemented
2709    feature, or just a bogus instruction stream.  */
2710 static void gen_unknown_opcode(CPUX86State *env, DisasContext *s)
2711 {
2712     gen_illegal_opcode(s);
2713 
2714     if (qemu_loglevel_mask(LOG_UNIMP)) {
2715         FILE *logfile = qemu_log_trylock();
2716         if (logfile) {
2717             target_ulong pc = s->base.pc_next, end = s->pc;
2718 
2719             fprintf(logfile, "ILLOPC: " TARGET_FMT_lx ":", pc);
2720             for (; pc < end; ++pc) {
2721                 fprintf(logfile, " %02x", cpu_ldub_code(env, pc));
2722             }
2723             fprintf(logfile, "\n");
2724             qemu_log_unlock(logfile);
2725         }
2726     }
2727 }
2728 
2729 /* an interrupt is different from an exception because of the
2730    privilege checks */
2731 static void gen_interrupt(DisasContext *s, int intno)
2732 {
2733     gen_update_cc_op(s);
2734     gen_update_eip_cur(s);
2735     gen_helper_raise_interrupt(tcg_env, tcg_constant_i32(intno),
2736                                cur_insn_len_i32(s));
2737     s->base.is_jmp = DISAS_NORETURN;
2738 }
2739 
2740 static void gen_set_hflag(DisasContext *s, uint32_t mask)
2741 {
2742     if ((s->flags & mask) == 0) {
2743         TCGv_i32 t = tcg_temp_new_i32();
2744         tcg_gen_ld_i32(t, tcg_env, offsetof(CPUX86State, hflags));
2745         tcg_gen_ori_i32(t, t, mask);
2746         tcg_gen_st_i32(t, tcg_env, offsetof(CPUX86State, hflags));
2747         s->flags |= mask;
2748     }
2749 }
2750 
2751 static void gen_reset_hflag(DisasContext *s, uint32_t mask)
2752 {
2753     if (s->flags & mask) {
2754         TCGv_i32 t = tcg_temp_new_i32();
2755         tcg_gen_ld_i32(t, tcg_env, offsetof(CPUX86State, hflags));
2756         tcg_gen_andi_i32(t, t, ~mask);
2757         tcg_gen_st_i32(t, tcg_env, offsetof(CPUX86State, hflags));
2758         s->flags &= ~mask;
2759     }
2760 }
2761 
2762 static void gen_set_eflags(DisasContext *s, target_ulong mask)
2763 {
2764     TCGv t = tcg_temp_new();
2765 
2766     tcg_gen_ld_tl(t, tcg_env, offsetof(CPUX86State, eflags));
2767     tcg_gen_ori_tl(t, t, mask);
2768     tcg_gen_st_tl(t, tcg_env, offsetof(CPUX86State, eflags));
2769 }
2770 
2771 static void gen_reset_eflags(DisasContext *s, target_ulong mask)
2772 {
2773     TCGv t = tcg_temp_new();
2774 
2775     tcg_gen_ld_tl(t, tcg_env, offsetof(CPUX86State, eflags));
2776     tcg_gen_andi_tl(t, t, ~mask);
2777     tcg_gen_st_tl(t, tcg_env, offsetof(CPUX86State, eflags));
2778 }
2779 
2780 /* Clear BND registers during legacy branches.  */
2781 static void gen_bnd_jmp(DisasContext *s)
2782 {
2783     /* Clear the registers only if BND prefix is missing, MPX is enabled,
2784        and if the BNDREGs are known to be in use (non-zero) already.
2785        The helper itself will check BNDPRESERVE at runtime.  */
2786     if ((s->prefix & PREFIX_REPNZ) == 0
2787         && (s->flags & HF_MPX_EN_MASK) != 0
2788         && (s->flags & HF_MPX_IU_MASK) != 0) {
2789         gen_helper_bnd_jmp(tcg_env);
2790     }
2791 }
2792 
2793 /* Generate an end of block. Trace exception is also generated if needed.
2794    If INHIBIT, set HF_INHIBIT_IRQ_MASK if it isn't already set.
2795    If RECHECK_TF, emit a rechecking helper for #DB, ignoring the state of
2796    S->TF.  This is used by the syscall/sysret insns.  */
2797 static void
2798 do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
2799 {
2800     gen_update_cc_op(s);
2801 
2802     /* If several instructions disable interrupts, only the first does it.  */
2803     if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
2804         gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
2805     } else {
2806         gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
2807     }
2808 
2809     if (s->base.tb->flags & HF_RF_MASK) {
2810         gen_reset_eflags(s, RF_MASK);
2811     }
2812     if (recheck_tf) {
2813         gen_helper_rechecking_single_step(tcg_env);
2814         tcg_gen_exit_tb(NULL, 0);
2815     } else if (s->flags & HF_TF_MASK) {
2816         gen_helper_single_step(tcg_env);
2817     } else if (jr) {
2818         tcg_gen_lookup_and_goto_ptr();
2819     } else {
2820         tcg_gen_exit_tb(NULL, 0);
2821     }
2822     s->base.is_jmp = DISAS_NORETURN;
2823 }
2824 
2825 static inline void
2826 gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf)
2827 {
2828     do_gen_eob_worker(s, inhibit, recheck_tf, false);
2829 }
2830 
2831 /* End of block.
2832    If INHIBIT, set HF_INHIBIT_IRQ_MASK if it isn't already set.  */
2833 static void gen_eob_inhibit_irq(DisasContext *s, bool inhibit)
2834 {
2835     gen_eob_worker(s, inhibit, false);
2836 }
2837 
2838 /* End of block, resetting the inhibit irq flag.  */
2839 static void gen_eob(DisasContext *s)
2840 {
2841     gen_eob_worker(s, false, false);
2842 }
2843 
2844 /* Jump to register */
2845 static void gen_jr(DisasContext *s)
2846 {
2847     do_gen_eob_worker(s, false, false, true);
2848 }
2849 
2850 /* Jump to eip+diff, truncating the result to OT. */
2851 static void gen_jmp_rel(DisasContext *s, MemOp ot, int diff, int tb_num)
2852 {
2853     bool use_goto_tb = s->jmp_opt;
2854     target_ulong mask = -1;
2855     target_ulong new_pc = s->pc + diff;
2856     target_ulong new_eip = new_pc - s->cs_base;
2857 
2858     /* In 64-bit mode, operand size is fixed at 64 bits. */
2859     if (!CODE64(s)) {
2860         if (ot == MO_16) {
2861             mask = 0xffff;
2862             if (tb_cflags(s->base.tb) & CF_PCREL && CODE32(s)) {
2863                 use_goto_tb = false;
2864             }
2865         } else {
2866             mask = 0xffffffff;
2867         }
2868     }
2869     new_eip &= mask;
2870 
2871     gen_update_cc_op(s);
2872     set_cc_op(s, CC_OP_DYNAMIC);
2873 
2874     if (tb_cflags(s->base.tb) & CF_PCREL) {
2875         tcg_gen_addi_tl(cpu_eip, cpu_eip, new_pc - s->pc_save);
2876         /*
2877          * If we can prove the branch does not leave the page and we have
2878          * no extra masking to apply (data16 branch in code32, see above),
2879          * then we have also proven that the addition does not wrap.
2880          */
2881         if (!use_goto_tb || !is_same_page(&s->base, new_pc)) {
2882             tcg_gen_andi_tl(cpu_eip, cpu_eip, mask);
2883             use_goto_tb = false;
2884         }
2885     } else if (!CODE64(s)) {
2886         new_pc = (uint32_t)(new_eip + s->cs_base);
2887     }
2888 
2889     if (use_goto_tb && translator_use_goto_tb(&s->base, new_pc)) {
2890         /* jump to same page: we can use a direct jump */
2891         tcg_gen_goto_tb(tb_num);
2892         if (!(tb_cflags(s->base.tb) & CF_PCREL)) {
2893             tcg_gen_movi_tl(cpu_eip, new_eip);
2894         }
2895         tcg_gen_exit_tb(s->base.tb, tb_num);
2896         s->base.is_jmp = DISAS_NORETURN;
2897     } else {
2898         if (!(tb_cflags(s->base.tb) & CF_PCREL)) {
2899             tcg_gen_movi_tl(cpu_eip, new_eip);
2900         }
2901         if (s->jmp_opt) {
2902             gen_jr(s);   /* jump to another page */
2903         } else {
2904             gen_eob(s);  /* exit to main loop */
2905         }
2906     }
2907 }
2908 
2909 /* Jump to eip+diff, truncating to the current code size. */
2910 static void gen_jmp_rel_csize(DisasContext *s, int diff, int tb_num)
2911 {
2912     /* CODE64 ignores the OT argument, so we need not consider it. */
2913     gen_jmp_rel(s, CODE32(s) ? MO_32 : MO_16, diff, tb_num);
2914 }
2915 
2916 static inline void gen_ldq_env_A0(DisasContext *s, int offset)
2917 {
2918     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0, s->mem_index, MO_LEUQ);
2919     tcg_gen_st_i64(s->tmp1_i64, tcg_env, offset);
2920 }
2921 
2922 static inline void gen_stq_env_A0(DisasContext *s, int offset)
2923 {
2924     tcg_gen_ld_i64(s->tmp1_i64, tcg_env, offset);
2925     tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0, s->mem_index, MO_LEUQ);
2926 }
2927 
2928 static inline void gen_ldo_env_A0(DisasContext *s, int offset, bool align)
2929 {
2930     MemOp atom = (s->cpuid_ext_features & CPUID_EXT_AVX
2931                   ? MO_ATOM_IFALIGN : MO_ATOM_IFALIGN_PAIR);
2932     MemOp mop = MO_128 | MO_LE | atom | (align ? MO_ALIGN_16 : 0);
2933     int mem_index = s->mem_index;
2934     TCGv_i128 t = tcg_temp_new_i128();
2935 
2936     tcg_gen_qemu_ld_i128(t, s->A0, mem_index, mop);
2937     tcg_gen_st_i128(t, tcg_env, offset);
2938 }
2939 
2940 static inline void gen_sto_env_A0(DisasContext *s, int offset, bool align)
2941 {
2942     MemOp atom = (s->cpuid_ext_features & CPUID_EXT_AVX
2943                   ? MO_ATOM_IFALIGN : MO_ATOM_IFALIGN_PAIR);
2944     MemOp mop = MO_128 | MO_LE | atom | (align ? MO_ALIGN_16 : 0);
2945     int mem_index = s->mem_index;
2946     TCGv_i128 t = tcg_temp_new_i128();
2947 
2948     tcg_gen_ld_i128(t, tcg_env, offset);
2949     tcg_gen_qemu_st_i128(t, s->A0, mem_index, mop);
2950 }
2951 
2952 static void gen_ldy_env_A0(DisasContext *s, int offset, bool align)
2953 {
2954     MemOp mop = MO_128 | MO_LE | MO_ATOM_IFALIGN_PAIR;
2955     int mem_index = s->mem_index;
2956     TCGv_i128 t0 = tcg_temp_new_i128();
2957     TCGv_i128 t1 = tcg_temp_new_i128();
2958 
2959     tcg_gen_qemu_ld_i128(t0, s->A0, mem_index, mop | (align ? MO_ALIGN_32 : 0));
2960     tcg_gen_addi_tl(s->tmp0, s->A0, 16);
2961     tcg_gen_qemu_ld_i128(t1, s->tmp0, mem_index, mop);
2962 
2963     tcg_gen_st_i128(t0, tcg_env, offset + offsetof(YMMReg, YMM_X(0)));
2964     tcg_gen_st_i128(t1, tcg_env, offset + offsetof(YMMReg, YMM_X(1)));
2965 }
2966 
2967 static void gen_sty_env_A0(DisasContext *s, int offset, bool align)
2968 {
2969     MemOp mop = MO_128 | MO_LE | MO_ATOM_IFALIGN_PAIR;
2970     int mem_index = s->mem_index;
2971     TCGv_i128 t = tcg_temp_new_i128();
2972 
2973     tcg_gen_ld_i128(t, tcg_env, offset + offsetof(YMMReg, YMM_X(0)));
2974     tcg_gen_qemu_st_i128(t, s->A0, mem_index, mop | (align ? MO_ALIGN_32 : 0));
2975     tcg_gen_addi_tl(s->tmp0, s->A0, 16);
2976     tcg_gen_ld_i128(t, tcg_env, offset + offsetof(YMMReg, YMM_X(1)));
2977     tcg_gen_qemu_st_i128(t, s->tmp0, mem_index, mop);
2978 }
2979 
2980 #include "decode-new.h"
2981 #include "emit.c.inc"
2982 #include "decode-new.c.inc"
2983 
2984 static void gen_cmpxchg8b(DisasContext *s, CPUX86State *env, int modrm)
2985 {
2986     TCGv_i64 cmp, val, old;
2987     TCGv Z;
2988 
2989     gen_lea_modrm(env, s, modrm);
2990 
2991     cmp = tcg_temp_new_i64();
2992     val = tcg_temp_new_i64();
2993     old = tcg_temp_new_i64();
2994 
2995     /* Construct the comparison values from the register pair. */
2996     tcg_gen_concat_tl_i64(cmp, cpu_regs[R_EAX], cpu_regs[R_EDX]);
2997     tcg_gen_concat_tl_i64(val, cpu_regs[R_EBX], cpu_regs[R_ECX]);
2998 
2999     /* Only require atomic with LOCK; non-parallel handled in generator. */
3000     if (s->prefix & PREFIX_LOCK) {
3001         tcg_gen_atomic_cmpxchg_i64(old, s->A0, cmp, val, s->mem_index, MO_TEUQ);
3002     } else {
3003         tcg_gen_nonatomic_cmpxchg_i64(old, s->A0, cmp, val,
3004                                       s->mem_index, MO_TEUQ);
3005     }
3006 
3007     /* Set tmp0 to match the required value of Z. */
3008     tcg_gen_setcond_i64(TCG_COND_EQ, cmp, old, cmp);
3009     Z = tcg_temp_new();
3010     tcg_gen_trunc_i64_tl(Z, cmp);
3011 
3012     /*
3013      * Extract the result values for the register pair.
3014      * For 32-bit, we may do this unconditionally, because on success (Z=1),
3015      * the old value matches the previous value in EDX:EAX.  For x86_64,
3016      * the store must be conditional, because we must leave the source
3017      * registers unchanged on success, and zero-extend the writeback
3018      * on failure (Z=0).
3019      */
3020     if (TARGET_LONG_BITS == 32) {
3021         tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], old);
3022     } else {
3023         TCGv zero = tcg_constant_tl(0);
3024 
3025         tcg_gen_extr_i64_tl(s->T0, s->T1, old);
3026         tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EAX], Z, zero,
3027                            s->T0, cpu_regs[R_EAX]);
3028         tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EDX], Z, zero,
3029                            s->T1, cpu_regs[R_EDX]);
3030     }
3031 
3032     /* Update Z. */
3033     gen_compute_eflags(s);
3034     tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, Z, ctz32(CC_Z), 1);
3035 }
3036 
3037 #ifdef TARGET_X86_64
3038 static void gen_cmpxchg16b(DisasContext *s, CPUX86State *env, int modrm)
3039 {
3040     MemOp mop = MO_TE | MO_128 | MO_ALIGN;
3041     TCGv_i64 t0, t1;
3042     TCGv_i128 cmp, val;
3043 
3044     gen_lea_modrm(env, s, modrm);
3045 
3046     cmp = tcg_temp_new_i128();
3047     val = tcg_temp_new_i128();
3048     tcg_gen_concat_i64_i128(cmp, cpu_regs[R_EAX], cpu_regs[R_EDX]);
3049     tcg_gen_concat_i64_i128(val, cpu_regs[R_EBX], cpu_regs[R_ECX]);
3050 
3051     /* Only require atomic with LOCK; non-parallel handled in generator. */
3052     if (s->prefix & PREFIX_LOCK) {
3053         tcg_gen_atomic_cmpxchg_i128(val, s->A0, cmp, val, s->mem_index, mop);
3054     } else {
3055         tcg_gen_nonatomic_cmpxchg_i128(val, s->A0, cmp, val, s->mem_index, mop);
3056     }
3057 
3058     tcg_gen_extr_i128_i64(s->T0, s->T1, val);
3059 
3060     /* Determine success after the fact. */
3061     t0 = tcg_temp_new_i64();
3062     t1 = tcg_temp_new_i64();
3063     tcg_gen_xor_i64(t0, s->T0, cpu_regs[R_EAX]);
3064     tcg_gen_xor_i64(t1, s->T1, cpu_regs[R_EDX]);
3065     tcg_gen_or_i64(t0, t0, t1);
3066 
3067     /* Update Z. */
3068     gen_compute_eflags(s);
3069     tcg_gen_setcondi_i64(TCG_COND_EQ, t0, t0, 0);
3070     tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, t0, ctz32(CC_Z), 1);
3071 
3072     /*
3073      * Extract the result values for the register pair.  We may do this
3074      * unconditionally, because on success (Z=1), the old value matches
3075      * the previous value in RDX:RAX.
3076      */
3077     tcg_gen_mov_i64(cpu_regs[R_EAX], s->T0);
3078     tcg_gen_mov_i64(cpu_regs[R_EDX], s->T1);
3079 }
3080 #endif
3081 
3082 /* convert one instruction. s->base.is_jmp is set if the translation must
3083    be stopped. Return the next pc value */
3084 static bool disas_insn(DisasContext *s, CPUState *cpu)
3085 {
3086     CPUX86State *env = cpu_env(cpu);
3087     int b, prefixes;
3088     int shift;
3089     MemOp ot, aflag, dflag;
3090     int modrm, reg, rm, mod, op, opreg, val;
3091     bool orig_cc_op_dirty = s->cc_op_dirty;
3092     CCOp orig_cc_op = s->cc_op;
3093     target_ulong orig_pc_save = s->pc_save;
3094 
3095     s->pc = s->base.pc_next;
3096     s->override = -1;
3097 #ifdef TARGET_X86_64
3098     s->rex_r = 0;
3099     s->rex_x = 0;
3100     s->rex_b = 0;
3101 #endif
3102     s->rip_offset = 0; /* for relative ip address */
3103     s->vex_l = 0;
3104     s->vex_v = 0;
3105     s->vex_w = false;
3106     switch (sigsetjmp(s->jmpbuf, 0)) {
3107     case 0:
3108         break;
3109     case 1:
3110         gen_exception_gpf(s);
3111         return true;
3112     case 2:
3113         /* Restore state that may affect the next instruction. */
3114         s->pc = s->base.pc_next;
3115         /*
3116          * TODO: These save/restore can be removed after the table-based
3117          * decoder is complete; we will be decoding the insn completely
3118          * before any code generation that might affect these variables.
