/*
 *  i386 translation
 *
 *  Copyright (c) 2003 Fabrice Bellard
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */
#include "qemu/osdep.h"

#include "qemu/host-utils.h"
#include "cpu.h"
#include "disas/disas.h"
#include "exec/exec-all.h"
#include "tcg/tcg-op.h"
#include "tcg/tcg-op-gvec.h"
#include "exec/cpu_ldst.h"
#include "exec/translator.h"
#include "fpu/softfloat.h"

#include "exec/helper-proto.h"
#include "exec/helper-gen.h"
#include "helper-tcg.h"

#include "exec/log.h"

#define HELPER_H "helper.h"
#include "exec/helper-info.c.inc"
#undef  HELPER_H


#define PREFIX_REPZ   0x01
#define PREFIX_REPNZ  0x02
#define PREFIX_LOCK   0x04
#define PREFIX_DATA   0x08
#define PREFIX_ADR    0x10
#define PREFIX_VEX    0x20
#define PREFIX_REX    0x40

#ifdef TARGET_X86_64
# define ctztl  ctz64
# define clztl  clz64
#else
# define ctztl  ctz32
# define clztl  clz32
#endif

/* For a switch indexed by MODRM, match all memory operands for a given OP.  */
#define CASE_MODRM_MEM_OP(OP) \
    case (0 << 6) | (OP << 3) | 0 ... (0 << 6) | (OP << 3) | 7: \
    case (1 << 6) | (OP << 3) | 0 ... (1 << 6) | (OP << 3) | 7: \
    case (2 << 6) | (OP << 3) | 0 ... (2 << 6) | (OP << 3) | 7

#define CASE_MODRM_OP(OP) \
    case (0 << 6) | (OP << 3) | 0 ... (0 << 6) | (OP << 3) | 7: \
    case (1 << 6) | (OP << 3) | 0 ... (1 << 6) | (OP << 3) | 7: \
    case (2 << 6) | (OP << 3) | 0 ... (2 << 6) | (OP << 3) | 7: \
    case (3 << 6) | (OP << 3) | 0 ... (3 << 6) | (OP << 3) | 7
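
/*
 * Illustration (not part of the original source): a ModR/M byte is
 * mod(2 bits) | reg-or-OP(3 bits) | rm(3 bits), so CASE_MODRM_OP(4)
 * expands to the case ranges 0x20-0x27, 0x60-0x67, 0xa0-0xa7 and
 * 0xe0-0xe7, i.e. every mod/rm combination whose reg field is 4.
 * CASE_MODRM_MEM_OP omits the last range because mod == 3 encodes a
 * register, not a memory operand.
 */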

//#define MACRO_TEST   1

/* global register indexes */
static TCGv cpu_cc_dst, cpu_cc_src, cpu_cc_src2;
static TCGv cpu_eip;
static TCGv_i32 cpu_cc_op;
static TCGv cpu_regs[CPU_NB_REGS];
static TCGv cpu_seg_base[6];
static TCGv_i64 cpu_bndl[4];
static TCGv_i64 cpu_bndu[4];

typedef struct DisasContext {
    DisasContextBase base;

    target_ulong pc;       /* pc = eip + cs_base */
    target_ulong cs_base;  /* base of CS segment */
    target_ulong pc_save;

    MemOp aflag;
    MemOp dflag;

    int8_t override; /* -1 if no override, else R_CS, R_DS, etc */
    uint8_t prefix;

    bool has_modrm;
    uint8_t modrm;

#ifndef CONFIG_USER_ONLY
    uint8_t cpl;   /* code priv level */
    uint8_t iopl;  /* i/o priv level */
#endif
    uint8_t vex_l;  /* vex vector length */
    uint8_t vex_v;  /* vex vvvv register, without 1's complement.  */
    uint8_t popl_esp_hack; /* for correct popl with esp base handling */
    uint8_t rip_offset; /* only used in x86_64, but left for simplicity */

#ifdef TARGET_X86_64
    uint8_t rex_r;
    uint8_t rex_x;
    uint8_t rex_b;
#endif
    bool vex_w; /* used by AVX even on 32-bit processors */
    bool jmp_opt; /* use direct block chaining for direct jumps */
    bool repz_opt; /* optimize jumps within repz instructions */
    bool cc_op_dirty;

    CCOp cc_op;  /* current CC operation */
    int mem_index; /* select memory access functions */
    uint32_t flags; /* all execution flags */
    int cpuid_features;
    int cpuid_ext_features;
    int cpuid_ext2_features;
    int cpuid_ext3_features;
    int cpuid_7_0_ebx_features;
    int cpuid_7_0_ecx_features;
    int cpuid_7_1_eax_features;
    int cpuid_xsave_features;

    /* TCG local temps */
    TCGv cc_srcT;
    TCGv A0;
    TCGv T0;
    TCGv T1;

    /* TCG local register indexes (only used inside old micro ops) */
    TCGv tmp0;
    TCGv tmp4;
    TCGv_i32 tmp2_i32;
    TCGv_i32 tmp3_i32;
    TCGv_i64 tmp1_i64;

    sigjmp_buf jmpbuf;
    TCGOp *prev_insn_start;
    TCGOp *prev_insn_end;
} DisasContext;

#define DISAS_EOB_ONLY         DISAS_TARGET_0
#define DISAS_EOB_NEXT         DISAS_TARGET_1
#define DISAS_EOB_INHIBIT_IRQ  DISAS_TARGET_2
#define DISAS_JUMP             DISAS_TARGET_3

/* The environment in which user-only runs is constrained. */
#ifdef CONFIG_USER_ONLY
#define PE(S)     true
#define CPL(S)    3
#define IOPL(S)   0
#define SVME(S)   false
#define GUEST(S)  false
#else
#define PE(S)     (((S)->flags & HF_PE_MASK) != 0)
#define CPL(S)    ((S)->cpl)
#define IOPL(S)   ((S)->iopl)
#define SVME(S)   (((S)->flags & HF_SVME_MASK) != 0)
#define GUEST(S)  (((S)->flags & HF_GUEST_MASK) != 0)
#endif
#if defined(CONFIG_USER_ONLY) && defined(TARGET_X86_64)
#define VM86(S)   false
#define CODE32(S) true
#define SS32(S)   true
#define ADDSEG(S) false
#else
#define VM86(S)   (((S)->flags & HF_VM_MASK) != 0)
#define CODE32(S) (((S)->flags & HF_CS32_MASK) != 0)
#define SS32(S)   (((S)->flags & HF_SS32_MASK) != 0)
#define ADDSEG(S) (((S)->flags & HF_ADDSEG_MASK) != 0)
#endif
#if !defined(TARGET_X86_64)
#define CODE64(S) false
#elif defined(CONFIG_USER_ONLY)
#define CODE64(S) true
#else
#define CODE64(S) (((S)->flags & HF_CS64_MASK) != 0)
#endif
#if defined(CONFIG_USER_ONLY) || defined(TARGET_X86_64)
#define LMA(S)    (((S)->flags & HF_LMA_MASK) != 0)
#else
#define LMA(S)    false
#endif

#ifdef TARGET_X86_64
#define REX_PREFIX(S)  (((S)->prefix & PREFIX_REX) != 0)
#define REX_W(S)       ((S)->vex_w)
#define REX_R(S)       ((S)->rex_r + 0)
#define REX_X(S)       ((S)->rex_x + 0)
#define REX_B(S)       ((S)->rex_b + 0)
#else
#define REX_PREFIX(S)  false
#define REX_W(S)       false
#define REX_R(S)       0
#define REX_X(S)       0
#define REX_B(S)       0
#endif

/*
 * Many sysemu-only helpers are not reachable for user-only.
 * Define stub generators here, so that we need neither sprinkle
 * ifdefs through the translator nor provide the helper functions.
 */
#define STUB_HELPER(NAME, ...) \
    static inline void gen_helper_##NAME(__VA_ARGS__) \
    { qemu_build_not_reached(); }

#ifdef CONFIG_USER_ONLY
STUB_HELPER(clgi, TCGv_env env)
STUB_HELPER(flush_page, TCGv_env env, TCGv addr)
STUB_HELPER(hlt, TCGv_env env, TCGv_i32 pc_ofs)
STUB_HELPER(inb, TCGv ret, TCGv_env env, TCGv_i32 port)
STUB_HELPER(inw, TCGv ret, TCGv_env env, TCGv_i32 port)
STUB_HELPER(inl, TCGv ret, TCGv_env env, TCGv_i32 port)
STUB_HELPER(monitor, TCGv_env env, TCGv addr)
STUB_HELPER(mwait, TCGv_env env, TCGv_i32 pc_ofs)
STUB_HELPER(outb, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
STUB_HELPER(outw, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
STUB_HELPER(outl, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
STUB_HELPER(rdmsr, TCGv_env env)
STUB_HELPER(read_crN, TCGv ret, TCGv_env env, TCGv_i32 reg)
STUB_HELPER(get_dr, TCGv ret, TCGv_env env, TCGv_i32 reg)
STUB_HELPER(set_dr, TCGv_env env, TCGv_i32 reg, TCGv val)
STUB_HELPER(stgi, TCGv_env env)
STUB_HELPER(svm_check_intercept, TCGv_env env, TCGv_i32 type)
STUB_HELPER(vmload, TCGv_env env, TCGv_i32 aflag)
STUB_HELPER(vmmcall, TCGv_env env)
STUB_HELPER(vmrun, TCGv_env env, TCGv_i32 aflag, TCGv_i32 pc_ofs)
STUB_HELPER(vmsave, TCGv_env env, TCGv_i32 aflag)
STUB_HELPER(write_crN, TCGv_env env, TCGv_i32 reg, TCGv val)
STUB_HELPER(wrmsr, TCGv_env env)
#endif

static void gen_eob(DisasContext *s);
static void gen_jr(DisasContext *s);
static void gen_jmp_rel(DisasContext *s, MemOp ot, int diff, int tb_num);
static void gen_jmp_rel_csize(DisasContext *s, int diff, int tb_num);
static void gen_op(DisasContext *s1, int op, MemOp ot, int d);
static void gen_exception_gpf(DisasContext *s);

/* i386 arith/logic operations */
enum {
    OP_ADDL,
    OP_ORL,
    OP_ADCL,
    OP_SBBL,
    OP_ANDL,
    OP_SUBL,
    OP_XORL,
    OP_CMPL,
};

/* i386 shift ops */
enum {
    OP_ROL,
    OP_ROR,
    OP_RCL,
    OP_RCR,
    OP_SHL,
    OP_SHR,
    OP_SHL1, /* undocumented */
    OP_SAR = 7,
};

enum {
    JCC_O,
    JCC_B,
    JCC_Z,
    JCC_BE,
    JCC_S,
    JCC_P,
    JCC_L,
    JCC_LE,
};

enum {
    /* I386 int registers */
    OR_EAX,   /* MUST be even numbered */
    OR_ECX,
    OR_EDX,
    OR_EBX,
    OR_ESP,
    OR_EBP,
    OR_ESI,
    OR_EDI,

    OR_TMP0 = 16,    /* temporary operand register */
    OR_TMP1,
    OR_A0, /* temporary register used when doing address evaluation */
};

enum {
    USES_CC_DST  = 1,
    USES_CC_SRC  = 2,
    USES_CC_SRC2 = 4,
    USES_CC_SRCT = 8,
};

/* Bit set if the global variable is live after setting CC_OP to X.  */
static const uint8_t cc_op_live[CC_OP_NB] = {
    [CC_OP_DYNAMIC] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_EFLAGS] = USES_CC_SRC,
    [CC_OP_MULB ... CC_OP_MULQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_ADDB ... CC_OP_ADDQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_ADCB ... CC_OP_ADCQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_SUBB ... CC_OP_SUBQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRCT,
    [CC_OP_SBBB ... CC_OP_SBBQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_LOGICB ... CC_OP_LOGICQ] = USES_CC_DST,
    [CC_OP_INCB ... CC_OP_INCQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_DECB ... CC_OP_DECQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_SHLB ... CC_OP_SHLQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_SARB ... CC_OP_SARQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_BMILGB ... CC_OP_BMILGQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_ADCX] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_ADOX] = USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_ADCOX] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_CLR] = 0,
    [CC_OP_POPCNT] = USES_CC_SRC,
};

static void set_cc_op(DisasContext *s, CCOp op)
{
    int dead;

    if (s->cc_op == op) {
        return;
    }

    /* Discard CC computation that will no longer be used.  */
    dead = cc_op_live[s->cc_op] & ~cc_op_live[op];
    if (dead & USES_CC_DST) {
        tcg_gen_discard_tl(cpu_cc_dst);
    }
    if (dead & USES_CC_SRC) {
        tcg_gen_discard_tl(cpu_cc_src);
    }
    if (dead & USES_CC_SRC2) {
        tcg_gen_discard_tl(cpu_cc_src2);
    }
    if (dead & USES_CC_SRCT) {
        tcg_gen_discard_tl(s->cc_srcT);
    }

    if (op == CC_OP_DYNAMIC) {
        /* The DYNAMIC setting is translator only, and should never be
           stored.  Thus we always consider it clean.  */
        s->cc_op_dirty = false;
    } else {
        /* Discard any computed CC_OP value (see shifts).  */
        if (s->cc_op == CC_OP_DYNAMIC) {
            tcg_gen_discard_i32(cpu_cc_op);
        }
        s->cc_op_dirty = true;
    }
    s->cc_op = op;
}
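
/*
 * Illustration (not part of the original source): a CMP instruction
 * leaves s->cc_op at CC_OP_SUBB + ot, which keeps cc_dst, cc_src and
 * cc_srcT live.  If the next instruction is a logic op, set_cc_op()
 * switches to CC_OP_LOGICB + ot, whose live set is only USES_CC_DST,
 * so cc_src and cc_srcT are discarded and TCG can drop the dead
 * computations that produced them.
 */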

static void gen_update_cc_op(DisasContext *s)
{
    if (s->cc_op_dirty) {
        tcg_gen_movi_i32(cpu_cc_op, s->cc_op);
        s->cc_op_dirty = false;
    }
}

#ifdef TARGET_X86_64

#define NB_OP_SIZES 4

#else /* !TARGET_X86_64 */

#define NB_OP_SIZES 3

#endif /* !TARGET_X86_64 */

#if HOST_BIG_ENDIAN
#define REG_B_OFFSET (sizeof(target_ulong) - 1)
#define REG_H_OFFSET (sizeof(target_ulong) - 2)
#define REG_W_OFFSET (sizeof(target_ulong) - 2)
#define REG_L_OFFSET (sizeof(target_ulong) - 4)
#define REG_LH_OFFSET (sizeof(target_ulong) - 8)
#else
#define REG_B_OFFSET 0
#define REG_H_OFFSET 1
#define REG_W_OFFSET 0
#define REG_L_OFFSET 0
#define REG_LH_OFFSET 4
#endif

/* In instruction encodings for byte register accesses, the
 * register number usually means "low 8 bits of register N";
 * however, there are some special cases where N in 4..7 means
 * [AH, CH, DH, BH], i.e. "bits 15..8 of register N-4".  Return
 * true for this special case, false otherwise.
 */
static inline bool byte_reg_is_xH(DisasContext *s, int reg)
{
    /* Any time the REX prefix is present, byte registers are uniform */
    if (reg < 4 || REX_PREFIX(s)) {
        return false;
    }
    return true;
}
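
/*
 * Illustration (not part of the original source): without a REX
 * prefix, byte register number 4 encodes AH (bits 15..8 of EAX);
 * with any REX prefix present, the same number encodes SPL (the low
 * 8 bits of RSP), so byte_reg_is_xH() must return false.
 */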

/* Select the size of a push/pop operation.  */
static inline MemOp mo_pushpop(DisasContext *s, MemOp ot)
{
    if (CODE64(s)) {
        return ot == MO_16 ? MO_16 : MO_64;
    } else {
        return ot;
    }
}

/* Select the size of the stack pointer.  */
static inline MemOp mo_stacksize(DisasContext *s)
{
    return CODE64(s) ? MO_64 : SS32(s) ? MO_32 : MO_16;
}

/* Select only size 64 else 32.  Used for SSE operand sizes.  */
static inline MemOp mo_64_32(MemOp ot)
{
#ifdef TARGET_X86_64
    return ot == MO_64 ? MO_64 : MO_32;
#else
    return MO_32;
#endif
}

/* Select size 8 if lsb of B is clear, else OT.  Used for decoding
   byte vs word opcodes.  */
static inline MemOp mo_b_d(int b, MemOp ot)
{
    return b & 1 ? ot : MO_8;
}

/* Select size 8 if lsb of B is clear, else OT capped at 32.
   Used for decoding operand size of port opcodes.  */
static inline MemOp mo_b_d32(int b, MemOp ot)
{
    return b & 1 ? (ot == MO_16 ? MO_16 : MO_32) : MO_8;
}
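
/*
 * Illustration (not part of the original source): x86 commonly pairs
 * a byte opcode with a word/dword/qword neighbor that differs only in
 * bit 0, e.g. 0xE4 (IN AL, imm8) vs 0xE5 (IN eAX, imm8).  For 0xE4,
 * mo_b_d32() yields MO_8; for 0xE5 with a 32-bit operand size it
 * yields MO_32, and it never yields MO_64 because port I/O is capped
 * at 32 bits.
 */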

/* Compute the result of writing t0 to the OT-sized register REG.
 *
 * If DEST is NULL, store the result into the register and return the
 * register's TCGv.
 *
 * If DEST is not NULL, store the result into DEST and return the
 * register's TCGv.
 */
static TCGv gen_op_deposit_reg_v(DisasContext *s, MemOp ot, int reg, TCGv dest, TCGv t0)
{
    switch (ot) {
    case MO_8:
        if (byte_reg_is_xH(s, reg)) {
            dest = dest ? dest : cpu_regs[reg - 4];
            tcg_gen_deposit_tl(dest, cpu_regs[reg - 4], t0, 8, 8);
            return cpu_regs[reg - 4];
        }
        dest = dest ? dest : cpu_regs[reg];
        tcg_gen_deposit_tl(dest, cpu_regs[reg], t0, 0, 8);
        break;
    case MO_16:
        dest = dest ? dest : cpu_regs[reg];
        tcg_gen_deposit_tl(dest, cpu_regs[reg], t0, 0, 16);
        break;
    case MO_32:
        /* For x86_64, this sets the higher half of the register to zero.
           For i386, this is equivalent to a mov. */
        dest = dest ? dest : cpu_regs[reg];
        tcg_gen_ext32u_tl(dest, t0);
        break;
#ifdef TARGET_X86_64
    case MO_64:
        dest = dest ? dest : cpu_regs[reg];
        tcg_gen_mov_tl(dest, t0);
        break;
#endif
    default:
        g_assert_not_reached();
    }
    return cpu_regs[reg];
}
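
/*
 * Illustration (not part of the original source): a write to AH
 * (MO_8 with reg 4..7) deposits t0 into bits 8..15 of cpu_regs[reg - 4]
 * and leaves the rest of the register intact, while a 32-bit write
 * such as "mov eax, ..." zero-extends into the full 64-bit register,
 * matching the architectural behavior of 32-bit operations in long
 * mode.
 */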

static void gen_op_mov_reg_v(DisasContext *s, MemOp ot, int reg, TCGv t0)
{
    gen_op_deposit_reg_v(s, ot, reg, NULL, t0);
}

static inline
void gen_op_mov_v_reg(DisasContext *s, MemOp ot, TCGv t0, int reg)
{
    if (ot == MO_8 && byte_reg_is_xH(s, reg)) {
        tcg_gen_extract_tl(t0, cpu_regs[reg - 4], 8, 8);
    } else {
        tcg_gen_mov_tl(t0, cpu_regs[reg]);
    }
}

static void gen_add_A0_im(DisasContext *s, int val)
{
    tcg_gen_addi_tl(s->A0, s->A0, val);
    if (!CODE64(s)) {
        tcg_gen_ext32u_tl(s->A0, s->A0);
    }
}

static inline void gen_op_jmp_v(DisasContext *s, TCGv dest)
{
    tcg_gen_mov_tl(cpu_eip, dest);
    s->pc_save = -1;
}

static inline
void gen_op_add_reg_im(DisasContext *s, MemOp size, int reg, int32_t val)
{
    tcg_gen_addi_tl(s->tmp0, cpu_regs[reg], val);
    gen_op_mov_reg_v(s, size, reg, s->tmp0);
}

static inline void gen_op_add_reg(DisasContext *s, MemOp size, int reg, TCGv val)
{
    tcg_gen_add_tl(s->tmp0, cpu_regs[reg], val);
    gen_op_mov_reg_v(s, size, reg, s->tmp0);
}

static inline void gen_op_ld_v(DisasContext *s, int idx, TCGv t0, TCGv a0)
{
    tcg_gen_qemu_ld_tl(t0, a0, s->mem_index, idx | MO_LE);
}

static inline void gen_op_st_v(DisasContext *s, int idx, TCGv t0, TCGv a0)
{
    tcg_gen_qemu_st_tl(t0, a0, s->mem_index, idx | MO_LE);
}

static inline void gen_op_st_rm_T0_A0(DisasContext *s, int idx, int d)
{
    if (d == OR_TMP0) {
        gen_op_st_v(s, idx, s->T0, s->A0);
    } else {
        gen_op_mov_reg_v(s, idx, d, s->T0);
    }
}

static void gen_update_eip_cur(DisasContext *s)
{
    assert(s->pc_save != -1);
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        tcg_gen_addi_tl(cpu_eip, cpu_eip, s->base.pc_next - s->pc_save);
    } else if (CODE64(s)) {
        tcg_gen_movi_tl(cpu_eip, s->base.pc_next);
    } else {
        tcg_gen_movi_tl(cpu_eip, (uint32_t)(s->base.pc_next - s->cs_base));
    }
    s->pc_save = s->base.pc_next;
}

static void gen_update_eip_next(DisasContext *s)
{
    assert(s->pc_save != -1);
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        tcg_gen_addi_tl(cpu_eip, cpu_eip, s->pc - s->pc_save);
    } else if (CODE64(s)) {
        tcg_gen_movi_tl(cpu_eip, s->pc);
    } else {
        tcg_gen_movi_tl(cpu_eip, (uint32_t)(s->pc - s->cs_base));
    }
    s->pc_save = s->pc;
}
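
/*
 * Illustration (not part of the original source): s->pc_save records
 * the guest PC that cpu_eip was last synchronized to.  Under CF_PCREL
 * the translation block may run at any virtual address, so absolute
 * values must not be baked in; cpu_eip is instead adjusted by the
 * delta from the last synchronization point, which is why both
 * helpers above emit tcg_gen_addi_tl() rather than a movi in that
 * case.
 */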

static int cur_insn_len(DisasContext *s)
{
    return s->pc - s->base.pc_next;
}

static TCGv_i32 cur_insn_len_i32(DisasContext *s)
{
    return tcg_constant_i32(cur_insn_len(s));
}

static TCGv_i32 eip_next_i32(DisasContext *s)
{
    assert(s->pc_save != -1);
    /*
     * This function has two users: lcall_real (always 16-bit mode), and
     * iret_protected (16, 32, or 64-bit mode).  IRET only uses the value
     * when EFLAGS.NT is set, which is illegal in 64-bit mode, which is
     * why passing a 32-bit value isn't broken.  To avoid using this where
     * we shouldn't, return -1 in 64-bit mode so that execution goes into
     * the weeds quickly.
     */
    if (CODE64(s)) {
        return tcg_constant_i32(-1);
    }
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        TCGv_i32 ret = tcg_temp_new_i32();
        tcg_gen_trunc_tl_i32(ret, cpu_eip);
        tcg_gen_addi_i32(ret, ret, s->pc - s->pc_save);
        return ret;
    } else {
        return tcg_constant_i32(s->pc - s->cs_base);
    }
}

static TCGv eip_next_tl(DisasContext *s)
{
    assert(s->pc_save != -1);
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        TCGv ret = tcg_temp_new();
        tcg_gen_addi_tl(ret, cpu_eip, s->pc - s->pc_save);
        return ret;
    } else if (CODE64(s)) {
        return tcg_constant_tl(s->pc);
    } else {
        return tcg_constant_tl((uint32_t)(s->pc - s->cs_base));
    }
}

static TCGv eip_cur_tl(DisasContext *s)
{
    assert(s->pc_save != -1);
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        TCGv ret = tcg_temp_new();
        tcg_gen_addi_tl(ret, cpu_eip, s->base.pc_next - s->pc_save);
        return ret;
    } else if (CODE64(s)) {
        return tcg_constant_tl(s->base.pc_next);
    } else {
        return tcg_constant_tl((uint32_t)(s->base.pc_next - s->cs_base));
    }
}

/* Compute SEG:REG into DEST.  SEG is selected from the override segment
   (OVR_SEG) and the default segment (DEF_SEG).  OVR_SEG may be -1 to
   indicate no override.  */
static void gen_lea_v_seg_dest(DisasContext *s, MemOp aflag, TCGv dest, TCGv a0,
                               int def_seg, int ovr_seg)
{
    switch (aflag) {
#ifdef TARGET_X86_64
    case MO_64:
        if (ovr_seg < 0) {
            tcg_gen_mov_tl(dest, a0);
            return;
        }
        break;
#endif
    case MO_32:
        /* 32 bit address */
        if (ovr_seg < 0 && ADDSEG(s)) {
            ovr_seg = def_seg;
        }
        if (ovr_seg < 0) {
            tcg_gen_ext32u_tl(dest, a0);
            return;
        }
        break;
    case MO_16:
        /* 16 bit address */
        tcg_gen_ext16u_tl(dest, a0);
        a0 = dest;
        if (ovr_seg < 0) {
            if (ADDSEG(s)) {
                ovr_seg = def_seg;
            } else {
                return;
            }
        }
        break;
    default:
        g_assert_not_reached();
    }

    if (ovr_seg >= 0) {
        TCGv seg = cpu_seg_base[ovr_seg];

        if (aflag == MO_64) {
            tcg_gen_add_tl(dest, a0, seg);
        } else if (CODE64(s)) {
            tcg_gen_ext32u_tl(dest, a0);
            tcg_gen_add_tl(dest, dest, seg);
        } else {
            tcg_gen_add_tl(dest, a0, seg);
            tcg_gen_ext32u_tl(dest, dest);
        }
    }
}
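
/*
 * Illustration (not part of the original source): for a 16-bit access
 * through a DS override outside long mode, the sequence above computes
 * dest = ((a0 & 0xffff) + ds.base) & 0xffffffff, i.e. the offset is
 * truncated to the address size first, the segment base is added, and
 * the linear address is then wrapped to 32 bits.
 */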

static void gen_lea_v_seg(DisasContext *s, MemOp aflag, TCGv a0,
                          int def_seg, int ovr_seg)
{
    gen_lea_v_seg_dest(s, aflag, s->A0, a0, def_seg, ovr_seg);
}

static inline void gen_string_movl_A0_ESI(DisasContext *s)
{
    gen_lea_v_seg(s, s->aflag, cpu_regs[R_ESI], R_DS, s->override);
}

static inline void gen_string_movl_A0_EDI(DisasContext *s)
{
    gen_lea_v_seg(s, s->aflag, cpu_regs[R_EDI], R_ES, -1);
}

static inline TCGv gen_compute_Dshift(DisasContext *s, MemOp ot)
{
    TCGv dshift = tcg_temp_new();
    tcg_gen_ld32s_tl(dshift, tcg_env, offsetof(CPUX86State, df));
    tcg_gen_shli_tl(dshift, dshift, ot);
    return dshift;
}
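
/*
 * Illustration (not part of the original source): CPUX86State.df holds
 * the direction flag as +1 or -1, so shifting it left by ot yields the
 * signed per-iteration stride for string instructions, e.g. +4 or -4
 * for a 32-bit MOVS depending on EFLAGS.DF.
 */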

static TCGv gen_ext_tl(TCGv dst, TCGv src, MemOp size, bool sign)
{
    if (size == MO_TL) {
        return src;
    }
    if (!dst) {
        dst = tcg_temp_new();
    }
    tcg_gen_ext_tl(dst, src, size | (sign ? MO_SIGN : 0));
    return dst;
}

static void gen_extu(MemOp ot, TCGv reg)
{
    gen_ext_tl(reg, reg, ot, false);
}

static void gen_exts(MemOp ot, TCGv reg)
{
    gen_ext_tl(reg, reg, ot, true);
}

static void gen_op_j_ecx(DisasContext *s, TCGCond cond, TCGLabel *label1)
{
    TCGv tmp = gen_ext_tl(NULL, cpu_regs[R_ECX], s->aflag, false);

    tcg_gen_brcondi_tl(cond, tmp, 0, label1);
}

static inline void gen_op_jz_ecx(DisasContext *s, TCGLabel *label1)
{
    gen_op_j_ecx(s, TCG_COND_EQ, label1);
}

static inline void gen_op_jnz_ecx(DisasContext *s, TCGLabel *label1)
{
    gen_op_j_ecx(s, TCG_COND_NE, label1);
}

static void gen_helper_in_func(MemOp ot, TCGv v, TCGv_i32 n)
{
    switch (ot) {
    case MO_8:
        gen_helper_inb(v, tcg_env, n);
        break;
    case MO_16:
        gen_helper_inw(v, tcg_env, n);
        break;
    case MO_32:
        gen_helper_inl(v, tcg_env, n);
        break;
    default:
        g_assert_not_reached();
    }
}

static void gen_helper_out_func(MemOp ot, TCGv_i32 v, TCGv_i32 n)
{
    switch (ot) {
    case MO_8:
        gen_helper_outb(tcg_env, v, n);
        break;
    case MO_16:
        gen_helper_outw(tcg_env, v, n);
        break;
    case MO_32:
        gen_helper_outl(tcg_env, v, n);
        break;
    default:
        g_assert_not_reached();
    }
}

/*
 * Validate that access to [port, port + 1 << ot) is allowed.
 * Raise #GP, or trigger a VMM exit, if not.
 */
static bool gen_check_io(DisasContext *s, MemOp ot, TCGv_i32 port,
                         uint32_t svm_flags)
{
#ifdef CONFIG_USER_ONLY
    /*
     * We do not implement the ioperm(2) syscall, so the TSS check
     * will always fail.
     */
    gen_exception_gpf(s);
    return false;
#else
    if (PE(s) && (CPL(s) > IOPL(s) || VM86(s))) {
        gen_helper_check_io(tcg_env, port, tcg_constant_i32(1 << ot));
    }
    if (GUEST(s)) {
        gen_update_cc_op(s);
        gen_update_eip_cur(s);
        if (s->prefix & (PREFIX_REPZ | PREFIX_REPNZ)) {
            svm_flags |= SVM_IOIO_REP_MASK;
        }
        svm_flags |= 1 << (SVM_IOIO_SIZE_SHIFT + ot);
        gen_helper_svm_check_io(tcg_env, port,
                                tcg_constant_i32(svm_flags),
                                cur_insn_len_i32(s));
    }
    return true;
#endif
}

static void gen_movs(DisasContext *s, MemOp ot)
{
    TCGv dshift;

    gen_string_movl_A0_ESI(s);
    gen_op_ld_v(s, ot, s->T0, s->A0);
    gen_string_movl_A0_EDI(s);
    gen_op_st_v(s, ot, s->T0, s->A0);

    dshift = gen_compute_Dshift(s, ot);
    gen_op_add_reg(s, s->aflag, R_ESI, dshift);
    gen_op_add_reg(s, s->aflag, R_EDI, dshift);
}

static void gen_op_update1_cc(DisasContext *s)
{
    tcg_gen_mov_tl(cpu_cc_dst, s->T0);
}

static void gen_op_update2_cc(DisasContext *s)
{
    tcg_gen_mov_tl(cpu_cc_src, s->T1);
    tcg_gen_mov_tl(cpu_cc_dst, s->T0);
}

static void gen_op_update3_cc(DisasContext *s, TCGv reg)
{
    tcg_gen_mov_tl(cpu_cc_src2, reg);
    tcg_gen_mov_tl(cpu_cc_src, s->T1);
    tcg_gen_mov_tl(cpu_cc_dst, s->T0);
}

static inline void gen_op_testl_T0_T1_cc(DisasContext *s)
{
    tcg_gen_and_tl(cpu_cc_dst, s->T0, s->T1);
}

static void gen_op_update_neg_cc(DisasContext *s)
{
    tcg_gen_mov_tl(cpu_cc_dst, s->T0);
    tcg_gen_neg_tl(cpu_cc_src, s->T0);
    tcg_gen_movi_tl(s->cc_srcT, 0);
}

/* compute all eflags to reg */
static void gen_mov_eflags(DisasContext *s, TCGv reg)
{
    TCGv dst, src1, src2;
    TCGv_i32 cc_op;
    int live, dead;

    if (s->cc_op == CC_OP_EFLAGS) {
        tcg_gen_mov_tl(reg, cpu_cc_src);
        return;
    }
    if (s->cc_op == CC_OP_CLR) {
        tcg_gen_movi_tl(reg, CC_Z | CC_P);
        return;
    }

    dst = cpu_cc_dst;
    src1 = cpu_cc_src;
    src2 = cpu_cc_src2;

    /* Take care to not read values that are not live.  */
    live = cc_op_live[s->cc_op] & ~USES_CC_SRCT;
    dead = live ^ (USES_CC_DST | USES_CC_SRC | USES_CC_SRC2);
    if (dead) {
        TCGv zero = tcg_constant_tl(0);
        if (dead & USES_CC_DST) {
            dst = zero;
        }
        if (dead & USES_CC_SRC) {
            src1 = zero;
        }
        if (dead & USES_CC_SRC2) {
            src2 = zero;
        }
    }

    if (s->cc_op != CC_OP_DYNAMIC) {
        cc_op = tcg_constant_i32(s->cc_op);
    } else {
        cc_op = cpu_cc_op;
    }
    gen_helper_cc_compute_all(reg, dst, src1, src2, cc_op);
}

/* compute all eflags to cc_src */
static void gen_compute_eflags(DisasContext *s)
{
    gen_mov_eflags(s, cpu_cc_src);
    set_cc_op(s, CC_OP_EFLAGS);
}

typedef struct CCPrepare {
    TCGCond cond;
    TCGv reg;
    TCGv reg2;
    target_ulong imm;
    target_ulong mask;
    bool use_reg2;
    bool no_setcond;
} CCPrepare;
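
/*
 * Illustration (not part of the original source): a CCPrepare
 * describes a flag test without emitting it.  For example, with
 * CC_OP_EFLAGS, eflags.C is described as { .cond = TCG_COND_NE,
 * .reg = cpu_cc_src, .mask = CC_C }, i.e. "CC_SRC & CC_C != 0";
 * gen_setcc1() and gen_jcc1() later turn such a descriptor into a
 * setcond or brcond.
 */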

/* compute eflags.C to reg */
static CCPrepare gen_prepare_eflags_c(DisasContext *s, TCGv reg)
{
    TCGv t0, t1;
    int size, shift;

    switch (s->cc_op) {
    case CC_OP_SUBB ... CC_OP_SUBQ:
        /* (DATA_TYPE)CC_SRCT < (DATA_TYPE)CC_SRC */
        size = s->cc_op - CC_OP_SUBB;
        t1 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
        /* If no temporary was used, be careful not to alias t1 and t0.  */
        t0 = t1 == cpu_cc_src ? s->tmp0 : reg;
        tcg_gen_mov_tl(t0, s->cc_srcT);
        gen_extu(size, t0);
        goto add_sub;

    case CC_OP_ADDB ... CC_OP_ADDQ:
        /* (DATA_TYPE)CC_DST < (DATA_TYPE)CC_SRC */
        size = s->cc_op - CC_OP_ADDB;
        t1 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
        t0 = gen_ext_tl(reg, cpu_cc_dst, size, false);
    add_sub:
        return (CCPrepare) { .cond = TCG_COND_LTU, .reg = t0,
                             .reg2 = t1, .mask = -1, .use_reg2 = true };

    case CC_OP_LOGICB ... CC_OP_LOGICQ:
    case CC_OP_CLR:
    case CC_OP_POPCNT:
        return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };

    case CC_OP_INCB ... CC_OP_INCQ:
    case CC_OP_DECB ... CC_OP_DECQ:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = -1, .no_setcond = true };

    case CC_OP_SHLB ... CC_OP_SHLQ:
        /* (CC_SRC >> (DATA_BITS - 1)) & 1 */
        size = s->cc_op - CC_OP_SHLB;
        shift = (8 << size) - 1;
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = (target_ulong)1 << shift };

    case CC_OP_MULB ... CC_OP_MULQ:
        return (CCPrepare) { .cond = TCG_COND_NE,
                             .reg = cpu_cc_src, .mask = -1 };

    case CC_OP_BMILGB ... CC_OP_BMILGQ:
        size = s->cc_op - CC_OP_BMILGB;
        t0 = gen_ext_tl(reg, cpu_cc_src, size, false);
        return (CCPrepare) { .cond = TCG_COND_EQ, .reg = t0, .mask = -1 };

    case CC_OP_ADCX:
    case CC_OP_ADCOX:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_dst,
                             .mask = -1, .no_setcond = true };

    case CC_OP_EFLAGS:
    case CC_OP_SARB ... CC_OP_SARQ:
        /* CC_SRC & 1 */
        return (CCPrepare) { .cond = TCG_COND_NE,
                             .reg = cpu_cc_src, .mask = CC_C };

    default:
       /* The need to compute only C from CC_OP_DYNAMIC is important
          in efficiently implementing e.g. INC at the start of a TB.  */
       gen_update_cc_op(s);
       gen_helper_cc_compute_c(reg, cpu_cc_dst, cpu_cc_src,
                               cpu_cc_src2, cpu_cc_op);
       return (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
                            .mask = -1, .no_setcond = true };
    }
}

/* compute eflags.P to reg */
static CCPrepare gen_prepare_eflags_p(DisasContext *s, TCGv reg)
{
    gen_compute_eflags(s);
    return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                         .mask = CC_P };
}

/* compute eflags.S to reg */
static CCPrepare gen_prepare_eflags_s(DisasContext *s, TCGv reg)
{
    switch (s->cc_op) {
    case CC_OP_DYNAMIC:
        gen_compute_eflags(s);
        /* FALLTHRU */
    case CC_OP_EFLAGS:
    case CC_OP_ADCX:
    case CC_OP_ADOX:
    case CC_OP_ADCOX:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = CC_S };
    case CC_OP_CLR:
    case CC_OP_POPCNT:
        return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };
    default:
        {
            MemOp size = (s->cc_op - CC_OP_ADDB) & 3;
            TCGv t0 = gen_ext_tl(reg, cpu_cc_dst, size, true);
            return (CCPrepare) { .cond = TCG_COND_LT, .reg = t0, .mask = -1 };
        }
    }
}

/* compute eflags.O to reg */
static CCPrepare gen_prepare_eflags_o(DisasContext *s, TCGv reg)
{
    switch (s->cc_op) {
    case CC_OP_ADOX:
    case CC_OP_ADCOX:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src2,
                             .mask = -1, .no_setcond = true };
    case CC_OP_CLR:
    case CC_OP_POPCNT:
        return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };
    case CC_OP_MULB ... CC_OP_MULQ:
        return (CCPrepare) { .cond = TCG_COND_NE,
                             .reg = cpu_cc_src, .mask = -1 };
    default:
        gen_compute_eflags(s);
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = CC_O };
    }
}

/* compute eflags.Z to reg */
static CCPrepare gen_prepare_eflags_z(DisasContext *s, TCGv reg)
{
    switch (s->cc_op) {
    case CC_OP_DYNAMIC:
        gen_compute_eflags(s);
        /* FALLTHRU */
    case CC_OP_EFLAGS:
    case CC_OP_ADCX:
    case CC_OP_ADOX:
    case CC_OP_ADCOX:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = CC_Z };
    case CC_OP_CLR:
        return (CCPrepare) { .cond = TCG_COND_ALWAYS, .mask = -1 };
    case CC_OP_POPCNT:
        return (CCPrepare) { .cond = TCG_COND_EQ, .reg = cpu_cc_src,
                             .mask = -1 };
    default:
        {
            MemOp size = (s->cc_op - CC_OP_ADDB) & 3;
            TCGv t0 = gen_ext_tl(reg, cpu_cc_dst, size, false);
            return (CCPrepare) { .cond = TCG_COND_EQ, .reg = t0, .mask = -1 };
        }
    }
}

/* perform a conditional store into register 'reg' according to jump opcode
   value 'b'. In the fast case, T0 is guaranteed not to be used. */
static CCPrepare gen_prepare_cc(DisasContext *s, int b, TCGv reg)
{
    int inv, jcc_op, cond;
    MemOp size;
    CCPrepare cc;
    TCGv t0;

    inv = b & 1;
    jcc_op = (b >> 1) & 7;

    switch (s->cc_op) {
    case CC_OP_SUBB ... CC_OP_SUBQ:
        /* We optimize relational operators for the cmp/jcc case.  */
        size = s->cc_op - CC_OP_SUBB;
        switch (jcc_op) {
        case JCC_BE:
            tcg_gen_mov_tl(s->tmp4, s->cc_srcT);
            gen_extu(size, s->tmp4);
            t0 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
            cc = (CCPrepare) { .cond = TCG_COND_LEU, .reg = s->tmp4,
                               .reg2 = t0, .mask = -1, .use_reg2 = true };
            break;

        case JCC_L:
            cond = TCG_COND_LT;
            goto fast_jcc_l;
        case JCC_LE:
            cond = TCG_COND_LE;
        fast_jcc_l:
            tcg_gen_mov_tl(s->tmp4, s->cc_srcT);
            gen_exts(size, s->tmp4);
            t0 = gen_ext_tl(s->tmp0, cpu_cc_src, size, true);
            cc = (CCPrepare) { .cond = cond, .reg = s->tmp4,
                               .reg2 = t0, .mask = -1, .use_reg2 = true };
            break;

        default:
            goto slow_jcc;
        }
        break;

    default:
    slow_jcc:
        /* This actually generates good code for JC, JZ and JS.  */
        switch (jcc_op) {
        case JCC_O:
            cc = gen_prepare_eflags_o(s, reg);
            break;
        case JCC_B:
            cc = gen_prepare_eflags_c(s, reg);
            break;
        case JCC_Z:
            cc = gen_prepare_eflags_z(s, reg);
            break;
        case JCC_BE:
            gen_compute_eflags(s);
            cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                               .mask = CC_Z | CC_C };
            break;
        case JCC_S:
            cc = gen_prepare_eflags_s(s, reg);
            break;
        case JCC_P:
            cc = gen_prepare_eflags_p(s, reg);
            break;
        case JCC_L:
            gen_compute_eflags(s);
            if (reg == cpu_cc_src) {
                reg = s->tmp0;
            }
            tcg_gen_addi_tl(reg, cpu_cc_src, CC_O - CC_S);
            cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
                               .mask = CC_O };
            break;
        default:
        case JCC_LE:
            gen_compute_eflags(s);
            if (reg == cpu_cc_src) {
                reg = s->tmp0;
            }
            tcg_gen_addi_tl(reg, cpu_cc_src, CC_O - CC_S);
            cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
                               .mask = CC_O | CC_Z };
            break;
        }
        break;
    }

    if (inv) {
        cc.cond = tcg_invert_cond(cc.cond);
    }
    return cc;
}

static void gen_setcc1(DisasContext *s, int b, TCGv reg)
{
    CCPrepare cc = gen_prepare_cc(s, b, reg);

    if (cc.no_setcond) {
        if (cc.cond == TCG_COND_EQ) {
            tcg_gen_xori_tl(reg, cc.reg, 1);
        } else {
            tcg_gen_mov_tl(reg, cc.reg);
        }
        return;
    }

    if (cc.cond == TCG_COND_NE && !cc.use_reg2 && cc.imm == 0 &&
        cc.mask != 0 && (cc.mask & (cc.mask - 1)) == 0) {
        tcg_gen_shri_tl(reg, cc.reg, ctztl(cc.mask));
        tcg_gen_andi_tl(reg, reg, 1);
        return;
    }
    if (cc.mask != -1) {
        tcg_gen_andi_tl(reg, cc.reg, cc.mask);
        cc.reg = reg;
    }
    if (cc.use_reg2) {
        tcg_gen_setcond_tl(cc.cond, reg, cc.reg, cc.reg2);
    } else {
        tcg_gen_setcondi_tl(cc.cond, reg, cc.reg, cc.imm);
    }
}

static inline void gen_compute_eflags_c(DisasContext *s, TCGv reg)
{
    gen_setcc1(s, JCC_B << 1, reg);
}

/* generate a conditional jump to label 'l1' according to jump opcode
   value 'b'. In the fast case, T0 is guaranteed not to be used. */
static inline void gen_jcc1_noeob(DisasContext *s, int b, TCGLabel *l1)
{
    CCPrepare cc = gen_prepare_cc(s, b, s->T0);

    if (cc.mask != -1) {
        tcg_gen_andi_tl(s->T0, cc.reg, cc.mask);
        cc.reg = s->T0;
    }
    if (cc.use_reg2) {
        tcg_gen_brcond_tl(cc.cond, cc.reg, cc.reg2, l1);
    } else {
        tcg_gen_brcondi_tl(cc.cond, cc.reg, cc.imm, l1);
    }
}

/* Generate a conditional jump to label 'l1' according to jump opcode
   value 'b'. In the fast case, T0 is guaranteed not to be used.
   A translation block must end soon.  */
static inline void gen_jcc1(DisasContext *s, int b, TCGLabel *l1)
{
    CCPrepare cc = gen_prepare_cc(s, b, s->T0);

    gen_update_cc_op(s);
    if (cc.mask != -1) {
        tcg_gen_andi_tl(s->T0, cc.reg, cc.mask);
        cc.reg = s->T0;
    }
    set_cc_op(s, CC_OP_DYNAMIC);
    if (cc.use_reg2) {
        tcg_gen_brcond_tl(cc.cond, cc.reg, cc.reg2, l1);
    } else {
        tcg_gen_brcondi_tl(cc.cond, cc.reg, cc.imm, l1);
    }
}

/* XXX: does not work with gdbstub "ice" single step - not a
   serious problem */
static TCGLabel *gen_jz_ecx_string(DisasContext *s)
{
    TCGLabel *l1 = gen_new_label();
    TCGLabel *l2 = gen_new_label();
    gen_op_jnz_ecx(s, l1);
    gen_set_label(l2);
    gen_jmp_rel_csize(s, 0, 1);
    gen_set_label(l1);
    return l2;
}

static void gen_stos(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_EDI(s);
    gen_op_st_v(s, ot, s->T0, s->A0);
    gen_op_add_reg(s, s->aflag, R_EDI, gen_compute_Dshift(s, ot));
}

static void gen_lods(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_ESI(s);
    gen_op_ld_v(s, ot, s->T0, s->A0);
    gen_op_mov_reg_v(s, ot, R_EAX, s->T0);
    gen_op_add_reg(s, s->aflag, R_ESI, gen_compute_Dshift(s, ot));
}

static void gen_scas(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_EDI(s);
    gen_op_ld_v(s, ot, s->T1, s->A0);
    tcg_gen_mov_tl(cpu_cc_src, s->T1);
    tcg_gen_mov_tl(s->cc_srcT, s->T0);
    tcg_gen_sub_tl(cpu_cc_dst, s->T0, s->T1);
    set_cc_op(s, CC_OP_SUBB + ot);

    gen_op_add_reg(s, s->aflag, R_EDI, gen_compute_Dshift(s, ot));
}

static void gen_cmps(DisasContext *s, MemOp ot)
{
    TCGv dshift;

    gen_string_movl_A0_EDI(s);
    gen_op_ld_v(s, ot, s->T1, s->A0);
    gen_string_movl_A0_ESI(s);
    gen_op(s, OP_CMPL, ot, OR_TMP0);

    dshift = gen_compute_Dshift(s, ot);
    gen_op_add_reg(s, s->aflag, R_ESI, dshift);
    gen_op_add_reg(s, s->aflag, R_EDI, dshift);
}

static void gen_bpt_io(DisasContext *s, TCGv_i32 t_port, int ot)
{
    if (s->flags & HF_IOBPT_MASK) {
#ifdef CONFIG_USER_ONLY
        /* user-mode cpu should not be in IOBPT mode */
        g_assert_not_reached();
#else
        TCGv_i32 t_size = tcg_constant_i32(1 << ot);
        TCGv t_next = eip_next_tl(s);
        gen_helper_bpt_io(tcg_env, t_port, t_size, t_next);
#endif /* CONFIG_USER_ONLY */
    }
}

static void gen_ins(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_EDI(s);
    /* Note: we must do this dummy write first to be restartable in
       case of page fault. */
    tcg_gen_movi_tl(s->T0, 0);
    gen_op_st_v(s, ot, s->T0, s->A0);
    tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
    tcg_gen_andi_i32(s->tmp2_i32, s->tmp2_i32, 0xffff);
    gen_helper_in_func(ot, s->T0, s->tmp2_i32);
    gen_op_st_v(s, ot, s->T0, s->A0);
    gen_op_add_reg(s, s->aflag, R_EDI, gen_compute_Dshift(s, ot));
    gen_bpt_io(s, s->tmp2_i32, ot);
}

static void gen_outs(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_ESI(s);
    gen_op_ld_v(s, ot, s->T0, s->A0);

    tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
    tcg_gen_andi_i32(s->tmp2_i32, s->tmp2_i32, 0xffff);
    tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T0);
    gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
    gen_op_add_reg(s, s->aflag, R_ESI, gen_compute_Dshift(s, ot));
    gen_bpt_io(s, s->tmp2_i32, ot);
}

/* Generate jumps to current or next instruction */
static void gen_repz(DisasContext *s, MemOp ot,
                     void (*fn)(DisasContext *s, MemOp ot))
{
    TCGLabel *l2;
    gen_update_cc_op(s);
    l2 = gen_jz_ecx_string(s);
    fn(s, ot);
    gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
    /*
     * A loop would cause two single step exceptions if ECX = 1
     * before rep string_insn
     */
    if (s->repz_opt) {
        gen_op_jz_ecx(s, l2);
    }
    gen_jmp_rel_csize(s, -cur_insn_len(s), 0);
}

#define GEN_REPZ(op) \
    static inline void gen_repz_ ## op(DisasContext *s, MemOp ot) \
    { gen_repz(s, ot, gen_##op); }

static void gen_repz2(DisasContext *s, MemOp ot, int nz,
                      void (*fn)(DisasContext *s, MemOp ot))
{
    TCGLabel *l2;
    gen_update_cc_op(s);
    l2 = gen_jz_ecx_string(s);
    fn(s, ot);
    gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
    gen_update_cc_op(s);
    gen_jcc1(s, (JCC_Z << 1) | (nz ^ 1), l2);
    if (s->repz_opt) {
        gen_op_jz_ecx(s, l2);
    }
    gen_jmp_rel_csize(s, -cur_insn_len(s), 0);
}

#define GEN_REPZ2(op) \
    static inline void gen_repz_ ## op(DisasContext *s, MemOp ot, int nz) \
    { gen_repz2(s, ot, nz, gen_##op); }

GEN_REPZ(movs)
GEN_REPZ(stos)
GEN_REPZ(lods)
GEN_REPZ(ins)
GEN_REPZ(outs)
GEN_REPZ2(scas)
GEN_REPZ2(cmps)
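
/*
 * Illustration (not part of the original source): GEN_REPZ(movs)
 * expands to
 *
 *     static inline void gen_repz_movs(DisasContext *s, MemOp ot)
 *     { gen_repz(s, ot, gen_movs); }
 *
 * The GEN_REPZ2 variants take an extra NZ argument because SCAS and
 * CMPS also terminate on the ZF test selected by the REPZ/REPNZ
 * prefix, not just on ECX reaching zero.
 */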

static void gen_helper_fp_arith_ST0_FT0(int op)
{
    switch (op) {
    case 0:
        gen_helper_fadd_ST0_FT0(tcg_env);
        break;
    case 1:
        gen_helper_fmul_ST0_FT0(tcg_env);
        break;
    case 2:
        gen_helper_fcom_ST0_FT0(tcg_env);
        break;
    case 3:
        gen_helper_fcom_ST0_FT0(tcg_env);
        break;
    case 4:
        gen_helper_fsub_ST0_FT0(tcg_env);
        break;
    case 5:
        gen_helper_fsubr_ST0_FT0(tcg_env);
        break;
    case 6:
        gen_helper_fdiv_ST0_FT0(tcg_env);
        break;
    case 7:
        gen_helper_fdivr_ST0_FT0(tcg_env);
        break;
    }
}
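
/*
 * Note (not part of the original source): ops 2 and 3 correspond to
 * FCOM and FCOMP, which share the same compare helper here; the stack
 * pop that distinguishes FCOMP is presumably emitted by the caller.
 */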

/* NOTE the exception in "r" op ordering: relative to the ST0_FT0
   helpers above, the fsub/fsubr and fdiv/fdivr pairs are swapped. */
static void gen_helper_fp_arith_STN_ST0(int op, int opreg)
{
    TCGv_i32 tmp = tcg_constant_i32(opreg);
    switch (op) {
    case 0:
        gen_helper_fadd_STN_ST0(tcg_env, tmp);
        break;
    case 1:
        gen_helper_fmul_STN_ST0(tcg_env, tmp);
        break;
    case 4:
        gen_helper_fsubr_STN_ST0(tcg_env, tmp);
        break;
    case 5:
        gen_helper_fsub_STN_ST0(tcg_env, tmp);
        break;
    case 6:
        gen_helper_fdivr_STN_ST0(tcg_env, tmp);
        break;
    case 7:
        gen_helper_fdiv_STN_ST0(tcg_env, tmp);
        break;
    }
}

static void gen_exception(DisasContext *s, int trapno)
{
    gen_update_cc_op(s);
    gen_update_eip_cur(s);
    gen_helper_raise_exception(tcg_env, tcg_constant_i32(trapno));
    s->base.is_jmp = DISAS_NORETURN;
}

/* Generate #UD for the current instruction.  The assumption here is that
   the instruction is known, but it isn't allowed in the current cpu mode.  */
static void gen_illegal_opcode(DisasContext *s)
{
    gen_exception(s, EXCP06_ILLOP);
}

/* Generate #GP for the current instruction. */
static void gen_exception_gpf(DisasContext *s)
{
    gen_exception(s, EXCP0D_GPF);
}

/* Check for cpl == 0; if not, raise #GP and return false. */
static bool check_cpl0(DisasContext *s)
{
    if (CPL(s) == 0) {
        return true;
    }
    gen_exception_gpf(s);
    return false;
}

/* If vm86, check for iopl == 3; if not, raise #GP and return false. */
static bool check_vm86_iopl(DisasContext *s)
{
    if (!VM86(s) || IOPL(s) == 3) {
        return true;
    }
    gen_exception_gpf(s);
    return false;
}

/* Check for iopl allowing access; if not, raise #GP and return false. */
static bool check_iopl(DisasContext *s)
{
    if (VM86(s) ? IOPL(s) == 3 : CPL(s) <= IOPL(s)) {
        return true;
    }
    gen_exception_gpf(s);
    return false;
}

/* if d == OR_TMP0, it means memory operand (address in A0) */
static void gen_op(DisasContext *s1, int op, MemOp ot, int d)
{
    /* The lock prefix is invalid when the destination is not memory,
       and is never valid for OP_CMPL. */
    if ((d != OR_TMP0 || op == OP_CMPL) && s1->prefix & PREFIX_LOCK) {
        gen_illegal_opcode(s1);
        return;
    }

    if (d != OR_TMP0) {
        gen_op_mov_v_reg(s1, ot, s1->T0, d);
    } else if (!(s1->prefix & PREFIX_LOCK)) {
        gen_op_ld_v(s1, ot, s1->T0, s1->A0);
    }
    switch (op) {
    case OP_ADCL:
        gen_compute_eflags_c(s1, s1->tmp4);
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_add_tl(s1->T0, s1->tmp4, s1->T1);
            tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_add_tl(s1->T0, s1->T0, s1->T1);
            tcg_gen_add_tl(s1->T0, s1->T0, s1->tmp4);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update3_cc(s1, s1->tmp4);
        set_cc_op(s1, CC_OP_ADCB + ot);
        break;
    case OP_SBBL:
        gen_compute_eflags_c(s1, s1->tmp4);
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_add_tl(s1->T0, s1->T1, s1->tmp4);
            tcg_gen_neg_tl(s1->T0, s1->T0);
            tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1);
            tcg_gen_sub_tl(s1->T0, s1->T0, s1->tmp4);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update3_cc(s1, s1->tmp4);
        set_cc_op(s1, CC_OP_SBBB + ot);
        break;
    case OP_ADDL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T1,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_add_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update2_cc(s1);
        set_cc_op(s1, CC_OP_ADDB + ot);
        break;
    case OP_SUBL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_neg_tl(s1->T0, s1->T1);
            tcg_gen_atomic_fetch_add_tl(s1->cc_srcT, s1->A0, s1->T0,
                                        s1->mem_index, ot | MO_LE);
            tcg_gen_sub_tl(s1->T0, s1->cc_srcT, s1->T1);
        } else {
            tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
            tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update2_cc(s1);
        set_cc_op(s1, CC_OP_SUBB + ot);
        break;
    default:
    case OP_ANDL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_atomic_and_fetch_tl(s1->T0, s1->A0, s1->T1,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_and_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update1_cc(s1);
        set_cc_op(s1, CC_OP_LOGICB + ot);
        break;
    case OP_ORL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_atomic_or_fetch_tl(s1->T0, s1->A0, s1->T1,
                                       s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_or_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update1_cc(s1);
        set_cc_op(s1, CC_OP_LOGICB + ot);
        break;
    case OP_XORL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_atomic_xor_fetch_tl(s1->T0, s1->A0, s1->T1,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_xor_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update1_cc(s1);
        set_cc_op(s1, CC_OP_LOGICB + ot);
        break;
    case OP_CMPL:
        tcg_gen_mov_tl(cpu_cc_src, s1->T1);
        tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
        tcg_gen_sub_tl(cpu_cc_dst, s1->T0, s1->T1);
        set_cc_op(s1, CC_OP_SUBB + ot);
        break;
    }
}

/* if d == OR_TMP0, it means memory operand (address in A0) */
static void gen_inc(DisasContext *s1, MemOp ot, int d, int c)
{
    if (s1->prefix & PREFIX_LOCK) {
        if (d != OR_TMP0) {
            /* Lock prefix when destination is not memory */
            gen_illegal_opcode(s1);
            return;
        }
        tcg_gen_movi_tl(s1->T0, c > 0 ? 1 : -1);
        tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
                                    s1->mem_index, ot | MO_LE);
    } else {
        if (d != OR_TMP0) {
            gen_op_mov_v_reg(s1, ot, s1->T0, d);
        } else {
            gen_op_ld_v(s1, ot, s1->T0, s1->A0);
        }
        tcg_gen_addi_tl(s1->T0, s1->T0, (c > 0 ? 1 : -1));
        gen_op_st_rm_T0_A0(s1, ot, d);
    }

    gen_compute_eflags_c(s1, cpu_cc_src);
    tcg_gen_mov_tl(cpu_cc_dst, s1->T0);
    set_cc_op(s1, (c > 0 ? CC_OP_INCB : CC_OP_DECB) + ot);
}

static void gen_shift_flags(DisasContext *s, MemOp ot, TCGv result,
                            TCGv shm1, TCGv count, bool is_right)
{
    TCGv_i32 z32, s32, oldop;
    TCGv z_tl;

    /* Store the results into the CC variables.  If we know that the
       variable must be dead, store unconditionally.  Otherwise we'll
       need to not disrupt the current contents.  */
    z_tl = tcg_constant_tl(0);
    if (cc_op_live[s->cc_op] & USES_CC_DST) {
        tcg_gen_movcond_tl(TCG_COND_NE, cpu_cc_dst, count, z_tl,
                           result, cpu_cc_dst);
    } else {
        tcg_gen_mov_tl(cpu_cc_dst, result);
    }
    if (cc_op_live[s->cc_op] & USES_CC_SRC) {
        tcg_gen_movcond_tl(TCG_COND_NE, cpu_cc_src, count, z_tl,
                           shm1, cpu_cc_src);
    } else {
        tcg_gen_mov_tl(cpu_cc_src, shm1);
    }

    /* Get the two potential CC_OP values into temporaries.  */
    tcg_gen_movi_i32(s->tmp2_i32, (is_right ? CC_OP_SARB : CC_OP_SHLB) + ot);
    if (s->cc_op == CC_OP_DYNAMIC) {
        oldop = cpu_cc_op;
    } else {
        tcg_gen_movi_i32(s->tmp3_i32, s->cc_op);
        oldop = s->tmp3_i32;
    }

    /* Conditionally store the CC_OP value.  */
    z32 = tcg_constant_i32(0);
    s32 = tcg_temp_new_i32();
    tcg_gen_trunc_tl_i32(s32, count);
    tcg_gen_movcond_i32(TCG_COND_NE, cpu_cc_op, s32, z32, s->tmp2_i32, oldop);

    /* The CC_OP value is no longer predictable.  */
    set_cc_op(s, CC_OP_DYNAMIC);
}

static void gen_shift_rm_T1(DisasContext *s, MemOp ot, int op1,
                            int is_right, int is_arith)
{
    target_ulong mask = (ot == MO_64 ? 0x3f : 0x1f);

    /* load */
    if (op1 == OR_TMP0) {
        gen_op_ld_v(s, ot, s->T0, s->A0);
    } else {
        gen_op_mov_v_reg(s, ot, s->T0, op1);
    }

    tcg_gen_andi_tl(s->T1, s->T1, mask);
    tcg_gen_subi_tl(s->tmp0, s->T1, 1);

    if (is_right) {
        if (is_arith) {
            gen_exts(ot, s->T0);
            tcg_gen_sar_tl(s->tmp0, s->T0, s->tmp0);
            tcg_gen_sar_tl(s->T0, s->T0, s->T1);
        } else {
            gen_extu(ot, s->T0);
            tcg_gen_shr_tl(s->tmp0, s->T0, s->tmp0);
            tcg_gen_shr_tl(s->T0, s->T0, s->T1);
        }
    } else {
        tcg_gen_shl_tl(s->tmp0, s->T0, s->tmp0);
        tcg_gen_shl_tl(s->T0, s->T0, s->T1);
    }

    /* store */
    gen_op_st_rm_T0_A0(s, ot, op1);

    gen_shift_flags(s, ot, s->T0, s->tmp0, s->T1, is_right);
}

static void gen_shift_rm_im(DisasContext *s, MemOp ot, int op1, int op2,
                            int is_right, int is_arith)
{
    int mask = (ot == MO_64 ? 0x3f : 0x1f);

    /* load */
1731     if (op1 == OR_TMP0)
1732         gen_op_ld_v(s, ot, s->T0, s->A0);
1733     else
1734         gen_op_mov_v_reg(s, ot, s->T0, op1);
1735 
1736     op2 &= mask;
1737     if (op2 != 0) {
1738         if (is_right) {
1739             if (is_arith) {
1740                 gen_exts(ot, s->T0);
1741                 tcg_gen_sari_tl(s->tmp4, s->T0, op2 - 1);
1742                 tcg_gen_sari_tl(s->T0, s->T0, op2);
1743             } else {
1744                 gen_extu(ot, s->T0);
1745                 tcg_gen_shri_tl(s->tmp4, s->T0, op2 - 1);
1746                 tcg_gen_shri_tl(s->T0, s->T0, op2);
1747             }
1748         } else {
1749             tcg_gen_shli_tl(s->tmp4, s->T0, op2 - 1);
1750             tcg_gen_shli_tl(s->T0, s->T0, op2);
1751         }
1752     }
1753 
1754     /* store */
1755     gen_op_st_rm_T0_A0(s, ot, op1);
1756 
1757     /* update eflags if non zero shift */
1758     if (op2 != 0) {
1759         tcg_gen_mov_tl(cpu_cc_src, s->tmp4);
1760         tcg_gen_mov_tl(cpu_cc_dst, s->T0);
1761         set_cc_op(s, (is_right ? CC_OP_SARB : CC_OP_SHLB) + ot);
1762     }
1763 }
1764 
1765 static void gen_rot_rm_T1(DisasContext *s, MemOp ot, int op1, int is_right)
1766 {
1767     target_ulong mask = (ot == MO_64 ? 0x3f : 0x1f);
1768     TCGv_i32 t0, t1;
1769 
1770     /* load */
1771     if (op1 == OR_TMP0) {
1772         gen_op_ld_v(s, ot, s->T0, s->A0);
1773     } else {
1774         gen_op_mov_v_reg(s, ot, s->T0, op1);
1775     }
1776 
1777     tcg_gen_andi_tl(s->T1, s->T1, mask);
1778 
1779     switch (ot) {
1780     case MO_8:
1781         /* Replicate the 8-bit input so that a 32-bit rotate works.  */
1782         tcg_gen_ext8u_tl(s->T0, s->T0);
1783         tcg_gen_muli_tl(s->T0, s->T0, 0x01010101);
1784         goto do_long;
1785     case MO_16:
1786         /* Replicate the 16-bit input so that a 32-bit rotate works.  */
1787         tcg_gen_deposit_tl(s->T0, s->T0, s->T0, 16, 16);
1788         goto do_long;
1789     do_long:
1790 #ifdef TARGET_X86_64
1791     case MO_32:
1792         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
1793         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
1794         if (is_right) {
1795             tcg_gen_rotr_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
1796         } else {
1797             tcg_gen_rotl_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
1798         }
1799         tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
1800         break;
1801 #endif
1802     default:
1803         if (is_right) {
1804             tcg_gen_rotr_tl(s->T0, s->T0, s->T1);
1805         } else {
1806             tcg_gen_rotl_tl(s->T0, s->T0, s->T1);
1807         }
1808         break;
1809     }
1810 
1811     /* store */
1812     gen_op_st_rm_T0_A0(s, ot, op1);
1813 
1814     /* We'll need the flags computed into CC_SRC.  */
1815     gen_compute_eflags(s);
1816 
1817     /* The value that was "rotated out" is now present at the other end
1818        of the word.  Compute C into CC_DST and O into CC_SRC2.  Note that
1819        since we've computed the flags into CC_SRC, these variables are
1820        currently dead.  */
1821     if (is_right) {
1822         tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask - 1);
1823         tcg_gen_shri_tl(cpu_cc_dst, s->T0, mask);
1824         tcg_gen_andi_tl(cpu_cc_dst, cpu_cc_dst, 1);
1825     } else {
1826         tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask);
1827         tcg_gen_andi_tl(cpu_cc_dst, s->T0, 1);
1828     }
1829     tcg_gen_andi_tl(cpu_cc_src2, cpu_cc_src2, 1);
1830     tcg_gen_xor_tl(cpu_cc_src2, cpu_cc_src2, cpu_cc_dst);
1831 
1832     /* Now conditionally store the new CC_OP value.  If the shift count
1833        is 0 we keep the CC_OP_EFLAGS setting so that only CC_SRC is live.
1834        Otherwise reuse CC_OP_ADCOX, which has the C and O flags split out
1835        exactly as we computed above.  */
1836     t0 = tcg_constant_i32(0);
1837     t1 = tcg_temp_new_i32();
1838     tcg_gen_trunc_tl_i32(t1, s->T1);
1839     tcg_gen_movi_i32(s->tmp2_i32, CC_OP_ADCOX);
1840     tcg_gen_movi_i32(s->tmp3_i32, CC_OP_EFLAGS);
1841     tcg_gen_movcond_i32(TCG_COND_NE, cpu_cc_op, t1, t0,
1842                         s->tmp2_i32, s->tmp3_i32);
1843 
1844     /* The CC_OP value is no longer predictable.  */
1845     set_cc_op(s, CC_OP_DYNAMIC);
1846 }
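
/*
 * Worked example (illustrative only): after "roll %cl, %eax" (mask == 31),
 * the bit rotated out has wrapped around to bit 0, so the code above
 * effectively computes:
 *
 *   CF = result & 1;                  // into cpu_cc_dst
 *   OF = CF ^ (result >> 31);         // into cpu_cc_src2
 *
 * CC_OP_ADCOX keeps C in CC_DST and O in CC_SRC2 with the lazy flags in
 * CC_SRC, which matches this layout exactly.
 */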
1847 
1848 static void gen_rot_rm_im(DisasContext *s, MemOp ot, int op1, int op2,
1849                           int is_right)
1850 {
1851     int mask = (ot == MO_64 ? 0x3f : 0x1f);
1852     int shift;
1853 
1854     /* load */
1855     if (op1 == OR_TMP0) {
1856         gen_op_ld_v(s, ot, s->T0, s->A0);
1857     } else {
1858         gen_op_mov_v_reg(s, ot, s->T0, op1);
1859     }
1860 
1861     op2 &= mask;
1862     if (op2 != 0) {
1863         switch (ot) {
1864 #ifdef TARGET_X86_64
1865         case MO_32:
1866             tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
1867             if (is_right) {
1868                 tcg_gen_rotri_i32(s->tmp2_i32, s->tmp2_i32, op2);
1869             } else {
1870                 tcg_gen_rotli_i32(s->tmp2_i32, s->tmp2_i32, op2);
1871             }
1872             tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
1873             break;
1874 #endif
1875         default:
1876             if (is_right) {
1877                 tcg_gen_rotri_tl(s->T0, s->T0, op2);
1878             } else {
1879                 tcg_gen_rotli_tl(s->T0, s->T0, op2);
1880             }
1881             break;
1882         case MO_8:
1883             mask = 7;
1884             goto do_shifts;
1885         case MO_16:
1886             mask = 15;
1887         do_shifts:
1888             shift = op2 & mask;
1889             if (is_right) {
1890                 shift = mask + 1 - shift;
1891             }
1892             gen_extu(ot, s->T0);
1893             tcg_gen_shli_tl(s->tmp0, s->T0, shift);
1894             tcg_gen_shri_tl(s->T0, s->T0, mask + 1 - shift);
1895             tcg_gen_or_tl(s->T0, s->T0, s->tmp0);
1896             break;
1897         }
1898     }
1899 
1900     /* store */
1901     gen_op_st_rm_T0_A0(s, ot, op1);
1902 
1903     if (op2 != 0) {
1904         /* Compute the flags into CC_SRC.  */
1905         gen_compute_eflags(s);
1906 
1907         /* The value that was "rotated out" is now present at the other end
1908            of the word.  Compute C into CC_DST and O into CC_SRC2.  Note that
1909            since we've computed the flags into CC_SRC, these variables are
1910            currently dead.  */
1911         if (is_right) {
1912             tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask - 1);
1913             tcg_gen_shri_tl(cpu_cc_dst, s->T0, mask);
1914             tcg_gen_andi_tl(cpu_cc_dst, cpu_cc_dst, 1);
1915         } else {
1916             tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask);
1917             tcg_gen_andi_tl(cpu_cc_dst, s->T0, 1);
1918         }
1919         tcg_gen_andi_tl(cpu_cc_src2, cpu_cc_src2, 1);
1920         tcg_gen_xor_tl(cpu_cc_src2, cpu_cc_src2, cpu_cc_dst);
1921         set_cc_op(s, CC_OP_ADCOX);
1922     }
1923 }
1924 
1925 /* XXX: add faster immediate = 1 case */
1926 static void gen_rotc_rm_T1(DisasContext *s, MemOp ot, int op1,
1927                            int is_right)
1928 {
1929     gen_compute_eflags(s);
1930     assert(s->cc_op == CC_OP_EFLAGS);
1931 
1932     /* load */
1933     if (op1 == OR_TMP0)
1934         gen_op_ld_v(s, ot, s->T0, s->A0);
1935     else
1936         gen_op_mov_v_reg(s, ot, s->T0, op1);
1937 
1938     if (is_right) {
1939         switch (ot) {
1940         case MO_8:
1941             gen_helper_rcrb(s->T0, tcg_env, s->T0, s->T1);
1942             break;
1943         case MO_16:
1944             gen_helper_rcrw(s->T0, tcg_env, s->T0, s->T1);
1945             break;
1946         case MO_32:
1947             gen_helper_rcrl(s->T0, tcg_env, s->T0, s->T1);
1948             break;
1949 #ifdef TARGET_X86_64
1950         case MO_64:
1951             gen_helper_rcrq(s->T0, tcg_env, s->T0, s->T1);
1952             break;
1953 #endif
1954         default:
1955             g_assert_not_reached();
1956         }
1957     } else {
1958         switch (ot) {
1959         case MO_8:
1960             gen_helper_rclb(s->T0, tcg_env, s->T0, s->T1);
1961             break;
1962         case MO_16:
1963             gen_helper_rclw(s->T0, tcg_env, s->T0, s->T1);
1964             break;
1965         case MO_32:
1966             gen_helper_rcll(s->T0, tcg_env, s->T0, s->T1);
1967             break;
1968 #ifdef TARGET_X86_64
1969         case MO_64:
1970             gen_helper_rclq(s->T0, tcg_env, s->T0, s->T1);
1971             break;
1972 #endif
1973         default:
1974             g_assert_not_reached();
1975         }
1976     }
1977     /* store */
1978     gen_op_st_rm_T0_A0(s, ot, op1);
1979 }
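
/*
 * Note (illustrative, not from the original source): RCL/RCR rotate
 * through CF, i.e. a 9/17/33/65-bit rotate whose extra bit is the carry
 * flag.  That has no direct TCG equivalent, so out-of-line helpers are
 * used; they read and write CF in env, which is why the flags must be
 * fully materialized (CC_OP_EFLAGS) before the call.
 */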
1980 
1981 /* XXX: add faster immediate case */
1982 static void gen_shiftd_rm_T1(DisasContext *s, MemOp ot, int op1,
1983                              bool is_right, TCGv count_in)
1984 {
1985     target_ulong mask = (ot == MO_64 ? 63 : 31);
1986     TCGv count;
1987 
1988     /* load */
1989     if (op1 == OR_TMP0) {
1990         gen_op_ld_v(s, ot, s->T0, s->A0);
1991     } else {
1992         gen_op_mov_v_reg(s, ot, s->T0, op1);
1993     }
1994 
1995     count = tcg_temp_new();
1996     tcg_gen_andi_tl(count, count_in, mask);
1997 
1998     switch (ot) {
1999     case MO_16:
2000         /* Note: we implement the Intel behaviour for shift count > 16.
2001            This means "shrdw C, B, A" shifts A:B:A >> C.  Build the B:A
2002            portion by constructing it as a 32-bit value.  */
2003         if (is_right) {
2004             tcg_gen_deposit_tl(s->tmp0, s->T0, s->T1, 16, 16);
2005             tcg_gen_mov_tl(s->T1, s->T0);
2006             tcg_gen_mov_tl(s->T0, s->tmp0);
2007         } else {
2008             tcg_gen_deposit_tl(s->T1, s->T0, s->T1, 16, 16);
2009         }
2010         /*
2011          * If TARGET_X86_64 is defined, fall through into the MO_32 case;
2012          * otherwise fall through to the default case.
2013          */
2014     case MO_32:
2015 #ifdef TARGET_X86_64
2016         /* Concatenate the two 32-bit values and use a 64-bit shift.  */
2017         tcg_gen_subi_tl(s->tmp0, count, 1);
2018         if (is_right) {
2019             tcg_gen_concat_tl_i64(s->T0, s->T0, s->T1);
2020             tcg_gen_shr_i64(s->tmp0, s->T0, s->tmp0);
2021             tcg_gen_shr_i64(s->T0, s->T0, count);
2022         } else {
2023             tcg_gen_concat_tl_i64(s->T0, s->T1, s->T0);
2024             tcg_gen_shl_i64(s->tmp0, s->T0, s->tmp0);
2025             tcg_gen_shl_i64(s->T0, s->T0, count);
2026             tcg_gen_shri_i64(s->tmp0, s->tmp0, 32);
2027             tcg_gen_shri_i64(s->T0, s->T0, 32);
2028         }
2029         break;
2030 #endif
2031     default:
2032         tcg_gen_subi_tl(s->tmp0, count, 1);
2033         if (is_right) {
2034             tcg_gen_shr_tl(s->tmp0, s->T0, s->tmp0);
2035 
2036             tcg_gen_subfi_tl(s->tmp4, mask + 1, count);
2037             tcg_gen_shr_tl(s->T0, s->T0, count);
2038             tcg_gen_shl_tl(s->T1, s->T1, s->tmp4);
2039         } else {
2040             tcg_gen_shl_tl(s->tmp0, s->T0, s->tmp0);
2041             if (ot == MO_16) {
2042                 /* Only needed if count > 16, for Intel behaviour.  */
2043                 tcg_gen_subfi_tl(s->tmp4, 33, count);
2044                 tcg_gen_shr_tl(s->tmp4, s->T1, s->tmp4);
2045                 tcg_gen_or_tl(s->tmp0, s->tmp0, s->tmp4);
2046             }
2047 
2048             tcg_gen_subfi_tl(s->tmp4, mask + 1, count);
2049             tcg_gen_shl_tl(s->T0, s->T0, count);
2050             tcg_gen_shr_tl(s->T1, s->T1, s->tmp4);
2051         }
2052         tcg_gen_movi_tl(s->tmp4, 0);
2053         tcg_gen_movcond_tl(TCG_COND_EQ, s->T1, count, s->tmp4,
2054                            s->tmp4, s->T1);
2055         tcg_gen_or_tl(s->T0, s->T0, s->T1);
2056         break;
2057     }
2058 
2059     /* store */
2060     gen_op_st_rm_T0_A0(s, ot, op1);
2061 
2062     gen_shift_flags(s, ot, s->T0, s->tmp0, count, is_right);
2063 }
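
/*
 * Sketch (illustrative only): with TARGET_X86_64, a 32-bit
 * "shld %cl, %ebx, %eax" is handled by gluing both operands into one
 * 64-bit value, roughly:
 *
 *   t = ((uint64_t)eax << 32) | ebx;   // tcg_gen_concat_tl_i64
 *   t <<= count;
 *   eax = t >> 32;                     // high half is the result
 *
 * The extra shift by (count - 1) into tmp0 recovers the state one step
 * earlier, from which gen_shift_flags() derives CF.
 */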
2064 
2065 static void gen_shift(DisasContext *s1, int op, MemOp ot, int d, int s)
2066 {
2067     if (s != OR_TMP1)
2068         gen_op_mov_v_reg(s1, ot, s1->T1, s);
2069     switch(op) {
2070     case OP_ROL:
2071         gen_rot_rm_T1(s1, ot, d, 0);
2072         break;
2073     case OP_ROR:
2074         gen_rot_rm_T1(s1, ot, d, 1);
2075         break;
2076     case OP_SHL:
2077     case OP_SHL1:
2078         gen_shift_rm_T1(s1, ot, d, 0, 0);
2079         break;
2080     case OP_SHR:
2081         gen_shift_rm_T1(s1, ot, d, 1, 0);
2082         break;
2083     case OP_SAR:
2084         gen_shift_rm_T1(s1, ot, d, 1, 1);
2085         break;
2086     case OP_RCL:
2087         gen_rotc_rm_T1(s1, ot, d, 0);
2088         break;
2089     case OP_RCR:
2090         gen_rotc_rm_T1(s1, ot, d, 1);
2091         break;
2092     }
2093 }
2094 
2095 static void gen_shifti(DisasContext *s1, int op, MemOp ot, int d, int c)
2096 {
2097     switch(op) {
2098     case OP_ROL:
2099         gen_rot_rm_im(s1, ot, d, c, 0);
2100         break;
2101     case OP_ROR:
2102         gen_rot_rm_im(s1, ot, d, c, 1);
2103         break;
2104     case OP_SHL:
2105     case OP_SHL1:
2106         gen_shift_rm_im(s1, ot, d, c, 0, 0);
2107         break;
2108     case OP_SHR:
2109         gen_shift_rm_im(s1, ot, d, c, 1, 0);
2110         break;
2111     case OP_SAR:
2112         gen_shift_rm_im(s1, ot, d, c, 1, 1);
2113         break;
2114     default:
2115         /* currently not optimized */
2116         tcg_gen_movi_tl(s1->T1, c);
2117         gen_shift(s1, op, ot, d, OR_TMP1);
2118         break;
2119     }
2120 }
2121 
2122 #define X86_MAX_INSN_LENGTH 15
2123 
2124 static uint64_t advance_pc(CPUX86State *env, DisasContext *s, int num_bytes)
2125 {
2126     uint64_t pc = s->pc;
2127 
2128     /* This is a subsequent insn that crosses a page boundary.  */
2129     if (s->base.num_insns > 1 &&
2130         !is_same_page(&s->base, s->pc + num_bytes - 1)) {
2131         siglongjmp(s->jmpbuf, 2);
2132     }
2133 
2134     s->pc += num_bytes;
2135     if (unlikely(cur_insn_len(s) > X86_MAX_INSN_LENGTH)) {
2136         /* If the instruction's 16th byte is on a different page than the 1st, a
2137          * page fault on the second page wins over the general protection fault
2138          * caused by the instruction being too long.
2139          * This can happen even if the operand is only one byte long!
2140          */
2141         if (((s->pc - 1) ^ (pc - 1)) & TARGET_PAGE_MASK) {
2142             volatile uint8_t unused =
2143                 cpu_ldub_code(env, (s->pc - 1) & TARGET_PAGE_MASK);
2144             (void) unused;
2145         }
2146         siglongjmp(s->jmpbuf, 1);
2147     }
2148 
2149     return pc;
2150 }
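
/*
 * Example (illustrative only): if an instruction starts near the end of a
 * page and prefixes push it past 15 bytes, the byte exceeding the limit
 * may lie on the next page.  The dummy cpu_ldub_code() above touches that
 * page first, so a #PF there wins; only if the page is present does the
 * siglongjmp deliver the #GP for an over-long instruction.
 */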
2151 
2152 static inline uint8_t x86_ldub_code(CPUX86State *env, DisasContext *s)
2153 {
2154     return translator_ldub(env, &s->base, advance_pc(env, s, 1));
2155 }
2156 
2157 static inline int16_t x86_ldsw_code(CPUX86State *env, DisasContext *s)
2158 {
2159     return translator_lduw(env, &s->base, advance_pc(env, s, 2));
2160 }
2161 
2162 static inline uint16_t x86_lduw_code(CPUX86State *env, DisasContext *s)
2163 {
2164     return translator_lduw(env, &s->base, advance_pc(env, s, 2));
2165 }
2166 
2167 static inline uint32_t x86_ldl_code(CPUX86State *env, DisasContext *s)
2168 {
2169     return translator_ldl(env, &s->base, advance_pc(env, s, 4));
2170 }
2171 
2172 #ifdef TARGET_X86_64
2173 static inline uint64_t x86_ldq_code(CPUX86State *env, DisasContext *s)
2174 {
2175     return translator_ldq(env, &s->base, advance_pc(env, s, 8));
2176 }
2177 #endif
2178 
2179 /* Decompose an address.  */
2180 
2181 typedef struct AddressParts {
2182     int def_seg;
2183     int base;
2184     int index;
2185     int scale;
2186     target_long disp;
2187 } AddressParts;
2188 
2189 static AddressParts gen_lea_modrm_0(CPUX86State *env, DisasContext *s,
2190                                     int modrm)
2191 {
2192     int def_seg, base, index, scale, mod, rm;
2193     target_long disp;
2194     bool havesib;
2195 
2196     def_seg = R_DS;
2197     index = -1;
2198     scale = 0;
2199     disp = 0;
2200 
2201     mod = (modrm >> 6) & 3;
2202     rm = modrm & 7;
2203     base = rm | REX_B(s);
2204 
2205     if (mod == 3) {
2206         /* Normally filtered out earlier, but including this path
2207            simplifies multi-byte nop, as well as bndcl, bndcu, bndcn.  */
2208         goto done;
2209     }
2210 
2211     switch (s->aflag) {
2212     case MO_64:
2213     case MO_32:
2214         havesib = 0;
2215         if (rm == 4) {
2216             int code = x86_ldub_code(env, s);
2217             scale = (code >> 6) & 3;
2218             index = ((code >> 3) & 7) | REX_X(s);
2219             if (index == 4) {
2220                 index = -1;  /* no index */
2221             }
2222             base = (code & 7) | REX_B(s);
2223             havesib = 1;
2224         }
2225 
2226         switch (mod) {
2227         case 0:
2228             if ((base & 7) == 5) {
2229                 base = -1;
2230                 disp = (int32_t)x86_ldl_code(env, s);
2231                 if (CODE64(s) && !havesib) {
2232                     base = -2;
2233                     disp += s->pc + s->rip_offset;
2234                 }
2235             }
2236             break;
2237         case 1:
2238             disp = (int8_t)x86_ldub_code(env, s);
2239             break;
2240         default:
2241         case 2:
2242             disp = (int32_t)x86_ldl_code(env, s);
2243             break;
2244         }
2245 
2246         /* For correct popl handling with esp.  */
2247         if (base == R_ESP && s->popl_esp_hack) {
2248             disp += s->popl_esp_hack;
2249         }
2250         if (base == R_EBP || base == R_ESP) {
2251             def_seg = R_SS;
2252         }
2253         break;
2254 
2255     case MO_16:
2256         if (mod == 0) {
2257             if (rm == 6) {
2258                 base = -1;
2259                 disp = x86_lduw_code(env, s);
2260                 break;
2261             }
2262         } else if (mod == 1) {
2263             disp = (int8_t)x86_ldub_code(env, s);
2264         } else {
2265             disp = (int16_t)x86_lduw_code(env, s);
2266         }
2267 
2268         switch (rm) {
2269         case 0:
2270             base = R_EBX;
2271             index = R_ESI;
2272             break;
2273         case 1:
2274             base = R_EBX;
2275             index = R_EDI;
2276             break;
2277         case 2:
2278             base = R_EBP;
2279             index = R_ESI;
2280             def_seg = R_SS;
2281             break;
2282         case 3:
2283             base = R_EBP;
2284             index = R_EDI;
2285             def_seg = R_SS;
2286             break;
2287         case 4:
2288             base = R_ESI;
2289             break;
2290         case 5:
2291             base = R_EDI;
2292             break;
2293         case 6:
2294             base = R_EBP;
2295             def_seg = R_SS;
2296             break;
2297         default:
2298         case 7:
2299             base = R_EBX;
2300             break;
2301         }
2302         break;
2303 
2304     default:
2305         g_assert_not_reached();
2306     }
2307 
2308  done:
2309     return (AddressParts){ def_seg, base, index, scale, disp };
2310 }
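
/*
 * Worked example (illustrative only): in 32-bit addressing,
 * "mov 0x10(%eax,%ebx,4), %ecx" encodes modrm 0x4c, sib 0x98, disp8 0x10
 * and decomposes to:
 *
 *   (AddressParts) { .def_seg = R_DS, .base = R_EAX,
 *                    .index = R_EBX, .scale = 2, .disp = 0x10 }
 *
 * i.e. base + (index << scale) + disp in the default DS segment (SS when
 * the base is EBP or ESP).
 */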
2311 
2312 /* Compute the address, with a minimum number of TCG ops.  */
2313 static TCGv gen_lea_modrm_1(DisasContext *s, AddressParts a, bool is_vsib)
2314 {
2315     TCGv ea = NULL;
2316 
2317     if (a.index >= 0 && !is_vsib) {
2318         if (a.scale == 0) {
2319             ea = cpu_regs[a.index];
2320         } else {
2321             tcg_gen_shli_tl(s->A0, cpu_regs[a.index], a.scale);
2322             ea = s->A0;
2323         }
2324         if (a.base >= 0) {
2325             tcg_gen_add_tl(s->A0, ea, cpu_regs[a.base]);
2326             ea = s->A0;
2327         }
2328     } else if (a.base >= 0) {
2329         ea = cpu_regs[a.base];
2330     }
2331     if (!ea) {
2332         if (tb_cflags(s->base.tb) & CF_PCREL && a.base == -2) {
2333             /* With cpu_eip ~= pc_save, the expression is pc-relative. */
2334             tcg_gen_addi_tl(s->A0, cpu_eip, a.disp - s->pc_save);
2335         } else {
2336             tcg_gen_movi_tl(s->A0, a.disp);
2337         }
2338         ea = s->A0;
2339     } else if (a.disp != 0) {
2340         tcg_gen_addi_tl(s->A0, ea, a.disp);
2341         ea = s->A0;
2342     }
2343 
2344     return ea;
2345 }
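
/*
 * Note (illustrative, not from the original source): the returned TCGv may
 * alias a guest register rather than s->A0.  A plain "(%ebx)" operand
 * (base only, no index or displacement) costs zero TCG ops because
 * cpu_regs[R_EBX] itself is returned, so callers must treat the result as
 * read-only unless it is known to be s->A0.
 */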
2346 
2347 static void gen_lea_modrm(CPUX86State *env, DisasContext *s, int modrm)
2348 {
2349     AddressParts a = gen_lea_modrm_0(env, s, modrm);
2350     TCGv ea = gen_lea_modrm_1(s, a, false);
2351     gen_lea_v_seg(s, s->aflag, ea, a.def_seg, s->override);
2352 }
2353 
2354 static void gen_nop_modrm(CPUX86State *env, DisasContext *s, int modrm)
2355 {
2356     (void)gen_lea_modrm_0(env, s, modrm);
2357 }
2358 
2359 /* Used for BNDCL, BNDCU, BNDCN.  */
2360 static void gen_bndck(CPUX86State *env, DisasContext *s, int modrm,
2361                       TCGCond cond, TCGv_i64 bndv)
2362 {
2363     AddressParts a = gen_lea_modrm_0(env, s, modrm);
2364     TCGv ea = gen_lea_modrm_1(s, a, false);
2365 
2366     tcg_gen_extu_tl_i64(s->tmp1_i64, ea);
2367     if (!CODE64(s)) {
2368         tcg_gen_ext32u_i64(s->tmp1_i64, s->tmp1_i64);
2369     }
2370     tcg_gen_setcond_i64(cond, s->tmp1_i64, s->tmp1_i64, bndv);
2371     tcg_gen_extrl_i64_i32(s->tmp2_i32, s->tmp1_i64);
2372     gen_helper_bndck(tcg_env, s->tmp2_i32);
2373 }
2374 
2375 /* used for LEA and MOV AX, mem */
2376 static void gen_add_A0_ds_seg(DisasContext *s)
2377 {
2378     gen_lea_v_seg(s, s->aflag, s->A0, R_DS, s->override);
2379 }
2380 
2381 /* generate modrm memory load or store of 'reg'. TMP0 is used if reg ==
2382    OR_TMP0 */
2383 static void gen_ldst_modrm(CPUX86State *env, DisasContext *s, int modrm,
2384                            MemOp ot, int reg, int is_store)
2385 {
2386     int mod, rm;
2387 
2388     mod = (modrm >> 6) & 3;
2389     rm = (modrm & 7) | REX_B(s);
2390     if (mod == 3) {
2391         if (is_store) {
2392             if (reg != OR_TMP0)
2393                 gen_op_mov_v_reg(s, ot, s->T0, reg);
2394             gen_op_mov_reg_v(s, ot, rm, s->T0);
2395         } else {
2396             gen_op_mov_v_reg(s, ot, s->T0, rm);
2397             if (reg != OR_TMP0)
2398                 gen_op_mov_reg_v(s, ot, reg, s->T0);
2399         }
2400     } else {
2401         gen_lea_modrm(env, s, modrm);
2402         if (is_store) {
2403             if (reg != OR_TMP0)
2404                 gen_op_mov_v_reg(s, ot, s->T0, reg);
2405             gen_op_st_v(s, ot, s->T0, s->A0);
2406         } else {
2407             gen_op_ld_v(s, ot, s->T0, s->A0);
2408             if (reg != OR_TMP0)
2409                 gen_op_mov_reg_v(s, ot, reg, s->T0);
2410         }
2411     }
2412 }
2413 
2414 static target_ulong insn_get_addr(CPUX86State *env, DisasContext *s, MemOp ot)
2415 {
2416     target_ulong ret;
2417 
2418     switch (ot) {
2419     case MO_8:
2420         ret = x86_ldub_code(env, s);
2421         break;
2422     case MO_16:
2423         ret = x86_lduw_code(env, s);
2424         break;
2425     case MO_32:
2426         ret = x86_ldl_code(env, s);
2427         break;
2428 #ifdef TARGET_X86_64
2429     case MO_64:
2430         ret = x86_ldq_code(env, s);
2431         break;
2432 #endif
2433     default:
2434         g_assert_not_reached();
2435     }
2436     return ret;
2437 }
2438 
2439 static inline uint32_t insn_get(CPUX86State *env, DisasContext *s, MemOp ot)
2440 {
2441     uint32_t ret;
2442 
2443     switch (ot) {
2444     case MO_8:
2445         ret = x86_ldub_code(env, s);
2446         break;
2447     case MO_16:
2448         ret = x86_lduw_code(env, s);
2449         break;
2450     case MO_32:
2451 #ifdef TARGET_X86_64
2452     case MO_64:
2453 #endif
2454         ret = x86_ldl_code(env, s);
2455         break;
2456     default:
2457         g_assert_not_reached();
2458     }
2459     return ret;
2460 }
2461 
2462 static target_long insn_get_signed(CPUX86State *env, DisasContext *s, MemOp ot)
2463 {
2464     target_long ret;
2465 
2466     switch (ot) {
2467     case MO_8:
2468         ret = (int8_t) x86_ldub_code(env, s);
2469         break;
2470     case MO_16:
2471         ret = (int16_t) x86_lduw_code(env, s);
2472         break;
2473     case MO_32:
2474         ret = (int32_t) x86_ldl_code(env, s);
2475         break;
2476 #ifdef TARGET_X86_64
2477     case MO_64:
2478         ret = x86_ldq_code(env, s);
2479         break;
2480 #endif
2481     default:
2482         g_assert_not_reached();
2483     }
2484     return ret;
2485 }
2486 
2487 static inline int insn_const_size(MemOp ot)
2488 {
2489     if (ot <= MO_32) {
2490         return 1 << ot;
2491     } else {
2492         return 4;
2493     }
2494 }
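
/*
 * Example (illustrative only): immediates never exceed 4 bytes even at a
 * 64-bit operand size; "addq $imm, %rax" carries a 32-bit constant that
 * the CPU sign-extends, hence insn_const_size(MO_64) == 4 rather than 8.
 */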
2495 
2496 static void gen_jcc(DisasContext *s, int b, int diff)
2497 {
2498     TCGLabel *l1 = gen_new_label();
2499 
2500     gen_jcc1(s, b, l1);
2501     gen_jmp_rel_csize(s, 0, 1);
2502     gen_set_label(l1);
2503     gen_jmp_rel(s, s->dflag, diff, 0);
2504 }
2505 
2506 static void gen_cmovcc1(DisasContext *s, int b, TCGv dest, TCGv src)
2507 {
2508     CCPrepare cc = gen_prepare_cc(s, b, s->T1);
2509 
2510     if (cc.mask != -1) {
2511         TCGv t0 = tcg_temp_new();
2512         tcg_gen_andi_tl(t0, cc.reg, cc.mask);
2513         cc.reg = t0;
2514     }
2515     if (!cc.use_reg2) {
2516         cc.reg2 = tcg_constant_tl(cc.imm);
2517     }
2518 
2519     tcg_gen_movcond_tl(cc.cond, dest, cc.reg, cc.reg2, src, dest);
2520 }
2521 
2522 static inline void gen_op_movl_T0_seg(DisasContext *s, X86Seg seg_reg)
2523 {
2524     tcg_gen_ld32u_tl(s->T0, tcg_env,
2525                      offsetof(CPUX86State,segs[seg_reg].selector));
2526 }
2527 
2528 static inline void gen_op_movl_seg_T0_vm(DisasContext *s, X86Seg seg_reg)
2529 {
2530     tcg_gen_ext16u_tl(s->T0, s->T0);
2531     tcg_gen_st32_tl(s->T0, tcg_env,
2532                     offsetof(CPUX86State,segs[seg_reg].selector));
2533     tcg_gen_shli_tl(cpu_seg_base[seg_reg], s->T0, 4);
2534 }
2535 
2536 /* move T0 to seg_reg and check whether the CPU state may change. Never
2537    call this function with seg_reg == R_CS */
2538 static void gen_movl_seg_T0(DisasContext *s, X86Seg seg_reg)
2539 {
2540     if (PE(s) && !VM86(s)) {
2541         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
2542         gen_helper_load_seg(tcg_env, tcg_constant_i32(seg_reg), s->tmp2_i32);
2543         /* abort translation because the addseg value may change or
2544            because ss32 may change. For R_SS, translation must always
2545            stop as a special handling must be done to disable hardware
2546            interrupts for the next instruction */
2547         if (seg_reg == R_SS) {
2548             s->base.is_jmp = DISAS_EOB_INHIBIT_IRQ;
2549         } else if (CODE32(s) && seg_reg < R_FS) {
2550             s->base.is_jmp = DISAS_EOB_NEXT;
2551         }
2552     } else {
2553         gen_op_movl_seg_T0_vm(s, seg_reg);
2554         if (seg_reg == R_SS) {
2555             s->base.is_jmp = DISAS_EOB_INHIBIT_IRQ;
2556         }
2557     }
2558 }
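
/*
 * Note (illustrative, not from the original source): the R_SS special case
 * models the architectural rule that a load of SS inhibits interrupts
 * until after the next instruction, so that "mov %ax, %ss; mov %bx, %sp"
 * can switch stacks without an interrupt in between; hence
 * DISAS_EOB_INHIBIT_IRQ instead of a plain end of block.
 */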
2559 
2560 static void gen_svm_check_intercept(DisasContext *s, uint32_t type)
2561 {
2562     /* no SVM activated; fast case */
2563     if (likely(!GUEST(s))) {
2564         return;
2565     }
2566     gen_helper_svm_check_intercept(tcg_env, tcg_constant_i32(type));
2567 }
2568 
2569 static inline void gen_stack_update(DisasContext *s, int addend)
2570 {
2571     gen_op_add_reg_im(s, mo_stacksize(s), R_ESP, addend);
2572 }
2573 
2574 /* Generate a push. It depends on ss32, addseg and dflag.  */
2575 static void gen_push_v(DisasContext *s, TCGv val)
2576 {
2577     MemOp d_ot = mo_pushpop(s, s->dflag);
2578     MemOp a_ot = mo_stacksize(s);
2579     int size = 1 << d_ot;
2580     TCGv new_esp = s->A0;
2581 
2582     tcg_gen_subi_tl(s->A0, cpu_regs[R_ESP], size);
2583 
2584     if (!CODE64(s)) {
2585         if (ADDSEG(s)) {
2586             new_esp = tcg_temp_new();
2587             tcg_gen_mov_tl(new_esp, s->A0);
2588         }
2589         gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2590     }
2591 
2592     gen_op_st_v(s, d_ot, val, s->A0);
2593     gen_op_mov_reg_v(s, a_ot, R_ESP, new_esp);
2594 }
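
/*
 * Note (illustrative, not from the original source): ESP is written back
 * only after the store succeeds, so a #PF during the push leaves ESP
 * intact and the insn can restart cleanly.  The new_esp copy is needed
 * because with ADDSEG the segment-adjusted A0 no longer equals the raw
 * ESP value that must be written back.
 */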
2595 
2596 /* two step pop is necessary for precise exceptions */
2597 static MemOp gen_pop_T0(DisasContext *s)
2598 {
2599     MemOp d_ot = mo_pushpop(s, s->dflag);
2600 
2601     gen_lea_v_seg_dest(s, mo_stacksize(s), s->T0, cpu_regs[R_ESP], R_SS, -1);
2602     gen_op_ld_v(s, d_ot, s->T0, s->T0);
2603 
2604     return d_ot;
2605 }
2606 
2607 static inline void gen_pop_update(DisasContext *s, MemOp ot)
2608 {
2609     gen_stack_update(s, 1 << ot);
2610 }
2611 
2612 static inline void gen_stack_A0(DisasContext *s)
2613 {
2614     gen_lea_v_seg(s, SS32(s) ? MO_32 : MO_16, cpu_regs[R_ESP], R_SS, -1);
2615 }
2616 
2617 static void gen_pusha(DisasContext *s)
2618 {
2619     MemOp s_ot = SS32(s) ? MO_32 : MO_16;
2620     MemOp d_ot = s->dflag;
2621     int size = 1 << d_ot;
2622     int i;
2623 
2624     for (i = 0; i < 8; i++) {
2625         tcg_gen_addi_tl(s->A0, cpu_regs[R_ESP], (i - 8) * size);
2626         gen_lea_v_seg(s, s_ot, s->A0, R_SS, -1);
2627         gen_op_st_v(s, d_ot, cpu_regs[7 - i], s->A0);
2628     }
2629 
2630     gen_stack_update(s, -8 * size);
2631 }
2632 
2633 static void gen_popa(DisasContext *s)
2634 {
2635     MemOp s_ot = SS32(s) ? MO_32 : MO_16;
2636     MemOp d_ot = s->dflag;
2637     int size = 1 << d_ot;
2638     int i;
2639 
2640     for (i = 0; i < 8; i++) {
2641         /* ESP is not reloaded */
2642         if (7 - i == R_ESP) {
2643             continue;
2644         }
2645         tcg_gen_addi_tl(s->A0, cpu_regs[R_ESP], i * size);
2646         gen_lea_v_seg(s, s_ot, s->A0, R_SS, -1);
2647         gen_op_ld_v(s, d_ot, s->T0, s->A0);
2648         gen_op_mov_reg_v(s, d_ot, 7 - i, s->T0);
2649     }
2650 
2651     gen_stack_update(s, 8 * size);
2652 }
2653 
2654 static void gen_enter(DisasContext *s, int esp_addend, int level)
2655 {
2656     MemOp d_ot = mo_pushpop(s, s->dflag);
2657     MemOp a_ot = CODE64(s) ? MO_64 : SS32(s) ? MO_32 : MO_16;
2658     int size = 1 << d_ot;
2659 
2660     /* Push BP; compute FrameTemp into T1.  */
2661     tcg_gen_subi_tl(s->T1, cpu_regs[R_ESP], size);
2662     gen_lea_v_seg(s, a_ot, s->T1, R_SS, -1);
2663     gen_op_st_v(s, d_ot, cpu_regs[R_EBP], s->A0);
2664 
2665     level &= 31;
2666     if (level != 0) {
2667         int i;
2668 
2669         /* Copy level-1 pointers from the previous frame.  */
2670         for (i = 1; i < level; ++i) {
2671             tcg_gen_subi_tl(s->A0, cpu_regs[R_EBP], size * i);
2672             gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2673             gen_op_ld_v(s, d_ot, s->tmp0, s->A0);
2674 
2675             tcg_gen_subi_tl(s->A0, s->T1, size * i);
2676             gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2677             gen_op_st_v(s, d_ot, s->tmp0, s->A0);
2678         }
2679 
2680         /* Push the current FrameTemp as the last level.  */
2681         tcg_gen_subi_tl(s->A0, s->T1, size * level);
2682         gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2683         gen_op_st_v(s, d_ot, s->T1, s->A0);
2684     }
2685 
2686     /* Copy the FrameTemp value to EBP.  */
2687     gen_op_mov_reg_v(s, a_ot, R_EBP, s->T1);
2688 
2689     /* Compute the final value of ESP.  */
2690     tcg_gen_subi_tl(s->T1, s->T1, esp_addend + size * level);
2691     gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1);
2692 }
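
/*
 * Sketch (illustrative only): "enter $N, $L" with L == 2 performs roughly:
 *
 *   push %ebp                      ; FrameTemp = ESP after this push
 *   push -size(%ebp)               ; copy level-1 pointer from old frame
 *   push FrameTemp                 ; new frame pointer as the last level
 *   mov  FrameTemp, %ebp
 *   lea  -(N + size*L)(FrameTemp), %esp
 */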
2693 
2694 static void gen_leave(DisasContext *s)
2695 {
2696     MemOp d_ot = mo_pushpop(s, s->dflag);
2697     MemOp a_ot = mo_stacksize(s);
2698 
2699     gen_lea_v_seg(s, a_ot, cpu_regs[R_EBP], R_SS, -1);
2700     gen_op_ld_v(s, d_ot, s->T0, s->A0);
2701 
2702     tcg_gen_addi_tl(s->T1, cpu_regs[R_EBP], 1 << d_ot);
2703 
2704     gen_op_mov_reg_v(s, d_ot, R_EBP, s->T0);
2705     gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1);
2706 }
2707 
2708 /* Similarly, except that the assumption here is that we don't decode
2709    the instruction at all -- either a missing opcode, an unimplemented
2710    feature, or just a bogus instruction stream.  */
2711 static void gen_unknown_opcode(CPUX86State *env, DisasContext *s)
2712 {
2713     gen_illegal_opcode(s);
2714 
2715     if (qemu_loglevel_mask(LOG_UNIMP)) {
2716         FILE *logfile = qemu_log_trylock();
2717         if (logfile) {
2718             target_ulong pc = s->base.pc_next, end = s->pc;
2719 
2720             fprintf(logfile, "ILLOPC: " TARGET_FMT_lx ":", pc);
2721             for (; pc < end; ++pc) {
2722                 fprintf(logfile, " %02x", cpu_ldub_code(env, pc));
2723             }
2724             fprintf(logfile, "\n");
2725             qemu_log_unlock(logfile);
2726         }
2727     }
2728 }
2729 
2730 /* an interrupt is different from an exception because of the
2731    privilege checks */
2732 static void gen_interrupt(DisasContext *s, int intno)
2733 {
2734     gen_update_cc_op(s);
2735     gen_update_eip_cur(s);
2736     gen_helper_raise_interrupt(tcg_env, tcg_constant_i32(intno),
2737                                cur_insn_len_i32(s));
2738     s->base.is_jmp = DISAS_NORETURN;
2739 }
2740 
2741 static void gen_set_hflag(DisasContext *s, uint32_t mask)
2742 {
2743     if ((s->flags & mask) == 0) {
2744         TCGv_i32 t = tcg_temp_new_i32();
2745         tcg_gen_ld_i32(t, tcg_env, offsetof(CPUX86State, hflags));
2746         tcg_gen_ori_i32(t, t, mask);
2747         tcg_gen_st_i32(t, tcg_env, offsetof(CPUX86State, hflags));
2748         s->flags |= mask;
2749     }
2750 }
2751 
2752 static void gen_reset_hflag(DisasContext *s, uint32_t mask)
2753 {
2754     if (s->flags & mask) {
2755         TCGv_i32 t = tcg_temp_new_i32();
2756         tcg_gen_ld_i32(t, tcg_env, offsetof(CPUX86State, hflags));
2757         tcg_gen_andi_i32(t, t, ~mask);
2758         tcg_gen_st_i32(t, tcg_env, offsetof(CPUX86State, hflags));
2759         s->flags &= ~mask;
2760     }
2761 }
2762 
2763 static void gen_set_eflags(DisasContext *s, target_ulong mask)
2764 {
2765     TCGv t = tcg_temp_new();
2766 
2767     tcg_gen_ld_tl(t, tcg_env, offsetof(CPUX86State, eflags));
2768     tcg_gen_ori_tl(t, t, mask);
2769     tcg_gen_st_tl(t, tcg_env, offsetof(CPUX86State, eflags));
2770 }
2771 
2772 static void gen_reset_eflags(DisasContext *s, target_ulong mask)
2773 {
2774     TCGv t = tcg_temp_new();
2775 
2776     tcg_gen_ld_tl(t, tcg_env, offsetof(CPUX86State, eflags));
2777     tcg_gen_andi_tl(t, t, ~mask);
2778     tcg_gen_st_tl(t, tcg_env, offsetof(CPUX86State, eflags));
2779 }
2780 
2781 /* Clear BND registers during legacy branches.  */
2782 static void gen_bnd_jmp(DisasContext *s)
2783 {
2784     /* Clear the registers only if BND prefix is missing, MPX is enabled,
2785        and if the BNDREGs are known to be in use (non-zero) already.
2786        The helper itself will check BNDPRESERVE at runtime.  */
2787     if ((s->prefix & PREFIX_REPNZ) == 0
2788         && (s->flags & HF_MPX_EN_MASK) != 0
2789         && (s->flags & HF_MPX_IU_MASK) != 0) {
2790         gen_helper_bnd_jmp(tcg_env);
2791     }
2792 }
2793 
2794 /* Generate an end of block. Trace exception is also generated if needed.
2795    If INHIBIT, set HF_INHIBIT_IRQ_MASK if it isn't already set.
2796    If RECHECK_TF, emit a rechecking helper for #DB, ignoring the state of
2797    S->TF.  This is used by the syscall/sysret insns.  */
2798 static void
2799 do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
2800 {
2801     gen_update_cc_op(s);
2802 
2803     /* If several instructions disable interrupts, only the first does it.  */
2804     if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
2805         gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
2806     } else {
2807         gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
2808     }
2809 
2810     if (s->base.tb->flags & HF_RF_MASK) {
2811         gen_reset_eflags(s, RF_MASK);
2812     }
2813     if (recheck_tf) {
2814         gen_helper_rechecking_single_step(tcg_env);
2815         tcg_gen_exit_tb(NULL, 0);
2816     } else if (s->flags & HF_TF_MASK) {
2817         gen_helper_single_step(tcg_env);
2818     } else if (jr) {
2819         tcg_gen_lookup_and_goto_ptr();
2820     } else {
2821         tcg_gen_exit_tb(NULL, 0);
2822     }
2823     s->base.is_jmp = DISAS_NORETURN;
2824 }
2825 
2826 static inline void
2827 gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf)
2828 {
2829     do_gen_eob_worker(s, inhibit, recheck_tf, false);
2830 }
2831 
2832 /* End of block.
2833    If INHIBIT, set HF_INHIBIT_IRQ_MASK if it isn't already set.  */
2834 static void gen_eob_inhibit_irq(DisasContext *s, bool inhibit)
2835 {
2836     gen_eob_worker(s, inhibit, false);
2837 }
2838 
2839 /* End of block, resetting the inhibit irq flag.  */
2840 static void gen_eob(DisasContext *s)
2841 {
2842     gen_eob_worker(s, false, false);
2843 }
2844 
2845 /* Jump to register */
2846 static void gen_jr(DisasContext *s)
2847 {
2848     do_gen_eob_worker(s, false, false, true);
2849 }
2850 
2851 /* Jump to eip+diff, truncating the result to OT. */
2852 static void gen_jmp_rel(DisasContext *s, MemOp ot, int diff, int tb_num)
2853 {
2854     bool use_goto_tb = s->jmp_opt;
2855     target_ulong mask = -1;
2856     target_ulong new_pc = s->pc + diff;
2857     target_ulong new_eip = new_pc - s->cs_base;
2858 
2859     /* In 64-bit mode, operand size is fixed at 64 bits. */
2860     if (!CODE64(s)) {
2861         if (ot == MO_16) {
2862             mask = 0xffff;
2863             if (tb_cflags(s->base.tb) & CF_PCREL && CODE32(s)) {
2864                 use_goto_tb = false;
2865             }
2866         } else {
2867             mask = 0xffffffff;
2868         }
2869     }
2870     new_eip &= mask;
2871 
2872     gen_update_cc_op(s);
2873     set_cc_op(s, CC_OP_DYNAMIC);
2874 
2875     if (tb_cflags(s->base.tb) & CF_PCREL) {
2876         tcg_gen_addi_tl(cpu_eip, cpu_eip, new_pc - s->pc_save);
2877         /*
2878          * If we can prove the branch does not leave the page and we have
2879          * no extra masking to apply (data16 branch in code32, see above),
2880          * then we have also proven that the addition does not wrap.
2881          */
2882         if (!use_goto_tb || !is_same_page(&s->base, new_pc)) {
2883             tcg_gen_andi_tl(cpu_eip, cpu_eip, mask);
2884             use_goto_tb = false;
2885         }
2886     } else if (!CODE64(s)) {
2887         new_pc = (uint32_t)(new_eip + s->cs_base);
2888     }
2889 
2890     if (use_goto_tb && translator_use_goto_tb(&s->base, new_pc)) {
2891         /* jump to same page: we can use a direct jump */
2892         tcg_gen_goto_tb(tb_num);
2893         if (!(tb_cflags(s->base.tb) & CF_PCREL)) {
2894             tcg_gen_movi_tl(cpu_eip, new_eip);
2895         }
2896         tcg_gen_exit_tb(s->base.tb, tb_num);
2897         s->base.is_jmp = DISAS_NORETURN;
2898     } else {
2899         if (!(tb_cflags(s->base.tb) & CF_PCREL)) {
2900             tcg_gen_movi_tl(cpu_eip, new_eip);
2901         }
2902         if (s->jmp_opt) {
2903             gen_jr(s);   /* jump to another page */
2904         } else {
2905             gen_eob(s);  /* exit to main loop */
2906         }
2907     }
2908 }
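
/*
 * Example (illustrative only): the masking above models EIP truncation.
 * A jump taken with a 0x66 prefix in 32-bit code keeps only the low
 * 16 bits of the target, so eip + diff is ANDed with 0xffff; with
 * CF_PCREL that wrap cannot be proven at translation time, which is why
 * the direct goto_tb fast path is abandoned in that case.
 */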
2909 
2910 /* Jump to eip+diff, truncating to the current code size. */
2911 static void gen_jmp_rel_csize(DisasContext *s, int diff, int tb_num)
2912 {
2913     /* CODE64 ignores the OT argument, so we need not consider it. */
2914     gen_jmp_rel(s, CODE32(s) ? MO_32 : MO_16, diff, tb_num);
2915 }
2916 
2917 static inline void gen_ldq_env_A0(DisasContext *s, int offset)
2918 {
2919     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0, s->mem_index, MO_LEUQ);
2920     tcg_gen_st_i64(s->tmp1_i64, tcg_env, offset);
2921 }
2922 
2923 static inline void gen_stq_env_A0(DisasContext *s, int offset)
2924 {
2925     tcg_gen_ld_i64(s->tmp1_i64, tcg_env, offset);
2926     tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0, s->mem_index, MO_LEUQ);
2927 }
2928 
2929 static inline void gen_ldo_env_A0(DisasContext *s, int offset, bool align)
2930 {
2931     MemOp atom = (s->cpuid_ext_features & CPUID_EXT_AVX
2932                   ? MO_ATOM_IFALIGN : MO_ATOM_IFALIGN_PAIR);
2933     MemOp mop = MO_128 | MO_LE | atom | (align ? MO_ALIGN_16 : 0);
2934     int mem_index = s->mem_index;
2935     TCGv_i128 t = tcg_temp_new_i128();
2936 
2937     tcg_gen_qemu_ld_i128(t, s->A0, mem_index, mop);
2938     tcg_gen_st_i128(t, tcg_env, offset);
2939 }
2940 
2941 static inline void gen_sto_env_A0(DisasContext *s, int offset, bool align)
2942 {
2943     MemOp atom = (s->cpuid_ext_features & CPUID_EXT_AVX
2944                   ? MO_ATOM_IFALIGN : MO_ATOM_IFALIGN_PAIR);
2945     MemOp mop = MO_128 | MO_LE | atom | (align ? MO_ALIGN_16 : 0);
2946     int mem_index = s->mem_index;
2947     TCGv_i128 t = tcg_temp_new_i128();
2948 
2949     tcg_gen_ld_i128(t, tcg_env, offset);
2950     tcg_gen_qemu_st_i128(t, s->A0, mem_index, mop);
2951 }
2952 
2953 static void gen_ldy_env_A0(DisasContext *s, int offset, bool align)
2954 {
2955     MemOp mop = MO_128 | MO_LE | MO_ATOM_IFALIGN_PAIR;
2956     int mem_index = s->mem_index;
2957     TCGv_i128 t0 = tcg_temp_new_i128();
2958     TCGv_i128 t1 = tcg_temp_new_i128();
2959 
2960     tcg_gen_qemu_ld_i128(t0, s->A0, mem_index, mop | (align ? MO_ALIGN_32 : 0));
2961     tcg_gen_addi_tl(s->tmp0, s->A0, 16);
2962     tcg_gen_qemu_ld_i128(t1, s->tmp0, mem_index, mop);
2963 
2964     tcg_gen_st_i128(t0, tcg_env, offset + offsetof(YMMReg, YMM_X(0)));
2965     tcg_gen_st_i128(t1, tcg_env, offset + offsetof(YMMReg, YMM_X(1)));
2966 }
2967 
2968 static void gen_sty_env_A0(DisasContext *s, int offset, bool align)
2969 {
2970     MemOp mop = MO_128 | MO_LE | MO_ATOM_IFALIGN_PAIR;
2971     int mem_index = s->mem_index;
2972     TCGv_i128 t = tcg_temp_new_i128();
2973 
2974     tcg_gen_ld_i128(t, tcg_env, offset + offsetof(YMMReg, YMM_X(0)));
2975     tcg_gen_qemu_st_i128(t, s->A0, mem_index, mop | (align ? MO_ALIGN_32 : 0));
2976     tcg_gen_addi_tl(s->tmp0, s->A0, 16);
2977     tcg_gen_ld_i128(t, tcg_env, offset + offsetof(YMMReg, YMM_X(1)));
2978     tcg_gen_qemu_st_i128(t, s->tmp0, mem_index, mop);
2979 }
2980 
2981 #include "decode-new.h"
2982 #include "emit.c.inc"
2983 #include "decode-new.c.inc"
2984 
2985 static void gen_cmpxchg8b(DisasContext *s, CPUX86State *env, int modrm)
2986 {
2987     TCGv_i64 cmp, val, old;
2988     TCGv Z;
2989 
2990     gen_lea_modrm(env, s, modrm);
2991 
2992     cmp = tcg_temp_new_i64();
2993     val = tcg_temp_new_i64();
2994     old = tcg_temp_new_i64();
2995 
2996     /* Construct the comparison values from the register pair. */
2997     tcg_gen_concat_tl_i64(cmp, cpu_regs[R_EAX], cpu_regs[R_EDX]);
2998     tcg_gen_concat_tl_i64(val, cpu_regs[R_EBX], cpu_regs[R_ECX]);
2999 
3000     /* Only require atomic with LOCK; non-parallel handled in generator. */
3001     if (s->prefix & PREFIX_LOCK) {
3002         tcg_gen_atomic_cmpxchg_i64(old, s->A0, cmp, val, s->mem_index, MO_TEUQ);
3003     } else {
3004         tcg_gen_nonatomic_cmpxchg_i64(old, s->A0, cmp, val,
3005                                       s->mem_index, MO_TEUQ);
3006     }
3007 
3008     /* Compute the required value of Z. */
3009     tcg_gen_setcond_i64(TCG_COND_EQ, cmp, old, cmp);
3010     Z = tcg_temp_new();
3011     tcg_gen_trunc_i64_tl(Z, cmp);
3012 
3013     /*
3014      * Extract the result values for the register pair.
3015      * For 32-bit, we may do this unconditionally, because on success (Z=1),
3016      * the old value matches the previous value in EDX:EAX.  For x86_64,
3017      * the store must be conditional, because we must leave the source
3018      * registers unchanged on success, and zero-extend the writeback
3019      * on failure (Z=0).
3020      */
3021     if (TARGET_LONG_BITS == 32) {
3022         tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], old);
3023     } else {
3024         TCGv zero = tcg_constant_tl(0);
3025 
3026         tcg_gen_extr_i64_tl(s->T0, s->T1, old);
3027         tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EAX], Z, zero,
3028                            s->T0, cpu_regs[R_EAX]);
3029         tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EDX], Z, zero,
3030                            s->T1, cpu_regs[R_EDX]);
3031     }
3032 
3033     /* Update Z. */
3034     gen_compute_eflags(s);
3035     tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, Z, ctz32(CC_Z), 1);
3036 }
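
/*
 * Note (illustrative, not from the original source): CMPXCHG8B compares
 * EDX:EAX with the 64-bit memory operand and reports success only through
 * ZF.  The deposit of Z into bit ctz32(CC_Z) of the materialized EFLAGS
 * in cpu_cc_src updates exactly the ZF position, leaving all other flag
 * bits untouched.
 */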
3037 
3038 #ifdef TARGET_X86_64
3039 static void gen_cmpxchg16b(DisasContext *s, CPUX86State *env, int modrm)
3040 {
3041     MemOp mop = MO_TE | MO_128 | MO_ALIGN;
3042     TCGv_i64 t0, t1;
3043     TCGv_i128 cmp, val;
3044 
3045     gen_lea_modrm(env, s, modrm);
3046 
3047     cmp = tcg_temp_new_i128();
3048     val = tcg_temp_new_i128();
3049     tcg_gen_concat_i64_i128(cmp, cpu_regs[R_EAX], cpu_regs[R_EDX]);
3050     tcg_gen_concat_i64_i128(val, cpu_regs[R_EBX], cpu_regs[R_ECX]);
3051 
3052     /* Only require atomic with LOCK; non-parallel handled in generator. */
3053     if (s->prefix & PREFIX_LOCK) {
3054         tcg_gen_atomic_cmpxchg_i128(val, s->A0, cmp, val, s->mem_index, mop);
3055     } else {
3056         tcg_gen_nonatomic_cmpxchg_i128(val, s->A0, cmp, val, s->mem_index, mop);
3057     }
3058 
3059     tcg_gen_extr_i128_i64(s->T0, s->T1, val);
3060 
3061     /* Determine success after the fact. */
3062     t0 = tcg_temp_new_i64();
3063     t1 = tcg_temp_new_i64();
3064     tcg_gen_xor_i64(t0, s->T0, cpu_regs[R_EAX]);
3065     tcg_gen_xor_i64(t1, s->T1, cpu_regs[R_EDX]);
3066     tcg_gen_or_i64(t0, t0, t1);
3067 
3068     /* Update Z. */
3069     gen_compute_eflags(s);
3070     tcg_gen_setcondi_i64(TCG_COND_EQ, t0, t0, 0);
3071     tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, t0, ctz32(CC_Z), 1);
3072 
3073     /*
3074      * Extract the result values for the register pair.  We may do this
3075      * unconditionally, because on success (Z=1), the old value matches
3076      * the previous value in RDX:RAX.
3077      */
3078     tcg_gen_mov_i64(cpu_regs[R_EAX], s->T0);
3079     tcg_gen_mov_i64(cpu_regs[R_EDX], s->T1);
3080 }
3081 #endif
3082 
3083 /* convert one instruction. s->base.is_jmp is set if the translation must
3084    be stopped.  Return false if the insn must be retranslated, else true. */
3085 static bool disas_insn(DisasContext *s, CPUState *cpu)
3086 {
3087     CPUX86State *env = cpu_env(cpu);
3088     int b, prefixes;
3089     int shift;
3090     MemOp ot, aflag, dflag;
3091     int modrm, reg, rm, mod, op, opreg, val;
3092     bool orig_cc_op_dirty = s->cc_op_dirty;
3093     CCOp orig_cc_op = s->cc_op;
3094     target_ulong orig_pc_save = s->pc_save;
3095 
3096     s->pc = s->base.pc_next;
3097     s->override = -1;
3098 #ifdef TARGET_X86_64
3099     s->rex_r = 0;
3100     s->rex_x = 0;
3101     s->rex_b = 0;
3102 #endif
3103     s->rip_offset = 0; /* for relative ip address */
3104     s->vex_l = 0;
3105     s->vex_v = 0;
3106     s->vex_w = false;
3107     switch (sigsetjmp(s->jmpbuf, 0)) {
3108     case 0:
3109         break;
3110     case 1:
3111         gen_exception_gpf(s);
3112         return true;
3113     case 2:
3114         /* Restore state that may affect the next instruction. */
3115         s->pc = s->base.pc_next;
3116         /*
3117          * TODO: These save/restore can be removed after the table-based
3118          * decoder is complete; we will be decoding the insn completely
3119          * before any code generation that might affect these variables.
3120          */
3121         s->cc_op_dirty = orig_cc_op_dirty;
3122         s->cc_op = orig_cc_op;
3123         s->pc_save = orig_pc_save;
3124         /* END TODO */
3125         s->base.num_insns--;
3126         tcg_remove_ops_after(s->prev_insn_end);
3127         s->base.insn_start = s->prev_insn_start;
3128         s->base.is_jmp = DISAS_TOO_MANY;
3129         return false;
3130     default:
3131         g_assert_not_reached();
3132     }
3133 
3134     prefixes = 0;
3135 
3136  next_byte:
3137     s->prefix = prefixes;
3138     b = x86_ldub_code(env, s);
3139     /* Collect prefixes.  */
3140     switch (b) {
3141     default:
3142         break;
3143     case 0x0f:
3144         b = x86_ldub_code(env, s) + 0x100;
3145         break;
3146     case 0xf3:
3147         prefixes |= PREFIX_REPZ;
3148         prefixes &= ~PREFIX_REPNZ;
3149         goto next_byte;
3150     case 0xf2:
3151         prefixes |= PREFIX_REPNZ;
3152         prefixes &= ~PREFIX_REPZ;
3153         goto next_byte;
3154     case 0xf0:
3155         prefixes |= PREFIX_LOCK;
3156         goto next_byte;
3157     case 0x2e:
3158         s->override = R_CS;
3159         goto next_byte;
3160     case 0x36:
3161         s->override = R_SS;
3162         goto next_byte;
3163     case 0x3e:
3164         s->override = R_DS;
3165         goto next_byte;
3166     case 0x26:
3167         s->override = R_ES;
3168         goto next_byte;
3169     case 0x64:
3170         s->override = R_FS;
3171         goto next_byte;
3172     case 0x65:
3173         s->override = R_GS;
3174         goto next_byte;
3175     case 0x66:
3176         prefixes |= PREFIX_DATA;
3177         goto next_byte;
3178     case 0x67:
3179         prefixes |= PREFIX_ADR;
3180         goto next_byte;
3181 #ifdef TARGET_X86_64
3182     case 0x40 ... 0x4f:
3183         if (CODE64(s)) {
3184             /* REX prefix */
3185             prefixes |= PREFIX_REX;
3186             s->vex_w = (b >> 3) & 1;
3187             s->rex_r = (b & 0x4) << 1;
3188             s->rex_x = (b & 0x2) << 2;
3189             s->rex_b = (b & 0x1) << 3;
3190             goto next_byte;
3191         }
3192         break;
3193 #endif
3194     case 0xc5: /* 2-byte VEX */
3195     case 0xc4: /* 3-byte VEX */
3196         if (CODE32(s) && !VM86(s)) {
3197             int vex2 = x86_ldub_code(env, s);
3198             s->pc--; /* rewind the advance_pc() x86_ldub_code() did */
3199 
3200             if (!CODE64(s) && (vex2 & 0xc0) != 0xc0) {
3201                 /* 4.1.4.6: In 32-bit mode, bits [7:6] must be 11b,
3202                    otherwise the instruction is LES or LDS.  */
3203                 break;
3204             }
3205             disas_insn_new(s, cpu, b);
3206             return true;
3207         }
3208         break;
3209     }
3210 
3211     /* Post-process prefixes.  */
3212     if (CODE64(s)) {
3213         /* In 64-bit mode, the default data size is 32-bit.  Select 64-bit
3214            data with rex_w, and 16-bit data with 0x66; rex_w takes precedence
3215            over 0x66 if both are present.  */
3216         dflag = (REX_W(s) ? MO_64 : prefixes & PREFIX_DATA ? MO_16 : MO_32);
3217         /* In 64-bit mode, 0x67 selects 32-bit addressing.  */
3218         aflag = (prefixes & PREFIX_ADR ? MO_32 : MO_64);
3219     } else {
3220         /* In 16/32-bit mode, 0x66 selects the opposite data size.  */
3221         if (CODE32(s) ^ ((prefixes & PREFIX_DATA) != 0)) {
3222             dflag = MO_32;
3223         } else {
3224             dflag = MO_16;
3225         }
3226         /* In 16/32-bit mode, 0x67 selects the opposite addressing.  */
3227         if (CODE32(s) ^ ((prefixes & PREFIX_ADR) != 0)) {
3228             aflag = MO_32;
3229         } else {
3230             aflag = MO_16;
3231         }
3232     }
3233 
3234     s->prefix = prefixes;
3235     s->aflag = aflag;
3236     s->dflag = dflag;
3237 
3238     /* now check op code */
3239     switch (b) {
3240         /**************************/
3241         /* arith & logic */
3242     case 0x00 ... 0x05:
3243     case 0x08 ... 0x0d:
3244     case 0x10 ... 0x15:
3245     case 0x18 ... 0x1d:
3246     case 0x20 ... 0x25:
3247     case 0x28 ... 0x2d:
3248     case 0x30 ... 0x35:
3249     case 0x38 ... 0x3d:
3250         {
3251             int f;
3252             op = (b >> 3) & 7;
3253             f = (b >> 1) & 3;
3254 
3255             ot = mo_b_d(b, dflag);
3256 
3257             switch(f) {
3258             case 0: /* OP Ev, Gv */
3259                 modrm = x86_ldub_code(env, s);
3260                 reg = ((modrm >> 3) & 7) | REX_R(s);
3261                 mod = (modrm >> 6) & 3;
3262                 rm = (modrm & 7) | REX_B(s);
3263                 if (mod != 3) {
3264                     gen_lea_modrm(env, s, modrm);
3265                     opreg = OR_TMP0;
3266                 } else if (op == OP_XORL && rm == reg) {
3267                 xor_zero:
3268                     /* xor reg, reg optimisation */
3269                     set_cc_op(s, CC_OP_CLR);
3270                     tcg_gen_movi_tl(s->T0, 0);
3271                     gen_op_mov_reg_v(s, ot, reg, s->T0);
3272                     break;
3273                 } else {
3274                     opreg = rm;
3275                 }
3276                 gen_op_mov_v_reg(s, ot, s->T1, reg);
3277                 gen_op(s, op, ot, opreg);
3278                 break;
3279             case 1: /* OP Gv, Ev */
3280                 modrm = x86_ldub_code(env, s);
3281                 mod = (modrm >> 6) & 3;
3282                 reg = ((modrm >> 3) & 7) | REX_R(s);
3283                 rm = (modrm & 7) | REX_B(s);
3284                 if (mod != 3) {
3285                     gen_lea_modrm(env, s, modrm);
3286                     gen_op_ld_v(s, ot, s->T1, s->A0);
3287                 } else if (op == OP_XORL && rm == reg) {
3288                     goto xor_zero;
3289                 } else {
3290                     gen_op_mov_v_reg(s, ot, s->T1, rm);
3291                 }
3292                 gen_op(s, op, ot, reg);
3293                 break;
3294             case 2: /* OP A, Iv */
3295                 val = insn_get(env, s, ot);
3296                 tcg_gen_movi_tl(s->T1, val);
3297                 gen_op(s, op, ot, OR_EAX);
3298                 break;
3299             }
3300         }
3301         break;
3302 
3303     case 0x82:
3304         if (CODE64(s))
3305             goto illegal_op;
3306         /* fall through */
3307     case 0x80: /* GRP1 */
3308     case 0x81:
3309     case 0x83:
3310         {
3311             ot = mo_b_d(b, dflag);
3312 
3313             modrm = x86_ldub_code(env, s);
3314             mod = (modrm >> 6) & 3;
3315             rm = (modrm & 7) | REX_B(s);
3316             op = (modrm >> 3) & 7;
3317 
3318             if (mod != 3) {
3319                 if (b == 0x83)
3320                     s->rip_offset = 1;
3321                 else
3322                     s->rip_offset = insn_const_size(ot);
3323                 gen_lea_modrm(env, s, modrm);
3324                 opreg = OR_TMP0;
3325             } else {
3326                 opreg = rm;
3327             }
3328 
3329             switch(b) {
3330             default:
3331             case 0x80:
3332             case 0x81:
3333             case 0x82:
3334                 val = insn_get(env, s, ot);
3335                 break;
3336             case 0x83:
3337                 val = (int8_t)insn_get(env, s, MO_8);
3338                 break;
3339             }
3340             tcg_gen_movi_tl(s->T1, val);
3341             gen_op(s, op, ot, opreg);
3342         }
3343         break;
3344 
3345         /**************************/
3346         /* inc, dec, and other misc arith */
3347     case 0x40 ... 0x47: /* inc Gv */
3348         ot = dflag;
3349         gen_inc(s, ot, OR_EAX + (b & 7), 1);
3350         break;
3351     case 0x48 ... 0x4f: /* dec Gv */
3352         ot = dflag;
3353         gen_inc(s, ot, OR_EAX + (b & 7), -1);
3354         break;
3355     case 0xf6: /* GRP3 */
3356     case 0xf7:
3357         ot = mo_b_d(b, dflag);
3358 
3359         modrm = x86_ldub_code(env, s);
3360         mod = (modrm >> 6) & 3;
3361         rm = (modrm & 7) | REX_B(s);
3362         op = (modrm >> 3) & 7;
3363         if (mod != 3) {
3364             if (op == 0) {
3365                 s->rip_offset = insn_const_size(ot);
3366             }
3367             gen_lea_modrm(env, s, modrm);
3368             /* For those below that handle locked memory, don't load here.  */
3369             if (!(s->prefix & PREFIX_LOCK)
3370                 || op != 2) {
3371                 gen_op_ld_v(s, ot, s->T0, s->A0);
3372             }
3373         } else {
3374             gen_op_mov_v_reg(s, ot, s->T0, rm);
3375         }
3376 
3377         switch(op) {
3378         case 0: /* test */
3379             val = insn_get(env, s, ot);
3380             tcg_gen_movi_tl(s->T1, val);
3381             gen_op_testl_T0_T1_cc(s);
3382             set_cc_op(s, CC_OP_LOGICB + ot);
3383             break;
3384         case 2: /* not */
3385             if (s->prefix & PREFIX_LOCK) {
3386                 if (mod == 3) {
3387                     goto illegal_op;
3388                 }
3389                 tcg_gen_movi_tl(s->T0, ~0);
3390                 tcg_gen_atomic_xor_fetch_tl(s->T0, s->A0, s->T0,
3391                                             s->mem_index, ot | MO_LE);
3392             } else {
3393                 tcg_gen_not_tl(s->T0, s->T0);
3394                 if (mod != 3) {
3395                     gen_op_st_v(s, ot, s->T0, s->A0);
3396                 } else {
3397                     gen_op_mov_reg_v(s, ot, rm, s->T0);
3398                 }
3399             }
3400             break;
3401         case 3: /* neg */
3402             if (s->prefix & PREFIX_LOCK) {
3403                 TCGLabel *label1;
3404                 TCGv a0, t0, t1, t2;
3405 
3406                 if (mod == 3) {
3407                     goto illegal_op;
3408                 }
3409                 a0 = s->A0;
3410                 t0 = s->T0;
3411                 label1 = gen_new_label();
3412 
3413                 gen_set_label(label1);
3414                 t1 = tcg_temp_new();
3415                 t2 = tcg_temp_new();
3416                 tcg_gen_mov_tl(t2, t0);
3417                 tcg_gen_neg_tl(t1, t0);
3418                 tcg_gen_atomic_cmpxchg_tl(t0, a0, t0, t1,
3419                                           s->mem_index, ot | MO_LE);
3420                 tcg_gen_brcond_tl(TCG_COND_NE, t0, t2, label1);
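                     /*
                      * The sequence above is the usual compare-and-swap retry
                      * loop, roughly:
                      *   do { old = *mem; } while (!cmpxchg(mem, old, -old));
                      * so t0 ends up holding the value that was actually
                      * negated.
                      */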
3421 
3422                 tcg_gen_neg_tl(s->T0, t0);
3423             } else {
3424                 tcg_gen_neg_tl(s->T0, s->T0);
3425                 if (mod != 3) {
3426                     gen_op_st_v(s, ot, s->T0, s->A0);
3427                 } else {
3428                     gen_op_mov_reg_v(s, ot, rm, s->T0);
3429                 }
3430             }
3431             gen_op_update_neg_cc(s);
3432             set_cc_op(s, CC_OP_SUBB + ot);
3433             break;
3434         case 4: /* mul */
3435             switch(ot) {
3436             case MO_8:
3437                 gen_op_mov_v_reg(s, MO_8, s->T1, R_EAX);
3438                 tcg_gen_ext8u_tl(s->T0, s->T0);
3439                 tcg_gen_ext8u_tl(s->T1, s->T1);
3440                 /* XXX: use 32 bit mul which could be faster */
3441                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3442                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3443                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3444                 tcg_gen_andi_tl(cpu_cc_src, s->T0, 0xff00);
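                     /*
                      * For MUL, CF and OF are both set iff the upper half of
                      * the product is non-zero; cpu_cc_src holds that upper
                      * half, so the CC_OP_MUL* flag code can derive them
                      * later.
                      */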
3445                 set_cc_op(s, CC_OP_MULB);
3446                 break;
3447             case MO_16:
3448                 gen_op_mov_v_reg(s, MO_16, s->T1, R_EAX);
3449                 tcg_gen_ext16u_tl(s->T0, s->T0);
3450                 tcg_gen_ext16u_tl(s->T1, s->T1);
3451                 /* XXX: use 32 bit mul which could be faster */
3452                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3453                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3454                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3455                 tcg_gen_shri_tl(s->T0, s->T0, 16);
3456                 gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3457                 tcg_gen_mov_tl(cpu_cc_src, s->T0);
3458                 set_cc_op(s, CC_OP_MULW);
3459                 break;
3460             default:
3461             case MO_32:
3462                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3463                 tcg_gen_trunc_tl_i32(s->tmp3_i32, cpu_regs[R_EAX]);
3464                 tcg_gen_mulu2_i32(s->tmp2_i32, s->tmp3_i32,
3465                                   s->tmp2_i32, s->tmp3_i32);
3466                 tcg_gen_extu_i32_tl(cpu_regs[R_EAX], s->tmp2_i32);
3467                 tcg_gen_extu_i32_tl(cpu_regs[R_EDX], s->tmp3_i32);
3468                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3469                 tcg_gen_mov_tl(cpu_cc_src, cpu_regs[R_EDX]);
3470                 set_cc_op(s, CC_OP_MULL);
3471                 break;
3472 #ifdef TARGET_X86_64
3473             case MO_64:
3474                 tcg_gen_mulu2_i64(cpu_regs[R_EAX], cpu_regs[R_EDX],
3475                                   s->T0, cpu_regs[R_EAX]);
3476                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3477                 tcg_gen_mov_tl(cpu_cc_src, cpu_regs[R_EDX]);
3478                 set_cc_op(s, CC_OP_MULQ);
3479                 break;
3480 #endif
3481             }
3482             break;
3483         case 5: /* imul */
3484             switch(ot) {
3485             case MO_8:
3486                 gen_op_mov_v_reg(s, MO_8, s->T1, R_EAX);
3487                 tcg_gen_ext8s_tl(s->T0, s->T0);
3488                 tcg_gen_ext8s_tl(s->T1, s->T1);
3489                 /* XXX: use 32 bit mul which could be faster */
3490                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3491                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3492                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3493                 tcg_gen_ext8s_tl(s->tmp0, s->T0);
3494                 tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
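                     /*
                      * For IMUL, CF/OF are set iff the product does not fit
                      * in the destination size: cpu_cc_src = T0 - sext8(T0)
                      * is non-zero exactly when sign-extending the low byte
                      * would not reproduce the full result.
                      */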
3495                 set_cc_op(s, CC_OP_MULB);
3496                 break;
3497             case MO_16:
3498                 gen_op_mov_v_reg(s, MO_16, s->T1, R_EAX);
3499                 tcg_gen_ext16s_tl(s->T0, s->T0);
3500                 tcg_gen_ext16s_tl(s->T1, s->T1);
3501                 /* XXX: use 32 bit mul which could be faster */
3502                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3503                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3504                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3505                 tcg_gen_ext16s_tl(s->tmp0, s->T0);
3506                 tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
3507                 tcg_gen_shri_tl(s->T0, s->T0, 16);
3508                 gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3509                 set_cc_op(s, CC_OP_MULW);
3510                 break;
3511             default:
3512             case MO_32:
3513                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3514                 tcg_gen_trunc_tl_i32(s->tmp3_i32, cpu_regs[R_EAX]);
3515                 tcg_gen_muls2_i32(s->tmp2_i32, s->tmp3_i32,
3516                                   s->tmp2_i32, s->tmp3_i32);
3517                 tcg_gen_extu_i32_tl(cpu_regs[R_EAX], s->tmp2_i32);
3518                 tcg_gen_extu_i32_tl(cpu_regs[R_EDX], s->tmp3_i32);
3519                 tcg_gen_sari_i32(s->tmp2_i32, s->tmp2_i32, 31);
3520                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3521                 tcg_gen_sub_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
3522                 tcg_gen_extu_i32_tl(cpu_cc_src, s->tmp2_i32);
3523                 set_cc_op(s, CC_OP_MULL);
3524                 break;
3525 #ifdef TARGET_X86_64
3526             case MO_64:
3527                 tcg_gen_muls2_i64(cpu_regs[R_EAX], cpu_regs[R_EDX],
3528                                   s->T0, cpu_regs[R_EAX]);
3529                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3530                 tcg_gen_sari_tl(cpu_cc_src, cpu_regs[R_EAX], 63);
3531                 tcg_gen_sub_tl(cpu_cc_src, cpu_cc_src, cpu_regs[R_EDX]);
3532                 set_cc_op(s, CC_OP_MULQ);
3533                 break;
3534 #endif
3535             }
3536             break;
3537         case 6: /* div */
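                 /*
                  * The div/idiv helpers below read the dividend from the
                  * accumulator pair (AX, DX:AX, EDX:EAX, ...), write the
                  * quotient and remainder back themselves, and raise #DE on
                  * divide error, so nothing else is generated here.
                  */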
3538             switch(ot) {
3539             case MO_8:
3540                 gen_helper_divb_AL(tcg_env, s->T0);
3541                 break;
3542             case MO_16:
3543                 gen_helper_divw_AX(tcg_env, s->T0);
3544                 break;
3545             default:
3546             case MO_32:
3547                 gen_helper_divl_EAX(tcg_env, s->T0);
3548                 break;
3549 #ifdef TARGET_X86_64
3550             case MO_64:
3551                 gen_helper_divq_EAX(tcg_env, s->T0);
3552                 break;
3553 #endif
3554             }
3555             break;
3556         case 7: /* idiv */
3557             switch(ot) {
3558             case MO_8:
3559                 gen_helper_idivb_AL(tcg_env, s->T0);
3560                 break;
3561             case MO_16:
3562                 gen_helper_idivw_AX(tcg_env, s->T0);
3563                 break;
3564             default:
3565             case MO_32:
3566                 gen_helper_idivl_EAX(tcg_env, s->T0);
3567                 break;
3568 #ifdef TARGET_X86_64
3569             case MO_64:
3570                 gen_helper_idivq_EAX(tcg_env, s->T0);
3571                 break;
3572 #endif
3573             }
3574             break;
3575         default:
3576             goto unknown_op;
3577         }
3578         break;
3579 
3580     case 0xfe: /* GRP4 */
3581     case 0xff: /* GRP5 */
3582         ot = mo_b_d(b, dflag);
3583 
3584         modrm = x86_ldub_code(env, s);
3585         mod = (modrm >> 6) & 3;
3586         rm = (modrm & 7) | REX_B(s);
3587         op = (modrm >> 3) & 7;
3588         if (op >= 2 && b == 0xfe) {
3589             goto unknown_op;
3590         }
3591         if (CODE64(s)) {
3592             if (op == 2 || op == 4) {
3593                 /* operand size for jumps is 64 bit */
3594                 ot = MO_64;
3595             } else if (op == 3 || op == 5) {
3596                 ot = dflag != MO_16 ? MO_32 + REX_W(s) : MO_16;
3597             } else if (op == 6) {
3598                 /* default push size is 64 bit */
3599                 ot = mo_pushpop(s, dflag);
3600             }
3601         }
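             /*
              * In 64-bit mode, indirect near jumps and calls (op 2/4) are
              * always 64-bit, far ops (op 3/5) honour the data size, and
              * pushes (op 6) default to 64-bit, matching the rules encoded
              * above.
              */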
3602         if (mod != 3) {
3603             gen_lea_modrm(env, s, modrm);
3604             if (op >= 2 && op != 3 && op != 5)
3605                 gen_op_ld_v(s, ot, s->T0, s->A0);
3606         } else {
3607             gen_op_mov_v_reg(s, ot, s->T0, rm);
3608         }
3609 
3610         switch(op) {
3611         case 0: /* inc Ev */
3612             if (mod != 3)
3613                 opreg = OR_TMP0;
3614             else
3615                 opreg = rm;
3616             gen_inc(s, ot, opreg, 1);
3617             break;
3618         case 1: /* dec Ev */
3619             if (mod != 3)
3620                 opreg = OR_TMP0;
3621             else
3622                 opreg = rm;
3623             gen_inc(s, ot, opreg, -1);
3624             break;
3625         case 2: /* call Ev */
3626             /* XXX: optimize if memory (no 'and' is necessary) */
3627             if (dflag == MO_16) {
3628                 tcg_gen_ext16u_tl(s->T0, s->T0);
3629             }
3630             gen_push_v(s, eip_next_tl(s));
3631             gen_op_jmp_v(s, s->T0);
3632             gen_bnd_jmp(s);
3633             s->base.is_jmp = DISAS_JUMP;
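                 /*
                  * The call target is only known at run time, so the TB must
                  * end here; DISAS_JUMP resumes execution from the new EIP.
                  */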
3634             break;
3635         case 3: /* lcall Ev */
3636             if (mod == 3) {
3637                 goto illegal_op;
3638             }
3639             gen_op_ld_v(s, ot, s->T1, s->A0);
3640             gen_add_A0_im(s, 1 << ot);
3641             gen_op_ld_v(s, MO_16, s->T0, s->A0);
3642         do_lcall:
3643             if (PE(s) && !VM86(s)) {
3644                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3645                 gen_helper_lcall_protected(tcg_env, s->tmp2_i32, s->T1,
3646                                            tcg_constant_i32(dflag - 1),
3647                                            eip_next_tl(s));
3648             } else {
3649                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3650                 tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
3651                 gen_helper_lcall_real(tcg_env, s->tmp2_i32, s->tmp3_i32,
3652                                       tcg_constant_i32(dflag - 1),
3653                                       eip_next_i32(s));
3654             }
3655             s->base.is_jmp = DISAS_JUMP;
3656             break;
3657         case 4: /* jmp Ev */
3658             if (dflag == MO_16) {
3659                 tcg_gen_ext16u_tl(s->T0, s->T0);
3660             }
3661             gen_op_jmp_v(s, s->T0);
3662             gen_bnd_jmp(s);
3663             s->base.is_jmp = DISAS_JUMP;
3664             break;
3665         case 5: /* ljmp Ev */
3666             if (mod == 3) {
3667                 goto illegal_op;
3668             }
3669             gen_op_ld_v(s, ot, s->T1, s->A0);
3670             gen_add_A0_im(s, 1 << ot);
3671             gen_op_ld_v(s, MO_16, s->T0, s->A0);
3672         do_ljmp:
3673             if (PE(s) && !VM86(s)) {
3674                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3675                 gen_helper_ljmp_protected(tcg_env, s->tmp2_i32, s->T1,
3676                                           eip_next_tl(s));
3677             } else {
3678                 gen_op_movl_seg_T0_vm(s, R_CS);
3679                 gen_op_jmp_v(s, s->T1);
3680             }
3681             s->base.is_jmp = DISAS_JUMP;
3682             break;
3683         case 6: /* push Ev */
3684             gen_push_v(s, s->T0);
3685             break;
3686         default:
3687             goto unknown_op;
3688         }
3689         break;
3690 
3691     case 0x84: /* test Ev, Gv */
3692     case 0x85:
3693         ot = mo_b_d(b, dflag);
3694 
3695         modrm = x86_ldub_code(env, s);
3696         reg = ((modrm >> 3) & 7) | REX_R(s);
3697 
3698         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
3699         gen_op_mov_v_reg(s, ot, s->T1, reg);
3700         gen_op_testl_T0_T1_cc(s);
3701         set_cc_op(s, CC_OP_LOGICB + ot);
3702         break;
3703 
3704     case 0xa8: /* test eAX, Iv */
3705     case 0xa9:
3706         ot = mo_b_d(b, dflag);
3707         val = insn_get(env, s, ot);
3708 
3709         gen_op_mov_v_reg(s, ot, s->T0, OR_EAX);
3710         tcg_gen_movi_tl(s->T1, val);
3711         gen_op_testl_T0_T1_cc(s);
3712         set_cc_op(s, CC_OP_LOGICB + ot);
3713         break;
3714 
3715     case 0x98: /* CWDE/CBW */
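             /*
              * 0x98 sign-extends within the accumulator: cbw (AL -> AX),
              * cwde (AX -> EAX) or cdqe (EAX -> RAX), selected by the
              * operand size.
              */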
3716         switch (dflag) {
3717 #ifdef TARGET_X86_64
3718         case MO_64:
3719             gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
3720             tcg_gen_ext32s_tl(s->T0, s->T0);
3721             gen_op_mov_reg_v(s, MO_64, R_EAX, s->T0);
3722             break;
3723 #endif
3724         case MO_32:
3725             gen_op_mov_v_reg(s, MO_16, s->T0, R_EAX);
3726             tcg_gen_ext16s_tl(s->T0, s->T0);
3727             gen_op_mov_reg_v(s, MO_32, R_EAX, s->T0);
3728             break;
3729         case MO_16:
3730             gen_op_mov_v_reg(s, MO_8, s->T0, R_EAX);
3731             tcg_gen_ext8s_tl(s->T0, s->T0);
3732             gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3733             break;
3734         default:
3735             g_assert_not_reached();
3736         }
3737         break;
3738     case 0x99: /* CDQ/CWD */
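             /*
              * 0x99 broadcasts the accumulator's sign bit into the data
              * register: cwd (AX -> DX:AX), cdq (EAX -> EDX:EAX) or cqo
              * (RAX -> RDX:RAX).
              */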
3739         switch (dflag) {
3740 #ifdef TARGET_X86_64
3741         case MO_64:
3742             gen_op_mov_v_reg(s, MO_64, s->T0, R_EAX);
3743             tcg_gen_sari_tl(s->T0, s->T0, 63);
3744             gen_op_mov_reg_v(s, MO_64, R_EDX, s->T0);
3745             break;
3746 #endif
3747         case MO_32:
3748             gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
3749             tcg_gen_ext32s_tl(s->T0, s->T0);
3750             tcg_gen_sari_tl(s->T0, s->T0, 31);
3751             gen_op_mov_reg_v(s, MO_32, R_EDX, s->T0);
3752             break;
3753         case MO_16:
3754             gen_op_mov_v_reg(s, MO_16, s->T0, R_EAX);
3755             tcg_gen_ext16s_tl(s->T0, s->T0);
3756             tcg_gen_sari_tl(s->T0, s->T0, 15);
3757             gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3758             break;
3759         default:
3760             g_assert_not_reached();
3761         }
3762         break;
3763     case 0x1af: /* imul Gv, Ev */
3764     case 0x69: /* imul Gv, Ev, I */
3765     case 0x6b:
3766         ot = dflag;
3767         modrm = x86_ldub_code(env, s);
3768         reg = ((modrm >> 3) & 7) | REX_R(s);
3769         if (b == 0x69)
3770             s->rip_offset = insn_const_size(ot);
3771         else if (b == 0x6b)
3772             s->rip_offset = 1;
3773         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
3774         if (b == 0x69) {
3775             val = insn_get(env, s, ot);
3776             tcg_gen_movi_tl(s->T1, val);
3777         } else if (b == 0x6b) {
3778             val = (int8_t)insn_get(env, s, MO_8);
3779             tcg_gen_movi_tl(s->T1, val);
3780         } else {
3781             gen_op_mov_v_reg(s, ot, s->T1, reg);
3782         }
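             /*
              * Three encodings share this code: 0x69 (immediate of operand
              * size), 0x6b (sign-extended imm8) and 0f af (register/memory
              * source); they differ only in where T1 comes from.
              */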
3783         switch (ot) {
3784 #ifdef TARGET_X86_64
3785         case MO_64:
3786             tcg_gen_muls2_i64(cpu_regs[reg], s->T1, s->T0, s->T1);
3787             tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[reg]);
3788             tcg_gen_sari_tl(cpu_cc_src, cpu_cc_dst, 63);
3789             tcg_gen_sub_tl(cpu_cc_src, cpu_cc_src, s->T1);
3790             break;
3791 #endif
3792         case MO_32:
3793             tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3794             tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
3795             tcg_gen_muls2_i32(s->tmp2_i32, s->tmp3_i32,
3796                               s->tmp2_i32, s->tmp3_i32);
3797             tcg_gen_extu_i32_tl(cpu_regs[reg], s->tmp2_i32);
3798             tcg_gen_sari_i32(s->tmp2_i32, s->tmp2_i32, 31);
3799             tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[reg]);
3800             tcg_gen_sub_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
3801             tcg_gen_extu_i32_tl(cpu_cc_src, s->tmp2_i32);
3802             break;
3803         default:
3804             tcg_gen_ext16s_tl(s->T0, s->T0);
3805             tcg_gen_ext16s_tl(s->T1, s->T1);
3806             /* XXX: use 32 bit mul which could be faster */
3807             tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3808             tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3809             tcg_gen_ext16s_tl(s->tmp0, s->T0);
3810             tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
3811             gen_op_mov_reg_v(s, ot, reg, s->T0);
3812             break;
3813         }
3814         set_cc_op(s, CC_OP_MULB + ot);
3815         break;
3816     case 0x1c0:
3817     case 0x1c1: /* xadd Ev, Gv */
3818         ot = mo_b_d(b, dflag);
3819         modrm = x86_ldub_code(env, s);
3820         reg = ((modrm >> 3) & 7) | REX_R(s);
3821         mod = (modrm >> 6) & 3;
3822         gen_op_mov_v_reg(s, ot, s->T0, reg);
3823         if (mod == 3) {
3824             rm = (modrm & 7) | REX_B(s);
3825             gen_op_mov_v_reg(s, ot, s->T1, rm);
3826             tcg_gen_add_tl(s->T0, s->T0, s->T1);
3827             gen_op_mov_reg_v(s, ot, reg, s->T1);
3828             gen_op_mov_reg_v(s, ot, rm, s->T0);
3829         } else {
3830             gen_lea_modrm(env, s, modrm);
3831             if (s->prefix & PREFIX_LOCK) {
3832                 tcg_gen_atomic_fetch_add_tl(s->T1, s->A0, s->T0,
3833                                             s->mem_index, ot | MO_LE);
3834                 tcg_gen_add_tl(s->T0, s->T0, s->T1);
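                     /*
                      * fetch_add returns the old memory value, so T1 = old
                      * and T0 = old + src, giving the flags code below the
                      * same operands as the non-locked path.
                      */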
3835             } else {
3836                 gen_op_ld_v(s, ot, s->T1, s->A0);
3837                 tcg_gen_add_tl(s->T0, s->T0, s->T1);
3838                 gen_op_st_v(s, ot, s->T0, s->A0);
3839             }
3840             gen_op_mov_reg_v(s, ot, reg, s->T1);
3841         }
3842         gen_op_update2_cc(s);
3843         set_cc_op(s, CC_OP_ADDB + ot);
3844         break;
3845     case 0x1b0:
3846     case 0x1b1: /* cmpxchg Ev, Gv */
3847         {
3848             TCGv oldv, newv, cmpv, dest;
3849 
3850             ot = mo_b_d(b, dflag);
3851             modrm = x86_ldub_code(env, s);
3852             reg = ((modrm >> 3) & 7) | REX_R(s);
3853             mod = (modrm >> 6) & 3;
3854             oldv = tcg_temp_new();
3855             newv = tcg_temp_new();
3856             cmpv = tcg_temp_new();
3857             gen_op_mov_v_reg(s, ot, newv, reg);
3858             tcg_gen_mov_tl(cmpv, cpu_regs[R_EAX]);
3859             gen_extu(ot, cmpv);
3860             if (s->prefix & PREFIX_LOCK) {
3861                 if (mod == 3) {
3862                     goto illegal_op;
3863                 }
3864                 gen_lea_modrm(env, s, modrm);
3865                 tcg_gen_atomic_cmpxchg_tl(oldv, s->A0, cmpv, newv,
3866                                           s->mem_index, ot | MO_LE);
3867             } else {
3868                 if (mod == 3) {
3869                     rm = (modrm & 7) | REX_B(s);
3870                     gen_op_mov_v_reg(s, ot, oldv, rm);
3871                     gen_extu(ot, oldv);
3872 
3873                     /*
3874                      * Unlike the memory case, where "the destination operand receives
3875                      * a write cycle without regard to the result of the comparison",
3876                      * rm must not be touched at all if the write fails, including
3877                      * not zero-extending it on 64-bit processors.  So, precompute
3878                      * the result of a successful writeback and perform the movcond
3879                      * directly on cpu_regs.  The accumulator must also be written
3880                      * first, in case rm is part of RAX too.
3881                      */
3882                     dest = gen_op_deposit_reg_v(s, ot, rm, newv, newv);
3883                     tcg_gen_movcond_tl(TCG_COND_EQ, dest, oldv, cmpv, newv, dest);
3884                 } else {
3885                     gen_lea_modrm(env, s, modrm);
3886                     gen_op_ld_v(s, ot, oldv, s->A0);
3887 
3888                     /*
3889                      * Perform an unconditional store cycle like physical cpu;
3890                      * must be before changing accumulator to ensure
3891                      * idempotency if the store faults and the instruction
3892                      * is restarted
3893                      */
3894                     tcg_gen_movcond_tl(TCG_COND_EQ, newv, oldv, cmpv, newv, oldv);
3895                     gen_op_st_v(s, ot, newv, s->A0);
3896                 }
3897             }
3898             /*
3899              * Write EAX only if the cmpxchg fails; reuse newv as the destination,
3900              * since it's dead here.
3901              */
3902             dest = gen_op_deposit_reg_v(s, ot, R_EAX, newv, oldv);
3903             tcg_gen_movcond_tl(TCG_COND_EQ, dest, oldv, cmpv, dest, newv);
3904             tcg_gen_mov_tl(cpu_cc_src, oldv);
3905             tcg_gen_mov_tl(s->cc_srcT, cmpv);
3906             tcg_gen_sub_tl(cpu_cc_dst, cmpv, oldv);
3907             set_cc_op(s, CC_OP_SUBB + ot);
3908         }
3909         break;
3910     case 0x1c7: /* cmpxchg8b */
3911         modrm = x86_ldub_code(env, s);
3912         mod = (modrm >> 6) & 3;
3913         switch ((modrm >> 3) & 7) {
3914         case 1: /* CMPXCHG8B, CMPXCHG16B */
3915             if (mod == 3) {
3916                 goto illegal_op;
3917             }
3918 #ifdef TARGET_X86_64
3919             if (dflag == MO_64) {
3920                 if (!(s->cpuid_ext_features & CPUID_EXT_CX16)) {
3921                     goto illegal_op;
3922                 }
3923                 gen_cmpxchg16b(s, env, modrm);
3924                 break;
3925             }
3926 #endif
3927             if (!(s->cpuid_features & CPUID_CX8)) {
3928                 goto illegal_op;
3929             }
3930             gen_cmpxchg8b(s, env, modrm);
3931             break;
3932 
3933         case 7: /* RDSEED, RDPID with f3 prefix */
3934             if (mod != 3 ||
3935                 (s->prefix & (PREFIX_LOCK | PREFIX_REPNZ))) {
3936                 goto illegal_op;
3937             }
3938             if (s->prefix & PREFIX_REPZ) {
3939                 if (!(s->cpuid_ext_features & CPUID_7_0_ECX_RDPID)) {
3940                     goto illegal_op;
3941                 }
3942                 gen_helper_rdpid(s->T0, tcg_env);
3943                 rm = (modrm & 7) | REX_B(s);
3944                 gen_op_mov_reg_v(s, dflag, rm, s->T0);
3945                 break;
3946             } else {
3947                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_RDSEED)) {
3948                     goto illegal_op;
3949                 }
3950                 goto do_rdrand;
3951             }
3952 
3953         case 6: /* RDRAND */
3954             if (mod != 3 ||
3955                 (s->prefix & (PREFIX_LOCK | PREFIX_REPZ | PREFIX_REPNZ)) ||
3956                 !(s->cpuid_ext_features & CPUID_EXT_RDRAND)) {
3957                 goto illegal_op;
3958             }
3959         do_rdrand:
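                 /*
                  * The helper sets CF in EFLAGS itself (hence CC_OP_EFLAGS
                  * below); starting an I/O section presumably keeps icount
                  * and record/replay deterministic for the random source.
                  */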
3960             translator_io_start(&s->base);
3961             gen_helper_rdrand(s->T0, tcg_env);
3962             rm = (modrm & 7) | REX_B(s);
3963             gen_op_mov_reg_v(s, dflag, rm, s->T0);
3964             set_cc_op(s, CC_OP_EFLAGS);
3965             break;
3966 
3967         default:
3968             goto illegal_op;
3969         }
3970         break;
3971 
3972         /**************************/
3973         /* push/pop */
3974     case 0x50 ... 0x57: /* push */
3975         gen_op_mov_v_reg(s, MO_32, s->T0, (b & 7) | REX_B(s));
3976         gen_push_v(s, s->T0);
3977         break;
3978     case 0x58 ... 0x5f: /* pop */
3979         ot = gen_pop_T0(s);
3980         /* NOTE: order is important for pop %sp */
3981         gen_pop_update(s, ot);
3982         gen_op_mov_reg_v(s, ot, (b & 7) | REX_B(s), s->T0);
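             /*
              * With ESP updated first, "pop %sp/%esp" stores the value read
              * from the stack rather than the incremented stack pointer,
              * matching hardware behaviour.
              */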
3983         break;
3984     case 0x60: /* pusha */
3985         if (CODE64(s))
3986             goto illegal_op;
3987         gen_pusha(s);
3988         break;
3989     case 0x61: /* popa */
3990         if (CODE64(s))
3991             goto illegal_op;
3992         gen_popa(s);
3993         break;
3994     case 0x68: /* push Iv */
3995     case 0x6a:
3996         ot = mo_pushpop(s, dflag);
3997         if (b == 0x68)
3998             val = insn_get(env, s, ot);
3999         else
4000             val = (int8_t)insn_get(env, s, MO_8);
4001         tcg_gen_movi_tl(s->T0, val);
4002         gen_push_v(s, s->T0);
4003         break;
4004     case 0x8f: /* pop Ev */
4005         modrm = x86_ldub_code(env, s);
4006         mod = (modrm >> 6) & 3;
4007         ot = gen_pop_T0(s);
4008         if (mod == 3) {
4009             /* NOTE: order is important for pop %sp */
4010             gen_pop_update(s, ot);
4011             rm = (modrm & 7) | REX_B(s);
4012             gen_op_mov_reg_v(s, ot, rm, s->T0);
4013         } else {
4014             /* NOTE: order is important too for MMU exceptions */
4015             s->popl_esp_hack = 1 << ot;
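                 /*
                  * Hardware computes an ESP-relative destination address
                  * with ESP already incremented by the pop; since
                  * gen_pop_update runs only after the store (so a faulting
                  * store can be restarted), popl_esp_hack compensates in
                  * the address computation.
                  */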
4016             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
4017             s->popl_esp_hack = 0;
4018             gen_pop_update(s, ot);
4019         }
4020         break;
4021     case 0xc8: /* enter */
4022         {
4023             int level;
4024             val = x86_lduw_code(env, s);
4025             level = x86_ldub_code(env, s);
4026             gen_enter(s, val, level);
4027         }
4028         break;
4029     case 0xc9: /* leave */
4030         gen_leave(s);
4031         break;
4032     case 0x06: /* push es */
4033     case 0x0e: /* push cs */
4034     case 0x16: /* push ss */
4035     case 0x1e: /* push ds */
4036         if (CODE64(s))
4037             goto illegal_op;
4038         gen_op_movl_T0_seg(s, b >> 3);
4039         gen_push_v(s, s->T0);
4040         break;
4041     case 0x1a0: /* push fs */
4042     case 0x1a8: /* push gs */
4043         gen_op_movl_T0_seg(s, (b >> 3) & 7);
4044         gen_push_v(s, s->T0);
4045         break;
4046     case 0x07: /* pop es */
4047     case 0x17: /* pop ss */
4048     case 0x1f: /* pop ds */
4049         if (CODE64(s))
4050             goto illegal_op;
4051         reg = b >> 3;
4052         ot = gen_pop_T0(s);
4053         gen_movl_seg_T0(s, reg);
4054         gen_pop_update(s, ot);
4055         break;
4056     case 0x1a1: /* pop fs */
4057     case 0x1a9: /* pop gs */
4058         ot = gen_pop_T0(s);
4059         gen_movl_seg_T0(s, (b >> 3) & 7);
4060         gen_pop_update(s, ot);
4061         break;
4062 
4063         /**************************/
4064         /* mov */
4065     case 0x88:
4066     case 0x89: /* mov Gv, Ev */
4067         ot = mo_b_d(b, dflag);
4068         modrm = x86_ldub_code(env, s);
4069         reg = ((modrm >> 3) & 7) | REX_R(s);
4070 
4071         /* generate a generic store */
4072         gen_ldst_modrm(env, s, modrm, ot, reg, 1);
4073         break;
4074     case 0xc6:
4075     case 0xc7: /* mov Ev, Iv */
4076         ot = mo_b_d(b, dflag);
4077         modrm = x86_ldub_code(env, s);
4078         mod = (modrm >> 6) & 3;
4079         if (mod != 3) {
4080             s->rip_offset = insn_const_size(ot);
4081             gen_lea_modrm(env, s, modrm);
4082         }
4083         val = insn_get(env, s, ot);
4084         tcg_gen_movi_tl(s->T0, val);
4085         if (mod != 3) {
4086             gen_op_st_v(s, ot, s->T0, s->A0);
4087         } else {
4088             gen_op_mov_reg_v(s, ot, (modrm & 7) | REX_B(s), s->T0);
4089         }
4090         break;
4091     case 0x8a:
4092     case 0x8b: /* mov Ev, Gv */
4093         ot = mo_b_d(b, dflag);
4094         modrm = x86_ldub_code(env, s);
4095         reg = ((modrm >> 3) & 7) | REX_R(s);
4096 
4097         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
4098         gen_op_mov_reg_v(s, ot, reg, s->T0);
4099         break;
4100     case 0x8e: /* mov seg, Gv */
4101         modrm = x86_ldub_code(env, s);
4102         reg = (modrm >> 3) & 7;
4103         if (reg >= 6 || reg == R_CS)
4104             goto illegal_op;
4105         gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
4106         gen_movl_seg_T0(s, reg);
4107         break;
4108     case 0x8c: /* mov Gv, seg */
4109         modrm = x86_ldub_code(env, s);
4110         reg = (modrm >> 3) & 7;
4111         mod = (modrm >> 6) & 3;
4112         if (reg >= 6)
4113             goto illegal_op;
4114         gen_op_movl_T0_seg(s, reg);
4115         ot = mod == 3 ? dflag : MO_16;
4116         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
4117         break;
4118 
4119     case 0x1b6: /* movzbS Gv, Eb */
4120     case 0x1b7: /* movzwS Gv, Ew */
4121     case 0x1be: /* movsbS Gv, Eb */
4122     case 0x1bf: /* movswS Gv, Ew */
4123         {
4124             MemOp d_ot;
4125             MemOp s_ot;
4126 
4127             /* d_ot is the size of destination */
4128             d_ot = dflag;
4129             /* ot is the size of source */
4130             ot = (b & 1) + MO_8;
4131             /* s_ot is the sign+size of source */
4132             s_ot = b & 8 ? MO_SIGN | ot : ot;
4133 
4134             modrm = x86_ldub_code(env, s);
4135             reg = ((modrm >> 3) & 7) | REX_R(s);
4136             mod = (modrm >> 6) & 3;
4137             rm = (modrm & 7) | REX_B(s);
4138 
4139             if (mod == 3) {
4140                 if (s_ot == MO_SB && byte_reg_is_xH(s, rm)) {
4141                     tcg_gen_sextract_tl(s->T0, cpu_regs[rm - 4], 8, 8);
4142                 } else {
4143                     gen_op_mov_v_reg(s, ot, s->T0, rm);
4144                     switch (s_ot) {
4145                     case MO_UB:
4146                         tcg_gen_ext8u_tl(s->T0, s->T0);
4147                         break;
4148                     case MO_SB:
4149                         tcg_gen_ext8s_tl(s->T0, s->T0);
4150                         break;
4151                     case MO_UW:
4152                         tcg_gen_ext16u_tl(s->T0, s->T0);
4153                         break;
4154                     default:
4155                     case MO_SW:
4156                         tcg_gen_ext16s_tl(s->T0, s->T0);
4157                         break;
4158                     }
4159                 }
4160                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
4161             } else {
4162                 gen_lea_modrm(env, s, modrm);
4163                 gen_op_ld_v(s, s_ot, s->T0, s->A0);
4164                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
4165             }
4166         }
4167         break;
4168 
4169     case 0x8d: /* lea */
4170         modrm = x86_ldub_code(env, s);
4171         mod = (modrm >> 6) & 3;
4172         if (mod == 3)
4173             goto illegal_op;
4174         reg = ((modrm >> 3) & 7) | REX_R(s);
4175         {
4176             AddressParts a = gen_lea_modrm_0(env, s, modrm);
4177             TCGv ea = gen_lea_modrm_1(s, a, false);
4178             gen_lea_v_seg(s, s->aflag, ea, -1, -1);
4179             gen_op_mov_reg_v(s, dflag, reg, s->A0);
4180         }
4181         break;
4182 
4183     case 0xa0: /* mov EAX, Ov */
4184     case 0xa1:
4185     case 0xa2: /* mov Ov, EAX */
4186     case 0xa3:
4187         {
4188             target_ulong offset_addr;
4189 
4190             ot = mo_b_d(b, dflag);
4191             offset_addr = insn_get_addr(env, s, s->aflag);
4192             tcg_gen_movi_tl(s->A0, offset_addr);
4193             gen_add_A0_ds_seg(s);
4194             if ((b & 2) == 0) {
4195                 gen_op_ld_v(s, ot, s->T0, s->A0);
4196                 gen_op_mov_reg_v(s, ot, R_EAX, s->T0);
4197             } else {
4198                 gen_op_mov_v_reg(s, ot, s->T0, R_EAX);
4199                 gen_op_st_v(s, ot, s->T0, s->A0);
4200             }
4201         }
4202         break;
4203     case 0xd7: /* xlat */
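             /* xlat: AL = [seg:(E/R)BX + AL], with seg defaulting to DS */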
4204         tcg_gen_mov_tl(s->A0, cpu_regs[R_EBX]);
4205         tcg_gen_ext8u_tl(s->T0, cpu_regs[R_EAX]);
4206         tcg_gen_add_tl(s->A0, s->A0, s->T0);
4207         gen_add_A0_ds_seg(s);
4208         gen_op_ld_v(s, MO_8, s->T0, s->A0);
4209         gen_op_mov_reg_v(s, MO_8, R_EAX, s->T0);
4210         break;
4211     case 0xb0 ... 0xb7: /* mov R, Ib */
4212         val = insn_get(env, s, MO_8);
4213         tcg_gen_movi_tl(s->T0, val);
4214         gen_op_mov_reg_v(s, MO_8, (b & 7) | REX_B(s), s->T0);
4215         break;
4216     case 0xb8 ... 0xbf: /* mov R, Iv */
4217 #ifdef TARGET_X86_64
4218         if (dflag == MO_64) {
4219             uint64_t tmp;
4220             /* 64 bit case */
4221             tmp = x86_ldq_code(env, s);
4222             reg = (b & 7) | REX_B(s);
4223             tcg_gen_movi_tl(s->T0, tmp);
4224             gen_op_mov_reg_v(s, MO_64, reg, s->T0);
4225         } else
4226 #endif
4227         {
4228             ot = dflag;
4229             val = insn_get(env, s, ot);
4230             reg = (b & 7) | REX_B(s);
4231             tcg_gen_movi_tl(s->T0, val);
4232             gen_op_mov_reg_v(s, ot, reg, s->T0);
4233         }
4234         break;
4235 
4236     case 0x91 ... 0x97: /* xchg R, EAX */
4237     do_xchg_reg_eax:
4238         ot = dflag;
4239         reg = (b & 7) | REX_B(s);
4240         rm = R_EAX;
4241         goto do_xchg_reg;
4242     case 0x86:
4243     case 0x87: /* xchg Ev, Gv */
4244         ot = mo_b_d(b, dflag);
4245         modrm = x86_ldub_code(env, s);
4246         reg = ((modrm >> 3) & 7) | REX_R(s);
4247         mod = (modrm >> 6) & 3;
4248         if (mod == 3) {
4249             rm = (modrm & 7) | REX_B(s);
4250         do_xchg_reg:
4251             gen_op_mov_v_reg(s, ot, s->T0, reg);
4252             gen_op_mov_v_reg(s, ot, s->T1, rm);
4253             gen_op_mov_reg_v(s, ot, rm, s->T0);
4254             gen_op_mov_reg_v(s, ot, reg, s->T1);
4255         } else {
4256             gen_lea_modrm(env, s, modrm);
4257             gen_op_mov_v_reg(s, ot, s->T0, reg);
4258             /* for xchg, lock is implicit */
4259             tcg_gen_atomic_xchg_tl(s->T1, s->A0, s->T0,
4260                                    s->mem_index, ot | MO_LE);
4261             gen_op_mov_reg_v(s, ot, reg, s->T1);
4262         }
4263         break;
4264     case 0xc4: /* les Gv */
4265         /* In CODE64 this is VEX3; see above.  */
4266         op = R_ES;
4267         goto do_lxx;
4268     case 0xc5: /* lds Gv */
4269         /* In CODE64 this is VEX2; see above.  */
4270         op = R_DS;
4271         goto do_lxx;
4272     case 0x1b2: /* lss Gv */
4273         op = R_SS;
4274         goto do_lxx;
4275     case 0x1b4: /* lfs Gv */
4276         op = R_FS;
4277         goto do_lxx;
4278     case 0x1b5: /* lgs Gv */
4279         op = R_GS;
4280     do_lxx:
4281         ot = dflag != MO_16 ? MO_32 : MO_16;
4282         modrm = x86_ldub_code(env, s);
4283         reg = ((modrm >> 3) & 7) | REX_R(s);
4284         mod = (modrm >> 6) & 3;
4285         if (mod == 3)
4286             goto illegal_op;
4287         gen_lea_modrm(env, s, modrm);
4288         gen_op_ld_v(s, ot, s->T1, s->A0);
4289         gen_add_A0_im(s, 1 << ot);
4290         /* load the segment first to handle exceptions properly */
4291         gen_op_ld_v(s, MO_16, s->T0, s->A0);
4292         gen_movl_seg_T0(s, op);
4293         /* then put the data */
4294         gen_op_mov_reg_v(s, ot, reg, s->T1);
4295         break;
4296 
4297         /************************/
4298         /* shifts */
4299     case 0xc0:
4300     case 0xc1:
4301         /* shift Ev,Ib */
4302         shift = 2;
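             /*
              * grp2 dispatch: shift == 2 means the count is an immediate
              * byte, shift == 1 a constant 1 (d0/d1), shift == 0 the CL
              * register (d2/d3).
              */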
4303     grp2:
4304         {
4305             ot = mo_b_d(b, dflag);
4306             modrm = x86_ldub_code(env, s);
4307             mod = (modrm >> 6) & 3;
4308             op = (modrm >> 3) & 7;
4309 
4310             if (mod != 3) {
4311                 if (shift == 2) {
4312                     s->rip_offset = 1;
4313                 }
4314                 gen_lea_modrm(env, s, modrm);
4315                 opreg = OR_TMP0;
4316             } else {
4317                 opreg = (modrm & 7) | REX_B(s);
4318             }
4319 
4320             /* shift count: CL, the constant 1, or an immediate byte */
4321             if (shift == 0) {
4322                 gen_shift(s, op, ot, opreg, OR_ECX);
4323             } else {
4324                 if (shift == 2) {
4325                     shift = x86_ldub_code(env, s);
4326                 }
4327                 gen_shifti(s, op, ot, opreg, shift);
4328             }
4329         }
4330         break;
4331     case 0xd0:
4332     case 0xd1:
4333         /* shift Ev,1 */
4334         shift = 1;
4335         goto grp2;
4336     case 0xd2:
4337     case 0xd3:
4338         /* shift Ev,cl */
4339         shift = 0;
4340         goto grp2;
4341 
4342     case 0x1a4: /* shld imm */
4343         op = 0;
4344         shift = 1;
4345         goto do_shiftd;
4346     case 0x1a5: /* shld cl */
4347         op = 0;
4348         shift = 0;
4349         goto do_shiftd;
4350     case 0x1ac: /* shrd imm */
4351         op = 1;
4352         shift = 1;
4353         goto do_shiftd;
4354     case 0x1ad: /* shrd cl */
4355         op = 1;
4356         shift = 0;
4357     do_shiftd:
4358         ot = dflag;
4359         modrm = x86_ldub_code(env, s);
4360         mod = (modrm >> 6) & 3;
4361         rm = (modrm & 7) | REX_B(s);
4362         reg = ((modrm >> 3) & 7) | REX_R(s);
4363         if (mod != 3) {
4364             gen_lea_modrm(env, s, modrm);
4365             opreg = OR_TMP0;
4366         } else {
4367             opreg = rm;
4368         }
4369         gen_op_mov_v_reg(s, ot, s->T1, reg);
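             /*
              * For shld/shrd, T1 (Gv) supplies the bits shifted in at the
              * other end of the operand; op selects the direction
              * (0 = shld, 1 = shrd).
              */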
4370 
4371         if (shift) {
4372             TCGv imm = tcg_constant_tl(x86_ldub_code(env, s));
4373             gen_shiftd_rm_T1(s, ot, opreg, op, imm);
4374         } else {
4375             gen_shiftd_rm_T1(s, ot, opreg, op, cpu_regs[R_ECX]);
4376         }
4377         break;
4378 
4379         /************************/
4380         /* floats */
4381     case 0xd8 ... 0xdf:
4382         {
4383             bool update_fip = true;
4384 
4385             if (s->flags & (HF_EM_MASK | HF_TS_MASK)) {
4386                 /* if CR0.EM or CR0.TS are set, generate an FPU exception */
4387                 /* XXX: what to do if illegal op? */
4388                 gen_exception(s, EXCP07_PREX);
4389                 break;
4390             }
4391             modrm = x86_ldub_code(env, s);
4392             mod = (modrm >> 6) & 3;
4393             rm = modrm & 7;
4394             op = ((b & 7) << 3) | ((modrm >> 3) & 7);
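                 /*
                  * op packs the low three opcode bits with the modrm reg
                  * field, e.g. d8 -> 0x00..0x07 and d9 -> 0x08..0x0f in
                  * the switches below.
                  */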
4395             if (mod != 3) {
4396                 /* memory op */
4397                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
4398                 TCGv ea = gen_lea_modrm_1(s, a, false);
4399                 TCGv last_addr = tcg_temp_new();
4400                 bool update_fdp = true;
4401 
4402                 tcg_gen_mov_tl(last_addr, ea);
4403                 gen_lea_v_seg(s, s->aflag, ea, a.def_seg, s->override);
4404 
4405                 switch (op) {
4406                 case 0x00 ... 0x07: /* fxxxs */
4407                 case 0x10 ... 0x17: /* fixxxl */
4408                 case 0x20 ... 0x27: /* fxxxl */
4409                 case 0x30 ... 0x37: /* fixxx */
4410                     {
4411                         int op1;
4412                         op1 = op & 7;
4413 
4414                         switch (op >> 4) {
4415                         case 0:
4416                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4417                                                 s->mem_index, MO_LEUL);
4418                             gen_helper_flds_FT0(tcg_env, s->tmp2_i32);
4419                             break;
4420                         case 1:
4421                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4422                                                 s->mem_index, MO_LEUL);
4423                             gen_helper_fildl_FT0(tcg_env, s->tmp2_i32);
4424                             break;
4425                         case 2:
4426                             tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4427                                                 s->mem_index, MO_LEUQ);
4428                             gen_helper_fldl_FT0(tcg_env, s->tmp1_i64);
4429                             break;
4430                         case 3:
4431                         default:
4432                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4433                                                 s->mem_index, MO_LESW);
4434                             gen_helper_fildl_FT0(tcg_env, s->tmp2_i32);
4435                             break;
4436                         }
4437 
4438                         gen_helper_fp_arith_ST0_FT0(op1);
4439                         if (op1 == 3) {
4440                             /* fcomp needs pop */
4441                             gen_helper_fpop(tcg_env);
4442                         }
4443                     }
4444                     break;
4445                 case 0x08: /* flds */
4446                 case 0x0a: /* fsts */
4447                 case 0x0b: /* fstps */
4448                 case 0x18 ... 0x1b: /* fildl, fisttpl, fistl, fistpl */
4449                 case 0x28 ... 0x2b: /* fldl, fisttpll, fstl, fstpl */
4450                 case 0x38 ... 0x3b: /* filds, fisttps, fists, fistps */
4451                     switch (op & 7) {
4452                     case 0:
4453                         switch (op >> 4) {
4454                         case 0:
4455                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4456                                                 s->mem_index, MO_LEUL);
4457                             gen_helper_flds_ST0(tcg_env, s->tmp2_i32);
4458                             break;
4459                         case 1:
4460                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4461                                                 s->mem_index, MO_LEUL);
4462                             gen_helper_fildl_ST0(tcg_env, s->tmp2_i32);
4463                             break;
4464                         case 2:
4465                             tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4466                                                 s->mem_index, MO_LEUQ);
4467                             gen_helper_fldl_ST0(tcg_env, s->tmp1_i64);
4468                             break;
4469                         case 3:
4470                         default:
4471                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4472                                                 s->mem_index, MO_LESW);
4473                             gen_helper_fildl_ST0(tcg_env, s->tmp2_i32);
4474                             break;
4475                         }
4476                         break;
4477                     case 1:
4478                         /* XXX: the corresponding CPUID bit must be tested! */
4479                         switch (op >> 4) {
4480                         case 1:
4481                             gen_helper_fisttl_ST0(s->tmp2_i32, tcg_env);
4482                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4483                                                 s->mem_index, MO_LEUL);
4484                             break;
4485                         case 2:
4486                             gen_helper_fisttll_ST0(s->tmp1_i64, tcg_env);
4487                             tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4488                                                 s->mem_index, MO_LEUQ);
4489                             break;
4490                         case 3:
4491                         default:
4492                             gen_helper_fistt_ST0(s->tmp2_i32, tcg_env);
4493                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4494                                                 s->mem_index, MO_LEUW);
4495                             break;
4496                         }
4497                         gen_helper_fpop(tcg_env);
4498                         break;
4499                     default:
4500                         switch (op >> 4) {
4501                         case 0:
4502                             gen_helper_fsts_ST0(s->tmp2_i32, tcg_env);
4503                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4504                                                 s->mem_index, MO_LEUL);
4505                             break;
4506                         case 1:
4507                             gen_helper_fistl_ST0(s->tmp2_i32, tcg_env);
4508                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4509                                                 s->mem_index, MO_LEUL);
4510                             break;
4511                         case 2:
4512                             gen_helper_fstl_ST0(s->tmp1_i64, tcg_env);
4513                             tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4514                                                 s->mem_index, MO_LEUQ);
4515                             break;
4516                         case 3:
4517                         default:
4518                             gen_helper_fist_ST0(s->tmp2_i32, tcg_env);
4519                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4520                                                 s->mem_index, MO_LEUW);
4521                             break;
4522                         }
4523                         if ((op & 7) == 3) {
4524                             gen_helper_fpop(tcg_env);
4525                         }
4526                         break;
4527                     }
4528                     break;
4529                 case 0x0c: /* fldenv mem */
4530                     gen_helper_fldenv(tcg_env, s->A0,
4531                                       tcg_constant_i32(dflag - 1));
4532                     update_fip = update_fdp = false;
4533                     break;
4534                 case 0x0d: /* fldcw mem */
4535                     tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4536                                         s->mem_index, MO_LEUW);
4537                     gen_helper_fldcw(tcg_env, s->tmp2_i32);
4538                     update_fip = update_fdp = false;
4539                     break;
4540                 case 0x0e: /* fnstenv mem */
4541                     gen_helper_fstenv(tcg_env, s->A0,
4542                                       tcg_constant_i32(dflag - 1));
4543                     update_fip = update_fdp = false;
4544                     break;
4545                 case 0x0f: /* fnstcw mem */
4546                     gen_helper_fnstcw(s->tmp2_i32, tcg_env);
4547                     tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4548                                         s->mem_index, MO_LEUW);
4549                     update_fip = update_fdp = false;
4550                     break;
4551                 case 0x1d: /* fldt mem */
4552                     gen_helper_fldt_ST0(tcg_env, s->A0);
4553                     break;
4554                 case 0x1f: /* fstpt mem */
4555                     gen_helper_fstt_ST0(tcg_env, s->A0);
4556                     gen_helper_fpop(tcg_env);
4557                     break;
4558                 case 0x2c: /* frstor mem */
4559                     gen_helper_frstor(tcg_env, s->A0,
4560                                       tcg_constant_i32(dflag - 1));
4561                     update_fip = update_fdp = false;
4562                     break;
4563                 case 0x2e: /* fnsave mem */
4564                     gen_helper_fsave(tcg_env, s->A0,
4565                                      tcg_constant_i32(dflag - 1));
4566                     update_fip = update_fdp = false;
4567                     break;
4568                 case 0x2f: /* fnstsw mem */
4569                     gen_helper_fnstsw(s->tmp2_i32, tcg_env);
4570                     tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4571                                         s->mem_index, MO_LEUW);
4572                     update_fip = update_fdp = false;
4573                     break;
4574                 case 0x3c: /* fbld */
4575                     gen_helper_fbld_ST0(tcg_env, s->A0);
4576                     break;
4577                 case 0x3e: /* fbstp */
4578                     gen_helper_fbst_ST0(tcg_env, s->A0);
4579                     gen_helper_fpop(tcg_env);
4580                     break;
4581                 case 0x3d: /* fildll */
4582                     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4583                                         s->mem_index, MO_LEUQ);
4584                     gen_helper_fildll_ST0(tcg_env, s->tmp1_i64);
4585                     break;
4586                 case 0x3f: /* fistpll */
4587                     gen_helper_fistll_ST0(s->tmp1_i64, tcg_env);
4588                     tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4589                                         s->mem_index, MO_LEUQ);
4590                     gen_helper_fpop(tcg_env);
4591                     break;
4592                 default:
4593                     goto unknown_op;
4594                 }
4595 
4596                 if (update_fdp) {
4597                     int last_seg = s->override >= 0 ? s->override : a.def_seg;
4598 
4599                     tcg_gen_ld_i32(s->tmp2_i32, tcg_env,
4600                                    offsetof(CPUX86State,
4601                                             segs[last_seg].selector));
4602                     tcg_gen_st16_i32(s->tmp2_i32, tcg_env,
4603                                      offsetof(CPUX86State, fpds));
4604                     tcg_gen_st_tl(last_addr, tcg_env,
4605                                   offsetof(CPUX86State, fpdp));
4606                 }
4607             } else {
4608                 /* register float ops */
4609                 opreg = rm;
4610 
4611                 switch (op) {
4612                 case 0x08: /* fld sti */
4613                     gen_helper_fpush(tcg_env);
4614                     gen_helper_fmov_ST0_STN(tcg_env,
4615                                             tcg_constant_i32((opreg + 1) & 7));
4616                     break;
4617                 case 0x09: /* fxchg sti */
4618                 case 0x29: /* fxchg4 sti, undocumented op */
4619                 case 0x39: /* fxchg7 sti, undocumented op */
4620                     gen_helper_fxchg_ST0_STN(tcg_env, tcg_constant_i32(opreg));
4621                     break;
4622                 case 0x0a: /* grp d9/2 */
4623                     switch (rm) {
4624                     case 0: /* fnop */
4625                         /*
4626                          * fnop checks exceptions (the FreeBSD FPU probe);
4627                          * it needs to be treated as I/O because of ferr_irq.
4628                          */
4629                         translator_io_start(&s->base);
4630                         gen_helper_fwait(tcg_env);
4631                         update_fip = false;
4632                         break;
4633                     default:
4634                         goto unknown_op;
4635                     }
4636                     break;
4637                 case 0x0c: /* grp d9/4 */
4638                     switch (rm) {
4639                     case 0: /* fchs */
4640                         gen_helper_fchs_ST0(tcg_env);
4641                         break;
4642                     case 1: /* fabs */
4643                         gen_helper_fabs_ST0(tcg_env);
4644                         break;
4645                     case 4: /* ftst */
4646                         gen_helper_fldz_FT0(tcg_env);
4647                         gen_helper_fcom_ST0_FT0(tcg_env);
4648                         break;
4649                     case 5: /* fxam */
4650                         gen_helper_fxam_ST0(tcg_env);
4651                         break;
4652                     default:
4653                         goto unknown_op;
4654                     }
4655                     break;
4656                 case 0x0d: /* grp d9/5 */
4657                     {
4658                         switch (rm) {
4659                         case 0:
4660                             gen_helper_fpush(tcg_env);
4661                             gen_helper_fld1_ST0(tcg_env);
4662                             break;
4663                         case 1:
4664                             gen_helper_fpush(tcg_env);
4665                             gen_helper_fldl2t_ST0(tcg_env);
4666                             break;
4667                         case 2:
4668                             gen_helper_fpush(tcg_env);
4669                             gen_helper_fldl2e_ST0(tcg_env);
4670                             break;
4671                         case 3:
4672                             gen_helper_fpush(tcg_env);
4673                             gen_helper_fldpi_ST0(tcg_env);
4674                             break;
4675                         case 4:
4676                             gen_helper_fpush(tcg_env);
4677                             gen_helper_fldlg2_ST0(tcg_env);
4678                             break;
4679                         case 5:
4680                             gen_helper_fpush(tcg_env);
4681                             gen_helper_fldln2_ST0(tcg_env);
4682                             break;
4683                         case 6:
4684                             gen_helper_fpush(tcg_env);
4685                             gen_helper_fldz_ST0(tcg_env);
4686                             break;
4687                         default:
4688                             goto unknown_op;
4689                         }
4690                     }
4691                     break;
4692                 case 0x0e: /* grp d9/6 */
4693                     switch (rm) {
4694                     case 0: /* f2xm1 */
4695                         gen_helper_f2xm1(tcg_env);
4696                         break;
4697                     case 1: /* fyl2x */
4698                         gen_helper_fyl2x(tcg_env);
4699                         break;
4700                     case 2: /* fptan */
4701                         gen_helper_fptan(tcg_env);
4702                         break;
4703                     case 3: /* fpatan */
4704                         gen_helper_fpatan(tcg_env);
4705                         break;
4706                     case 4: /* fxtract */
4707                         gen_helper_fxtract(tcg_env);
4708                         break;
4709                     case 5: /* fprem1 */
4710                         gen_helper_fprem1(tcg_env);
4711                         break;
4712                     case 6: /* fdecstp */
4713                         gen_helper_fdecstp(tcg_env);
4714                         break;
4715                     default:
4716                     case 7: /* fincstp */
4717                         gen_helper_fincstp(tcg_env);
4718                         break;
4719                     }
4720                     break;
4721                 case 0x0f: /* grp d9/7 */
4722                     switch (rm) {
4723                     case 0: /* fprem */
4724                         gen_helper_fprem(tcg_env);
4725                         break;
4726                     case 1: /* fyl2xp1 */
4727                         gen_helper_fyl2xp1(tcg_env);
4728                         break;
4729                     case 2: /* fsqrt */
4730                         gen_helper_fsqrt(tcg_env);
4731                         break;
4732                     case 3: /* fsincos */
4733                         gen_helper_fsincos(tcg_env);
4734                         break;
4735                     case 5: /* fscale */
4736                         gen_helper_fscale(tcg_env);
4737                         break;
4738                     case 4: /* frndint */
4739                         gen_helper_frndint(tcg_env);
4740                         break;
4741                     case 6: /* fsin */
4742                         gen_helper_fsin(tcg_env);
4743                         break;
4744                     default:
4745                     case 7: /* fcos */
4746                         gen_helper_fcos(tcg_env);
4747                         break;
4748                     }
4749                     break;
4750                 case 0x00: case 0x01: case 0x04 ... 0x07: /* fxxx st, sti */
4751                 case 0x20: case 0x21: case 0x24 ... 0x27: /* fxxx sti, st */
4752                 case 0x30: case 0x31: case 0x34 ... 0x37: /* fxxxp sti, st */
4753                     {
4754                         int op1;
4755 
4756                         op1 = op & 7;
4757                         if (op >= 0x20) {
4758                             gen_helper_fp_arith_STN_ST0(op1, opreg);
4759                             if (op >= 0x30) {
4760                                 gen_helper_fpop(tcg_env);
4761                             }
4762                         } else {
4763                             gen_helper_fmov_FT0_STN(tcg_env,
4764                                                     tcg_constant_i32(opreg));
4765                             gen_helper_fp_arith_ST0_FT0(op1);
4766                         }
4767                     }
4768                     break;
4769                 case 0x02: /* fcom */
4770                 case 0x22: /* fcom2, undocumented op */
4771                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4772                     gen_helper_fcom_ST0_FT0(tcg_env);
4773                     break;
4774                 case 0x03: /* fcomp */
4775                 case 0x23: /* fcomp3, undocumented op */
4776                 case 0x32: /* fcomp5, undocumented op */
4777                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4778                     gen_helper_fcom_ST0_FT0(tcg_env);
4779                     gen_helper_fpop(tcg_env);
4780                     break;
4781                 case 0x15: /* da/5 */
4782                     switch (rm) {
4783                     case 1: /* fucompp */
4784                         gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(1));
4785                         gen_helper_fucom_ST0_FT0(tcg_env);
4786                         gen_helper_fpop(tcg_env);
4787                         gen_helper_fpop(tcg_env);
4788                         break;
4789                     default:
4790                         goto unknown_op;
4791                     }
4792                     break;
4793                 case 0x1c:
4794                     switch (rm) {
4795                     case 0: /* feni (287 only, just do nop here) */
4796                         break;
4797                     case 1: /* fdisi (287 only, just do nop here) */
4798                         break;
4799                     case 2: /* fclex */
4800                         gen_helper_fclex(tcg_env);
4801                         update_fip = false;
4802                         break;
4803                     case 3: /* fninit */
4804                         gen_helper_fninit(tcg_env);
4805                         update_fip = false;
4806                         break;
4807                     case 4: /* fsetpm (287 only, just do nop here) */
4808                         break;
4809                     default:
4810                         goto unknown_op;
4811                     }
4812                     break;
4813                 case 0x1d: /* fucomi */
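                    /* FUCOMI/FCOMI arrived with the P6 family and are
                       advertised by the same CPUID bit as CMOV, hence
                       the feature check below.  */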
4814                     if (!(s->cpuid_features & CPUID_CMOV)) {
4815                         goto illegal_op;
4816                     }
4817                     gen_update_cc_op(s);
4818                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4819                     gen_helper_fucomi_ST0_FT0(tcg_env);
4820                     set_cc_op(s, CC_OP_EFLAGS);
4821                     break;
4822                 case 0x1e: /* fcomi */
4823                     if (!(s->cpuid_features & CPUID_CMOV)) {
4824                         goto illegal_op;
4825                     }
4826                     gen_update_cc_op(s);
4827                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4828                     gen_helper_fcomi_ST0_FT0(tcg_env);
4829                     set_cc_op(s, CC_OP_EFLAGS);
4830                     break;
4831                 case 0x28: /* ffree sti */
4832                     gen_helper_ffree_STN(tcg_env, tcg_constant_i32(opreg));
4833                     break;
4834                 case 0x2a: /* fst sti */
4835                     gen_helper_fmov_STN_ST0(tcg_env, tcg_constant_i32(opreg));
4836                     break;
4837                 case 0x2b: /* fstp sti */
4838                 case 0x0b: /* fstp1 sti, undocumented op */
4839                 case 0x3a: /* fstp8 sti, undocumented op */
4840                 case 0x3b: /* fstp9 sti, undocumented op */
4841                     gen_helper_fmov_STN_ST0(tcg_env, tcg_constant_i32(opreg));
4842                     gen_helper_fpop(tcg_env);
4843                     break;
4844                 case 0x2c: /* fucom st(i) */
4845                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4846                     gen_helper_fucom_ST0_FT0(tcg_env);
4847                     break;
4848                 case 0x2d: /* fucomp st(i) */
4849                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4850                     gen_helper_fucom_ST0_FT0(tcg_env);
4851                     gen_helper_fpop(tcg_env);
4852                     break;
4853                 case 0x33: /* de/3 */
4854                     switch (rm) {
4855                     case 1: /* fcompp */
4856                         gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(1));
4857                         gen_helper_fcom_ST0_FT0(tcg_env);
4858                         gen_helper_fpop(tcg_env);
4859                         gen_helper_fpop(tcg_env);
4860                         break;
4861                     default:
4862                         goto unknown_op;
4863                     }
4864                     break;
4865                 case 0x38: /* ffreep sti, undocumented op */
4866                     gen_helper_ffree_STN(tcg_env, tcg_constant_i32(opreg));
4867                     gen_helper_fpop(tcg_env);
4868                     break;
4869                 case 0x3c: /* df/4 */
4870                     switch (rm) {
4871                     case 0:
4872                         gen_helper_fnstsw(s->tmp2_i32, tcg_env);
4873                         tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
4874                         gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
4875                         break;
4876                     default:
4877                         goto unknown_op;
4878                     }
4879                     break;
4880                 case 0x3d: /* fucomip */
4881                     if (!(s->cpuid_features & CPUID_CMOV)) {
4882                         goto illegal_op;
4883                     }
4884                     gen_update_cc_op(s);
4885                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4886                     gen_helper_fucomi_ST0_FT0(tcg_env);
4887                     gen_helper_fpop(tcg_env);
4888                     set_cc_op(s, CC_OP_EFLAGS);
4889                     break;
4890                 case 0x3e: /* fcomip */
4891                     if (!(s->cpuid_features & CPUID_CMOV)) {
4892                         goto illegal_op;
4893                     }
4894                     gen_update_cc_op(s);
4895                     gen_helper_fmov_FT0_STN(tcg_env, tcg_constant_i32(opreg));
4896                     gen_helper_fcomi_ST0_FT0(tcg_env);
4897                     gen_helper_fpop(tcg_env);
4898                     set_cc_op(s, CC_OP_EFLAGS);
4899                     break;
4900                 case 0x10 ... 0x13: /* fcmovxx */
4901                 case 0x18 ... 0x1b:
4902                     {
4903                         int op1;
4904                         TCGLabel *l1;
4905                         static const uint8_t fcmov_cc[8] = {
4906                             (JCC_B << 1),
4907                             (JCC_Z << 1),
4908                             (JCC_BE << 1),
4909                             (JCC_P << 1),
4910                         };
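                        /* Bit 3 of the opcode selects the negated form of
                           the base condition (B, Z, BE, P); xor'ing it into
                           the low bit makes the branch below skip the fmov
                           exactly when the fcmov condition is false.  */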
4911 
4912                         if (!(s->cpuid_features & CPUID_CMOV)) {
4913                             goto illegal_op;
4914                         }
4915                         op1 = fcmov_cc[op & 3] | (((op >> 3) & 1) ^ 1);
4916                         l1 = gen_new_label();
4917                         gen_jcc1_noeob(s, op1, l1);
4918                         gen_helper_fmov_ST0_STN(tcg_env,
4919                                                 tcg_constant_i32(opreg));
4920                         gen_set_label(l1);
4921                     }
4922                     break;
4923                 default:
4924                     goto unknown_op;
4925                 }
4926             }
4927 
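            /* Record this insn's CS:EIP as the x87 last-instruction
               pointer (FCS/FIP), which fnstenv/fsave later expose; the
               control ops above (fclex/fninit) cleared update_fip.  */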
4928             if (update_fip) {
4929                 tcg_gen_ld_i32(s->tmp2_i32, tcg_env,
4930                                offsetof(CPUX86State, segs[R_CS].selector));
4931                 tcg_gen_st16_i32(s->tmp2_i32, tcg_env,
4932                                  offsetof(CPUX86State, fpcs));
4933                 tcg_gen_st_tl(eip_cur_tl(s),
4934                               tcg_env, offsetof(CPUX86State, fpip));
4935             }
4936         }
4937         break;
4938         /************************/
4939         /* string ops */
4940 
4941     case 0xa4: /* movsS */
4942     case 0xa5:
4943         ot = mo_b_d(b, dflag);
4944         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4945             gen_repz_movs(s, ot);
4946         } else {
4947             gen_movs(s, ot);
4948         }
4949         break;
4950 
4951     case 0xaa: /* stosS */
4952     case 0xab:
4953         ot = mo_b_d(b, dflag);
4954         gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
4955         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4956             gen_repz_stos(s, ot);
4957         } else {
4958             gen_stos(s, ot);
4959         }
4960         break;
4961     case 0xac: /* lodsS */
4962     case 0xad:
4963         ot = mo_b_d(b, dflag);
4964         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4965             gen_repz_lods(s, ot);
4966         } else {
4967             gen_lods(s, ot);
4968         }
4969         break;
4970     case 0xae: /* scasS */
4971     case 0xaf:
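        /* SCAS compares on every iteration, so REPZ and REPNZ terminate
           on opposite ZF values and must be distinguished, unlike
           MOVS/STOS/LODS above.  */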
4972         ot = mo_b_d(b, dflag);
4973         gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
4974         if (prefixes & PREFIX_REPNZ) {
4975             gen_repz_scas(s, ot, 1);
4976         } else if (prefixes & PREFIX_REPZ) {
4977             gen_repz_scas(s, ot, 0);
4978         } else {
4979             gen_scas(s, ot);
4980         }
4981         break;
4982 
4983     case 0xa6: /* cmpsS */
4984     case 0xa7:
4985         ot = mo_b_d(b, dflag);
4986         if (prefixes & PREFIX_REPNZ) {
4987             gen_repz_cmps(s, ot, 1);
4988         } else if (prefixes & PREFIX_REPZ) {
4989             gen_repz_cmps(s, ot, 0);
4990         } else {
4991             gen_cmps(s, ot);
4992         }
4993         break;
4994     case 0x6c: /* insS */
4995     case 0x6d:
4996         ot = mo_b_d32(b, dflag);
4997         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
4998         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
4999         if (!gen_check_io(s, ot, s->tmp2_i32,
5000                           SVM_IOIO_TYPE_MASK | SVM_IOIO_STR_MASK)) {
5001             break;
5002         }
5003         translator_io_start(&s->base);
5004         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
5005             gen_repz_ins(s, ot);
5006         } else {
5007             gen_ins(s, ot);
5008         }
5009         break;
5010     case 0x6e: /* outsS */
5011     case 0x6f:
5012         ot = mo_b_d32(b, dflag);
5013         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
5014         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
5015         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_STR_MASK)) {
5016             break;
5017         }
5018         translator_io_start(&s->base);
5019         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
5020             gen_repz_outs(s, ot);
5021         } else {
5022             gen_outs(s, ot);
5023         }
5024         break;
5025 
5026         /************************/
5027         /* port I/O */
5028 
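    /* Every port access below funnels through gen_check_io, which applies
       the IOPL/TSS permission check and the SVM IOIO intercept before any
       helper touches the device.  */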
5029     case 0xe4:
5030     case 0xe5:
5031         ot = mo_b_d32(b, dflag);
5032         val = x86_ldub_code(env, s);
5033         tcg_gen_movi_i32(s->tmp2_i32, val);
5034         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_TYPE_MASK)) {
5035             break;
5036         }
5037         translator_io_start(&s->base);
5038         gen_helper_in_func(ot, s->T1, s->tmp2_i32);
5039         gen_op_mov_reg_v(s, ot, R_EAX, s->T1);
5040         gen_bpt_io(s, s->tmp2_i32, ot);
5041         break;
5042     case 0xe6:
5043     case 0xe7:
5044         ot = mo_b_d32(b, dflag);
5045         val = x86_ldub_code(env, s);
5046         tcg_gen_movi_i32(s->tmp2_i32, val);
5047         if (!gen_check_io(s, ot, s->tmp2_i32, 0)) {
5048             break;
5049         }
5050         translator_io_start(&s->base);
5051         gen_op_mov_v_reg(s, ot, s->T1, R_EAX);
5052         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
5053         gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
5054         gen_bpt_io(s, s->tmp2_i32, ot);
5055         break;
5056     case 0xec:
5057     case 0xed:
5058         ot = mo_b_d32(b, dflag);
5059         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
5060         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
5061         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_TYPE_MASK)) {
5062             break;
5063         }
5064         translator_io_start(&s->base);
5065         gen_helper_in_func(ot, s->T1, s->tmp2_i32);
5066         gen_op_mov_reg_v(s, ot, R_EAX, s->T1);
5067         gen_bpt_io(s, s->tmp2_i32, ot);
5068         break;
5069     case 0xee:
5070     case 0xef:
5071         ot = mo_b_d32(b, dflag);
5072         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
5073         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
5074         if (!gen_check_io(s, ot, s->tmp2_i32, 0)) {
5075             break;
5076         }
5077         translator_io_start(&s->base);
5078         gen_op_mov_v_reg(s, ot, s->T1, R_EAX);
5079         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
5080         gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
5081         gen_bpt_io(s, s->tmp2_i32, ot);
5082         break;
5083 
5084         /************************/
5085         /* control */
5086     case 0xc2: /* ret im */
5087         val = x86_ldsw_code(env, s);
5088         ot = gen_pop_T0(s);
5089         gen_stack_update(s, val + (1 << ot));
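        /* SP moves past the popped return address plus val extra bytes. */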
5090         /* Note that gen_pop_T0 uses a zero-extending load.  */
5091         gen_op_jmp_v(s, s->T0);
5092         gen_bnd_jmp(s);
5093         s->base.is_jmp = DISAS_JUMP;
5094         break;
5095     case 0xc3: /* ret */
5096         ot = gen_pop_T0(s);
5097         gen_pop_update(s, ot);
5098         /* Note that gen_pop_T0 uses a zero-extending load.  */
5099         gen_op_jmp_v(s, s->T0);
5100         gen_bnd_jmp(s);
5101         s->base.is_jmp = DISAS_JUMP;
5102         break;
5103     case 0xca: /* lret im */
5104         val = x86_ldsw_code(env, s);
5105     do_lret:
5106         if (PE(s) && !VM86(s)) {
5107             gen_update_cc_op(s);
5108             gen_update_eip_cur(s);
5109             gen_helper_lret_protected(tcg_env, tcg_constant_i32(dflag - 1),
5110                                       tcg_constant_i32(val));
5111         } else {
5112             gen_stack_A0(s);
5113             /* pop offset */
5114             gen_op_ld_v(s, dflag, s->T0, s->A0);
5115             /* NOTE: keeping EIP updated is not a problem even if an
5116                exception is raised here */
5117             gen_op_jmp_v(s, s->T0);
5118             /* pop selector */
5119             gen_add_A0_im(s, 1 << dflag);
5120             gen_op_ld_v(s, dflag, s->T0, s->A0);
5121             gen_op_movl_seg_T0_vm(s, R_CS);
5122             /* add stack offset */
5123             gen_stack_update(s, val + (2 << dflag));
5124         }
5125         s->base.is_jmp = DISAS_EOB_ONLY;
5126         break;
5127     case 0xcb: /* lret */
5128         val = 0;
5129         goto do_lret;
5130     case 0xcf: /* iret */
5131         gen_svm_check_intercept(s, SVM_EXIT_IRET);
5132         if (!PE(s) || VM86(s)) {
5133             /* real mode or vm86 mode */
5134             if (!check_vm86_iopl(s)) {
5135                 break;
5136             }
5137             gen_helper_iret_real(tcg_env, tcg_constant_i32(dflag - 1));
5138         } else {
5139             gen_helper_iret_protected(tcg_env, tcg_constant_i32(dflag - 1),
5140                                       eip_next_i32(s));
5141         }
5142         set_cc_op(s, CC_OP_EFLAGS);
5143         s->base.is_jmp = DISAS_EOB_ONLY;
5144         break;
5145     case 0xe8: /* call im */
5146         {
5147             int diff = (dflag != MO_16
5148                         ? (int32_t)insn_get(env, s, MO_32)
5149                         : (int16_t)insn_get(env, s, MO_16));
5150             gen_push_v(s, eip_next_tl(s));
5151             gen_bnd_jmp(s);
5152             gen_jmp_rel(s, dflag, diff, 0);
5153         }
5154         break;
5155     case 0x9a: /* lcall im */
5156         {
5157             unsigned int selector, offset;
5158 
5159             if (CODE64(s))
5160                 goto illegal_op;
5161             ot = dflag;
5162             offset = insn_get(env, s, ot);
5163             selector = insn_get(env, s, MO_16);
5164 
5165             tcg_gen_movi_tl(s->T0, selector);
5166             tcg_gen_movi_tl(s->T1, offset);
5167         }
5168         goto do_lcall;
5169     case 0xe9: /* jmp im */
5170         {
5171             int diff = (dflag != MO_16
5172                         ? (int32_t)insn_get(env, s, MO_32)
5173                         : (int16_t)insn_get(env, s, MO_16));
5174             gen_bnd_jmp(s);
5175             gen_jmp_rel(s, dflag, diff, 0);
5176         }
5177         break;
5178     case 0xea: /* ljmp im */
5179         {
5180             unsigned int selector, offset;
5181 
5182             if (CODE64(s))
5183                 goto illegal_op;
5184             ot = dflag;
5185             offset = insn_get(env, s, ot);
5186             selector = insn_get(env, s, MO_16);
5187 
5188             tcg_gen_movi_tl(s->T0, selector);
5189             tcg_gen_movi_tl(s->T1, offset);
5190         }
5191         goto do_ljmp;
5192     case 0xeb: /* jmp Jb */
5193         {
5194             int diff = (int8_t)insn_get(env, s, MO_8);
5195             gen_jmp_rel(s, dflag, diff, 0);
5196         }
5197         break;
5198     case 0x70 ... 0x7f: /* jcc Jb */
5199         {
5200             int diff = (int8_t)insn_get(env, s, MO_8);
5201             gen_bnd_jmp(s);
5202             gen_jcc(s, b, diff);
5203         }
5204         break;
5205     case 0x180 ... 0x18f: /* jcc Jv */
5206         {
5207             int diff = (dflag != MO_16
5208                         ? (int32_t)insn_get(env, s, MO_32)
5209                         : (int16_t)insn_get(env, s, MO_16));
5210             gen_bnd_jmp(s);
5211             gen_jcc(s, b, diff);
5212         }
5213         break;
5214 
5215     case 0x190 ... 0x19f: /* setcc Gv */
5216         modrm = x86_ldub_code(env, s);
5217         gen_setcc1(s, b, s->T0);
5218         gen_ldst_modrm(env, s, modrm, MO_8, OR_TMP0, 1);
5219         break;
5220     case 0x140 ... 0x14f: /* cmov Gv, Ev */
5221         if (!(s->cpuid_features & CPUID_CMOV)) {
5222             goto illegal_op;
5223         }
5224         ot = dflag;
5225         modrm = x86_ldub_code(env, s);
5226         reg = ((modrm >> 3) & 7) | REX_R(s);
5227         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
5228         gen_cmovcc1(s, b ^ 1, s->T0, cpu_regs[reg]);
5229         gen_op_mov_reg_v(s, ot, reg, s->T0);
5230         break;
5231 
5232         /************************/
5233         /* flags */
5234     case 0x9c: /* pushf */
5235         gen_svm_check_intercept(s, SVM_EXIT_PUSHF);
5236         if (check_vm86_iopl(s)) {
5237             gen_update_cc_op(s);
5238             gen_helper_read_eflags(s->T0, tcg_env);
5239             gen_push_v(s, s->T0);
5240         }
5241         break;
5242     case 0x9d: /* popf */
5243         gen_svm_check_intercept(s, SVM_EXIT_POPF);
5244         if (check_vm86_iopl(s)) {
5245             int mask = TF_MASK | AC_MASK | ID_MASK | NT_MASK;
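            /* Per the protected-mode POPF rules: CPL 0 may also change
               IF and IOPL, and CPL <= IOPL may change IF.  */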
5246 
5247             if (CPL(s) == 0) {
5248                 mask |= IF_MASK | IOPL_MASK;
5249             } else if (CPL(s) <= IOPL(s)) {
5250                 mask |= IF_MASK;
5251             }
5252             if (dflag == MO_16) {
5253                 mask &= 0xffff;
5254             }
5255 
5256             ot = gen_pop_T0(s);
5257             gen_helper_write_eflags(tcg_env, s->T0, tcg_constant_i32(mask));
5258             gen_pop_update(s, ot);
5259             set_cc_op(s, CC_OP_EFLAGS);
5260             /* abort translation because the TF/AC flags may change */
5261             s->base.is_jmp = DISAS_EOB_NEXT;
5262         }
5263         break;
5264     case 0x9e: /* sahf */
5265         if (CODE64(s) && !(s->cpuid_ext3_features & CPUID_EXT3_LAHF_LM))
5266             goto illegal_op;
5267         tcg_gen_shri_tl(s->T0, cpu_regs[R_EAX], 8);
5268         gen_compute_eflags(s);
5269         tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, CC_O);
5270         tcg_gen_andi_tl(s->T0, s->T0, CC_S | CC_Z | CC_A | CC_P | CC_C);
5271         tcg_gen_or_tl(cpu_cc_src, cpu_cc_src, s->T0);
5272         break;
5273     case 0x9f: /* lahf */
5274         if (CODE64(s) && !(s->cpuid_ext3_features & CPUID_EXT3_LAHF_LM))
5275             goto illegal_op;
5276         gen_compute_eflags(s);
5277         /* Note: gen_compute_eflags() only gives the condition codes */
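        /* EFLAGS bit 1 is hard-wired to 1, hence the OR with 0x02 below. */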
5278         tcg_gen_ori_tl(s->T0, cpu_cc_src, 0x02);
5279         tcg_gen_deposit_tl(cpu_regs[R_EAX], cpu_regs[R_EAX], s->T0, 8, 8);
5280         break;
5281     case 0xf5: /* cmc */
5282         gen_compute_eflags(s);
5283         tcg_gen_xori_tl(cpu_cc_src, cpu_cc_src, CC_C);
5284         break;
5285     case 0xf8: /* clc */
5286         gen_compute_eflags(s);
5287         tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, ~CC_C);
5288         break;
5289     case 0xf9: /* stc */
5290         gen_compute_eflags(s);
5291         tcg_gen_ori_tl(cpu_cc_src, cpu_cc_src, CC_C);
5292         break;
5293     case 0xfc: /* cld */
5294         tcg_gen_movi_i32(s->tmp2_i32, 1);
5295         tcg_gen_st_i32(s->tmp2_i32, tcg_env, offsetof(CPUX86State, df));
5296         break;
5297     case 0xfd: /* std */
5298         tcg_gen_movi_i32(s->tmp2_i32, -1);
5299         tcg_gen_st_i32(s->tmp2_i32, tcg_env, offsetof(CPUX86State, df));
5300         break;
5301 
5302         /************************/
5303         /* bit operations */
5304     case 0x1ba: /* bt/bts/btr/btc Gv, im */
5305         ot = dflag;
5306         modrm = x86_ldub_code(env, s);
5307         op = (modrm >> 3) & 7;
5308         mod = (modrm >> 6) & 3;
5309         rm = (modrm & 7) | REX_B(s);
5310         if (mod != 3) {
5311             s->rip_offset = 1;
5312             gen_lea_modrm(env, s, modrm);
5313             if (!(s->prefix & PREFIX_LOCK)) {
5314                 gen_op_ld_v(s, ot, s->T0, s->A0);
5315             }
5316         } else {
5317             gen_op_mov_v_reg(s, ot, s->T0, rm);
5318         }
5319         /* load shift */
5320         val = x86_ldub_code(env, s);
5321         tcg_gen_movi_tl(s->T1, val);
5322         if (op < 4)
5323             goto unknown_op;
5324         op -= 4;
5325         goto bt_op;
5326     case 0x1a3: /* bt Gv, Ev */
5327         op = 0;
5328         goto do_btx;
5329     case 0x1ab: /* bts */
5330         op = 1;
5331         goto do_btx;
5332     case 0x1b3: /* btr */
5333         op = 2;
5334         goto do_btx;
5335     case 0x1bb: /* btc */
5336         op = 3;
5337     do_btx:
5338         ot = dflag;
5339         modrm = x86_ldub_code(env, s);
5340         reg = ((modrm >> 3) & 7) | REX_R(s);
5341         mod = (modrm >> 6) & 3;
5342         rm = (modrm & 7) | REX_B(s);
5343         gen_op_mov_v_reg(s, MO_32, s->T1, reg);
5344         if (mod != 3) {
5345             AddressParts a = gen_lea_modrm_0(env, s, modrm);
5346             /* memory operand: the bit offset can index outside the
                    operand, so fold the excess into the address as a
                    byte displacement */
5347             gen_exts(ot, s->T1);
5348             tcg_gen_sari_tl(s->tmp0, s->T1, 3 + ot);
5349             tcg_gen_shli_tl(s->tmp0, s->tmp0, ot);
5350             tcg_gen_add_tl(s->A0, gen_lea_modrm_1(s, a, false), s->tmp0);
5351             gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
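            /* Worked example: a 32-bit BTS with bit offset 100 in T1
               addresses the dword at EA + 12 (100 >> 5 units of 4 bytes)
               and, after the masking at bt_op, operates on bit
               100 & 31 = 4 within it.  */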
5352             if (!(s->prefix & PREFIX_LOCK)) {
5353                 gen_op_ld_v(s, ot, s->T0, s->A0);
5354             }
5355         } else {
5356             gen_op_mov_v_reg(s, ot, s->T0, rm);
5357         }
5358     bt_op:
5359         tcg_gen_andi_tl(s->T1, s->T1, (1 << (3 + ot)) - 1);
5360         tcg_gen_movi_tl(s->tmp0, 1);
5361         tcg_gen_shl_tl(s->tmp0, s->tmp0, s->T1);
5362         if (s->prefix & PREFIX_LOCK) {
5363             switch (op) {
5364             case 0: /* bt */
5365                 /* Needs no atomic ops; we suppressed the normal
5366                    memory load for LOCK above, so do it now.  */
5367                 gen_op_ld_v(s, ot, s->T0, s->A0);
5368                 break;
5369             case 1: /* bts */
5370                 tcg_gen_atomic_fetch_or_tl(s->T0, s->A0, s->tmp0,
5371                                            s->mem_index, ot | MO_LE);
5372                 break;
5373             case 2: /* btr */
5374                 tcg_gen_not_tl(s->tmp0, s->tmp0);
5375                 tcg_gen_atomic_fetch_and_tl(s->T0, s->A0, s->tmp0,
5376                                             s->mem_index, ot | MO_LE);
5377                 break;
5378             default:
5379             case 3: /* btc */
5380                 tcg_gen_atomic_fetch_xor_tl(s->T0, s->A0, s->tmp0,
5381                                             s->mem_index, ot | MO_LE);
5382                 break;
5383             }
5384             tcg_gen_shr_tl(s->tmp4, s->T0, s->T1);
5385         } else {
5386             tcg_gen_shr_tl(s->tmp4, s->T0, s->T1);
5387             switch (op) {
5388             case 0: /* bt */
5389                 /* Data already loaded; nothing to do.  */
5390                 break;
5391             case 1: /* bts */
5392                 tcg_gen_or_tl(s->T0, s->T0, s->tmp0);
5393                 break;
5394             case 2: /* btr */
5395                 tcg_gen_andc_tl(s->T0, s->T0, s->tmp0);
5396                 break;
5397             default:
5398             case 3: /* btc */
5399                 tcg_gen_xor_tl(s->T0, s->T0, s->tmp0);
5400                 break;
5401             }
5402             if (op != 0) {
5403                 if (mod != 3) {
5404                     gen_op_st_v(s, ot, s->T0, s->A0);
5405                 } else {
5406                     gen_op_mov_reg_v(s, ot, rm, s->T0);
5407                 }
5408             }
5409         }
5410 
5411         /* Delay all CC updates until after the store above.  Note that
5412            C is the result of the test, Z is unchanged, and the others
5413            are all undefined.  */
5414         switch (s->cc_op) {
5415         case CC_OP_MULB ... CC_OP_MULQ:
5416         case CC_OP_ADDB ... CC_OP_ADDQ:
5417         case CC_OP_ADCB ... CC_OP_ADCQ:
5418         case CC_OP_SUBB ... CC_OP_SUBQ:
5419         case CC_OP_SBBB ... CC_OP_SBBQ:
5420         case CC_OP_LOGICB ... CC_OP_LOGICQ:
5421         case CC_OP_INCB ... CC_OP_INCQ:
5422         case CC_OP_DECB ... CC_OP_DECQ:
5423         case CC_OP_SHLB ... CC_OP_SHLQ:
5424         case CC_OP_SARB ... CC_OP_SARQ:
5425         case CC_OP_BMILGB ... CC_OP_BMILGQ:
5426             /* Z was going to be computed from the non-zero status of CC_DST.
5427                We can get that same Z value (and the new C value) by leaving
5428                CC_DST alone, setting CC_SRC, and using a CC_OP_SAR of the
5429                same width.  */
5430             tcg_gen_mov_tl(cpu_cc_src, s->tmp4);
5431             set_cc_op(s, ((s->cc_op - CC_OP_MULB) & 3) + CC_OP_SARB);
5432             break;
5433         default:
5434             /* Otherwise, generate EFLAGS and replace the C bit.  */
5435             gen_compute_eflags(s);
5436             tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, s->tmp4,
5437                                ctz32(CC_C), 1);
5438             break;
5439         }
5440         break;
5441     case 0x1bc: /* bsf / tzcnt */
5442     case 0x1bd: /* bsr / lzcnt */
5443         ot = dflag;
5444         modrm = x86_ldub_code(env, s);
5445         reg = ((modrm >> 3) & 7) | REX_R(s);
5446         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
5447         gen_extu(ot, s->T0);
5448 
5449         /* Note that lzcnt and tzcnt are in different extensions.  */
5450         if ((prefixes & PREFIX_REPZ)
5451             && (b & 1
5452                 ? s->cpuid_ext3_features & CPUID_EXT3_ABM
5453                 : s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_BMI1)) {
5454             int size = 8 << ot;
5455             /* For lzcnt/tzcnt, the C flag is defined by the input. */
5456             tcg_gen_mov_tl(cpu_cc_src, s->T0);
5457             if (b & 1) {
5458                 /* For lzcnt, reduce the target_ulong result by the
5459                    number of zeros that we expect to find at the top.  */
5460                 tcg_gen_clzi_tl(s->T0, s->T0, TARGET_LONG_BITS);
5461                 tcg_gen_subi_tl(s->T0, s->T0, TARGET_LONG_BITS - size);
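                /* e.g. a 16-bit lzcnt on a 64-bit target counts 48 extra
                   leading zeros, which the subtraction removes.  */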
5462             } else {
5463                 /* For tzcnt, a zero input must return the operand size.  */
5464                 tcg_gen_ctzi_tl(s->T0, s->T0, size);
5465             }
5466             /* For lzcnt/tzcnt, the Z flag is defined by the result.  */
5467             gen_op_update1_cc(s);
5468             set_cc_op(s, CC_OP_BMILGB + ot);
5469         } else {
5470             /* For bsr/bsf, only the Z flag is defined, and it reflects
5471                the input rather than the result.  */
5472             tcg_gen_mov_tl(cpu_cc_dst, s->T0);
5473             set_cc_op(s, CC_OP_LOGICB + ot);
5474 
5475             /* ??? The manual says that the output is undefined when the
5476                input is zero, but real hardware leaves it unchanged, and
5477                real programs appear to depend on that.  Accomplish this
5478                by passing the output as the value to return upon zero.  */
5479             if (b & 1) {
5480                 /* For bsr, return the bit index of the first 1 bit,
5481                    not the count of leading zeros.  */
5482                 tcg_gen_xori_tl(s->T1, cpu_regs[reg], TARGET_LONG_BITS - 1);
5483                 tcg_gen_clz_tl(s->T0, s->T0, s->T1);
5484                 tcg_gen_xori_tl(s->T0, s->T0, TARGET_LONG_BITS - 1);
5485             } else {
5486                 tcg_gen_ctz_tl(s->T0, s->T0, cpu_regs[reg]);
5487             }
5488         }
5489         gen_op_mov_reg_v(s, ot, reg, s->T0);
5490         break;
5491         /************************/
5492         /* bcd */
5493     case 0x27: /* daa */
5494         if (CODE64(s))
5495             goto illegal_op;
5496         gen_update_cc_op(s);
5497         gen_helper_daa(tcg_env);
5498         set_cc_op(s, CC_OP_EFLAGS);
5499         break;
5500     case 0x2f: /* das */
5501         if (CODE64(s))
5502             goto illegal_op;
5503         gen_update_cc_op(s);
5504         gen_helper_das(tcg_env);
5505         set_cc_op(s, CC_OP_EFLAGS);
5506         break;
5507     case 0x37: /* aaa */
5508         if (CODE64(s))
5509             goto illegal_op;
5510         gen_update_cc_op(s);
5511         gen_helper_aaa(tcg_env);
5512         set_cc_op(s, CC_OP_EFLAGS);
5513         break;
5514     case 0x3f: /* aas */
5515         if (CODE64(s))
5516             goto illegal_op;
5517         gen_update_cc_op(s);
5518         gen_helper_aas(tcg_env);
5519         set_cc_op(s, CC_OP_EFLAGS);
5520         break;
5521     case 0xd4: /* aam */
5522         if (CODE64(s))
5523             goto illegal_op;
5524         val = x86_ldub_code(env, s);
5525         if (val == 0) {
5526             gen_exception(s, EXCP00_DIVZ);
5527         } else {
5528             gen_helper_aam(tcg_env, tcg_constant_i32(val));
5529             set_cc_op(s, CC_OP_LOGICB);
5530         }
5531         break;
5532     case 0xd5: /* aad */
5533         if (CODE64(s))
5534             goto illegal_op;
5535         val = x86_ldub_code(env, s);
5536         gen_helper_aad(tcg_env, tcg_constant_i32(val));
5537         set_cc_op(s, CC_OP_LOGICB);
5538         break;
5539         /************************/
5540         /* misc */
5541     case 0x90: /* nop */
5542         /* XXX: the LOCK-prefix test should be done like this for all insns */
5543         if (prefixes & PREFIX_LOCK) {
5544             goto illegal_op;
5545         }
5546         /* If REX_B is set, then this is xchg eax, r8d, not a nop.  */
5547         if (REX_B(s)) {
5548             goto do_xchg_reg_eax;
5549         }
5550         if (prefixes & PREFIX_REPZ) {
5551             gen_update_cc_op(s);
5552             gen_update_eip_cur(s);
5553             gen_helper_pause(tcg_env, cur_insn_len_i32(s));
5554             s->base.is_jmp = DISAS_NORETURN;
5555         }
5556         break;
5557     case 0x9b: /* fwait */
5558         if ((s->flags & (HF_MP_MASK | HF_TS_MASK)) ==
5559             (HF_MP_MASK | HF_TS_MASK)) {
5560             gen_exception(s, EXCP07_PREX);
5561         } else {
5562             /* needs to be treated as I/O because of ferr_irq */
5563             translator_io_start(&s->base);
5564             gen_helper_fwait(tcg_env);
5565         }
5566         break;
5567     case 0xcc: /* int3 */
5568         gen_interrupt(s, EXCP03_INT3);
5569         break;
5570     case 0xcd: /* int N */
5571         val = x86_ldub_code(env, s);
5572         if (check_vm86_iopl(s)) {
5573             gen_interrupt(s, val);
5574         }
5575         break;
5576     case 0xce: /* into */
5577         if (CODE64(s))
5578             goto illegal_op;
5579         gen_update_cc_op(s);
5580         gen_update_eip_cur(s);
5581         gen_helper_into(tcg_env, cur_insn_len_i32(s));
5582         break;
5583 #ifdef WANT_ICEBP
5584     case 0xf1: /* icebp (undocumented, exits to external debugger) */
5585         gen_svm_check_intercept(s, SVM_EXIT_ICEBP);
5586         gen_debug(s);
5587         break;
5588 #endif
5589     case 0xfa: /* cli */
5590         if (check_iopl(s)) {
5591             gen_reset_eflags(s, IF_MASK);
5592         }
5593         break;
5594     case 0xfb: /* sti */
5595         if (check_iopl(s)) {
5596             gen_set_eflags(s, IF_MASK);
5597             /* interruptions are enabled only the first insn after sti */
5598             /* interrupts are enabled only for the first insn after sti */
5599             gen_eob_inhibit_irq(s, true);
5600         }
5601         break;
5602     case 0x62: /* bound */
5603         if (CODE64(s))
5604             goto illegal_op;
5605         ot = dflag;
5606         modrm = x86_ldub_code(env, s);
5607         reg = (modrm >> 3) & 7;
5608         mod = (modrm >> 6) & 3;
5609         if (mod == 3)
5610             goto illegal_op;
5611         gen_op_mov_v_reg(s, ot, s->T0, reg);
5612         gen_lea_modrm(env, s, modrm);
5613         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5614         if (ot == MO_16) {
5615             gen_helper_boundw(tcg_env, s->A0, s->tmp2_i32);
5616         } else {
5617             gen_helper_boundl(tcg_env, s->A0, s->tmp2_i32);
5618         }
5619         break;
5620     case 0x1c8 ... 0x1cf: /* bswap reg */
5621         reg = (b & 7) | REX_B(s);
5622 #ifdef TARGET_X86_64
5623         if (dflag == MO_64) {
5624             tcg_gen_bswap64_i64(cpu_regs[reg], cpu_regs[reg]);
5625             break;
5626         }
5627 #endif
5628         tcg_gen_bswap32_tl(cpu_regs[reg], cpu_regs[reg], TCG_BSWAP_OZ);
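        /* TCG_BSWAP_OZ zero-extends the swapped 32-bit value, matching
           the zero-extension of 32-bit destinations in 64-bit mode.  */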
5629         break;
5630     case 0xd6: /* salc */
5631         if (CODE64(s))
5632             goto illegal_op;
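        /* SALC: AL = CF ? 0xff : 0x00; negating the 0/1 carry value
           below yields the 0/-1 byte mask.  */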
5633         gen_compute_eflags_c(s, s->T0);
5634         tcg_gen_neg_tl(s->T0, s->T0);
5635         gen_op_mov_reg_v(s, MO_8, R_EAX, s->T0);
5636         break;
5637     case 0xe0: /* loopnz */
5638     case 0xe1: /* loopz */
5639     case 0xe2: /* loop */
5640     case 0xe3: /* jecxz */
5641         {
5642             TCGLabel *l1, *l2;
5643             int diff = (int8_t)insn_get(env, s, MO_8);
5644 
5645             l1 = gen_new_label();
5646             l2 = gen_new_label();
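            /* l1 is the branch-taken path (jump by diff); l2 falls
               through to the next insn.  */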
5647             gen_update_cc_op(s);
5648             b &= 3;
5649             switch(b) {
5650             case 0: /* loopnz */
5651             case 1: /* loopz */
5652                 gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
5653                 gen_op_jz_ecx(s, l2);
5654                 gen_jcc1(s, (JCC_Z << 1) | (b ^ 1), l1);
5655                 break;
5656             case 2: /* loop */
5657                 gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
5658                 gen_op_jnz_ecx(s, l1);
5659                 break;
5660             default:
5661             case 3: /* jcxz */
5662                 gen_op_jz_ecx(s, l1);
5663                 break;
5664             }
5665 
5666             gen_set_label(l2);
5667             gen_jmp_rel_csize(s, 0, 1);
5668 
5669             gen_set_label(l1);
5670             gen_jmp_rel(s, dflag, diff, 0);
5671         }
5672         break;
5673     case 0x130: /* wrmsr */
5674     case 0x132: /* rdmsr */
5675         if (check_cpl0(s)) {
5676             gen_update_cc_op(s);
5677             gen_update_eip_cur(s);
5678             if (b & 2) {
5679                 gen_helper_rdmsr(tcg_env);
5680             } else {
5681                 gen_helper_wrmsr(tcg_env);
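                /* MSR writes may change translation-relevant state
                   (e.g. EFER), so conservatively end the TB.  */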
5682                 s->base.is_jmp = DISAS_EOB_NEXT;
5683             }
5684         }
5685         break;
5686     case 0x131: /* rdtsc */
5687         gen_update_cc_op(s);
5688         gen_update_eip_cur(s);
5689         translator_io_start(&s->base);
5690         gen_helper_rdtsc(tcg_env);
5691         break;
5692     case 0x133: /* rdpmc */
5693         gen_update_cc_op(s);
5694         gen_update_eip_cur(s);
5695         gen_helper_rdpmc(tcg_env);
5696         s->base.is_jmp = DISAS_NORETURN;
5697         break;
5698     case 0x134: /* sysenter */
5699         /* For AMD, SYSENTER is not valid in long mode */
5700         if (LMA(s) && env->cpuid_vendor1 != CPUID_VENDOR_INTEL_1) {
5701             goto illegal_op;
5702         }
5703         if (!PE(s)) {
5704             gen_exception_gpf(s);
5705         } else {
5706             gen_helper_sysenter(tcg_env);
5707             s->base.is_jmp = DISAS_EOB_ONLY;
5708         }
5709         break;
5710     case 0x135: /* sysexit */
5711         /* For AMD, SYSEXIT is not valid in long mode */
5712         if (LMA(s) && env->cpuid_vendor1 != CPUID_VENDOR_INTEL_1) {
5713             goto illegal_op;
5714         }
5715         if (!PE(s) || CPL(s) != 0) {
5716             gen_exception_gpf(s);
5717         } else {
5718             gen_helper_sysexit(tcg_env, tcg_constant_i32(dflag - 1));
5719             s->base.is_jmp = DISAS_EOB_ONLY;
5720         }
5721         break;
5722     case 0x105: /* syscall */
5723         /* For Intel, SYSCALL is only valid in long mode */
5724         if (!LMA(s) && env->cpuid_vendor1 == CPUID_VENDOR_INTEL_1) {
5725             goto illegal_op;
5726         }
5727         gen_update_cc_op(s);
5728         gen_update_eip_cur(s);
5729         gen_helper_syscall(tcg_env, cur_insn_len_i32(s));
5730         /* TF handling for the syscall insn is different.  The TF bit is
5731            checked after the syscall insn completes, so that #DB is not
5732            generated after entering CPL 0 when TF is set in FMASK.  */
5733         gen_eob_worker(s, false, true);
5734         break;
5735     case 0x107: /* sysret */
5736         /* For Intel, SYSRET is only valid in long mode */
5737         if (!LMA(s) && env->cpuid_vendor1 == CPUID_VENDOR_INTEL_1) {
5738             goto illegal_op;
5739         }
5740         if (!PE(s) || CPL(s) != 0) {
5741             gen_exception_gpf(s);
5742         } else {
5743             gen_helper_sysret(tcg_env, tcg_constant_i32(dflag - 1));
5744             /* condition codes are modified only in long mode */
5745             if (LMA(s)) {
5746                 set_cc_op(s, CC_OP_EFLAGS);
5747             }
5748             /* TF handling for the sysret insn is different.  The TF bit
5749                is checked after the sysret insn completes, so that #DB is
5750                generated "as if" the userspace syscall insn had just
5751                completed.  */
5752             gen_eob_worker(s, false, true);
5753         }
5754         break;
5755     case 0x1a2: /* cpuid */
5756         gen_update_cc_op(s);
5757         gen_update_eip_cur(s);
5758         gen_helper_cpuid(tcg_env);
5759         break;
5760     case 0xf4: /* hlt */
5761         if (check_cpl0(s)) {
5762             gen_update_cc_op(s);
5763             gen_update_eip_cur(s);
5764             gen_helper_hlt(tcg_env, cur_insn_len_i32(s));
5765             s->base.is_jmp = DISAS_NORETURN;
5766         }
5767         break;
5768     case 0x100:
5769         modrm = x86_ldub_code(env, s);
5770         mod = (modrm >> 6) & 3;
5771         op = (modrm >> 3) & 7;
5772         switch(op) {
5773         case 0: /* sldt */
5774             if (!PE(s) || VM86(s))
5775                 goto illegal_op;
5776             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5777                 break;
5778             }
5779             gen_svm_check_intercept(s, SVM_EXIT_LDTR_READ);
5780             tcg_gen_ld32u_tl(s->T0, tcg_env,
5781                              offsetof(CPUX86State, ldt.selector));
5782             ot = mod == 3 ? dflag : MO_16;
5783             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
5784             break;
5785         case 2: /* lldt */
5786             if (!PE(s) || VM86(s))
5787                 goto illegal_op;
5788             if (check_cpl0(s)) {
5789                 gen_svm_check_intercept(s, SVM_EXIT_LDTR_WRITE);
5790                 gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5791                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5792                 gen_helper_lldt(tcg_env, s->tmp2_i32);
5793             }
5794             break;
5795         case 1: /* str */
5796             if (!PE(s) || VM86(s))
5797                 goto illegal_op;
5798             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5799                 break;
5800             }
5801             gen_svm_check_intercept(s, SVM_EXIT_TR_READ);
5802             tcg_gen_ld32u_tl(s->T0, tcg_env,
5803                              offsetof(CPUX86State, tr.selector));
5804             ot = mod == 3 ? dflag : MO_16;
5805             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
5806             break;
5807         case 3: /* ltr */
5808             if (!PE(s) || VM86(s))
5809                 goto illegal_op;
5810             if (check_cpl0(s)) {
5811                 gen_svm_check_intercept(s, SVM_EXIT_TR_WRITE);
5812                 gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5813                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5814                 gen_helper_ltr(tcg_env, s->tmp2_i32);
5815             }
5816             break;
5817         case 4: /* verr */
5818         case 5: /* verw */
5819             if (!PE(s) || VM86(s))
5820                 goto illegal_op;
5821             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5822             gen_update_cc_op(s);
5823             if (op == 4) {
5824                 gen_helper_verr(tcg_env, s->T0);
5825             } else {
5826                 gen_helper_verw(tcg_env, s->T0);
5827             }
5828             set_cc_op(s, CC_OP_EFLAGS);
5829             break;
5830         default:
5831             goto unknown_op;
5832         }
5833         break;
5834 
5835     case 0x101:
5836         modrm = x86_ldub_code(env, s);
5837         switch (modrm) {
5838         CASE_MODRM_MEM_OP(0): /* sgdt */
5839             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5840                 break;
5841             }
5842             gen_svm_check_intercept(s, SVM_EXIT_GDTR_READ);
5843             gen_lea_modrm(env, s, modrm);
5844             tcg_gen_ld32u_tl(s->T0,
5845                              tcg_env, offsetof(CPUX86State, gdt.limit));
5846             gen_op_st_v(s, MO_16, s->T0, s->A0);
5847             gen_add_A0_im(s, 2);
5848             tcg_gen_ld_tl(s->T0, tcg_env, offsetof(CPUX86State, gdt.base));
5849             /*
5850              * NB: Despite a confusing description in Intel CPU documentation,
5851              *     all 32 bits are written regardless of operand size.
5852              */
5853             gen_op_st_v(s, CODE64(s) + MO_32, s->T0, s->A0);
5854             break;
5855 
5856         case 0xc8: /* monitor */
5857             if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || CPL(s) != 0) {
5858                 goto illegal_op;
5859             }
5860             gen_update_cc_op(s);
5861             gen_update_eip_cur(s);
5862             tcg_gen_mov_tl(s->A0, cpu_regs[R_EAX]);
5863             gen_add_A0_ds_seg(s);
5864             gen_helper_monitor(tcg_env, s->A0);
5865             break;
5866 
5867         case 0xc9: /* mwait */
5868             if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || CPL(s) != 0) {
5869                 goto illegal_op;
5870             }
5871             gen_update_cc_op(s);
5872             gen_update_eip_cur(s);
5873             gen_helper_mwait(tcg_env, cur_insn_len_i32(s));
5874             s->base.is_jmp = DISAS_NORETURN;
5875             break;
5876 
5877         case 0xca: /* clac */
5878             if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_SMAP)
5879                 || CPL(s) != 0) {
5880                 goto illegal_op;
5881             }
5882             gen_reset_eflags(s, AC_MASK);
5883             s->base.is_jmp = DISAS_EOB_NEXT;
5884             break;
5885 
5886         case 0xcb: /* stac */
5887             if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_SMAP)
5888                 || CPL(s) != 0) {
5889                 goto illegal_op;
5890             }
5891             gen_set_eflags(s, AC_MASK);
5892             s->base.is_jmp = DISAS_EOB_NEXT;
5893             break;
5894 
5895         CASE_MODRM_MEM_OP(1): /* sidt */
5896             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5897                 break;
5898             }
5899             gen_svm_check_intercept(s, SVM_EXIT_IDTR_READ);
5900             gen_lea_modrm(env, s, modrm);
5901             tcg_gen_ld32u_tl(s->T0, tcg_env, offsetof(CPUX86State, idt.limit));
5902             gen_op_st_v(s, MO_16, s->T0, s->A0);
5903             gen_add_A0_im(s, 2);
5904             tcg_gen_ld_tl(s->T0, tcg_env, offsetof(CPUX86State, idt.base));
5905             /*
5906              * NB: Despite a confusing description in Intel CPU documentation,
5907              *     all 32 bits are written regardless of operand size.
5908              */
5909             gen_op_st_v(s, CODE64(s) + MO_32, s->T0, s->A0);
5910             break;
5911 
5912         case 0xd0: /* xgetbv */
5913             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
5914                 || (s->prefix & (PREFIX_LOCK | PREFIX_DATA
5915                                  | PREFIX_REPZ | PREFIX_REPNZ))) {
5916                 goto illegal_op;
5917             }
5918             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
5919             gen_helper_xgetbv(s->tmp1_i64, tcg_env, s->tmp2_i32);
5920             tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], s->tmp1_i64);
5921             break;
5922 
5923         case 0xd1: /* xsetbv */
5924             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
5925                 || (s->prefix & (PREFIX_LOCK | PREFIX_DATA
5926                                  | PREFIX_REPZ | PREFIX_REPNZ))) {
5927                 goto illegal_op;
5928             }
5929             gen_svm_check_intercept(s, SVM_EXIT_XSETBV);
5930             if (!check_cpl0(s)) {
5931                 break;
5932             }
5933             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
5934                                   cpu_regs[R_EDX]);
5935             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
5936             gen_helper_xsetbv(tcg_env, s->tmp2_i32, s->tmp1_i64);
5937             /* End TB because translation flags may change.  */
5938             s->base.is_jmp = DISAS_EOB_NEXT;
5939             break;
5940 
5941         case 0xd8: /* VMRUN */
5942             if (!SVME(s) || !PE(s)) {
5943                 goto illegal_op;
5944             }
5945             if (!check_cpl0(s)) {
5946                 break;
5947             }
5948             gen_update_cc_op(s);
5949             gen_update_eip_cur(s);
5950             gen_helper_vmrun(tcg_env, tcg_constant_i32(s->aflag - 1),
5951                              cur_insn_len_i32(s));
5952             tcg_gen_exit_tb(NULL, 0);
5953             s->base.is_jmp = DISAS_NORETURN;
5954             break;
5955 
5956         case 0xd9: /* VMMCALL */
5957             if (!SVME(s)) {
5958                 goto illegal_op;
5959             }
5960             gen_update_cc_op(s);
5961             gen_update_eip_cur(s);
5962             gen_helper_vmmcall(tcg_env);
5963             break;
5964 
5965         case 0xda: /* VMLOAD */
5966             if (!SVME(s) || !PE(s)) {
5967                 goto illegal_op;
5968             }
5969             if (!check_cpl0(s)) {
5970                 break;
5971             }
5972             gen_update_cc_op(s);
5973             gen_update_eip_cur(s);
5974             gen_helper_vmload(tcg_env, tcg_constant_i32(s->aflag - 1));
5975             break;
5976 
5977         case 0xdb: /* VMSAVE */
5978             if (!SVME(s) || !PE(s)) {
5979                 goto illegal_op;
5980             }
5981             if (!check_cpl0(s)) {
5982                 break;
5983             }
5984             gen_update_cc_op(s);
5985             gen_update_eip_cur(s);
5986             gen_helper_vmsave(tcg_env, tcg_constant_i32(s->aflag - 1));
5987             break;
5988 
5989         case 0xdc: /* STGI */
5990             if ((!SVME(s) && !(s->cpuid_ext3_features & CPUID_EXT3_SKINIT))
5991                 || !PE(s)) {
5992                 goto illegal_op;
5993             }
5994             if (!check_cpl0(s)) {
5995                 break;
5996             }
5997             gen_update_cc_op(s);
5998             gen_helper_stgi(tcg_env);
5999             s->base.is_jmp = DISAS_EOB_NEXT;
6000             break;
6001 
6002         case 0xdd: /* CLGI */
6003             if (!SVME(s) || !PE(s)) {
6004                 goto illegal_op;
6005             }
6006             if (!check_cpl0(s)) {
6007                 break;
6008             }
6009             gen_update_cc_op(s);
6010             gen_update_eip_cur(s);
6011             gen_helper_clgi(tcg_env);
6012             break;
6013 
6014         case 0xde: /* SKINIT */
6015             if ((!SVME(s) && !(s->cpuid_ext3_features & CPUID_EXT3_SKINIT))
6016                 || !PE(s)) {
6017                 goto illegal_op;
6018             }
6019             gen_svm_check_intercept(s, SVM_EXIT_SKINIT);
6020             /* If not intercepted, not implemented -- raise #UD. */
6021             goto illegal_op;
6022 
6023         case 0xdf: /* INVLPGA */
6024             if (!SVME(s) || !PE(s)) {
6025                 goto illegal_op;
6026             }
6027             if (!check_cpl0(s)) {
6028                 break;
6029             }
6030             gen_svm_check_intercept(s, SVM_EXIT_INVLPGA);
6031             if (s->aflag == MO_64) {
6032                 tcg_gen_mov_tl(s->A0, cpu_regs[R_EAX]);
6033             } else {
6034                 tcg_gen_ext32u_tl(s->A0, cpu_regs[R_EAX]);
6035             }
6036             gen_helper_flush_page(tcg_env, s->A0);
6037             s->base.is_jmp = DISAS_EOB_NEXT;
6038             break;
6039 
6040         CASE_MODRM_MEM_OP(2): /* lgdt */
6041             if (!check_cpl0(s)) {
6042                 break;
6043             }
6044             gen_svm_check_intercept(s, SVM_EXIT_GDTR_WRITE);
6045             gen_lea_modrm(env, s, modrm);
6046             gen_op_ld_v(s, MO_16, s->T1, s->A0);
6047             gen_add_A0_im(s, 2);
6048             gen_op_ld_v(s, CODE64(s) + MO_32, s->T0, s->A0);
6049             if (dflag == MO_16) {
6050                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
6051             }
6052             tcg_gen_st_tl(s->T0, tcg_env, offsetof(CPUX86State, gdt.base));
6053             tcg_gen_st32_tl(s->T1, tcg_env, offsetof(CPUX86State, gdt.limit));
6054             break;
6055 
6056         CASE_MODRM_MEM_OP(3): /* lidt */
6057             if (!check_cpl0(s)) {
6058                 break;
6059             }
6060             gen_svm_check_intercept(s, SVM_EXIT_IDTR_WRITE);
6061             gen_lea_modrm(env, s, modrm);
6062             gen_op_ld_v(s, MO_16, s->T1, s->A0);
6063             gen_add_A0_im(s, 2);
6064             gen_op_ld_v(s, CODE64(s) + MO_32, s->T0, s->A0);
6065             if (dflag == MO_16) {
6066                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
6067             }
6068             tcg_gen_st_tl(s->T0, tcg_env, offsetof(CPUX86State, idt.base));
6069             tcg_gen_st32_tl(s->T1, tcg_env, offsetof(CPUX86State, idt.limit));
6070             break;
6071 
6072         CASE_MODRM_OP(4): /* smsw */
6073             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
6074                 break;
6075             }
6076             gen_svm_check_intercept(s, SVM_EXIT_READ_CR0);
6077             tcg_gen_ld_tl(s->T0, tcg_env, offsetof(CPUX86State, cr[0]));
6078             /*
6079              * In 32-bit mode, the higher 16 bits of the destination
6080              * register are undefined.  In practice CR0[31:0] is stored
6081              * just like in 64-bit mode.
6082              */
6083             mod = (modrm >> 6) & 3;
6084             ot = (mod != 3 ? MO_16 : s->dflag);
6085             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
6086             break;
6087         case 0xee: /* rdpkru */
6088             if (prefixes & PREFIX_LOCK) {
6089                 goto illegal_op;
6090             }
6091             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
6092             gen_helper_rdpkru(s->tmp1_i64, tcg_env, s->tmp2_i32);
6093             tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], s->tmp1_i64);
6094             break;
6095         case 0xef: /* wrpkru */
6096             if (prefixes & PREFIX_LOCK) {
6097                 goto illegal_op;
6098             }
6099             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6100                                   cpu_regs[R_EDX]);
6101             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
6102             gen_helper_wrpkru(tcg_env, s->tmp2_i32, s->tmp1_i64);
6103             break;
6104 
6105         CASE_MODRM_OP(6): /* lmsw */
6106             if (!check_cpl0(s)) {
6107                 break;
6108             }
6109             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0);
6110             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
6111             /*
6112              * Only the 4 lower bits of CR0 are modified.
6113              * PE cannot be set to zero if already set to one.
6114              */
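            /* T1 keeps every old CR0 bit except MP/EM/TS, so the OR below
               can set PE from T0 but never clear it.  */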
6115             tcg_gen_ld_tl(s->T1, tcg_env, offsetof(CPUX86State, cr[0]));
6116             tcg_gen_andi_tl(s->T0, s->T0, 0xf);
6117             tcg_gen_andi_tl(s->T1, s->T1, ~0xe);
6118             tcg_gen_or_tl(s->T0, s->T0, s->T1);
6119             gen_helper_write_crN(tcg_env, tcg_constant_i32(0), s->T0);
6120             s->base.is_jmp = DISAS_EOB_NEXT;
6121             break;
6122 
6123         CASE_MODRM_MEM_OP(7): /* invlpg */
6124             if (!check_cpl0(s)) {
6125                 break;
6126             }
6127             gen_svm_check_intercept(s, SVM_EXIT_INVLPG);
6128             gen_lea_modrm(env, s, modrm);
6129             gen_helper_flush_page(tcg_env, s->A0);
6130             s->base.is_jmp = DISAS_EOB_NEXT;
6131             break;
6132 
6133         case 0xf8: /* swapgs */
6134 #ifdef TARGET_X86_64
6135             if (CODE64(s)) {
6136                 if (check_cpl0(s)) {
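                    /* Exchange the GS base with MSR_KERNEL_GS_BASE. */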
6137                     tcg_gen_mov_tl(s->T0, cpu_seg_base[R_GS]);
6138                     tcg_gen_ld_tl(cpu_seg_base[R_GS], tcg_env,
6139                                   offsetof(CPUX86State, kernelgsbase));
6140                     tcg_gen_st_tl(s->T0, tcg_env,
6141                                   offsetof(CPUX86State, kernelgsbase));
6142                 }
6143                 break;
6144             }
6145 #endif
6146             goto illegal_op;
6147 
6148         case 0xf9: /* rdtscp */
6149             if (!(s->cpuid_ext2_features & CPUID_EXT2_RDTSCP)) {
6150                 goto illegal_op;
6151             }
6152             gen_update_cc_op(s);
6153             gen_update_eip_cur(s);
6154             translator_io_start(&s->base);
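            /* RDTSCP also returns IA32_TSC_AUX in ECX, via the rdpid helper. */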
6155             gen_helper_rdtsc(tcg_env);
6156             gen_helper_rdpid(s->T0, tcg_env);
6157             gen_op_mov_reg_v(s, dflag, R_ECX, s->T0);
6158             break;
6159 
6160         default:
6161             goto unknown_op;
6162         }
6163         break;
6164 
6165     case 0x108: /* invd */
6166     case 0x109: /* wbinvd; wbnoinvd with REPZ prefix */
6167         if (check_cpl0(s)) {
6168             gen_svm_check_intercept(s, (b & 1) ? SVM_EXIT_WBINVD : SVM_EXIT_INVD);
6169             /* nothing to do */
6170         }
6171         break;
6172     case 0x63: /* arpl or movsxd (x86_64) */
6173 #ifdef TARGET_X86_64
6174         if (CODE64(s)) {
6175             int d_ot;
6176             /* d_ot is the size of the destination */
6177             d_ot = dflag;
6178 
6179             modrm = x86_ldub_code(env, s);
6180             reg = ((modrm >> 3) & 7) | REX_R(s);
6181             mod = (modrm >> 6) & 3;
6182             rm = (modrm & 7) | REX_B(s);
6183 
6184             if (mod == 3) {
6185                 gen_op_mov_v_reg(s, MO_32, s->T0, rm);
6186                 /* sign extend */
6187                 if (d_ot == MO_64) {
6188                     tcg_gen_ext32s_tl(s->T0, s->T0);
6189                 }
6190                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
6191             } else {
6192                 gen_lea_modrm(env, s, modrm);
6193                 gen_op_ld_v(s, MO_32 | MO_SIGN, s->T0, s->A0);
6194                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
6195             }
6196         } else
6197 #endif
6198         {
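            /*
             * arpl: if dst.RPL < src.RPL, set dst.RPL = src.RPL and ZF = 1,
             * else ZF = 0.  E.g. dst = 0x1001, src.RPL = 3 gives dst = 0x1003
             * with ZF set.  t2 accumulates the new ZF value as a CC_Z bit.
             */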
6199             TCGLabel *label1;
6200             TCGv t0, t1, t2;
6201 
6202             if (!PE(s) || VM86(s))
6203                 goto illegal_op;
6204             t0 = tcg_temp_new();
6205             t1 = tcg_temp_new();
6206             t2 = tcg_temp_new();
6207             ot = MO_16;
6208             modrm = x86_ldub_code(env, s);
6209             reg = (modrm >> 3) & 7;
6210             mod = (modrm >> 6) & 3;
6211             rm = modrm & 7;
6212             if (mod != 3) {
6213                 gen_lea_modrm(env, s, modrm);
6214                 gen_op_ld_v(s, ot, t0, s->A0);
6215             } else {
6216                 gen_op_mov_v_reg(s, ot, t0, rm);
6217             }
6218             gen_op_mov_v_reg(s, ot, t1, reg);
6219             tcg_gen_andi_tl(s->tmp0, t0, 3);
6220             tcg_gen_andi_tl(t1, t1, 3);
6221             tcg_gen_movi_tl(t2, 0);
6222             label1 = gen_new_label();
6223             tcg_gen_brcond_tl(TCG_COND_GE, s->tmp0, t1, label1);
6224             tcg_gen_andi_tl(t0, t0, ~3);
6225             tcg_gen_or_tl(t0, t0, t1);
6226             tcg_gen_movi_tl(t2, CC_Z);
6227             gen_set_label(label1);
6228             if (mod != 3) {
6229                 gen_op_st_v(s, ot, t0, s->A0);
6230             } else {
6231                 gen_op_mov_reg_v(s, ot, rm, t0);
6232             }
6233             gen_compute_eflags(s);
6234             tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, ~CC_Z);
6235             tcg_gen_or_tl(cpu_cc_src, cpu_cc_src, t2);
6236         }
6237         break;
6238     case 0x102: /* lar */
6239     case 0x103: /* lsl */
6240         {
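            /*
             * The helpers set CC_Z in cc_src when the selector is valid;
             * the destination register is written only in that case.
             */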
6241             TCGLabel *label1;
6242             TCGv t0;
6243             if (!PE(s) || VM86(s))
6244                 goto illegal_op;
6245             ot = dflag != MO_16 ? MO_32 : MO_16;
6246             modrm = x86_ldub_code(env, s);
6247             reg = ((modrm >> 3) & 7) | REX_R(s);
6248             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
6249             t0 = tcg_temp_new();
6250             gen_update_cc_op(s);
6251             if (b == 0x102) {
6252                 gen_helper_lar(t0, tcg_env, s->T0);
6253             } else {
6254                 gen_helper_lsl(t0, tcg_env, s->T0);
6255             }
6256             tcg_gen_andi_tl(s->tmp0, cpu_cc_src, CC_Z);
6257             label1 = gen_new_label();
6258             tcg_gen_brcondi_tl(TCG_COND_EQ, s->tmp0, 0, label1);
6259             gen_op_mov_reg_v(s, ot, reg, t0);
6260             gen_set_label(label1);
6261             set_cc_op(s, CC_OP_EFLAGS);
6262         }
6263         break;
6264     case 0x118:
6265         modrm = x86_ldub_code(env, s);
6266         mod = (modrm >> 6) & 3;
6267         op = (modrm >> 3) & 7;
6268         switch(op) {
6269         case 0: /* prefetchnta */
6270         case 1: /* prefetcht0 */
6271         case 2: /* prefetcht1 */
6272         case 3: /* prefetcht2 */
6273             if (mod == 3)
6274                 goto illegal_op;
6275             gen_nop_modrm(env, s, modrm);
6276             /* nothing more to do */
6277             break;
6278         default: /* nop (multi byte) */
6279             gen_nop_modrm(env, s, modrm);
6280             break;
6281         }
6282         break;
6283     case 0x11a:
6284         modrm = x86_ldub_code(env, s);
6285         if (s->flags & HF_MPX_EN_MASK) {
6286             mod = (modrm >> 6) & 3;
6287             reg = ((modrm >> 3) & 7) | REX_R(s);
6288             if (prefixes & PREFIX_REPZ) {
6289                 /* bndcl */
6290                 if (reg >= 4
6291                     || (prefixes & PREFIX_LOCK)
6292                     || s->aflag == MO_16) {
6293                     goto illegal_op;
6294                 }
6295                 gen_bndck(env, s, modrm, TCG_COND_LTU, cpu_bndl[reg]);
6296             } else if (prefixes & PREFIX_REPNZ) {
6297                 /* bndcu */
6298                 if (reg >= 4
6299                     || (prefixes & PREFIX_LOCK)
6300                     || s->aflag == MO_16) {
6301                     goto illegal_op;
6302                 }
6303                 TCGv_i64 notu = tcg_temp_new_i64();
6304                 tcg_gen_not_i64(notu, cpu_bndu[reg]);
6305                 gen_bndck(env, s, modrm, TCG_COND_GTU, notu);
6306             } else if (prefixes & PREFIX_DATA) {
6307                 /* bndmov -- from reg/mem */
6308                 if (reg >= 4 || s->aflag == MO_16) {
6309                     goto illegal_op;
6310                 }
6311                 if (mod == 3) {
6312                     int reg2 = (modrm & 7) | REX_B(s);
6313                     if (reg2 >= 4 || (prefixes & PREFIX_LOCK)) {
6314                         goto illegal_op;
6315                     }
6316                     if (s->flags & HF_MPX_IU_MASK) {
6317                         tcg_gen_mov_i64(cpu_bndl[reg], cpu_bndl[reg2]);
6318                         tcg_gen_mov_i64(cpu_bndu[reg], cpu_bndu[reg2]);
6319                     }
6320                 } else {
6321                     gen_lea_modrm(env, s, modrm);
6322                     if (CODE64(s)) {
6323                         tcg_gen_qemu_ld_i64(cpu_bndl[reg], s->A0,
6324                                             s->mem_index, MO_LEUQ);
6325                         tcg_gen_addi_tl(s->A0, s->A0, 8);
6326                         tcg_gen_qemu_ld_i64(cpu_bndu[reg], s->A0,
6327                                             s->mem_index, MO_LEUQ);
6328                     } else {
6329                         tcg_gen_qemu_ld_i64(cpu_bndl[reg], s->A0,
6330                                             s->mem_index, MO_LEUL);
6331                         tcg_gen_addi_tl(s->A0, s->A0, 4);
6332                         tcg_gen_qemu_ld_i64(cpu_bndu[reg], s->A0,
6333                                             s->mem_index, MO_LEUL);
6334                     }
6335                     /* bnd registers are now in use */
6336                     gen_set_hflag(s, HF_MPX_IU_MASK);
6337                 }
6338             } else if (mod != 3) {
6339                 /* bndldx */
6340                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6341                 if (reg >= 4
6342                     || (prefixes & PREFIX_LOCK)
6343                     || s->aflag == MO_16
6344                     || a.base < -1) {
6345                     goto illegal_op;
6346                 }
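                /* Build the segment-adjusted address in A0 and the index
                   value in T0 for the bound-table lookup helper. */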
6347                 if (a.base >= 0) {
6348                     tcg_gen_addi_tl(s->A0, cpu_regs[a.base], a.disp);
6349                 } else {
6350                     tcg_gen_movi_tl(s->A0, 0);
6351                 }
6352                 gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
6353                 if (a.index >= 0) {
6354                     tcg_gen_mov_tl(s->T0, cpu_regs[a.index]);
6355                 } else {
6356                     tcg_gen_movi_tl(s->T0, 0);
6357                 }
6358                 if (CODE64(s)) {
6359                     gen_helper_bndldx64(cpu_bndl[reg], tcg_env, s->A0, s->T0);
6360                     tcg_gen_ld_i64(cpu_bndu[reg], tcg_env,
6361                                    offsetof(CPUX86State, mmx_t0.MMX_Q(0)));
6362                 } else {
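                    /* The 32-bit helper packs lb in the low half and ub in
                       the high half of one i64; unpack them here. */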
6363                     gen_helper_bndldx32(cpu_bndu[reg], tcg_env, s->A0, s->T0);
6364                     tcg_gen_ext32u_i64(cpu_bndl[reg], cpu_bndu[reg]);
6365                     tcg_gen_shri_i64(cpu_bndu[reg], cpu_bndu[reg], 32);
6366                 }
6367                 gen_set_hflag(s, HF_MPX_IU_MASK);
6368             }
6369         }
6370         gen_nop_modrm(env, s, modrm);
6371         break;
6372     case 0x11b:
6373         modrm = x86_ldub_code(env, s);
6374         if (s->flags & HF_MPX_EN_MASK) {
6375             mod = (modrm >> 6) & 3;
6376             reg = ((modrm >> 3) & 7) | REX_R(s);
6377             if (mod != 3 && (prefixes & PREFIX_REPZ)) {
6378                 /* bndmk */
6379                 if (reg >= 4
6380                     || (prefixes & PREFIX_LOCK)
6381                     || s->aflag == MO_16) {
6382                     goto illegal_op;
6383                 }
6384                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6385                 if (a.base >= 0) {
6386                     tcg_gen_extu_tl_i64(cpu_bndl[reg], cpu_regs[a.base]);
6387                     if (!CODE64(s)) {
6388                         tcg_gen_ext32u_i64(cpu_bndl[reg], cpu_bndl[reg]);
6389                     }
6390                 } else if (a.base == -1) {
6391                     /* no base register: the lower bound is 0 */
6392                     tcg_gen_movi_i64(cpu_bndl[reg], 0);
6393                 } else {
6394                     /* rip-relative generates #ud */
6395                     goto illegal_op;
6396                 }
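                /* As architected, the upper bound is stored in one's
                   complement form; bndcu re-complements it before comparing,
                   while bndcn compares it directly. */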
6397                 tcg_gen_not_tl(s->A0, gen_lea_modrm_1(s, a, false));
6398                 if (!CODE64(s)) {
6399                     tcg_gen_ext32u_tl(s->A0, s->A0);
6400                 }
6401                 tcg_gen_extu_tl_i64(cpu_bndu[reg], s->A0);
6402                 /* bnd registers are now in use */
6403                 gen_set_hflag(s, HF_MPX_IU_MASK);
6404                 break;
6405             } else if (prefixes & PREFIX_REPNZ) {
6406                 /* bndcn */
6407                 if (reg >= 4
6408                     || (prefixes & PREFIX_LOCK)
6409                     || s->aflag == MO_16) {
6410                     goto illegal_op;
6411                 }
6412                 gen_bndck(env, s, modrm, TCG_COND_GTU, cpu_bndu[reg]);
6413             } else if (prefixes & PREFIX_DATA) {
6414                 /* bndmov -- to reg/mem */
6415                 if (reg >= 4 || s->aflag == MO_16) {
6416                     goto illegal_op;
6417                 }
6418                 if (mod == 3) {
6419                     int reg2 = (modrm & 7) | REX_B(s);
6420                     if (reg2 >= 4 || (prefixes & PREFIX_LOCK)) {
6421                         goto illegal_op;
6422                     }
6423                     if (s->flags & HF_MPX_IU_MASK) {
6424                         tcg_gen_mov_i64(cpu_bndl[reg2], cpu_bndl[reg]);
6425                         tcg_gen_mov_i64(cpu_bndu[reg2], cpu_bndu[reg]);
6426                     }
6427                 } else {
6428                     gen_lea_modrm(env, s, modrm);
6429                     if (CODE64(s)) {
6430                         tcg_gen_qemu_st_i64(cpu_bndl[reg], s->A0,
6431                                             s->mem_index, MO_LEUQ);
6432                         tcg_gen_addi_tl(s->A0, s->A0, 8);
6433                         tcg_gen_qemu_st_i64(cpu_bndu[reg], s->A0,
6434                                             s->mem_index, MO_LEUQ);
6435                     } else {
6436                         tcg_gen_qemu_st_i64(cpu_bndl[reg], s->A0,
6437                                             s->mem_index, MO_LEUL);
6438                         tcg_gen_addi_tl(s->A0, s->A0, 4);
6439                         tcg_gen_qemu_st_i64(cpu_bndu[reg], s->A0,
6440                                             s->mem_index, MO_LEUL);
6441                     }
6442                 }
6443             } else if (mod != 3) {
6444                 /* bndstx */
6445                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6446                 if (reg >= 4
6447                     || (prefixes & PREFIX_LOCK)
6448                     || s->aflag == MO_16
6449                     || a.base < -1) {
6450                     goto illegal_op;
6451                 }
6452                 if (a.base >= 0) {
6453                     tcg_gen_addi_tl(s->A0, cpu_regs[a.base], a.disp);
6454                 } else {
6455                     tcg_gen_movi_tl(s->A0, 0);
6456                 }
6457                 gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
6458                 if (a.index >= 0) {
6459                     tcg_gen_mov_tl(s->T0, cpu_regs[a.index]);
6460                 } else {
6461                     tcg_gen_movi_tl(s->T0, 0);
6462                 }
6463                 if (CODE64(s)) {
6464                     gen_helper_bndstx64(tcg_env, s->A0, s->T0,
6465                                         cpu_bndl[reg], cpu_bndu[reg]);
6466                 } else {
6467                     gen_helper_bndstx32(tcg_env, s->A0, s->T0,
6468                                         cpu_bndl[reg], cpu_bndu[reg]);
6469                 }
6470             }
6471         }
6472         gen_nop_modrm(env, s, modrm);
6473         break;
6474     case 0x119: case 0x11c ... 0x11f: /* nop (multi byte) */
6475         modrm = x86_ldub_code(env, s);
6476         gen_nop_modrm(env, s, modrm);
6477         break;
6478 
6479     case 0x120: /* mov reg, crN */
6480     case 0x122: /* mov crN, reg */
6481         if (!check_cpl0(s)) {
6482             break;
6483         }
6484         modrm = x86_ldub_code(env, s);
6485         /*
6486          * Ignore the mod bits (assume (modrm&0xc0)==0xc0).
6487          * AMD documentation (24594.pdf) and testing of Intel 386 and 486
6488          * processors all show that the mod bits are assumed to be 1's,
6489          * regardless of actual values.
6490          */
6491         rm = (modrm & 7) | REX_B(s);
6492         reg = ((modrm >> 3) & 7) | REX_R(s);
6493         switch (reg) {
6494         case 0:
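            /* With a LOCK prefix, CR0 is AMD's legacy alias for CR8. */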
6495             if ((prefixes & PREFIX_LOCK) &&
6496                 (s->cpuid_ext3_features & CPUID_EXT3_CR8LEG)) {
6497                 reg = 8;
6498             }
6499             break;
6500         case 2:
6501         case 3:
6502         case 4:
6503         case 8:
6504             break;
6505         default:
6506             goto unknown_op;
6507         }
6508         ot  = (CODE64(s) ? MO_64 : MO_32);
6509 
6510         translator_io_start(&s->base);
6511         if (b & 2) {
6512             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0 + reg);
6513             gen_op_mov_v_reg(s, ot, s->T0, rm);
6514             gen_helper_write_crN(tcg_env, tcg_constant_i32(reg), s->T0);
6515             s->base.is_jmp = DISAS_EOB_NEXT;
6516         } else {
6517             gen_svm_check_intercept(s, SVM_EXIT_READ_CR0 + reg);
6518             gen_helper_read_crN(s->T0, tcg_env, tcg_constant_i32(reg));
6519             gen_op_mov_reg_v(s, ot, rm, s->T0);
6520         }
6521         break;
6522 
6523     case 0x121: /* mov reg, drN */
6524     case 0x123: /* mov drN, reg */
6525         if (check_cpl0(s)) {
6526             modrm = x86_ldub_code(env, s);
6527             /* Ignore the mod bits (assume (modrm&0xc0)==0xc0).
6528              * AMD documentation (24594.pdf) and testing of
6529              * Intel 386 and 486 processors all show that the mod bits
6530              * are assumed to be 1's, regardless of actual values.
6531              */
6532             rm = (modrm & 7) | REX_B(s);
6533             reg = ((modrm >> 3) & 7) | REX_R(s);
6534             if (CODE64(s))
6535                 ot = MO_64;
6536             else
6537                 ot = MO_32;
6538             if (reg >= 8) {
6539                 goto illegal_op;
6540             }
6541             if (b & 2) {
6542                 gen_svm_check_intercept(s, SVM_EXIT_WRITE_DR0 + reg);
6543                 gen_op_mov_v_reg(s, ot, s->T0, rm);
6544                 tcg_gen_movi_i32(s->tmp2_i32, reg);
6545                 gen_helper_set_dr(tcg_env, s->tmp2_i32, s->T0);
6546                 s->base.is_jmp = DISAS_EOB_NEXT;
6547             } else {
6548                 gen_svm_check_intercept(s, SVM_EXIT_READ_DR0 + reg);
6549                 tcg_gen_movi_i32(s->tmp2_i32, reg);
6550                 gen_helper_get_dr(s->T0, tcg_env, s->tmp2_i32);
6551                 gen_op_mov_reg_v(s, ot, rm, s->T0);
6552             }
6553         }
6554         break;
6555     case 0x106: /* clts */
6556         if (check_cpl0(s)) {
6557             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0);
6558             gen_helper_clts(tcg_env);
6559             /* abort the block because static CPU state changed */
6560             s->base.is_jmp = DISAS_EOB_NEXT;
6561         }
6562         break;
6563     /* MMX/3DNow!/SSE/SSE2/SSE3/SSSE3/SSE4 support */
6564     case 0x1c3: /* MOVNTI reg, mem */
6565         if (!(s->cpuid_features & CPUID_SSE2))
6566             goto illegal_op;
6567         ot = mo_64_32(dflag);
6568         modrm = x86_ldub_code(env, s);
6569         mod = (modrm >> 6) & 3;
6570         if (mod == 3)
6571             goto illegal_op;
6572         reg = ((modrm >> 3) & 7) | REX_R(s);
6573         /* generate a generic store */
6574         gen_ldst_modrm(env, s, modrm, ot, reg, 1);
6575         break;
6576     case 0x1ae:
6577         modrm = x86_ldub_code(env, s);
6578         switch (modrm) {
6579         CASE_MODRM_MEM_OP(0): /* fxsave */
6580             if (!(s->cpuid_features & CPUID_FXSR)
6581                 || (prefixes & PREFIX_LOCK)) {
6582                 goto illegal_op;
6583             }
6584             if ((s->flags & HF_EM_MASK) || (s->flags & HF_TS_MASK)) {
6585                 gen_exception(s, EXCP07_PREX);
6586                 break;
6587             }
6588             gen_lea_modrm(env, s, modrm);
6589             gen_helper_fxsave(tcg_env, s->A0);
6590             break;
6591 
6592         CASE_MODRM_MEM_OP(1): /* fxrstor */
6593             if (!(s->cpuid_features & CPUID_FXSR)
6594                 || (prefixes & PREFIX_LOCK)) {
6595                 goto illegal_op;
6596             }
6597             if ((s->flags & HF_EM_MASK) || (s->flags & HF_TS_MASK)) {
6598                 gen_exception(s, EXCP07_PREX);
6599                 break;
6600             }
6601             gen_lea_modrm(env, s, modrm);
6602             gen_helper_fxrstor(tcg_env, s->A0);
6603             break;
6604 
6605         CASE_MODRM_MEM_OP(2): /* ldmxcsr */
6606             if ((s->flags & HF_EM_MASK) || !(s->flags & HF_OSFXSR_MASK)) {
6607                 goto illegal_op;
6608             }
6609             if (s->flags & HF_TS_MASK) {
6610                 gen_exception(s, EXCP07_PREX);
6611                 break;
6612             }
6613             gen_lea_modrm(env, s, modrm);
6614             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0, s->mem_index, MO_LEUL);
6615             gen_helper_ldmxcsr(tcg_env, s->tmp2_i32);
6616             break;
6617 
6618         CASE_MODRM_MEM_OP(3): /* stmxcsr */
6619             if ((s->flags & HF_EM_MASK) || !(s->flags & HF_OSFXSR_MASK)) {
6620                 goto illegal_op;
6621             }
6622             if (s->flags & HF_TS_MASK) {
6623                 gen_exception(s, EXCP07_PREX);
6624                 break;
6625             }
6626             gen_helper_update_mxcsr(tcg_env);
6627             gen_lea_modrm(env, s, modrm);
6628             tcg_gen_ld32u_tl(s->T0, tcg_env, offsetof(CPUX86State, mxcsr));
6629             gen_op_st_v(s, MO_32, s->T0, s->A0);
6630             break;
6631 
6632         CASE_MODRM_MEM_OP(4): /* xsave */
6633             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6634                 || (prefixes & (PREFIX_LOCK | PREFIX_DATA
6635                                 | PREFIX_REPZ | PREFIX_REPNZ))) {
6636                 goto illegal_op;
6637             }
6638             gen_lea_modrm(env, s, modrm);
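            /* The requested-feature bitmap (RFBM) is passed in EDX:EAX. */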
6639             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6640                                   cpu_regs[R_EDX]);
6641             gen_helper_xsave(tcg_env, s->A0, s->tmp1_i64);
6642             break;
6643 
6644         CASE_MODRM_MEM_OP(5): /* xrstor */
6645             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6646                 || (prefixes & (PREFIX_LOCK | PREFIX_DATA
6647                                 | PREFIX_REPZ | PREFIX_REPNZ))) {
6648                 goto illegal_op;
6649             }
6650             gen_lea_modrm(env, s, modrm);
6651             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6652                                   cpu_regs[R_EDX]);
6653             gen_helper_xrstor(tcg_env, s->A0, s->tmp1_i64);
6654             /* XRSTOR is how MPX is enabled, which changes how
6655                we translate.  Thus we need to end the TB.  */
6656             s->base.is_jmp = DISAS_EOB_NEXT;
6657             break;
6658 
6659         CASE_MODRM_MEM_OP(6): /* xsaveopt / clwb */
6660             if (prefixes & PREFIX_LOCK) {
6661                 goto illegal_op;
6662             }
6663             if (prefixes & PREFIX_DATA) {
6664                 /* clwb */
6665                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_CLWB)) {
6666                     goto illegal_op;
6667                 }
6668                 gen_nop_modrm(env, s, modrm);
6669             } else {
6670                 /* xsaveopt */
6671                 if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6672                     || (s->cpuid_xsave_features & CPUID_XSAVE_XSAVEOPT) == 0
6673                     || (prefixes & (PREFIX_REPZ | PREFIX_REPNZ))) {
6674                     goto illegal_op;
6675                 }
6676                 gen_lea_modrm(env, s, modrm);
6677                 tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6678                                       cpu_regs[R_EDX]);
6679                 gen_helper_xsaveopt(tcg_env, s->A0, s->tmp1_i64);
6680             }
6681             break;
6682 
6683         CASE_MODRM_MEM_OP(7): /* clflush / clflushopt */
6684             if (prefixes & PREFIX_LOCK) {
6685                 goto illegal_op;
6686             }
6687             if (prefixes & PREFIX_DATA) {
6688                 /* clflushopt */
6689                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_CLFLUSHOPT)) {
6690                     goto illegal_op;
6691                 }
6692             } else {
6693                 /* clflush */
6694                 if ((s->prefix & (PREFIX_REPZ | PREFIX_REPNZ))
6695                     || !(s->cpuid_features & CPUID_CLFLUSH)) {
6696                     goto illegal_op;
6697                 }
6698             }
6699             gen_nop_modrm(env, s, modrm);
6700             break;
6701 
6702         case 0xc0 ... 0xc7: /* rdfsbase (f3 0f ae /0) */
6703         case 0xc8 ... 0xcf: /* rdgsbase (f3 0f ae /1) */
6704         case 0xd0 ... 0xd7: /* wrfsbase (f3 0f ae /2) */
6705         case 0xd8 ... 0xdf: /* wrgsbase (f3 0f ae /3) */
6706             if (CODE64(s)
6707                 && (prefixes & PREFIX_REPZ)
6708                 && !(prefixes & PREFIX_LOCK)
6709                 && (s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_FSGSBASE)) {
6710                 TCGv base, treg, src, dst;
6711 
6712                 /* Preserve hflags bits by testing CR4 at runtime.  */
6713                 tcg_gen_movi_i32(s->tmp2_i32, CR4_FSGSBASE_MASK);
6714                 gen_helper_cr4_testbit(tcg_env, s->tmp2_i32);
6715 
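                /* ModRM bit 3 selects FS vs GS; bit 4 selects read vs write. */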
6716                 base = cpu_seg_base[modrm & 8 ? R_GS : R_FS];
6717                 treg = cpu_regs[(modrm & 7) | REX_B(s)];
6718 
6719                 if (modrm & 0x10) {
6720                     /* wr*base */
6721                     dst = base, src = treg;
6722                 } else {
6723                     /* rd*base */
6724                     dst = treg, src = base;
6725                 }
6726 
6727                 if (s->dflag == MO_32) {
6728                     tcg_gen_ext32u_tl(dst, src);
6729                 } else {
6730                     tcg_gen_mov_tl(dst, src);
6731                 }
6732                 break;
6733             }
6734             goto unknown_op;
6735 
6736         case 0xf8: /* sfence / pcommit */
6737             if (prefixes & PREFIX_DATA) {
6738                 /* pcommit */
6739                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_PCOMMIT)
6740                     || (prefixes & PREFIX_LOCK)) {
6741                     goto illegal_op;
6742                 }
6743                 break;
6744             }
6745             /* fallthru */
6746         case 0xf9 ... 0xff: /* sfence */
6747             if (!(s->cpuid_features & CPUID_SSE)
6748                 || (prefixes & PREFIX_LOCK)) {
6749                 goto illegal_op;
6750             }
6751             tcg_gen_mb(TCG_MO_ST_ST | TCG_BAR_SC);
6752             break;
6753         case 0xe8 ... 0xef: /* lfence */
6754             if (!(s->cpuid_features & CPUID_SSE)
6755                 || (prefixes & PREFIX_LOCK)) {
6756                 goto illegal_op;
6757             }
6758             tcg_gen_mb(TCG_MO_LD_LD | TCG_BAR_SC);
6759             break;
6760         case 0xf0 ... 0xf7: /* mfence */
6761             if (!(s->cpuid_features & CPUID_SSE2)
6762                 || (prefixes & PREFIX_LOCK)) {
6763                 goto illegal_op;
6764             }
6765             tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
6766             break;
6767 
6768         default:
6769             goto unknown_op;
6770         }
6771         break;
6772 
6773     case 0x10d: /* 3DNow! prefetch(w) */
6774         modrm = x86_ldub_code(env, s);
6775         mod = (modrm >> 6) & 3;
6776         if (mod == 3)
6777             goto illegal_op;
6778         gen_nop_modrm(env, s, modrm);
6779         break;
6780     case 0x1aa: /* rsm */
6781         gen_svm_check_intercept(s, SVM_EXIT_RSM);
6782         if (!(s->flags & HF_SMM_MASK))
6783             goto illegal_op;
6784 #ifdef CONFIG_USER_ONLY
6785         /* we should not be in SMM */
6786         g_assert_not_reached();
6787 #else
6788         gen_update_cc_op(s);
6789         gen_update_eip_next(s);
6790         gen_helper_rsm(tcg_env);
6791 #endif /* CONFIG_USER_ONLY */
6792         s->base.is_jmp = DISAS_EOB_ONLY;
6793         break;
6794     case 0x1b8: /* SSE4.2 popcnt */
6795         if ((prefixes & (PREFIX_REPZ | PREFIX_LOCK | PREFIX_REPNZ)) !=
6796              PREFIX_REPZ)
6797             goto illegal_op;
6798         if (!(s->cpuid_ext_features & CPUID_EXT_POPCNT))
6799             goto illegal_op;
6800 
6801         modrm = x86_ldub_code(env, s);
6802         reg = ((modrm >> 3) & 7) | REX_R(s);
6803 
6804         if (s->prefix & PREFIX_DATA) {
6805             ot = MO_16;
6806         } else {
6807             ot = mo_64_32(dflag);
6808         }
6809 
6810         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
6811         gen_extu(ot, s->T0);
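        /* cc_src keeps the zero-extended source: CC_OP_POPCNT derives ZF
           from it, and the remaining flags read as zero. */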
6812         tcg_gen_mov_tl(cpu_cc_src, s->T0);
6813         tcg_gen_ctpop_tl(s->T0, s->T0);
6814         gen_op_mov_reg_v(s, ot, reg, s->T0);
6815 
6816         set_cc_op(s, CC_OP_POPCNT);
6817         break;
6818     case 0x10e ... 0x117:
6819     case 0x128 ... 0x12f:
6820     case 0x138 ... 0x13a:
6821     case 0x150 ... 0x179:
6822     case 0x17c ... 0x17f:
6823     case 0x1c2:
6824     case 0x1c4 ... 0x1c6:
6825     case 0x1d0 ... 0x1fe:
6826         disas_insn_new(s, cpu, b);
6827         break;
6828     default:
6829         goto unknown_op;
6830     }
6831     return true;
6832  illegal_op:
6833     gen_illegal_opcode(s);
6834     return true;
6835  unknown_op:
6836     gen_unknown_opcode(env, s);
6837     return true;
6838 }
6839 
6840 void tcg_x86_init(void)
6841 {
6842     static const char reg_names[CPU_NB_REGS][4] = {
6843 #ifdef TARGET_X86_64
6844         [R_EAX] = "rax",
6845         [R_EBX] = "rbx",
6846         [R_ECX] = "rcx",
6847         [R_EDX] = "rdx",
6848         [R_ESI] = "rsi",
6849         [R_EDI] = "rdi",
6850         [R_EBP] = "rbp",
6851         [R_ESP] = "rsp",
6852         [8]  = "r8",
6853         [9]  = "r9",
6854         [10] = "r10",
6855         [11] = "r11",
6856         [12] = "r12",
6857         [13] = "r13",
6858         [14] = "r14",
6859         [15] = "r15",
6860 #else
6861         [R_EAX] = "eax",
6862         [R_EBX] = "ebx",
6863         [R_ECX] = "ecx",
6864         [R_EDX] = "edx",
6865         [R_ESI] = "esi",
6866         [R_EDI] = "edi",
6867         [R_EBP] = "ebp",
6868         [R_ESP] = "esp",
6869 #endif
6870     };
6871     static const char eip_name[] = {
6872 #ifdef TARGET_X86_64
6873         "rip"
6874 #else
6875         "eip"
6876 #endif
6877     };
6878     static const char seg_base_names[6][8] = {
6879         [R_CS] = "cs_base",
6880         [R_DS] = "ds_base",
6881         [R_ES] = "es_base",
6882         [R_FS] = "fs_base",
6883         [R_GS] = "gs_base",
6884         [R_SS] = "ss_base",
6885     };
6886     static const char bnd_regl_names[4][8] = {
6887         "bnd0_lb", "bnd1_lb", "bnd2_lb", "bnd3_lb"
6888     };
6889     static const char bnd_regu_names[4][8] = {
6890         "bnd0_ub", "bnd1_ub", "bnd2_ub", "bnd3_ub"
6891     };
6892     int i;
6893 
6894     cpu_cc_op = tcg_global_mem_new_i32(tcg_env,
6895                                        offsetof(CPUX86State, cc_op), "cc_op");
6896     cpu_cc_dst = tcg_global_mem_new(tcg_env, offsetof(CPUX86State, cc_dst),
6897                                     "cc_dst");
6898     cpu_cc_src = tcg_global_mem_new(tcg_env, offsetof(CPUX86State, cc_src),
6899                                     "cc_src");
6900     cpu_cc_src2 = tcg_global_mem_new(tcg_env, offsetof(CPUX86State, cc_src2),
6901                                      "cc_src2");
6902     cpu_eip = tcg_global_mem_new(tcg_env, offsetof(CPUX86State, eip), eip_name);
6903 
6904     for (i = 0; i < CPU_NB_REGS; ++i) {
6905         cpu_regs[i] = tcg_global_mem_new(tcg_env,
6906                                          offsetof(CPUX86State, regs[i]),
6907                                          reg_names[i]);
6908     }
6909 
6910     for (i = 0; i < 6; ++i) {
6911         cpu_seg_base[i]
6912             = tcg_global_mem_new(tcg_env,
6913                                  offsetof(CPUX86State, segs[i].base),
6914                                  seg_base_names[i]);
6915     }
6916 
6917     for (i = 0; i < 4; ++i) {
6918         cpu_bndl[i]
6919             = tcg_global_mem_new_i64(tcg_env,
6920                                      offsetof(CPUX86State, bnd_regs[i].lb),
6921                                      bnd_regl_names[i]);
6922         cpu_bndu[i]
6923             = tcg_global_mem_new_i64(tcg_env,
6924                                      offsetof(CPUX86State, bnd_regs[i].ub),
6925                                      bnd_regu_names[i]);
6926     }
6927 }
6928 
6929 static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
6930 {
6931     DisasContext *dc = container_of(dcbase, DisasContext, base);
6932     CPUX86State *env = cpu_env(cpu);
6933     uint32_t flags = dc->base.tb->flags;
6934     uint32_t cflags = tb_cflags(dc->base.tb);
6935     int cpl = (flags >> HF_CPL_SHIFT) & 3;
6936     int iopl = (flags >> IOPL_SHIFT) & 3;
6937 
6938     dc->cs_base = dc->base.tb->cs_base;
6939     dc->pc_save = dc->base.pc_next;
6940     dc->flags = flags;
6941 #ifndef CONFIG_USER_ONLY
6942     dc->cpl = cpl;
6943     dc->iopl = iopl;
6944 #endif
6945 
6946     /* We make some simplifying assumptions; validate they're correct. */
6947     g_assert(PE(dc) == ((flags & HF_PE_MASK) != 0));
6948     g_assert(CPL(dc) == cpl);
6949     g_assert(IOPL(dc) == iopl);
6950     g_assert(VM86(dc) == ((flags & HF_VM_MASK) != 0));
6951     g_assert(CODE32(dc) == ((flags & HF_CS32_MASK) != 0));
6952     g_assert(CODE64(dc) == ((flags & HF_CS64_MASK) != 0));
6953     g_assert(SS32(dc) == ((flags & HF_SS32_MASK) != 0));
6954     g_assert(LMA(dc) == ((flags & HF_LMA_MASK) != 0));
6955     g_assert(ADDSEG(dc) == ((flags & HF_ADDSEG_MASK) != 0));
6956     g_assert(SVME(dc) == ((flags & HF_SVME_MASK) != 0));
6957     g_assert(GUEST(dc) == ((flags & HF_GUEST_MASK) != 0));
6958 
6959     dc->cc_op = CC_OP_DYNAMIC;
6960     dc->cc_op_dirty = false;
6961     dc->popl_esp_hack = 0;
6962     /* select memory access functions */
6963     dc->mem_index = cpu_mmu_index(cpu, false);
6964     dc->cpuid_features = env->features[FEAT_1_EDX];
6965     dc->cpuid_ext_features = env->features[FEAT_1_ECX];
6966     dc->cpuid_ext2_features = env->features[FEAT_8000_0001_EDX];
6967     dc->cpuid_ext3_features = env->features[FEAT_8000_0001_ECX];
6968     dc->cpuid_7_0_ebx_features = env->features[FEAT_7_0_EBX];
6969     dc->cpuid_7_0_ecx_features = env->features[FEAT_7_0_ECX];
6970     dc->cpuid_7_1_eax_features = env->features[FEAT_7_1_EAX];
6971     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
6972     dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
6973                     (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
6974     /*
6975      * If jmp_opt, we want to handle each string instruction individually.
6976      * For icount also disable repz optimization so that each iteration
6977      * is accounted separately.
6978      */
6979     dc->repz_opt = !dc->jmp_opt && !(cflags & CF_USE_ICOUNT);
6980 
6981     dc->T0 = tcg_temp_new();
6982     dc->T1 = tcg_temp_new();
6983     dc->A0 = tcg_temp_new();
6984 
6985     dc->tmp0 = tcg_temp_new();
6986     dc->tmp1_i64 = tcg_temp_new_i64();
6987     dc->tmp2_i32 = tcg_temp_new_i32();
6988     dc->tmp3_i32 = tcg_temp_new_i32();
6989     dc->tmp4 = tcg_temp_new();
6990     dc->cc_srcT = tcg_temp_new();
6991 }
6992 
6993 static void i386_tr_tb_start(DisasContextBase *db, CPUState *cpu)
6994 {
6995 }
6996 
6997 static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
6998 {
6999     DisasContext *dc = container_of(dcbase, DisasContext, base);
7000     target_ulong pc_arg = dc->base.pc_next;
7001 
7002     dc->prev_insn_start = dc->base.insn_start;
7003     dc->prev_insn_end = tcg_last_op();
7004     if (tb_cflags(dcbase->tb) & CF_PCREL) {
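        /* With PC-relative code, record only the offset within the page. */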
7005         pc_arg &= ~TARGET_PAGE_MASK;
7006     }
7007     tcg_gen_insn_start(pc_arg, dc->cc_op);
7008 }
7009 
7010 static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
7011 {
7012     DisasContext *dc = container_of(dcbase, DisasContext, base);
7013 
7014 #ifdef TARGET_VSYSCALL_PAGE
7015     /*
7016      * Detect entry into the vsyscall page and invoke the syscall.
7017      */
7018     if ((dc->base.pc_next & TARGET_PAGE_MASK) == TARGET_VSYSCALL_PAGE) {
7019         gen_exception(dc, EXCP_VSYSCALL);
7020         dc->base.pc_next = dc->pc + 1;
7021         return;
7022     }
7023 #endif
7024 
7025     if (disas_insn(dc, cpu)) {
7026         target_ulong pc_next = dc->pc;
7027         dc->base.pc_next = pc_next;
7028 
7029         if (dc->base.is_jmp == DISAS_NEXT) {
7030             if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
7031                 /*
7032                  * In single-step mode, we generate only one instruction
7033                  * and then raise an exception.
7034                  * If IRQs were inhibited with HF_INHIBIT_IRQ_MASK, we
7035                  * clear the flag and end the translation block to give
7036                  * the IRQs a chance to happen.
7037                  */
7038                 dc->base.is_jmp = DISAS_EOB_NEXT;
7039             } else if (!is_same_page(&dc->base, pc_next)) {
7040                 dc->base.is_jmp = DISAS_TOO_MANY;
7041             }
7042         }
7043     }
7044 }
7045 
7046 static void i386_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
7047 {
7048     DisasContext *dc = container_of(dcbase, DisasContext, base);
7049 
7050     switch (dc->base.is_jmp) {
7051     case DISAS_NORETURN:
7052         break;
7053     case DISAS_TOO_MANY:
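        /* End the TB with a zero-displacement jump to the next insn. */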
7054         gen_update_cc_op(dc);
7055         gen_jmp_rel_csize(dc, 0, 0);
7056         break;
7057     case DISAS_EOB_NEXT:
7058         gen_update_cc_op(dc);
7059         gen_update_eip_cur(dc);
7060         /* fall through */
7061     case DISAS_EOB_ONLY:
7062         gen_eob(dc);
7063         break;
7064     case DISAS_EOB_INHIBIT_IRQ:
7065         gen_update_cc_op(dc);
7066         gen_update_eip_cur(dc);
7067         gen_eob_inhibit_irq(dc, true);
7068         break;
7069     case DISAS_JUMP:
7070         gen_jr(dc);
7071         break;
7072     default:
7073         g_assert_not_reached();
7074     }
7075 }
7076 
7077 static void i386_tr_disas_log(const DisasContextBase *dcbase,
7078                               CPUState *cpu, FILE *logfile)
7079 {
7080     DisasContext *dc = container_of(dcbase, DisasContext, base);
7081 
7082     fprintf(logfile, "IN: %s\n", lookup_symbol(dc->base.pc_first));
7083     target_disas(logfile, cpu, dc->base.pc_first, dc->base.tb->size);
7084 }
7085 
7086 static const TranslatorOps i386_tr_ops = {
7087     .init_disas_context = i386_tr_init_disas_context,
7088     .tb_start           = i386_tr_tb_start,
7089     .insn_start         = i386_tr_insn_start,
7090     .translate_insn     = i386_tr_translate_insn,
7091     .tb_stop            = i386_tr_tb_stop,
7092     .disas_log          = i386_tr_disas_log,
7093 };
7094 
7095 /* generate intermediate code for basic block 'tb'.  */
7096 void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int *max_insns,
7097                            vaddr pc, void *host_pc)
7098 {
7099     DisasContext dc;
7100 
7101     translator_loop(cpu, tb, max_insns, pc, host_pc, &i386_tr_ops, &dc.base);
7102 }
7103