3119          */
3120         s->cc_op_dirty = orig_cc_op_dirty;
3121         s->cc_op = orig_cc_op;
3122         s->pc_save = orig_pc_save;
3123         /* END TODO */
3124         s->base.num_insns--;
3125         tcg_remove_ops_after(s->prev_insn_end);
3126         s->base.is_jmp = DISAS_TOO_MANY;
3127         return false;
3128     default:
3129         g_assert_not_reached();
3130     }
3131 
3132     prefixes = 0;
3133 
3134  next_byte:
3135     s->prefix = prefixes;
3136     b = x86_ldub_code(env, s);
3137     /* Collect prefixes.  */
3138     switch (b) {
3139     default:
3140         break;
3141     case 0x0f:
3142         b = x86_ldub_code(env, s) + 0x100;
3143         break;
3144     case 0xf3:
3145         prefixes |= PREFIX_REPZ;
3146         prefixes &= ~PREFIX_REPNZ;
3147         goto next_byte;
3148     case 0xf2:
3149         prefixes |= PREFIX_REPNZ;
3150         prefixes &= ~PREFIX_REPZ;
3151         goto next_byte;
3152     case 0xf0:
3153         prefixes |= PREFIX_LOCK;
3154         goto next_byte;
3155     case 0x2e:
3156         s->override = R_CS;
3157         goto next_byte;
3158     case 0x36:
3159         s->override = R_SS;
3160         goto next_byte;
3161     case 0x3e:
3162         s->override = R_DS;
3163         goto next_byte;
3164     case 0x26:
3165         s->override = R_ES;
3166         goto next_byte;
3167     case 0x64:
3168         s->override = R_FS;
3169         goto next_byte;
3170     case 0x65:
3171         s->override = R_GS;
3172         goto next_byte;
3173     case 0x66:
3174         prefixes |= PREFIX_DATA;
3175         goto next_byte;
3176     case 0x67:
3177         prefixes |= PREFIX_ADR;
3178         goto next_byte;
3179 #ifdef TARGET_X86_64
3180     case 0x40 ... 0x4f:
3181         if (CODE64(s)) {
3182             /* REX prefix */
3183             prefixes |= PREFIX_REX;
3184             s->vex_w = (b >> 3) & 1;
3185             s->rex_r = (b & 0x4) << 1;
3186             s->rex_x = (b & 0x2) << 2;
3187             s->rex_b = (b & 0x1) << 3;
3188             goto next_byte;
3189         }
3190         break;
3191 #endif
3192     case 0xc5: /* 2-byte VEX */
3193     case 0xc4: /* 3-byte VEX */
3194         if (CODE32(s) && !VM86(s)) {
3195             int vex2 = x86_ldub_code(env, s);
3196             s->pc--; /* rewind the advance_pc() x86_ldub_code() did */
3197 
3198             if (!CODE64(s) && (vex2 & 0xc0) != 0xc0) {
3199                 /* 4.1.4.6: In 32-bit mode, bits [7:6] must be 11b,
3200                    otherwise the instruction is LES or LDS.  */
3201                 break;
3202             }
3203             disas_insn_new(s, cpu, b);
3204             return s->pc;
3205         }
3206         break;
3207     }
3208 
3209     /* Post-process prefixes.  */
3210     if (CODE64(s)) {
3211         /* In 64-bit mode, the default data size is 32-bit.  Select 64-bit
3212            data with rex_w, and 16-bit data with 0x66; rex_w takes precedence
3213            over 0x66 if both are present.  */
3214         dflag = (REX_W(s) ? MO_64 : prefixes & PREFIX_DATA ? MO_16 : MO_32);
3215         /* In 64-bit mode, 0x67 selects 32-bit addressing.  */
3216         aflag = (prefixes & PREFIX_ADR ? MO_32 : MO_64);
3217     } else {
3218         /* In 16/32-bit mode, 0x66 selects the opposite data size.  */
3219         if (CODE32(s) ^ ((prefixes & PREFIX_DATA) != 0)) {
3220             dflag = MO_32;
3221         } else {
3222             dflag = MO_16;
3223         }
3224         /* In 16/32-bit mode, 0x67 selects the opposite addressing.  */
3225         if (CODE32(s) ^ ((prefixes & PREFIX_ADR) != 0)) {
3226             aflag = MO_32;
3227         }  else {
3228             aflag = MO_16;
3229         }
3230     }
3231 
3232     s->prefix = prefixes;
3233     s->aflag = aflag;
3234     s->dflag = dflag;
3235 
3236     /* now check op code */
3237     switch (b) {
3238         /**************************/
3239         /* arith & logic */
3240     case 0x00 ... 0x05:
3241     case 0x08 ... 0x0d:
3242     case 0x10 ... 0x15:
3243     case 0x18 ... 0x1d:
3244     case 0x20 ... 0x25:
3245     case 0x28 ... 0x2d:
3246     case 0x30 ... 0x35:
3247     case 0x38 ... 0x3d:
3248         {
3249             int f;
3250             op = (b >> 3) & 7;
3251             f = (b >> 1) & 3;
3252 
3253             ot = mo_b_d(b, dflag);
3254 
3255             switch(f) {
3256             case 0: /* OP Ev, Gv */
3257                 modrm = x86_ldub_code(env, s);
3258                 reg = ((modrm >> 3) & 7) | REX_R(s);
3259                 mod = (modrm >> 6) & 3;
3260                 rm = (modrm & 7) | REX_B(s);
3261                 if (mod != 3) {
3262                     gen_lea_modrm(env, s, modrm);
3263                     opreg = OR_TMP0;
3264                 } else if (op == OP_XORL && rm == reg) {
3265                 xor_zero:
3266                     /* xor reg, reg optimisation */
3267                     set_cc_op(s, CC_OP_CLR);
3268                     tcg_gen_movi_tl(s->T0, 0);
3269                     gen_op_mov_reg_v(s, ot, reg, s->T0);
3270                     break;
3271                 } else {
3272                     opreg = rm;
3273                 }
3274                 gen_op_mov_v_reg(s, ot, s->T1, reg);
3275                 gen_op(s, op, ot, opreg);
3276                 break;
3277             case 1: /* OP Gv, Ev */
3278                 modrm = x86_ldub_code(env, s);
3279                 mod = (modrm >> 6) & 3;
3280                 reg = ((modrm >> 3) & 7) | REX_R(s);
3281                 rm = (modrm & 7) | REX_B(s);
3282                 if (mod != 3) {
3283                     gen_lea_modrm(env, s, modrm);
3284                     gen_op_ld_v(s, ot, s->T1, s->A0);
3285                 } else if (op == OP_XORL && rm == reg) {
3286                     goto xor_zero;
3287                 } else {
3288                     gen_op_mov_v_reg(s, ot, s->T1, rm);
3289                 }
3290                 gen_op(s, op, ot, reg);
3291                 break;
3292             case 2: /* OP A, Iv */
3293                 val = insn_get(env, s, ot);
3294                 tcg_gen_movi_tl(s->T1, val);
3295                 gen_op(s, op, ot, OR_EAX);
3296                 break;
3297             }
3298         }
3299         break;
3300 
3301     case 0x82:
3302         if (CODE64(s))
3303             goto illegal_op;
3304         /* fall through */
3305     case 0x80: /* GRP1 */
3306     case 0x81:
3307     case 0x83:
3308         {
3309             ot = mo_b_d(b, dflag);
3310 
3311             modrm = x86_ldub_code(env, s);
3312             mod = (modrm >> 6) & 3;
3313             rm = (modrm & 7) | REX_B(s);
3314             op = (modrm >> 3) & 7;
3315 
3316             if (mod != 3) {
3317                 if (b == 0x83)
3318                     s->rip_offset = 1;
3319                 else
3320                     s->rip_offset = insn_const_size(ot);
3321                 gen_lea_modrm(env, s, modrm);
3322                 opreg = OR_TMP0;
3323             } else {
3324                 opreg = rm;
3325             }
3326 
3327             switch(b) {
3328             default:
3329             case 0x80:
3330             case 0x81:
3331             case 0x82:
3332                 val = insn_get(env, s, ot);
3333                 break;
3334             case 0x83:
3335                 val = (int8_t)insn_get(env, s, MO_8);
3336                 break;
3337             }
3338             tcg_gen_movi_tl(s->T1, val);
3339             gen_op(s, op, ot, opreg);
3340         }
3341         break;
3342 
3343         /**************************/
3344         /* inc, dec, and other misc arith */
3345     case 0x40 ... 0x47: /* inc Gv */
3346         ot = dflag;
3347         gen_inc(s, ot, OR_EAX + (b & 7), 1);
3348         break;
3349     case 0x48 ... 0x4f: /* dec Gv */
3350         ot = dflag;
3351         gen_inc(s, ot, OR_EAX + (b & 7), -1);
3352         break;
3353     case 0xf6: /* GRP3 */
3354     case 0xf7:
3355         ot = mo_b_d(b, dflag);
3356 
3357         modrm = x86_ldub_code(env, s);
3358         mod = (modrm >> 6) & 3;
3359         rm = (modrm & 7) | REX_B(s);
3360         op = (modrm >> 3) & 7;
3361         if (mod != 3) {
3362             if (op == 0) {
3363                 s->rip_offset = insn_const_size(ot);
3364             }
3365             gen_lea_modrm(env, s, modrm);
3366             /* For those below that handle locked memory, don't load here.  */
3367             if (!(s->prefix & PREFIX_LOCK)
3368                 || op != 2) {
3369                 gen_op_ld_v(s, ot, s->T0, s->A0);
3370             }
3371         } else {
3372             gen_op_mov_v_reg(s, ot, s->T0, rm);
3373         }
3374 
3375         switch(op) {
3376         case 0: /* test */
3377             val = insn_get(env, s, ot);
3378             tcg_gen_movi_tl(s->T1, val);
3379             gen_op_testl_T0_T1_cc(s);
3380             set_cc_op(s, CC_OP_LOGICB + ot);
3381             break;
3382         case 2: /* not */
3383             if (s->prefix & PREFIX_LOCK) {
3384                 if (mod == 3) {
3385                     goto illegal_op;
3386                 }
3387                 tcg_gen_movi_tl(s->T0, ~0);
3388                 tcg_gen_atomic_xor_fetch_tl(s->T0, s->A0, s->T0,
3389                                             s->mem_index, ot | MO_LE);
3390             } else {
3391                 tcg_gen_not_tl(s->T0, s->T0);
3392                 if (mod != 3) {
3393                     gen_op_st_v(s, ot, s->T0, s->A0);
3394                 } else {
3395                     gen_op_mov_reg_v(s, ot, rm, s->T0);
3396                 }
3397             }
3398             break;
3399         case 3: /* neg */
3400             if (s->prefix & PREFIX_LOCK) {
3401                 TCGLabel *label1;
3402                 TCGv a0, t0, t1, t2;
3403 
3404                 if (mod == 3) {
3405                     goto illegal_op;
3406                 }
3407                 a0 = s->A0;
3408                 t0 = s->T0;
3409                 label1 = gen_new_label();
3410 
3411                 gen_set_label(label1);
3412                 t1 = tcg_temp_new();
3413                 t2 = tcg_temp_new();
3414                 tcg_gen_mov_tl(t2, t0);
3415                 tcg_gen_neg_tl(t1, t0);
3416                 tcg_gen_atomic_cmpxchg_tl(t0, a0, t0, t1,
3417                                           s->mem_index, ot | MO_LE);
3418                 tcg_gen_brcond_tl(TCG_COND_NE, t0, t2, label1);
3419 
3420                 tcg_gen_neg_tl(s->T0, t0);
3421             } else {
3422                 tcg_gen_neg_tl(s->T0, s->T0);
3423                 if (mod != 3) {
3424                     gen_op_st_v(s, ot, s->T0, s->A0);
3425                 } else {
3426                     gen_op_mov_reg_v(s, ot, rm, s->T0);
3427                 }
3428             }
3429             gen_op_update_neg_cc(s);
3430             set_cc_op(s, CC_OP_SUBB + ot);
3431             break;
3432         case 4: /* mul */
3433             switch(ot) {
3434             case MO_8:
3435                 gen_op_mov_v_reg(s, MO_8, s->T1, R_EAX);
3436                 tcg_gen_ext8u_tl(s->T0, s->T0);
3437                 tcg_gen_ext8u_tl(s->T1, s->T1);
3438                 /* XXX: use 32 bit mul which could be faster */
3439                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3440                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3441                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3442                 tcg_gen_andi_tl(cpu_cc_src, s->T0, 0xff00);
3443                 set_cc_op(s, CC_OP_MULB);
3444                 break;
3445             case MO_16:
3446                 gen_op_mov_v_reg(s, MO_16, s->T1, R_EAX);
3447                 tcg_gen_ext16u_tl(s->T0, s->T0);
3448                 tcg_gen_ext16u_tl(s->T1, s->T1);
3449                 /* XXX: use 32 bit mul which could be faster */
3450                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3451                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3452                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3453                 tcg_gen_shri_tl(s->T0, s->T0, 16);
3454                 gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3455                 tcg_gen_mov_tl(cpu_cc_src, s->T0);
3456                 set_cc_op(s, CC_OP_MULW);
3457                 break;
3458             default:
3459             case MO_32:
3460                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3461                 tcg_gen_trunc_tl_i32(s->tmp3_i32, cpu_regs[R_EAX]);
3462                 tcg_gen_mulu2_i32(s->tmp2_i32, s->tmp3_i32,
3463                                   s->tmp2_i32, s->tmp3_i32);
3464                 tcg_gen_extu_i32_tl(cpu_regs[R_EAX], s->tmp2_i32);
3465                 tcg_gen_extu_i32_tl(cpu_regs[R_EDX], s->tmp3_i32);
3466                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3467                 tcg_gen_mov_tl(cpu_cc_src, cpu_regs[R_EDX]);
3468                 set_cc_op(s, CC_OP_MULL);
3469                 break;
3470 #ifdef TARGET_X86_64
3471             case MO_64:
3472                 tcg_gen_mulu2_i64(cpu_regs[R_EAX], cpu_regs[R_EDX],
3473                                   s->T0, cpu_regs[R_EAX]);
3474                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3475                 tcg_gen_mov_tl(cpu_cc_src, cpu_regs[R_EDX]);
3476                 set_cc_op(s, CC_OP_MULQ);
3477                 break;
3478 #endif
3479             }
3480             break;
3481         case 5: /* imul */
3482             switch(ot) {
3483             case MO_8:
3484                 gen_op_mov_v_reg(s, MO_8, s->T1, R_EAX);
3485                 tcg_gen_ext8s_tl(s->T0, s->T0);
3486                 tcg_gen_ext8s_tl(s->T1, s->T1);
3487                 /* XXX: use 32 bit mul which could be faster */
3488                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3489                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3490                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3491                 tcg_gen_ext8s_tl(s->tmp0, s->T0);
3492                 tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
3493                 set_cc_op(s, CC_OP_MULB);
3494                 break;
3495             case MO_16:
3496                 gen_op_mov_v_reg(s, MO_16, s->T1, R_EAX);
3497                 tcg_gen_ext16s_tl(s->T0, s->T0);
3498                 tcg_gen_ext16s_tl(s->T1, s->T1);
3499                 /* XXX: use 32 bit mul which could be faster */
3500                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3501                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3502                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3503                 tcg_gen_ext16s_tl(s->tmp0, s->T0);
3504                 tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
3505                 tcg_gen_shri_tl(s->T0, s->T0, 16);
3506                 gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3507                 set_cc_op(s, CC_OP_MULW);
3508                 break;
3509             default:
3510             case MO_32:
3511                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3512                 tcg_gen_trunc_tl_i32(s->tmp3_i32, cpu_regs[R_EAX]);
3513                 tcg_gen_muls2_i32(s->tmp2_i32, s->tmp3_i32,
3514                                   s->tmp2_i32, s->tmp3_i32);
3515                 tcg_gen_extu_i32_tl(cpu_regs[R_EAX], s->tmp2_i32);
3516                 tcg_gen_extu_i32_tl(cpu_regs[R_EDX], s->tmp3_i32);
3517                 tcg_gen_sari_i32(s->tmp2_i32, s->tmp2_i32, 31);
3518                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3519                 tcg_gen_sub_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
3520                 tcg_gen_extu_i32_tl(cpu_cc_src, s->tmp2_i32);
3521                 set_cc_op(s, CC_OP_MULL);
3522                 break;
3523 #ifdef TARGET_X86_64
3524             case MO_64:
3525                 tcg_gen_muls2_i64(cpu_regs[R_EAX], cpu_regs[R_EDX],
3526                                   s->T0, cpu_regs[R_EAX]);
3527                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3528                 tcg_gen_sari_tl(cpu_cc_src, cpu_regs[R_EAX], 63);
3529                 tcg_gen_sub_tl(cpu_cc_src, cpu_cc_src, cpu_regs[R_EDX]);
3530                 set_cc_op(s, CC_OP_MULQ);
3531                 break;
3532 #endif
3533             }
3534             break;
3535         case 6: /* div */
3536             switch(ot) {
3537             case MO_8:
3538                 gen_helper_divb_AL(tcg_env, s->T0);
3539                 break;
3540             case MO_16:
3541                 gen_helper_divw_AX(tcg_env, s->T0);
3542                 break;
3543             default:
3544             case MO_32:
3545                 gen_helper_divl_EAX(tcg_env, s->T0);
3546                 break;
3547 #ifdef TARGET_X86_64
3548             case MO_64:
3549                 gen_helper_divq_EAX(tcg_env, s->T0);
3550                 break;
3551 #endif
3552             }
3553             break;
3554         case 7: /* idiv */
3555             switch(ot) {
3556             case MO_8:
3557                 gen_helper_idivb_AL(tcg_env, s->T0);
3558                 break;
3559             case MO_16:
3560                 gen_helper_idivw_AX(tcg_env, s->T0);
3561                 break;
3562             default:
3563             case MO_32:
3564                 gen_helper_idivl_EAX(tcg_env, s->T0);
3565                 break;
3566 #ifdef TARGET_X86_64
3567             case MO_64:
3568                 gen_helper_idivq_EAX(tcg_env, s->T0);
3569                 break;
3570 #endif
3571             }
3572             break;
3573         default:
3574             goto unknown_op;
3575         }
3576         break;
3577 
3578     case 0xfe: /* GRP4 */
3579     case 0xff: /* GRP5 */
3580         ot = mo_b_d(b, dflag);
3581 
3582         modrm = x86_ldub_code(env, s);
3583         mod = (modrm >> 6) & 3;
3584         rm = (modrm & 7) | REX_B(s);
3585         op = (modrm >> 3) & 7;
3586         if (op >= 2 && b == 0xfe) {
3587             goto unknown_op;
3588         }
3589         if (CODE64(s)) {
3590             if (op == 2 || op == 4) {
3591                 /* operand size for jumps is 64 bit */
3592                 ot = MO_64;
3593             } else if (op == 3 || op == 5) {
3594                 ot = dflag != MO_16 ? MO_32 + REX_W(s) : MO_16;
3595             } else if (op == 6) {
3596                 /* default push size is 64 bit */
3597                 ot = mo_pushpop(s, dflag);
3598             }
3599         }
3600         if (mod != 3) {
3601             gen_lea_modrm(env, s, modrm);
3602             if (op >= 2 && op != 3 && op != 5)
3603                 gen_op_ld_v(s, ot, s->T0, s->A0);
3604         } else {
3605             gen_op_mov_v_reg(s, ot, s->T0, rm);
3606         }
3607 
3608         switch(op) {
3609         case 0: /* inc Ev */
3610             if (mod != 3)
3611                 opreg = OR_TMP0;
3612             else
3613                 opreg = rm;
3614             gen_inc(s, ot, opreg, 1);
3615             break;
3616         case 1: /* dec Ev */
3617             if (mod != 3)
3618                 opreg = OR_TMP0;
3619             else
3620                 opreg = rm;
3621             gen_inc(s, ot, opreg, -1);
3622             break;
3623         case 2: /* call Ev */
3624             /* XXX: optimize if memory (no 'and' is necessary) */
3625             if (dflag == MO_16) {
3626                 tcg_gen_ext16u_tl(s->T0, s->T0);
3627             }
3628             gen_push_v(s, eip_next_tl(s));
3629             gen_op_jmp_v(s, s->T0);
3630             gen_bnd_jmp(s);
3631             s->base.is_jmp = DISAS_JUMP;
3632             break;
3633         case 3: /* lcall Ev */
3634             if (mod == 3) {
3635                 goto illegal_op;
3636             }
3637             gen_op_ld_v(s, ot, s->T1, s->A0);
3638             gen_add_A0_im(s, 1 << ot);
3639             gen_op_ld_v(s, MO_16, s->T0, s->A0);
3640         do_lcall:
3641             if (PE(s) && !VM86(s)) {
3642                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3643                 gen_helper_lcall_protected(tcg_env, s->tmp2_i32, s->T1,
3644                                            tcg_constant_i32(dflag - 1),
3645                                            eip_next_tl(s));
3646             } else {
3647                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3648                 tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
3649                 gen_helper_lcall_real(tcg_env, s->tmp2_i32, s->tmp3_i32,
3650                                       tcg_constant_i32(dflag - 1),
3651                                       eip_next_i32(s));
3652             }
3653             s->base.is_jmp = DISAS_JUMP;
3654             break;
3655         case 4: /* jmp Ev */
3656             if (dflag == MO_16) {
3657                 tcg_gen_ext16u_tl(s->T0, s->T0);
3658             }
3659             gen_op_jmp_v(s, s->T0);
3660             gen_bnd_jmp(s);
3661             s->base.is_jmp = DISAS_JUMP;
3662             break;
3663         case 5: /* ljmp Ev */
3664             if (mod == 3) {
3665                 goto illegal_op;
3666             }
3667             gen_op_ld_v(s, ot, s->T1, s->A0);
3668             gen_add_A0_im(s, 1 << ot);
3669             gen_op_ld_v(s, MO_16, s->T0, s->A0);
3670         do_ljmp:
3671             if (PE(s) && !VM86(s)) {
3672                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3673                 gen_helper_ljmp_protected(tcg_env, s->tmp2_i32, s->T1,
3674                                           eip_next_tl(s));
3675             } else {
3676                 gen_op_movl_seg_T0_vm(s, R_CS);
3677                 gen_op_jmp_v(s, s->T1);
3678             }
3679             s->base.is_jmp = DISAS_JUMP;
3680             break;
3681         case 6: /* push Ev */
3682             gen_push_v(s, s->T0);
3683             break;
3684         default:
3685             goto unknown_op;
3686         }
3687         break;
3688 
3689     case 0x84: /* test Ev, Gv */
3690     case 0x85:
3691         ot = mo_b_d(b, dflag);
3692 
3693         modrm = x86_ldub_code(env, s);
3694         reg = ((modrm >> 3) & 7) | REX_R(s);
3695 
3696         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
3697         gen_op_mov_v_reg(s, ot, s->T1, reg);
3698         gen_op_testl_T0_T1_cc(s);
3699         set_cc_op(s, CC_OP_LOGICB + ot);
3700         break;
3701 
3702     case 0xa8: /* test eAX, Iv */
3703     case 0xa9:
3704         ot = mo_b_d(b, dflag);
3705         val = insn_get(env, s, ot);
3706 
3707         gen_op_mov_v_reg(s, ot, s->T0, OR_EAX);
3708         tcg_gen_movi_tl(s->T1, val);
3709         gen_op_testl_T0_T1_cc(s);
3710         set_cc_op(s, CC_OP_LOGICB + ot);
3711         break;
3712 
3713     case 0x98: /* CWDE/CBW */
3714         switch (dflag) {
3715 #ifdef TARGET_X86_64
3716         case MO_64:
3717             gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
3718             tcg_gen_ext32s_tl(s->T0, s->T0);
3719             gen_op_mov_reg_v(s, MO_64, R_EAX, s->T0);
3720             break;
3721 #endif
3722         case MO_32:
3723             gen_op_mov_v_reg(s, MO_16, s->T0, R_EAX);
3724             tcg_gen_ext16s_tl(s->T0, s->T0);
3725             gen_op_mov_reg_v(s, MO_32, R_EAX, s->T0);
3726             break;
3727         case MO_16:
3728             gen_op_mov_v_reg(s, MO_8, s->T0, R_EAX);
3729             tcg_gen_ext8s_tl(s->T0, s->T0);
3730             gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3731             break;
3732         default:
3733             g_assert_not_reached();
3734         }
3735         break;
3736     case 0x99: /* CDQ/CWD */
3737         switch (dflag) {
3738 #ifdef TARGET_X86_64
3739         case MO_64:
3740             gen_op_mov_v_reg(s, MO_64, s->T0, R_EAX);
3741             tcg_gen_sari_tl(s->T0, s->T0, 63);
3742             gen_op_mov_reg_v(s, MO_64, R_EDX, s->T0);
3743             break;
3744 #endif
3745         case MO_32:
3746             gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
3747             tcg_gen_ext32s_tl(s->T0, s->T0);
3748             tcg_gen_sari_tl(s->T0, s->T0, 31);
3749             gen_op_mov_reg_v(s, MO_32, R_EDX, s->T0);
3750             break;
3751         case MO_16:
3752             gen_op_mov_v_reg(s, MO_16, s->T0, R_EAX);
3753             tcg_gen_ext16s_tl(s->T0, s->T0);
3754             tcg_gen_sari_tl(s->T0, s->T0, 15);
3755             gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3756             break;
3757         default:
3758             g_assert_not_reached();
3759         }
3760         break;
3761     case 0x1af: /* imul Gv, Ev */
3762     case 0x69: /* imul Gv, Ev, I */
3763     case 0x6b:
3764         ot = dflag;
3765         modrm = x86_ldub_code(env, s);
3766         reg = ((modrm >> 3) & 7) | REX_R(s);
3767         if (b == 0x69)
3768             s->rip_offset = insn_const_size(ot);
3769         else if (b == 0x6b)
3770             s->rip_offset = 1;
3771         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
3772         if (b == 0x69) {
3773             val = insn_get(env, s, ot);
3774             tcg_gen_movi_tl(s->T1, val);
3775         } else if (b == 0x6b) {
3776             val = (int8_t)insn_get(env, s, MO_8);
3777             tcg_gen_movi_tl(s->T1, val);
3778         } else {
3779             gen_op_mov_v_reg(s, ot, s->T1, reg);
3780         }
3781         switch (ot) {
3782 #ifdef TARGET_X86_64
3783         case MO_64:
3784             tcg_gen_muls2_i64(cpu_regs[reg], s->T1, s->T0, s->T1);
3785             tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[reg]);
3786             tcg_gen_sari_tl(cpu_cc_src, cpu_cc_dst, 63);
3787             tcg_gen_sub_tl(cpu_cc_src, cpu_cc_src, s->T1);
3788             break;
3789 #endif
3790         case MO_32:
3791             tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3792             tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
3793             tcg_gen_muls2_i32(s->tmp2_i32, s->tmp3_i32,
3794                               s->tmp2_i32, s->tmp3_i32);
3795             tcg_gen_extu_i32_tl(cpu_regs[reg], s->tmp2_i32);
3796             tcg_gen_sari_i32(s->tmp2_i32, s->tmp2_i32, 31);
3797             tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[reg]);
3798             tcg_gen_sub_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
3799             tcg_gen_extu_i32_tl(cpu_cc_src, s->tmp2_i32);
3800             break;
3801         default:
3802             tcg_gen_ext16s_tl(s->T0, s->T0);
3803             tcg_gen_ext16s_tl(s->T1, s->T1);
3804             /* XXX: use 32 bit mul which could be faster */
3805             tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3806             tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3807             tcg_gen_ext16s_tl(s->tmp0, s->T0);
3808             tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
3809             gen_op_mov_reg_v(s, ot, reg, s->T0);
3810             break;
3811         }
3812         set_cc_op(s, CC_OP_MULB + ot);
3813         break;
3814     case 0x1c0:
3815     case 0x1c1: /* xadd Ev, Gv */
3816         ot = mo_b_d(b, dflag);
3817         modrm = x86_ldub_code(env, s);
3818         reg = ((modrm >> 3) & 7) | REX_R(s);
3819         mod = (modrm >> 6) & 3;
3820         gen_op_mov_v_reg(s, ot, s->T0, reg);
3821         if (mod == 3) {
3822             rm = (modrm & 7) | REX_B(s);
3823             gen_op_mov_v_reg(s, ot, s->T1, rm);
3824             tcg_gen_add_tl(s->T0, s->T0, s->T1);
3825             gen_op_mov_reg_v(s, ot, reg, s->T1);
3826             gen_op_mov_reg_v(s, ot, rm, s->T0);
3827         } else {
3828             gen_lea_modrm(env, s, modrm);
3829             if (s->prefix & PREFIX_LOCK) {
3830                 tcg_gen_atomic_fetch_add_tl(s->T1, s->A0, s->T0,
3831                                             s->mem_index, ot | MO_LE);
3832                 tcg_gen_add_tl(s->T0, s->T0, s->T1);
3833             } else {
3834                 gen_op_ld_v(s, ot, s->T1, s->A0);
3835                 tcg_gen_add_tl(s->T0, s->T0, s->T1);
3836                 gen_op_st_v(s, ot, s->T0, s->A0);
3837             }
3838             gen_op_mov_reg_v(s, ot, reg, s->T1);
3839         }
3840         gen_op_update2_cc(s);
3841         set_cc_op(s, CC_OP_ADDB + ot);
3842         break;
3843     case 0x1b0:
3844     case 0x1b1: /* cmpxchg Ev, Gv */
3845         {
3846             TCGv oldv, newv, cmpv, dest;
3847 
3848             ot = mo_b_d(b, dflag);
3849             modrm = x86_ldub_code(env, s);
3850             reg = ((modrm >> 3) & 7) | REX_R(s);
3851             mod = (modrm >> 6) & 3;
3852             oldv = tcg_temp_new();
3853             newv = tcg_temp_new();
3854             cmpv = tcg_temp_new();
3855             gen_op_mov_v_reg(s, ot, newv, reg);
3856             tcg_gen_mov_tl(cmpv, cpu_regs[R_EAX]);
3857             gen_extu(ot, cmpv);
3858             if (s->prefix & PREFIX_LOCK) {
3859                 if (mod == 3) {
3860                     goto illegal_op;
3861                 }
3862                 gen_lea_modrm(env, s, modrm);
3863                 tcg_gen_atomic_cmpxchg_tl(oldv, s->A0, cmpv, newv,
3864                                           s->mem_index, ot | MO_LE);
3865             } else {
3866                 if (mod == 3) {
3867                     rm = (modrm & 7) | REX_B(s);
3868                     gen_op_mov_v_reg(s, ot, oldv, rm);
3869                     gen_extu(ot, oldv);
3870 
3871                     /*
3872                      * Unlike the memory case, where "the destination operand receives
3873                      * a write cycle without regard to the result of the comparison",
3874                      * rm must not be touched altogether if the write fails, including
3875                      * not zero-extending it on 64-bit processors.  So, precompute
3876                      * the result of a successful writeback and perform the movcond
3877                      * directly on cpu_regs.  Also need to write accumulator first, in
3878                      * case rm is part of RAX too.
3879                      */
3880                     dest = gen_op_deposit_reg_v(s, ot, rm, newv, newv);
3881                     tcg_gen_movcond_tl(TCG_COND_EQ, dest, oldv, cmpv, newv, dest);
3882                 } else {
3883                     gen_lea_modrm(env, s, modrm);
3884                     gen_op_ld_v(s, ot, oldv, s->A0);
3885 
3886                     /*
3887                      * Perform an unconditional store cycle like physical cpu;
3888                      * must be before changing accumulator to ensure
3889                      * idempotency if the store faults and the instruction
3890                      * is restarted
3891                      */
3892                     tcg_gen_movcond_tl(TCG_COND_EQ, newv, oldv, cmpv, newv, oldv);
3893                     gen_op_st_v(s, ot, newv, s->A0);
3894                 }
3895             }
3896 	    /*
3897 	     * Write EAX only if the cmpxchg fails; reuse newv as the destination,
3898 	     * since it's dead here.
3899 	     */
3900             dest = gen_op_deposit_reg_v(s, ot, R_EAX, newv, oldv);
3901             tcg_gen_movcond_tl(TCG_COND_EQ, dest, oldv, cmpv, dest, newv);
3902             tcg_gen_mov_tl(cpu_cc_src, oldv);
3903             tcg_gen_mov_tl(s->cc_srcT, cmpv);
3904             tcg_gen_sub_tl(cpu_cc_dst, cmpv, oldv);
3905             set_cc_op(s, CC_OP_SUBB + ot);
3906         }
3907         break;
3908     case 0x1c7: /* cmpxchg8b */
3909         modrm = x86_ldub_code(env, s);
3910         mod = (modrm >> 6) & 3;
3911         switch ((modrm >> 3) & 7) {
3912         case 1: /* CMPXCHG8, CMPXCHG16 */
3913             if (mod == 3) {
3914                 goto illegal_op;
3915             }
3916 #ifdef TARGET_X86_64
3917             if (dflag == MO_64) {
3918                 if (!(s->cpuid_ext_features & CPUID_EXT_CX16)) {
3919                     goto illegal_op;
3920                 }
3921                 gen_cmpxchg16b(s, env, modrm);
3922                 break;
3923             }
3924 #endif
3925             if (!(s->cpuid_features & CPUID_CX8)) {
3926                 goto illegal_op;
3927             }
3928             gen_cmpxchg8b(s, env, modrm);
3929             break;
3930 
3931         case 7: /* RDSEED, RDPID with f3 prefix */
3932             if (mod != 3 ||
3933                 (s->prefix & (PREFIX_LOCK | PREFIX_REPNZ))) {
3934                 goto illegal_op;
3935             }
3936             if (s->prefix & PREFIX_REPZ) {
3937                 if (!(s->cpuid_ext_features & CPUID_7_0_ECX_RDPID)) {
3938                     goto illegal_op;
3939                 }
3940                 gen_helper_rdpid(s->T0, tcg_env);
3941                 rm = (modrm & 7) | REX_B(s);
3942                 gen_op_mov_reg_v(s, dflag, rm, s->T0);
3943                 break;
3944             } else {
3945                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_RDSEED)) {
3946                     goto illegal_op;
3947                 }
3948                 goto do_rdrand;
3949             }
3950 
3951         case 6: /* RDRAND */
3952             if (mod != 3 ||
3953                 (s->prefix & (PREFIX_LOCK | PREFIX_REPZ | PREFIX_REPNZ)) ||
3954                 !(s->cpuid_ext_features & CPUID_EXT_RDRAND)) {
3955                 goto illegal_op;
3956             }
3957         do_rdrand:
3958             translator_io_start(&s->base);
3959             gen_helper_rdrand(s->T0, tcg_env);
3960             rm = (modrm & 7) | REX_B(s);
3961             gen_op_mov_reg_v(s, dflag, rm, s->T0);
3962             set_cc_op(s, CC_OP_EFLAGS);
3963             break;
3964 
3965         default:
3966             goto illegal_op;
3967         }
3968         break;
3969 
3970         /**************************/
3971         /* push/pop */
3972     case 0x50 ... 0x57: /* push */
3973         gen_op_mov_v_reg(s, MO_32, s->T0, (b & 7) | REX_B(s));
3974         gen_push_v(s, s->T0);
3975         break;
3976     case 0x58 ... 0x5f: /* pop */
3977         ot = gen_pop_T0(s);
3978         /* NOTE: order is important for pop %sp */
3979         gen_pop_update(s, ot);
3980         gen_op_mov_reg_v(s, ot, (b & 7) | REX_B(s), s->T0);
3981         break;
3982     case 0x60: /* pusha */
3983         if (CODE64(s))
3984             goto illegal_op;
3985         gen_pusha(s);
3986         break;
3987     case 0x61: /* popa */
3988         if (CODE64(s))
3989             goto illegal_op;
3990         gen_popa(s);
3991         break;
3992     case 0x68: /* push Iv */
3993     case 0x6a:
3994         ot = mo_pushpop(s, dflag);
3995         if (b == 0x68)
3996             val = insn_get(env, s, ot);
3997         else
3998             val = (int8_t)insn_get(env, s, MO_8);
3999         tcg_gen_movi_tl(s->T0, val);
4000         gen_push_v(s, s->T0);
4001         break;
4002     case 0x8f: /* pop Ev */
4003         modrm = x86_ldub_code(env, s);
4004         mod = (modrm >> 6) & 3;
4005         ot = gen_pop_T0(s);
4006         if (mod == 3) {
4007             /* NOTE: order is important for pop %sp */
4008             gen_pop_update(s, ot);
4009             rm = (modrm & 7) | REX_B(s);
4010             gen_op_mov_reg_v(s, ot, rm, s->T0);
4011         } else {
4012             /* NOTE: order is important too for MMU exceptions */
4013             s->popl_esp_hack = 1 << ot;
4014             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
4015             s->popl_esp_hack = 0;
4016             gen_pop_update(s, ot);
4017         }
4018         break;
4019     case 0xc8: /* enter */
4020         {
4021             int level;
4022             val = x86_lduw_code(env, s);
4023             level = x86_ldub_code(env, s);
4024             gen_enter(s, val, level);
4025         }
4026         break;
4027     case 0xc9: /* leave */
4028         gen_leave(s);
4029         break;
4030     case 0x06: /* push es */
4031     case 0x0e: /* push cs */
4032     case 0x16: /* push ss */
4033     case 0x1e: /* push ds */
4034         if (CODE64(s))
4035             goto illegal_op;
4036         gen_op_movl_T0_seg(s, b >> 3);
4037         gen_push_v(s, s->T0);
4038         break;
4039     case 0x1a0: /* push fs */
4040     case 0x1a8: /* push gs */
4041         gen_op_movl_T0_seg(s, (b >> 3) & 7);
4042         gen_push_v(s, s->T0);
4043         break;
4044     case 0x07: /* pop es */
4045     case 0x17: /* pop ss */
4046     case 0x1f: /* pop ds */
4047         if (CODE64(s))
4048             goto illegal_op;
4049         reg = b >> 3;
4050         ot = gen_pop_T0(s);
4051         gen_movl_seg_T0(s, reg);
4052         gen_pop_update(s, ot);
4053         break;
4054     case 0x1a1: /* pop fs */
4055     case 0x1a9: /* pop gs */
4056         ot = gen_pop_T0(s);
4057         gen_movl_seg_T0(s, (b >> 3) & 7);
4058         gen_pop_update(s, ot);
4059         break;
4060 
4061         /**************************/
4062         /* mov */
4063     case 0x88:
4064     case 0x89: /* mov Gv, Ev */
4065         ot = mo_b_d(b, dflag);
4066         modrm = x86_ldub_code(env, s);
4067         reg = ((modrm >> 3) & 7) | REX_R(s);
4068 
4069         /* generate a generic store */
4070         gen_ldst_modrm(env, s, modrm, ot, reg, 1);
4071         break;
4072     case 0xc6:
4073     case 0xc7: /* mov Ev, Iv */
4074         ot = mo_b_d(b, dflag);
4075         modrm = x86_ldub_code(env, s);
4076         mod = (modrm >> 6) & 3;
4077         if (mod != 3) {
4078             s->rip_offset = insn_const_size(ot);
4079             gen_lea_modrm(env, s, modrm);
4080         }
4081         val = insn_get(env, s, ot);
4082         tcg_gen_movi_tl(s->T0, val);
4083         if (mod != 3) {
4084             gen_op_st_v(s, ot, s->T0, s->A0);
4085         } else {
4086             gen_op_mov_reg_v(s, ot, (modrm & 7) | REX_B(s), s->T0);
4087         }
4088         break;
4089     case 0x8a:
4090     case 0x8b: /* mov Ev, Gv */
4091         ot = mo_b_d(b, dflag);
4092         modrm = x86_ldub_code(env, s);
4093         reg = ((modrm >> 3) & 7) | REX_R(s);
4094 
4095         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
4096         gen_op_mov_reg_v(s, ot, reg, s->T0);
4097         break;
4098     case 0x8e: /* mov seg, Gv */
4099         modrm = x86_ldub_code(env, s);
4100         reg = (modrm >> 3) & 7;
4101         if (reg >= 6 || reg == R_CS)
4102             goto illegal_op;
4103         gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
4104         gen_movl_seg_T0(s, reg);
4105         break;
4106     case 0x8c: /* mov Gv, seg */
4107         modrm = x86_ldub_code(env, s);
4108         reg = (modrm >> 3) & 7;
4109         mod = (modrm >> 6) & 3;
4110         if (reg >= 6)
4111             goto illegal_op;
4112         gen_op_movl_T0_seg(s, reg);
4113         ot = mod == 3 ? dflag : MO_16;
4114         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
4115         break;
4116 
4117     case 0x1b6: /* movzbS Gv, Eb */
4118     case 0x1b7: /* movzwS Gv, Eb */
4119     case 0x1be: /* movsbS Gv, Eb */
4120     case 0x1bf: /* movswS Gv, Eb */
4121         {
4122             MemOp d_ot;
4123             MemOp s_ot;
4124 
4125             /* d_ot is the size of destination */
4126             d_ot = dflag;
4127             /* ot is the size of source */
4128             ot = (b & 1) + MO_8;
4129             /* s_ot is the sign+size of source */
4130             s_ot = b & 8 ? MO_SIGN | ot : ot;
4131 
4132             modrm = x86_ldub_code(env, s);
4133             reg = ((modrm >> 3) & 7) | REX_R(s);
4134             mod = (modrm >> 6) & 3;
4135             rm = (modrm & 7) | REX_B(s);
4136 
4137             if (mod == 3) {
4138                 if (s_ot == MO_SB && byte_reg_is_xH(s, rm)) {
4139                     tcg_gen_sextract_tl(s->T0, cpu_regs[rm - 4], 8, 8);
4140                 } else {
4141                     gen_op_mov_v_reg(s, ot, s->T0, rm);
4142                     switch (s_ot) {
4143                     case MO_UB:
4144                         tcg_gen_ext8u_tl(s->T0, s->T0);
4145                         break;
4146                     case MO_SB:
4147                         tcg_gen_ext8s_tl(s->T0, s->T0);
4148                         break;
4149                     case MO_UW:
4150                         tcg_gen_ext16u_tl(s->T0, s->T0);
4151                         break;
4152                     default:
4153                     case MO_SW:
4154                         tcg_gen_ext16s_tl(s->T0, s->T0);
4155                         break;
4156                     }
4157                 }
4158                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
4159             } else {
4160                 gen_lea_modrm(env, s, modrm);
4161                 gen_op_ld_v(s, s_ot, s->T0, s->A0);
4162                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
4163             }
4164         }
4165         break;
4166 
4167     case 0x8d: /* lea */
4168         modrm = x86_ldub_code(env, s);
4169         mod = (modrm >> 6) & 3;
4170         if (mod == 3)
4171             goto illegal_op;
4172         reg = ((modrm >> 3) & 7) | REX_R(s);
4173         {
4174             AddressParts a = gen_lea_modrm_0(env, s, modrm);
4175             TCGv ea = gen_lea_modrm_1(s, a, false);
4176             gen_lea_v_seg(s, s->aflag, ea, -1, -1);
4177             gen_op_mov_reg_v(s, dflag, reg, s->A0);
4178         }
4179         break;
4180 
4181     case 0xa0: /* mov EAX, Ov */
4182     case 0xa1:
4183     case 0xa2: /* mov Ov, EAX */
4184     case 0xa3:
4185         {
4186             target_ulong offset_addr;
4187 
4188             ot = mo_b_d(b, dflag);
4189             offset_addr = insn_get_addr(env, s, s->aflag);
4190             tcg_gen_movi_tl(s->A0, offset_addr);
4191             gen_add_A0_ds_seg(s);
4192             if ((b & 2) == 0) {
4193                 gen_op_ld_v(s, ot, s->T0, s->A0);
4194                 gen_op_mov_reg_v(s, ot, R_EAX, s->T0);
4195             } else {
4196                 gen_op_mov_v_reg(s, ot, s->T0, R_EAX);
4197                 gen_op_st_v(s, ot, s->T0, s->A0);
4198             }
4199         }
4200         break;
4201     case 0xd7: /* xlat */
4202         tcg_gen_mov_tl(s->A0, cpu_regs[R_EBX]);
4203         tcg_gen_ext8u_tl(s->T0, cpu_regs[R_EAX]);
4204         tcg_gen_add_tl(s->A0, s->A0, s->T0);
4205         gen_add_A0_ds_seg(s);
4206         gen_op_ld_v(s, MO_8, s->T0, s->A0);
4207         gen_op_mov_reg_v(s, MO_8, R_EAX, s->T0);
4208         break;
4209     case 0xb0 ... 0xb7: /* mov R, Ib */
4210         val = insn_get(env, s, MO_8);
4211         tcg_gen_movi_tl(s->T0, val);
4212         gen_op_mov_reg_v(s, MO_8, (b & 7) | REX_B(s), s->T0);
4213         break;
4214     case 0xb8 ... 0xbf: /* mov R, Iv */
4215 #ifdef TARGET_X86_64
4216         if (dflag == MO_64) {
4217             uint64_t tmp;
4218             /* 64 bit case */
4219             tmp = x86_ldq_code(env, s);
4220             reg = (b & 7) | REX_B(s);
4221             tcg_gen_movi_tl(s->T0, tmp);
4222             gen_op_mov_reg_v(s, MO_64, reg, s->T0);
4223         } else
4224 #endif
4225         {
4226             ot = dflag;
4227             val = insn_get(env, s, ot);
4228             reg = (b & 7) | REX_B(s);
4229             tcg_gen_movi_tl(s->T0, val);
4230             gen_op_mov_reg_v(s, ot, reg, s->T0);
4231         }
4232         break;
4233 
4234     case 0x91 ... 0x97: /* xchg R, EAX */
4235     do_xchg_reg_eax:
4236         ot = dflag;
4237         reg = (b & 7) | REX_B(s);
4238         rm = R_EAX;
4239         goto do_xchg_reg;
4240     case 0x86:
4241     case 0x87: /* xchg Ev, Gv */
4242         ot = mo_b_d(b, dflag);
4243         modrm = x86_ldub_code(env, s);
4244         reg = ((modrm >> 3) & 7) | REX_R(s);
4245         mod = (modrm >> 6) & 3;
4246         if (mod == 3) {
4247             rm = (modrm & 7) | REX_B(s);
4248         do_xchg_reg:
4249             gen_op_mov_v_reg(s, ot, s->T0, reg);
4250             gen_op_mov_v_reg(s, ot, s->T1, rm);
4251             gen_op_mov_reg_v(s, ot, rm, s->T0);
4252             gen_op_mov_reg_v(s, ot, reg, s->T1);
4253         } else {
4254             gen_lea_modrm(env, s, modrm);
4255             gen_op_mov_v_reg(s, ot, s->T0, reg);
4256             /* for xchg, lock is implicit */
4257             tcg_gen_atomic_xchg_tl(s->T1, s->A0, s->T0,
4258                                    s->mem_index, ot | MO_LE);
4259             gen_op_mov_reg_v(s, ot, reg, s->T1);
4260         }
4261         break;
4262     case 0xc4: /* les Gv */
4263         /* In CODE64 this is VEX3; see above.  */
4264         op = R_ES;
4265         goto do_lxx;
4266     case 0xc5: /* lds Gv */
4267         /* In CODE64 this is VEX2; see above.  */
4268         op = R_DS;
4269         goto do_lxx;
4270     case 0x1b2: /* lss Gv */
4271         op = R_SS;
4272         goto do_lxx;
4273     case 0x1b4: /* lfs Gv */
4274         op = R_FS;
4275         goto do_lxx;
4276     case 0x1b5: /* lgs Gv */
4277         op = R_GS;
4278     do_lxx:
4279         ot = dflag != MO_16 ? MO_32 : MO_16;
4280         modrm = x86_ldub_code(env, s);
4281         reg = ((modrm >> 3) & 7) | REX_R(s);
4282         mod = (modrm >> 6) & 3;
4283         if (mod == 3)
4284             goto illegal_op;
4285         gen_lea_modrm(env, s, modrm);
4286         gen_op_ld_v(s, ot, s->T1, s->A0);
4287         gen_add_A0_im(s, 1 << ot);
4288         /* load the segment first to handle exceptions properly */
4289         gen_op_ld_v(s, MO_16, s->T0, s->A0);
4290         gen_movl_seg_T0(s, op);
4291         /* then put the data */
4292         gen_op_mov_reg_v(s, ot, reg, s->T1);
4293         break;
4294 
4295         /************************/
4296         /* shifts */
4297     case 0xc0:
4298     case 0xc1:
4299         /* shift Ev,Ib */
4300         shift = 2;
4301     grp2:
4302         {
4303             ot = mo_b_d(b, dflag);
4304             modrm = x86_ldub_code(env, s);
4305             mod = (modrm >> 6) & 3;
4306             op = (modrm >> 3) & 7;
4307 
4308             if (mod != 3) {
4309                 if (shift == 2) {
4310                     s->rip_offset = 1;
4311                 }
4312                 gen_lea_modrm(env, s, modrm);
4313                 opreg = OR_TMP0;
4314             } else {
4315                 opreg = (modrm & 7) | REX_B(s);
4316             }
4317 
4318             /* simpler op */
4319             if (shift == 0) {
4320                 gen_shift(s, op, ot, opreg, OR_ECX);
4321             } else {
4322                 if (shift == 2) {
4323                     shift = x86_ldub_code(env, s);
4324                 }
4325                 gen_shifti(s, op, ot, opreg, shift);
4326             }
4327         }
4328         break;
4329     case 0xd0:
4330     case 0xd1:
4331         /* shift Ev,1 */
4332         shift = 1;
4333         goto grp2;
4334     case 0xd2:
4335     case 0xd3:
4336         /* shift Ev,cl */
4337         shift = 0;
4338         goto grp2;
4339 
4340     case 0x1a4: /* shld imm */
4341         op = 0;
4342         shift = 1;
4343         goto do_shiftd;
4344     case 0x1a5: /* shld cl */
4345         op = 0;
4346         shift = 0;
4347         goto do_shiftd;
4348     case 0x1ac: /* shrd imm */
4349         op = 1;
4350         shift = 1;
4351         goto do_shiftd;
4352     case 0x1ad: /* shrd cl */
4353         op = 1;
4354         shift = 0;
4355     do_shiftd:
4356         ot = dflag;
4357         modrm = x86_ldub_code(env, s);
4358         mod = (modrm >> 6) & 3;
4359         rm = (modrm & 7) | REX_B(s);
4360         reg = ((modrm >> 3) & 7) | REX_R(s);
4361         if (mod != 3) {
4362             gen_lea_modrm(env, s, modrm);
4363             opreg = OR_TMP0;
4364         } else {
4365             opreg = rm;
4366         }
4367         gen_op_mov_v_reg(s, ot, s->T1, reg);
4368 
4369         if (shift) {
4370             TCGv imm = tcg_constant_tl(x86_ldub_code(env, s));
4371             gen_shiftd_rm_T1(s, ot, opreg, op, imm);
4372         } else {
4373             gen_shiftd_rm_T1(s, ot, opreg, op, cpu_regs[R_ECX]);
4374         }
4375         break;
4376 
4377         /************************/
4378         /* floats */
4379     case 0xd8 ... 0xdf:
4380         {
4381             bool update_fip = true;
4382 
4383             if (s->flags & (HF_EM_MASK | HF_TS_MASK)) {
4384                 /* if CR0.EM or CR0.TS are set, generate an FPU exception */
4385                 /* XXX: what to do if illegal op ? */
4386                 gen_exception(s, EXCP07_PREX);
4387                 break;
4388             }
4389             modrm = x86_ldub_code(env, s);
4390             mod = (modrm >> 6) & 3;
4391             rm = modrm & 7;
4392             op = ((b & 7) << 3) | ((modrm >> 3) & 7);
4393             if (mod != 3) {
4394                 /* memory op */
4395                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
4396                 TCGv ea = gen_lea_modrm_1(s, a, false);
4397                 TCGv last_addr = tcg_temp_new();
4398                 bool update_fdp = true;
4399 
4400                 tcg_gen_mov_tl(last_addr, ea);
4401                 gen_lea_v_seg(s, s->aflag, ea, a.def_seg, s->override);
4402 
4403                 switch (op) {
4404                 case 0x00 ... 0x07: /* fxxxs */
4405                 case 0x10 ... 0x17: /* fixxxl */
4406                 case 0x20 ... 0x27: /* fxxxl */
4407                 case 0x30 ... 0x37: /* fixxx */
4408                     {
4409                         int op1;
4410                         op1 = op & 7;
4411 
4412                         switch (op >> 4) {
4413                         case 0:
4414                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4415                                                 s->mem_index, MO_LEUL);
4416                             gen_helper_flds_FT0(tcg_env, s->tmp2_i32);
4417                             break;
4418                         case 1:
4419                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4420                                                 s->mem_index, MO_LEUL);
4421                             gen_helper_fildl_FT0(tcg_env, s->tmp2_i32);
4422                             break;
4423                         case 2:
4424                             tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4425                                                 s->mem_index, MO_LEUQ);
4426                             gen_helper_fldl_FT0(tcg_env, s->tmp1_i64);
4427                             break;
4428                         case 3:
4429                         default:
4430                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4431                                                 s->mem_index, MO_LESW);
4432                             gen_helper_fildl_FT0(tcg_env, s->tmp2_i32);
4433                             break;
4434                         }
4435 
4436                         gen_helper_fp_arith_ST0_FT0(op1);
4437                         if (op1 == 3) {
4438                             /* fcomp needs pop */
4439                             gen_helper_fpop(tcg_env);
4440                         }
4441                     }
4442                     break;
4443                 case 0x08: /* flds */
4444                 case 0x0a: /* fsts */
4445                 case 0x0b: /* fstps */
4446                 case 0x18 ... 0x1b: /* fildl, fisttpl, fistl, fistpl */
4447                 case 0x28 ... 0x2b: /* fldl, fisttpll, fstl, fstpl */
4448                 case 0x38 ... 0x3b: /* filds, fisttps, fists, fistps */
4449                     switch (op & 7) {
4450                     case 0:
4451                         switch (op >> 4) {
4452                         case 0:
4453                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4454                                                 s->mem_index, MO_LEUL);
4455                             gen_helper_flds_ST0(tcg_env, s->tmp2_i32);
4456                             break;
4457                         case 1:
4458                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4459                                                 s->mem_index, MO_LEUL);
4460                             gen_helper_fildl_ST0(tcg_env, s->tmp2_i32);
4461                             break;
4462                         case 2:
4463                             tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4464                                                 s->mem_index, MO_LEUQ);
4465                             gen_helper_fldl_ST0(tcg_env, s->tmp1_i64);
4466                             break;
4467                         case 3:
4468                         default:
4469                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4470                                                 s->mem_index, MO_LESW);
4471                             gen_helper_fildl_ST0(tcg_env, s->tmp2_i32);
4472                             break;
4473                         }
4474                         break;
4475                     case 1:
4476                         /* XXX: the corresponding CPUID bit must be tested ! */
4477                         switch (op >> 4) {
4478                         case 1:
4479                             gen_helper_fisttl_ST0(s->tmp2_i32, tcg_env);
4480                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4481                                                 s->mem_index, MO_LEUL);
4482                             break;
4483                         case 2:
4484                             gen_helper_fisttll_ST0(s->tmp1_i64, tcg_env);
4485                             tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4486                                                 s->mem_index, MO_LEUQ);
4487                             break;
4488                         case 3:
4489                         default:
4490                             gen_helper_fistt_ST0(s->tmp2_i32, tcg_env);
4491                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4492                                                 s->mem_index, MO_LEUW);
4493                             break;
4494                         }
4495                         gen_helper_fpop(tcg_env);
4496                         break;
4497                     default:
4498                         switch (op >> 4) {
4499                         case 0:
4500                             gen_helper_fsts_ST0(s->tmp2_i32, tcg_env);
4501                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4502                                                 s->mem_index, MO_LEUL);
4503                             break;
4504                         case 1:
4505                             gen_helper_fistl_ST0(s->tmp2_i32, tcg_env);
4506                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4507                                                 s->mem_index, MO_LEUL);
4508                             break;
4509                         case 2:
4510                             gen_helper_fstl_ST0(s->tmp1_i64, tcg_env);
4511                             tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4512                                                 s->mem_index, MO_LEUQ);
4513                             break;
4514                         case 3:
4515                         default:
4516                             gen_helper_fist_ST0(s->tmp2_i32, tcg_env);
4517                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4518                                                 s->mem_index, MO_LEUW);
4519                             break;
4520                         }
4521                         if ((op & 7) == 3) {
4522                             gen_helper_fpop(tcg_env);
4523                         }
4524                         break;
4525                     }
4526                     break;
4527                 case 0x0c: /* fldenv mem */
4528                     gen_helper_fldenv(tcg_env, s->A0,
4529                                       tcg_constant_i32(dflag - 1));
4530                     update_fip = update_fdp = false;
4531                     break;
4532                 case 0x0d: /* fldcw mem */
4533                     tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4534                                         s->mem_index, MO_LEUW);
4535                     gen_helper_fldcw(tcg_env, s->tmp2_i32);
4536                     update_fip = update_fdp = false;
4537                     break;
4538                 case 0x0e: /* fnstenv mem */
4539                     gen_helper_fstenv(tcg_env, s->A0,
4540                                       tcg_constant_i32(dflag - 1));
4541                     update_fip = update_fdp = false;
4542                     break;
4543                 case 0x0f: /* fnstcw mem */
4544                     gen_helper_fnstcw(s->tmp2_i32, tcg_env);
4545                     tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4546                                         s->mem_index, MO_LEUW);
4547                     update_fip = update_fdp = false;
4548                     break;
4549                 case 0x1d: /* fldt mem */
4550                     gen_helper_fldt_ST0(tcg_env, s->A0);
4551                     break;
4552                 case 0x1f: /* fstpt mem */
4553                     gen_helper_fstt_ST0(tcg_env, s->A0);
4554                     gen_helper_fpop(tcg_env);
4555                     break;
4556                 case 0x2c: /* frstor mem */
4557                     gen_helper_frstor(tcg_env, s->A0,
4558                                       tcg_constant_i32(dflag - 1));
4559                     update_fip = update_fdp = false;
4560                     break;
4561                 case 0x2e: /* fnsave mem */
4562                     gen_helper_fsave(tcg_env, s->A0,
4563                                      tcg_constant_i32(dflag - 1));
4564                     update_fip = update_fdp = false;
4565                     break;
4566                 case 0x2f: /* fnstsw mem */
4567                     gen_helper_fnstsw(s->tmp2_i32, tcg_env);
4568                     tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4569                                         s->mem_index, MO_LEUW);
4570                     update_fip = update_fdp = false;
4571                     break;
4572                 case 0x3c: /* fbld */
4573                     gen_helper_fbld_ST0(tcg_env, s->A0);
4574                     break;
4575                 case 0x3e: /* fbstp */
4576                     gen_helper_fbst_ST0(tcg_env, s->A0);
4577                     gen_helper_fpop(tcg_env);
4578                     break;
4579                 case 0x3d: /* fildll */
4580                     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4581                                         s->mem_index, MO_LEUQ);
4582                     gen_helper_fildll_ST0(tcg_env, s->tmp1_i64);
4583                     break;
4584                 case 0x3f: /* fistpll */
4585                     gen_helper_fistll_ST0(s->tmp1_i64, tcg_env);
4586                     tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4587                                         s->mem_index, MO_LEUQ);
4588                     gen_helper_fpop(tcg_env);
4589                     break;
4590                 default:
4591                     goto unknown_op;
4592                 }
4593 
4594                 if (update_fdp) {
4595                     int last_seg = s->override >= 0 ? s->override : a.def_seg;
4596 
4597                     tcg_gen_ld_i32(s->tmp2_i32, tcg_env,
4598                                    offsetof(CPUX86State,
4599                                             segs[last_seg].selector));
4600                     tcg_gen_st16_i32(s->tmp2_i32, tcg_env,
4601                                      offsetof(CPUX86State, fpds));
4602                     tcg_gen_st_tl(last_addr, tcg_env,
4603                                   offsetof(CPUX86State, fpdp));
4604                 }
4605             } else {
4606                 /* register float ops */
4607                 opreg = rm;
4608 
4609                 switch (op) {
4610                 case 0x08: /* fld sti */
4611                     gen_helper_fpush(tcg_env);
4612                     gen_helper_fmov_ST0_STN(tcg_env,
4613                                             tcg_constant_i32((opreg + 1) & 7));
4614                     break;
4615                 case 0x09: /* fxchg sti */
4616                 case 0x29: /* fxchg4 sti, undocumented op */
4617                 case 0x39: /* fxchg7 sti, undocumented op */
4618                     gen_helper_fxchg_ST0_STN(tcg_env, tcg_constant_i32(opreg));
4619                     break;
4620                 case 0x0a: /* grp d9/2 */
4621                     switch (rm) {
4622                     case 0: /* fnop */
4623                         /*
4624                          * check exceptions (FreeBSD FPU probe)
4625                          * needs to be treated as I/O because of ferr_irq
4626                          */
4627                         translator_io_start(&s->base);
4628                         gen_helper_fwait(tcg_env);
4629                         update_fip = false;
4630                         break;
4631                     default:
4632                         goto unknown_op;
4633                     }
4634                     break;
4635                 case 0x0c: /* grp d9/4 */
4636                     switch (rm) {
4637                     case 0: /* fchs */
4638                         gen_helper_fchs_ST0(tcg_env);
4639                         break;
4640                     case 1: /* fabs */
4641                         gen_helper_fabs_ST0(tcg_env);
4642                         break;
4643                     case 4: /* ftst */
4644                         gen_helper_fldz_FT0(tcg_env);
4645                         gen_helper_fcom_ST0_FT0(tcg_env);
4646                         break;
4647                     case 5: /* fxam */
4648                         gen_helper_fxam_ST0(tcg_env);
4649                         break;
4650                     default:
4651                         goto unknown_op;
4652                     }
4653                     break;
4654                 case 0x0d: /* grp d9/5 */
4655                     {
4656                         switch (rm) {
4657                         case 0:
4658                             gen_helper_fpush(tcg_env);
4659                             gen_helper_fld1_ST0(tcg_env);
4660                             break;
4661                         case 1:
4662                             gen_helper_fpush(tcg_env);
4663                             gen_helper_fldl2t_ST0(tcg_env);
4664                             break;
4665                         case 2:
4666                             gen_helper_fpush(tcg_env);
4667                             gen_helper_fldl2e_ST0(tcg_env);
4668                             break;
4669                         case 3:
4670                             gen_helper_fpush(tcg_env);
4671                             gen_helper_fldpi_ST0(tcg_env);
4672                             break;
4673                         case 4:
4674                             gen_helper_fpush(tcg_env);
4675                             gen_helper_fldlg2_ST0(tcg_env);
4676                             break;
4677                         case 5:
4678                             gen_helper_fpush(tcg_env);
4679                             gen_helper_fldln2_ST0(tcg_env);
4680                             break;
4681                         case 6:
4682                             gen_helper_fpush(tcg_env);
4683                             gen_helper_fldz_ST0(tcg_env);
4684                             break;
4685                         default:
4686                             goto unknown_op;
4687                         }
4688                     }
4689                     break;
4690                 case 0x0e: /* grp d9/6 */
4691                     switch (rm) {
4692                     case 0: /* f2xm1 */
4693                         gen_helper_f2xm1(tcg_env);
4694                         break;
4695                     case 1: /* fyl2x */
4696                         gen_helper_fyl2x(tcg_env);
4697                         break;
4698                     case 2: /* fptan */
4699                         gen_helper_fptan(tcg_env);
4700                         break;
4701                     case 3: /* fpatan */
4702                         gen_helper_fpatan(tcg_env);
4703                         break;
4704                     case 4: /* fxtract */
4705                         gen_helper_fxtract(tcg_env);
4706                         break;
4707                     case 5: /* fprem1 */
4708                         gen_helper_fprem1(tcg_env);
4709                         break;
4710                     case 6: /* fdecstp */
4711                         gen_helper_fdecstp(tcg_env);
4712                         break;
4713                     default:
4714                     case 7: /* fincstp */
4715                         gen_helper_fincstp(tcg_env);
4716                         break;
4717                     }
4718                     break;
4719                 case 0x0f: /* grp d9/7 */
4720                     switch (rm) {
4721                     case 0: /* fprem */
4722                         gen_helper_fprem(tcg_env);
4723                         break;
4724                     case 1: /* fyl2xp1 */
4725                         gen_helper_fyl2xp1(tcg_env);
4726                         break;
4727                     case 2: /* fsqrt */
4728                         gen_helper_fsqrt(tcg_env);
4729                         break;
4730                     case 3: /* fsincos */
4731                         gen_helper_fsincos(tcg_env);
4732                         break;
4733                     case 5: /* fscale */
4734                         gen_helper_fscale(tcg_env);
4735                         break;
4736                     case 4: /* frndint */
4737                         gen_helper_frndint(tcg_env);
4738                         break;
4739                     case 6: /* fsin */
4740                         gen_helper_fsin(tcg_env);
4741                         break;
4742                     default:
4743                     case 7: /* fcos */
4744                         gen_helper_fcos(tcg_env);
4745                         break;
4746                     }
4747                     break;
4748                 case 0x00: case 0x01: case 0x04 ... 0x07: /* fxxx st, sti */
4749                 case 0x20: case 0x21: case 0x24 ... 0x27: /* fxxx sti, st */
4750                 case 0x30: case 0x31: case 0x34 ... 0x37: /* fxxxp sti, st */
4751                     {
4752                         int op1;
4753 
4754                         op1 = op & 7;
4755                         if (op >= 0x20) {
4756                             gen_helper_fp_arith_STN_ST0(op1, opreg);
4757                             if (op >= 0x30) {
4758                                 gen_helper_fpop(tcg_env);
4759                             }
4760                         } else {
4761                             gen_helper_fmov_FT0_STN(tcg_env,
4762                                                     tcg_constant_i32(opreg));
4763                             gen_helper_fp_arith_ST0_FT0(op1);
4764                         }
4765                     }
4766                     break;
4767                 case 0x02: /* fcom */
4768                 case 0x22: /* fcom2, undocumented op */
4769                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4770                     gen_helper_fcom_ST0_FT0(tcg_env);
4771                     break;
4772                 case 0x03: /* fcomp */
4773                 case 0x23: /* fcomp3, undocumented op */
4774                 case 0x32: /* fcomp5, undocumented op */
4775                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4776                     gen_helper_fcom_ST0_FT0(tcg_env);
4777                     gen_helper_fpop(tcg_env);
4778                     break;
4779                 case 0x15: /* da/5 */
4780                     switch (rm) {
4781                     case 1: /* fucompp */
4782                         gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(1));
4783                         gen_helper_fucom_ST0_FT0(tcg_env);
4784                         gen_helper_fpop(tcg_env);
4785                         gen_helper_fpop(tcg_env);
4786                         break;
4787                     default:
4788                         goto unknown_op;
4789                     }
4790                     break;
4791                 case 0x1c:
4792                     switch (rm) {
4793                     case 0: /* feni (287 only, just do nop here) */
4794                         break;
4795                     case 1: /* fdisi (287 only, just do nop here) */
4796                         break;
4797                     case 2: /* fclex */
4798                         gen_helper_fclex(tcg_env);
4799                         update_fip = false;
4800                         break;
4801                     case 3: /* fninit */
4802                         gen_helper_fninit(tcg_env);
4803                         update_fip = false;
4804                         break;
4805                     case 4: /* fsetpm (287 only, just do nop here) */
4806                         break;
4807                     default:
4808                         goto unknown_op;
4809                     }
4810                     break;
4811                 case 0x1d: /* fucomi */
4812                     if (!(s->cpuid_features & CPUID_CMOV)) {
4813                         goto illegal_op;
4814                     }
4815                     gen_update_cc_op(s);
4816                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4817                     gen_helper_fucomi_ST0_FT0(tcg_env);
4818                     set_cc_op(s, CC_OP_EFLAGS);
4819                     break;
4820                 case 0x1e: /* fcomi */
4821                     if (!(s->cpuid_features & CPUID_CMOV)) {
4822                         goto illegal_op;
4823                     }
4824                     gen_update_cc_op(s);
4825                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4826                     gen_helper_fcomi_ST0_FT0(tcg_env);
4827                     set_cc_op(s, CC_OP_EFLAGS);
4828                     break;
4829                 case 0x28: /* ffree sti */
4830                     gen_helper_ffree_STN(tcg_env, tcg_constant_i32(opreg));
4831                     break;
4832                 case 0x2a: /* fst sti */
4833                     gen_helper_fmov_STN_ST0(tcg_env, tcg_constant_i32(opreg));
4834                     break;
4835                 case 0x2b: /* fstp sti */
4836                 case 0x0b: /* fstp1 sti, undocumented op */
4837                 case 0x3a: /* fstp8 sti, undocumented op */
4838                 case 0x3b: /* fstp9 sti, undocumented op */
4839                     gen_helper_fmov_STN_ST0(tcg_env, tcg_constant_i32(opreg));
4840                     gen_helper_fpop(tcg_env);
4841                     break;
4842                 case 0x2c: /* fucom st(i) */
4843                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4844                     gen_helper_fucom_ST0_FT0(tcg_env);
4845                     break;
4846                 case 0x2d: /* fucomp st(i) */
4847                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4848                     gen_helper_fucom_ST0_FT0(tcg_env);
4849                     gen_helper_fpop(tcg_env);
4850                     break;
4851                 case 0x33: /* de/3 */
4852                     switch (rm) {
4853                     case 1: /* fcompp */
4854                         gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(1));
4855                         gen_helper_fcom_ST0_FT0(tcg_env);
4856                         gen_helper_fpop(tcg_env);
4857                         gen_helper_fpop(tcg_env);
4858                         break;
4859                     default:
4860                         goto unknown_op;
4861                     }
4862                     break;
4863                 case 0x38: /* ffreep sti, undocumented op */
4864                     gen_helper_ffree_STN(tcg_env, tcg_constant_i32(opreg));
4865                     gen_helper_fpop(tcg_env);
4866                     break;
4867                 case 0x3c: /* df/4 */
4868                     switch (rm) {
4869                     case 0:
4870                         gen_helper_fnstsw(s->tmp2_i32, tcg_env);
4871                         tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
4872                         gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
4873                         break;
4874                     default:
4875                         goto unknown_op;
4876                     }
4877                     break;
4878                 case 0x3d: /* fucomip */
4879                     if (!(s->cpuid_features & CPUID_CMOV)) {
4880                         goto illegal_op;
4881                     }
4882                     gen_update_cc_op(s);
4883                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4884                     gen_helper_fucomi_ST0_FT0(tcg_env);
4885                     gen_helper_fpop(tcg_env);
4886                     set_cc_op(s, CC_OP_EFLAGS);
4887                     break;
4888                 case 0x3e: /* fcomip */
4889                     if (!(s->cpuid_features & CPUID_CMOV)) {
4890                         goto illegal_op;
4891                     }
4892                     gen_update_cc_op(s);
4893                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4894                     gen_helper_fcomi_ST0_FT0(tcg_env);
4895                     gen_helper_fpop(tcg_env);
4896                     set_cc_op(s, CC_OP_EFLAGS);
4897                     break;
4898                 case 0x10 ... 0x13: /* fcmovxx */
4899                 case 0x18 ... 0x1b:
4900                     {
4901                         int op1;
4902                         TCGLabel *l1;
4903                         static const uint8_t fcmov_cc[8] = {
4904                             (JCC_B << 1),
4905                             (JCC_Z << 1),
4906                             (JCC_BE << 1),
4907                             (JCC_P << 1),
4908                         };
4909 
4910                         if (!(s->cpuid_features & CPUID_CMOV)) {
4911                             goto illegal_op;
4912                         }
4913                         op1 = fcmov_cc[op & 3] | (((op >> 3) & 1) ^ 1);
4914                         l1 = gen_new_label();
4915                         gen_jcc1_noeob(s, op1, l1);
4916                         gen_helper_fmov_ST0_STN(tcg_env,
4917                                                 tcg_constant_i32(opreg));
4918                         gen_set_label(l1);
4919                     }
4920                     break;
4921                 default:
4922                     goto unknown_op;
4923                 }
4924             }
4925 
4926             if (update_fip) {
4927                 tcg_gen_ld_i32(s->tmp2_i32, tcg_env,
4928                                offsetof(CPUX86State, segs[R_CS].selector));
4929                 tcg_gen_st16_i32(s->tmp2_i32, tcg_env,
4930                                  offsetof(CPUX86State, fpcs));
4931                 tcg_gen_st_tl(eip_cur_tl(s),
4932                               tcg_env, offsetof(CPUX86State, fpip));
4933             }
4934         }
4935         break;
4936         /************************/
4937         /* string ops */
4938 
4939     case 0xa4: /* movsS */
4940     case 0xa5:
4941         ot = mo_b_d(b, dflag);
4942         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4943             gen_repz_movs(s, ot);
4944         } else {
4945             gen_movs(s, ot);
4946         }
4947         break;
4948 
4949     case 0xaa: /* stosS */
4950     case 0xab:
4951         ot = mo_b_d(b, dflag);
4952         gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
4953         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4954             gen_repz_stos(s, ot);
4955         } else {
4956             gen_stos(s, ot);
4957         }
4958         break;
4959     case 0xac: /* lodsS */
4960     case 0xad:
4961         ot = mo_b_d(b, dflag);
4962         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4963             gen_repz_lods(s, ot);
4964         } else {
4965             gen_lods(s, ot);
4966         }
4967         break;
4968     case 0xae: /* scasS */
4969     case 0xaf:
4970         ot = mo_b_d(b, dflag);
4971         gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
4972         if (prefixes & PREFIX_REPNZ) {
4973             gen_repz_scas(s, ot, 1);
4974         } else if (prefixes & PREFIX_REPZ) {
4975             gen_repz_scas(s, ot, 0);
4976         } else {
4977             gen_scas(s, ot);
4978         }
4979         break;
4980 
4981     case 0xa6: /* cmpsS */
4982     case 0xa7:
4983         ot = mo_b_d(b, dflag);
4984         if (prefixes & PREFIX_REPNZ) {
4985             gen_repz_cmps(s, ot, 1);
4986         } else if (prefixes & PREFIX_REPZ) {
4987             gen_repz_cmps(s, ot, 0);
4988         } else {
4989             gen_cmps(s, ot);
4990         }
4991         break;
4992     case 0x6c: /* insS */
4993     case 0x6d:
4994         ot = mo_b_d32(b, dflag);
4995         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
4996         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
4997         if (!gen_check_io(s, ot, s->tmp2_i32,
4998                           SVM_IOIO_TYPE_MASK | SVM_IOIO_STR_MASK)) {
4999             break;
5000         }
5001         translator_io_start(&s->base);
5002         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
5003             gen_repz_ins(s, ot);
5004         } else {
5005             gen_ins(s, ot);
5006         }
5007         break;
5008     case 0x6e: /* outsS */
5009     case 0x6f:
5010         ot = mo_b_d32(b, dflag);
5011         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
5012         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
5013         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_STR_MASK)) {
5014             break;
5015         }
5016         translator_io_start(&s->base);
5017         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
5018             gen_repz_outs(s, ot);
5019         } else {
5020             gen_outs(s, ot);
5021         }
5022         break;
5023 
5024         /************************/
5025         /* port I/O */
5026 
5027     case 0xe4:
5028     case 0xe5:
5029         ot = mo_b_d32(b, dflag);
5030         val = x86_ldub_code(env, s);
5031         tcg_gen_movi_i32(s->tmp2_i32, val);
5032         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_TYPE_MASK)) {
5033             break;
5034         }
5035         translator_io_start(&s->base);
5036         gen_helper_in_func(ot, s->T1, s->tmp2_i32);
5037         gen_op_mov_reg_v(s, ot, R_EAX, s->T1);
5038         gen_bpt_io(s, s->tmp2_i32, ot);
5039         break;
5040     case 0xe6:
5041     case 0xe7:
5042         ot = mo_b_d32(b, dflag);
5043         val = x86_ldub_code(env, s);
5044         tcg_gen_movi_i32(s->tmp2_i32, val);
5045         if (!gen_check_io(s, ot, s->tmp2_i32, 0)) {
5046             break;
5047         }
5048         translator_io_start(&s->base);
5049         gen_op_mov_v_reg(s, ot, s->T1, R_EAX);
5050         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
5051         gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
5052         gen_bpt_io(s, s->tmp2_i32, ot);
5053         break;
5054     case 0xec:
5055     case 0xed:
5056         ot = mo_b_d32(b, dflag);
5057         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
5058         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
5059         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_TYPE_MASK)) {
5060             break;
5061         }
5062         translator_io_start(&s->base);
5063         gen_helper_in_func(ot, s->T1, s->tmp2_i32);
5064         gen_op_mov_reg_v(s, ot, R_EAX, s->T1);
5065         gen_bpt_io(s, s->tmp2_i32, ot);
5066         break;
5067     case 0xee:
5068     case 0xef:
5069         ot = mo_b_d32(b, dflag);
5070         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
5071         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
5072         if (!gen_check_io(s, ot, s->tmp2_i32, 0)) {
5073             break;
5074         }
5075         translator_io_start(&s->base);
5076         gen_op_mov_v_reg(s, ot, s->T1, R_EAX);
5077         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
5078         gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
5079         gen_bpt_io(s, s->tmp2_i32, ot);
5080         break;
5081 
5082         /************************/
5083         /* control */
5084     case 0xc2: /* ret im */
5085         val = x86_ldsw_code(env, s);
5086         ot = gen_pop_T0(s);
5087         gen_stack_update(s, val + (1 << ot));
5088         /* Note that gen_pop_T0 uses a zero-extending load.  */
5089         gen_op_jmp_v(s, s->T0);
5090         gen_bnd_jmp(s);
5091         s->base.is_jmp = DISAS_JUMP;
5092         break;
5093     case 0xc3: /* ret */
5094         ot = gen_pop_T0(s);
5095         gen_pop_update(s, ot);
5096         /* Note that gen_pop_T0 uses a zero-extending load.  */
5097         gen_op_jmp_v(s, s->T0);
5098         gen_bnd_jmp(s);
5099         s->base.is_jmp = DISAS_JUMP;
5100         break;
5101     case 0xca: /* lret im */
5102         val = x86_ldsw_code(env, s);
5103     do_lret:
5104         if (PE(s) && !VM86(s)) {
5105             gen_update_cc_op(s);
5106             gen_update_eip_cur(s);
5107             gen_helper_lret_protected(tcg_env, tcg_constant_i32(dflag - 1),
5108                                       tcg_constant_i32(val));
5109         } else {
5110             gen_stack_A0(s);
5111             /* pop offset */
5112             gen_op_ld_v(s, dflag, s->T0, s->A0);
5113             /* NOTE: keeping EIP updated is not a problem in case of
5114                exception */
5115             gen_op_jmp_v(s, s->T0);
5116             /* pop selector */
5117             gen_add_A0_im(s, 1 << dflag);
5118             gen_op_ld_v(s, dflag, s->T0, s->A0);
5119             gen_op_movl_seg_T0_vm(s, R_CS);
5120             /* add stack offset */
5121             gen_stack_update(s, val + (2 << dflag));
5122         }
5123         s->base.is_jmp = DISAS_EOB_ONLY;
5124         break;
5125     case 0xcb: /* lret */
5126         val = 0;
5127         goto do_lret;
5128     case 0xcf: /* iret */
5129         gen_svm_check_intercept(s, SVM_EXIT_IRET);
5130         if (!PE(s) || VM86(s)) {
5131             /* real mode or vm86 mode */
5132             if (!check_vm86_iopl(s)) {
5133                 break;
5134             }
5135             gen_helper_iret_real(tcg_env, tcg_constant_i32(dflag - 1));
5136         } else {
5137             gen_helper_iret_protected(tcg_env, tcg_constant_i32(dflag - 1),
5138                                       eip_next_i32(s));
5139         }
5140         set_cc_op(s, CC_OP_EFLAGS);
5141         s->base.is_jmp = DISAS_EOB_ONLY;
5142         break;
5143     case 0xe8: /* call im */
5144         {
5145             int diff = (dflag != MO_16
5146                         ? (int32_t)insn_get(env, s, MO_32)
5147                         : (int16_t)insn_get(env, s, MO_16));
5148             gen_push_v(s, eip_next_tl(s));
5149             gen_bnd_jmp(s);
5150             gen_jmp_rel(s, dflag, diff, 0);
5151         }
5152         break;
5153     case 0x9a: /* lcall im */
5154         {
5155             unsigned int selector, offset;
5156 
5157             if (CODE64(s))
5158                 goto illegal_op;
5159             ot = dflag;
5160             offset = insn_get(env, s, ot);
5161             selector = insn_get(env, s, MO_16);
5162 
5163             tcg_gen_movi_tl(s->T0, selector);
5164             tcg_gen_movi_tl(s->T1, offset);
5165         }
5166         goto do_lcall;
5167     case 0xe9: /* jmp im */
5168         {
5169             int diff = (dflag != MO_16
5170                         ? (int32_t)insn_get(env, s, MO_32)
5171                         : (int16_t)insn_get(env, s, MO_16));
5172             gen_bnd_jmp(s);
5173             gen_jmp_rel(s, dflag, diff, 0);
5174         }
5175         break;
5176     case 0xea: /* ljmp im */
5177         {
5178             unsigned int selector, offset;
5179 
5180             if (CODE64(s))
5181                 goto illegal_op;
5182             ot = dflag;
5183             offset = insn_get(env, s, ot);
5184             selector = insn_get(env, s, MO_16);
5185 
5186             tcg_gen_movi_tl(s->T0, selector);
5187             tcg_gen_movi_tl(s->T1, offset);
5188         }
5189         goto do_ljmp;
5190     case 0xeb: /* jmp Jb */
5191         {
5192             int diff = (int8_t)insn_get(env, s, MO_8);
5193             gen_jmp_rel(s, dflag, diff, 0);
5194         }
5195         break;
5196     case 0x70 ... 0x7f: /* jcc Jb */
5197         {
5198             int diff = (int8_t)insn_get(env, s, MO_8);
5199             gen_bnd_jmp(s);
5200             gen_jcc(s, b, diff);
5201         }
5202         break;
5203     case 0x180 ... 0x18f: /* jcc Jv */
5204         {
5205             int diff = (dflag != MO_16
5206                         ? (int32_t)insn_get(env, s, MO_32)
5207                         : (int16_t)insn_get(env, s, MO_16));
5208             gen_bnd_jmp(s);
5209             gen_jcc(s, b, diff);
5210         }
5211         break;
5212 
5213     case 0x190 ... 0x19f: /* setcc Gv */
5214         modrm = x86_ldub_code(env, s);
5215         gen_setcc1(s, b, s->T0);
5216         gen_ldst_modrm(env, s, modrm, MO_8, OR_TMP0, 1);
5217         break;
5218     case 0x140 ... 0x14f: /* cmov Gv, Ev */
5219         if (!(s->cpuid_features & CPUID_CMOV)) {
5220             goto illegal_op;
5221         }
5222         ot = dflag;
5223         modrm = x86_ldub_code(env, s);
5224         reg = ((modrm >> 3) & 7) | REX_R(s);
5225         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
5226         gen_cmovcc1(s, b ^ 1, s->T0, cpu_regs[reg]);
5227         gen_op_mov_reg_v(s, ot, reg, s->T0);
5228         break;
5229 
5230         /************************/
5231         /* flags */
5232     case 0x9c: /* pushf */
5233         gen_svm_check_intercept(s, SVM_EXIT_PUSHF);
5234         if (check_vm86_iopl(s)) {
5235             gen_update_cc_op(s);
5236             gen_helper_read_eflags(s->T0, tcg_env);
5237             gen_push_v(s, s->T0);
5238         }
5239         break;
5240     case 0x9d: /* popf */
5241         gen_svm_check_intercept(s, SVM_EXIT_POPF);
5242         if (check_vm86_iopl(s)) {
5243             int mask = TF_MASK | AC_MASK | ID_MASK | NT_MASK;
5244 
5245             if (CPL(s) == 0) {
5246                 mask |= IF_MASK | IOPL_MASK;
5247             } else if (CPL(s) <= IOPL(s)) {
5248                 mask |= IF_MASK;
5249             }
5250             if (dflag == MO_16) {
5251                 mask &= 0xffff;
5252             }
5253 
5254             ot = gen_pop_T0(s);
5255             gen_helper_write_eflags(tcg_env, s->T0, tcg_constant_i32(mask));
5256             gen_pop_update(s, ot);
5257             set_cc_op(s, CC_OP_EFLAGS);
5258             /* abort translation because TF/AC flag may change */
5259             s->base.is_jmp = DISAS_EOB_NEXT;
5260         }
5261         break;
5262     case 0x9e: /* sahf */
5263         if (CODE64(s) && !(s->cpuid_ext3_features & CPUID_EXT3_LAHF_LM))
5264             goto illegal_op;
5265         tcg_gen_shri_tl(s->T0, cpu_regs[R_EAX], 8);
5266         gen_compute_eflags(s);
5267         tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, CC_O);
5268         tcg_gen_andi_tl(s->T0, s->T0, CC_S | CC_Z | CC_A | CC_P | CC_C);
5269         tcg_gen_or_tl(cpu_cc_src, cpu_cc_src, s->T0);
5270         break;
5271     case 0x9f: /* lahf */
5272         if (CODE64(s) && !(s->cpuid_ext3_features & CPUID_EXT3_LAHF_LM))
5273             goto illegal_op;
5274         gen_compute_eflags(s);
5275         /* Note: gen_compute_eflags() only gives the condition codes */
5276         tcg_gen_ori_tl(s->T0, cpu_cc_src, 0x02);
5277         tcg_gen_deposit_tl(cpu_regs[R_EAX], cpu_regs[R_EAX], s->T0, 8, 8);
5278         break;
5279     case 0xf5: /* cmc */
5280         gen_compute_eflags(s);
5281         tcg_gen_xori_tl(cpu_cc_src, cpu_cc_src, CC_C);
5282         break;
5283     case 0xf8: /* clc */
5284         gen_compute_eflags(s);
5285         tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, ~CC_C);
5286         break;
5287     case 0xf9: /* stc */
5288         gen_compute_eflags(s);
5289         tcg_gen_ori_tl(cpu_cc_src, cpu_cc_src, CC_C);
5290         break;
5291     case 0xfc: /* cld */
5292         tcg_gen_movi_i32(s->tmp2_i32, 1);
5293         tcg_gen_st_i32(s->tmp2_i32, tcg_env, offsetof(CPUX86State, df));
5294         break;
5295     case 0xfd: /* std */
5296         tcg_gen_movi_i32(s->tmp2_i32, -1);
5297         tcg_gen_st_i32(s->tmp2_i32, tcg_env, offsetof(CPUX86State, df));
5298         break;
5299 
5300         /************************/
5301         /* bit operations */
5302     case 0x1ba: /* bt/bts/btr/btc Gv, im */
5303         ot = dflag;
5304         modrm = x86_ldub_code(env, s);
5305         op = (modrm >> 3) & 7;
5306         mod = (modrm >> 6) & 3;
5307         rm = (modrm & 7) | REX_B(s);
5308         if (mod != 3) {
5309             s->rip_offset = 1;
5310             gen_lea_modrm(env, s, modrm);
5311             if (!(s->prefix & PREFIX_LOCK)) {
5312                 gen_op_ld_v(s, ot, s->T0, s->A0);
5313             }
5314         } else {
5315             gen_op_mov_v_reg(s, ot, s->T0, rm);
5316         }
5317         /* load shift */
5318         val = x86_ldub_code(env, s);
5319         tcg_gen_movi_tl(s->T1, val);
5320         if (op < 4)
5321             goto unknown_op;
5322         op -= 4;
5323         goto bt_op;
5324     case 0x1a3: /* bt Gv, Ev */
5325         op = 0;
5326         goto do_btx;
5327     case 0x1ab: /* bts */
5328         op = 1;
5329         goto do_btx;
5330     case 0x1b3: /* btr */
5331         op = 2;
5332         goto do_btx;
5333     case 0x1bb: /* btc */
5334         op = 3;
5335     do_btx:
5336         ot = dflag;
5337         modrm = x86_ldub_code(env, s);
5338         reg = ((modrm >> 3) & 7) | REX_R(s);
5339         mod = (modrm >> 6) & 3;
5340         rm = (modrm & 7) | REX_B(s);
5341         gen_op_mov_v_reg(s, MO_32, s->T1, reg);
5342         if (mod != 3) {
5343             AddressParts a = gen_lea_modrm_0(env, s, modrm);
5344             /* specific case: we need to add a displacement */
5345             gen_exts(ot, s->T1);
5346             tcg_gen_sari_tl(s->tmp0, s->T1, 3 + ot);
5347             tcg_gen_shli_tl(s->tmp0, s->tmp0, ot);
5348             tcg_gen_add_tl(s->A0, gen_lea_modrm_1(s, a, false), s->tmp0);
5349             gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
5350             if (!(s->prefix & PREFIX_LOCK)) {
5351                 gen_op_ld_v(s, ot, s->T0, s->A0);
5352             }
5353         } else {
5354             gen_op_mov_v_reg(s, ot, s->T0, rm);
5355         }
5356     bt_op:
5357         tcg_gen_andi_tl(s->T1, s->T1, (1 << (3 + ot)) - 1);
5358         tcg_gen_movi_tl(s->tmp0, 1);
5359         tcg_gen_shl_tl(s->tmp0, s->tmp0, s->T1);
5360         if (s->prefix & PREFIX_LOCK) {
5361             switch (op) {
5362             case 0: /* bt */
5363                 /* Needs no atomic ops; we suppressed the normal
5364                    memory load for LOCK above so do it now.  */
5365                 gen_op_ld_v(s, ot, s->T0, s->A0);
5366                 break;
5367             case 1: /* bts */
5368                 tcg_gen_atomic_fetch_or_tl(s->T0, s->A0, s->tmp0,
5369                                            s->mem_index, ot | MO_LE);
5370                 break;
5371             case 2: /* btr */
5372                 tcg_gen_not_tl(s->tmp0, s->tmp0);
5373                 tcg_gen_atomic_fetch_and_tl(s->T0, s->A0, s->tmp0,
5374                                             s->mem_index, ot | MO_LE);
5375                 break;
5376             default:
5377             case 3: /* btc */
5378                 tcg_gen_atomic_fetch_xor_tl(s->T0, s->A0, s->tmp0,
5379                                             s->mem_index, ot | MO_LE);
5380                 break;
5381             }
5382             tcg_gen_shr_tl(s->tmp4, s->T0, s->T1);
5383         } else {
5384             tcg_gen_shr_tl(s->tmp4, s->T0, s->T1);
5385             switch (op) {
5386             case 0: /* bt */
5387                 /* Data already loaded; nothing to do.  */
5388                 break;
5389             case 1: /* bts */
5390                 tcg_gen_or_tl(s->T0, s->T0, s->tmp0);
5391                 break;
5392             case 2: /* btr */
5393                 tcg_gen_andc_tl(s->T0, s->T0, s->tmp0);
5394                 break;
5395             default:
5396             case 3: /* btc */
5397                 tcg_gen_xor_tl(s->T0, s->T0, s->tmp0);
5398                 break;
5399             }
5400             if (op != 0) {
5401                 if (mod != 3) {
5402                     gen_op_st_v(s, ot, s->T0, s->A0);
5403                 } else {
5404                     gen_op_mov_reg_v(s, ot, rm, s->T0);
5405                 }
5406             }
5407         }
5408 
5409         /* Delay all CC updates until after the store above.  Note that
5410            C is the result of the test, Z is unchanged, and the others
5411            are all undefined.  */
5412         switch (s->cc_op) {
5413         case CC_OP_MULB ... CC_OP_MULQ:
5414         case CC_OP_ADDB ... CC_OP_ADDQ:
5415         case CC_OP_ADCB ... CC_OP_ADCQ:
5416         case CC_OP_SUBB ... CC_OP_SUBQ:
5417         case CC_OP_SBBB ... CC_OP_SBBQ:
5418         case CC_OP_LOGICB ... CC_OP_LOGICQ:
5419         case CC_OP_INCB ... CC_OP_INCQ:
5420         case CC_OP_DECB ... CC_OP_DECQ:
5421         case CC_OP_SHLB ... CC_OP_SHLQ:
5422         case CC_OP_SARB ... CC_OP_SARQ:
5423         case CC_OP_BMILGB ... CC_OP_BMILGQ:
5424             /* Z was going to be computed from the non-zero status of CC_DST.
5425                We can get that same Z value (and the new C value) by leaving
5426                CC_DST alone, setting CC_SRC, and using a CC_OP_SAR of the
5427                same width.  */
5428             tcg_gen_mov_tl(cpu_cc_src, s->tmp4);
5429             set_cc_op(s, ((s->cc_op - CC_OP_MULB) & 3) + CC_OP_SARB);
5430             break;
5431         default:
5432             /* Otherwise, generate EFLAGS and replace the C bit.  */
5433             gen_compute_eflags(s);
5434             tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, s->tmp4,
5435                                ctz32(CC_C), 1);
5436             break;
5437         }
5438         break;
5439     case 0x1bc: /* bsf / tzcnt */
5440     case 0x1bd: /* bsr / lzcnt */
5441         ot = dflag;
5442         modrm = x86_ldub_code(env, s);
5443         reg = ((modrm >> 3) & 7) | REX_R(s);
5444         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
5445         gen_extu(ot, s->T0);
5446 
5447         /* Note that lzcnt and tzcnt are in different extensions.  */
5448         if ((prefixes & PREFIX_REPZ)
5449             && (b & 1
5450                 ? s->cpuid_ext3_features & CPUID_EXT3_ABM
5451                 : s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_BMI1)) {
5452             int size = 8 << ot;
5453             /* For lzcnt/tzcnt, C bit is defined related to the input. */
5454             tcg_gen_mov_tl(cpu_cc_src, s->T0);
5455             if (b & 1) {
5456                 /* For lzcnt, reduce the target_ulong result by the
5457                    number of zeros that we expect to find at the top.  */
5458                 tcg_gen_clzi_tl(s->T0, s->T0, TARGET_LONG_BITS);
5459                 tcg_gen_subi_tl(s->T0, s->T0, TARGET_LONG_BITS - size);
5460             } else {
5461                 /* For tzcnt, a zero input must return the operand size.  */
5462                 tcg_gen_ctzi_tl(s->T0, s->T0, size);
5463             }
5464             /* For lzcnt/tzcnt, Z bit is defined related to the result.  */
5465             gen_op_update1_cc(s);
5466             set_cc_op(s, CC_OP_BMILGB + ot);
5467         } else {
5468             /* For bsr/bsf, only the Z bit is defined and it is related
5469                to the input and not the result.  */
5470             tcg_gen_mov_tl(cpu_cc_dst, s->T0);
5471             set_cc_op(s, CC_OP_LOGICB + ot);
5472 
5473             /* ??? The manual says that the output is undefined when the
5474                input is zero, but real hardware leaves it unchanged, and
5475                real programs appear to depend on that.  Accomplish this
5476                by passing the output as the value to return upon zero.  */
5477             if (b & 1) {
5478                 /* For bsr, return the bit index of the first 1 bit,
5479                    not the count of leading zeros.  */
5480                 tcg_gen_xori_tl(s->T1, cpu_regs[reg], TARGET_LONG_BITS - 1);
5481                 tcg_gen_clz_tl(s->T0, s->T0, s->T1);
5482                 tcg_gen_xori_tl(s->T0, s->T0, TARGET_LONG_BITS - 1);
5483             } else {
5484                 tcg_gen_ctz_tl(s->T0, s->T0, cpu_regs[reg]);
5485             }
5486         }
5487         gen_op_mov_reg_v(s, ot, reg, s->T0);
5488         break;
5489         /************************/
5490         /* bcd */
5491     case 0x27: /* daa */
5492         if (CODE64(s))
5493             goto illegal_op;
5494         gen_update_cc_op(s);
5495         gen_helper_daa(tcg_env);
5496         set_cc_op(s, CC_OP_EFLAGS);
5497         break;
5498     case 0x2f: /* das */
5499         if (CODE64(s))
5500             goto illegal_op;
5501         gen_update_cc_op(s);
5502         gen_helper_das(tcg_env);
5503         set_cc_op(s, CC_OP_EFLAGS);
5504         break;
5505     case 0x37: /* aaa */
5506         if (CODE64(s))
5507             goto illegal_op;
5508         gen_update_cc_op(s);
5509         gen_helper_aaa(tcg_env);
5510         set_cc_op(s, CC_OP_EFLAGS);
5511         break;
5512     case 0x3f: /* aas */
5513         if (CODE64(s))
5514             goto illegal_op;
5515         gen_update_cc_op(s);
5516         gen_helper_aas(tcg_env);
5517         set_cc_op(s, CC_OP_EFLAGS);
5518         break;
5519     case 0xd4: /* aam */
5520         if (CODE64(s))
5521             goto illegal_op;
5522         val = x86_ldub_code(env, s);
5523         if (val == 0) {
5524             gen_exception(s, EXCP00_DIVZ);
5525         } else {
5526             gen_helper_aam(tcg_env, tcg_constant_i32(val));
5527             set_cc_op(s, CC_OP_LOGICB);
5528         }
5529         break;
5530     case 0xd5: /* aad */
5531         if (CODE64(s))
5532             goto illegal_op;
5533         val = x86_ldub_code(env, s);
5534         gen_helper_aad(tcg_env, tcg_constant_i32(val));
5535         set_cc_op(s, CC_OP_LOGICB);
5536         break;
5537         /************************/
5538         /* misc */
5539     case 0x90: /* nop */
5540         /* XXX: correct lock test for all insn */
5541         if (prefixes & PREFIX_LOCK) {
5542             goto illegal_op;
5543         }
5544         /* If REX_B is set, then this is xchg eax, r8d, not a nop.  */
5545         if (REX_B(s)) {
5546             goto do_xchg_reg_eax;
5547         }
5548         if (prefixes & PREFIX_REPZ) {
5549             gen_update_cc_op(s);
5550             gen_update_eip_cur(s);
5551             gen_helper_pause(tcg_env, cur_insn_len_i32(s));
5552             s->base.is_jmp = DISAS_NORETURN;
5553         }
5554         break;
5555     case 0x9b: /* fwait */
5556         if ((s->flags & (HF_MP_MASK | HF_TS_MASK)) ==
5557             (HF_MP_MASK | HF_TS_MASK)) {
5558             gen_exception(s, EXCP07_PREX);
5559         } else {
5560             /* needs to be treated as I/O because of ferr_irq */
5561             translator_io_start(&s->base);
5562             gen_helper_fwait(tcg_env);
5563         }
5564         break;
5565     case 0xcc: /* int3 */
5566         gen_interrupt(s, EXCP03_INT3);
5567         break;
5568     case 0xcd: /* int N */
5569         val = x86_ldub_code(env, s);
5570         if (check_vm86_iopl(s)) {
5571             gen_interrupt(s, val);
5572         }
5573         break;
5574     case 0xce: /* into */
5575         if (CODE64(s))
5576             goto illegal_op;
5577         gen_update_cc_op(s);
5578         gen_update_eip_cur(s);
5579         gen_helper_into(tcg_env, cur_insn_len_i32(s));
5580         break;
5581 #ifdef WANT_ICEBP
5582     case 0xf1: /* icebp (undocumented, exits to external debugger) */
5583         gen_svm_check_intercept(s, SVM_EXIT_ICEBP);
5584         gen_debug(s);
5585         break;
5586 #endif
5587     case 0xfa: /* cli */
5588         if (check_iopl(s)) {
5589             gen_reset_eflags(s, IF_MASK);
5590         }
5591         break;
5592     case 0xfb: /* sti */
5593         if (check_iopl(s)) {
5594             gen_set_eflags(s, IF_MASK);
5595             /* interruptions are enabled only the first insn after sti */
5596             gen_update_eip_next(s);
5597             gen_eob_inhibit_irq(s, true);
5598         }
5599         break;
5600     case 0x62: /* bound */
5601         if (CODE64(s))
5602             goto illegal_op;
5603         ot = dflag;
5604         modrm = x86_ldub_code(env, s);
5605         reg = (modrm >> 3) & 7;
5606         mod = (modrm >> 6) & 3;
5607         if (mod == 3)
5608             goto illegal_op;
5609         gen_op_mov_v_reg(s, ot, s->T0, reg);
5610         gen_lea_modrm(env, s, modrm);
5611         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5612         if (ot == MO_16) {
5613             gen_helper_boundw(tcg_env, s->A0, s->tmp2_i32);
5614         } else {
5615             gen_helper_boundl(tcg_env, s->A0, s->tmp2_i32);
5616         }
5617         break;
5618     case 0x1c8 ... 0x1cf: /* bswap reg */
5619         reg = (b & 7) | REX_B(s);
5620 #ifdef TARGET_X86_64
5621         if (dflag == MO_64) {
5622             tcg_gen_bswap64_i64(cpu_regs[reg], cpu_regs[reg]);
5623             break;
5624         }
5625 #endif
5626         tcg_gen_bswap32_tl(cpu_regs[reg], cpu_regs[reg], TCG_BSWAP_OZ);
5627         break;
5628     case 0xd6: /* salc */
5629         if (CODE64(s))
5630             goto illegal_op;
5631         gen_compute_eflags_c(s, s->T0);
5632         tcg_gen_neg_tl(s->T0, s->T0);
5633         gen_op_mov_reg_v(s, MO_8, R_EAX, s->T0);
5634         break;
5635     case 0xe0: /* loopnz */
5636     case 0xe1: /* loopz */
5637     case 0xe2: /* loop */
5638     case 0xe3: /* jecxz */
5639         {
5640             TCGLabel *l1, *l2;
5641             int diff = (int8_t)insn_get(env, s, MO_8);
5642 
5643             l1 = gen_new_label();
5644             l2 = gen_new_label();
5645             gen_update_cc_op(s);
5646             b &= 3;
5647             switch(b) {
5648             case 0: /* loopnz */
5649             case 1: /* loopz */
5650                 gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
5651                 gen_op_jz_ecx(s, l2);
5652                 gen_jcc1(s, (JCC_Z << 1) | (b ^ 1), l1);
5653                 break;
5654             case 2: /* loop */
5655                 gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
5656                 gen_op_jnz_ecx(s, l1);
5657                 break;
5658             default:
5659             case 3: /* jcxz */
5660                 gen_op_jz_ecx(s, l1);
5661                 break;
5662             }
5663 
5664             gen_set_label(l2);
5665             gen_jmp_rel_csize(s, 0, 1);
5666 
5667             gen_set_label(l1);
5668             gen_jmp_rel(s, dflag, diff, 0);
5669         }
5670         break;
5671     case 0x130: /* wrmsr */
5672     case 0x132: /* rdmsr */
5673         if (check_cpl0(s)) {
5674             gen_update_cc_op(s);
5675             gen_update_eip_cur(s);
5676             if (b & 2) {
5677                 gen_helper_rdmsr(tcg_env);
5678             } else {
5679                 gen_helper_wrmsr(tcg_env);
5680                 s->base.is_jmp = DISAS_EOB_NEXT;
5681             }
5682         }
5683         break;
5684     case 0x131: /* rdtsc */
5685         gen_update_cc_op(s);
5686         gen_update_eip_cur(s);
5687         translator_io_start(&s->base);
5688         gen_helper_rdtsc(tcg_env);
5689         break;
5690     case 0x133: /* rdpmc */
5691         gen_update_cc_op(s);
5692         gen_update_eip_cur(s);
5693         gen_helper_rdpmc(tcg_env);
5694         s->base.is_jmp = DISAS_NORETURN;
5695         break;
5696     case 0x134: /* sysenter */
5697         /* For AMD SYSENTER is not valid in long mode */
5698         if (LMA(s) && env->cpuid_vendor1 != CPUID_VENDOR_INTEL_1) {
5699             goto illegal_op;
5700         }
5701         if (!PE(s)) {
5702             gen_exception_gpf(s);
5703         } else {
5704             gen_helper_sysenter(tcg_env);
5705             s->base.is_jmp = DISAS_EOB_ONLY;
5706         }
5707         break;
5708     case 0x135: /* sysexit */
5709         /* For AMD SYSEXIT is not valid in long mode */
5710         if (LMA(s) && env->cpuid_vendor1 != CPUID_VENDOR_INTEL_1) {
5711             goto illegal_op;
5712         }
5713         if (!PE(s) || CPL(s) != 0) {
5714             gen_exception_gpf(s);
5715         } else {
5716             gen_helper_sysexit(tcg_env, tcg_constant_i32(dflag - 1));
5717             s->base.is_jmp = DISAS_EOB_ONLY;
5718         }
5719         break;
5720     case 0x105: /* syscall */
5721         /* For Intel SYSCALL is only valid in long mode */
5722         if (!LMA(s) && env->cpuid_vendor1 == CPUID_VENDOR_INTEL_1) {
5723             goto illegal_op;
5724         }
5725         gen_update_cc_op(s);
5726         gen_update_eip_cur(s);
5727         gen_helper_syscall(tcg_env, cur_insn_len_i32(s));
5728         /* TF handling for the syscall insn is different. The TF bit is  checked
5729            after the syscall insn completes. This allows #DB to not be
5730            generated after one has entered CPL0 if TF is set in FMASK.  */
5731         gen_eob_worker(s, false, true);
5732         break;
5733     case 0x107: /* sysret */
5734         /* For Intel SYSRET is only valid in long mode */
5735         if (!LMA(s) && env->cpuid_vendor1 == CPUID_VENDOR_INTEL_1) {
5736             goto illegal_op;
5737         }
5738         if (!PE(s) || CPL(s) != 0) {
5739             gen_exception_gpf(s);
5740         } else {
5741             gen_helper_sysret(tcg_env, tcg_constant_i32(dflag - 1));
5742             /* condition codes are modified only in long mode */
5743             if (LMA(s)) {
5744                 set_cc_op(s, CC_OP_EFLAGS);
5745             }
5746             /* TF handling for the sysret insn is different. The TF bit is
5747                checked after the sysret insn completes. This allows #DB to be
5748                generated "as if" the syscall insn in userspace has just
5749                completed.  */
5750             gen_eob_worker(s, false, true);
5751         }
5752         break;
5753     case 0x1a2: /* cpuid */
5754         gen_update_cc_op(s);
5755         gen_update_eip_cur(s);
5756         gen_helper_cpuid(tcg_env);
5757         break;
5758     case 0xf4: /* hlt */
5759         if (check_cpl0(s)) {
5760             gen_update_cc_op(s);
5761             gen_update_eip_cur(s);
5762             gen_helper_hlt(tcg_env, cur_insn_len_i32(s));
5763             s->base.is_jmp = DISAS_NORETURN;
5764         }
5765         break;
5766     case 0x100:
5767         modrm = x86_ldub_code(env, s);
5768         mod = (modrm >> 6) & 3;
5769         op = (modrm >> 3) & 7;
5770         switch(op) {
5771         case 0: /* sldt */
5772             if (!PE(s) || VM86(s))
5773                 goto illegal_op;
5774             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5775                 break;
5776             }
5777             gen_svm_check_intercept(s, SVM_EXIT_LDTR_READ);
5778             tcg_gen_ld32u_tl(s->T0, tcg_env,
5779                              offsetof(CPUX86State, ldt.selector));
5780             ot = mod == 3 ? dflag : MO_16;
5781             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
5782             break;
5783         case 2: /* lldt */
5784             if (!PE(s) || VM86(s))
5785                 goto illegal_op;
5786             if (check_cpl0(s)) {
5787                 gen_svm_check_intercept(s, SVM_EXIT_LDTR_WRITE);
5788                 gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5789                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5790                 gen_helper_lldt(tcg_env, s->tmp2_i32);
5791             }
5792             break;
5793         case 1: /* str */
5794             if (!PE(s) || VM86(s))
5795                 goto illegal_op;
5796             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5797                 break;
5798             }
5799             gen_svm_check_intercept(s, SVM_EXIT_TR_READ);
5800             tcg_gen_ld32u_tl(s->T0, tcg_env,
5801                              offsetof(CPUX86State, tr.selector));
5802             ot = mod == 3 ? dflag : MO_16;
5803             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
5804             break;
5805         case 3: /* ltr */
5806             if (!PE(s) || VM86(s))
5807                 goto illegal_op;
5808             if (check_cpl0(s)) {
5809                 gen_svm_check_intercept(s, SVM_EXIT_TR_WRITE);
5810                 gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5811                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5812                 gen_helper_ltr(tcg_env, s->tmp2_i32);
5813             }
5814             break;
5815         case 4: /* verr */
5816         case 5: /* verw */
5817             if (!PE(s) || VM86(s))
5818                 goto illegal_op;
5819             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5820             gen_update_cc_op(s);
5821             if (op == 4) {
5822                 gen_helper_verr(tcg_env, s->T0);
5823             } else {
5824                 gen_helper_verw(tcg_env, s->T0);
5825             }
5826             set_cc_op(s, CC_OP_EFLAGS);
5827             break;
5828         default:
5829             goto unknown_op;
5830         }
5831         break;
5832 
5833     case 0x101:
5834         modrm = x86_ldub_code(env, s);
5835         switch (modrm) {
5836         CASE_MODRM_MEM_OP(0): /* sgdt */
5837             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5838                 break;
5839             }
5840             gen_svm_check_intercept(s, SVM_EXIT_GDTR_READ);
5841             gen_lea_modrm(env, s, modrm);
5842             tcg_gen_ld32u_tl(s->T0,
5843                              tcg_env, offsetof(CPUX86State, gdt.limit));
5844             gen_op_st_v(s, MO_16, s->T0, s->A0);
5845             gen_add_A0_im(s, 2);
5846             tcg_gen_ld_tl(s->T0, tcg_env, offsetof(CPUX86State, gdt.base));
5847             if (dflag == MO_16) {
5848                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
5849             }
5850             gen_op_st_v(s, CODE64(s) + MO_32, s->T0, s->A0);
5851             break;
5852 
5853         case 0xc8: /* monitor */
5854             if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || CPL(s) != 0) {
5855                 goto illegal_op;
5856             }
5857             gen_update_cc_op(s);
5858             gen_update_eip_cur(s);
5859             tcg_gen_mov_tl(s->A0, cpu_regs[R_EAX]);
5860             gen_add_A0_ds_seg(s);
5861             gen_helper_monitor(tcg_env, s->A0);
5862             break;
5863 
5864         case 0xc9: /* mwait */
5865             if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || CPL(s) != 0) {
5866                 goto illegal_op;
5867             }
5868             gen_update_cc_op(s);
5869             gen_update_eip_cur(s);
5870             gen_helper_mwait(tcg_env, cur_insn_len_i32(s));
5871             s->base.is_jmp = DISAS_NORETURN;
5872             break;
5873 
5874         case 0xca: /* clac */
5875             if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_SMAP)
5876                 || CPL(s) != 0) {
5877                 goto illegal_op;
5878             }
5879             gen_reset_eflags(s, AC_MASK);
5880             s->base.is_jmp = DISAS_EOB_NEXT;
5881             break;
5882 
5883         case 0xcb: /* stac */
5884             if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_SMAP)
5885                 || CPL(s) != 0) {
5886                 goto illegal_op;
5887             }
5888             gen_set_eflags(s, AC_MASK);
5889             s->base.is_jmp = DISAS_EOB_NEXT;
5890             break;
5891 
5892         CASE_MODRM_MEM_OP(1): /* sidt */
5893             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5894                 break;
5895             }
5896             gen_svm_check_intercept(s, SVM_EXIT_IDTR_READ);
5897             gen_lea_modrm(env, s, modrm);
5898             tcg_gen_ld32u_tl(s->T0, tcg_env, offsetof(CPUX86State, idt.limit));
5899             gen_op_st_v(s, MO_16, s->T0, s->A0);
5900             gen_add_A0_im(s, 2);
5901             tcg_gen_ld_tl(s->T0, tcg_env, offsetof(CPUX86State, idt.base));
5902             if (dflag == MO_16) {
5903                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
5904             }
5905             gen_op_st_v(s, CODE64(s) + MO_32, s->T0, s->A0);
5906             break;
5907 
5908         case 0xd0: /* xgetbv */
5909             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
5910                 || (s->prefix & (PREFIX_LOCK | PREFIX_DATA
5911                                  | PREFIX_REPZ | PREFIX_REPNZ))) {
5912                 goto illegal_op;
5913             }
5914             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
5915             gen_helper_xgetbv(s->tmp1_i64, tcg_env, s->tmp2_i32);
5916             tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], s->tmp1_i64);
5917             break;
5918 
5919         case 0xd1: /* xsetbv */
5920             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
5921                 || (s->prefix & (PREFIX_LOCK | PREFIX_DATA
5922                                  | PREFIX_REPZ | PREFIX_REPNZ))) {
5923                 goto illegal_op;
5924             }
5925             gen_svm_check_intercept(s, SVM_EXIT_XSETBV);
5926             if (!check_cpl0(s)) {
5927                 break;
5928             }
5929             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
5930                                   cpu_regs[R_EDX]);
5931             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
5932             gen_helper_xsetbv(tcg_env, s->tmp2_i32, s->tmp1_i64);
5933             /* End TB because translation flags may change.  */
5934             s->base.is_jmp = DISAS_EOB_NEXT;
5935             break;
5936 
5937         case 0xd8: /* VMRUN */
5938             if (!SVME(s) || !PE(s)) {
5939                 goto illegal_op;
5940             }
5941             if (!check_cpl0(s)) {
5942                 break;
5943             }
5944             gen_update_cc_op(s);
5945             gen_update_eip_cur(s);
5946             gen_helper_vmrun(tcg_env, tcg_constant_i32(s->aflag - 1),
5947                              cur_insn_len_i32(s));
5948             tcg_gen_exit_tb(NULL, 0);
5949             s->base.is_jmp = DISAS_NORETURN;
5950             break;
5951 
5952         case 0xd9: /* VMMCALL */
5953             if (!SVME(s)) {
5954                 goto illegal_op;
5955             }
5956             gen_update_cc_op(s);
5957             gen_update_eip_cur(s);
5958             gen_helper_vmmcall(tcg_env);
5959             break;
5960 
5961         case 0xda: /* VMLOAD */
5962             if (!SVME(s) || !PE(s)) {
5963                 goto illegal_op;
5964             }
5965             if (!check_cpl0(s)) {
5966                 break;
5967             }
5968             gen_update_cc_op(s);
5969             gen_update_eip_cur(s);
5970             gen_helper_vmload(tcg_env, tcg_constant_i32(s->aflag - 1));
5971             break;
5972 
5973         case 0xdb: /* VMSAVE */
5974             if (!SVME(s) || !PE(s)) {
5975                 goto illegal_op;
5976             }
5977             if (!check_cpl0(s)) {
5978                 break;
5979             }
5980             gen_update_cc_op(s);
5981             gen_update_eip_cur(s);
5982             gen_helper_vmsave(tcg_env, tcg_constant_i32(s->aflag - 1));
5983             break;
5984 
5985         case 0xdc: /* STGI */
5986             if ((!SVME(s) && !(s->cpuid_ext3_features & CPUID_EXT3_SKINIT))
5987                 || !PE(s)) {
5988                 goto illegal_op;
5989             }
5990             if (!check_cpl0(s)) {
5991                 break;
5992             }
5993             gen_update_cc_op(s);
5994             gen_helper_stgi(tcg_env);
5995             s->base.is_jmp = DISAS_EOB_NEXT;
5996             break;
5997 
5998         case 0xdd: /* CLGI */
5999             if (!SVME(s) || !PE(s)) {
6000                 goto illegal_op;
6001             }
6002             if (!check_cpl0(s)) {
6003                 break;
6004             }
6005             gen_update_cc_op(s);
6006             gen_update_eip_cur(s);
6007             gen_helper_clgi(tcg_env);
6008             break;
6009 
6010         case 0xde: /* SKINIT */
6011             if ((!SVME(s) && !(s->cpuid_ext3_features & CPUID_EXT3_SKINIT))
6012                 || !PE(s)) {
6013                 goto illegal_op;
6014             }
6015             gen_svm_check_intercept(s, SVM_EXIT_SKINIT);
6016             /* If not intercepted, not implemented -- raise #UD. */
6017             goto illegal_op;
6018 
6019         case 0xdf: /* INVLPGA */
6020             if (!SVME(s) || !PE(s)) {
6021                 goto illegal_op;
6022             }
6023             if (!check_cpl0(s)) {
6024                 break;
6025             }
6026             gen_svm_check_intercept(s, SVM_EXIT_INVLPGA);
6027             if (s->aflag == MO_64) {
6028                 tcg_gen_mov_tl(s->A0, cpu_regs[R_EAX]);
6029             } else {
6030                 tcg_gen_ext32u_tl(s->A0, cpu_regs[R_EAX]);
6031             }
6032             gen_helper_flush_page(tcg_env, s->A0);
6033             s->base.is_jmp = DISAS_EOB_NEXT;
6034             break;
6035 
6036         CASE_MODRM_MEM_OP(2): /* lgdt */
6037             if (!check_cpl0(s)) {
6038                 break;
6039             }
6040             gen_svm_check_intercept(s, SVM_EXIT_GDTR_WRITE);
6041             gen_lea_modrm(env, s, modrm);
6042             gen_op_ld_v(s, MO_16, s->T1, s->A0);
6043             gen_add_A0_im(s, 2);
6044             gen_op_ld_v(s, CODE64(s) + MO_32, s->T0, s->A0);
6045             if (dflag == MO_16) {
6046                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
6047             }
6048             tcg_gen_st_tl(s->T0, tcg_env, offsetof(CPUX86State, gdt.base));
6049             tcg_gen_st32_tl(s->T1, tcg_env, offsetof(CPUX86State, gdt.limit));
6050             break;
6051 
6052         CASE_MODRM_MEM_OP(3): /* lidt */
6053             if (!check_cpl0(s)) {
6054                 break;
6055             }
6056             gen_svm_check_intercept(s, SVM_EXIT_IDTR_WRITE);
6057             gen_lea_modrm(env, s, modrm);
6058             gen_op_ld_v(s, MO_16, s->T1, s->A0);
6059             gen_add_A0_im(s, 2);
6060             gen_op_ld_v(s, CODE64(s) + MO_32, s->T0, s->A0);
6061             if (dflag == MO_16) {
6062                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
6063             }
6064             tcg_gen_st_tl(s->T0, tcg_env, offsetof(CPUX86State, idt.base));
6065             tcg_gen_st32_tl(s->T1, tcg_env, offsetof(CPUX86State, idt.limit));
6066             break;
6067 
6068         CASE_MODRM_OP(4): /* smsw */
6069             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
6070                 break;
6071             }
6072             gen_svm_check_intercept(s, SVM_EXIT_READ_CR0);
6073             tcg_gen_ld_tl(s->T0, tcg_env, offsetof(CPUX86State, cr[0]));
6074             /*
6075              * In 32-bit mode, the higher 16 bits of the destination
6076              * register are undefined.  In practice CR0[31:0] is stored
6077              * just like in 64-bit mode.
6078              */
6079             mod = (modrm >> 6) & 3;
6080             ot = (mod != 3 ? MO_16 : s->dflag);
6081             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
6082             break;
6083         case 0xee: /* rdpkru */
6084             if (prefixes & PREFIX_LOCK) {
6085                 goto illegal_op;
6086             }
6087             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
6088             gen_helper_rdpkru(s->tmp1_i64, tcg_env, s->tmp2_i32);
6089             tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], s->tmp1_i64);
6090             break;
6091         case 0xef: /* wrpkru */
6092             if (prefixes & PREFIX_LOCK) {
6093                 goto illegal_op;
6094             }
6095             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6096                                   cpu_regs[R_EDX]);
6097             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
6098             gen_helper_wrpkru(tcg_env, s->tmp2_i32, s->tmp1_i64);
6099             break;
6100 
6101         CASE_MODRM_OP(6): /* lmsw */
6102             if (!check_cpl0(s)) {
6103                 break;
6104             }
6105             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0);
6106             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
6107             /*
6108              * Only the 4 lower bits of CR0 are modified.
6109              * PE cannot be set to zero if already set to one.
6110              */
6111             tcg_gen_ld_tl(s->T1, tcg_env, offsetof(CPUX86State, cr[0]));
6112             tcg_gen_andi_tl(s->T0, s->T0, 0xf);
6113             tcg_gen_andi_tl(s->T1, s->T1, ~0xe);
6114             tcg_gen_or_tl(s->T0, s->T0, s->T1);
6115             gen_helper_write_crN(tcg_env, tcg_constant_i32(0), s->T0);
6116             s->base.is_jmp = DISAS_EOB_NEXT;
6117             break;
6118 
6119         CASE_MODRM_MEM_OP(7): /* invlpg */
6120             if (!check_cpl0(s)) {
6121                 break;
6122             }
6123             gen_svm_check_intercept(s, SVM_EXIT_INVLPG);
6124             gen_lea_modrm(env, s, modrm);
6125             gen_helper_flush_page(tcg_env, s->A0);
6126             s->base.is_jmp = DISAS_EOB_NEXT;
6127             break;
6128 
6129         case 0xf8: /* swapgs */
6130 #ifdef TARGET_X86_64
6131             if (CODE64(s)) {
6132                 if (check_cpl0(s)) {
6133                     tcg_gen_mov_tl(s->T0, cpu_seg_base[R_GS]);
6134                     tcg_gen_ld_tl(cpu_seg_base[R_GS], tcg_env,
6135                                   offsetof(CPUX86State, kernelgsbase));
6136                     tcg_gen_st_tl(s->T0, tcg_env,
6137                                   offsetof(CPUX86State, kernelgsbase));
6138                 }
6139                 break;
6140             }
6141 #endif
6142             goto illegal_op;
6143 
6144         case 0xf9: /* rdtscp */
6145             if (!(s->cpuid_ext2_features & CPUID_EXT2_RDTSCP)) {
6146                 goto illegal_op;
6147             }
6148             gen_update_cc_op(s);
6149             gen_update_eip_cur(s);
6150             translator_io_start(&s->base);
6151             gen_helper_rdtsc(tcg_env);
6152             gen_helper_rdpid(s->T0, tcg_env);
6153             gen_op_mov_reg_v(s, dflag, R_ECX, s->T0);
6154             break;
6155 
6156         default:
6157             goto unknown_op;
6158         }
6159         break;
6160 
6161     case 0x108: /* invd */
6162     case 0x109: /* wbinvd; wbnoinvd with REPZ prefix */
6163         if (check_cpl0(s)) {
6164             gen_svm_check_intercept(s, (b & 1) ? SVM_EXIT_WBINVD : SVM_EXIT_INVD);
6165             /* nothing to do */
6166         }
6167         break;
6168     case 0x63: /* arpl or movslS (x86_64) */
6169 #ifdef TARGET_X86_64
6170         if (CODE64(s)) {
6171             int d_ot;
6172             /* d_ot is the size of destination */
6173             d_ot = dflag;
6174 
6175             modrm = x86_ldub_code(env, s);
6176             reg = ((modrm >> 3) & 7) | REX_R(s);
6177             mod = (modrm >> 6) & 3;
6178             rm = (modrm & 7) | REX_B(s);
6179 
6180             if (mod == 3) {
6181                 gen_op_mov_v_reg(s, MO_32, s->T0, rm);
6182                 /* sign extend */
6183                 if (d_ot == MO_64) {
6184                     tcg_gen_ext32s_tl(s->T0, s->T0);
6185                 }
6186                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
6187             } else {
6188                 gen_lea_modrm(env, s, modrm);
6189                 gen_op_ld_v(s, MO_32 | MO_SIGN, s->T0, s->A0);
6190                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
6191             }
6192         } else
6193 #endif
6194         {
6195             TCGLabel *label1;
6196             TCGv t0, t1, t2;
6197 
6198             if (!PE(s) || VM86(s))
6199                 goto illegal_op;
6200             t0 = tcg_temp_new();
6201             t1 = tcg_temp_new();
6202             t2 = tcg_temp_new();
6203             ot = MO_16;
6204             modrm = x86_ldub_code(env, s);
6205             reg = (modrm >> 3) & 7;
6206             mod = (modrm >> 6) & 3;
6207             rm = modrm & 7;
6208             if (mod != 3) {
6209                 gen_lea_modrm(env, s, modrm);
6210                 gen_op_ld_v(s, ot, t0, s->A0);
6211             } else {
6212                 gen_op_mov_v_reg(s, ot, t0, rm);
6213             }
6214             gen_op_mov_v_reg(s, ot, t1, reg);
6215             tcg_gen_andi_tl(s->tmp0, t0, 3);
6216             tcg_gen_andi_tl(t1, t1, 3);
6217             tcg_gen_movi_tl(t2, 0);
6218             label1 = gen_new_label();
6219             tcg_gen_brcond_tl(TCG_COND_GE, s->tmp0, t1, label1);
6220             tcg_gen_andi_tl(t0, t0, ~3);
6221             tcg_gen_or_tl(t0, t0, t1);
6222             tcg_gen_movi_tl(t2, CC_Z);
6223             gen_set_label(label1);
6224             if (mod != 3) {
6225                 gen_op_st_v(s, ot, t0, s->A0);
6226            } else {
6227                 gen_op_mov_reg_v(s, ot, rm, t0);
6228             }
6229             gen_compute_eflags(s);
6230             tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, ~CC_Z);
6231             tcg_gen_or_tl(cpu_cc_src, cpu_cc_src, t2);
6232         }
6233         break;
6234     case 0x102: /* lar */
6235     case 0x103: /* lsl */
6236         {
6237             TCGLabel *label1;
6238             TCGv t0;
6239             if (!PE(s) || VM86(s))
6240                 goto illegal_op;
6241             ot = dflag != MO_16 ? MO_32 : MO_16;
6242             modrm = x86_ldub_code(env, s);
6243             reg = ((modrm >> 3) & 7) | REX_R(s);
6244             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
6245             t0 = tcg_temp_new();
6246             gen_update_cc_op(s);
6247             if (b == 0x102) {
6248                 gen_helper_lar(t0, tcg_env, s->T0);
6249             } else {
6250                 gen_helper_lsl(t0, tcg_env, s->T0);
6251             }
6252             tcg_gen_andi_tl(s->tmp0, cpu_cc_src, CC_Z);
6253             label1 = gen_new_label();
6254             tcg_gen_brcondi_tl(TCG_COND_EQ, s->tmp0, 0, label1);
6255             gen_op_mov_reg_v(s, ot, reg, t0);
6256             gen_set_label(label1);
6257             set_cc_op(s, CC_OP_EFLAGS);
6258         }
6259         break;
6260     case 0x118:
6261         modrm = x86_ldub_code(env, s);
6262         mod = (modrm >> 6) & 3;
6263         op = (modrm >> 3) & 7;
6264         switch(op) {
6265         case 0: /* prefetchnta */
6266         case 1: /* prefetchnt0 */
6267         case 2: /* prefetchnt0 */
6268         case 3: /* prefetchnt0 */
6269             if (mod == 3)
6270                 goto illegal_op;
6271             gen_nop_modrm(env, s, modrm);
6272             /* nothing more to do */
6273             break;
6274         default: /* nop (multi byte) */
6275             gen_nop_modrm(env, s, modrm);
6276             break;
6277         }
6278         break;
6279     case 0x11a:
6280         modrm = x86_ldub_code(env, s);
6281         if (s->flags & HF_MPX_EN_MASK) {
6282             mod = (modrm >> 6) & 3;
6283             reg = ((modrm >> 3) & 7) | REX_R(s);
6284             if (prefixes & PREFIX_REPZ) {
6285                 /* bndcl */
6286                 if (reg >= 4
6287                     || (prefixes & PREFIX_LOCK)
6288                     || s->aflag == MO_16) {
6289                     goto illegal_op;
6290                 }
6291                 gen_bndck(env, s, modrm, TCG_COND_LTU, cpu_bndl[reg]);
6292             } else if (prefixes & PREFIX_REPNZ) {
6293                 /* bndcu */
6294                 if (reg >= 4
6295                     || (prefixes & PREFIX_LOCK)
6296                     || s->aflag == MO_16) {
6297                     goto illegal_op;
6298                 }
6299                 TCGv_i64 notu = tcg_temp_new_i64();
6300                 tcg_gen_not_i64(notu, cpu_bndu[reg]);
6301                 gen_bndck(env, s, modrm, TCG_COND_GTU, notu);
6302             } else if (prefixes & PREFIX_DATA) {
6303                 /* bndmov -- from reg/mem */
6304                 if (reg >= 4 || s->aflag == MO_16) {
6305                     goto illegal_op;
6306                 }
6307                 if (mod == 3) {
6308                     int reg2 = (modrm & 7) | REX_B(s);
6309                     if (reg2 >= 4 || (prefixes & PREFIX_LOCK)) {
6310                         goto illegal_op;
6311                     }
6312                     if (s->flags & HF_MPX_IU_MASK) {
6313                         tcg_gen_mov_i64(cpu_bndl[reg], cpu_bndl[reg2]);
6314                         tcg_gen_mov_i64(cpu_bndu[reg], cpu_bndu[reg2]);
6315                     }
6316                 } else {
6317                     gen_lea_modrm(env, s, modrm);
6318                     if (CODE64(s)) {
6319                         tcg_gen_qemu_ld_i64(cpu_bndl[reg], s->A0,
6320                                             s->mem_index, MO_LEUQ);
6321                         tcg_gen_addi_tl(s->A0, s->A0, 8);
6322                         tcg_gen_qemu_ld_i64(cpu_bndu[reg], s->A0,
6323                                             s->mem_index, MO_LEUQ);
6324                     } else {
6325                         tcg_gen_qemu_ld_i64(cpu_bndl[reg], s->A0,
6326                                             s->mem_index, MO_LEUL);
6327                         tcg_gen_addi_tl(s->A0, s->A0, 4);
6328                         tcg_gen_qemu_ld_i64(cpu_bndu[reg], s->A0,
6329                                             s->mem_index, MO_LEUL);
6330                     }
6331                     /* bnd registers are now in-use */
6332                     gen_set_hflag(s, HF_MPX_IU_MASK);
6333                 }
6334             } else if (mod != 3) {
6335                 /* bndldx */
6336                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6337                 if (reg >= 4
6338                     || (prefixes & PREFIX_LOCK)
6339                     || s->aflag == MO_16
6340                     || a.base < -1) {
6341                     goto illegal_op;
6342                 }
6343                 if (a.base >= 0) {
6344                     tcg_gen_addi_tl(s->A0, cpu_regs[a.base], a.disp);
6345                 } else {
6346                     tcg_gen_movi_tl(s->A0, 0);
6347                 }
6348                 gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
6349                 if (a.index >= 0) {
6350                     tcg_gen_mov_tl(s->T0, cpu_regs[a.index]);
6351                 } else {
6352                     tcg_gen_movi_tl(s->T0, 0);
6353                 }
6354                 if (CODE64(s)) {
6355                     gen_helper_bndldx64(cpu_bndl[reg], tcg_env, s->A0, s->T0);
6356                     tcg_gen_ld_i64(cpu_bndu[reg], tcg_env,
6357                                    offsetof(CPUX86State, mmx_t0.MMX_Q(0)));
6358                 } else {
6359                     gen_helper_bndldx32(cpu_bndu[reg], tcg_env, s->A0, s->T0);
6360                     tcg_gen_ext32u_i64(cpu_bndl[reg], cpu_bndu[reg]);
6361                     tcg_gen_shri_i64(cpu_bndu[reg], cpu_bndu[reg], 32);
6362                 }
6363                 gen_set_hflag(s, HF_MPX_IU_MASK);
6364             }
6365         }
6366         gen_nop_modrm(env, s, modrm);
6367         break;
6368     case 0x11b:
6369         modrm = x86_ldub_code(env, s);
6370         if (s->flags & HF_MPX_EN_MASK) {
6371             mod = (modrm >> 6) & 3;
6372             reg = ((modrm >> 3) & 7) | REX_R(s);
6373             if (mod != 3 && (prefixes & PREFIX_REPZ)) {
6374                 /* bndmk */
6375                 if (reg >= 4
6376                     || (prefixes & PREFIX_LOCK)
6377                     || s->aflag == MO_16) {
6378                     goto illegal_op;
6379                 }
6380                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6381                 if (a.base >= 0) {
6382                     tcg_gen_extu_tl_i64(cpu_bndl[reg], cpu_regs[a.base]);
6383                     if (!CODE64(s)) {
6384                         tcg_gen_ext32u_i64(cpu_bndl[reg], cpu_bndl[reg]);
6385                     }
6386                 } else if (a.base == -1) {
6387                     /* no base register has lower bound of 0 */
6388                     tcg_gen_movi_i64(cpu_bndl[reg], 0);
6389                 } else {
6390                     /* rip-relative generates #ud */
6391                     goto illegal_op;
6392                 }
6393                 tcg_gen_not_tl(s->A0, gen_lea_modrm_1(s, a, false));
6394                 if (!CODE64(s)) {
6395                     tcg_gen_ext32u_tl(s->A0, s->A0);
6396                 }
6397                 tcg_gen_extu_tl_i64(cpu_bndu[reg], s->A0);
6398                 /* bnd registers are now in-use */
6399                 gen_set_hflag(s, HF_MPX_IU_MASK);
6400                 break;
6401             } else if (prefixes & PREFIX_REPNZ) {
6402                 /* bndcn */
6403                 if (reg >= 4
6404                     || (prefixes & PREFIX_LOCK)
6405                     || s->aflag == MO_16) {
6406                     goto illegal_op;
6407                 }
6408                 gen_bndck(env, s, modrm, TCG_COND_GTU, cpu_bndu[reg]);
6409             } else if (prefixes & PREFIX_DATA) {
6410                 /* bndmov -- to reg/mem */
6411                 if (reg >= 4 || s->aflag == MO_16) {
6412                     goto illegal_op;
6413                 }
6414                 if (mod == 3) {
6415                     int reg2 = (modrm & 7) | REX_B(s);
6416                     if (reg2 >= 4 || (prefixes & PREFIX_LOCK)) {
6417                         goto illegal_op;
6418                     }
6419                     if (s->flags & HF_MPX_IU_MASK) {
6420                         tcg_gen_mov_i64(cpu_bndl[reg2], cpu_bndl[reg]);
6421                         tcg_gen_mov_i64(cpu_bndu[reg2], cpu_bndu[reg]);
6422                     }
6423                 } else {
6424                     gen_lea_modrm(env, s, modrm);
6425                     if (CODE64(s)) {
6426                         tcg_gen_qemu_st_i64(cpu_bndl[reg], s->A0,
6427                                             s->mem_index, MO_LEUQ);
6428                         tcg_gen_addi_tl(s->A0, s->A0, 8);
6429                         tcg_gen_qemu_st_i64(cpu_bndu[reg], s->A0,
6430                                             s->mem_index, MO_LEUQ);
6431                     } else {
6432                         tcg_gen_qemu_st_i64(cpu_bndl[reg], s->A0,
6433                                             s->mem_index, MO_LEUL);
6434                         tcg_gen_addi_tl(s->A0, s->A0, 4);
6435                         tcg_gen_qemu_st_i64(cpu_bndu[reg], s->A0,
6436                                             s->mem_index, MO_LEUL);
6437                     }
6438                 }
6439             } else if (mod != 3) {
6440                 /* bndstx */
6441                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6442                 if (reg >= 4
6443                     || (prefixes & PREFIX_LOCK)
6444                     || s->aflag == MO_16
6445                     || a.base < -1) {
6446                     goto illegal_op;
6447                 }
6448                 if (a.base >= 0) {
6449                     tcg_gen_addi_tl(s->A0, cpu_regs[a.base], a.disp);
6450                 } else {
6451                     tcg_gen_movi_tl(s->A0, 0);
6452                 }
6453                 gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
6454                 if (a.index >= 0) {
6455                     tcg_gen_mov_tl(s->T0, cpu_regs[a.index]);
6456                 } else {
6457                     tcg_gen_movi_tl(s->T0, 0);
6458                 }
6459                 if (CODE64(s)) {
6460                     gen_helper_bndstx64(tcg_env, s->A0, s->T0,
6461                                         cpu_bndl[reg], cpu_bndu[reg]);
6462                 } else {
6463                     gen_helper_bndstx32(tcg_env, s->A0, s->T0,
6464                                         cpu_bndl[reg], cpu_bndu[reg]);
6465                 }
6466             }
6467         }
6468         gen_nop_modrm(env, s, modrm);
6469         break;
6470     case 0x119: case 0x11c ... 0x11f: /* nop (multi byte) */
6471         modrm = x86_ldub_code(env, s);
6472         gen_nop_modrm(env, s, modrm);
6473         break;
6474 
6475     case 0x120: /* mov reg, crN */
6476     case 0x122: /* mov crN, reg */
6477         if (!check_cpl0(s)) {
6478             break;
6479         }
6480         modrm = x86_ldub_code(env, s);
6481         /*
6482          * Ignore the mod bits (assume (modrm&0xc0)==0xc0).
6483          * AMD documentation (24594.pdf) and testing of Intel 386 and 486
6484          * processors all show that the mod bits are assumed to be 1's,
6485          * regardless of actual values.
6486          */
6487         rm = (modrm & 7) | REX_B(s);
6488         reg = ((modrm >> 3) & 7) | REX_R(s);
6489         switch (reg) {
6490         case 0:
6491             if ((prefixes & PREFIX_LOCK) &&
6492                 (s->cpuid_ext3_features & CPUID_EXT3_CR8LEG)) {
6493                 reg = 8;
6494             }
6495             break;
6496         case 2:
6497         case 3:
6498         case 4:
6499         case 8:
6500             break;
6501         default:
6502             goto unknown_op;
6503         }
6504         ot  = (CODE64(s) ? MO_64 : MO_32);
6505 
6506         translator_io_start(&s->base);
6507         if (b & 2) {
6508             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0 + reg);
6509             gen_op_mov_v_reg(s, ot, s->T0, rm);
6510             gen_helper_write_crN(tcg_env, tcg_constant_i32(reg), s->T0);
6511             s->base.is_jmp = DISAS_EOB_NEXT;
6512         } else {
6513             gen_svm_check_intercept(s, SVM_EXIT_READ_CR0 + reg);
6514             gen_helper_read_crN(s->T0, tcg_env, tcg_constant_i32(reg));
6515             gen_op_mov_reg_v(s, ot, rm, s->T0);
6516         }
6517         break;
6518 
6519     case 0x121: /* mov reg, drN */
6520     case 0x123: /* mov drN, reg */
6521         if (check_cpl0(s)) {
6522             modrm = x86_ldub_code(env, s);
6523             /* Ignore the mod bits (assume (modrm&0xc0)==0xc0).
6524              * AMD documentation (24594.pdf) and testing of
6525              * intel 386 and 486 processors all show that the mod bits
6526              * are assumed to be 1's, regardless of actual values.
6527              */
6528             rm = (modrm & 7) | REX_B(s);
6529             reg = ((modrm >> 3) & 7) | REX_R(s);
6530             if (CODE64(s))
6531                 ot = MO_64;
6532             else
6533                 ot = MO_32;
6534             if (reg >= 8) {
6535                 goto illegal_op;
6536             }
6537             if (b & 2) {
6538                 gen_svm_check_intercept(s, SVM_EXIT_WRITE_DR0 + reg);
6539                 gen_op_mov_v_reg(s, ot, s->T0, rm);
6540                 tcg_gen_movi_i32(s->tmp2_i32, reg);
6541                 gen_helper_set_dr(tcg_env, s->tmp2_i32, s->T0);
6542                 s->base.is_jmp = DISAS_EOB_NEXT;
6543             } else {
6544                 gen_svm_check_intercept(s, SVM_EXIT_READ_DR0 + reg);
6545                 tcg_gen_movi_i32(s->tmp2_i32, reg);
6546                 gen_helper_get_dr(s->T0, tcg_env, s->tmp2_i32);
6547                 gen_op_mov_reg_v(s, ot, rm, s->T0);
6548             }
6549         }
6550         break;
6551     case 0x106: /* clts */
6552         if (check_cpl0(s)) {
6553             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0);
6554             gen_helper_clts(tcg_env);
6555             /* abort block because static cpu state changed */
6556             s->base.is_jmp = DISAS_EOB_NEXT;
6557         }
6558         break;
6559     /* MMX/3DNow!/SSE/SSE2/SSE3/SSSE3/SSE4 support */
6560     case 0x1c3: /* MOVNTI reg, mem */
6561         if (!(s->cpuid_features & CPUID_SSE2))
6562             goto illegal_op;
6563         ot = mo_64_32(dflag);
6564         modrm = x86_ldub_code(env, s);
6565         mod = (modrm >> 6) & 3;
6566         if (mod == 3)
6567             goto illegal_op;
6568         reg = ((modrm >> 3) & 7) | REX_R(s);
6569         /* generate a generic store */
6570         gen_ldst_modrm(env, s, modrm, ot, reg, 1);
6571         break;
6572     case 0x1ae:
6573         modrm = x86_ldub_code(env, s);
6574         switch (modrm) {
6575         CASE_MODRM_MEM_OP(0): /* fxsave */
6576             if (!(s->cpuid_features & CPUID_FXSR)
6577                 || (prefixes & PREFIX_LOCK)) {
6578                 goto illegal_op;
6579             }
6580             if ((s->flags & HF_EM_MASK) || (s->flags & HF_TS_MASK)) {
6581                 gen_exception(s, EXCP07_PREX);
6582                 break;
6583             }
6584             gen_lea_modrm(env, s, modrm);
6585             gen_helper_fxsave(tcg_env, s->A0);
6586             break;
6587 
6588         CASE_MODRM_MEM_OP(1): /* fxrstor */
6589             if (!(s->cpuid_features & CPUID_FXSR)
6590                 || (prefixes & PREFIX_LOCK)) {
6591                 goto illegal_op;
6592             }
6593             if ((s->flags & HF_EM_MASK) || (s->flags & HF_TS_MASK)) {
6594                 gen_exception(s, EXCP07_PREX);
6595                 break;
6596             }
6597             gen_lea_modrm(env, s, modrm);
6598             gen_helper_fxrstor(tcg_env, s->A0);
6599             break;
6600 
6601         CASE_MODRM_MEM_OP(2): /* ldmxcsr */
6602             if ((s->flags & HF_EM_MASK) || !(s->flags & HF_OSFXSR_MASK)) {
6603                 goto illegal_op;
6604             }
6605             if (s->flags & HF_TS_MASK) {
6606                 gen_exception(s, EXCP07_PREX);
6607                 break;
6608             }
6609             gen_lea_modrm(env, s, modrm);
6610             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0, s->mem_index, MO_LEUL);
6611             gen_helper_ldmxcsr(tcg_env, s->tmp2_i32);
6612             break;
6613 
6614         CASE_MODRM_MEM_OP(3): /* stmxcsr */
6615             if ((s->flags & HF_EM_MASK) || !(s->flags & HF_OSFXSR_MASK)) {
6616                 goto illegal_op;
6617             }
6618             if (s->flags & HF_TS_MASK) {
6619                 gen_exception(s, EXCP07_PREX);
6620                 break;
6621             }
6622             gen_helper_update_mxcsr(tcg_env);
6623             gen_lea_modrm(env, s, modrm);
6624             tcg_gen_ld32u_tl(s->T0, tcg_env, offsetof(CPUX86State, mxcsr));
6625             gen_op_st_v(s, MO_32, s->T0, s->A0);
6626             break;
6627 
6628         CASE_MODRM_MEM_OP(4): /* xsave */
6629             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6630                 || (prefixes & (PREFIX_LOCK | PREFIX_DATA
6631                                 | PREFIX_REPZ | PREFIX_REPNZ))) {
6632                 goto illegal_op;
6633             }
6634             gen_lea_modrm(env, s, modrm);
6635             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6636                                   cpu_regs[R_EDX]);
6637             gen_helper_xsave(tcg_env, s->A0, s->tmp1_i64);
6638             break;
6639 
6640         CASE_MODRM_MEM_OP(5): /* xrstor */
6641             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6642                 || (prefixes & (PREFIX_LOCK | PREFIX_DATA
6643                                 | PREFIX_REPZ | PREFIX_REPNZ))) {
6644                 goto illegal_op;
6645             }
6646             gen_lea_modrm(env, s, modrm);
6647             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6648                                   cpu_regs[R_EDX]);
6649             gen_helper_xrstor(tcg_env, s->A0, s->tmp1_i64);
6650             /* XRSTOR is how MPX is enabled, which changes how
6651                we translate.  Thus we need to end the TB.  */
6652             s->base.is_jmp = DISAS_EOB_NEXT;
6653             break;
6654 
6655         CASE_MODRM_MEM_OP(6): /* xsaveopt / clwb */
6656             if (prefixes & PREFIX_LOCK) {
6657                 goto illegal_op;
6658             }
6659             if (prefixes & PREFIX_DATA) {
6660                 /* clwb */
6661                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_CLWB)) {
6662                     goto illegal_op;
6663                 }
6664                 gen_nop_modrm(env, s, modrm);
6665             } else {
6666                 /* xsaveopt */
6667                 if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6668                     || (s->cpuid_xsave_features & CPUID_XSAVE_XSAVEOPT) == 0
6669                     || (prefixes & (PREFIX_REPZ | PREFIX_REPNZ))) {
6670                     goto illegal_op;
6671                 }
6672                 gen_lea_modrm(env, s, modrm);
6673                 tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6674                                       cpu_regs[R_EDX]);
6675                 gen_helper_xsaveopt(tcg_env, s->A0, s->tmp1_i64);
6676             }
6677             break;
6678 
6679         CASE_MODRM_MEM_OP(7): /* clflush / clflushopt */
6680             if (prefixes & PREFIX_LOCK) {
6681                 goto illegal_op;
6682             }
6683             if (prefixes & PREFIX_DATA) {
6684                 /* clflushopt */
6685                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_CLFLUSHOPT)) {
6686                     goto illegal_op;
6687                 }
6688             } else {
6689                 /* clflush */
6690                 if ((s->prefix & (PREFIX_REPZ | PREFIX_REPNZ))
6691                     || !(s->cpuid_features & CPUID_CLFLUSH)) {
6692                     goto illegal_op;
6693                 }
6694             }
6695             gen_nop_modrm(env, s, modrm);
6696             break;
6697 
6698         case 0xc0 ... 0xc7: /* rdfsbase (f3 0f ae /0) */
6699         case 0xc8 ... 0xcf: /* rdgsbase (f3 0f ae /1) */
6700         case 0xd0 ... 0xd7: /* wrfsbase (f3 0f ae /2) */
6701         case 0xd8 ... 0xdf: /* wrgsbase (f3 0f ae /3) */
6702             if (CODE64(s)
6703                 && (prefixes & PREFIX_REPZ)
6704                 && !(prefixes & PREFIX_LOCK)
6705                 && (s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_FSGSBASE)) {
6706                 TCGv base, treg, src, dst;
6707 
6708                 /* Preserve hflags bits by testing CR4 at runtime.  */
6709                 tcg_gen_movi_i32(s->tmp2_i32, CR4_FSGSBASE_MASK);
6710                 gen_helper_cr4_testbit(tcg_env, s->tmp2_i32);
6711 
6712                 base = cpu_seg_base[modrm & 8 ? R_GS : R_FS];
6713                 treg = cpu_regs[(modrm & 7) | REX_B(s)];
6714 
6715                 if (modrm & 0x10) {
6716                     /* wr*base */
6717                     dst = base, src = treg;
6718                 } else {
6719                     /* rd*base */
6720                     dst = treg, src = base;
6721                 }
6722 
6723                 if (s->dflag == MO_32) {
6724                     tcg_gen_ext32u_tl(dst, src);
6725                 } else {
6726                     tcg_gen_mov_tl(dst, src);
6727                 }
6728                 break;
6729             }
6730             goto unknown_op;
6731 
6732         case 0xf8: /* sfence / pcommit */
6733             if (prefixes & PREFIX_DATA) {
6734                 /* pcommit */
6735                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_PCOMMIT)
6736                     || (prefixes & PREFIX_LOCK)) {
6737                     goto illegal_op;
6738                 }
6739                 break;
6740             }
6741             /* fallthru */
6742         case 0xf9 ... 0xff: /* sfence */
6743             if (!(s->cpuid_features & CPUID_SSE)
6744                 || (prefixes & PREFIX_LOCK)) {
6745                 goto illegal_op;
6746             }
6747             tcg_gen_mb(TCG_MO_ST_ST | TCG_BAR_SC);
6748             break;
6749         case 0xe8 ... 0xef: /* lfence */
6750             if (!(s->cpuid_features & CPUID_SSE)
6751                 || (prefixes & PREFIX_LOCK)) {
6752                 goto illegal_op;
6753             }
6754             tcg_gen_mb(TCG_MO_LD_LD | TCG_BAR_SC);
6755             break;
6756         case 0xf0 ... 0xf7: /* mfence */
6757             if (!(s->cpuid_features & CPUID_SSE2)
6758                 || (prefixes & PREFIX_LOCK)) {
6759                 goto illegal_op;
6760             }
6761             tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
6762             break;
6763 
6764         default:
6765             goto unknown_op;
6766         }
6767         break;
6768 
6769     case 0x10d: /* 3DNow! prefetch(w) */
6770         modrm = x86_ldub_code(env, s);
6771         mod = (modrm >> 6) & 3;
6772         if (mod == 3)
6773             goto illegal_op;
6774         gen_nop_modrm(env, s, modrm);
6775         break;
6776     case 0x1aa: /* rsm */
6777         gen_svm_check_intercept(s, SVM_EXIT_RSM);
6778         if (!(s->flags & HF_SMM_MASK))
6779             goto illegal_op;
6780 #ifdef CONFIG_USER_ONLY
6781         /* we should not be in SMM mode */
6782         g_assert_not_reached();
6783 #else
6784         gen_update_cc_op(s);
6785         gen_update_eip_next(s);
6786         gen_helper_rsm(tcg_env);
6787 #endif /* CONFIG_USER_ONLY */
6788         s->base.is_jmp = DISAS_EOB_ONLY;
6789         break;
6790     case 0x1b8: /* SSE4.2 popcnt */
6791         if ((prefixes & (PREFIX_REPZ | PREFIX_LOCK | PREFIX_REPNZ)) !=
6792              PREFIX_REPZ)
6793             goto illegal_op;
6794         if (!(s->cpuid_ext_features & CPUID_EXT_POPCNT))
6795             goto illegal_op;
6796 
6797         modrm = x86_ldub_code(env, s);
6798         reg = ((modrm >> 3) & 7) | REX_R(s);
6799 
6800         if (s->prefix & PREFIX_DATA) {
6801             ot = MO_16;
6802         } else {
6803             ot = mo_64_32(dflag);
6804         }
6805 
6806         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
6807         gen_extu(ot, s->T0);
6808         tcg_gen_mov_tl(cpu_cc_src, s->T0);
6809         tcg_gen_ctpop_tl(s->T0, s->T0);
6810         gen_op_mov_reg_v(s, ot, reg, s->T0);
6811 
6812         set_cc_op(s, CC_OP_POPCNT);
6813         break;
6814     case 0x10e ... 0x117:
6815     case 0x128 ... 0x12f:
6816     case 0x138 ... 0x13a:
6817     case 0x150 ... 0x179:
6818     case 0x17c ... 0x17f:
6819     case 0x1c2:
6820     case 0x1c4 ... 0x1c6:
6821     case 0x1d0 ... 0x1fe:
6822         disas_insn_new(s, cpu, b);
6823         break;
6824     default:
6825         goto unknown_op;
6826     }
6827     return true;
6828  illegal_op:
6829     gen_illegal_opcode(s);
6830     return true;
6831  unknown_op:
6832     gen_unknown_opcode(env, s);
6833     return true;
6834 }
6835 
6836 void tcg_x86_init(void)
6837 {
6838     static const char reg_names[CPU_NB_REGS][4] = {
6839 #ifdef TARGET_X86_64
6840         [R_EAX] = "rax",
6841         [R_EBX] = "rbx",
6842         [R_ECX] = "rcx",
6843         [R_EDX] = "rdx",
6844         [R_ESI] = "rsi",
6845         [R_EDI] = "rdi",
6846         [R_EBP] = "rbp",
6847         [R_ESP] = "rsp",
6848         [8]  = "r8",
6849         [9]  = "r9",
6850         [10] = "r10",
6851         [11] = "r11",
6852         [12] = "r12",
6853         [13] = "r13",
6854         [14] = "r14",
6855         [15] = "r15",
6856 #else
6857         [R_EAX] = "eax",
6858         [R_EBX] = "ebx",
6859         [R_ECX] = "ecx",
6860         [R_EDX] = "edx",
6861         [R_ESI] = "esi",
6862         [R_EDI] = "edi",
6863         [R_EBP] = "ebp",
6864         [R_ESP] = "esp",
6865 #endif
6866     };
6867     static const char eip_name[] = {
6868 #ifdef TARGET_X86_64
6869         "rip"
6870 #else
6871         "eip"
6872 #endif
6873     };
6874     static const char seg_base_names[6][8] = {
6875         [R_CS] = "cs_base",
6876         [R_DS] = "ds_base",
6877         [R_ES] = "es_base",
6878         [R_FS] = "fs_base",
6879         [R_GS] = "gs_base",
6880         [R_SS] = "ss_base",
6881     };
6882     static const char bnd_regl_names[4][8] = {
6883         "bnd0_lb", "bnd1_lb", "bnd2_lb", "bnd3_lb"
6884     };
6885     static const char bnd_regu_names[4][8] = {
6886         "bnd0_ub", "bnd1_ub", "bnd2_ub", "bnd3_ub"
6887     };
6888     int i;
6889 
6890     cpu_cc_op = tcg_global_mem_new_i32(tcg_env,
6891                                        offsetof(CPUX86State, cc_op), "cc_op");
6892     cpu_cc_dst = tcg_global_mem_new(tcg_env, offsetof(CPUX86State, cc_dst),
6893                                     "cc_dst");
6894     cpu_cc_src = tcg_global_mem_new(tcg_env, offsetof(CPUX86State, cc_src),
6895                                     "cc_src");
6896     cpu_cc_src2 = tcg_global_mem_new(tcg_env, offsetof(CPUX86State, cc_src2),
6897                                      "cc_src2");
6898     cpu_eip = tcg_global_mem_new(tcg_env, offsetof(CPUX86State, eip), eip_name);
6899 
6900     for (i = 0; i < CPU_NB_REGS; ++i) {
6901         cpu_regs[i] = tcg_global_mem_new(tcg_env,
6902                                          offsetof(CPUX86State, regs[i]),
6903                                          reg_names[i]);
6904     }
6905 
6906     for (i = 0; i < 6; ++i) {
6907         cpu_seg_base[i]
6908             = tcg_global_mem_new(tcg_env,
6909                                  offsetof(CPUX86State, segs[i].base),
6910                                  seg_base_names[i]);
6911     }
6912 
6913     for (i = 0; i < 4; ++i) {
6914         cpu_bndl[i]
6915             = tcg_global_mem_new_i64(tcg_env,
6916                                      offsetof(CPUX86State, bnd_regs[i].lb),
6917                                      bnd_regl_names[i]);
6918         cpu_bndu[i]
6919             = tcg_global_mem_new_i64(tcg_env,
6920                                      offsetof(CPUX86State, bnd_regs[i].ub),
6921                                      bnd_regu_names[i]);
6922     }
6923 }
6924 
6925 static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
6926 {
6927     DisasContext *dc = container_of(dcbase, DisasContext, base);
6928     CPUX86State *env = cpu_env(cpu);
6929     uint32_t flags = dc->base.tb->flags;
6930     uint32_t cflags = tb_cflags(dc->base.tb);
6931     int cpl = (flags >> HF_CPL_SHIFT) & 3;
6932     int iopl = (flags >> IOPL_SHIFT) & 3;
6933 
6934     dc->cs_base = dc->base.tb->cs_base;
6935     dc->pc_save = dc->base.pc_next;
6936     dc->flags = flags;
6937 #ifndef CONFIG_USER_ONLY
6938     dc->cpl = cpl;
6939     dc->iopl = iopl;
6940 #endif
6941 
6942     /* We make some simplifying assumptions; validate they're correct. */
6943     g_assert(PE(dc) == ((flags & HF_PE_MASK) != 0));
6944     g_assert(CPL(dc) == cpl);
6945     g_assert(IOPL(dc) == iopl);
6946     g_assert(VM86(dc) == ((flags & HF_VM_MASK) != 0));
6947     g_assert(CODE32(dc) == ((flags & HF_CS32_MASK) != 0));
6948     g_assert(CODE64(dc) == ((flags & HF_CS64_MASK) != 0));
6949     g_assert(SS32(dc) == ((flags & HF_SS32_MASK) != 0));
6950     g_assert(LMA(dc) == ((flags & HF_LMA_MASK) != 0));
6951     g_assert(ADDSEG(dc) == ((flags & HF_ADDSEG_MASK) != 0));
6952     g_assert(SVME(dc) == ((flags & HF_SVME_MASK) != 0));
6953     g_assert(GUEST(dc) == ((flags & HF_GUEST_MASK) != 0));
6954 
6955     dc->cc_op = CC_OP_DYNAMIC;
6956     dc->cc_op_dirty = false;
6957     dc->popl_esp_hack = 0;
6958     /* select memory access functions */
6959     dc->mem_index = cpu_mmu_index(cpu, false);
6960     dc->cpuid_features = env->features[FEAT_1_EDX];
6961     dc->cpuid_ext_features = env->features[FEAT_1_ECX];
6962     dc->cpuid_ext2_features = env->features[FEAT_8000_0001_EDX];
6963     dc->cpuid_ext3_features = env->features[FEAT_8000_0001_ECX];
6964     dc->cpuid_7_0_ebx_features = env->features[FEAT_7_0_EBX];
6965     dc->cpuid_7_0_ecx_features = env->features[FEAT_7_0_ECX];
6966     dc->cpuid_7_1_eax_features = env->features[FEAT_7_1_EAX];
6967     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
6968     dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
6969                     (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
6970     /*
6971      * If jmp_opt, we want to handle each string instruction individually.
6972      * For icount also disable repz optimization so that each iteration
6973      * is accounted separately.
6974      */
6975     dc->repz_opt = !dc->jmp_opt && !(cflags & CF_USE_ICOUNT);
6976 
6977     dc->T0 = tcg_temp_new();
6978     dc->T1 = tcg_temp_new();
6979     dc->A0 = tcg_temp_new();
6980 
6981     dc->tmp0 = tcg_temp_new();
6982     dc->tmp1_i64 = tcg_temp_new_i64();
6983     dc->tmp2_i32 = tcg_temp_new_i32();
6984     dc->tmp3_i32 = tcg_temp_new_i32();
6985     dc->tmp4 = tcg_temp_new();
6986     dc->cc_srcT = tcg_temp_new();
6987 }
6988 
6989 static void i386_tr_tb_start(DisasContextBase *db, CPUState *cpu)
6990 {
6991 }
6992 
6993 static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
6994 {
6995     DisasContext *dc = container_of(dcbase, DisasContext, base);
6996     target_ulong pc_arg = dc->base.pc_next;
6997 
6998     dc->prev_insn_end = tcg_last_op();
6999     if (tb_cflags(dcbase->tb) & CF_PCREL) {
7000         pc_arg &= ~TARGET_PAGE_MASK;
7001     }
7002     tcg_gen_insn_start(pc_arg, dc->cc_op);
7003 }
7004 
7005 static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
7006 {
7007     DisasContext *dc = container_of(dcbase, DisasContext, base);
7008 
7009 #ifdef TARGET_VSYSCALL_PAGE
7010     /*
7011      * Detect entry into the vsyscall page and invoke the syscall.
7012      */
7013     if ((dc->base.pc_next & TARGET_PAGE_MASK) == TARGET_VSYSCALL_PAGE) {
7014         gen_exception(dc, EXCP_VSYSCALL);
7015         dc->base.pc_next = dc->pc + 1;
7016         return;
7017     }
7018 #endif
7019 
7020     if (disas_insn(dc, cpu)) {
7021         target_ulong pc_next = dc->pc;
7022         dc->base.pc_next = pc_next;
7023 
7024         if (dc->base.is_jmp == DISAS_NEXT) {
7025             if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
7026                 /*
7027                  * If single step mode, we generate only one instruction and
7028                  * generate an exception.
7029                  * If irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
7030                  * the flag and abort the translation to give the irqs a
7031                  * chance to happen.
7032                  */
7033                 dc->base.is_jmp = DISAS_EOB_NEXT;
7034             } else if (!is_same_page(&dc->base, pc_next)) {
7035                 dc->base.is_jmp = DISAS_TOO_MANY;
7036             }
7037         }
7038     }
7039 }
7040 
7041 static void i386_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
7042 {
7043     DisasContext *dc = container_of(dcbase, DisasContext, base);
7044 
7045     switch (dc->base.is_jmp) {
7046     case DISAS_NORETURN:
7047         break;
7048     case DISAS_TOO_MANY:
7049         gen_update_cc_op(dc);
7050         gen_jmp_rel_csize(dc, 0, 0);
7051         break;
7052     case DISAS_EOB_NEXT:
7053         gen_update_cc_op(dc);
7054         gen_update_eip_cur(dc);
7055         /* fall through */
7056     case DISAS_EOB_ONLY:
7057         gen_eob(dc);
7058         break;
7059     case DISAS_EOB_INHIBIT_IRQ:
7060         gen_update_cc_op(dc);
7061         gen_update_eip_cur(dc);
7062         gen_eob_inhibit_irq(dc, true);
7063         break;
7064     case DISAS_JUMP:
7065         gen_jr(dc);
7066         break;
7067     default:
7068         g_assert_not_reached();
7069     }
7070 }
7071 
7072 static void i386_tr_disas_log(const DisasContextBase *dcbase,
7073                               CPUState *cpu, FILE *logfile)
7074 {
7075     DisasContext *dc = container_of(dcbase, DisasContext, base);
7076 
7077     fprintf(logfile, "IN: %s\n", lookup_symbol(dc->base.pc_first));
7078     target_disas(logfile, cpu, dc->base.pc_first, dc->base.tb->size);
7079 }
7080 
7081 static const TranslatorOps i386_tr_ops = {
7082     .init_disas_context = i386_tr_init_disas_context,
7083     .tb_start           = i386_tr_tb_start,
7084     .insn_start         = i386_tr_insn_start,
7085     .translate_insn     = i386_tr_translate_insn,
7086     .tb_stop            = i386_tr_tb_stop,
7087     .disas_log          = i386_tr_disas_log,
7088 };
7089 
7090 /* generate intermediate code for basic block 'tb'.  */
7091 void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int *max_insns,
7092                            vaddr pc, void *host_pc)
7093 {
7094     DisasContext dc;
7095 
7096     translator_loop(cpu, tb, max_insns, pc, host_pc, &i386_tr_ops, &dc.base);
7097 }
7098