/*
 *  i386 translation
 *
 *  Copyright (c) 2003 Fabrice Bellard
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */
#include "qemu/osdep.h"

#include "qemu/host-utils.h"
#include "cpu.h"
#include "disas/disas.h"
#include "exec/exec-all.h"
#include "tcg/tcg-op.h"
#include "tcg/tcg-op-gvec.h"
#include "exec/cpu_ldst.h"
#include "exec/translator.h"
#include "fpu/softfloat.h"

#include "exec/helper-proto.h"
#include "exec/helper-gen.h"
#include "helper-tcg.h"

#include "exec/log.h"

#define PREFIX_REPZ   0x01
#define PREFIX_REPNZ  0x02
#define PREFIX_LOCK   0x04
#define PREFIX_DATA   0x08
#define PREFIX_ADR    0x10
#define PREFIX_VEX    0x20
#define PREFIX_REX    0x40

#ifdef TARGET_X86_64
# define ctztl  ctz64
# define clztl  clz64
#else
# define ctztl  ctz32
# define clztl  clz32
#endif

/* For a switch indexed by MODRM, match all memory operands for a given OP.  */
#define CASE_MODRM_MEM_OP(OP) \
    case (0 << 6) | (OP << 3) | 0 ... (0 << 6) | (OP << 3) | 7: \
    case (1 << 6) | (OP << 3) | 0 ... (1 << 6) | (OP << 3) | 7: \
    case (2 << 6) | (OP << 3) | 0 ... (2 << 6) | (OP << 3) | 7

#define CASE_MODRM_OP(OP) \
    case (0 << 6) | (OP << 3) | 0 ... (0 << 6) | (OP << 3) | 7: \
    case (1 << 6) | (OP << 3) | 0 ... (1 << 6) | (OP << 3) | 7: \
    case (2 << 6) | (OP << 3) | 0 ... (2 << 6) | (OP << 3) | 7: \
    case (3 << 6) | (OP << 3) | 0 ... (3 << 6) | (OP << 3) | 7

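/*
 * For instance, with OP = 7, CASE_MODRM_MEM_OP(7) matches the modrm
 * bytes 0x38-0x3f, 0x78-0x7f and 0xb8-0xbf (mod = 0, 1, 2 with any rm),
 * while CASE_MODRM_OP(7) additionally matches 0xf8-0xff (mod = 3,
 * i.e. register operands).
 */
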
//#define MACRO_TEST   1

/* global register indexes */
static TCGv cpu_cc_dst, cpu_cc_src, cpu_cc_src2;
static TCGv cpu_eip;
static TCGv_i32 cpu_cc_op;
static TCGv cpu_regs[CPU_NB_REGS];
static TCGv cpu_seg_base[6];
static TCGv_i64 cpu_bndl[4];
static TCGv_i64 cpu_bndu[4];

#include "exec/gen-icount.h"

typedef struct DisasContext {
    DisasContextBase base;

    target_ulong pc;       /* pc = eip + cs_base */
    target_ulong cs_base;  /* base of CS segment */
    target_ulong pc_save;

    MemOp aflag;
    MemOp dflag;

    int8_t override; /* -1 if no override, else R_CS, R_DS, etc */
    uint8_t prefix;

    bool has_modrm;
    uint8_t modrm;

#ifndef CONFIG_USER_ONLY
    uint8_t cpl;   /* code priv level */
    uint8_t iopl;  /* i/o priv level */
#endif
    uint8_t vex_l;  /* vex vector length */
    uint8_t vex_v;  /* vex vvvv register, without 1's complement.  */
    uint8_t popl_esp_hack; /* for correct popl with esp base handling */
    uint8_t rip_offset; /* only used in x86_64, but left for simplicity */

#ifdef TARGET_X86_64
    uint8_t rex_r;
    uint8_t rex_x;
    uint8_t rex_b;
#endif
    bool vex_w; /* used by AVX even on 32-bit processors */
    bool jmp_opt; /* use direct block chaining for direct jumps */
    bool repz_opt; /* optimize jumps within repz instructions */
    bool cc_op_dirty;

    CCOp cc_op;  /* current CC operation */
    int mem_index; /* select memory access functions */
    uint32_t flags; /* all execution flags */
    int cpuid_features;
    int cpuid_ext_features;
    int cpuid_ext2_features;
    int cpuid_ext3_features;
    int cpuid_7_0_ebx_features;
    int cpuid_7_0_ecx_features;
    int cpuid_xsave_features;

    /* TCG local temps */
    TCGv cc_srcT;
    TCGv A0;
    TCGv T0;
    TCGv T1;

    /* TCG local register indexes (only used inside old micro ops) */
    TCGv tmp0;
    TCGv tmp4;
    TCGv_i32 tmp2_i32;
    TCGv_i32 tmp3_i32;
    TCGv_i64 tmp1_i64;

    sigjmp_buf jmpbuf;
    TCGOp *prev_insn_end;
} DisasContext;

#define DISAS_EOB_ONLY         DISAS_TARGET_0
#define DISAS_EOB_NEXT         DISAS_TARGET_1
#define DISAS_EOB_INHIBIT_IRQ  DISAS_TARGET_2
#define DISAS_JUMP             DISAS_TARGET_3

/* The environment in which user-only runs is constrained. */
#ifdef CONFIG_USER_ONLY
#define PE(S)     true
#define CPL(S)    3
#define IOPL(S)   0
#define SVME(S)   false
#define GUEST(S)  false
#else
#define PE(S)     (((S)->flags & HF_PE_MASK) != 0)
#define CPL(S)    ((S)->cpl)
#define IOPL(S)   ((S)->iopl)
#define SVME(S)   (((S)->flags & HF_SVME_MASK) != 0)
#define GUEST(S)  (((S)->flags & HF_GUEST_MASK) != 0)
#endif
#if defined(CONFIG_USER_ONLY) && defined(TARGET_X86_64)
#define VM86(S)   false
#define CODE32(S) true
#define SS32(S)   true
#define ADDSEG(S) false
#else
#define VM86(S)   (((S)->flags & HF_VM_MASK) != 0)
#define CODE32(S) (((S)->flags & HF_CS32_MASK) != 0)
#define SS32(S)   (((S)->flags & HF_SS32_MASK) != 0)
#define ADDSEG(S) (((S)->flags & HF_ADDSEG_MASK) != 0)
#endif
#if !defined(TARGET_X86_64)
#define CODE64(S) false
#define LMA(S)    false
#elif defined(CONFIG_USER_ONLY)
#define CODE64(S) true
#define LMA(S)    true
#else
#define CODE64(S) (((S)->flags & HF_CS64_MASK) != 0)
#define LMA(S)    (((S)->flags & HF_LMA_MASK) != 0)
#endif

#ifdef TARGET_X86_64
#define REX_PREFIX(S)  (((S)->prefix & PREFIX_REX) != 0)
#define REX_W(S)       ((S)->vex_w)
#define REX_R(S)       ((S)->rex_r + 0)
#define REX_X(S)       ((S)->rex_x + 0)
#define REX_B(S)       ((S)->rex_b + 0)
#else
#define REX_PREFIX(S)  false
#define REX_W(S)       false
#define REX_R(S)       0
#define REX_X(S)       0
#define REX_B(S)       0
#endif

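/*
 * Example: REX_R supplies bit 3 of the ModRM reg field, so with REX.R
 * set a reg field of 001b selects %r9 rather than %rcx.  On 32-bit
 * targets the REX macros are compile-time constants, so the extension
 * logic folds away entirely.
 */
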
/*
 * Many sysemu-only helpers are not reachable for user-only.
 * Define stub generators here, so that we need neither sprinkle
 * ifdefs through the translator nor provide the helper function.
 */
#define STUB_HELPER(NAME, ...) \
    static inline void gen_helper_##NAME(__VA_ARGS__) \
    { qemu_build_not_reached(); }

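/*
 * For instance, STUB_HELPER(clgi, TCGv_env env) expands to
 *     static inline void gen_helper_clgi(TCGv_env env)
 *     { qemu_build_not_reached(); }
 * satisfying the translator's reference without providing a real helper.
 */
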
#ifdef CONFIG_USER_ONLY
STUB_HELPER(clgi, TCGv_env env)
STUB_HELPER(flush_page, TCGv_env env, TCGv addr)
STUB_HELPER(hlt, TCGv_env env, TCGv_i32 pc_ofs)
STUB_HELPER(inb, TCGv ret, TCGv_env env, TCGv_i32 port)
STUB_HELPER(inw, TCGv ret, TCGv_env env, TCGv_i32 port)
STUB_HELPER(inl, TCGv ret, TCGv_env env, TCGv_i32 port)
STUB_HELPER(monitor, TCGv_env env, TCGv addr)
STUB_HELPER(mwait, TCGv_env env, TCGv_i32 pc_ofs)
STUB_HELPER(outb, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
STUB_HELPER(outw, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
STUB_HELPER(outl, TCGv_env env, TCGv_i32 port, TCGv_i32 val)
STUB_HELPER(rdmsr, TCGv_env env)
STUB_HELPER(read_crN, TCGv ret, TCGv_env env, TCGv_i32 reg)
STUB_HELPER(get_dr, TCGv ret, TCGv_env env, TCGv_i32 reg)
STUB_HELPER(set_dr, TCGv_env env, TCGv_i32 reg, TCGv val)
STUB_HELPER(stgi, TCGv_env env)
STUB_HELPER(svm_check_intercept, TCGv_env env, TCGv_i32 type)
STUB_HELPER(vmload, TCGv_env env, TCGv_i32 aflag)
STUB_HELPER(vmmcall, TCGv_env env)
STUB_HELPER(vmrun, TCGv_env env, TCGv_i32 aflag, TCGv_i32 pc_ofs)
STUB_HELPER(vmsave, TCGv_env env, TCGv_i32 aflag)
STUB_HELPER(write_crN, TCGv_env env, TCGv_i32 reg, TCGv val)
STUB_HELPER(wrmsr, TCGv_env env)
#endif

static void gen_eob(DisasContext *s);
static void gen_jr(DisasContext *s);
static void gen_jmp_rel(DisasContext *s, MemOp ot, int diff, int tb_num);
static void gen_jmp_rel_csize(DisasContext *s, int diff, int tb_num);
static void gen_op(DisasContext *s1, int op, MemOp ot, int d);
static void gen_exception_gpf(DisasContext *s);

/* i386 arith/logic operations */
enum {
    OP_ADDL,
    OP_ORL,
    OP_ADCL,
    OP_SBBL,
    OP_ANDL,
    OP_SUBL,
    OP_XORL,
    OP_CMPL,
};

/* i386 shift ops */
enum {
    OP_ROL,
    OP_ROR,
    OP_RCL,
    OP_RCR,
    OP_SHL,
    OP_SHR,
    OP_SHL1, /* undocumented */
    OP_SAR = 7,
};

enum {
    JCC_O,
    JCC_B,
    JCC_Z,
    JCC_BE,
    JCC_S,
    JCC_P,
    JCC_L,
    JCC_LE,
};

enum {
    /* I386 int registers */
    OR_EAX,   /* MUST be even numbered */
    OR_ECX,
    OR_EDX,
    OR_EBX,
    OR_ESP,
    OR_EBP,
    OR_ESI,
    OR_EDI,

    OR_TMP0 = 16,    /* temporary operand register */
    OR_TMP1,
    OR_A0, /* temporary register used when doing address evaluation */
};

enum {
    USES_CC_DST  = 1,
    USES_CC_SRC  = 2,
    USES_CC_SRC2 = 4,
    USES_CC_SRCT = 8,
};

/* Bit set if the global variable is live after setting CC_OP to X.  */
static const uint8_t cc_op_live[CC_OP_NB] = {
    [CC_OP_DYNAMIC] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_EFLAGS] = USES_CC_SRC,
    [CC_OP_MULB ... CC_OP_MULQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_ADDB ... CC_OP_ADDQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_ADCB ... CC_OP_ADCQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_SUBB ... CC_OP_SUBQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRCT,
    [CC_OP_SBBB ... CC_OP_SBBQ] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_LOGICB ... CC_OP_LOGICQ] = USES_CC_DST,
    [CC_OP_INCB ... CC_OP_INCQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_DECB ... CC_OP_DECQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_SHLB ... CC_OP_SHLQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_SARB ... CC_OP_SARQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_BMILGB ... CC_OP_BMILGQ] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_ADCX] = USES_CC_DST | USES_CC_SRC,
    [CC_OP_ADOX] = USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_ADCOX] = USES_CC_DST | USES_CC_SRC | USES_CC_SRC2,
    [CC_OP_CLR] = 0,
    [CC_OP_POPCNT] = USES_CC_SRC,
};

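/*
 * Example: switching from CC_OP_SUBL (DST, SRC and SRCT live) to
 * CC_OP_LOGICL (only DST live) lets set_cc_op() discard cpu_cc_src and
 * cc_srcT, handing dead-value information to the TCG optimizer.
 */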
static void set_cc_op(DisasContext *s, CCOp op)
{
    int dead;

    if (s->cc_op == op) {
        return;
    }

    /* Discard CC computation that will no longer be used.  */
    dead = cc_op_live[s->cc_op] & ~cc_op_live[op];
    if (dead & USES_CC_DST) {
        tcg_gen_discard_tl(cpu_cc_dst);
    }
    if (dead & USES_CC_SRC) {
        tcg_gen_discard_tl(cpu_cc_src);
    }
    if (dead & USES_CC_SRC2) {
        tcg_gen_discard_tl(cpu_cc_src2);
    }
    if (dead & USES_CC_SRCT) {
        tcg_gen_discard_tl(s->cc_srcT);
    }

    if (op == CC_OP_DYNAMIC) {
        /* The DYNAMIC setting is translator only, and should never be
           stored.  Thus we always consider it clean.  */
        s->cc_op_dirty = false;
    } else {
        /* Discard any computed CC_OP value (see shifts).  */
        if (s->cc_op == CC_OP_DYNAMIC) {
            tcg_gen_discard_i32(cpu_cc_op);
        }
        s->cc_op_dirty = true;
    }
    s->cc_op = op;
}

static void gen_update_cc_op(DisasContext *s)
{
    if (s->cc_op_dirty) {
        tcg_gen_movi_i32(cpu_cc_op, s->cc_op);
        s->cc_op_dirty = false;
    }
}

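/*
 * Sketch of the lazy-flags protocol: an arithmetic op stores its inputs
 * and result into cpu_cc_src/cpu_cc_dst and calls set_cc_op(); EFLAGS is
 * only materialized when a consumer (Jcc, PUSHF, a helper call) forces
 * gen_update_cc_op() or gen_compute_eflags().
 */
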
#ifdef TARGET_X86_64

#define NB_OP_SIZES 4

#else /* !TARGET_X86_64 */

#define NB_OP_SIZES 3

#endif /* !TARGET_X86_64 */

#if HOST_BIG_ENDIAN
#define REG_B_OFFSET (sizeof(target_ulong) - 1)
#define REG_H_OFFSET (sizeof(target_ulong) - 2)
#define REG_W_OFFSET (sizeof(target_ulong) - 2)
#define REG_L_OFFSET (sizeof(target_ulong) - 4)
#define REG_LH_OFFSET (sizeof(target_ulong) - 8)
#else
#define REG_B_OFFSET 0
#define REG_H_OFFSET 1
#define REG_W_OFFSET 0
#define REG_L_OFFSET 0
#define REG_LH_OFFSET 4
#endif

/* In instruction encodings for byte register accesses the
 * register number usually indicates "low 8 bits of register N";
 * however there are some special cases where N 4..7 indicates
 * [AH, CH, DH, BH], i.e. "bits 15..8 of register N-4". Return
 * true for this special case, false otherwise.
 */
static inline bool byte_reg_is_xH(DisasContext *s, int reg)
{
    /* Any time the REX prefix is present, byte registers are uniform */
    if (reg < 4 || REX_PREFIX(s)) {
        return false;
    }
    return true;
}

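/*
 * Example: without a REX prefix, byte register number 4 is AH (bits
 * 15..8 of EAX); once any REX prefix is present, the same number
 * uniformly means SPL (the low byte of RSP).
 */
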
/* Select the size of a push/pop operation.  */
static inline MemOp mo_pushpop(DisasContext *s, MemOp ot)
{
    if (CODE64(s)) {
        return ot == MO_16 ? MO_16 : MO_64;
    } else {
        return ot;
    }
}

/* Select the size of the stack pointer.  */
static inline MemOp mo_stacksize(DisasContext *s)
{
    return CODE64(s) ? MO_64 : SS32(s) ? MO_32 : MO_16;
}

/* Select only size 64 else 32.  Used for SSE operand sizes.  */
static inline MemOp mo_64_32(MemOp ot)
{
#ifdef TARGET_X86_64
    return ot == MO_64 ? MO_64 : MO_32;
#else
    return MO_32;
#endif
}

/* Select size 8 if lsb of B is clear, else OT.  Used for decoding
   byte vs word opcodes.  */
static inline MemOp mo_b_d(int b, MemOp ot)
{
    return b & 1 ? ot : MO_8;
}

/* Select size 8 if lsb of B is clear, else OT capped at 32.
   Used for decoding operand size of port opcodes.  */
static inline MemOp mo_b_d32(int b, MemOp ot)
{
    return b & 1 ? (ot == MO_16 ? MO_16 : MO_32) : MO_8;
}

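/*
 * Example: opcodes 0x88/0x89 (MOV Eb,Gb / MOV Ev,Gv) differ only in
 * bit 0, so mo_b_d(0x88, ot) yields MO_8 while mo_b_d(0x89, ot) passes
 * OT through unchanged.
 */
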
/* Compute the result of writing t0 to the OT-sized register REG.
 *
 * If DEST is NULL, store the result into the register and return the
 * register's TCGv.
 *
 * If DEST is not NULL, store the result into DEST and return the
 * register's TCGv.
 */
static TCGv gen_op_deposit_reg_v(DisasContext *s, MemOp ot, int reg, TCGv dest, TCGv t0)
{
    switch (ot) {
    case MO_8:
        if (byte_reg_is_xH(s, reg)) {
            dest = dest ? dest : cpu_regs[reg - 4];
            tcg_gen_deposit_tl(dest, cpu_regs[reg - 4], t0, 8, 8);
            return cpu_regs[reg - 4];
        }
        dest = dest ? dest : cpu_regs[reg];
        tcg_gen_deposit_tl(dest, cpu_regs[reg], t0, 0, 8);
        break;
    case MO_16:
        dest = dest ? dest : cpu_regs[reg];
        tcg_gen_deposit_tl(dest, cpu_regs[reg], t0, 0, 16);
        break;
    case MO_32:
        /* For x86_64, this sets the higher half of register to zero.
           For i386, this is equivalent to a mov. */
        dest = dest ? dest : cpu_regs[reg];
        tcg_gen_ext32u_tl(dest, t0);
        break;
#ifdef TARGET_X86_64
    case MO_64:
        dest = dest ? dest : cpu_regs[reg];
        tcg_gen_mov_tl(dest, t0);
        break;
#endif
    default:
        tcg_abort();
    }
    return cpu_regs[reg];
}

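/*
 * Example: for reg = 4 (AH) without REX, the MO_8 case above deposits T0
 * into bits 8..15 of cpu_regs[0]; the MO_32 case's explicit
 * zero-extension implements the x86-64 rule that a 32-bit write clears
 * the upper half of the destination register.
 */
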
static void gen_op_mov_reg_v(DisasContext *s, MemOp ot, int reg, TCGv t0)
{
    gen_op_deposit_reg_v(s, ot, reg, NULL, t0);
}

static inline
void gen_op_mov_v_reg(DisasContext *s, MemOp ot, TCGv t0, int reg)
{
    if (ot == MO_8 && byte_reg_is_xH(s, reg)) {
        tcg_gen_extract_tl(t0, cpu_regs[reg - 4], 8, 8);
    } else {
        tcg_gen_mov_tl(t0, cpu_regs[reg]);
    }
}

static void gen_add_A0_im(DisasContext *s, int val)
{
    tcg_gen_addi_tl(s->A0, s->A0, val);
    if (!CODE64(s)) {
        tcg_gen_ext32u_tl(s->A0, s->A0);
    }
}

static inline void gen_op_jmp_v(DisasContext *s, TCGv dest)
{
    tcg_gen_mov_tl(cpu_eip, dest);
    s->pc_save = -1;
}

static inline
void gen_op_add_reg_im(DisasContext *s, MemOp size, int reg, int32_t val)
{
    tcg_gen_addi_tl(s->tmp0, cpu_regs[reg], val);
    gen_op_mov_reg_v(s, size, reg, s->tmp0);
}

static inline void gen_op_add_reg_T0(DisasContext *s, MemOp size, int reg)
{
    tcg_gen_add_tl(s->tmp0, cpu_regs[reg], s->T0);
    gen_op_mov_reg_v(s, size, reg, s->tmp0);
}

static inline void gen_op_ld_v(DisasContext *s, int idx, TCGv t0, TCGv a0)
{
    tcg_gen_qemu_ld_tl(t0, a0, s->mem_index, idx | MO_LE);
}

static inline void gen_op_st_v(DisasContext *s, int idx, TCGv t0, TCGv a0)
{
    tcg_gen_qemu_st_tl(t0, a0, s->mem_index, idx | MO_LE);
}

static inline void gen_op_st_rm_T0_A0(DisasContext *s, int idx, int d)
{
    if (d == OR_TMP0) {
        gen_op_st_v(s, idx, s->T0, s->A0);
    } else {
        gen_op_mov_reg_v(s, idx, d, s->T0);
    }
}

static void gen_update_eip_cur(DisasContext *s)
{
    assert(s->pc_save != -1);
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        tcg_gen_addi_tl(cpu_eip, cpu_eip, s->base.pc_next - s->pc_save);
    } else {
        tcg_gen_movi_tl(cpu_eip, s->base.pc_next - s->cs_base);
    }
    s->pc_save = s->base.pc_next;
}

static void gen_update_eip_next(DisasContext *s)
{
    assert(s->pc_save != -1);
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        tcg_gen_addi_tl(cpu_eip, cpu_eip, s->pc - s->pc_save);
    } else {
        tcg_gen_movi_tl(cpu_eip, s->pc - s->cs_base);
    }
    s->pc_save = s->pc;
}

static int cur_insn_len(DisasContext *s)
{
    return s->pc - s->base.pc_next;
}

static TCGv_i32 cur_insn_len_i32(DisasContext *s)
{
    return tcg_constant_i32(cur_insn_len(s));
}

static TCGv_i32 eip_next_i32(DisasContext *s)
{
    assert(s->pc_save != -1);
    /*
     * This function has two users: lcall_real (always 16-bit mode), and
     * iret_protected (16, 32, or 64-bit mode).  IRET only uses the value
     * when EFLAGS.NT is set, which is illegal in 64-bit mode, which is
     * why passing a 32-bit value isn't broken.  To avoid using this where
     * we shouldn't, return -1 in 64-bit mode so that execution goes into
     * the weeds quickly.
     */
    if (CODE64(s)) {
        return tcg_constant_i32(-1);
    }
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        TCGv_i32 ret = tcg_temp_new_i32();
        tcg_gen_trunc_tl_i32(ret, cpu_eip);
        tcg_gen_addi_i32(ret, ret, s->pc - s->pc_save);
        return ret;
    } else {
        return tcg_constant_i32(s->pc - s->cs_base);
    }
}

static TCGv eip_next_tl(DisasContext *s)
{
    assert(s->pc_save != -1);
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        TCGv ret = tcg_temp_new();
        tcg_gen_addi_tl(ret, cpu_eip, s->pc - s->pc_save);
        return ret;
    } else {
        return tcg_constant_tl(s->pc - s->cs_base);
    }
}

static TCGv eip_cur_tl(DisasContext *s)
{
    assert(s->pc_save != -1);
    if (tb_cflags(s->base.tb) & CF_PCREL) {
        TCGv ret = tcg_temp_new();
        tcg_gen_addi_tl(ret, cpu_eip, s->base.pc_next - s->pc_save);
        return ret;
    } else {
        return tcg_constant_tl(s->base.pc_next - s->cs_base);
    }
}

/* Compute SEG:REG into A0.  SEG is selected from the override segment
   (OVR_SEG) and the default segment (DEF_SEG).  OVR_SEG may be -1 to
   indicate no override.  */
static void gen_lea_v_seg(DisasContext *s, MemOp aflag, TCGv a0,
                          int def_seg, int ovr_seg)
{
    switch (aflag) {
#ifdef TARGET_X86_64
    case MO_64:
        if (ovr_seg < 0) {
            tcg_gen_mov_tl(s->A0, a0);
            return;
        }
        break;
#endif
    case MO_32:
        /* 32 bit address */
        if (ovr_seg < 0 && ADDSEG(s)) {
            ovr_seg = def_seg;
        }
        if (ovr_seg < 0) {
            tcg_gen_ext32u_tl(s->A0, a0);
            return;
        }
        break;
    case MO_16:
        /* 16 bit address */
        tcg_gen_ext16u_tl(s->A0, a0);
        a0 = s->A0;
        if (ovr_seg < 0) {
            if (ADDSEG(s)) {
                ovr_seg = def_seg;
            } else {
                return;
            }
        }
        break;
    default:
        tcg_abort();
    }

    if (ovr_seg >= 0) {
        TCGv seg = cpu_seg_base[ovr_seg];

        if (aflag == MO_64) {
            tcg_gen_add_tl(s->A0, a0, seg);
        } else if (CODE64(s)) {
            tcg_gen_ext32u_tl(s->A0, a0);
            tcg_gen_add_tl(s->A0, s->A0, seg);
        } else {
            tcg_gen_add_tl(s->A0, a0, seg);
            tcg_gen_ext32u_tl(s->A0, s->A0);
        }
    }
}

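/*
 * Example: a 16-bit "mov (%bx),%ax" with no override reaches
 * gen_lea_v_seg() with aflag = MO_16 and def_seg = R_DS; when ADDSEG(s)
 * is true, A0 becomes (ds.base + (a0 & 0xffff)) & 0xffffffff.
 */
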
static inline void gen_string_movl_A0_ESI(DisasContext *s)
{
    gen_lea_v_seg(s, s->aflag, cpu_regs[R_ESI], R_DS, s->override);
}

static inline void gen_string_movl_A0_EDI(DisasContext *s)
{
    gen_lea_v_seg(s, s->aflag, cpu_regs[R_EDI], R_ES, -1);
}

static inline void gen_op_movl_T0_Dshift(DisasContext *s, MemOp ot)
{
    tcg_gen_ld32s_tl(s->T0, cpu_env, offsetof(CPUX86State, df));
    tcg_gen_shli_tl(s->T0, s->T0, ot);
}

static TCGv gen_ext_tl(TCGv dst, TCGv src, MemOp size, bool sign)
{
    switch (size) {
    case MO_8:
        if (sign) {
            tcg_gen_ext8s_tl(dst, src);
        } else {
            tcg_gen_ext8u_tl(dst, src);
        }
        return dst;
    case MO_16:
        if (sign) {
            tcg_gen_ext16s_tl(dst, src);
        } else {
            tcg_gen_ext16u_tl(dst, src);
        }
        return dst;
#ifdef TARGET_X86_64
    case MO_32:
        if (sign) {
            tcg_gen_ext32s_tl(dst, src);
        } else {
            tcg_gen_ext32u_tl(dst, src);
        }
        return dst;
#endif
    default:
        return src;
    }
}

static void gen_extu(MemOp ot, TCGv reg)
{
    gen_ext_tl(reg, reg, ot, false);
}

static void gen_exts(MemOp ot, TCGv reg)
{
    gen_ext_tl(reg, reg, ot, true);
}

static void gen_op_j_ecx(DisasContext *s, TCGCond cond, TCGLabel *label1)
{
    tcg_gen_mov_tl(s->tmp0, cpu_regs[R_ECX]);
    gen_extu(s->aflag, s->tmp0);
    tcg_gen_brcondi_tl(cond, s->tmp0, 0, label1);
}

static inline void gen_op_jz_ecx(DisasContext *s, TCGLabel *label1)
{
    gen_op_j_ecx(s, TCG_COND_EQ, label1);
}

static inline void gen_op_jnz_ecx(DisasContext *s, TCGLabel *label1)
{
    gen_op_j_ecx(s, TCG_COND_NE, label1);
}

static void gen_helper_in_func(MemOp ot, TCGv v, TCGv_i32 n)
{
    switch (ot) {
    case MO_8:
        gen_helper_inb(v, cpu_env, n);
        break;
    case MO_16:
        gen_helper_inw(v, cpu_env, n);
        break;
    case MO_32:
        gen_helper_inl(v, cpu_env, n);
        break;
    default:
        tcg_abort();
    }
}

static void gen_helper_out_func(MemOp ot, TCGv_i32 v, TCGv_i32 n)
{
    switch (ot) {
    case MO_8:
        gen_helper_outb(cpu_env, v, n);
        break;
    case MO_16:
        gen_helper_outw(cpu_env, v, n);
        break;
    case MO_32:
        gen_helper_outl(cpu_env, v, n);
        break;
    default:
        tcg_abort();
    }
}

/*
 * Validate that access to [port, port + 1<<ot) is allowed.
 * Raise #GP, or trigger a VMM exit, if not.
 */
static bool gen_check_io(DisasContext *s, MemOp ot, TCGv_i32 port,
                         uint32_t svm_flags)
{
#ifdef CONFIG_USER_ONLY
    /*
     * We do not implement the ioperm(2) syscall, so the TSS check
     * will always fail.
     */
    gen_exception_gpf(s);
    return false;
#else
    if (PE(s) && (CPL(s) > IOPL(s) || VM86(s))) {
        gen_helper_check_io(cpu_env, port, tcg_constant_i32(1 << ot));
    }
    if (GUEST(s)) {
        gen_update_cc_op(s);
        gen_update_eip_cur(s);
        if (s->prefix & (PREFIX_REPZ | PREFIX_REPNZ)) {
            svm_flags |= SVM_IOIO_REP_MASK;
        }
        svm_flags |= 1 << (SVM_IOIO_SIZE_SHIFT + ot);
        gen_helper_svm_check_io(cpu_env, port,
                                tcg_constant_i32(svm_flags),
                                cur_insn_len_i32(s));
    }
    return true;
#endif
}

static void gen_movs(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_ESI(s);
    gen_op_ld_v(s, ot, s->T0, s->A0);
    gen_string_movl_A0_EDI(s);
    gen_op_st_v(s, ot, s->T0, s->A0);
    gen_op_movl_T0_Dshift(s, ot);
    gen_op_add_reg_T0(s, s->aflag, R_ESI);
    gen_op_add_reg_T0(s, s->aflag, R_EDI);
}

static void gen_op_update1_cc(DisasContext *s)
{
    tcg_gen_mov_tl(cpu_cc_dst, s->T0);
}

static void gen_op_update2_cc(DisasContext *s)
{
    tcg_gen_mov_tl(cpu_cc_src, s->T1);
    tcg_gen_mov_tl(cpu_cc_dst, s->T0);
}

static void gen_op_update3_cc(DisasContext *s, TCGv reg)
{
    tcg_gen_mov_tl(cpu_cc_src2, reg);
    tcg_gen_mov_tl(cpu_cc_src, s->T1);
    tcg_gen_mov_tl(cpu_cc_dst, s->T0);
}

static inline void gen_op_testl_T0_T1_cc(DisasContext *s)
{
    tcg_gen_and_tl(cpu_cc_dst, s->T0, s->T1);
}

static void gen_op_update_neg_cc(DisasContext *s)
{
    tcg_gen_mov_tl(cpu_cc_dst, s->T0);
    tcg_gen_neg_tl(cpu_cc_src, s->T0);
    tcg_gen_movi_tl(s->cc_srcT, 0);
}

/* compute all eflags to cc_src */
static void gen_compute_eflags(DisasContext *s)
{
    TCGv zero, dst, src1, src2;
    int live, dead;

    if (s->cc_op == CC_OP_EFLAGS) {
        return;
    }
    if (s->cc_op == CC_OP_CLR) {
        tcg_gen_movi_tl(cpu_cc_src, CC_Z | CC_P);
        set_cc_op(s, CC_OP_EFLAGS);
        return;
    }

    zero = NULL;
    dst = cpu_cc_dst;
    src1 = cpu_cc_src;
    src2 = cpu_cc_src2;

    /* Take care to not read values that are not live.  */
    live = cc_op_live[s->cc_op] & ~USES_CC_SRCT;
    dead = live ^ (USES_CC_DST | USES_CC_SRC | USES_CC_SRC2);
    if (dead) {
        zero = tcg_const_tl(0);
        if (dead & USES_CC_DST) {
            dst = zero;
        }
        if (dead & USES_CC_SRC) {
            src1 = zero;
        }
        if (dead & USES_CC_SRC2) {
            src2 = zero;
        }
    }

    gen_update_cc_op(s);
    gen_helper_cc_compute_all(cpu_cc_src, dst, src1, src2, cpu_cc_op);
    set_cc_op(s, CC_OP_EFLAGS);
}

typedef struct CCPrepare {
    TCGCond cond;
    TCGv reg;
    TCGv reg2;
    target_ulong imm;
    target_ulong mask;
    bool use_reg2;
    bool no_setcond;
} CCPrepare;

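/*
 * Example: { .cond = TCG_COND_NE, .reg = cpu_cc_src, .mask = CC_C }
 * reads as "the condition holds iff (cc_src & CC_C) != 0"; consumers
 * such as gen_setcc1() apply the mask first, then the comparison
 * against reg2 or imm.
 */
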
/* compute eflags.C to reg */
static CCPrepare gen_prepare_eflags_c(DisasContext *s, TCGv reg)
{
    TCGv t0, t1;
    int size, shift;

    switch (s->cc_op) {
    case CC_OP_SUBB ... CC_OP_SUBQ:
        /* (DATA_TYPE)CC_SRCT < (DATA_TYPE)CC_SRC */
        size = s->cc_op - CC_OP_SUBB;
        t1 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
        /* If no temporary was used, be careful not to alias t1 and t0.  */
        t0 = t1 == cpu_cc_src ? s->tmp0 : reg;
        tcg_gen_mov_tl(t0, s->cc_srcT);
        gen_extu(size, t0);
        goto add_sub;

    case CC_OP_ADDB ... CC_OP_ADDQ:
        /* (DATA_TYPE)CC_DST < (DATA_TYPE)CC_SRC */
        size = s->cc_op - CC_OP_ADDB;
        t1 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
        t0 = gen_ext_tl(reg, cpu_cc_dst, size, false);
    add_sub:
        return (CCPrepare) { .cond = TCG_COND_LTU, .reg = t0,
                             .reg2 = t1, .mask = -1, .use_reg2 = true };

    case CC_OP_LOGICB ... CC_OP_LOGICQ:
    case CC_OP_CLR:
    case CC_OP_POPCNT:
        return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };

    case CC_OP_INCB ... CC_OP_INCQ:
    case CC_OP_DECB ... CC_OP_DECQ:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = -1, .no_setcond = true };

    case CC_OP_SHLB ... CC_OP_SHLQ:
        /* (CC_SRC >> (DATA_BITS - 1)) & 1 */
        size = s->cc_op - CC_OP_SHLB;
        shift = (8 << size) - 1;
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = (target_ulong)1 << shift };

    case CC_OP_MULB ... CC_OP_MULQ:
        return (CCPrepare) { .cond = TCG_COND_NE,
                             .reg = cpu_cc_src, .mask = -1 };

    case CC_OP_BMILGB ... CC_OP_BMILGQ:
        size = s->cc_op - CC_OP_BMILGB;
        t0 = gen_ext_tl(reg, cpu_cc_src, size, false);
        return (CCPrepare) { .cond = TCG_COND_EQ, .reg = t0, .mask = -1 };

    case CC_OP_ADCX:
    case CC_OP_ADCOX:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_dst,
                             .mask = -1, .no_setcond = true };

    case CC_OP_EFLAGS:
    case CC_OP_SARB ... CC_OP_SARQ:
        /* CC_SRC & 1 */
        return (CCPrepare) { .cond = TCG_COND_NE,
                             .reg = cpu_cc_src, .mask = CC_C };

    default:
       /* The need to compute only C from CC_OP_DYNAMIC is important
          in efficiently implementing e.g. INC at the start of a TB.  */
       gen_update_cc_op(s);
       gen_helper_cc_compute_c(reg, cpu_cc_dst, cpu_cc_src,
                               cpu_cc_src2, cpu_cc_op);
       return (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
                            .mask = -1, .no_setcond = true };
    }
}

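/*
 * Example: after a 32-bit SUB, the carry is recovered on demand as
 * (uint32_t)cc_srcT < (uint32_t)cc_src, i.e. "minuend < subtrahend",
 * without ever materializing the full EFLAGS word.
 */
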
/* compute eflags.P to reg */
static CCPrepare gen_prepare_eflags_p(DisasContext *s, TCGv reg)
{
    gen_compute_eflags(s);
    return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                         .mask = CC_P };
}

/* compute eflags.S to reg */
static CCPrepare gen_prepare_eflags_s(DisasContext *s, TCGv reg)
{
    switch (s->cc_op) {
    case CC_OP_DYNAMIC:
        gen_compute_eflags(s);
        /* FALLTHRU */
    case CC_OP_EFLAGS:
    case CC_OP_ADCX:
    case CC_OP_ADOX:
    case CC_OP_ADCOX:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = CC_S };
    case CC_OP_CLR:
    case CC_OP_POPCNT:
        return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };
    default:
        {
            MemOp size = (s->cc_op - CC_OP_ADDB) & 3;
            TCGv t0 = gen_ext_tl(reg, cpu_cc_dst, size, true);
            return (CCPrepare) { .cond = TCG_COND_LT, .reg = t0, .mask = -1 };
        }
    }
}

/* compute eflags.O to reg */
static CCPrepare gen_prepare_eflags_o(DisasContext *s, TCGv reg)
{
    switch (s->cc_op) {
    case CC_OP_ADOX:
    case CC_OP_ADCOX:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src2,
                             .mask = -1, .no_setcond = true };
    case CC_OP_CLR:
    case CC_OP_POPCNT:
        return (CCPrepare) { .cond = TCG_COND_NEVER, .mask = -1 };
    default:
        gen_compute_eflags(s);
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = CC_O };
    }
}

/* compute eflags.Z to reg */
static CCPrepare gen_prepare_eflags_z(DisasContext *s, TCGv reg)
{
    switch (s->cc_op) {
    case CC_OP_DYNAMIC:
        gen_compute_eflags(s);
        /* FALLTHRU */
    case CC_OP_EFLAGS:
    case CC_OP_ADCX:
    case CC_OP_ADOX:
    case CC_OP_ADCOX:
        return (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                             .mask = CC_Z };
    case CC_OP_CLR:
        return (CCPrepare) { .cond = TCG_COND_ALWAYS, .mask = -1 };
    case CC_OP_POPCNT:
        return (CCPrepare) { .cond = TCG_COND_EQ, .reg = cpu_cc_src,
                             .mask = -1 };
    default:
        {
            MemOp size = (s->cc_op - CC_OP_ADDB) & 3;
            TCGv t0 = gen_ext_tl(reg, cpu_cc_dst, size, false);
            return (CCPrepare) { .cond = TCG_COND_EQ, .reg = t0, .mask = -1 };
        }
    }
}

/* perform a conditional store into register 'reg' according to jump opcode
   value 'b'. In the fast case, T0 is guaranteed not to be used. */
static CCPrepare gen_prepare_cc(DisasContext *s, int b, TCGv reg)
{
    int inv, jcc_op, cond;
    MemOp size;
    CCPrepare cc;
    TCGv t0;

    inv = b & 1;
    jcc_op = (b >> 1) & 7;

    switch (s->cc_op) {
    case CC_OP_SUBB ... CC_OP_SUBQ:
        /* We optimize relational operators for the cmp/jcc case.  */
        size = s->cc_op - CC_OP_SUBB;
        switch (jcc_op) {
        case JCC_BE:
            tcg_gen_mov_tl(s->tmp4, s->cc_srcT);
            gen_extu(size, s->tmp4);
            t0 = gen_ext_tl(s->tmp0, cpu_cc_src, size, false);
            cc = (CCPrepare) { .cond = TCG_COND_LEU, .reg = s->tmp4,
                               .reg2 = t0, .mask = -1, .use_reg2 = true };
            break;

        case JCC_L:
            cond = TCG_COND_LT;
            goto fast_jcc_l;
        case JCC_LE:
            cond = TCG_COND_LE;
        fast_jcc_l:
            tcg_gen_mov_tl(s->tmp4, s->cc_srcT);
            gen_exts(size, s->tmp4);
            t0 = gen_ext_tl(s->tmp0, cpu_cc_src, size, true);
            cc = (CCPrepare) { .cond = cond, .reg = s->tmp4,
                               .reg2 = t0, .mask = -1, .use_reg2 = true };
            break;

        default:
            goto slow_jcc;
        }
        break;

    default:
    slow_jcc:
        /* This actually generates good code for JC, JZ and JS.  */
        switch (jcc_op) {
        case JCC_O:
            cc = gen_prepare_eflags_o(s, reg);
            break;
        case JCC_B:
            cc = gen_prepare_eflags_c(s, reg);
            break;
        case JCC_Z:
            cc = gen_prepare_eflags_z(s, reg);
            break;
        case JCC_BE:
            gen_compute_eflags(s);
            cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = cpu_cc_src,
                               .mask = CC_Z | CC_C };
            break;
        case JCC_S:
            cc = gen_prepare_eflags_s(s, reg);
            break;
        case JCC_P:
            cc = gen_prepare_eflags_p(s, reg);
            break;
        case JCC_L:
            gen_compute_eflags(s);
            if (reg == cpu_cc_src) {
                reg = s->tmp0;
            }
            tcg_gen_shri_tl(reg, cpu_cc_src, 4); /* CC_O -> CC_S */
            tcg_gen_xor_tl(reg, reg, cpu_cc_src);
            cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
                               .mask = CC_S };
            break;
        default:
        case JCC_LE:
            gen_compute_eflags(s);
            if (reg == cpu_cc_src) {
                reg = s->tmp0;
            }
            tcg_gen_shri_tl(reg, cpu_cc_src, 4); /* CC_O -> CC_S */
            tcg_gen_xor_tl(reg, reg, cpu_cc_src);
            cc = (CCPrepare) { .cond = TCG_COND_NE, .reg = reg,
                               .mask = CC_S | CC_Z };
            break;
        }
        break;
    }

    if (inv) {
        cc.cond = tcg_invert_cond(cc.cond);
    }
    return cc;
}

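/*
 * Example: for the Jcc opcodes the condition lives in the low nibble of
 * 'b', so b = 0x72 (JB) gives inv = 0 and jcc_op = JCC_B, while
 * b = 0x73 (JAE) selects the same CCPrepare with the condition inverted.
 */
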
static void gen_setcc1(DisasContext *s, int b, TCGv reg)
{
    CCPrepare cc = gen_prepare_cc(s, b, reg);

    if (cc.no_setcond) {
        if (cc.cond == TCG_COND_EQ) {
            tcg_gen_xori_tl(reg, cc.reg, 1);
        } else {
            tcg_gen_mov_tl(reg, cc.reg);
        }
        return;
    }

    if (cc.cond == TCG_COND_NE && !cc.use_reg2 && cc.imm == 0 &&
        cc.mask != 0 && (cc.mask & (cc.mask - 1)) == 0) {
        tcg_gen_shri_tl(reg, cc.reg, ctztl(cc.mask));
        tcg_gen_andi_tl(reg, reg, 1);
        return;
    }
    if (cc.mask != -1) {
        tcg_gen_andi_tl(reg, cc.reg, cc.mask);
        cc.reg = reg;
    }
    if (cc.use_reg2) {
        tcg_gen_setcond_tl(cc.cond, reg, cc.reg, cc.reg2);
    } else {
        tcg_gen_setcondi_tl(cc.cond, reg, cc.reg, cc.imm);
    }
}

static inline void gen_compute_eflags_c(DisasContext *s, TCGv reg)
{
    gen_setcc1(s, JCC_B << 1, reg);
}

/* generate a conditional jump to label 'l1' according to jump opcode
   value 'b'. In the fast case, T0 is guaranteed not to be used. */
static inline void gen_jcc1_noeob(DisasContext *s, int b, TCGLabel *l1)
{
    CCPrepare cc = gen_prepare_cc(s, b, s->T0);

    if (cc.mask != -1) {
        tcg_gen_andi_tl(s->T0, cc.reg, cc.mask);
        cc.reg = s->T0;
    }
    if (cc.use_reg2) {
        tcg_gen_brcond_tl(cc.cond, cc.reg, cc.reg2, l1);
    } else {
        tcg_gen_brcondi_tl(cc.cond, cc.reg, cc.imm, l1);
    }
}

/* Generate a conditional jump to label 'l1' according to jump opcode
   value 'b'. In the fast case, T0 is guaranteed not to be used.
   A translation block must end soon.  */
static inline void gen_jcc1(DisasContext *s, int b, TCGLabel *l1)
{
    CCPrepare cc = gen_prepare_cc(s, b, s->T0);

    gen_update_cc_op(s);
    if (cc.mask != -1) {
        tcg_gen_andi_tl(s->T0, cc.reg, cc.mask);
        cc.reg = s->T0;
    }
    set_cc_op(s, CC_OP_DYNAMIC);
    if (cc.use_reg2) {
        tcg_gen_brcond_tl(cc.cond, cc.reg, cc.reg2, l1);
    } else {
        tcg_gen_brcondi_tl(cc.cond, cc.reg, cc.imm, l1);
    }
}

/* XXX: does not work with gdbstub "ice" single step - not a
   serious problem */
static TCGLabel *gen_jz_ecx_string(DisasContext *s)
{
    TCGLabel *l1 = gen_new_label();
    TCGLabel *l2 = gen_new_label();
    gen_op_jnz_ecx(s, l1);
    gen_set_label(l2);
    gen_jmp_rel_csize(s, 0, 1);
    gen_set_label(l1);
    return l2;
}

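/*
 * Control flow of gen_jz_ecx_string(): when ECX is zero we fall into the
 * l2 stub, which jumps to the next instruction; otherwise we skip ahead
 * to the string operation.  gen_repz() reuses the returned l2 as the
 * loop exit after decrementing ECX.
 */
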
static void gen_stos(DisasContext *s, MemOp ot)
{
    gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
    gen_string_movl_A0_EDI(s);
    gen_op_st_v(s, ot, s->T0, s->A0);
    gen_op_movl_T0_Dshift(s, ot);
    gen_op_add_reg_T0(s, s->aflag, R_EDI);
}

static void gen_lods(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_ESI(s);
    gen_op_ld_v(s, ot, s->T0, s->A0);
    gen_op_mov_reg_v(s, ot, R_EAX, s->T0);
    gen_op_movl_T0_Dshift(s, ot);
    gen_op_add_reg_T0(s, s->aflag, R_ESI);
}

static void gen_scas(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_EDI(s);
    gen_op_ld_v(s, ot, s->T1, s->A0);
    gen_op(s, OP_CMPL, ot, R_EAX);
    gen_op_movl_T0_Dshift(s, ot);
    gen_op_add_reg_T0(s, s->aflag, R_EDI);
}

static void gen_cmps(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_EDI(s);
    gen_op_ld_v(s, ot, s->T1, s->A0);
    gen_string_movl_A0_ESI(s);
    gen_op(s, OP_CMPL, ot, OR_TMP0);
    gen_op_movl_T0_Dshift(s, ot);
    gen_op_add_reg_T0(s, s->aflag, R_ESI);
    gen_op_add_reg_T0(s, s->aflag, R_EDI);
}

static void gen_bpt_io(DisasContext *s, TCGv_i32 t_port, int ot)
{
    if (s->flags & HF_IOBPT_MASK) {
#ifdef CONFIG_USER_ONLY
        /* user-mode cpu should not be in IOBPT mode */
        g_assert_not_reached();
#else
        TCGv_i32 t_size = tcg_constant_i32(1 << ot);
        TCGv t_next = eip_next_tl(s);
        gen_helper_bpt_io(cpu_env, t_port, t_size, t_next);
#endif /* CONFIG_USER_ONLY */
    }
}

static void gen_ins(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_EDI(s);
    /* Note: we must do this dummy write first to be restartable in
       case of page fault. */
    tcg_gen_movi_tl(s->T0, 0);
    gen_op_st_v(s, ot, s->T0, s->A0);
    tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
    tcg_gen_andi_i32(s->tmp2_i32, s->tmp2_i32, 0xffff);
    gen_helper_in_func(ot, s->T0, s->tmp2_i32);
    gen_op_st_v(s, ot, s->T0, s->A0);
    gen_op_movl_T0_Dshift(s, ot);
    gen_op_add_reg_T0(s, s->aflag, R_EDI);
    gen_bpt_io(s, s->tmp2_i32, ot);
}

static void gen_outs(DisasContext *s, MemOp ot)
{
    gen_string_movl_A0_ESI(s);
    gen_op_ld_v(s, ot, s->T0, s->A0);

    tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
    tcg_gen_andi_i32(s->tmp2_i32, s->tmp2_i32, 0xffff);
    tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T0);
    gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
    gen_op_movl_T0_Dshift(s, ot);
    gen_op_add_reg_T0(s, s->aflag, R_ESI);
    gen_bpt_io(s, s->tmp2_i32, ot);
}

/* Generate jumps to current or next instruction */
static void gen_repz(DisasContext *s, MemOp ot,
                     void (*fn)(DisasContext *s, MemOp ot))
{
    TCGLabel *l2;
    gen_update_cc_op(s);
    l2 = gen_jz_ecx_string(s);
    fn(s, ot);
    gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
    /*
     * A loop would cause two single step exceptions if ECX = 1
     * before rep string_insn
     */
    if (s->repz_opt) {
        gen_op_jz_ecx(s, l2);
    }
    gen_jmp_rel_csize(s, -cur_insn_len(s), 0);
}

#define GEN_REPZ(op) \
    static inline void gen_repz_ ## op(DisasContext *s, MemOp ot) \
    { gen_repz(s, ot, gen_##op); }

static void gen_repz2(DisasContext *s, MemOp ot, int nz,
                      void (*fn)(DisasContext *s, MemOp ot))
{
    TCGLabel *l2;
    gen_update_cc_op(s);
    l2 = gen_jz_ecx_string(s);
    fn(s, ot);
    gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
    gen_update_cc_op(s);
    gen_jcc1(s, (JCC_Z << 1) | (nz ^ 1), l2);
    if (s->repz_opt) {
        gen_op_jz_ecx(s, l2);
    }
    gen_jmp_rel_csize(s, -cur_insn_len(s), 0);
}

#define GEN_REPZ2(op) \
    static inline void gen_repz_ ## op(DisasContext *s, MemOp ot, int nz) \
    { gen_repz2(s, ot, nz, gen_##op); }

GEN_REPZ(movs)
GEN_REPZ(stos)
GEN_REPZ(lods)
GEN_REPZ(ins)
GEN_REPZ(outs)
GEN_REPZ2(scas)
GEN_REPZ2(cmps)

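/*
 * Example: "rep movsb" is emitted as: exit if ECX == 0; one MOVS body;
 * ECX -= 1; optionally re-test ECX; then a jump back to the start of
 * the same instruction, so every iteration is a separate pass through
 * the translated code and stays interruptible.
 */
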
static void gen_helper_fp_arith_ST0_FT0(int op)
{
    switch (op) {
    case 0:
        gen_helper_fadd_ST0_FT0(cpu_env);
        break;
    case 1:
        gen_helper_fmul_ST0_FT0(cpu_env);
        break;
    case 2:
        gen_helper_fcom_ST0_FT0(cpu_env);
        break;
    case 3:
        gen_helper_fcom_ST0_FT0(cpu_env);
        break;
    case 4:
        gen_helper_fsub_ST0_FT0(cpu_env);
        break;
    case 5:
        gen_helper_fsubr_ST0_FT0(cpu_env);
        break;
    case 6:
        gen_helper_fdiv_ST0_FT0(cpu_env);
        break;
    case 7:
        gen_helper_fdivr_ST0_FT0(cpu_env);
        break;
    }
}

/* NOTE the exception in "r" op ordering */
static void gen_helper_fp_arith_STN_ST0(int op, int opreg)
{
    TCGv_i32 tmp = tcg_const_i32(opreg);
    switch (op) {
    case 0:
        gen_helper_fadd_STN_ST0(cpu_env, tmp);
        break;
    case 1:
        gen_helper_fmul_STN_ST0(cpu_env, tmp);
        break;
    case 4:
        gen_helper_fsubr_STN_ST0(cpu_env, tmp);
        break;
    case 5:
        gen_helper_fsub_STN_ST0(cpu_env, tmp);
        break;
    case 6:
        gen_helper_fdivr_STN_ST0(cpu_env, tmp);
        break;
    case 7:
        gen_helper_fdiv_STN_ST0(cpu_env, tmp);
        break;
    }
}

static void gen_exception(DisasContext *s, int trapno)
{
    gen_update_cc_op(s);
    gen_update_eip_cur(s);
    gen_helper_raise_exception(cpu_env, tcg_const_i32(trapno));
    s->base.is_jmp = DISAS_NORETURN;
}

/* Generate #UD for the current instruction.  The assumption here is that
   the instruction is known, but it isn't allowed in the current cpu mode.  */
static void gen_illegal_opcode(DisasContext *s)
{
    gen_exception(s, EXCP06_ILLOP);
}

/* Generate #GP for the current instruction. */
static void gen_exception_gpf(DisasContext *s)
{
    gen_exception(s, EXCP0D_GPF);
}

/* Check for cpl == 0; if not, raise #GP and return false. */
static bool check_cpl0(DisasContext *s)
{
    if (CPL(s) == 0) {
        return true;
    }
    gen_exception_gpf(s);
    return false;
}

/* If vm86, check for iopl == 3; if not, raise #GP and return false. */
static bool check_vm86_iopl(DisasContext *s)
{
    if (!VM86(s) || IOPL(s) == 3) {
        return true;
    }
    gen_exception_gpf(s);
    return false;
}

/* Check for iopl allowing access; if not, raise #GP and return false. */
static bool check_iopl(DisasContext *s)
{
    if (VM86(s) ? IOPL(s) == 3 : CPL(s) <= IOPL(s)) {
        return true;
    }
    gen_exception_gpf(s);
    return false;
}

/* if d == OR_TMP0, it means memory operand (address in A0) */
static void gen_op(DisasContext *s1, int op, MemOp ot, int d)
{
    if (d != OR_TMP0) {
        if (s1->prefix & PREFIX_LOCK) {
            /* Lock prefix when destination is not memory.  */
            gen_illegal_opcode(s1);
            return;
        }
        gen_op_mov_v_reg(s1, ot, s1->T0, d);
    } else if (!(s1->prefix & PREFIX_LOCK)) {
        gen_op_ld_v(s1, ot, s1->T0, s1->A0);
    }
    switch (op) {
    case OP_ADCL:
        gen_compute_eflags_c(s1, s1->tmp4);
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_add_tl(s1->T0, s1->tmp4, s1->T1);
            tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_add_tl(s1->T0, s1->T0, s1->T1);
            tcg_gen_add_tl(s1->T0, s1->T0, s1->tmp4);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update3_cc(s1, s1->tmp4);
        set_cc_op(s1, CC_OP_ADCB + ot);
        break;
    case OP_SBBL:
        gen_compute_eflags_c(s1, s1->tmp4);
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_add_tl(s1->T0, s1->T1, s1->tmp4);
            tcg_gen_neg_tl(s1->T0, s1->T0);
            tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1);
            tcg_gen_sub_tl(s1->T0, s1->T0, s1->tmp4);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update3_cc(s1, s1->tmp4);
        set_cc_op(s1, CC_OP_SBBB + ot);
        break;
    case OP_ADDL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T1,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_add_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update2_cc(s1);
        set_cc_op(s1, CC_OP_ADDB + ot);
        break;
    case OP_SUBL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_neg_tl(s1->T0, s1->T1);
            tcg_gen_atomic_fetch_add_tl(s1->cc_srcT, s1->A0, s1->T0,
                                        s1->mem_index, ot | MO_LE);
            tcg_gen_sub_tl(s1->T0, s1->cc_srcT, s1->T1);
        } else {
            tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
            tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update2_cc(s1);
        set_cc_op(s1, CC_OP_SUBB + ot);
        break;
    default:
    case OP_ANDL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_atomic_and_fetch_tl(s1->T0, s1->A0, s1->T1,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_and_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update1_cc(s1);
        set_cc_op(s1, CC_OP_LOGICB + ot);
        break;
    case OP_ORL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_atomic_or_fetch_tl(s1->T0, s1->A0, s1->T1,
                                       s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_or_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update1_cc(s1);
        set_cc_op(s1, CC_OP_LOGICB + ot);
        break;
    case OP_XORL:
        if (s1->prefix & PREFIX_LOCK) {
            tcg_gen_atomic_xor_fetch_tl(s1->T0, s1->A0, s1->T1,
                                        s1->mem_index, ot | MO_LE);
        } else {
            tcg_gen_xor_tl(s1->T0, s1->T0, s1->T1);
            gen_op_st_rm_T0_A0(s1, ot, d);
        }
        gen_op_update1_cc(s1);
        set_cc_op(s1, CC_OP_LOGICB + ot);
        break;
    case OP_CMPL:
        tcg_gen_mov_tl(cpu_cc_src, s1->T1);
        tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
        tcg_gen_sub_tl(cpu_cc_dst, s1->T0, s1->T1);
        set_cc_op(s1, CC_OP_SUBB + ot);
        break;
    }
}

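/*
 * Example: "lock add %eax,(%rdi)" takes the PREFIX_LOCK path in gen_op()
 * and becomes a single tcg_gen_atomic_add_fetch_tl() operation, whereas
 * the unlocked form is a plain load, add and store sequence.
 */
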
/* if d == OR_TMP0, it means memory operand (address in A0) */
static void gen_inc(DisasContext *s1, MemOp ot, int d, int c)
{
    if (s1->prefix & PREFIX_LOCK) {
        if (d != OR_TMP0) {
            /* Lock prefix when destination is not memory */
            gen_illegal_opcode(s1);
            return;
        }
        tcg_gen_movi_tl(s1->T0, c > 0 ? 1 : -1);
        tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
                                    s1->mem_index, ot | MO_LE);
    } else {
        if (d != OR_TMP0) {
            gen_op_mov_v_reg(s1, ot, s1->T0, d);
        } else {
            gen_op_ld_v(s1, ot, s1->T0, s1->A0);
        }
        tcg_gen_addi_tl(s1->T0, s1->T0, (c > 0 ? 1 : -1));
        gen_op_st_rm_T0_A0(s1, ot, d);
    }

    gen_compute_eflags_c(s1, cpu_cc_src);
    tcg_gen_mov_tl(cpu_cc_dst, s1->T0);
    set_cc_op(s1, (c > 0 ? CC_OP_INCB : CC_OP_DECB) + ot);
}

static void gen_shift_flags(DisasContext *s, MemOp ot, TCGv result,
                            TCGv shm1, TCGv count, bool is_right)
{
    TCGv_i32 z32, s32, oldop;
    TCGv z_tl;

    /* Store the results into the CC variables.  If we know that the
       variable must be dead, store unconditionally.  Otherwise we'll
       need to not disrupt the current contents.  */
    z_tl = tcg_const_tl(0);
    if (cc_op_live[s->cc_op] & USES_CC_DST) {
        tcg_gen_movcond_tl(TCG_COND_NE, cpu_cc_dst, count, z_tl,
                           result, cpu_cc_dst);
    } else {
        tcg_gen_mov_tl(cpu_cc_dst, result);
    }
    if (cc_op_live[s->cc_op] & USES_CC_SRC) {
        tcg_gen_movcond_tl(TCG_COND_NE, cpu_cc_src, count, z_tl,
                           shm1, cpu_cc_src);
    } else {
        tcg_gen_mov_tl(cpu_cc_src, shm1);
    }

    /* Get the two potential CC_OP values into temporaries.  */
    tcg_gen_movi_i32(s->tmp2_i32, (is_right ? CC_OP_SARB : CC_OP_SHLB) + ot);
    if (s->cc_op == CC_OP_DYNAMIC) {
        oldop = cpu_cc_op;
    } else {
        tcg_gen_movi_i32(s->tmp3_i32, s->cc_op);
        oldop = s->tmp3_i32;
    }

    /* Conditionally store the CC_OP value.  */
    z32 = tcg_const_i32(0);
    s32 = tcg_temp_new_i32();
    tcg_gen_trunc_tl_i32(s32, count);
    tcg_gen_movcond_i32(TCG_COND_NE, cpu_cc_op, s32, z32, s->tmp2_i32, oldop);

    /* The CC_OP value is no longer predictable.  */
    set_cc_op(s, CC_OP_DYNAMIC);
}

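/*
 * Example: a variable shift with %cl == 0 must leave all flags intact;
 * the movcond sequence above keeps the old cc_dst/cc_src/cc_op in that
 * case, which is why CC_OP must become DYNAMIC afterwards.
 */
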
1669 static void gen_shift_rm_T1(DisasContext *s, MemOp ot, int op1,
1670                             int is_right, int is_arith)
1671 {
1672     target_ulong mask = (ot == MO_64 ? 0x3f : 0x1f);
1673 
1674     /* load */
1675     if (op1 == OR_TMP0) {
1676         gen_op_ld_v(s, ot, s->T0, s->A0);
1677     } else {
1678         gen_op_mov_v_reg(s, ot, s->T0, op1);
1679     }
1680 
1681     tcg_gen_andi_tl(s->T1, s->T1, mask);
1682     tcg_gen_subi_tl(s->tmp0, s->T1, 1);
1683 
1684     if (is_right) {
1685         if (is_arith) {
1686             gen_exts(ot, s->T0);
1687             tcg_gen_sar_tl(s->tmp0, s->T0, s->tmp0);
1688             tcg_gen_sar_tl(s->T0, s->T0, s->T1);
1689         } else {
1690             gen_extu(ot, s->T0);
1691             tcg_gen_shr_tl(s->tmp0, s->T0, s->tmp0);
1692             tcg_gen_shr_tl(s->T0, s->T0, s->T1);
1693         }
1694     } else {
1695         tcg_gen_shl_tl(s->tmp0, s->T0, s->tmp0);
1696         tcg_gen_shl_tl(s->T0, s->T0, s->T1);
1697     }
1698 
1699     /* store */
1700     gen_op_st_rm_T0_A0(s, ot, op1);
1701 
1702     gen_shift_flags(s, ot, s->T0, s->tmp0, s->T1, is_right);
1703 }
1704 
1705 static void gen_shift_rm_im(DisasContext *s, MemOp ot, int op1, int op2,
1706                             int is_right, int is_arith)
1707 {
1708     int mask = (ot == MO_64 ? 0x3f : 0x1f);
1709 
1710     /* load */
1711     if (op1 == OR_TMP0)
1712         gen_op_ld_v(s, ot, s->T0, s->A0);
1713     else
1714         gen_op_mov_v_reg(s, ot, s->T0, op1);
1715 
1716     op2 &= mask;
1717     if (op2 != 0) {
1718         if (is_right) {
1719             if (is_arith) {
1720                 gen_exts(ot, s->T0);
1721                 tcg_gen_sari_tl(s->tmp4, s->T0, op2 - 1);
1722                 tcg_gen_sari_tl(s->T0, s->T0, op2);
1723             } else {
1724                 gen_extu(ot, s->T0);
1725                 tcg_gen_shri_tl(s->tmp4, s->T0, op2 - 1);
1726                 tcg_gen_shri_tl(s->T0, s->T0, op2);
1727             }
1728         } else {
1729             tcg_gen_shli_tl(s->tmp4, s->T0, op2 - 1);
1730             tcg_gen_shli_tl(s->T0, s->T0, op2);
1731         }
1732     }
1733 
1734     /* store */
1735     gen_op_st_rm_T0_A0(s, ot, op1);
1736 
1737     /* Update eflags only if the shift count is non-zero. */
1738     if (op2 != 0) {
1739         tcg_gen_mov_tl(cpu_cc_src, s->tmp4);
1740         tcg_gen_mov_tl(cpu_cc_dst, s->T0);
1741         set_cc_op(s, (is_right ? CC_OP_SARB : CC_OP_SHLB) + ot);
1742     }
1743 }
1744 
1745 static void gen_rot_rm_T1(DisasContext *s, MemOp ot, int op1, int is_right)
1746 {
1747     target_ulong mask = (ot == MO_64 ? 0x3f : 0x1f);
1748     TCGv_i32 t0, t1;
1749 
1750     /* load */
1751     if (op1 == OR_TMP0) {
1752         gen_op_ld_v(s, ot, s->T0, s->A0);
1753     } else {
1754         gen_op_mov_v_reg(s, ot, s->T0, op1);
1755     }
1756 
1757     tcg_gen_andi_tl(s->T1, s->T1, mask);
1758 
1759     switch (ot) {
1760     case MO_8:
1761         /* Replicate the 8-bit input so that a 32-bit rotate works.  */
1762         tcg_gen_ext8u_tl(s->T0, s->T0);
1763         tcg_gen_muli_tl(s->T0, s->T0, 0x01010101);
1764         goto do_long;
1765     case MO_16:
1766         /* Replicate the 16-bit input so that a 32-bit rotate works.  */
1767         tcg_gen_deposit_tl(s->T0, s->T0, s->T0, 16, 16);
1768         goto do_long;
1769     do_long:
1770 #ifdef TARGET_X86_64
1771     case MO_32:
1772         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
1773         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
1774         if (is_right) {
1775             tcg_gen_rotr_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
1776         } else {
1777             tcg_gen_rotl_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
1778         }
1779         tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
1780         break;
1781 #endif
1782     default:
1783         if (is_right) {
1784             tcg_gen_rotr_tl(s->T0, s->T0, s->T1);
1785         } else {
1786             tcg_gen_rotl_tl(s->T0, s->T0, s->T1);
1787         }
1788         break;
1789     }
1790 
1791     /* store */
1792     gen_op_st_rm_T0_A0(s, ot, op1);
1793 
1794     /* We'll need the flags computed into CC_SRC.  */
1795     gen_compute_eflags(s);
1796 
1797     /* The value that was "rotated out" is now present at the other end
1798        of the word.  Compute C into CC_DST and O into CC_SRC2.  Note that
1799        since we've computed the flags into CC_SRC, these variables are
1800        currently dead.  */
1801     if (is_right) {
1802         tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask - 1);
1803         tcg_gen_shri_tl(cpu_cc_dst, s->T0, mask);
1804         tcg_gen_andi_tl(cpu_cc_dst, cpu_cc_dst, 1);
1805     } else {
1806         tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask);
1807         tcg_gen_andi_tl(cpu_cc_dst, s->T0, 1);
1808     }
1809     tcg_gen_andi_tl(cpu_cc_src2, cpu_cc_src2, 1);
1810     tcg_gen_xor_tl(cpu_cc_src2, cpu_cc_src2, cpu_cc_dst);
1811 
1812     /* Now conditionally store the new CC_OP value.  If the shift count
1813        is 0 we keep the CC_OP_EFLAGS setting so that only CC_SRC is live.
1814        Otherwise reuse CC_OP_ADCOX, which has the C and O flags split out
1815        exactly as we computed above.  */
1816     t0 = tcg_const_i32(0);
1817     t1 = tcg_temp_new_i32();
1818     tcg_gen_trunc_tl_i32(t1, s->T1);
1819     tcg_gen_movi_i32(s->tmp2_i32, CC_OP_ADCOX);
1820     tcg_gen_movi_i32(s->tmp3_i32, CC_OP_EFLAGS);
1821     tcg_gen_movcond_i32(TCG_COND_NE, cpu_cc_op, t1, t0,
1822                         s->tmp2_i32, s->tmp3_i32);
1823 
1824     /* The CC_OP value is no longer predictable.  */
1825     set_cc_op(s, CC_OP_DYNAMIC);
1826 }
1827 
1828 static void gen_rot_rm_im(DisasContext *s, MemOp ot, int op1, int op2,
1829                           int is_right)
1830 {
1831     int mask = (ot == MO_64 ? 0x3f : 0x1f);
1832     int shift;
1833 
1834     /* load */
1835     if (op1 == OR_TMP0) {
1836         gen_op_ld_v(s, ot, s->T0, s->A0);
1837     } else {
1838         gen_op_mov_v_reg(s, ot, s->T0, op1);
1839     }
1840 
1841     op2 &= mask;
1842     if (op2 != 0) {
1843         switch (ot) {
1844 #ifdef TARGET_X86_64
1845         case MO_32:
1846             tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
1847             if (is_right) {
1848                 tcg_gen_rotri_i32(s->tmp2_i32, s->tmp2_i32, op2);
1849             } else {
1850                 tcg_gen_rotli_i32(s->tmp2_i32, s->tmp2_i32, op2);
1851             }
1852             tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
1853             break;
1854 #endif
1855         default:
1856             if (is_right) {
1857                 tcg_gen_rotri_tl(s->T0, s->T0, op2);
1858             } else {
1859                 tcg_gen_rotli_tl(s->T0, s->T0, op2);
1860             }
1861             break;
1862         case MO_8:
1863             mask = 7;
1864             goto do_shifts;
1865         case MO_16:
1866             mask = 15;
1867         do_shifts:
1868             shift = op2 & mask;
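             /* Canonicalize to a left rotate: a right rotate by N is a
                left rotate by (width - N). */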
1869             if (is_right) {
1870                 shift = mask + 1 - shift;
1871             }
1872             gen_extu(ot, s->T0);
1873             tcg_gen_shli_tl(s->tmp0, s->T0, shift);
1874             tcg_gen_shri_tl(s->T0, s->T0, mask + 1 - shift);
1875             tcg_gen_or_tl(s->T0, s->T0, s->tmp0);
1876             break;
1877         }
1878     }
1879 
1880     /* store */
1881     gen_op_st_rm_T0_A0(s, ot, op1);
1882 
1883     if (op2 != 0) {
1884         /* Compute the flags into CC_SRC.  */
1885         gen_compute_eflags(s);
1886 
1887         /* The value that was "rotated out" is now present at the other end
1888            of the word.  Compute C into CC_DST and O into CC_SRC2.  Note that
1889            since we've computed the flags into CC_SRC, these variables are
1890            currently dead.  */
1891         if (is_right) {
1892             tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask - 1);
1893             tcg_gen_shri_tl(cpu_cc_dst, s->T0, mask);
1894             tcg_gen_andi_tl(cpu_cc_dst, cpu_cc_dst, 1);
1895         } else {
1896             tcg_gen_shri_tl(cpu_cc_src2, s->T0, mask);
1897             tcg_gen_andi_tl(cpu_cc_dst, s->T0, 1);
1898         }
1899         tcg_gen_andi_tl(cpu_cc_src2, cpu_cc_src2, 1);
1900         tcg_gen_xor_tl(cpu_cc_src2, cpu_cc_src2, cpu_cc_dst);
1901         set_cc_op(s, CC_OP_ADCOX);
1902     }
1903 }
1904 
1905 /* XXX: add faster immediate = 1 case */
1906 static void gen_rotc_rm_T1(DisasContext *s, MemOp ot, int op1,
1907                            int is_right)
1908 {
1909     gen_compute_eflags(s);
1910     assert(s->cc_op == CC_OP_EFLAGS);
1911 
1912     /* load */
1913     if (op1 == OR_TMP0) {
1914         gen_op_ld_v(s, ot, s->T0, s->A0);
1915     } else {
1916         gen_op_mov_v_reg(s, ot, s->T0, op1);
         }
1917 
1918     if (is_right) {
1919         switch (ot) {
1920         case MO_8:
1921             gen_helper_rcrb(s->T0, cpu_env, s->T0, s->T1);
1922             break;
1923         case MO_16:
1924             gen_helper_rcrw(s->T0, cpu_env, s->T0, s->T1);
1925             break;
1926         case MO_32:
1927             gen_helper_rcrl(s->T0, cpu_env, s->T0, s->T1);
1928             break;
1929 #ifdef TARGET_X86_64
1930         case MO_64:
1931             gen_helper_rcrq(s->T0, cpu_env, s->T0, s->T1);
1932             break;
1933 #endif
1934         default:
1935             tcg_abort();
1936         }
1937     } else {
1938         switch (ot) {
1939         case MO_8:
1940             gen_helper_rclb(s->T0, cpu_env, s->T0, s->T1);
1941             break;
1942         case MO_16:
1943             gen_helper_rclw(s->T0, cpu_env, s->T0, s->T1);
1944             break;
1945         case MO_32:
1946             gen_helper_rcll(s->T0, cpu_env, s->T0, s->T1);
1947             break;
1948 #ifdef TARGET_X86_64
1949         case MO_64:
1950             gen_helper_rclq(s->T0, cpu_env, s->T0, s->T1);
1951             break;
1952 #endif
1953         default:
1954             tcg_abort();
1955         }
1956     }
1957     /* store */
1958     gen_op_st_rm_T0_A0(s, ot, op1);
1959 }
1960 
1961 /* XXX: add faster immediate case */
1962 static void gen_shiftd_rm_T1(DisasContext *s, MemOp ot, int op1,
1963                              bool is_right, TCGv count_in)
1964 {
1965     target_ulong mask = (ot == MO_64 ? 63 : 31);
1966     TCGv count;
1967 
1968     /* load */
1969     if (op1 == OR_TMP0) {
1970         gen_op_ld_v(s, ot, s->T0, s->A0);
1971     } else {
1972         gen_op_mov_v_reg(s, ot, s->T0, op1);
1973     }
1974 
1975     count = tcg_temp_new();
1976     tcg_gen_andi_tl(count, count_in, mask);
1977 
1978     switch (ot) {
1979     case MO_16:
1980         /* Note: we implement the Intel behaviour for shift count > 16.
1981            This means "shrdw C, B, A" shifts A:B:A >> C.  Build the B:A
1982            portion by constructing it as a 32-bit value.  */
1983         if (is_right) {
1984             tcg_gen_deposit_tl(s->tmp0, s->T0, s->T1, 16, 16);
1985             tcg_gen_mov_tl(s->T1, s->T0);
1986             tcg_gen_mov_tl(s->T0, s->tmp0);
1987         } else {
1988             tcg_gen_deposit_tl(s->T1, s->T0, s->T1, 16, 16);
1989         }
1990         /*
1991          * If TARGET_X86_64 is defined, fall through into the MO_32 case;
1992          * otherwise fall through to the default case.
1993          */
1994     case MO_32:
1995 #ifdef TARGET_X86_64
1996         /* Concatenate the two 32-bit values and use a 64-bit shift.  */
1997         tcg_gen_subi_tl(s->tmp0, count, 1);
1998         if (is_right) {
1999             tcg_gen_concat_tl_i64(s->T0, s->T0, s->T1);
2000             tcg_gen_shr_i64(s->tmp0, s->T0, s->tmp0);
2001             tcg_gen_shr_i64(s->T0, s->T0, count);
2002         } else {
2003             tcg_gen_concat_tl_i64(s->T0, s->T1, s->T0);
2004             tcg_gen_shl_i64(s->tmp0, s->T0, s->tmp0);
2005             tcg_gen_shl_i64(s->T0, s->T0, count);
2006             tcg_gen_shri_i64(s->tmp0, s->tmp0, 32);
2007             tcg_gen_shri_i64(s->T0, s->T0, 32);
2008         }
2009         break;
2010 #endif
2011     default:
2012         tcg_gen_subi_tl(s->tmp0, count, 1);
2013         if (is_right) {
2014             tcg_gen_shr_tl(s->tmp0, s->T0, s->tmp0);
2015 
2016             tcg_gen_subfi_tl(s->tmp4, mask + 1, count);
2017             tcg_gen_shr_tl(s->T0, s->T0, count);
2018             tcg_gen_shl_tl(s->T1, s->T1, s->tmp4);
2019         } else {
2020             tcg_gen_shl_tl(s->tmp0, s->T0, s->tmp0);
2021             if (ot == MO_16) {
2022                 /* Only needed if count > 16, for Intel behaviour.  */
2023                 tcg_gen_subfi_tl(s->tmp4, 33, count);
2024                 tcg_gen_shr_tl(s->tmp4, s->T1, s->tmp4);
2025                 tcg_gen_or_tl(s->tmp0, s->tmp0, s->tmp4);
2026             }
2027 
2028             tcg_gen_subfi_tl(s->tmp4, mask + 1, count);
2029             tcg_gen_shl_tl(s->T0, s->T0, count);
2030             tcg_gen_shr_tl(s->T1, s->T1, s->tmp4);
2031         }
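         /* Shifting by (width - count) above is undefined when count == 0;
            force T1 to zero in that case so the OR below is a no-op. */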
2032         tcg_gen_movi_tl(s->tmp4, 0);
2033         tcg_gen_movcond_tl(TCG_COND_EQ, s->T1, count, s->tmp4,
2034                            s->tmp4, s->T1);
2035         tcg_gen_or_tl(s->T0, s->T0, s->T1);
2036         break;
2037     }
2038 
2039     /* store */
2040     gen_op_st_rm_T0_A0(s, ot, op1);
2041 
2042     gen_shift_flags(s, ot, s->T0, s->tmp0, count, is_right);
2043 }
2044 
2045 static void gen_shift(DisasContext *s1, int op, MemOp ot, int d, int s)
2046 {
2047     if (s != OR_TMP1) {
2048         gen_op_mov_v_reg(s1, ot, s1->T1, s);
     }
2049     switch(op) {
2050     case OP_ROL:
2051         gen_rot_rm_T1(s1, ot, d, 0);
2052         break;
2053     case OP_ROR:
2054         gen_rot_rm_T1(s1, ot, d, 1);
2055         break;
2056     case OP_SHL:
2057     case OP_SHL1:
2058         gen_shift_rm_T1(s1, ot, d, 0, 0);
2059         break;
2060     case OP_SHR:
2061         gen_shift_rm_T1(s1, ot, d, 1, 0);
2062         break;
2063     case OP_SAR:
2064         gen_shift_rm_T1(s1, ot, d, 1, 1);
2065         break;
2066     case OP_RCL:
2067         gen_rotc_rm_T1(s1, ot, d, 0);
2068         break;
2069     case OP_RCR:
2070         gen_rotc_rm_T1(s1, ot, d, 1);
2071         break;
2072     }
2073 }
2074 
2075 static void gen_shifti(DisasContext *s1, int op, MemOp ot, int d, int c)
2076 {
2077     switch(op) {
2078     case OP_ROL:
2079         gen_rot_rm_im(s1, ot, d, c, 0);
2080         break;
2081     case OP_ROR:
2082         gen_rot_rm_im(s1, ot, d, c, 1);
2083         break;
2084     case OP_SHL:
2085     case OP_SHL1:
2086         gen_shift_rm_im(s1, ot, d, c, 0, 0);
2087         break;
2088     case OP_SHR:
2089         gen_shift_rm_im(s1, ot, d, c, 1, 0);
2090         break;
2091     case OP_SAR:
2092         gen_shift_rm_im(s1, ot, d, c, 1, 1);
2093         break;
2094     default:
2095         /* currently not optimized */
2096         tcg_gen_movi_tl(s1->T1, c);
2097         gen_shift(s1, op, ot, d, OR_TMP1);
2098         break;
2099     }
2100 }
2101 
2102 #define X86_MAX_INSN_LENGTH 15
2103 
2104 static uint64_t advance_pc(CPUX86State *env, DisasContext *s, int num_bytes)
2105 {
2106     uint64_t pc = s->pc;
2107 
2108     /* This is a subsequent insn that crosses a page boundary.  */
2109     if (s->base.num_insns > 1 &&
2110         !is_same_page(&s->base, s->pc + num_bytes - 1)) {
2111         siglongjmp(s->jmpbuf, 2);
2112     }
2113 
2114     s->pc += num_bytes;
2115     if (unlikely(cur_insn_len(s) > X86_MAX_INSN_LENGTH)) {
2116         /* If the instruction's 16th byte is on a different page than the 1st, a
2117          * page fault on the second page wins over the general protection fault
2118          * caused by the instruction being too long.
2119          * This can happen even if the operand is only one byte long!
2120          */
2121         if (((s->pc - 1) ^ (pc - 1)) & TARGET_PAGE_MASK) {
2122             volatile uint8_t unused =
2123                 cpu_ldub_code(env, (s->pc - 1) & TARGET_PAGE_MASK);
2124             (void) unused;
2125         }
2126         siglongjmp(s->jmpbuf, 1);
2127     }
2128 
2129     return pc;
2130 }
2131 
2132 static inline uint8_t x86_ldub_code(CPUX86State *env, DisasContext *s)
2133 {
2134     return translator_ldub(env, &s->base, advance_pc(env, s, 1));
2135 }
2136 
2137 static inline int16_t x86_ldsw_code(CPUX86State *env, DisasContext *s)
2138 {
2139     return translator_lduw(env, &s->base, advance_pc(env, s, 2));
2140 }
2141 
2142 static inline uint16_t x86_lduw_code(CPUX86State *env, DisasContext *s)
2143 {
2144     return translator_lduw(env, &s->base, advance_pc(env, s, 2));
2145 }
2146 
2147 static inline uint32_t x86_ldl_code(CPUX86State *env, DisasContext *s)
2148 {
2149     return translator_ldl(env, &s->base, advance_pc(env, s, 4));
2150 }
2151 
2152 #ifdef TARGET_X86_64
2153 static inline uint64_t x86_ldq_code(CPUX86State *env, DisasContext *s)
2154 {
2155     return translator_ldq(env, &s->base, advance_pc(env, s, 8));
2156 }
2157 #endif
2158 
2159 /* Decompose an address.  */
2160 
2161 typedef struct AddressParts {
2162     int def_seg;      /* default segment; may be overridden by a prefix */
2163     int base;         /* base register, -1 if none, -2 if rip-relative */
2164     int index;        /* index register, or -1 if none */
2165     int scale;        /* log2 of the scale applied to the index */
2166     target_long disp; /* constant displacement */
2167 } AddressParts;
2168 
2169 static AddressParts gen_lea_modrm_0(CPUX86State *env, DisasContext *s,
2170                                     int modrm)
2171 {
2172     int def_seg, base, index, scale, mod, rm;
2173     target_long disp;
2174     bool havesib;
2175 
2176     def_seg = R_DS;
2177     index = -1;
2178     scale = 0;
2179     disp = 0;
2180 
2181     mod = (modrm >> 6) & 3;
2182     rm = modrm & 7;
2183     base = rm | REX_B(s);
2184 
2185     if (mod == 3) {
2186         /* Normally filtered out earlier, but including this path
2187            simplifies multi-byte nop, as well as bndcl, bndcu, bndcn.  */
2188         goto done;
2189     }
2190 
2191     switch (s->aflag) {
2192     case MO_64:
2193     case MO_32:
2194         havesib = 0;
2195         if (rm == 4) {
2196             int code = x86_ldub_code(env, s);
2197             scale = (code >> 6) & 3;
2198             index = ((code >> 3) & 7) | REX_X(s);
2199             if (index == 4) {
2200                 index = -1;  /* no index */
2201             }
2202             base = (code & 7) | REX_B(s);
2203             havesib = 1;
2204         }
2205 
2206         switch (mod) {
2207         case 0:
2208             if ((base & 7) == 5) {
2209                 base = -1;
2210                 disp = (int32_t)x86_ldl_code(env, s);
2211                 if (CODE64(s) && !havesib) {
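                     /* mod == 0, rm == 5 without a SIB byte is RIP-relative
                        in 64-bit mode.  base == -2 marks this; rip_offset
                        accounts for an immediate not yet fetched. */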
2212                     base = -2;
2213                     disp += s->pc + s->rip_offset;
2214                 }
2215             }
2216             break;
2217         case 1:
2218             disp = (int8_t)x86_ldub_code(env, s);
2219             break;
2220         default:
2221         case 2:
2222             disp = (int32_t)x86_ldl_code(env, s);
2223             break;
2224         }
2225 
2226         /* For correct popl handling with esp.  */
2227         if (base == R_ESP && s->popl_esp_hack) {
2228             disp += s->popl_esp_hack;
2229         }
2230         if (base == R_EBP || base == R_ESP) {
2231             def_seg = R_SS;
2232         }
2233         break;
2234 
2235     case MO_16:
2236         if (mod == 0) {
2237             if (rm == 6) {
2238                 base = -1;
2239                 disp = x86_lduw_code(env, s);
2240                 break;
2241             }
2242         } else if (mod == 1) {
2243             disp = (int8_t)x86_ldub_code(env, s);
2244         } else {
2245             disp = (int16_t)x86_lduw_code(env, s);
2246         }
2247 
2248         switch (rm) {
2249         case 0:
2250             base = R_EBX;
2251             index = R_ESI;
2252             break;
2253         case 1:
2254             base = R_EBX;
2255             index = R_EDI;
2256             break;
2257         case 2:
2258             base = R_EBP;
2259             index = R_ESI;
2260             def_seg = R_SS;
2261             break;
2262         case 3:
2263             base = R_EBP;
2264             index = R_EDI;
2265             def_seg = R_SS;
2266             break;
2267         case 4:
2268             base = R_ESI;
2269             break;
2270         case 5:
2271             base = R_EDI;
2272             break;
2273         case 6:
2274             base = R_EBP;
2275             def_seg = R_SS;
2276             break;
2277         default:
2278         case 7:
2279             base = R_EBX;
2280             break;
2281         }
2282         break;
2283 
2284     default:
2285         tcg_abort();
2286     }
2287 
2288  done:
2289     return (AddressParts){ def_seg, base, index, scale, disp };
2290 }
2291 
2292 /* Compute the address, with a minimum number of TCG ops.  */
2293 static TCGv gen_lea_modrm_1(DisasContext *s, AddressParts a, bool is_vsib)
2294 {
2295     TCGv ea = NULL;
2296 
2297     if (a.index >= 0 && !is_vsib) {
2298         if (a.scale == 0) {
2299             ea = cpu_regs[a.index];
2300         } else {
2301             tcg_gen_shli_tl(s->A0, cpu_regs[a.index], a.scale);
2302             ea = s->A0;
2303         }
2304         if (a.base >= 0) {
2305             tcg_gen_add_tl(s->A0, ea, cpu_regs[a.base]);
2306             ea = s->A0;
2307         }
2308     } else if (a.base >= 0) {
2309         ea = cpu_regs[a.base];
2310     }
2311     if (!ea) {
2312         if (tb_cflags(s->base.tb) & CF_PCREL && a.base == -2) {
2313             /* With cpu_eip ~= pc_save, the expression is pc-relative. */
2314             tcg_gen_addi_tl(s->A0, cpu_eip, a.disp - s->pc_save);
2315         } else {
2316             tcg_gen_movi_tl(s->A0, a.disp);
2317         }
2318         ea = s->A0;
2319     } else if (a.disp != 0) {
2320         tcg_gen_addi_tl(s->A0, ea, a.disp);
2321         ea = s->A0;
2322     }
2323 
2324     return ea;
2325 }
2326 
2327 static void gen_lea_modrm(CPUX86State *env, DisasContext *s, int modrm)
2328 {
2329     AddressParts a = gen_lea_modrm_0(env, s, modrm);
2330     TCGv ea = gen_lea_modrm_1(s, a, false);
2331     gen_lea_v_seg(s, s->aflag, ea, a.def_seg, s->override);
2332 }
2333 
2334 static void gen_nop_modrm(CPUX86State *env, DisasContext *s, int modrm)
2335 {
2336     (void)gen_lea_modrm_0(env, s, modrm);
2337 }
2338 
2339 /* Used for BNDCL, BNDCU, BNDCN.  */
2340 static void gen_bndck(CPUX86State *env, DisasContext *s, int modrm,
2341                       TCGCond cond, TCGv_i64 bndv)
2342 {
2343     AddressParts a = gen_lea_modrm_0(env, s, modrm);
2344     TCGv ea = gen_lea_modrm_1(s, a, false);
2345 
2346     tcg_gen_extu_tl_i64(s->tmp1_i64, ea);
2347     if (!CODE64(s)) {
2348         tcg_gen_ext32u_i64(s->tmp1_i64, s->tmp1_i64);
2349     }
2350     tcg_gen_setcond_i64(cond, s->tmp1_i64, s->tmp1_i64, bndv);
2351     tcg_gen_extrl_i64_i32(s->tmp2_i32, s->tmp1_i64);
2352     gen_helper_bndck(cpu_env, s->tmp2_i32);
2353 }
2354 
2355 /* used for LEA and MOV AX, mem */
2356 static void gen_add_A0_ds_seg(DisasContext *s)
2357 {
2358     gen_lea_v_seg(s, s->aflag, s->A0, R_DS, s->override);
2359 }
2360 
2361 /* Generate a modrm memory load or store of 'reg'.  s->T0 is used as
2362    the intermediate if reg == OR_TMP0. */
2363 static void gen_ldst_modrm(CPUX86State *env, DisasContext *s, int modrm,
2364                            MemOp ot, int reg, int is_store)
2365 {
2366     int mod, rm;
2367 
2368     mod = (modrm >> 6) & 3;
2369     rm = (modrm & 7) | REX_B(s);
2370     if (mod == 3) {
2371         if (is_store) {
2372             if (reg != OR_TMP0) {
2373                 gen_op_mov_v_reg(s, ot, s->T0, reg);
                 }
2374             gen_op_mov_reg_v(s, ot, rm, s->T0);
2375         } else {
2376             gen_op_mov_v_reg(s, ot, s->T0, rm);
2377             if (reg != OR_TMP0) {
2378                 gen_op_mov_reg_v(s, ot, reg, s->T0);
                 }
2379         }
2380     } else {
2381         gen_lea_modrm(env, s, modrm);
2382         if (is_store) {
2383             if (reg != OR_TMP0) {
2384                 gen_op_mov_v_reg(s, ot, s->T0, reg);
                 }
2385             gen_op_st_v(s, ot, s->T0, s->A0);
2386         } else {
2387             gen_op_ld_v(s, ot, s->T0, s->A0);
2388             if (reg != OR_TMP0) {
2389                 gen_op_mov_reg_v(s, ot, reg, s->T0);
                 }
2390         }
2391     }
2392 }
2393 
2394 static target_ulong insn_get_addr(CPUX86State *env, DisasContext *s, MemOp ot)
2395 {
2396     target_ulong ret;
2397 
2398     switch (ot) {
2399     case MO_8:
2400         ret = x86_ldub_code(env, s);
2401         break;
2402     case MO_16:
2403         ret = x86_lduw_code(env, s);
2404         break;
2405     case MO_32:
2406         ret = x86_ldl_code(env, s);
2407         break;
2408 #ifdef TARGET_X86_64
2409     case MO_64:
2410         ret = x86_ldq_code(env, s);
2411         break;
2412 #endif
2413     default:
2414         g_assert_not_reached();
2415     }
2416     return ret;
2417 }
2418 
2419 static inline uint32_t insn_get(CPUX86State *env, DisasContext *s, MemOp ot)
2420 {
2421     uint32_t ret;
2422 
2423     switch (ot) {
2424     case MO_8:
2425         ret = x86_ldub_code(env, s);
2426         break;
2427     case MO_16:
2428         ret = x86_lduw_code(env, s);
2429         break;
2430     case MO_32:
2431 #ifdef TARGET_X86_64
2432     case MO_64:
2433 #endif
2434         ret = x86_ldl_code(env, s);
2435         break;
2436     default:
2437         tcg_abort();
2438     }
2439     return ret;
2440 }
2441 
2442 static target_long insn_get_signed(CPUX86State *env, DisasContext *s, MemOp ot)
2443 {
2444     target_long ret;
2445 
2446     switch (ot) {
2447     case MO_8:
2448         ret = (int8_t) x86_ldub_code(env, s);
2449         break;
2450     case MO_16:
2451         ret = (int16_t) x86_lduw_code(env, s);
2452         break;
2453     case MO_32:
2454         ret = (int32_t) x86_ldl_code(env, s);
2455         break;
2456 #ifdef TARGET_X86_64
2457     case MO_64:
2458         ret = x86_ldq_code(env, s);
2459         break;
2460 #endif
2461     default:
2462         g_assert_not_reached();
2463     }
2464     return ret;
2465 }
2466 
2467 static inline int insn_const_size(MemOp ot)
2468 {
2469     if (ot <= MO_32) {
2470         return 1 << ot;
2471     } else {
2472         return 4;
2473     }
2474 }
2475 
2476 static void gen_jcc(DisasContext *s, int b, int diff)
2477 {
2478     TCGLabel *l1 = gen_new_label();
2479 
2480     gen_jcc1(s, b, l1);
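     /* Taken: branch to l1 and jump to eip + diff (exit 0).  Not taken:
        fall through to a jump to the next instruction (exit 1). */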
2481     gen_jmp_rel_csize(s, 0, 1);
2482     gen_set_label(l1);
2483     gen_jmp_rel(s, s->dflag, diff, 0);
2484 }
2485 
2486 static void gen_cmovcc1(CPUX86State *env, DisasContext *s, MemOp ot, int b,
2487                         int modrm, int reg)
2488 {
2489     CCPrepare cc;
2490 
2491     gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
2492 
2493     cc = gen_prepare_cc(s, b, s->T1);
2494     if (cc.mask != -1) {
2495         TCGv t0 = tcg_temp_new();
2496         tcg_gen_andi_tl(t0, cc.reg, cc.mask);
2497         cc.reg = t0;
2498     }
2499     if (!cc.use_reg2) {
2500         cc.reg2 = tcg_const_tl(cc.imm);
2501     }
2502 
2503     tcg_gen_movcond_tl(cc.cond, s->T0, cc.reg, cc.reg2,
2504                        s->T0, cpu_regs[reg]);
2505     gen_op_mov_reg_v(s, ot, reg, s->T0);
2506 }
2507 
2508 static inline void gen_op_movl_T0_seg(DisasContext *s, X86Seg seg_reg)
2509 {
2510     tcg_gen_ld32u_tl(s->T0, cpu_env,
2511                      offsetof(CPUX86State,segs[seg_reg].selector));
2512 }
2513 
2514 static inline void gen_op_movl_seg_T0_vm(DisasContext *s, X86Seg seg_reg)
2515 {
2516     tcg_gen_ext16u_tl(s->T0, s->T0);
2517     tcg_gen_st32_tl(s->T0, cpu_env,
2518                     offsetof(CPUX86State,segs[seg_reg].selector));
2519     tcg_gen_shli_tl(cpu_seg_base[seg_reg], s->T0, 4);
2520 }
2521 
2522 /* Move T0 to seg_reg and determine whether the CPU state may change.
2523    Never call this function with seg_reg == R_CS. */
2524 static void gen_movl_seg_T0(DisasContext *s, X86Seg seg_reg)
2525 {
2526     if (PE(s) && !VM86(s)) {
2527         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
2528         gen_helper_load_seg(cpu_env, tcg_const_i32(seg_reg), s->tmp2_i32);
2529         /* Abort translation because the addseg value may change or
2530            because ss32 may change.  For R_SS, translation must always
2531            stop, since special handling is needed to disable hardware
2532            interrupts for the next instruction. */
2533         if (seg_reg == R_SS) {
2534             s->base.is_jmp = DISAS_EOB_INHIBIT_IRQ;
2535         } else if (CODE32(s) && seg_reg < R_FS) {
2536             s->base.is_jmp = DISAS_EOB_NEXT;
2537         }
2538     } else {
2539         gen_op_movl_seg_T0_vm(s, seg_reg);
2540         if (seg_reg == R_SS) {
2541             s->base.is_jmp = DISAS_EOB_INHIBIT_IRQ;
2542         }
2543     }
2544 }
2545 
2546 static void gen_svm_check_intercept(DisasContext *s, uint32_t type)
2547 {
2548     /* no SVM activated; fast case */
2549     if (likely(!GUEST(s))) {
2550         return;
2551     }
2552     gen_helper_svm_check_intercept(cpu_env, tcg_constant_i32(type));
2553 }
2554 
2555 static inline void gen_stack_update(DisasContext *s, int addend)
2556 {
2557     gen_op_add_reg_im(s, mo_stacksize(s), R_ESP, addend);
2558 }
2559 
2560 /* Generate a push. It depends on ss32, addseg and dflag.  */
2561 static void gen_push_v(DisasContext *s, TCGv val)
2562 {
2563     MemOp d_ot = mo_pushpop(s, s->dflag);
2564     MemOp a_ot = mo_stacksize(s);
2565     int size = 1 << d_ot;
2566     TCGv new_esp = s->A0;
2567 
2568     tcg_gen_subi_tl(s->A0, cpu_regs[R_ESP], size);
2569 
2570     if (!CODE64(s)) {
2571         if (ADDSEG(s)) {
2572             new_esp = s->tmp4;
2573             tcg_gen_mov_tl(new_esp, s->A0);
2574         }
2575         gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2576     }
2577 
2578     gen_op_st_v(s, d_ot, val, s->A0);
2579     gen_op_mov_reg_v(s, a_ot, R_ESP, new_esp);
2580 }
2581 
2582 /* A two-step pop is necessary for precise exceptions: ESP is not
        updated until after the load has succeeded. */
2583 static MemOp gen_pop_T0(DisasContext *s)
2584 {
2585     MemOp d_ot = mo_pushpop(s, s->dflag);
2586 
2587     gen_lea_v_seg(s, mo_stacksize(s), cpu_regs[R_ESP], R_SS, -1);
2588     gen_op_ld_v(s, d_ot, s->T0, s->A0);
2589 
2590     return d_ot;
2591 }
2592 
2593 static inline void gen_pop_update(DisasContext *s, MemOp ot)
2594 {
2595     gen_stack_update(s, 1 << ot);
2596 }
2597 
2598 static inline void gen_stack_A0(DisasContext *s)
2599 {
2600     gen_lea_v_seg(s, SS32(s) ? MO_32 : MO_16, cpu_regs[R_ESP], R_SS, -1);
2601 }
2602 
2603 static void gen_pusha(DisasContext *s)
2604 {
2605     MemOp s_ot = SS32(s) ? MO_32 : MO_16;
2606     MemOp d_ot = s->dflag;
2607     int size = 1 << d_ot;
2608     int i;
2609 
2610     for (i = 0; i < 8; i++) {
2611         tcg_gen_addi_tl(s->A0, cpu_regs[R_ESP], (i - 8) * size);
2612         gen_lea_v_seg(s, s_ot, s->A0, R_SS, -1);
2613         gen_op_st_v(s, d_ot, cpu_regs[7 - i], s->A0);
2614     }
2615 
2616     gen_stack_update(s, -8 * size);
2617 }
2618 
2619 static void gen_popa(DisasContext *s)
2620 {
2621     MemOp s_ot = SS32(s) ? MO_32 : MO_16;
2622     MemOp d_ot = s->dflag;
2623     int size = 1 << d_ot;
2624     int i;
2625 
2626     for (i = 0; i < 8; i++) {
2627         /* ESP is not reloaded */
2628         if (7 - i == R_ESP) {
2629             continue;
2630         }
2631         tcg_gen_addi_tl(s->A0, cpu_regs[R_ESP], i * size);
2632         gen_lea_v_seg(s, s_ot, s->A0, R_SS, -1);
2633         gen_op_ld_v(s, d_ot, s->T0, s->A0);
2634         gen_op_mov_reg_v(s, d_ot, 7 - i, s->T0);
2635     }
2636 
2637     gen_stack_update(s, 8 * size);
2638 }
2639 
2640 static void gen_enter(DisasContext *s, int esp_addend, int level)
2641 {
2642     MemOp d_ot = mo_pushpop(s, s->dflag);
2643     MemOp a_ot = CODE64(s) ? MO_64 : SS32(s) ? MO_32 : MO_16;
2644     int size = 1 << d_ot;
2645 
2646     /* Push BP; compute FrameTemp into T1.  */
2647     tcg_gen_subi_tl(s->T1, cpu_regs[R_ESP], size);
2648     gen_lea_v_seg(s, a_ot, s->T1, R_SS, -1);
2649     gen_op_st_v(s, d_ot, cpu_regs[R_EBP], s->A0);
2650 
2651     level &= 31;
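     /* The architecture masks the nesting level to 5 bits. */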
2652     if (level != 0) {
2653         int i;
2654 
2655         /* Copy level-1 pointers from the previous frame.  */
2656         for (i = 1; i < level; ++i) {
2657             tcg_gen_subi_tl(s->A0, cpu_regs[R_EBP], size * i);
2658             gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2659             gen_op_ld_v(s, d_ot, s->tmp0, s->A0);
2660 
2661             tcg_gen_subi_tl(s->A0, s->T1, size * i);
2662             gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2663             gen_op_st_v(s, d_ot, s->tmp0, s->A0);
2664         }
2665 
2666         /* Push the current FrameTemp as the last level.  */
2667         tcg_gen_subi_tl(s->A0, s->T1, size * level);
2668         gen_lea_v_seg(s, a_ot, s->A0, R_SS, -1);
2669         gen_op_st_v(s, d_ot, s->T1, s->A0);
2670     }
2671 
2672     /* Copy the FrameTemp value to EBP.  */
2673     gen_op_mov_reg_v(s, a_ot, R_EBP, s->T1);
2674 
2675     /* Compute the final value of ESP.  */
2676     tcg_gen_subi_tl(s->T1, s->T1, esp_addend + size * level);
2677     gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1);
2678 }
2679 
2680 static void gen_leave(DisasContext *s)
2681 {
2682     MemOp d_ot = mo_pushpop(s, s->dflag);
2683     MemOp a_ot = mo_stacksize(s);
2684 
2685     gen_lea_v_seg(s, a_ot, cpu_regs[R_EBP], R_SS, -1);
2686     gen_op_ld_v(s, d_ot, s->T0, s->A0);
2687 
2688     tcg_gen_addi_tl(s->T1, cpu_regs[R_EBP], 1 << d_ot);
2689 
2690     gen_op_mov_reg_v(s, d_ot, R_EBP, s->T0);
2691     gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1);
2692 }
2693 
2694 /* Similarly, except that the assumption here is that we don't decode
2695    the instruction at all -- either a missing opcode, an unimplemented
2696    feature, or just a bogus instruction stream.  */
2697 static void gen_unknown_opcode(CPUX86State *env, DisasContext *s)
2698 {
2699     gen_illegal_opcode(s);
2700 
2701     if (qemu_loglevel_mask(LOG_UNIMP)) {
2702         FILE *logfile = qemu_log_trylock();
2703         if (logfile) {
2704             target_ulong pc = s->base.pc_next, end = s->pc;
2705 
2706             fprintf(logfile, "ILLOPC: " TARGET_FMT_lx ":", pc);
2707             for (; pc < end; ++pc) {
2708                 fprintf(logfile, " %02x", cpu_ldub_code(env, pc));
2709             }
2710             fprintf(logfile, "\n");
2711             qemu_log_unlock(logfile);
2712         }
2713     }
2714 }
2715 
2716 /* an interrupt is different from an exception because of the
2717    privilege checks */
2718 static void gen_interrupt(DisasContext *s, int intno)
2719 {
2720     gen_update_cc_op(s);
2721     gen_update_eip_cur(s);
2722     gen_helper_raise_interrupt(cpu_env, tcg_constant_i32(intno),
2723                                cur_insn_len_i32(s));
2724     s->base.is_jmp = DISAS_NORETURN;
2725 }
2726 
2727 static void gen_set_hflag(DisasContext *s, uint32_t mask)
2728 {
2729     if ((s->flags & mask) == 0) {
2730         TCGv_i32 t = tcg_temp_new_i32();
2731         tcg_gen_ld_i32(t, cpu_env, offsetof(CPUX86State, hflags));
2732         tcg_gen_ori_i32(t, t, mask);
2733         tcg_gen_st_i32(t, cpu_env, offsetof(CPUX86State, hflags));
2734         s->flags |= mask;
2735     }
2736 }
2737 
2738 static void gen_reset_hflag(DisasContext *s, uint32_t mask)
2739 {
2740     if (s->flags & mask) {
2741         TCGv_i32 t = tcg_temp_new_i32();
2742         tcg_gen_ld_i32(t, cpu_env, offsetof(CPUX86State, hflags));
2743         tcg_gen_andi_i32(t, t, ~mask);
2744         tcg_gen_st_i32(t, cpu_env, offsetof(CPUX86State, hflags));
2745         s->flags &= ~mask;
2746     }
2747 }
2748 
2749 static void gen_set_eflags(DisasContext *s, target_ulong mask)
2750 {
2751     TCGv t = tcg_temp_new();
2752 
2753     tcg_gen_ld_tl(t, cpu_env, offsetof(CPUX86State, eflags));
2754     tcg_gen_ori_tl(t, t, mask);
2755     tcg_gen_st_tl(t, cpu_env, offsetof(CPUX86State, eflags));
2756 }
2757 
2758 static void gen_reset_eflags(DisasContext *s, target_ulong mask)
2759 {
2760     TCGv t = tcg_temp_new();
2761 
2762     tcg_gen_ld_tl(t, cpu_env, offsetof(CPUX86State, eflags));
2763     tcg_gen_andi_tl(t, t, ~mask);
2764     tcg_gen_st_tl(t, cpu_env, offsetof(CPUX86State, eflags));
2765 }
2766 
2767 /* Clear BND registers during legacy branches.  */
2768 static void gen_bnd_jmp(DisasContext *s)
2769 {
2770     /* Clear the registers only if BND prefix is missing, MPX is enabled,
2771        and if the BNDREGs are known to be in use (non-zero) already.
2772        The helper itself will check BNDPRESERVE at runtime.  */
2773     if ((s->prefix & PREFIX_REPNZ) == 0
2774         && (s->flags & HF_MPX_EN_MASK) != 0
2775         && (s->flags & HF_MPX_IU_MASK) != 0) {
2776         gen_helper_bnd_jmp(cpu_env);
2777     }
2778 }
2779 
2780 /* Generate an end of block.  Trace exception is also generated if needed.
2781    If INHIBIT, set HF_INHIBIT_IRQ_MASK if it isn't already set.
2782    If RECHECK_TF, emit a rechecking helper for #DB, ignoring the state of
2783    S->TF.  This is used by the syscall/sysret insns.
        If JR, chain to the next TB via tcg_gen_lookup_and_goto_ptr. */
2784 static void
2785 do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
2786 {
2787     gen_update_cc_op(s);
2788 
2789     /* If several instructions disable interrupts, only the first does it.  */
2790     if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
2791         gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
2792     } else {
2793         gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
2794     }
2795 
2796     if (s->base.tb->flags & HF_RF_MASK) {
2797         gen_reset_eflags(s, RF_MASK);
2798     }
2799     if (recheck_tf) {
2800         gen_helper_rechecking_single_step(cpu_env);
2801         tcg_gen_exit_tb(NULL, 0);
2802     } else if (s->flags & HF_TF_MASK) {
2803         gen_helper_single_step(cpu_env);
2804     } else if (jr) {
2805         tcg_gen_lookup_and_goto_ptr();
2806     } else {
2807         tcg_gen_exit_tb(NULL, 0);
2808     }
2809     s->base.is_jmp = DISAS_NORETURN;
2810 }
2811 
2812 static inline void
2813 gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf)
2814 {
2815     do_gen_eob_worker(s, inhibit, recheck_tf, false);
2816 }
2817 
2818 /* End of block.
2819    If INHIBIT, set HF_INHIBIT_IRQ_MASK if it isn't already set.  */
2820 static void gen_eob_inhibit_irq(DisasContext *s, bool inhibit)
2821 {
2822     gen_eob_worker(s, inhibit, false);
2823 }
2824 
2825 /* End of block, resetting the inhibit irq flag.  */
2826 static void gen_eob(DisasContext *s)
2827 {
2828     gen_eob_worker(s, false, false);
2829 }
2830 
2831 /* Jump to register */
2832 static void gen_jr(DisasContext *s)
2833 {
2834     do_gen_eob_worker(s, false, false, true);
2835 }
2836 
2837 /* Jump to eip+diff, truncating the result to OT. */
2838 static void gen_jmp_rel(DisasContext *s, MemOp ot, int diff, int tb_num)
2839 {
2840     bool use_goto_tb = s->jmp_opt;
2841     target_ulong mask = -1;
2842     target_ulong new_pc = s->pc + diff;
2843     target_ulong new_eip = new_pc - s->cs_base;
2844 
2845     /* In 64-bit mode, operand size is fixed at 64 bits. */
2846     if (!CODE64(s)) {
2847         if (ot == MO_16) {
2848             mask = 0xffff;
2849             if (tb_cflags(s->base.tb) & CF_PCREL && CODE32(s)) {
2850                 use_goto_tb = false;
2851             }
2852         } else {
2853             mask = 0xffffffff;
2854         }
2855     }
2856     new_eip &= mask;
2857 
2858     gen_update_cc_op(s);
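     /* Spill the lazy flags state; the target TB will be translated
        with cc_op = CC_OP_DYNAMIC. */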
2859     set_cc_op(s, CC_OP_DYNAMIC);
2860 
2861     if (tb_cflags(s->base.tb) & CF_PCREL) {
2862         tcg_gen_addi_tl(cpu_eip, cpu_eip, new_pc - s->pc_save);
2863         /*
2864          * If we can prove the branch does not leave the page and we have
2865          * no extra masking to apply (data16 branch in code32, see above),
2866          * then we have also proven that the addition does not wrap.
2867          */
2868         if (!use_goto_tb || !is_same_page(&s->base, new_pc)) {
2869             tcg_gen_andi_tl(cpu_eip, cpu_eip, mask);
2870             use_goto_tb = false;
2871         }
2872     }
2873 
2874     if (use_goto_tb &&
2875         translator_use_goto_tb(&s->base, new_eip + s->cs_base)) {
2876         /* jump to same page: we can use a direct jump */
2877         tcg_gen_goto_tb(tb_num);
2878         if (!(tb_cflags(s->base.tb) & CF_PCREL)) {
2879             tcg_gen_movi_tl(cpu_eip, new_eip);
2880         }
2881         tcg_gen_exit_tb(s->base.tb, tb_num);
2882         s->base.is_jmp = DISAS_NORETURN;
2883     } else {
2884         if (!(tb_cflags(s->base.tb) & CF_PCREL)) {
2885             tcg_gen_movi_tl(cpu_eip, new_eip);
2886         }
2887         if (s->jmp_opt) {
2888             gen_jr(s);   /* jump to another page */
2889         } else {
2890             gen_eob(s);  /* exit to main loop */
2891         }
2892     }
2893 }
2894 
2895 /* Jump to eip+diff, truncating to the current code size. */
2896 static void gen_jmp_rel_csize(DisasContext *s, int diff, int tb_num)
2897 {
2898     /* CODE64 ignores the OT argument, so we need not consider it. */
2899     gen_jmp_rel(s, CODE32(s) ? MO_32 : MO_16, diff, tb_num);
2900 }
2901 
2902 static inline void gen_ldq_env_A0(DisasContext *s, int offset)
2903 {
2904     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0, s->mem_index, MO_LEUQ);
2905     tcg_gen_st_i64(s->tmp1_i64, cpu_env, offset);
2906 }
2907 
2908 static inline void gen_stq_env_A0(DisasContext *s, int offset)
2909 {
2910     tcg_gen_ld_i64(s->tmp1_i64, cpu_env, offset);
2911     tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0, s->mem_index, MO_LEUQ);
2912 }
2913 
2914 static inline void gen_ldo_env_A0(DisasContext *s, int offset, bool align)
2915 {
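     /* If requested, only the first access is alignment-checked: a
        16-byte-aligned A0 makes the second qword at A0 + 8 aligned too. */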
2916     int mem_index = s->mem_index;
2917     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0, mem_index,
2918                         MO_LEUQ | (align ? MO_ALIGN_16 : 0));
2919     tcg_gen_st_i64(s->tmp1_i64, cpu_env, offset + offsetof(XMMReg, XMM_Q(0)));
2920     tcg_gen_addi_tl(s->tmp0, s->A0, 8);
2921     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->tmp0, mem_index, MO_LEUQ);
2922     tcg_gen_st_i64(s->tmp1_i64, cpu_env, offset + offsetof(XMMReg, XMM_Q(1)));
2923 }
2924 
2925 static inline void gen_sto_env_A0(DisasContext *s, int offset, bool align)
2926 {
2927     int mem_index = s->mem_index;
2928     tcg_gen_ld_i64(s->tmp1_i64, cpu_env, offset + offsetof(XMMReg, XMM_Q(0)));
2929     tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0, mem_index,
2930                         MO_LEUQ | (align ? MO_ALIGN_16 : 0));
2931     tcg_gen_addi_tl(s->tmp0, s->A0, 8);
2932     tcg_gen_ld_i64(s->tmp1_i64, cpu_env, offset + offsetof(XMMReg, XMM_Q(1)));
2933     tcg_gen_qemu_st_i64(s->tmp1_i64, s->tmp0, mem_index, MO_LEUQ);
2934 }
2935 
2936 static void gen_ldy_env_A0(DisasContext *s, int offset, bool align)
2937 {
2938     int mem_index = s->mem_index;
2939     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0, mem_index,
2940                         MO_LEUQ | (align ? MO_ALIGN_32 : 0));
2941     tcg_gen_st_i64(s->tmp1_i64, cpu_env, offset + offsetof(YMMReg, YMM_Q(0)));
2942     tcg_gen_addi_tl(s->tmp0, s->A0, 8);
2943     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->tmp0, mem_index, MO_LEUQ);
2944     tcg_gen_st_i64(s->tmp1_i64, cpu_env, offset + offsetof(YMMReg, YMM_Q(1)));
2945 
2946     tcg_gen_addi_tl(s->tmp0, s->A0, 16);
2947     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->tmp0, mem_index, MO_LEUQ);
2948     tcg_gen_st_i64(s->tmp1_i64, cpu_env, offset + offsetof(YMMReg, YMM_Q(2)));
2949     tcg_gen_addi_tl(s->tmp0, s->A0, 24);
2950     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->tmp0, mem_index, MO_LEUQ);
2951     tcg_gen_st_i64(s->tmp1_i64, cpu_env, offset + offsetof(YMMReg, YMM_Q(3)));
2952 }
2953 
2954 static void gen_sty_env_A0(DisasContext *s, int offset, bool align)
2955 {
2956     int mem_index = s->mem_index;
2957     tcg_gen_ld_i64(s->tmp1_i64, cpu_env, offset + offsetof(YMMReg, YMM_Q(0)));
2958     tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0, mem_index,
2959                         MO_LEUQ | (align ? MO_ALIGN_32 : 0));
2960     tcg_gen_addi_tl(s->tmp0, s->A0, 8);
2961     tcg_gen_ld_i64(s->tmp1_i64, cpu_env, offset + offsetof(YMMReg, YMM_Q(1)));
2962     tcg_gen_qemu_st_i64(s->tmp1_i64, s->tmp0, mem_index, MO_LEUQ);
2963     tcg_gen_addi_tl(s->tmp0, s->A0, 16);
2964     tcg_gen_ld_i64(s->tmp1_i64, cpu_env, offset + offsetof(YMMReg, YMM_Q(2)));
2965     tcg_gen_qemu_st_i64(s->tmp1_i64, s->tmp0, mem_index, MO_LEUQ);
2966     tcg_gen_addi_tl(s->tmp0, s->A0, 24);
2967     tcg_gen_ld_i64(s->tmp1_i64, cpu_env, offset + offsetof(YMMReg, YMM_Q(3)));
2968     tcg_gen_qemu_st_i64(s->tmp1_i64, s->tmp0, mem_index, MO_LEUQ);
2969 }
2970 
2971 #include "decode-new.h"
2972 #include "emit.c.inc"
2973 #include "decode-new.c.inc"
2974 
2975 static void gen_cmpxchg8b(DisasContext *s, CPUX86State *env, int modrm)
2976 {
2977     TCGv_i64 cmp, val, old;
2978     TCGv Z;
2979 
2980     gen_lea_modrm(env, s, modrm);
2981 
2982     cmp = tcg_temp_new_i64();
2983     val = tcg_temp_new_i64();
2984     old = tcg_temp_new_i64();
2985 
2986     /* Construct the comparison values from the register pair. */
2987     tcg_gen_concat_tl_i64(cmp, cpu_regs[R_EAX], cpu_regs[R_EDX]);
2988     tcg_gen_concat_tl_i64(val, cpu_regs[R_EBX], cpu_regs[R_ECX]);
2989 
2990     /* Only require atomic with LOCK; non-parallel handled in generator. */
2991     if (s->prefix & PREFIX_LOCK) {
2992         tcg_gen_atomic_cmpxchg_i64(old, s->A0, cmp, val, s->mem_index, MO_TEUQ);
2993     } else {
2994         tcg_gen_nonatomic_cmpxchg_i64(old, s->A0, cmp, val,
2995                                       s->mem_index, MO_TEUQ);
2996     }
2997 
2998     /* Compute the required value of Z from the old and expected values. */
2999     tcg_gen_setcond_i64(TCG_COND_EQ, cmp, old, cmp);
3000     Z = tcg_temp_new();
3001     tcg_gen_trunc_i64_tl(Z, cmp);
3002 
3003     /*
3004      * Extract the result values for the register pair.
3005      * For 32-bit, we may do this unconditionally, because on success (Z=1),
3006      * the old value matches the previous value in EDX:EAX.  For x86_64,
3007      * the store must be conditional, because we must leave the source
3008      * registers unchanged on success, and zero-extend the writeback
3009      * on failure (Z=0).
3010      */
3011     if (TARGET_LONG_BITS == 32) {
3012         tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], old);
3013     } else {
3014         TCGv zero = tcg_constant_tl(0);
3015 
3016         tcg_gen_extr_i64_tl(s->T0, s->T1, old);
3017         tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EAX], Z, zero,
3018                            s->T0, cpu_regs[R_EAX]);
3019         tcg_gen_movcond_tl(TCG_COND_EQ, cpu_regs[R_EDX], Z, zero,
3020                            s->T1, cpu_regs[R_EDX]);
3021     }
3022 
3023     /* Update Z. */
3024     gen_compute_eflags(s);
3025     tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, Z, ctz32(CC_Z), 1);
3026 }
3027 
3028 #ifdef TARGET_X86_64
3029 static void gen_cmpxchg16b(DisasContext *s, CPUX86State *env, int modrm)
3030 {
3031     MemOp mop = MO_TE | MO_128 | MO_ALIGN;
3032     TCGv_i64 t0, t1;
3033     TCGv_i128 cmp, val;
3034 
3035     gen_lea_modrm(env, s, modrm);
3036 
3037     cmp = tcg_temp_new_i128();
3038     val = tcg_temp_new_i128();
3039     tcg_gen_concat_i64_i128(cmp, cpu_regs[R_EAX], cpu_regs[R_EDX]);
3040     tcg_gen_concat_i64_i128(val, cpu_regs[R_EBX], cpu_regs[R_ECX]);
3041 
3042     /* Only require atomic with LOCK; non-parallel handled in generator. */
3043     if (s->prefix & PREFIX_LOCK) {
3044         tcg_gen_atomic_cmpxchg_i128(val, s->A0, cmp, val, s->mem_index, mop);
3045     } else {
3046         tcg_gen_nonatomic_cmpxchg_i128(val, s->A0, cmp, val, s->mem_index, mop);
3047     }
3048 
3049     tcg_gen_extr_i128_i64(s->T0, s->T1, val);
3050 
3051     /* Determine success after the fact. */
3052     t0 = tcg_temp_new_i64();
3053     t1 = tcg_temp_new_i64();
3054     tcg_gen_xor_i64(t0, s->T0, cpu_regs[R_EAX]);
3055     tcg_gen_xor_i64(t1, s->T1, cpu_regs[R_EDX]);
3056     tcg_gen_or_i64(t0, t0, t1);
3057 
3058     /* Update Z. */
3059     gen_compute_eflags(s);
3060     tcg_gen_setcondi_i64(TCG_COND_EQ, t0, t0, 0);
3061     tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, t0, ctz32(CC_Z), 1);
3062 
3063     /*
3064      * Extract the result values for the register pair.  We may do this
3065      * unconditionally, because on success (Z=1), the old value matches
3066      * the previous value in RDX:RAX.
3067      */
3068     tcg_gen_mov_i64(cpu_regs[R_EAX], s->T0);
3069     tcg_gen_mov_i64(cpu_regs[R_EDX], s->T1);
3070 }
3071 #endif
3072 
3073 /* convert one instruction. s->base.is_jmp is set if the translation must
3074    be stopped.  Return false if the instruction crossed a page boundary
        and must be retranslated as the first insn of a new TB. */
3075 static bool disas_insn(DisasContext *s, CPUState *cpu)
3076 {
3077     CPUX86State *env = cpu->env_ptr;
3078     int b, prefixes;
3079     int shift;
3080     MemOp ot, aflag, dflag;
3081     int modrm, reg, rm, mod, op, opreg, val;
3082     bool orig_cc_op_dirty = s->cc_op_dirty;
3083     CCOp orig_cc_op = s->cc_op;
3084     target_ulong orig_pc_save = s->pc_save;
3085 
3086     s->pc = s->base.pc_next;
3087     s->override = -1;
3088 #ifdef TARGET_X86_64
3089     s->rex_r = 0;
3090     s->rex_x = 0;
3091     s->rex_b = 0;
3092 #endif
3093     s->rip_offset = 0; /* for relative ip address */
3094     s->vex_l = 0;
3095     s->vex_v = 0;
3096     s->vex_w = false;
3097     switch (sigsetjmp(s->jmpbuf, 0)) {
3098     case 0:
3099         break;
3100     case 1:
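         /* Instruction longer than X86_MAX_INSN_LENGTH: raise #GP. */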
3101         gen_exception_gpf(s);
3102         return true;
3103     case 2:
3104         /* Restore state that may affect the next instruction. */
3105         s->pc = s->base.pc_next;
3106         /*
3107          * TODO: These save/restore can be removed after the table-based
3108          * decoder is complete; we will be decoding the insn completely
3109          * before any code generation that might affect these variables.
3110          */
3111         s->cc_op_dirty = orig_cc_op_dirty;
3112         s->cc_op = orig_cc_op;
3113         s->pc_save = orig_pc_save;
3114         /* END TODO */
3115         s->base.num_insns--;
3116         tcg_remove_ops_after(s->prev_insn_end);
3117         s->base.is_jmp = DISAS_TOO_MANY;
3118         return false;
3119     default:
3120         g_assert_not_reached();
3121     }
3122 
3123     prefixes = 0;
3124 
3125  next_byte:
3126     s->prefix = prefixes;
3127     b = x86_ldub_code(env, s);
3128     /* Collect prefixes.  */
3129     switch (b) {
3130     default:
3131         break;
3132     case 0x0f:
3133         b = x86_ldub_code(env, s) + 0x100;
3134         break;
3135     case 0xf3:
3136         prefixes |= PREFIX_REPZ;
3137         prefixes &= ~PREFIX_REPNZ;
3138         goto next_byte;
3139     case 0xf2:
3140         prefixes |= PREFIX_REPNZ;
3141         prefixes &= ~PREFIX_REPZ;
3142         goto next_byte;
3143     case 0xf0:
3144         prefixes |= PREFIX_LOCK;
3145         goto next_byte;
3146     case 0x2e:
3147         s->override = R_CS;
3148         goto next_byte;
3149     case 0x36:
3150         s->override = R_SS;
3151         goto next_byte;
3152     case 0x3e:
3153         s->override = R_DS;
3154         goto next_byte;
3155     case 0x26:
3156         s->override = R_ES;
3157         goto next_byte;
3158     case 0x64:
3159         s->override = R_FS;
3160         goto next_byte;
3161     case 0x65:
3162         s->override = R_GS;
3163         goto next_byte;
3164     case 0x66:
3165         prefixes |= PREFIX_DATA;
3166         goto next_byte;
3167     case 0x67:
3168         prefixes |= PREFIX_ADR;
3169         goto next_byte;
3170 #ifdef TARGET_X86_64
3171     case 0x40 ... 0x4f:
3172         if (CODE64(s)) {
3173             /* REX prefix */
3174             prefixes |= PREFIX_REX;
3175             s->vex_w = (b >> 3) & 1;
3176             s->rex_r = (b & 0x4) << 1;
3177             s->rex_x = (b & 0x2) << 2;
3178             s->rex_b = (b & 0x1) << 3;
3179             goto next_byte;
3180         }
3181         break;
3182 #endif
3183     case 0xc5: /* 2-byte VEX */
3184     case 0xc4: /* 3-byte VEX */
3185         if (CODE32(s) && !VM86(s)) {
3186             int vex2 = x86_ldub_code(env, s);
3187             s->pc--; /* rewind the advance_pc() x86_ldub_code() did */
3188 
3189             if (!CODE64(s) && (vex2 & 0xc0) != 0xc0) {
3190                 /* 4.1.4.6: In 32-bit mode, bits [7:6] must be 11b,
3191                    otherwise the instruction is LES or LDS.  */
3192                 break;
3193             }
3194             disas_insn_new(s, cpu, b);
3195             return true;
3196         }
3197         break;
3198     }
3199 
3200     /* Post-process prefixes.  */
3201     if (CODE64(s)) {
3202         /* In 64-bit mode, the default data size is 32-bit.  Select 64-bit
3203            data with rex_w, and 16-bit data with 0x66; rex_w takes precedence
3204            over 0x66 if both are present.  */
3205         dflag = (REX_W(s) ? MO_64 : prefixes & PREFIX_DATA ? MO_16 : MO_32);
3206         /* In 64-bit mode, 0x67 selects 32-bit addressing.  */
3207         aflag = (prefixes & PREFIX_ADR ? MO_32 : MO_64);
3208     } else {
3209         /* In 16/32-bit mode, 0x66 selects the opposite data size.  */
3210         if (CODE32(s) ^ ((prefixes & PREFIX_DATA) != 0)) {
3211             dflag = MO_32;
3212         } else {
3213             dflag = MO_16;
3214         }
3215         /* In 16/32-bit mode, 0x67 selects the opposite addressing.  */
3216         if (CODE32(s) ^ ((prefixes & PREFIX_ADR) != 0)) {
3217             aflag = MO_32;
3218         }  else {
3219             aflag = MO_16;
3220         }
3221     }
3222 
3223     s->prefix = prefixes;
3224     s->aflag = aflag;
3225     s->dflag = dflag;
3226 
3227     /* now check op code */
3228     switch (b) {
3229         /**************************/
3230         /* arith & logic */
3231     case 0x00 ... 0x05:
3232     case 0x08 ... 0x0d:
3233     case 0x10 ... 0x15:
3234     case 0x18 ... 0x1d:
3235     case 0x20 ... 0x25:
3236     case 0x28 ... 0x2d:
3237     case 0x30 ... 0x35:
3238     case 0x38 ... 0x3d:
3239         {
3240             int op, f, val;
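             /* Opcode bits 5:3 select the ALU op; bits 2:1 select the
                form: 0 = Ev,Gv, 1 = Gv,Ev, 2 = AL/eAX,Ib/Iz. */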
3241             op = (b >> 3) & 7;
3242             f = (b >> 1) & 3;
3243 
3244             ot = mo_b_d(b, dflag);
3245 
3246             switch(f) {
3247             case 0: /* OP Ev, Gv */
3248                 modrm = x86_ldub_code(env, s);
3249                 reg = ((modrm >> 3) & 7) | REX_R(s);
3250                 mod = (modrm >> 6) & 3;
3251                 rm = (modrm & 7) | REX_B(s);
3252                 if (mod != 3) {
3253                     gen_lea_modrm(env, s, modrm);
3254                     opreg = OR_TMP0;
3255                 } else if (op == OP_XORL && rm == reg) {
3256                 xor_zero:
3257                     /* xor reg, reg optimisation */
3258                     set_cc_op(s, CC_OP_CLR);
3259                     tcg_gen_movi_tl(s->T0, 0);
3260                     gen_op_mov_reg_v(s, ot, reg, s->T0);
3261                     break;
3262                 } else {
3263                     opreg = rm;
3264                 }
3265                 gen_op_mov_v_reg(s, ot, s->T1, reg);
3266                 gen_op(s, op, ot, opreg);
3267                 break;
3268             case 1: /* OP Gv, Ev */
3269                 modrm = x86_ldub_code(env, s);
3270                 mod = (modrm >> 6) & 3;
3271                 reg = ((modrm >> 3) & 7) | REX_R(s);
3272                 rm = (modrm & 7) | REX_B(s);
3273                 if (mod != 3) {
3274                     gen_lea_modrm(env, s, modrm);
3275                     gen_op_ld_v(s, ot, s->T1, s->A0);
3276                 } else if (op == OP_XORL && rm == reg) {
3277                     goto xor_zero;
3278                 } else {
3279                     gen_op_mov_v_reg(s, ot, s->T1, rm);
3280                 }
3281                 gen_op(s, op, ot, reg);
3282                 break;
3283             case 2: /* OP A, Iv */
3284                 val = insn_get(env, s, ot);
3285                 tcg_gen_movi_tl(s->T1, val);
3286                 gen_op(s, op, ot, OR_EAX);
3287                 break;
3288             }
3289         }
3290         break;
3291 
3292     case 0x82:
3293         if (CODE64(s)) {
3294             goto illegal_op;
         }
3295         /* fall through */
3296     case 0x80: /* GRP1 */
3297     case 0x81:
3298     case 0x83:
3299         {
3300             int val;
3301 
3302             ot = mo_b_d(b, dflag);
3303 
3304             modrm = x86_ldub_code(env, s);
3305             mod = (modrm >> 6) & 3;
3306             rm = (modrm & 7) | REX_B(s);
3307             op = (modrm >> 3) & 7;
3308 
3309             if (mod != 3) {
3310                 if (b == 0x83)
3311                     s->rip_offset = 1;
3312                 else
3313                     s->rip_offset = insn_const_size(ot);
3314                 gen_lea_modrm(env, s, modrm);
3315                 opreg = OR_TMP0;
3316             } else {
3317                 opreg = rm;
3318             }
3319 
3320             switch(b) {
3321             default:
3322             case 0x80:
3323             case 0x81:
3324             case 0x82:
3325                 val = insn_get(env, s, ot);
3326                 break;
3327             case 0x83:
3328                 val = (int8_t)insn_get(env, s, MO_8);
3329                 break;
3330             }
3331             tcg_gen_movi_tl(s->T1, val);
3332             gen_op(s, op, ot, opreg);
3333         }
3334         break;
3335 
3336         /**************************/
3337         /* inc, dec, and other misc arith */
3338     case 0x40 ... 0x47: /* inc Gv */
3339         ot = dflag;
3340         gen_inc(s, ot, OR_EAX + (b & 7), 1);
3341         break;
3342     case 0x48 ... 0x4f: /* dec Gv */
3343         ot = dflag;
3344         gen_inc(s, ot, OR_EAX + (b & 7), -1);
3345         break;
3346     case 0xf6: /* GRP3 */
3347     case 0xf7:
3348         ot = mo_b_d(b, dflag);
3349 
3350         modrm = x86_ldub_code(env, s);
3351         mod = (modrm >> 6) & 3;
3352         rm = (modrm & 7) | REX_B(s);
3353         op = (modrm >> 3) & 7;
3354         if (mod != 3) {
3355             if (op == 0) {
3356                 s->rip_offset = insn_const_size(ot);
3357             }
3358             gen_lea_modrm(env, s, modrm);
3359             /* For those below that handle locked memory, don't load here.  */
3360             if (!(s->prefix & PREFIX_LOCK)
3361                 || op != 2) {
3362                 gen_op_ld_v(s, ot, s->T0, s->A0);
3363             }
3364         } else {
3365             gen_op_mov_v_reg(s, ot, s->T0, rm);
3366         }
3367 
3368         switch(op) {
3369         case 0: /* test */
3370             val = insn_get(env, s, ot);
3371             tcg_gen_movi_tl(s->T1, val);
3372             gen_op_testl_T0_T1_cc(s);
3373             set_cc_op(s, CC_OP_LOGICB + ot);
3374             break;
3375         case 2: /* not */
3376             if (s->prefix & PREFIX_LOCK) {
3377                 if (mod == 3) {
3378                     goto illegal_op;
3379                 }
3380                 tcg_gen_movi_tl(s->T0, ~0);
3381                 tcg_gen_atomic_xor_fetch_tl(s->T0, s->A0, s->T0,
3382                                             s->mem_index, ot | MO_LE);
3383             } else {
3384                 tcg_gen_not_tl(s->T0, s->T0);
3385                 if (mod != 3) {
3386                     gen_op_st_v(s, ot, s->T0, s->A0);
3387                 } else {
3388                     gen_op_mov_reg_v(s, ot, rm, s->T0);
3389                 }
3390             }
3391             break;
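             /*
              * There is no single atomic TCG operation for a locked NEG, so
              * it is emitted as a compare-and-swap retry loop seeded by the
              * plain load above: compute -old, try to cmpxchg it in, and
              * loop until no other CPU has modified the location in between.
              */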
3392         case 3: /* neg */
3393             if (s->prefix & PREFIX_LOCK) {
3394                 TCGLabel *label1;
3395                 TCGv a0, t0, t1, t2;
3396 
3397                 if (mod == 3) {
3398                     goto illegal_op;
3399                 }
3400                 a0 = s->A0;
3401                 t0 = s->T0;
3402                 label1 = gen_new_label();
3403 
3404                 gen_set_label(label1);
3405                 t1 = tcg_temp_new();
3406                 t2 = tcg_temp_new();
3407                 tcg_gen_mov_tl(t2, t0);
3408                 tcg_gen_neg_tl(t1, t0);
3409                 tcg_gen_atomic_cmpxchg_tl(t0, a0, t0, t1,
3410                                           s->mem_index, ot | MO_LE);
3411                 tcg_gen_brcond_tl(TCG_COND_NE, t0, t2, label1);
3412 
3413                 tcg_gen_neg_tl(s->T0, t0);
3414             } else {
3415                 tcg_gen_neg_tl(s->T0, s->T0);
3416                 if (mod != 3) {
3417                     gen_op_st_v(s, ot, s->T0, s->A0);
3418                 } else {
3419                     gen_op_mov_reg_v(s, ot, rm, s->T0);
3420                 }
3421             }
3422             gen_op_update_neg_cc(s);
3423             set_cc_op(s, CC_OP_SUBB + ot);
3424             break;
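             /*
              * One-operand MUL leaves the double-width product in AX, DX:AX,
              * EDX:EAX or RDX:RAX.  cc_dst receives the low half and cc_src
              * the high part; with CC_OP_MUL*, CF and OF are then derived
              * from cc_src being non-zero, i.e. from the product not fitting
              * in the low half.
              */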
3425         case 4: /* mul */
3426             switch(ot) {
3427             case MO_8:
3428                 gen_op_mov_v_reg(s, MO_8, s->T1, R_EAX);
3429                 tcg_gen_ext8u_tl(s->T0, s->T0);
3430                 tcg_gen_ext8u_tl(s->T1, s->T1);
3431                 /* XXX: use 32 bit mul which could be faster */
3432                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3433                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3434                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3435                 tcg_gen_andi_tl(cpu_cc_src, s->T0, 0xff00);
3436                 set_cc_op(s, CC_OP_MULB);
3437                 break;
3438             case MO_16:
3439                 gen_op_mov_v_reg(s, MO_16, s->T1, R_EAX);
3440                 tcg_gen_ext16u_tl(s->T0, s->T0);
3441                 tcg_gen_ext16u_tl(s->T1, s->T1);
3442                 /* XXX: use 32 bit mul which could be faster */
3443                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3444                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3445                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3446                 tcg_gen_shri_tl(s->T0, s->T0, 16);
3447                 gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3448                 tcg_gen_mov_tl(cpu_cc_src, s->T0);
3449                 set_cc_op(s, CC_OP_MULW);
3450                 break;
3451             default:
3452             case MO_32:
3453                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3454                 tcg_gen_trunc_tl_i32(s->tmp3_i32, cpu_regs[R_EAX]);
3455                 tcg_gen_mulu2_i32(s->tmp2_i32, s->tmp3_i32,
3456                                   s->tmp2_i32, s->tmp3_i32);
3457                 tcg_gen_extu_i32_tl(cpu_regs[R_EAX], s->tmp2_i32);
3458                 tcg_gen_extu_i32_tl(cpu_regs[R_EDX], s->tmp3_i32);
3459                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3460                 tcg_gen_mov_tl(cpu_cc_src, cpu_regs[R_EDX]);
3461                 set_cc_op(s, CC_OP_MULL);
3462                 break;
3463 #ifdef TARGET_X86_64
3464             case MO_64:
3465                 tcg_gen_mulu2_i64(cpu_regs[R_EAX], cpu_regs[R_EDX],
3466                                   s->T0, cpu_regs[R_EAX]);
3467                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3468                 tcg_gen_mov_tl(cpu_cc_src, cpu_regs[R_EDX]);
3469                 set_cc_op(s, CC_OP_MULQ);
3470                 break;
3471 #endif
3472             }
3473             break;
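             /*
              * For IMUL the overflow condition differs: cc_src is set to the
              * difference between the full product and the sign-extension of
              * its low half, which is non-zero exactly when the signed result
              * does not fit, so the same CC_OP_MUL* flag handling covers the
              * signed case as well.
              */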
3474         case 5: /* imul */
3475             switch(ot) {
3476             case MO_8:
3477                 gen_op_mov_v_reg(s, MO_8, s->T1, R_EAX);
3478                 tcg_gen_ext8s_tl(s->T0, s->T0);
3479                 tcg_gen_ext8s_tl(s->T1, s->T1);
3480                 /* XXX: use 32 bit mul which could be faster */
3481                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3482                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3483                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3484                 tcg_gen_ext8s_tl(s->tmp0, s->T0);
3485                 tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
3486                 set_cc_op(s, CC_OP_MULB);
3487                 break;
3488             case MO_16:
3489                 gen_op_mov_v_reg(s, MO_16, s->T1, R_EAX);
3490                 tcg_gen_ext16s_tl(s->T0, s->T0);
3491                 tcg_gen_ext16s_tl(s->T1, s->T1);
3492                 /* XXX: use 32 bit mul which could be faster */
3493                 tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3494                 gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3495                 tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3496                 tcg_gen_ext16s_tl(s->tmp0, s->T0);
3497                 tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
3498                 tcg_gen_shri_tl(s->T0, s->T0, 16);
3499                 gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3500                 set_cc_op(s, CC_OP_MULW);
3501                 break;
3502             default:
3503             case MO_32:
3504                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3505                 tcg_gen_trunc_tl_i32(s->tmp3_i32, cpu_regs[R_EAX]);
3506                 tcg_gen_muls2_i32(s->tmp2_i32, s->tmp3_i32,
3507                                   s->tmp2_i32, s->tmp3_i32);
3508                 tcg_gen_extu_i32_tl(cpu_regs[R_EAX], s->tmp2_i32);
3509                 tcg_gen_extu_i32_tl(cpu_regs[R_EDX], s->tmp3_i32);
3510                 tcg_gen_sari_i32(s->tmp2_i32, s->tmp2_i32, 31);
3511                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3512                 tcg_gen_sub_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
3513                 tcg_gen_extu_i32_tl(cpu_cc_src, s->tmp2_i32);
3514                 set_cc_op(s, CC_OP_MULL);
3515                 break;
3516 #ifdef TARGET_X86_64
3517             case MO_64:
3518                 tcg_gen_muls2_i64(cpu_regs[R_EAX], cpu_regs[R_EDX],
3519                                   s->T0, cpu_regs[R_EAX]);
3520                 tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[R_EAX]);
3521                 tcg_gen_sari_tl(cpu_cc_src, cpu_regs[R_EAX], 63);
3522                 tcg_gen_sub_tl(cpu_cc_src, cpu_cc_src, cpu_regs[R_EDX]);
3523                 set_cc_op(s, CC_OP_MULQ);
3524                 break;
3525 #endif
3526             }
3527             break;
3528         case 6: /* div */
3529             switch(ot) {
3530             case MO_8:
3531                 gen_helper_divb_AL(cpu_env, s->T0);
3532                 break;
3533             case MO_16:
3534                 gen_helper_divw_AX(cpu_env, s->T0);
3535                 break;
3536             default:
3537             case MO_32:
3538                 gen_helper_divl_EAX(cpu_env, s->T0);
3539                 break;
3540 #ifdef TARGET_X86_64
3541             case MO_64:
3542                 gen_helper_divq_EAX(cpu_env, s->T0);
3543                 break;
3544 #endif
3545             }
3546             break;
3547         case 7: /* idiv */
3548             switch(ot) {
3549             case MO_8:
3550                 gen_helper_idivb_AL(cpu_env, s->T0);
3551                 break;
3552             case MO_16:
3553                 gen_helper_idivw_AX(cpu_env, s->T0);
3554                 break;
3555             default:
3556             case MO_32:
3557                 gen_helper_idivl_EAX(cpu_env, s->T0);
3558                 break;
3559 #ifdef TARGET_X86_64
3560             case MO_64:
3561                 gen_helper_idivq_EAX(cpu_env, s->T0);
3562                 break;
3563 #endif
3564             }
3565             break;
3566         default:
3567             goto unknown_op;
3568         }
3569         break;
3570 
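         /*
          * Group 4 (0xfe) defines only inc/dec; Group 5 (0xff) adds indirect
          * near/far call and jump plus push.  In 64-bit mode near branches
          * force a 64-bit operand and push uses the stack default, which is
          * fixed up below before the operand is loaded.
          */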
3571     case 0xfe: /* GRP4 */
3572     case 0xff: /* GRP5 */
3573         ot = mo_b_d(b, dflag);
3574 
3575         modrm = x86_ldub_code(env, s);
3576         mod = (modrm >> 6) & 3;
3577         rm = (modrm & 7) | REX_B(s);
3578         op = (modrm >> 3) & 7;
3579         if (op >= 2 && b == 0xfe) {
3580             goto unknown_op;
3581         }
3582         if (CODE64(s)) {
3583             if (op == 2 || op == 4) {
3584                 /* operand size for jumps is 64 bit */
3585                 ot = MO_64;
3586             } else if (op == 3 || op == 5) {
3587                 ot = dflag != MO_16 ? MO_32 + REX_W(s) : MO_16;
3588             } else if (op == 6) {
3589                 /* default push size is 64 bit */
3590                 ot = mo_pushpop(s, dflag);
3591             }
3592         }
3593         if (mod != 3) {
3594             gen_lea_modrm(env, s, modrm);
3595             if (op >= 2 && op != 3 && op != 5)
3596                 gen_op_ld_v(s, ot, s->T0, s->A0);
3597         } else {
3598             gen_op_mov_v_reg(s, ot, s->T0, rm);
3599         }
3600 
3601         switch(op) {
3602         case 0: /* inc Ev */
3603             if (mod != 3)
3604                 opreg = OR_TMP0;
3605             else
3606                 opreg = rm;
3607             gen_inc(s, ot, opreg, 1);
3608             break;
3609         case 1: /* dec Ev */
3610             if (mod != 3)
3611                 opreg = OR_TMP0;
3612             else
3613                 opreg = rm;
3614             gen_inc(s, ot, opreg, -1);
3615             break;
3616         case 2: /* call Ev */
3617             /* XXX: optimize the memory case (the 'and' is not necessary) */
3618             if (dflag == MO_16) {
3619                 tcg_gen_ext16u_tl(s->T0, s->T0);
3620             }
3621             gen_push_v(s, eip_next_tl(s));
3622             gen_op_jmp_v(s, s->T0);
3623             gen_bnd_jmp(s);
3624             s->base.is_jmp = DISAS_JUMP;
3625             break;
3626         case 3: /* lcall Ev */
3627             if (mod == 3) {
3628                 goto illegal_op;
3629             }
3630             gen_op_ld_v(s, ot, s->T1, s->A0);
3631             gen_add_A0_im(s, 1 << ot);
3632             gen_op_ld_v(s, MO_16, s->T0, s->A0);
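                 /*
                  * Here T1 holds the new EIP and T0 the new CS selector.  In
                  * protected mode the helper performs the gate and privilege
                  * checks; in real and VM86 mode a plain far call is emitted.
                  */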
3633         do_lcall:
3634             if (PE(s) && !VM86(s)) {
3635                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3636                 gen_helper_lcall_protected(cpu_env, s->tmp2_i32, s->T1,
3637                                            tcg_constant_i32(dflag - 1),
3638                                            eip_next_tl(s));
3639             } else {
3640                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3641                 tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
3642                 gen_helper_lcall_real(cpu_env, s->tmp2_i32, s->tmp3_i32,
3643                                       tcg_constant_i32(dflag - 1),
3644                                       eip_next_i32(s));
3645             }
3646             s->base.is_jmp = DISAS_JUMP;
3647             break;
3648         case 4: /* jmp Ev */
3649             if (dflag == MO_16) {
3650                 tcg_gen_ext16u_tl(s->T0, s->T0);
3651             }
3652             gen_op_jmp_v(s, s->T0);
3653             gen_bnd_jmp(s);
3654             s->base.is_jmp = DISAS_JUMP;
3655             break;
3656         case 5: /* ljmp Ev */
3657             if (mod == 3) {
3658                 goto illegal_op;
3659             }
3660             gen_op_ld_v(s, ot, s->T1, s->A0);
3661             gen_add_A0_im(s, 1 << ot);
3662             gen_op_ld_v(s, MO_16, s->T0, s->A0);
3663         do_ljmp:
3664             if (PE(s) && !VM86(s)) {
3665                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3666                 gen_helper_ljmp_protected(cpu_env, s->tmp2_i32, s->T1,
3667                                           eip_next_tl(s));
3668             } else {
3669                 gen_op_movl_seg_T0_vm(s, R_CS);
3670                 gen_op_jmp_v(s, s->T1);
3671             }
3672             s->base.is_jmp = DISAS_JUMP;
3673             break;
3674         case 6: /* push Ev */
3675             gen_push_v(s, s->T0);
3676             break;
3677         default:
3678             goto unknown_op;
3679         }
3680         break;
3681 
3682     case 0x84: /* test Ev, Gv */
3683     case 0x85:
3684         ot = mo_b_d(b, dflag);
3685 
3686         modrm = x86_ldub_code(env, s);
3687         reg = ((modrm >> 3) & 7) | REX_R(s);
3688 
3689         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
3690         gen_op_mov_v_reg(s, ot, s->T1, reg);
3691         gen_op_testl_T0_T1_cc(s);
3692         set_cc_op(s, CC_OP_LOGICB + ot);
3693         break;
3694 
3695     case 0xa8: /* test eAX, Iv */
3696     case 0xa9:
3697         ot = mo_b_d(b, dflag);
3698         val = insn_get(env, s, ot);
3699 
3700         gen_op_mov_v_reg(s, ot, s->T0, OR_EAX);
3701         tcg_gen_movi_tl(s->T1, val);
3702         gen_op_testl_T0_T1_cc(s);
3703         set_cc_op(s, CC_OP_LOGICB + ot);
3704         break;
3705 
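         /*
          * 0x98 sign-extends the low half of rAX in place (CBW, CWDE or CDQE
          * depending on the operand size); 0x99 below replicates the sign
          * bit of rAX into rDX (CWD, CDQ or CQO).
          */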
3706     case 0x98: /* CWDE/CBW */
3707         switch (dflag) {
3708 #ifdef TARGET_X86_64
3709         case MO_64:
3710             gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
3711             tcg_gen_ext32s_tl(s->T0, s->T0);
3712             gen_op_mov_reg_v(s, MO_64, R_EAX, s->T0);
3713             break;
3714 #endif
3715         case MO_32:
3716             gen_op_mov_v_reg(s, MO_16, s->T0, R_EAX);
3717             tcg_gen_ext16s_tl(s->T0, s->T0);
3718             gen_op_mov_reg_v(s, MO_32, R_EAX, s->T0);
3719             break;
3720         case MO_16:
3721             gen_op_mov_v_reg(s, MO_8, s->T0, R_EAX);
3722             tcg_gen_ext8s_tl(s->T0, s->T0);
3723             gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
3724             break;
3725         default:
3726             tcg_abort();
3727         }
3728         break;
3729     case 0x99: /* CDQ/CWD */
3730         switch (dflag) {
3731 #ifdef TARGET_X86_64
3732         case MO_64:
3733             gen_op_mov_v_reg(s, MO_64, s->T0, R_EAX);
3734             tcg_gen_sari_tl(s->T0, s->T0, 63);
3735             gen_op_mov_reg_v(s, MO_64, R_EDX, s->T0);
3736             break;
3737 #endif
3738         case MO_32:
3739             gen_op_mov_v_reg(s, MO_32, s->T0, R_EAX);
3740             tcg_gen_ext32s_tl(s->T0, s->T0);
3741             tcg_gen_sari_tl(s->T0, s->T0, 31);
3742             gen_op_mov_reg_v(s, MO_32, R_EDX, s->T0);
3743             break;
3744         case MO_16:
3745             gen_op_mov_v_reg(s, MO_16, s->T0, R_EAX);
3746             tcg_gen_ext16s_tl(s->T0, s->T0);
3747             tcg_gen_sari_tl(s->T0, s->T0, 15);
3748             gen_op_mov_reg_v(s, MO_16, R_EDX, s->T0);
3749             break;
3750         default:
3751             tcg_abort();
3752         }
3753         break;
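         /*
          * Two- and three-operand IMUL: 0x0f 0xaf is "imul Gv,Ev", 0x69
          * takes an immediate of operand size, and 0x6b ("6b /r ib") takes
          * a sign-extended 8-bit immediate.
          */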
3754     case 0x1af: /* imul Gv, Ev */
3755     case 0x69: /* imul Gv, Ev, I */
3756     case 0x6b:
3757         ot = dflag;
3758         modrm = x86_ldub_code(env, s);
3759         reg = ((modrm >> 3) & 7) | REX_R(s);
3760         if (b == 0x69)
3761             s->rip_offset = insn_const_size(ot);
3762         else if (b == 0x6b)
3763             s->rip_offset = 1;
3764         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
3765         if (b == 0x69) {
3766             val = insn_get(env, s, ot);
3767             tcg_gen_movi_tl(s->T1, val);
3768         } else if (b == 0x6b) {
3769             val = (int8_t)insn_get(env, s, MO_8);
3770             tcg_gen_movi_tl(s->T1, val);
3771         } else {
3772             gen_op_mov_v_reg(s, ot, s->T1, reg);
3773         }
3774         switch (ot) {
3775 #ifdef TARGET_X86_64
3776         case MO_64:
3777             tcg_gen_muls2_i64(cpu_regs[reg], s->T1, s->T0, s->T1);
3778             tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[reg]);
3779             tcg_gen_sari_tl(cpu_cc_src, cpu_cc_dst, 63);
3780             tcg_gen_sub_tl(cpu_cc_src, cpu_cc_src, s->T1);
3781             break;
3782 #endif
3783         case MO_32:
3784             tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
3785             tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
3786             tcg_gen_muls2_i32(s->tmp2_i32, s->tmp3_i32,
3787                               s->tmp2_i32, s->tmp3_i32);
3788             tcg_gen_extu_i32_tl(cpu_regs[reg], s->tmp2_i32);
3789             tcg_gen_sari_i32(s->tmp2_i32, s->tmp2_i32, 31);
3790             tcg_gen_mov_tl(cpu_cc_dst, cpu_regs[reg]);
3791             tcg_gen_sub_i32(s->tmp2_i32, s->tmp2_i32, s->tmp3_i32);
3792             tcg_gen_extu_i32_tl(cpu_cc_src, s->tmp2_i32);
3793             break;
3794         default:
3795             tcg_gen_ext16s_tl(s->T0, s->T0);
3796             tcg_gen_ext16s_tl(s->T1, s->T1);
3797             /* XXX: use 32 bit mul which could be faster */
3798             tcg_gen_mul_tl(s->T0, s->T0, s->T1);
3799             tcg_gen_mov_tl(cpu_cc_dst, s->T0);
3800             tcg_gen_ext16s_tl(s->tmp0, s->T0);
3801             tcg_gen_sub_tl(cpu_cc_src, s->T0, s->tmp0);
3802             gen_op_mov_reg_v(s, ot, reg, s->T0);
3803             break;
3804         }
3805         set_cc_op(s, CC_OP_MULB + ot);
3806         break;
3807     case 0x1c0:
3808     case 0x1c1: /* xadd Ev, Gv */
3809         ot = mo_b_d(b, dflag);
3810         modrm = x86_ldub_code(env, s);
3811         reg = ((modrm >> 3) & 7) | REX_R(s);
3812         mod = (modrm >> 6) & 3;
3813         gen_op_mov_v_reg(s, ot, s->T0, reg);
3814         if (mod == 3) {
3815             rm = (modrm & 7) | REX_B(s);
3816             gen_op_mov_v_reg(s, ot, s->T1, rm);
3817             tcg_gen_add_tl(s->T0, s->T0, s->T1);
3818             gen_op_mov_reg_v(s, ot, reg, s->T1);
3819             gen_op_mov_reg_v(s, ot, rm, s->T0);
3820         } else {
3821             gen_lea_modrm(env, s, modrm);
3822             if (s->prefix & PREFIX_LOCK) {
3823                 tcg_gen_atomic_fetch_add_tl(s->T1, s->A0, s->T0,
3824                                             s->mem_index, ot | MO_LE);
3825                 tcg_gen_add_tl(s->T0, s->T0, s->T1);
3826             } else {
3827                 gen_op_ld_v(s, ot, s->T1, s->A0);
3828                 tcg_gen_add_tl(s->T0, s->T0, s->T1);
3829                 gen_op_st_v(s, ot, s->T0, s->A0);
3830             }
3831             gen_op_mov_reg_v(s, ot, reg, s->T1);
3832         }
3833         gen_op_update2_cc(s);
3834         set_cc_op(s, CC_OP_ADDB + ot);
3835         break;
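         /*
          * CMPXCHG compares rAX with the destination: on a match the source
          * register is stored there, otherwise rAX receives the old value.
          * With a LOCK prefix the whole operation becomes a single atomic
          * cmpxchg; without it, the memory form still performs an
          * unconditional store cycle, as noted below.
          */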
3836     case 0x1b0:
3837     case 0x1b1: /* cmpxchg Ev, Gv */
3838         {
3839             TCGv oldv, newv, cmpv, dest;
3840 
3841             ot = mo_b_d(b, dflag);
3842             modrm = x86_ldub_code(env, s);
3843             reg = ((modrm >> 3) & 7) | REX_R(s);
3844             mod = (modrm >> 6) & 3;
3845             oldv = tcg_temp_new();
3846             newv = tcg_temp_new();
3847             cmpv = tcg_temp_new();
3848             gen_op_mov_v_reg(s, ot, newv, reg);
3849             tcg_gen_mov_tl(cmpv, cpu_regs[R_EAX]);
3850             gen_extu(ot, cmpv);
3851             if (s->prefix & PREFIX_LOCK) {
3852                 if (mod == 3) {
3853                     goto illegal_op;
3854                 }
3855                 gen_lea_modrm(env, s, modrm);
3856                 tcg_gen_atomic_cmpxchg_tl(oldv, s->A0, cmpv, newv,
3857                                           s->mem_index, ot | MO_LE);
3858             } else {
3859                 if (mod == 3) {
3860                     rm = (modrm & 7) | REX_B(s);
3861                     gen_op_mov_v_reg(s, ot, oldv, rm);
3862                     gen_extu(ot, oldv);
3863 
3864                     /*
3865                      * Unlike the memory case, where "the destination operand receives
3866                      * a write cycle without regard to the result of the comparison",
3867                      * rm must not be touched at all if the write fails, including
3868                      * not being zero-extended on 64-bit processors.  So, precompute
3869                      * the result of a successful writeback and perform the movcond
3870                      * directly on cpu_regs.  The accumulator must also be written
3871                      * first, in case rm is part of RAX too.
3872                      */
3873                     dest = gen_op_deposit_reg_v(s, ot, rm, newv, newv);
3874                     tcg_gen_movcond_tl(TCG_COND_EQ, dest, oldv, cmpv, newv, dest);
3875                 } else {
3876                     gen_lea_modrm(env, s, modrm);
3877                     gen_op_ld_v(s, ot, oldv, s->A0);
3878 
3879                     /*
3880                      * Perform an unconditional store cycle like a physical CPU;
3881                      * it must happen before the accumulator is changed, so that
3882                      * the operation is idempotent if the store faults and the
3883                      * instruction is restarted.
3884                      */
3885                     tcg_gen_movcond_tl(TCG_COND_EQ, newv, oldv, cmpv, newv, oldv);
3886                     gen_op_st_v(s, ot, newv, s->A0);
3887                 }
3888             }
3889             /*
3890              * Write EAX only if the cmpxchg fails; reuse newv as the
3891              * destination, since it's dead here.
3892              */
3893             dest = gen_op_deposit_reg_v(s, ot, R_EAX, newv, oldv);
3894             tcg_gen_movcond_tl(TCG_COND_EQ, dest, oldv, cmpv, dest, newv);
3895             tcg_gen_mov_tl(cpu_cc_src, oldv);
3896             tcg_gen_mov_tl(s->cc_srcT, cmpv);
3897             tcg_gen_sub_tl(cpu_cc_dst, cmpv, oldv);
3898             set_cc_op(s, CC_OP_SUBB + ot);
3899         }
3900         break;
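         /*
          * 0x0f 0xc7 is a group: /1 is CMPXCHG8B (CMPXCHG16B with REX.W),
          * gated on the CX8/CX16 CPUID bits, while /6 and /7 with a register
          * operand are RDRAND and RDSEED; at this revision both are emitted
          * through the rdrand helper.
          */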
3901     case 0x1c7: /* cmpxchg8b */
3902         modrm = x86_ldub_code(env, s);
3903         mod = (modrm >> 6) & 3;
3904         switch ((modrm >> 3) & 7) {
3905         case 1: /* CMPXCHG8, CMPXCHG16 */
3906             if (mod == 3) {
3907                 goto illegal_op;
3908             }
3909 #ifdef TARGET_X86_64
3910             if (dflag == MO_64) {
3911                 if (!(s->cpuid_ext_features & CPUID_EXT_CX16)) {
3912                     goto illegal_op;
3913                 }
3914                 gen_cmpxchg16b(s, env, modrm);
3915                 break;
3916             }
3917 #endif
3918             if (!(s->cpuid_features & CPUID_CX8)) {
3919                 goto illegal_op;
3920             }
3921             gen_cmpxchg8b(s, env, modrm);
3922             break;
3923 
3924         case 7: /* RDSEED */
3925         case 6: /* RDRAND */
3926             if (mod != 3 ||
3927                 (s->prefix & (PREFIX_LOCK | PREFIX_REPZ | PREFIX_REPNZ)) ||
3928                 !(s->cpuid_ext_features & CPUID_EXT_RDRAND)) {
3929                 goto illegal_op;
3930             }
3931             if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
3932                 gen_io_start();
3933                 s->base.is_jmp = DISAS_TOO_MANY;
3934             }
3935             gen_helper_rdrand(s->T0, cpu_env);
3936             rm = (modrm & 7) | REX_B(s);
3937             gen_op_mov_reg_v(s, dflag, rm, s->T0);
3938             set_cc_op(s, CC_OP_EFLAGS);
3939             break;
3940 
3941         default:
3942             goto illegal_op;
3943         }
3944         break;
3945 
3946         /**************************/
3947         /* push/pop */
3948     case 0x50 ... 0x57: /* push */
3949         gen_op_mov_v_reg(s, MO_32, s->T0, (b & 7) | REX_B(s));
3950         gen_push_v(s, s->T0);
3951         break;
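         /*
          * gen_pop_T0 only loads the value; gen_pop_update then adjusts rSP
          * before the destination register is written, so that "pop %sp"
          * ends up with the popped value rather than the incremented stack
          * pointer.
          */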
3952     case 0x58 ... 0x5f: /* pop */
3953         ot = gen_pop_T0(s);
3954         /* NOTE: order is important for pop %sp */
3955         gen_pop_update(s, ot);
3956         gen_op_mov_reg_v(s, ot, (b & 7) | REX_B(s), s->T0);
3957         break;
3958     case 0x60: /* pusha */
3959         if (CODE64(s))
3960             goto illegal_op;
3961         gen_pusha(s);
3962         break;
3963     case 0x61: /* popa */
3964         if (CODE64(s))
3965             goto illegal_op;
3966         gen_popa(s);
3967         break;
3968     case 0x68: /* push Iv */
3969     case 0x6a:
3970         ot = mo_pushpop(s, dflag);
3971         if (b == 0x68)
3972             val = insn_get(env, s, ot);
3973         else
3974             val = (int8_t)insn_get(env, s, MO_8);
3975         tcg_gen_movi_tl(s->T0, val);
3976         gen_push_v(s, s->T0);
3977         break;
3978     case 0x8f: /* pop Ev */
3979         modrm = x86_ldub_code(env, s);
3980         mod = (modrm >> 6) & 3;
3981         ot = gen_pop_T0(s);
3982         if (mod == 3) {
3983             /* NOTE: order is important for pop %sp */
3984             gen_pop_update(s, ot);
3985             rm = (modrm & 7) | REX_B(s);
3986             gen_op_mov_reg_v(s, ot, rm, s->T0);
3987         } else {
3988             /* NOTE: order is important too for MMU exceptions */
3989             s->popl_esp_hack = 1 << ot;
3990             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
3991             s->popl_esp_hack = 0;
3992             gen_pop_update(s, ot);
3993         }
3994         break;
3995     case 0xc8: /* enter */
3996         {
3997             int level;
3998             val = x86_lduw_code(env, s);
3999             level = x86_ldub_code(env, s);
4000             gen_enter(s, val, level);
4001         }
4002         break;
4003     case 0xc9: /* leave */
4004         gen_leave(s);
4005         break;
4006     case 0x06: /* push es */
4007     case 0x0e: /* push cs */
4008     case 0x16: /* push ss */
4009     case 0x1e: /* push ds */
4010         if (CODE64(s))
4011             goto illegal_op;
4012         gen_op_movl_T0_seg(s, b >> 3);
4013         gen_push_v(s, s->T0);
4014         break;
4015     case 0x1a0: /* push fs */
4016     case 0x1a8: /* push gs */
4017         gen_op_movl_T0_seg(s, (b >> 3) & 7);
4018         gen_push_v(s, s->T0);
4019         break;
4020     case 0x07: /* pop es */
4021     case 0x17: /* pop ss */
4022     case 0x1f: /* pop ds */
4023         if (CODE64(s))
4024             goto illegal_op;
4025         reg = b >> 3;
4026         ot = gen_pop_T0(s);
4027         gen_movl_seg_T0(s, reg);
4028         gen_pop_update(s, ot);
4029         break;
4030     case 0x1a1: /* pop fs */
4031     case 0x1a9: /* pop gs */
4032         ot = gen_pop_T0(s);
4033         gen_movl_seg_T0(s, (b >> 3) & 7);
4034         gen_pop_update(s, ot);
4035         break;
4036 
4037         /**************************/
4038         /* mov */
4039     case 0x88:
4040     case 0x89: /* mov Gv, Ev */
4041         ot = mo_b_d(b, dflag);
4042         modrm = x86_ldub_code(env, s);
4043         reg = ((modrm >> 3) & 7) | REX_R(s);
4044 
4045         /* generate a generic store */
4046         gen_ldst_modrm(env, s, modrm, ot, reg, 1);
4047         break;
4048     case 0xc6:
4049     case 0xc7: /* mov Ev, Iv */
4050         ot = mo_b_d(b, dflag);
4051         modrm = x86_ldub_code(env, s);
4052         mod = (modrm >> 6) & 3;
4053         if (mod != 3) {
4054             s->rip_offset = insn_const_size(ot);
4055             gen_lea_modrm(env, s, modrm);
4056         }
4057         val = insn_get(env, s, ot);
4058         tcg_gen_movi_tl(s->T0, val);
4059         if (mod != 3) {
4060             gen_op_st_v(s, ot, s->T0, s->A0);
4061         } else {
4062             gen_op_mov_reg_v(s, ot, (modrm & 7) | REX_B(s), s->T0);
4063         }
4064         break;
4065     case 0x8a:
4066     case 0x8b: /* mov Ev, Gv */
4067         ot = mo_b_d(b, dflag);
4068         modrm = x86_ldub_code(env, s);
4069         reg = ((modrm >> 3) & 7) | REX_R(s);
4070 
4071         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
4072         gen_op_mov_reg_v(s, ot, reg, s->T0);
4073         break;
4074     case 0x8e: /* mov seg, Gv */
4075         modrm = x86_ldub_code(env, s);
4076         reg = (modrm >> 3) & 7;
4077         if (reg >= 6 || reg == R_CS)
4078             goto illegal_op;
4079         gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
4080         gen_movl_seg_T0(s, reg);
4081         break;
4082     case 0x8c: /* mov Gv, seg */
4083         modrm = x86_ldub_code(env, s);
4084         reg = (modrm >> 3) & 7;
4085         mod = (modrm >> 6) & 3;
4086         if (reg >= 6)
4087             goto illegal_op;
4088         gen_op_movl_T0_seg(s, reg);
4089         ot = mod == 3 ? dflag : MO_16;
4090         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
4091         break;
4092 
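         /*
          * movzx/movsx: bit 0 of the opcode selects a byte or word source
          * and bit 3 selects sign extension.  Without a REX prefix, byte
          * registers 4-7 are AH/CH/DH/BH, hence the special case below that
          * extracts bits 15:8 of the underlying register.
          */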
4093     case 0x1b6: /* movzbS Gv, Eb */
4094     case 0x1b7: /* movzwS Gv, Eb */
4095     case 0x1be: /* movsbS Gv, Eb */
4096     case 0x1bf: /* movswS Gv, Eb */
4097         {
4098             MemOp d_ot;
4099             MemOp s_ot;
4100 
4101             /* d_ot is the size of destination */
4102             d_ot = dflag;
4103             /* ot is the size of source */
4104             ot = (b & 1) + MO_8;
4105             /* s_ot is the sign+size of source */
4106             s_ot = b & 8 ? MO_SIGN | ot : ot;
4107 
4108             modrm = x86_ldub_code(env, s);
4109             reg = ((modrm >> 3) & 7) | REX_R(s);
4110             mod = (modrm >> 6) & 3;
4111             rm = (modrm & 7) | REX_B(s);
4112 
4113             if (mod == 3) {
4114                 if (s_ot == MO_SB && byte_reg_is_xH(s, rm)) {
4115                     tcg_gen_sextract_tl(s->T0, cpu_regs[rm - 4], 8, 8);
4116                 } else {
4117                     gen_op_mov_v_reg(s, ot, s->T0, rm);
4118                     switch (s_ot) {
4119                     case MO_UB:
4120                         tcg_gen_ext8u_tl(s->T0, s->T0);
4121                         break;
4122                     case MO_SB:
4123                         tcg_gen_ext8s_tl(s->T0, s->T0);
4124                         break;
4125                     case MO_UW:
4126                         tcg_gen_ext16u_tl(s->T0, s->T0);
4127                         break;
4128                     default:
4129                     case MO_SW:
4130                         tcg_gen_ext16s_tl(s->T0, s->T0);
4131                         break;
4132                     }
4133                 }
4134                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
4135             } else {
4136                 gen_lea_modrm(env, s, modrm);
4137                 gen_op_ld_v(s, s_ot, s->T0, s->A0);
4138                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
4139             }
4140         }
4141         break;
4142 
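         /*
          * lea reuses the ModRM effective-address computation but passes
          * seg_reg == -1 so no segment base is added, and never accesses
          * memory; the address is simply copied into the destination.
          */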
4143     case 0x8d: /* lea */
4144         modrm = x86_ldub_code(env, s);
4145         mod = (modrm >> 6) & 3;
4146         if (mod == 3)
4147             goto illegal_op;
4148         reg = ((modrm >> 3) & 7) | REX_R(s);
4149         {
4150             AddressParts a = gen_lea_modrm_0(env, s, modrm);
4151             TCGv ea = gen_lea_modrm_1(s, a, false);
4152             gen_lea_v_seg(s, s->aflag, ea, -1, -1);
4153             gen_op_mov_reg_v(s, dflag, reg, s->A0);
4154         }
4155         break;
4156 
4157     case 0xa0: /* mov EAX, Ov */
4158     case 0xa1:
4159     case 0xa2: /* mov Ov, EAX */
4160     case 0xa3:
4161         {
4162             target_ulong offset_addr;
4163 
4164             ot = mo_b_d(b, dflag);
4165             offset_addr = insn_get_addr(env, s, s->aflag);
4166             tcg_gen_movi_tl(s->A0, offset_addr);
4167             gen_add_A0_ds_seg(s);
4168             if ((b & 2) == 0) {
4169                 gen_op_ld_v(s, ot, s->T0, s->A0);
4170                 gen_op_mov_reg_v(s, ot, R_EAX, s->T0);
4171             } else {
4172                 gen_op_mov_v_reg(s, ot, s->T0, R_EAX);
4173                 gen_op_st_v(s, ot, s->T0, s->A0);
4174             }
4175         }
4176         break;
4177     case 0xd7: /* xlat */
4178         tcg_gen_mov_tl(s->A0, cpu_regs[R_EBX]);
4179         tcg_gen_ext8u_tl(s->T0, cpu_regs[R_EAX]);
4180         tcg_gen_add_tl(s->A0, s->A0, s->T0);
4181         gen_extu(s->aflag, s->A0);
4182         gen_add_A0_ds_seg(s);
4183         gen_op_ld_v(s, MO_8, s->T0, s->A0);
4184         gen_op_mov_reg_v(s, MO_8, R_EAX, s->T0);
4185         break;
4186     case 0xb0 ... 0xb7: /* mov R, Ib */
4187         val = insn_get(env, s, MO_8);
4188         tcg_gen_movi_tl(s->T0, val);
4189         gen_op_mov_reg_v(s, MO_8, (b & 7) | REX_B(s), s->T0);
4190         break;
4191     case 0xb8 ... 0xbf: /* mov R, Iv */
4192 #ifdef TARGET_X86_64
4193         if (dflag == MO_64) {
4194             uint64_t tmp;
4195             /* 64 bit case */
4196             tmp = x86_ldq_code(env, s);
4197             reg = (b & 7) | REX_B(s);
4198             tcg_gen_movi_tl(s->T0, tmp);
4199             gen_op_mov_reg_v(s, MO_64, reg, s->T0);
4200         } else
4201 #endif
4202         {
4203             ot = dflag;
4204             val = insn_get(env, s, ot);
4205             reg = (b & 7) | REX_B(s);
4206             tcg_gen_movi_tl(s->T0, val);
4207             gen_op_mov_reg_v(s, ot, reg, s->T0);
4208         }
4209         break;
4210 
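         /*
          * 0x90 (xchg eAX,eAX) is NOP and is handled elsewhere.  For the
          * memory form further down, the exchange is implicitly locked on
          * x86, so it is emitted as an atomic xchg even without a LOCK
          * prefix.
          */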
4211     case 0x91 ... 0x97: /* xchg R, EAX */
4212     do_xchg_reg_eax:
4213         ot = dflag;
4214         reg = (b & 7) | REX_B(s);
4215         rm = R_EAX;
4216         goto do_xchg_reg;
4217     case 0x86:
4218     case 0x87: /* xchg Ev, Gv */
4219         ot = mo_b_d(b, dflag);
4220         modrm = x86_ldub_code(env, s);
4221         reg = ((modrm >> 3) & 7) | REX_R(s);
4222         mod = (modrm >> 6) & 3;
4223         if (mod == 3) {
4224             rm = (modrm & 7) | REX_B(s);
4225         do_xchg_reg:
4226             gen_op_mov_v_reg(s, ot, s->T0, reg);
4227             gen_op_mov_v_reg(s, ot, s->T1, rm);
4228             gen_op_mov_reg_v(s, ot, rm, s->T0);
4229             gen_op_mov_reg_v(s, ot, reg, s->T1);
4230         } else {
4231             gen_lea_modrm(env, s, modrm);
4232             gen_op_mov_v_reg(s, ot, s->T0, reg);
4233             /* for xchg, lock is implicit */
4234             tcg_gen_atomic_xchg_tl(s->T1, s->A0, s->T0,
4235                                    s->mem_index, ot | MO_LE);
4236             gen_op_mov_reg_v(s, ot, reg, s->T1);
4237         }
4238         break;
4239     case 0xc4: /* les Gv */
4240         /* In CODE64 this is VEX3; see above.  */
4241         op = R_ES;
4242         goto do_lxx;
4243     case 0xc5: /* lds Gv */
4244         /* In CODE64 this is VEX2; see above.  */
4245         op = R_DS;
4246         goto do_lxx;
4247     case 0x1b2: /* lss Gv */
4248         op = R_SS;
4249         goto do_lxx;
4250     case 0x1b4: /* lfs Gv */
4251         op = R_FS;
4252         goto do_lxx;
4253     case 0x1b5: /* lgs Gv */
4254         op = R_GS;
4255     do_lxx:
4256         ot = dflag != MO_16 ? MO_32 : MO_16;
4257         modrm = x86_ldub_code(env, s);
4258         reg = ((modrm >> 3) & 7) | REX_R(s);
4259         mod = (modrm >> 6) & 3;
4260         if (mod == 3)
4261             goto illegal_op;
4262         gen_lea_modrm(env, s, modrm);
4263         gen_op_ld_v(s, ot, s->T1, s->A0);
4264         gen_add_A0_im(s, 1 << ot);
4265         /* load the segment first to handle exceptions properly */
4266         gen_op_ld_v(s, MO_16, s->T0, s->A0);
4267         gen_movl_seg_T0(s, op);
4268         /* then put the data */
4269         gen_op_mov_reg_v(s, ot, reg, s->T1);
4270         break;
4271 
4272         /************************/
4273         /* shifts */
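         /*
          * Group 2 shifts: "shift" encodes where the count comes from
          * (2 = an immediate byte, 1 = the constant 1, 0 = the CL register)
          * and bits 5:3 of ModRM select rol/ror/rcl/rcr/shl/shr/sal/sar.
          */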
4274     case 0xc0:
4275     case 0xc1:
4276         /* shift Ev,Ib */
4277         shift = 2;
4278     grp2:
4279         {
4280             ot = mo_b_d(b, dflag);
4281             modrm = x86_ldub_code(env, s);
4282             mod = (modrm >> 6) & 3;
4283             op = (modrm >> 3) & 7;
4284 
4285             if (mod != 3) {
4286                 if (shift == 2) {
4287                     s->rip_offset = 1;
4288                 }
4289                 gen_lea_modrm(env, s, modrm);
4290                 opreg = OR_TMP0;
4291             } else {
4292                 opreg = (modrm & 7) | REX_B(s);
4293             }
4294 
4295             /* simpler op */
4296             if (shift == 0) {
4297                 gen_shift(s, op, ot, opreg, OR_ECX);
4298             } else {
4299                 if (shift == 2) {
4300                     shift = x86_ldub_code(env, s);
4301                 }
4302                 gen_shifti(s, op, ot, opreg, shift);
4303             }
4304         }
4305         break;
4306     case 0xd0:
4307     case 0xd1:
4308         /* shift Ev,1 */
4309         shift = 1;
4310         goto grp2;
4311     case 0xd2:
4312     case 0xd3:
4313         /* shift Ev,cl */
4314         shift = 0;
4315         goto grp2;
4316 
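         /*
          * shld/shrd shift a double-width value formed from the destination
          * and a second register; op selects the direction (0 = shld,
          * 1 = shrd) and "shift" again distinguishes an immediate count
          * from CL.
          */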
4317     case 0x1a4: /* shld imm */
4318         op = 0;
4319         shift = 1;
4320         goto do_shiftd;
4321     case 0x1a5: /* shld cl */
4322         op = 0;
4323         shift = 0;
4324         goto do_shiftd;
4325     case 0x1ac: /* shrd imm */
4326         op = 1;
4327         shift = 1;
4328         goto do_shiftd;
4329     case 0x1ad: /* shrd cl */
4330         op = 1;
4331         shift = 0;
4332     do_shiftd:
4333         ot = dflag;
4334         modrm = x86_ldub_code(env, s);
4335         mod = (modrm >> 6) & 3;
4336         rm = (modrm & 7) | REX_B(s);
4337         reg = ((modrm >> 3) & 7) | REX_R(s);
4338         if (mod != 3) {
4339             gen_lea_modrm(env, s, modrm);
4340             opreg = OR_TMP0;
4341         } else {
4342             opreg = rm;
4343         }
4344         gen_op_mov_v_reg(s, ot, s->T1, reg);
4345 
4346         if (shift) {
4347             TCGv imm = tcg_const_tl(x86_ldub_code(env, s));
4348             gen_shiftd_rm_T1(s, ot, opreg, op, imm);
4349         } else {
4350             gen_shiftd_rm_T1(s, ot, opreg, op, cpu_regs[R_ECX]);
4351         }
4352         break;
4353 
4354         /************************/
4355         /* floats */
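         /*
          * x87: the low three opcode bits and the ModRM reg field are packed
          * into a single 6-bit index, op = ((b & 7) << 3) | reg, so e.g.
          * 0xd9 /5 becomes op 0x0d; memory and register forms are then
          * dispatched separately.
          */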
4356     case 0xd8 ... 0xdf:
4357         {
4358             bool update_fip = true;
4359 
4360             if (s->flags & (HF_EM_MASK | HF_TS_MASK)) {
4361                 /* if CR0.EM or CR0.TS is set, generate an FPU exception */
4362                 /* XXX: what should be done on an illegal op? */
4363                 gen_exception(s, EXCP07_PREX);
4364                 break;
4365             }
4366             modrm = x86_ldub_code(env, s);
4367             mod = (modrm >> 6) & 3;
4368             rm = modrm & 7;
4369             op = ((b & 7) << 3) | ((modrm >> 3) & 7);
4370             if (mod != 3) {
4371                 /* memory op */
4372                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
4373                 TCGv ea = gen_lea_modrm_1(s, a, false);
4374                 TCGv last_addr = tcg_temp_new();
4375                 bool update_fdp = true;
4376 
4377                 tcg_gen_mov_tl(last_addr, ea);
4378                 gen_lea_v_seg(s, s->aflag, ea, a.def_seg, s->override);
4379 
4380                 switch (op) {
4381                 case 0x00 ... 0x07: /* fxxxs */
4382                 case 0x10 ... 0x17: /* fixxxl */
4383                 case 0x20 ... 0x27: /* fxxxl */
4384                 case 0x30 ... 0x37: /* fixxx */
4385                     {
4386                         int op1;
4387                         op1 = op & 7;
4388 
4389                         switch (op >> 4) {
4390                         case 0:
4391                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4392                                                 s->mem_index, MO_LEUL);
4393                             gen_helper_flds_FT0(cpu_env, s->tmp2_i32);
4394                             break;
4395                         case 1:
4396                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4397                                                 s->mem_index, MO_LEUL);
4398                             gen_helper_fildl_FT0(cpu_env, s->tmp2_i32);
4399                             break;
4400                         case 2:
4401                             tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4402                                                 s->mem_index, MO_LEUQ);
4403                             gen_helper_fldl_FT0(cpu_env, s->tmp1_i64);
4404                             break;
4405                         case 3:
4406                         default:
4407                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4408                                                 s->mem_index, MO_LESW);
4409                             gen_helper_fildl_FT0(cpu_env, s->tmp2_i32);
4410                             break;
4411                         }
4412 
4413                         gen_helper_fp_arith_ST0_FT0(op1);
4414                         if (op1 == 3) {
4415                             /* fcomp needs pop */
4416                             gen_helper_fpop(cpu_env);
4417                         }
4418                     }
4419                     break;
4420                 case 0x08: /* flds */
4421                 case 0x0a: /* fsts */
4422                 case 0x0b: /* fstps */
4423                 case 0x18 ... 0x1b: /* fildl, fisttpl, fistl, fistpl */
4424                 case 0x28 ... 0x2b: /* fldl, fisttpll, fstl, fstpl */
4425                 case 0x38 ... 0x3b: /* filds, fisttps, fists, fistps */
4426                     switch (op & 7) {
4427                     case 0:
4428                         switch (op >> 4) {
4429                         case 0:
4430                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4431                                                 s->mem_index, MO_LEUL);
4432                             gen_helper_flds_ST0(cpu_env, s->tmp2_i32);
4433                             break;
4434                         case 1:
4435                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4436                                                 s->mem_index, MO_LEUL);
4437                             gen_helper_fildl_ST0(cpu_env, s->tmp2_i32);
4438                             break;
4439                         case 2:
4440                             tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4441                                                 s->mem_index, MO_LEUQ);
4442                             gen_helper_fldl_ST0(cpu_env, s->tmp1_i64);
4443                             break;
4444                         case 3:
4445                         default:
4446                             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4447                                                 s->mem_index, MO_LESW);
4448                             gen_helper_fildl_ST0(cpu_env, s->tmp2_i32);
4449                             break;
4450                         }
4451                         break;
4452                     case 1:
4453                         /* XXX: the corresponding CPUID bit must be tested! */
4454                         switch (op >> 4) {
4455                         case 1:
4456                             gen_helper_fisttl_ST0(s->tmp2_i32, cpu_env);
4457                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4458                                                 s->mem_index, MO_LEUL);
4459                             break;
4460                         case 2:
4461                             gen_helper_fisttll_ST0(s->tmp1_i64, cpu_env);
4462                             tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4463                                                 s->mem_index, MO_LEUQ);
4464                             break;
4465                         case 3:
4466                         default:
4467                             gen_helper_fistt_ST0(s->tmp2_i32, cpu_env);
4468                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4469                                                 s->mem_index, MO_LEUW);
4470                             break;
4471                         }
4472                         gen_helper_fpop(cpu_env);
4473                         break;
4474                     default:
4475                         switch (op >> 4) {
4476                         case 0:
4477                             gen_helper_fsts_ST0(s->tmp2_i32, cpu_env);
4478                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4479                                                 s->mem_index, MO_LEUL);
4480                             break;
4481                         case 1:
4482                             gen_helper_fistl_ST0(s->tmp2_i32, cpu_env);
4483                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4484                                                 s->mem_index, MO_LEUL);
4485                             break;
4486                         case 2:
4487                             gen_helper_fstl_ST0(s->tmp1_i64, cpu_env);
4488                             tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4489                                                 s->mem_index, MO_LEUQ);
4490                             break;
4491                         case 3:
4492                         default:
4493                             gen_helper_fist_ST0(s->tmp2_i32, cpu_env);
4494                             tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4495                                                 s->mem_index, MO_LEUW);
4496                             break;
4497                         }
4498                         if ((op & 7) == 3) {
4499                             gen_helper_fpop(cpu_env);
4500                         }
4501                         break;
4502                     }
4503                     break;
4504                 case 0x0c: /* fldenv mem */
4505                     gen_helper_fldenv(cpu_env, s->A0,
4506                                       tcg_const_i32(dflag - 1));
4507                     update_fip = update_fdp = false;
4508                     break;
4509                 case 0x0d: /* fldcw mem */
4510                     tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0,
4511                                         s->mem_index, MO_LEUW);
4512                     gen_helper_fldcw(cpu_env, s->tmp2_i32);
4513                     update_fip = update_fdp = false;
4514                     break;
4515                 case 0x0e: /* fnstenv mem */
4516                     gen_helper_fstenv(cpu_env, s->A0,
4517                                       tcg_const_i32(dflag - 1));
4518                     update_fip = update_fdp = false;
4519                     break;
4520                 case 0x0f: /* fnstcw mem */
4521                     gen_helper_fnstcw(s->tmp2_i32, cpu_env);
4522                     tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4523                                         s->mem_index, MO_LEUW);
4524                     update_fip = update_fdp = false;
4525                     break;
4526                 case 0x1d: /* fldt mem */
4527                     gen_helper_fldt_ST0(cpu_env, s->A0);
4528                     break;
4529                 case 0x1f: /* fstpt mem */
4530                     gen_helper_fstt_ST0(cpu_env, s->A0);
4531                     gen_helper_fpop(cpu_env);
4532                     break;
4533                 case 0x2c: /* frstor mem */
4534                     gen_helper_frstor(cpu_env, s->A0,
4535                                       tcg_const_i32(dflag - 1));
4536                     update_fip = update_fdp = false;
4537                     break;
4538                 case 0x2e: /* fnsave mem */
4539                     gen_helper_fsave(cpu_env, s->A0,
4540                                      tcg_const_i32(dflag - 1));
4541                     update_fip = update_fdp = false;
4542                     break;
4543                 case 0x2f: /* fnstsw mem */
4544                     gen_helper_fnstsw(s->tmp2_i32, cpu_env);
4545                     tcg_gen_qemu_st_i32(s->tmp2_i32, s->A0,
4546                                         s->mem_index, MO_LEUW);
4547                     update_fip = update_fdp = false;
4548                     break;
4549                 case 0x3c: /* fbld */
4550                     gen_helper_fbld_ST0(cpu_env, s->A0);
4551                     break;
4552                 case 0x3e: /* fbstp */
4553                     gen_helper_fbst_ST0(cpu_env, s->A0);
4554                     gen_helper_fpop(cpu_env);
4555                     break;
4556                 case 0x3d: /* fildll */
4557                     tcg_gen_qemu_ld_i64(s->tmp1_i64, s->A0,
4558                                         s->mem_index, MO_LEUQ);
4559                     gen_helper_fildll_ST0(cpu_env, s->tmp1_i64);
4560                     break;
4561                 case 0x3f: /* fistpll */
4562                     gen_helper_fistll_ST0(s->tmp1_i64, cpu_env);
4563                     tcg_gen_qemu_st_i64(s->tmp1_i64, s->A0,
4564                                         s->mem_index, MO_LEUQ);
4565                     gen_helper_fpop(cpu_env);
4566                     break;
4567                 default:
4568                     goto unknown_op;
4569                 }
4570 
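                     /*
                      * x87 instructions that referenced memory record the
                      * last data pointer and segment (FDP/FDS); the control
                      * operations above cleared update_fdp because they do
                      * not update it.
                      */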
4571                 if (update_fdp) {
4572                     int last_seg = s->override >= 0 ? s->override : a.def_seg;
4573 
4574                     tcg_gen_ld_i32(s->tmp2_i32, cpu_env,
4575                                    offsetof(CPUX86State,
4576                                             segs[last_seg].selector));
4577                     tcg_gen_st16_i32(s->tmp2_i32, cpu_env,
4578                                      offsetof(CPUX86State, fpds));
4579                     tcg_gen_st_tl(last_addr, cpu_env,
4580                                   offsetof(CPUX86State, fpdp));
4581                 }
4582             } else {
4583                 /* register float ops */
4584                 opreg = rm;
4585 
4586                 switch (op) {
4587                 case 0x08: /* fld sti */
4588                     gen_helper_fpush(cpu_env);
4589                     gen_helper_fmov_ST0_STN(cpu_env,
4590                                             tcg_const_i32((opreg + 1) & 7));
4591                     break;
4592                 case 0x09: /* fxchg sti */
4593                 case 0x29: /* fxchg4 sti, undocumented op */
4594                 case 0x39: /* fxchg7 sti, undocumented op */
4595                     gen_helper_fxchg_ST0_STN(cpu_env, tcg_const_i32(opreg));
4596                     break;
4597                 case 0x0a: /* grp d9/2 */
4598                     switch (rm) {
4599                     case 0: /* fnop */
4600                         /* check exceptions (FreeBSD FPU probe) */
4601                         gen_helper_fwait(cpu_env);
4602                         update_fip = false;
4603                         break;
4604                     default:
4605                         goto unknown_op;
4606                     }
4607                     break;
4608                 case 0x0c: /* grp d9/4 */
4609                     switch (rm) {
4610                     case 0: /* fchs */
4611                         gen_helper_fchs_ST0(cpu_env);
4612                         break;
4613                     case 1: /* fabs */
4614                         gen_helper_fabs_ST0(cpu_env);
4615                         break;
4616                     case 4: /* ftst */
4617                         gen_helper_fldz_FT0(cpu_env);
4618                         gen_helper_fcom_ST0_FT0(cpu_env);
4619                         break;
4620                     case 5: /* fxam */
4621                         gen_helper_fxam_ST0(cpu_env);
4622                         break;
4623                     default:
4624                         goto unknown_op;
4625                     }
4626                     break;
4627                 case 0x0d: /* grp d9/5 */
4628                     {
4629                         switch (rm) {
4630                         case 0:
4631                             gen_helper_fpush(cpu_env);
4632                             gen_helper_fld1_ST0(cpu_env);
4633                             break;
4634                         case 1:
4635                             gen_helper_fpush(cpu_env);
4636                             gen_helper_fldl2t_ST0(cpu_env);
4637                             break;
4638                         case 2:
4639                             gen_helper_fpush(cpu_env);
4640                             gen_helper_fldl2e_ST0(cpu_env);
4641                             break;
4642                         case 3:
4643                             gen_helper_fpush(cpu_env);
4644                             gen_helper_fldpi_ST0(cpu_env);
4645                             break;
4646                         case 4:
4647                             gen_helper_fpush(cpu_env);
4648                             gen_helper_fldlg2_ST0(cpu_env);
4649                             break;
4650                         case 5:
4651                             gen_helper_fpush(cpu_env);
4652                             gen_helper_fldln2_ST0(cpu_env);
4653                             break;
4654                         case 6:
4655                             gen_helper_fpush(cpu_env);
4656                             gen_helper_fldz_ST0(cpu_env);
4657                             break;
4658                         default:
4659                             goto unknown_op;
4660                         }
4661                     }
4662                     break;
4663                 case 0x0e: /* grp d9/6 */
4664                     switch (rm) {
4665                     case 0: /* f2xm1 */
4666                         gen_helper_f2xm1(cpu_env);
4667                         break;
4668                     case 1: /* fyl2x */
4669                         gen_helper_fyl2x(cpu_env);
4670                         break;
4671                     case 2: /* fptan */
4672                         gen_helper_fptan(cpu_env);
4673                         break;
4674                     case 3: /* fpatan */
4675                         gen_helper_fpatan(cpu_env);
4676                         break;
4677                     case 4: /* fxtract */
4678                         gen_helper_fxtract(cpu_env);
4679                         break;
4680                     case 5: /* fprem1 */
4681                         gen_helper_fprem1(cpu_env);
4682                         break;
4683                     case 6: /* fdecstp */
4684                         gen_helper_fdecstp(cpu_env);
4685                         break;
4686                     default:
4687                     case 7: /* fincstp */
4688                         gen_helper_fincstp(cpu_env);
4689                         break;
4690                     }
4691                     break;
4692                 case 0x0f: /* grp d9/7 */
4693                     switch (rm) {
4694                     case 0: /* fprem */
4695                         gen_helper_fprem(cpu_env);
4696                         break;
4697                     case 1: /* fyl2xp1 */
4698                         gen_helper_fyl2xp1(cpu_env);
4699                         break;
4700                     case 2: /* fsqrt */
4701                         gen_helper_fsqrt(cpu_env);
4702                         break;
4703                     case 3: /* fsincos */
4704                         gen_helper_fsincos(cpu_env);
4705                         break;
4706                     case 5: /* fscale */
4707                         gen_helper_fscale(cpu_env);
4708                         break;
4709                     case 4: /* frndint */
4710                         gen_helper_frndint(cpu_env);
4711                         break;
4712                     case 6: /* fsin */
4713                         gen_helper_fsin(cpu_env);
4714                         break;
4715                     default:
4716                     case 7: /* fcos */
4717                         gen_helper_fcos(cpu_env);
4718                         break;
4719                     }
4720                     break;
4721                 case 0x00: case 0x01: case 0x04 ... 0x07: /* fxxx st, sti */
4722                 case 0x20: case 0x21: case 0x24 ... 0x27: /* fxxx sti, st */
4723                 case 0x30: case 0x31: case 0x34 ... 0x37: /* fxxxp sti, st */
4724                     {
4725                         int op1;
4726 
4727                         op1 = op & 7;
4728                         if (op >= 0x20) {
4729                             gen_helper_fp_arith_STN_ST0(op1, opreg);
4730                             if (op >= 0x30) {
4731                                 gen_helper_fpop(cpu_env);
4732                             }
4733                         } else {
4734                             gen_helper_fmov_FT0_STN(cpu_env,
4735                                                     tcg_const_i32(opreg));
4736                             gen_helper_fp_arith_ST0_FT0(op1);
4737                         }
4738                     }
4739                     break;
4740                 case 0x02: /* fcom */
4741                 case 0x22: /* fcom2, undocumented op */
4742                     gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(opreg));
4743                     gen_helper_fcom_ST0_FT0(cpu_env);
4744                     break;
4745                 case 0x03: /* fcomp */
4746                 case 0x23: /* fcomp3, undocumented op */
4747                 case 0x32: /* fcomp5, undocumented op */
4748                     gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(opreg));
4749                     gen_helper_fcom_ST0_FT0(cpu_env);
4750                     gen_helper_fpop(cpu_env);
4751                     break;
4752                 case 0x15: /* da/5 */
4753                     switch (rm) {
4754                     case 1: /* fucompp */
4755                         gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(1));
4756                         gen_helper_fucom_ST0_FT0(cpu_env);
4757                         gen_helper_fpop(cpu_env);
4758                         gen_helper_fpop(cpu_env);
4759                         break;
4760                     default:
4761                         goto unknown_op;
4762                     }
4763                     break;
4764                 case 0x1c:
4765                     switch (rm) {
4766                     case 0: /* feni (287 only, just do nop here) */
4767                         break;
4768                     case 1: /* fdisi (287 only, just do nop here) */
4769                         break;
4770                     case 2: /* fclex */
4771                         gen_helper_fclex(cpu_env);
4772                         update_fip = false;
4773                         break;
4774                     case 3: /* fninit */
4775                         gen_helper_fninit(cpu_env);
4776                         update_fip = false;
4777                         break;
4778                     case 4: /* fsetpm (287 only, just do nop here) */
4779                         break;
4780                     default:
4781                         goto unknown_op;
4782                     }
4783                     break;
4784                 case 0x1d: /* fucomi */
4785                     if (!(s->cpuid_features & CPUID_CMOV)) {
4786                         goto illegal_op;
4787                     }
4788                     gen_update_cc_op(s);
4789                     gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(opreg));
4790                     gen_helper_fucomi_ST0_FT0(cpu_env);
4791                     set_cc_op(s, CC_OP_EFLAGS);
4792                     break;
4793                 case 0x1e: /* fcomi */
4794                     if (!(s->cpuid_features & CPUID_CMOV)) {
4795                         goto illegal_op;
4796                     }
4797                     gen_update_cc_op(s);
4798                     gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(opreg));
4799                     gen_helper_fcomi_ST0_FT0(cpu_env);
4800                     set_cc_op(s, CC_OP_EFLAGS);
4801                     break;
4802                 case 0x28: /* ffree sti */
4803                     gen_helper_ffree_STN(cpu_env, tcg_const_i32(opreg));
4804                     break;
4805                 case 0x2a: /* fst sti */
4806                     gen_helper_fmov_STN_ST0(cpu_env, tcg_const_i32(opreg));
4807                     break;
4808                 case 0x2b: /* fstp sti */
4809                 case 0x0b: /* fstp1 sti, undocumented op */
4810                 case 0x3a: /* fstp8 sti, undocumented op */
4811                 case 0x3b: /* fstp9 sti, undocumented op */
4812                     gen_helper_fmov_STN_ST0(cpu_env, tcg_const_i32(opreg));
4813                     gen_helper_fpop(cpu_env);
4814                     break;
4815                 case 0x2c: /* fucom st(i) */
4816                     gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(opreg));
4817                     gen_helper_fucom_ST0_FT0(cpu_env);
4818                     break;
4819                 case 0x2d: /* fucomp st(i) */
4820                     gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(opreg));
4821                     gen_helper_fucom_ST0_FT0(cpu_env);
4822                     gen_helper_fpop(cpu_env);
4823                     break;
4824                 case 0x33: /* de/3 */
4825                     switch (rm) {
4826                     case 1: /* fcompp */
4827                         gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(1));
4828                         gen_helper_fcom_ST0_FT0(cpu_env);
4829                         gen_helper_fpop(cpu_env);
4830                         gen_helper_fpop(cpu_env);
4831                         break;
4832                     default:
4833                         goto unknown_op;
4834                     }
4835                     break;
4836                 case 0x38: /* ffreep sti, undocumented op */
4837                     gen_helper_ffree_STN(cpu_env, tcg_const_i32(opreg));
4838                     gen_helper_fpop(cpu_env);
4839                     break;
4840                 case 0x3c: /* df/4 */
4841                     switch (rm) {
4842                     case 0: /* fnstsw %ax */
4843                         gen_helper_fnstsw(s->tmp2_i32, cpu_env);
4844                         tcg_gen_extu_i32_tl(s->T0, s->tmp2_i32);
4845                         gen_op_mov_reg_v(s, MO_16, R_EAX, s->T0);
4846                         break;
4847                     default:
4848                         goto unknown_op;
4849                     }
4850                     break;
4851                 case 0x3d: /* fucomip */
4852                     if (!(s->cpuid_features & CPUID_CMOV)) {
4853                         goto illegal_op;
4854                     }
4855                     gen_update_cc_op(s);
4856                     gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(opreg));
4857                     gen_helper_fucomi_ST0_FT0(cpu_env);
4858                     gen_helper_fpop(cpu_env);
4859                     set_cc_op(s, CC_OP_EFLAGS);
4860                     break;
4861                 case 0x3e: /* fcomip */
4862                     if (!(s->cpuid_features & CPUID_CMOV)) {
4863                         goto illegal_op;
4864                     }
4865                     gen_update_cc_op(s);
4866                     gen_helper_fmov_FT0_STN(cpu_env, tcg_const_i32(opreg));
4867                     gen_helper_fcomi_ST0_FT0(cpu_env);
4868                     gen_helper_fpop(cpu_env);
4869                     set_cc_op(s, CC_OP_EFLAGS);
4870                     break;
4871                 case 0x10 ... 0x13: /* fcmovxx */
4872                 case 0x18 ... 0x1b:
4873                     {
4874                         int op1;
4875                         TCGLabel *l1;
4876                         static const uint8_t fcmov_cc[8] = {
4877                             (JCC_B << 1),
4878                             (JCC_Z << 1),
4879                             (JCC_BE << 1),
4880                             (JCC_P << 1),
4881                         };
4882 
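                             /*
                              * Bits 0-1 of op select the base condition
                              * (b/z/be/p); bit 3 distinguishes the DB
                              * (negated-condition) forms from the DA forms.
                              * The XOR inverts the test so that the branch
                              * skips the fmov when the move condition does
                              * not hold.
                              */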
4883                         if (!(s->cpuid_features & CPUID_CMOV)) {
4884                             goto illegal_op;
4885                         }
4886                         op1 = fcmov_cc[op & 3] | (((op >> 3) & 1) ^ 1);
4887                         l1 = gen_new_label();
4888                         gen_jcc1_noeob(s, op1, l1);
4889                         gen_helper_fmov_ST0_STN(cpu_env, tcg_const_i32(opreg));
4890                         gen_set_label(l1);
4891                     }
4892                     break;
4893                 default:
4894                     goto unknown_op;
4895                 }
4896             }
4897 
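                 /*
                  * Non-control x87 insns record the CS selector and EIP of
                  * the instruction in fpcs/fpip, later exposed by
                  * fnstenv/fnsave; control insns (fclex, fninit, ...) set
                  * update_fip to false above and leave them untouched.
                  */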
4898             if (update_fip) {
4899                 tcg_gen_ld_i32(s->tmp2_i32, cpu_env,
4900                                offsetof(CPUX86State, segs[R_CS].selector));
4901                 tcg_gen_st16_i32(s->tmp2_i32, cpu_env,
4902                                  offsetof(CPUX86State, fpcs));
4903                 tcg_gen_st_tl(eip_cur_tl(s),
4904                               cpu_env, offsetof(CPUX86State, fpip));
4905             }
4906         }
4907         break;
4908         /************************/
4909         /* string ops */
4910 
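         /*
          * With a REP/REPNE prefix, the gen_repz_* helpers process one
          * element per pass, decrement ECX and re-execute the insn until
          * ECX reaches zero, keeping long strings interruptible; the plain
          * helpers below handle a single element.
          */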
4911     case 0xa4: /* movsS */
4912     case 0xa5:
4913         ot = mo_b_d(b, dflag);
4914         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4915             gen_repz_movs(s, ot);
4916         } else {
4917             gen_movs(s, ot);
4918         }
4919         break;
4920 
4921     case 0xaa: /* stosS */
4922     case 0xab:
4923         ot = mo_b_d(b, dflag);
4924         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4925             gen_repz_stos(s, ot);
4926         } else {
4927             gen_stos(s, ot);
4928         }
4929         break;
4930     case 0xac: /* lodsS */
4931     case 0xad:
4932         ot = mo_b_d(b, dflag);
4933         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4934             gen_repz_lods(s, ot);
4935         } else {
4936             gen_lods(s, ot);
4937         }
4938         break;
4939     case 0xae: /* scasS */
4940     case 0xaf:
4941         ot = mo_b_d(b, dflag);
4942         if (prefixes & PREFIX_REPNZ) {
4943             gen_repz_scas(s, ot, 1);
4944         } else if (prefixes & PREFIX_REPZ) {
4945             gen_repz_scas(s, ot, 0);
4946         } else {
4947             gen_scas(s, ot);
4948         }
4949         break;
4950 
4951     case 0xa6: /* cmpsS */
4952     case 0xa7:
4953         ot = mo_b_d(b, dflag);
4954         if (prefixes & PREFIX_REPNZ) {
4955             gen_repz_cmps(s, ot, 1);
4956         } else if (prefixes & PREFIX_REPZ) {
4957             gen_repz_cmps(s, ot, 0);
4958         } else {
4959             gen_cmps(s, ot);
4960         }
4961         break;
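         /*
          * For INS/OUTS, gen_check_io validates the port against IOPL or
          * the TSS I/O bitmap and checks the SVM IOIO intercept; with
          * icount active the TB ends after the insn so the device access
          * lands on an exact instruction boundary.
          */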
4962     case 0x6c: /* insS */
4963     case 0x6d:
4964         ot = mo_b_d32(b, dflag);
4965         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
4966         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
4967         if (!gen_check_io(s, ot, s->tmp2_i32,
4968                           SVM_IOIO_TYPE_MASK | SVM_IOIO_STR_MASK)) {
4969             break;
4970         }
4971         if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
4972             gen_io_start();
4973             s->base.is_jmp = DISAS_TOO_MANY;
4974         }
4975         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4976             gen_repz_ins(s, ot);
4977         } else {
4978             gen_ins(s, ot);
4979         }
4980         break;
4981     case 0x6e: /* outsS */
4982     case 0x6f:
4983         ot = mo_b_d32(b, dflag);
4984         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
4985         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
4986         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_STR_MASK)) {
4987             break;
4988         }
4989         if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
4990             gen_io_start();
4991             s->base.is_jmp = DISAS_TOO_MANY;
4992         }
4993         if (prefixes & (PREFIX_REPZ | PREFIX_REPNZ)) {
4994             gen_repz_outs(s, ot);
4995         } else {
4996             gen_outs(s, ot);
4997         }
4998         break;
4999 
5000         /************************/
5001         /* port I/O */
5002 
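         /*
          * IN/OUT take either an immediate 8-bit port (0xe4-0xe7) or the
          * port from DX masked to 16 bits (0xec-0xef); gen_bpt_io checks
          * for I/O breakpoints after the access.
          */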
5003     case 0xe4:
5004     case 0xe5:
5005         ot = mo_b_d32(b, dflag);
5006         val = x86_ldub_code(env, s);
5007         tcg_gen_movi_i32(s->tmp2_i32, val);
5008         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_TYPE_MASK)) {
5009             break;
5010         }
5011         if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
5012             gen_io_start();
5013             s->base.is_jmp = DISAS_TOO_MANY;
5014         }
5015         gen_helper_in_func(ot, s->T1, s->tmp2_i32);
5016         gen_op_mov_reg_v(s, ot, R_EAX, s->T1);
5017         gen_bpt_io(s, s->tmp2_i32, ot);
5018         break;
5019     case 0xe6:
5020     case 0xe7:
5021         ot = mo_b_d32(b, dflag);
5022         val = x86_ldub_code(env, s);
5023         tcg_gen_movi_i32(s->tmp2_i32, val);
5024         if (!gen_check_io(s, ot, s->tmp2_i32, 0)) {
5025             break;
5026         }
5027         if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
5028             gen_io_start();
5029             s->base.is_jmp = DISAS_TOO_MANY;
5030         }
5031         gen_op_mov_v_reg(s, ot, s->T1, R_EAX);
5032         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
5033         gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
5034         gen_bpt_io(s, s->tmp2_i32, ot);
5035         break;
5036     case 0xec:
5037     case 0xed:
5038         ot = mo_b_d32(b, dflag);
5039         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
5040         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
5041         if (!gen_check_io(s, ot, s->tmp2_i32, SVM_IOIO_TYPE_MASK)) {
5042             break;
5043         }
5044         if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
5045             gen_io_start();
5046             s->base.is_jmp = DISAS_TOO_MANY;
5047         }
5048         gen_helper_in_func(ot, s->T1, s->tmp2_i32);
5049         gen_op_mov_reg_v(s, ot, R_EAX, s->T1);
5050         gen_bpt_io(s, s->tmp2_i32, ot);
5051         break;
5052     case 0xee:
5053     case 0xef:
5054         ot = mo_b_d32(b, dflag);
5055         tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_EDX]);
5056         tcg_gen_ext16u_i32(s->tmp2_i32, s->tmp2_i32);
5057         if (!gen_check_io(s, ot, s->tmp2_i32, 0)) {
5058             break;
5059         }
5060         if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
5061             gen_io_start();
5062             s->base.is_jmp = DISAS_TOO_MANY;
5063         }
5064         gen_op_mov_v_reg(s, ot, s->T1, R_EAX);
5065         tcg_gen_trunc_tl_i32(s->tmp3_i32, s->T1);
5066         gen_helper_out_func(ot, s->tmp2_i32, s->tmp3_i32);
5067         gen_bpt_io(s, s->tmp2_i32, ot);
5068         break;
5069 
5070         /************************/
5071         /* control */
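         /*
          * RET imm16 pops the return address, then discards a further
          * imm16 bytes of stack for callee-cleans calling conventions.
          */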
5072     case 0xc2: /* ret im */
5073         val = x86_ldsw_code(env, s);
5074         ot = gen_pop_T0(s);
5075         gen_stack_update(s, val + (1 << ot));
5076         /* Note that gen_pop_T0 uses a zero-extending load.  */
5077         gen_op_jmp_v(s, s->T0);
5078         gen_bnd_jmp(s);
5079         s->base.is_jmp = DISAS_JUMP;
5080         break;
5081     case 0xc3: /* ret */
5082         ot = gen_pop_T0(s);
5083         gen_pop_update(s, ot);
5084         /* Note that gen_pop_T0 uses a zero-extending load.  */
5085         gen_op_jmp_v(s, s->T0);
5086         gen_bnd_jmp(s);
5087         s->base.is_jmp = DISAS_JUMP;
5088         break;
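         /*
          * A far return in protected mode goes through a helper that does
          * the privilege checks and any stack switch; in real or vm86 mode
          * the offset and CS selector are simply popped here.
          */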
5089     case 0xca: /* lret im */
5090         val = x86_ldsw_code(env, s);
5091     do_lret:
5092         if (PE(s) && !VM86(s)) {
5093             gen_update_cc_op(s);
5094             gen_update_eip_cur(s);
5095             gen_helper_lret_protected(cpu_env, tcg_const_i32(dflag - 1),
5096                                       tcg_const_i32(val));
5097         } else {
5098             gen_stack_A0(s);
5099             /* pop offset */
5100             gen_op_ld_v(s, dflag, s->T0, s->A0);
5101             /* NOTE: keeping EIP updated is not a problem in case of
5102                exception */
5103             gen_op_jmp_v(s, s->T0);
5104             /* pop selector */
5105             gen_add_A0_im(s, 1 << dflag);
5106             gen_op_ld_v(s, dflag, s->T0, s->A0);
5107             gen_op_movl_seg_T0_vm(s, R_CS);
5108             /* add stack offset */
5109             gen_stack_update(s, val + (2 << dflag));
5110         }
5111         s->base.is_jmp = DISAS_EOB_ONLY;
5112         break;
5113     case 0xcb: /* lret */
5114         val = 0;
5115         goto do_lret;
5116     case 0xcf: /* iret */
5117         gen_svm_check_intercept(s, SVM_EXIT_IRET);
5118         if (!PE(s) || VM86(s)) {
5119             /* real mode or vm86 mode */
5120             if (!check_vm86_iopl(s)) {
5121                 break;
5122             }
5123             gen_helper_iret_real(cpu_env, tcg_const_i32(dflag - 1));
5124         } else {
5125             gen_helper_iret_protected(cpu_env, tcg_constant_i32(dflag - 1),
5126                                       eip_next_i32(s));
5127         }
5128         set_cc_op(s, CC_OP_EFLAGS);
5129         s->base.is_jmp = DISAS_EOB_ONLY;
5130         break;
5131     case 0xe8: /* call im */
5132         {
5133             int diff = (dflag != MO_16
5134                         ? (int32_t)insn_get(env, s, MO_32)
5135                         : (int16_t)insn_get(env, s, MO_16));
5136             gen_push_v(s, eip_next_tl(s));
5137             gen_bnd_jmp(s);
5138             gen_jmp_rel(s, dflag, diff, 0);
5139         }
5140         break;
5141     case 0x9a: /* lcall im */
5142         {
5143             unsigned int selector, offset;
5144 
5145             if (CODE64(s))
5146                 goto illegal_op;
5147             ot = dflag;
5148             offset = insn_get(env, s, ot);
5149             selector = insn_get(env, s, MO_16);
5150 
5151             tcg_gen_movi_tl(s->T0, selector);
5152             tcg_gen_movi_tl(s->T1, offset);
5153         }
5154         goto do_lcall;
5155     case 0xe9: /* jmp im */
5156         {
5157             int diff = (dflag != MO_16
5158                         ? (int32_t)insn_get(env, s, MO_32)
5159                         : (int16_t)insn_get(env, s, MO_16));
5160             gen_bnd_jmp(s);
5161             gen_jmp_rel(s, dflag, diff, 0);
5162         }
5163         break;
5164     case 0xea: /* ljmp im */
5165         {
5166             unsigned int selector, offset;
5167 
5168             if (CODE64(s))
5169                 goto illegal_op;
5170             ot = dflag;
5171             offset = insn_get(env, s, ot);
5172             selector = insn_get(env, s, MO_16);
5173 
5174             tcg_gen_movi_tl(s->T0, selector);
5175             tcg_gen_movi_tl(s->T1, offset);
5176         }
5177         goto do_ljmp;
5178     case 0xeb: /* jmp Jb */
5179         {
5180             int diff = (int8_t)insn_get(env, s, MO_8);
5181             gen_jmp_rel(s, dflag, diff, 0);
5182         }
5183         break;
5184     case 0x70 ... 0x7f: /* jcc Jb */
5185         {
5186             int diff = (int8_t)insn_get(env, s, MO_8);
5187             gen_bnd_jmp(s);
5188             gen_jcc(s, b, diff);
5189         }
5190         break;
5191     case 0x180 ... 0x18f: /* jcc Jv */
5192         {
5193             int diff = (dflag != MO_16
5194                         ? (int32_t)insn_get(env, s, MO_32)
5195                         : (int16_t)insn_get(env, s, MO_16));
5196             gen_bnd_jmp(s);
5197             gen_jcc(s, b, diff);
5198         }
5199         break;
5200 
5201     case 0x190 ... 0x19f: /* setcc Gv */
5202         modrm = x86_ldub_code(env, s);
5203         gen_setcc1(s, b, s->T0);
5204         gen_ldst_modrm(env, s, modrm, MO_8, OR_TMP0, 1);
5205         break;
5206     case 0x140 ... 0x14f: /* cmov Gv, Ev */
5207         if (!(s->cpuid_features & CPUID_CMOV)) {
5208             goto illegal_op;
5209         }
5210         ot = dflag;
5211         modrm = x86_ldub_code(env, s);
5212         reg = ((modrm >> 3) & 7) | REX_R(s);
5213         gen_cmovcc1(env, s, ot, b, modrm, reg);
5214         break;
5215 
5216         /************************/
5217         /* flags */
5218     case 0x9c: /* pushf */
5219         gen_svm_check_intercept(s, SVM_EXIT_PUSHF);
5220         if (check_vm86_iopl(s)) {
5221             gen_update_cc_op(s);
5222             gen_helper_read_eflags(s->T0, cpu_env);
5223             gen_push_v(s, s->T0);
5224         }
5225         break;
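         /*
          * POPF may change IF only when CPL <= IOPL, and IOPL itself only
          * at CPL 0; the mask below encodes this, and a 16-bit operand
          * size limits the update to the low word of EFLAGS.
          */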
5226     case 0x9d: /* popf */
5227         gen_svm_check_intercept(s, SVM_EXIT_POPF);
5228         if (check_vm86_iopl(s)) {
5229             int mask = TF_MASK | AC_MASK | ID_MASK | NT_MASK;
5230 
5231             if (CPL(s) == 0) {
5232                 mask |= IF_MASK | IOPL_MASK;
5233             } else if (CPL(s) <= IOPL(s)) {
5234                 mask |= IF_MASK;
5235             }
5236             if (dflag == MO_16) {
5237                 mask &= 0xffff;
5238             }
5239 
5240             ot = gen_pop_T0(s);
5241             gen_helper_write_eflags(cpu_env, s->T0, tcg_constant_i32(mask));
5242             gen_pop_update(s, ot);
5243             set_cc_op(s, CC_OP_EFLAGS);
5244             /* abort translation because TF/AC flag may change */
5245             s->base.is_jmp = DISAS_EOB_NEXT;
5246         }
5247         break;
5248     case 0x9e: /* sahf */
5249         if (CODE64(s) && !(s->cpuid_ext3_features & CPUID_EXT3_LAHF_LM))
5250             goto illegal_op;
5251         tcg_gen_shri_tl(s->T0, cpu_regs[R_EAX], 8);
5252         gen_compute_eflags(s);
5253         tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, CC_O);
5254         tcg_gen_andi_tl(s->T0, s->T0, CC_S | CC_Z | CC_A | CC_P | CC_C);
5255         tcg_gen_or_tl(cpu_cc_src, cpu_cc_src, s->T0);
5256         break;
5257     case 0x9f: /* lahf */
5258         if (CODE64(s) && !(s->cpuid_ext3_features & CPUID_EXT3_LAHF_LM))
5259             goto illegal_op;
5260         gen_compute_eflags(s);
5261         /* Note: gen_compute_eflags() only gives the condition codes */
5262         tcg_gen_ori_tl(s->T0, cpu_cc_src, 0x02);
5263         tcg_gen_deposit_tl(cpu_regs[R_EAX], cpu_regs[R_EAX], s->T0, 8, 8);
5264         break;
5265     case 0xf5: /* cmc */
5266         gen_compute_eflags(s);
5267         tcg_gen_xori_tl(cpu_cc_src, cpu_cc_src, CC_C);
5268         break;
5269     case 0xf8: /* clc */
5270         gen_compute_eflags(s);
5271         tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, ~CC_C);
5272         break;
5273     case 0xf9: /* stc */
5274         gen_compute_eflags(s);
5275         tcg_gen_ori_tl(cpu_cc_src, cpu_cc_src, CC_C);
5276         break;
5277     case 0xfc: /* cld */
5278         tcg_gen_movi_i32(s->tmp2_i32, 1);
5279         tcg_gen_st_i32(s->tmp2_i32, cpu_env, offsetof(CPUX86State, df));
5280         break;
5281     case 0xfd: /* std */
5282         tcg_gen_movi_i32(s->tmp2_i32, -1);
5283         tcg_gen_st_i32(s->tmp2_i32, cpu_env, offsetof(CPUX86State, df));
5284         break;
5285 
5286         /************************/
5287         /* bit operations */
5288     case 0x1ba: /* bt/bts/btr/btc Gv, im */
5289         ot = dflag;
5290         modrm = x86_ldub_code(env, s);
5291         op = (modrm >> 3) & 7;
5292         mod = (modrm >> 6) & 3;
5293         rm = (modrm & 7) | REX_B(s);
5294         if (mod != 3) {
5295             s->rip_offset = 1;
5296             gen_lea_modrm(env, s, modrm);
5297             if (!(s->prefix & PREFIX_LOCK)) {
5298                 gen_op_ld_v(s, ot, s->T0, s->A0);
5299             }
5300         } else {
5301             gen_op_mov_v_reg(s, ot, s->T0, rm);
5302         }
5303         /* load shift */
5304         val = x86_ldub_code(env, s);
5305         tcg_gen_movi_tl(s->T1, val);
5306         if (op < 4)
5307             goto unknown_op;
5308         op -= 4;
5309         goto bt_op;
5310     case 0x1a3: /* bt Gv, Ev */
5311         op = 0;
5312         goto do_btx;
5313     case 0x1ab: /* bts */
5314         op = 1;
5315         goto do_btx;
5316     case 0x1b3: /* btr */
5317         op = 2;
5318         goto do_btx;
5319     case 0x1bb: /* btc */
5320         op = 3;
5321     do_btx:
5322         ot = dflag;
5323         modrm = x86_ldub_code(env, s);
5324         reg = ((modrm >> 3) & 7) | REX_R(s);
5325         mod = (modrm >> 6) & 3;
5326         rm = (modrm & 7) | REX_B(s);
5327         gen_op_mov_v_reg(s, MO_32, s->T1, reg);
5328         if (mod != 3) {
5329             AddressParts a = gen_lea_modrm_0(env, s, modrm);
5330             /* The bit index may address beyond the operand: fold its
                    byte part into the effective address here; bt_op below
                    masks T1 down to the bit within the operand. */
5331             gen_exts(ot, s->T1);
5332             tcg_gen_sari_tl(s->tmp0, s->T1, 3 + ot);
5333             tcg_gen_shli_tl(s->tmp0, s->tmp0, ot);
5334             tcg_gen_add_tl(s->A0, gen_lea_modrm_1(s, a, false), s->tmp0);
5335             gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
5336             if (!(s->prefix & PREFIX_LOCK)) {
5337                 gen_op_ld_v(s, ot, s->T0, s->A0);
5338             }
5339         } else {
5340             gen_op_mov_v_reg(s, ot, s->T0, rm);
5341         }
5342     bt_op:
5343         tcg_gen_andi_tl(s->T1, s->T1, (1 << (3 + ot)) - 1);
5344         tcg_gen_movi_tl(s->tmp0, 1);
5345         tcg_gen_shl_tl(s->tmp0, s->tmp0, s->T1);
5346         if (s->prefix & PREFIX_LOCK) {
5347             switch (op) {
5348             case 0: /* bt */
5349                 /* Needs no atomic ops; we suppressed the normal
5350                    memory load for LOCK above, so do it now.  */
5351                 gen_op_ld_v(s, ot, s->T0, s->A0);
5352                 break;
5353             case 1: /* bts */
5354                 tcg_gen_atomic_fetch_or_tl(s->T0, s->A0, s->tmp0,
5355                                            s->mem_index, ot | MO_LE);
5356                 break;
5357             case 2: /* btr */
5358                 tcg_gen_not_tl(s->tmp0, s->tmp0);
5359                 tcg_gen_atomic_fetch_and_tl(s->T0, s->A0, s->tmp0,
5360                                             s->mem_index, ot | MO_LE);
5361                 break;
5362             default:
5363             case 3: /* btc */
5364                 tcg_gen_atomic_fetch_xor_tl(s->T0, s->A0, s->tmp0,
5365                                             s->mem_index, ot | MO_LE);
5366                 break;
5367             }
5368             tcg_gen_shr_tl(s->tmp4, s->T0, s->T1);
5369         } else {
5370             tcg_gen_shr_tl(s->tmp4, s->T0, s->T1);
5371             switch (op) {
5372             case 0: /* bt */
5373                 /* Data already loaded; nothing to do.  */
5374                 break;
5375             case 1: /* bts */
5376                 tcg_gen_or_tl(s->T0, s->T0, s->tmp0);
5377                 break;
5378             case 2: /* btr */
5379                 tcg_gen_andc_tl(s->T0, s->T0, s->tmp0);
5380                 break;
5381             default:
5382             case 3: /* btc */
5383                 tcg_gen_xor_tl(s->T0, s->T0, s->tmp0);
5384                 break;
5385             }
5386             if (op != 0) {
5387                 if (mod != 3) {
5388                     gen_op_st_v(s, ot, s->T0, s->A0);
5389                 } else {
5390                     gen_op_mov_reg_v(s, ot, rm, s->T0);
5391                 }
5392             }
5393         }
5394 
5395         /* Delay all CC updates until after the store above.  Note that
5396            C is the result of the test, Z is unchanged, and the others
5397            are all undefined.  */
5398         switch (s->cc_op) {
5399         case CC_OP_MULB ... CC_OP_MULQ:
5400         case CC_OP_ADDB ... CC_OP_ADDQ:
5401         case CC_OP_ADCB ... CC_OP_ADCQ:
5402         case CC_OP_SUBB ... CC_OP_SUBQ:
5403         case CC_OP_SBBB ... CC_OP_SBBQ:
5404         case CC_OP_LOGICB ... CC_OP_LOGICQ:
5405         case CC_OP_INCB ... CC_OP_INCQ:
5406         case CC_OP_DECB ... CC_OP_DECQ:
5407         case CC_OP_SHLB ... CC_OP_SHLQ:
5408         case CC_OP_SARB ... CC_OP_SARQ:
5409         case CC_OP_BMILGB ... CC_OP_BMILGQ:
5410             /* Z was going to be computed from the non-zero status of CC_DST.
5411                We can get that same Z value (and the new C value) by leaving
5412                CC_DST alone, setting CC_SRC, and using a CC_OP_SAR of the
5413                same width.  */
5414             tcg_gen_mov_tl(cpu_cc_src, s->tmp4);
5415             set_cc_op(s, ((s->cc_op - CC_OP_MULB) & 3) + CC_OP_SARB);
5416             break;
5417         default:
5418             /* Otherwise, generate EFLAGS and replace the C bit.  */
5419             gen_compute_eflags(s);
5420             tcg_gen_deposit_tl(cpu_cc_src, cpu_cc_src, s->tmp4,
5421                                ctz32(CC_C), 1);
5422             break;
5423         }
5424         break;
5425     case 0x1bc: /* bsf / tzcnt */
5426     case 0x1bd: /* bsr / lzcnt */
5427         ot = dflag;
5428         modrm = x86_ldub_code(env, s);
5429         reg = ((modrm >> 3) & 7) | REX_R(s);
5430         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
5431         gen_extu(ot, s->T0);
5432 
5433         /* Note that lzcnt and tzcnt are in different extensions.  */
5434         if ((prefixes & PREFIX_REPZ)
5435             && (b & 1
5436                 ? s->cpuid_ext3_features & CPUID_EXT3_ABM
5437                 : s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_BMI1)) {
5438             int size = 8 << ot;
5439             /* For lzcnt/tzcnt, the C bit is derived from the input:
                    it is set iff the source is zero. */
5440             tcg_gen_mov_tl(cpu_cc_src, s->T0);
5441             if (b & 1) {
5442                 /* For lzcnt, reduce the target_ulong result by the
5443                    number of zeros that we expect to find at the top.  */
5444                 tcg_gen_clzi_tl(s->T0, s->T0, TARGET_LONG_BITS);
5445                 tcg_gen_subi_tl(s->T0, s->T0, TARGET_LONG_BITS - size);
5446             } else {
5447                 /* For tzcnt, a zero input must return the operand size.  */
5448                 tcg_gen_ctzi_tl(s->T0, s->T0, size);
5449             }
5450             /* For lzcnt/tzcnt, the Z bit is derived from the result:
                    it is set iff the result is zero.  */
5451             gen_op_update1_cc(s);
5452             set_cc_op(s, CC_OP_BMILGB + ot);
5453         } else {
5454             /* For bsr/bsf, only the Z bit is defined, and it reflects
5455                the input rather than the result.  */
5456             tcg_gen_mov_tl(cpu_cc_dst, s->T0);
5457             set_cc_op(s, CC_OP_LOGICB + ot);
5458 
5459             /* ??? The manual says that the output is undefined when the
5460                input is zero, but real hardware leaves it unchanged, and
5461                real programs appear to depend on that.  Accomplish this
5462                by passing the output as the value to return upon zero.  */
5463             if (b & 1) {
5464                 /* For bsr, return the bit index of the first 1 bit,
5465                    not the count of leading zeros.  */
5466                 tcg_gen_xori_tl(s->T1, cpu_regs[reg], TARGET_LONG_BITS - 1);
5467                 tcg_gen_clz_tl(s->T0, s->T0, s->T1);
5468                 tcg_gen_xori_tl(s->T0, s->T0, TARGET_LONG_BITS - 1);
5469             } else {
5470                 tcg_gen_ctz_tl(s->T0, s->T0, cpu_regs[reg]);
5471             }
5472         }
5473         gen_op_mov_reg_v(s, ot, reg, s->T0);
5474         break;
5475         /************************/
5476         /* bcd */
5477     case 0x27: /* daa */
5478         if (CODE64(s))
5479             goto illegal_op;
5480         gen_update_cc_op(s);
5481         gen_helper_daa(cpu_env);
5482         set_cc_op(s, CC_OP_EFLAGS);
5483         break;
5484     case 0x2f: /* das */
5485         if (CODE64(s))
5486             goto illegal_op;
5487         gen_update_cc_op(s);
5488         gen_helper_das(cpu_env);
5489         set_cc_op(s, CC_OP_EFLAGS);
5490         break;
5491     case 0x37: /* aaa */
5492         if (CODE64(s))
5493             goto illegal_op;
5494         gen_update_cc_op(s);
5495         gen_helper_aaa(cpu_env);
5496         set_cc_op(s, CC_OP_EFLAGS);
5497         break;
5498     case 0x3f: /* aas */
5499         if (CODE64(s))
5500             goto illegal_op;
5501         gen_update_cc_op(s);
5502         gen_helper_aas(cpu_env);
5503         set_cc_op(s, CC_OP_EFLAGS);
5504         break;
5505     case 0xd4: /* aam */
5506         if (CODE64(s))
5507             goto illegal_op;
5508         val = x86_ldub_code(env, s);
5509         if (val == 0) {
5510             gen_exception(s, EXCP00_DIVZ);
5511         } else {
5512             gen_helper_aam(cpu_env, tcg_const_i32(val));
5513             set_cc_op(s, CC_OP_LOGICB);
5514         }
5515         break;
5516     case 0xd5: /* aad */
5517         if (CODE64(s))
5518             goto illegal_op;
5519         val = x86_ldub_code(env, s);
5520         gen_helper_aad(cpu_env, tcg_const_i32(val));
5521         set_cc_op(s, CC_OP_LOGICB);
5522         break;
5523         /************************/
5524         /* misc */
5525     case 0x90: /* nop */
5526         /* XXX: correct lock test for all insn */
5527         if (prefixes & PREFIX_LOCK) {
5528             goto illegal_op;
5529         }
5530         /* If REX_B is set, then this is xchg eax, r8d, not a nop.  */
5531         if (REX_B(s)) {
5532             goto do_xchg_reg_eax;
5533         }
5534         if (prefixes & PREFIX_REPZ) {
5535             gen_update_cc_op(s);
5536             gen_update_eip_cur(s);
5537             gen_helper_pause(cpu_env, cur_insn_len_i32(s));
5538             s->base.is_jmp = DISAS_NORETURN;
5539         }
5540         break;
5541     case 0x9b: /* fwait */
5542         if ((s->flags & (HF_MP_MASK | HF_TS_MASK)) ==
5543             (HF_MP_MASK | HF_TS_MASK)) {
5544             gen_exception(s, EXCP07_PREX);
5545         } else {
5546             gen_helper_fwait(cpu_env);
5547         }
5548         break;
5549     case 0xcc: /* int3 */
5550         gen_interrupt(s, EXCP03_INT3);
5551         break;
5552     case 0xcd: /* int N */
5553         val = x86_ldub_code(env, s);
5554         if (check_vm86_iopl(s)) {
5555             gen_interrupt(s, val);
5556         }
5557         break;
5558     case 0xce: /* into */
5559         if (CODE64(s))
5560             goto illegal_op;
5561         gen_update_cc_op(s);
5562         gen_update_eip_cur(s);
5563         gen_helper_into(cpu_env, cur_insn_len_i32(s));
5564         break;
5565 #ifdef WANT_ICEBP
5566     case 0xf1: /* icebp (undocumented, exits to external debugger) */
5567         gen_svm_check_intercept(s, SVM_EXIT_ICEBP);
5568         gen_debug(s);
5569         break;
5570 #endif
5571     case 0xfa: /* cli */
5572         if (check_iopl(s)) {
5573             gen_reset_eflags(s, IF_MASK);
5574         }
5575         break;
5576     case 0xfb: /* sti */
5577         if (check_iopl(s)) {
5578             gen_set_eflags(s, IF_MASK);
5579             /* Interrupts are recognized only after the insn following STI. */
5580             gen_update_eip_next(s);
5581             gen_eob_inhibit_irq(s, true);
5582         }
5583         break;
5584     case 0x62: /* bound */
5585         if (CODE64(s))
5586             goto illegal_op;
5587         ot = dflag;
5588         modrm = x86_ldub_code(env, s);
5589         reg = (modrm >> 3) & 7;
5590         mod = (modrm >> 6) & 3;
5591         if (mod == 3)
5592             goto illegal_op;
5593         gen_op_mov_v_reg(s, ot, s->T0, reg);
5594         gen_lea_modrm(env, s, modrm);
5595         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5596         if (ot == MO_16) {
5597             gen_helper_boundw(cpu_env, s->A0, s->tmp2_i32);
5598         } else {
5599             gen_helper_boundl(cpu_env, s->A0, s->tmp2_i32);
5600         }
5601         break;
5602     case 0x1c8 ... 0x1cf: /* bswap reg */
5603         reg = (b & 7) | REX_B(s);
5604 #ifdef TARGET_X86_64
5605         if (dflag == MO_64) {
5606             tcg_gen_bswap64_i64(cpu_regs[reg], cpu_regs[reg]);
5607             break;
5608         }
5609 #endif
5610         tcg_gen_bswap32_tl(cpu_regs[reg], cpu_regs[reg], TCG_BSWAP_OZ);
5611         break;
5612     case 0xd6: /* salc */
5613         if (CODE64(s))
5614             goto illegal_op;
5615         gen_compute_eflags_c(s, s->T0);
5616         tcg_gen_neg_tl(s->T0, s->T0);
5617         gen_op_mov_reg_v(s, MO_8, R_EAX, s->T0);
5618         break;
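         /*
          * LOOPcc/JECXZ: l1 is the taken branch to the 8-bit displacement,
          * l2 falls through to the next insn; the LOOP forms first
          * decrement CX/ECX as selected by the address size.
          */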
5619     case 0xe0: /* loopnz */
5620     case 0xe1: /* loopz */
5621     case 0xe2: /* loop */
5622     case 0xe3: /* jecxz */
5623         {
5624             TCGLabel *l1, *l2;
5625             int diff = (int8_t)insn_get(env, s, MO_8);
5626 
5627             l1 = gen_new_label();
5628             l2 = gen_new_label();
5629             gen_update_cc_op(s);
5630             b &= 3;
5631             switch(b) {
5632             case 0: /* loopnz */
5633             case 1: /* loopz */
5634                 gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
5635                 gen_op_jz_ecx(s, l2);
5636                 gen_jcc1(s, (JCC_Z << 1) | (b ^ 1), l1);
5637                 break;
5638             case 2: /* loop */
5639                 gen_op_add_reg_im(s, s->aflag, R_ECX, -1);
5640                 gen_op_jnz_ecx(s, l1);
5641                 break;
5642             default:
5643             case 3: /* jcxz */
5644                 gen_op_jz_ecx(s, l1);
5645                 break;
5646             }
5647 
5648             gen_set_label(l2);
5649             gen_jmp_rel_csize(s, 0, 1);
5650 
5651             gen_set_label(l1);
5652             gen_jmp_rel(s, dflag, diff, 0);
5653         }
5654         break;
5655     case 0x130: /* wrmsr */
5656     case 0x132: /* rdmsr */
5657         if (check_cpl0(s)) {
5658             gen_update_cc_op(s);
5659             gen_update_eip_cur(s);
5660             if (b & 2) {
5661                 gen_helper_rdmsr(cpu_env);
5662             } else {
5663                 gen_helper_wrmsr(cpu_env);
5664                 s->base.is_jmp = DISAS_EOB_NEXT;
5665             }
5666         }
5667         break;
5668     case 0x131: /* rdtsc */
5669         gen_update_cc_op(s);
5670         gen_update_eip_cur(s);
5671         if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
5672             gen_io_start();
5673             s->base.is_jmp = DISAS_TOO_MANY;
5674         }
5675         gen_helper_rdtsc(cpu_env);
5676         break;
5677     case 0x133: /* rdpmc */
5678         gen_update_cc_op(s);
5679         gen_update_eip_cur(s);
5680         gen_helper_rdpmc(cpu_env);
5681         s->base.is_jmp = DISAS_NORETURN;
5682         break;
5683     case 0x134: /* sysenter */
5684         /* For Intel CPUs, SYSENTER remains valid in 64-bit mode. */
5685         if (CODE64(s) && env->cpuid_vendor1 != CPUID_VENDOR_INTEL_1)
5686             goto illegal_op;
5687         if (!PE(s)) {
5688             gen_exception_gpf(s);
5689         } else {
5690             gen_helper_sysenter(cpu_env);
5691             s->base.is_jmp = DISAS_EOB_ONLY;
5692         }
5693         break;
5694     case 0x135: /* sysexit */
5695         /* For Intel CPUs, SYSEXIT remains valid in 64-bit mode. */
5696         if (CODE64(s) && env->cpuid_vendor1 != CPUID_VENDOR_INTEL_1)
5697             goto illegal_op;
5698         if (!PE(s)) {
5699             gen_exception_gpf(s);
5700         } else {
5701             gen_helper_sysexit(cpu_env, tcg_const_i32(dflag - 1));
5702             s->base.is_jmp = DISAS_EOB_ONLY;
5703         }
5704         break;
5705 #ifdef TARGET_X86_64
5706     case 0x105: /* syscall */
5707         /* XXX: is it usable in real mode? */
5708         gen_update_cc_op(s);
5709         gen_update_eip_cur(s);
5710         gen_helper_syscall(cpu_env, cur_insn_len_i32(s));
5711         /* TF handling for the syscall insn is different. The TF bit is checked
5712            after the syscall insn completes. This allows #DB to not be
5713            generated after one has entered CPL0 if TF is set in FMASK.  */
5714         gen_eob_worker(s, false, true);
5715         break;
5716     case 0x107: /* sysret */
5717         if (!PE(s)) {
5718             gen_exception_gpf(s);
5719         } else {
5720             gen_helper_sysret(cpu_env, tcg_const_i32(dflag - 1));
5721             /* condition codes are modified only in long mode */
5722             if (LMA(s)) {
5723                 set_cc_op(s, CC_OP_EFLAGS);
5724             }
5725             /* TF handling for the sysret insn is different. The TF bit is
5726                checked after the sysret insn completes. This allows #DB to be
5727                generated "as if" the syscall insn in userspace had just
5728                completed.  */
5729             gen_eob_worker(s, false, true);
5730         }
5731         break;
5732 #endif
5733     case 0x1a2: /* cpuid */
5734         gen_update_cc_op(s);
5735         gen_update_eip_cur(s);
5736         gen_helper_cpuid(cpu_env);
5737         break;
5738     case 0xf4: /* hlt */
5739         if (check_cpl0(s)) {
5740             gen_update_cc_op(s);
5741             gen_update_eip_cur(s);
5742             gen_helper_hlt(cpu_env, cur_insn_len_i32(s));
5743             s->base.is_jmp = DISAS_NORETURN;
5744         }
5745         break;
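         /*
          * 0f 00: system segment-register group; the ModRM reg field
          * selects sldt/str/lldt/ltr/verr/verw below.
          */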
5746     case 0x100:
5747         modrm = x86_ldub_code(env, s);
5748         mod = (modrm >> 6) & 3;
5749         op = (modrm >> 3) & 7;
5750         switch(op) {
5751         case 0: /* sldt */
5752             if (!PE(s) || VM86(s))
5753                 goto illegal_op;
5754             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5755                 break;
5756             }
5757             gen_svm_check_intercept(s, SVM_EXIT_LDTR_READ);
5758             tcg_gen_ld32u_tl(s->T0, cpu_env,
5759                              offsetof(CPUX86State, ldt.selector));
5760             ot = mod == 3 ? dflag : MO_16;
5761             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
5762             break;
5763         case 2: /* lldt */
5764             if (!PE(s) || VM86(s))
5765                 goto illegal_op;
5766             if (check_cpl0(s)) {
5767                 gen_svm_check_intercept(s, SVM_EXIT_LDTR_WRITE);
5768                 gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5769                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5770                 gen_helper_lldt(cpu_env, s->tmp2_i32);
5771             }
5772             break;
5773         case 1: /* str */
5774             if (!PE(s) || VM86(s))
5775                 goto illegal_op;
5776             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5777                 break;
5778             }
5779             gen_svm_check_intercept(s, SVM_EXIT_TR_READ);
5780             tcg_gen_ld32u_tl(s->T0, cpu_env,
5781                              offsetof(CPUX86State, tr.selector));
5782             ot = mod == 3 ? dflag : MO_16;
5783             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
5784             break;
5785         case 3: /* ltr */
5786             if (!PE(s) || VM86(s))
5787                 goto illegal_op;
5788             if (check_cpl0(s)) {
5789                 gen_svm_check_intercept(s, SVM_EXIT_TR_WRITE);
5790                 gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5791                 tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
5792                 gen_helper_ltr(cpu_env, s->tmp2_i32);
5793             }
5794             break;
5795         case 4: /* verr */
5796         case 5: /* verw */
5797             if (!PE(s) || VM86(s))
5798                 goto illegal_op;
5799             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
5800             gen_update_cc_op(s);
5801             if (op == 4) {
5802                 gen_helper_verr(cpu_env, s->T0);
5803             } else {
5804                 gen_helper_verw(cpu_env, s->T0);
5805             }
5806             set_cc_op(s, CC_OP_EFLAGS);
5807             break;
5808         default:
5809             goto unknown_op;
5810         }
5811         break;
5812 
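         /*
          * 0f 01: descriptor-table and system group.  The whole modrm byte
          * is switched on so that register-form encodings (monitor, mwait,
          * vmrun, swapgs, ...) can be told apart from the memory forms.
          */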
5813     case 0x101:
5814         modrm = x86_ldub_code(env, s);
5815         switch (modrm) {
5816         CASE_MODRM_MEM_OP(0): /* sgdt */
5817             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5818                 break;
5819             }
5820             gen_svm_check_intercept(s, SVM_EXIT_GDTR_READ);
5821             gen_lea_modrm(env, s, modrm);
5822             tcg_gen_ld32u_tl(s->T0,
5823                              cpu_env, offsetof(CPUX86State, gdt.limit));
5824             gen_op_st_v(s, MO_16, s->T0, s->A0);
5825             gen_add_A0_im(s, 2);
5826             tcg_gen_ld_tl(s->T0, cpu_env, offsetof(CPUX86State, gdt.base));
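                 /*
                  * With a 16-bit operand size, only the low 24 bits of the
                  * base are stored and the top byte is written as zero.
                  */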
5827             if (dflag == MO_16) {
5828                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
5829             }
5830             gen_op_st_v(s, CODE64(s) + MO_32, s->T0, s->A0);
5831             break;
5832 
5833         case 0xc8: /* monitor */
5834             if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || CPL(s) != 0) {
5835                 goto illegal_op;
5836             }
5837             gen_update_cc_op(s);
5838             gen_update_eip_cur(s);
5839             tcg_gen_mov_tl(s->A0, cpu_regs[R_EAX]);
5840             gen_extu(s->aflag, s->A0);
5841             gen_add_A0_ds_seg(s);
5842             gen_helper_monitor(cpu_env, s->A0);
5843             break;
5844 
5845         case 0xc9: /* mwait */
5846             if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || CPL(s) != 0) {
5847                 goto illegal_op;
5848             }
5849             gen_update_cc_op(s);
5850             gen_update_eip_cur(s);
5851             gen_helper_mwait(cpu_env, cur_insn_len_i32(s));
5852             s->base.is_jmp = DISAS_NORETURN;
5853             break;
5854 
5855         case 0xca: /* clac */
5856             if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_SMAP)
5857                 || CPL(s) != 0) {
5858                 goto illegal_op;
5859             }
5860             gen_reset_eflags(s, AC_MASK);
5861             s->base.is_jmp = DISAS_EOB_NEXT;
5862             break;
5863 
5864         case 0xcb: /* stac */
5865             if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_SMAP)
5866                 || CPL(s) != 0) {
5867                 goto illegal_op;
5868             }
5869             gen_set_eflags(s, AC_MASK);
5870             s->base.is_jmp = DISAS_EOB_NEXT;
5871             break;
5872 
5873         CASE_MODRM_MEM_OP(1): /* sidt */
5874             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
5875                 break;
5876             }
5877             gen_svm_check_intercept(s, SVM_EXIT_IDTR_READ);
5878             gen_lea_modrm(env, s, modrm);
5879             tcg_gen_ld32u_tl(s->T0, cpu_env, offsetof(CPUX86State, idt.limit));
5880             gen_op_st_v(s, MO_16, s->T0, s->A0);
5881             gen_add_A0_im(s, 2);
5882             tcg_gen_ld_tl(s->T0, cpu_env, offsetof(CPUX86State, idt.base));
5883             if (dflag == MO_16) {
5884                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
5885             }
5886             gen_op_st_v(s, CODE64(s) + MO_32, s->T0, s->A0);
5887             break;
5888 
5889         case 0xd0: /* xgetbv */
5890             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
5891                 || (s->prefix & (PREFIX_LOCK | PREFIX_DATA
5892                                  | PREFIX_REPZ | PREFIX_REPNZ))) {
5893                 goto illegal_op;
5894             }
5895             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
5896             gen_helper_xgetbv(s->tmp1_i64, cpu_env, s->tmp2_i32);
5897             tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], s->tmp1_i64);
5898             break;
5899 
5900         case 0xd1: /* xsetbv */
5901             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
5902                 || (s->prefix & (PREFIX_LOCK | PREFIX_DATA
5903                                  | PREFIX_REPZ | PREFIX_REPNZ))) {
5904                 goto illegal_op;
5905             }
5906             if (!check_cpl0(s)) {
5907                 break;
5908             }
5909             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
5910                                   cpu_regs[R_EDX]);
5911             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
5912             gen_helper_xsetbv(cpu_env, s->tmp2_i32, s->tmp1_i64);
5913             /* End TB because translation flags may change.  */
5914             s->base.is_jmp = DISAS_EOB_NEXT;
5915             break;
5916 
5917         case 0xd8: /* VMRUN */
5918             if (!SVME(s) || !PE(s)) {
5919                 goto illegal_op;
5920             }
5921             if (!check_cpl0(s)) {
5922                 break;
5923             }
5924             gen_update_cc_op(s);
5925             gen_update_eip_cur(s);
5926             gen_helper_vmrun(cpu_env, tcg_const_i32(s->aflag - 1),
5927                              cur_insn_len_i32(s));
5928             tcg_gen_exit_tb(NULL, 0);
5929             s->base.is_jmp = DISAS_NORETURN;
5930             break;
5931 
5932         case 0xd9: /* VMMCALL */
5933             if (!SVME(s)) {
5934                 goto illegal_op;
5935             }
5936             gen_update_cc_op(s);
5937             gen_update_eip_cur(s);
5938             gen_helper_vmmcall(cpu_env);
5939             break;
5940 
5941         case 0xda: /* VMLOAD */
5942             if (!SVME(s) || !PE(s)) {
5943                 goto illegal_op;
5944             }
5945             if (!check_cpl0(s)) {
5946                 break;
5947             }
5948             gen_update_cc_op(s);
5949             gen_update_eip_cur(s);
5950             gen_helper_vmload(cpu_env, tcg_const_i32(s->aflag - 1));
5951             break;
5952 
5953         case 0xdb: /* VMSAVE */
5954             if (!SVME(s) || !PE(s)) {
5955                 goto illegal_op;
5956             }
5957             if (!check_cpl0(s)) {
5958                 break;
5959             }
5960             gen_update_cc_op(s);
5961             gen_update_eip_cur(s);
5962             gen_helper_vmsave(cpu_env, tcg_const_i32(s->aflag - 1));
5963             break;
5964 
5965         case 0xdc: /* STGI */
5966             if ((!SVME(s) && !(s->cpuid_ext3_features & CPUID_EXT3_SKINIT))
5967                 || !PE(s)) {
5968                 goto illegal_op;
5969             }
5970             if (!check_cpl0(s)) {
5971                 break;
5972             }
5973             gen_update_cc_op(s);
5974             gen_helper_stgi(cpu_env);
5975             s->base.is_jmp = DISAS_EOB_NEXT;
5976             break;
5977 
5978         case 0xdd: /* CLGI */
5979             if (!SVME(s) || !PE(s)) {
5980                 goto illegal_op;
5981             }
5982             if (!check_cpl0(s)) {
5983                 break;
5984             }
5985             gen_update_cc_op(s);
5986             gen_update_eip_cur(s);
5987             gen_helper_clgi(cpu_env);
5988             break;
5989 
5990         case 0xde: /* SKINIT */
5991             if ((!SVME(s) && !(s->cpuid_ext3_features & CPUID_EXT3_SKINIT))
5992                 || !PE(s)) {
5993                 goto illegal_op;
5994             }
5995             gen_svm_check_intercept(s, SVM_EXIT_SKINIT);
5996             /* If not intercepted, not implemented -- raise #UD. */
5997             goto illegal_op;
5998 
5999         case 0xdf: /* INVLPGA */
6000             if (!SVME(s) || !PE(s)) {
6001                 goto illegal_op;
6002             }
6003             if (!check_cpl0(s)) {
6004                 break;
6005             }
6006             gen_svm_check_intercept(s, SVM_EXIT_INVLPGA);
6007             if (s->aflag == MO_64) {
6008                 tcg_gen_mov_tl(s->A0, cpu_regs[R_EAX]);
6009             } else {
6010                 tcg_gen_ext32u_tl(s->A0, cpu_regs[R_EAX]);
6011             }
6012             gen_helper_flush_page(cpu_env, s->A0);
6013             s->base.is_jmp = DISAS_EOB_NEXT;
6014             break;
6015 
6016         CASE_MODRM_MEM_OP(2): /* lgdt */
6017             if (!check_cpl0(s)) {
6018                 break;
6019             }
6020             gen_svm_check_intercept(s, SVM_EXIT_GDTR_WRITE);
6021             gen_lea_modrm(env, s, modrm);
6022             gen_op_ld_v(s, MO_16, s->T1, s->A0);
6023             gen_add_A0_im(s, 2);
6024             gen_op_ld_v(s, CODE64(s) + MO_32, s->T0, s->A0);
6025             if (dflag == MO_16) {
6026                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
6027             }
6028             tcg_gen_st_tl(s->T0, cpu_env, offsetof(CPUX86State, gdt.base));
6029             tcg_gen_st32_tl(s->T1, cpu_env, offsetof(CPUX86State, gdt.limit));
6030             break;
6031 
6032         CASE_MODRM_MEM_OP(3): /* lidt */
6033             if (!check_cpl0(s)) {
6034                 break;
6035             }
6036             gen_svm_check_intercept(s, SVM_EXIT_IDTR_WRITE);
6037             gen_lea_modrm(env, s, modrm);
6038             gen_op_ld_v(s, MO_16, s->T1, s->A0);
6039             gen_add_A0_im(s, 2);
6040             gen_op_ld_v(s, CODE64(s) + MO_32, s->T0, s->A0);
6041             if (dflag == MO_16) {
6042                 tcg_gen_andi_tl(s->T0, s->T0, 0xffffff);
6043             }
6044             tcg_gen_st_tl(s->T0, cpu_env, offsetof(CPUX86State, idt.base));
6045             tcg_gen_st32_tl(s->T1, cpu_env, offsetof(CPUX86State, idt.limit));
6046             break;
6047 
6048         CASE_MODRM_OP(4): /* smsw */
6049             if (s->flags & HF_UMIP_MASK && !check_cpl0(s)) {
6050                 break;
6051             }
6052             gen_svm_check_intercept(s, SVM_EXIT_READ_CR0);
6053             tcg_gen_ld_tl(s->T0, cpu_env, offsetof(CPUX86State, cr[0]));
6054             /*
6055              * In 32-bit mode, the higher 16 bits of the destination
6056              * register are undefined.  In practice CR0[31:0] is stored
6057              * just like in 64-bit mode.
6058              */
6059             mod = (modrm >> 6) & 3;
6060             ot = (mod != 3 ? MO_16 : s->dflag);
6061             gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
6062             break;
6063         case 0xee: /* rdpkru */
6064             if (prefixes & PREFIX_LOCK) {
6065                 goto illegal_op;
6066             }
6067             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
6068             gen_helper_rdpkru(s->tmp1_i64, cpu_env, s->tmp2_i32);
6069             tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], s->tmp1_i64);
6070             break;
6071         case 0xef: /* wrpkru */
6072             if (prefixes & PREFIX_LOCK) {
6073                 goto illegal_op;
6074             }
6075             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6076                                   cpu_regs[R_EDX]);
6077             tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
6078             gen_helper_wrpkru(cpu_env, s->tmp2_i32, s->tmp1_i64);
6079             break;
6080 
6081         CASE_MODRM_OP(6): /* lmsw */
6082             if (!check_cpl0(s)) {
6083                 break;
6084             }
6085             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0);
6086             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
6087             /*
6088              * Only the 4 lower bits of CR0 are modified.
6089              * PE cannot be set to zero if already set to one.
6090              */
6091             tcg_gen_ld_tl(s->T1, cpu_env, offsetof(CPUX86State, cr[0]));
6092             tcg_gen_andi_tl(s->T0, s->T0, 0xf);
6093             tcg_gen_andi_tl(s->T1, s->T1, ~0xe);
6094             tcg_gen_or_tl(s->T0, s->T0, s->T1);
6095             gen_helper_write_crN(cpu_env, tcg_constant_i32(0), s->T0);
6096             s->base.is_jmp = DISAS_EOB_NEXT;
6097             break;
6098 
6099         CASE_MODRM_MEM_OP(7): /* invlpg */
6100             if (!check_cpl0(s)) {
6101                 break;
6102             }
6103             gen_svm_check_intercept(s, SVM_EXIT_INVLPG);
6104             gen_lea_modrm(env, s, modrm);
6105             gen_helper_flush_page(cpu_env, s->A0);
6106             s->base.is_jmp = DISAS_EOB_NEXT;
6107             break;
6108 
6109         case 0xf8: /* swapgs */
6110 #ifdef TARGET_X86_64
6111             if (CODE64(s)) {
6112                 if (check_cpl0(s)) {
6113                     tcg_gen_mov_tl(s->T0, cpu_seg_base[R_GS]);
6114                     tcg_gen_ld_tl(cpu_seg_base[R_GS], cpu_env,
6115                                   offsetof(CPUX86State, kernelgsbase));
6116                     tcg_gen_st_tl(s->T0, cpu_env,
6117                                   offsetof(CPUX86State, kernelgsbase));
6118                 }
6119                 break;
6120             }
6121 #endif
6122             goto illegal_op;
6123 
6124         case 0xf9: /* rdtscp */
6125             if (!(s->cpuid_ext2_features & CPUID_EXT2_RDTSCP)) {
6126                 goto illegal_op;
6127             }
6128             gen_update_cc_op(s);
6129             gen_update_eip_cur(s);
6130             if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
6131                 gen_io_start();
6132                 s->base.is_jmp = DISAS_TOO_MANY;
6133             }
6134             gen_helper_rdtscp(cpu_env);
6135             break;
6136 
6137         default:
6138             goto unknown_op;
6139         }
6140         break;
6141 
6142     case 0x108: /* invd */
6143     case 0x109: /* wbinvd */
6144         if (check_cpl0(s)) {
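                 /*
                  * 0F 08 is INVD and 0F 09 is WBINVD, so bit 0 of the
                  * opcode picks the SVM intercept.  TCG does not model
                  * the caches, so beyond the intercept there is
                  * nothing to emit.
                  */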
6145             gen_svm_check_intercept(s, (b & 1) ? SVM_EXIT_WBINVD : SVM_EXIT_INVD);
6146             /* nothing to do */
6147         }
6148         break;
6149     case 0x63: /* arpl or movsxd (x86_64) */
6150 #ifdef TARGET_X86_64
6151         if (CODE64(s)) {
6152             int d_ot;
6153             /* d_ot is the size of the destination */
6154             d_ot = dflag;
6155 
6156             modrm = x86_ldub_code(env, s);
6157             reg = ((modrm >> 3) & 7) | REX_R(s);
6158             mod = (modrm >> 6) & 3;
6159             rm = (modrm & 7) | REX_B(s);
6160 
6161             if (mod == 3) {
6162                 gen_op_mov_v_reg(s, MO_32, s->T0, rm);
6163                 /* sign extend */
6164                 if (d_ot == MO_64) {
6165                     tcg_gen_ext32s_tl(s->T0, s->T0);
6166                 }
6167                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
6168             } else {
6169                 gen_lea_modrm(env, s, modrm);
6170                 gen_op_ld_v(s, MO_32 | MO_SIGN, s->T0, s->A0);
6171                 gen_op_mov_reg_v(s, d_ot, reg, s->T0);
6172             }
6173         } else
6174 #endif
6175         {
6176             TCGLabel *label1;
6177             TCGv t0, t1, t2;
6178 
6179             if (!PE(s) || VM86(s))
6180                 goto illegal_op;
6181             t0 = tcg_temp_new();
6182             t1 = tcg_temp_new();
6183             t2 = tcg_temp_new();
6184             ot = MO_16;
6185             modrm = x86_ldub_code(env, s);
6186             reg = (modrm >> 3) & 7;
6187             mod = (modrm >> 6) & 3;
6188             rm = modrm & 7;
6189             if (mod != 3) {
6190                 gen_lea_modrm(env, s, modrm);
6191                 gen_op_ld_v(s, ot, t0, s->A0);
6192             } else {
6193                 gen_op_mov_v_reg(s, ot, t0, rm);
6194             }
6195             gen_op_mov_v_reg(s, ot, t1, reg);
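                 /*
                  * ARPL: if dest.RPL < src.RPL, raise dest.RPL to
                  * src.RPL and set ZF, else clear ZF.  E.g.
                  * "arpl %ax, %bx" with bx = 0x0010 (RPL 0) and ax
                  * RPL 3 stores 0x0013 in bx and sets ZF.
                  */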
6196             tcg_gen_andi_tl(s->tmp0, t0, 3);
6197             tcg_gen_andi_tl(t1, t1, 3);
6198             tcg_gen_movi_tl(t2, 0);
6199             label1 = gen_new_label();
6200             tcg_gen_brcond_tl(TCG_COND_GE, s->tmp0, t1, label1);
6201             tcg_gen_andi_tl(t0, t0, ~3);
6202             tcg_gen_or_tl(t0, t0, t1);
6203             tcg_gen_movi_tl(t2, CC_Z);
6204             gen_set_label(label1);
6205             if (mod != 3) {
6206                 gen_op_st_v(s, ot, t0, s->A0);
6207             } else {
6208                 gen_op_mov_reg_v(s, ot, rm, t0);
6209             }
6210             gen_compute_eflags(s);
6211             tcg_gen_andi_tl(cpu_cc_src, cpu_cc_src, ~CC_Z);
6212             tcg_gen_or_tl(cpu_cc_src, cpu_cc_src, t2);
6213         }
6214         break;
6215     case 0x102: /* lar */
6216     case 0x103: /* lsl */
6217         {
6218             TCGLabel *label1;
6219             TCGv t0;
6220             if (!PE(s) || VM86(s))
6221                 goto illegal_op;
6222             ot = dflag != MO_16 ? MO_32 : MO_16;
6223             modrm = x86_ldub_code(env, s);
6224             reg = ((modrm >> 3) & 7) | REX_R(s);
6225             gen_ldst_modrm(env, s, modrm, MO_16, OR_TMP0, 0);
6226             t0 = tcg_temp_new();
6227             gen_update_cc_op(s);
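                 /*
                  * LAR loads the access rights and LSL the segment
                  * limit of the selector in T0.  The helpers report
                  * success by setting ZF in cc_src; the destination
                  * is written only in that case (checked below).
                  */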
6228             if (b == 0x102) {
6229                 gen_helper_lar(t0, cpu_env, s->T0);
6230             } else {
6231                 gen_helper_lsl(t0, cpu_env, s->T0);
6232             }
6233             tcg_gen_andi_tl(s->tmp0, cpu_cc_src, CC_Z);
6234             label1 = gen_new_label();
6235             tcg_gen_brcondi_tl(TCG_COND_EQ, s->tmp0, 0, label1);
6236             gen_op_mov_reg_v(s, ot, reg, t0);
6237             gen_set_label(label1);
6238             set_cc_op(s, CC_OP_EFLAGS);
6239         }
6240         break;
6241     case 0x118:
6242         modrm = x86_ldub_code(env, s);
6243         mod = (modrm >> 6) & 3;
6244         op = (modrm >> 3) & 7;
6245         switch(op) {
6246         case 0: /* prefetchnta */
6247         case 1: /* prefetcht0 */
6248         case 2: /* prefetcht1 */
6249         case 3: /* prefetcht2 */
6250             if (mod == 3)
6251                 goto illegal_op;
6252             gen_nop_modrm(env, s, modrm);
6253             /* nothing more to do */
6254             break;
6255         default: /* nop (multi byte) */
6256             gen_nop_modrm(env, s, modrm);
6257             break;
6258         }
6259         break;
6260     case 0x11a:
6261         modrm = x86_ldub_code(env, s);
6262         if (s->flags & HF_MPX_EN_MASK) {
6263             mod = (modrm >> 6) & 3;
6264             reg = ((modrm >> 3) & 7) | REX_R(s);
6265             if (prefixes & PREFIX_REPZ) {
6266                 /* bndcl */
6267                 if (reg >= 4
6268                     || (prefixes & PREFIX_LOCK)
6269                     || s->aflag == MO_16) {
6270                     goto illegal_op;
6271                 }
6272                 gen_bndck(env, s, modrm, TCG_COND_LTU, cpu_bndl[reg]);
6273             } else if (prefixes & PREFIX_REPNZ) {
6274                 /* bndcu */
6275                 if (reg >= 4
6276                     || (prefixes & PREFIX_LOCK)
6277                     || s->aflag == MO_16) {
6278                     goto illegal_op;
6279                 }
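                     /*
                      * Bound registers hold the upper bound in its
                      * architectural one's-complement form, so invert
                      * to recover the real limit before the unsigned
                      * compare; BNDCN (F2 0F 1B) compares the raw
                      * value instead.
                      */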
6280                 TCGv_i64 notu = tcg_temp_new_i64();
6281                 tcg_gen_not_i64(notu, cpu_bndu[reg]);
6282                 gen_bndck(env, s, modrm, TCG_COND_GTU, notu);
6283             } else if (prefixes & PREFIX_DATA) {
6284                 /* bndmov -- from reg/mem */
6285                 if (reg >= 4 || s->aflag == MO_16) {
6286                     goto illegal_op;
6287                 }
6288                 if (mod == 3) {
6289                     int reg2 = (modrm & 7) | REX_B(s);
6290                     if (reg2 >= 4 || (prefixes & PREFIX_LOCK)) {
6291                         goto illegal_op;
6292                     }
6293                     if (s->flags & HF_MPX_IU_MASK) {
6294                         tcg_gen_mov_i64(cpu_bndl[reg], cpu_bndl[reg2]);
6295                         tcg_gen_mov_i64(cpu_bndu[reg], cpu_bndu[reg2]);
6296                     }
6297                 } else {
6298                     gen_lea_modrm(env, s, modrm);
6299                     if (CODE64(s)) {
6300                         tcg_gen_qemu_ld_i64(cpu_bndl[reg], s->A0,
6301                                             s->mem_index, MO_LEUQ);
6302                         tcg_gen_addi_tl(s->A0, s->A0, 8);
6303                         tcg_gen_qemu_ld_i64(cpu_bndu[reg], s->A0,
6304                                             s->mem_index, MO_LEUQ);
6305                     } else {
6306                         tcg_gen_qemu_ld_i64(cpu_bndl[reg], s->A0,
6307                                             s->mem_index, MO_LEUL);
6308                         tcg_gen_addi_tl(s->A0, s->A0, 4);
6309                         tcg_gen_qemu_ld_i64(cpu_bndu[reg], s->A0,
6310                                             s->mem_index, MO_LEUL);
6311                     }
6312                     /* bnd registers are now in-use */
6313                     /* bnd registers are now in use */
6314                 }
6315             } else if (mod != 3) {
6316                 /* bndldx */
6317                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6318                 if (reg >= 4
6319                     || (prefixes & PREFIX_LOCK)
6320                     || s->aflag == MO_16
6321                     || a.base < -1) {
6322                     goto illegal_op;
6323                 }
6324                 if (a.base >= 0) {
6325                     tcg_gen_addi_tl(s->A0, cpu_regs[a.base], a.disp);
6326                 } else {
6327                     tcg_gen_movi_tl(s->A0, 0);
6328                 }
6329                 gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
6330                 if (a.index >= 0) {
6331                     tcg_gen_mov_tl(s->T0, cpu_regs[a.index]);
6332                 } else {
6333                     tcg_gen_movi_tl(s->T0, 0);
6334                 }
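                     /*
                      * Look the bounds up in the bound table.  The
                      * 64-bit helper returns the lower bound and
                      * leaves the upper bound in mmx_t0 (reloaded
                      * below); the 32-bit helper packs both 32-bit
                      * bounds into one 64-bit value, split apart here.
                      */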
6335                 if (CODE64(s)) {
6336                     gen_helper_bndldx64(cpu_bndl[reg], cpu_env, s->A0, s->T0);
6337                     tcg_gen_ld_i64(cpu_bndu[reg], cpu_env,
6338                                    offsetof(CPUX86State, mmx_t0.MMX_Q(0)));
6339                 } else {
6340                     gen_helper_bndldx32(cpu_bndu[reg], cpu_env, s->A0, s->T0);
6341                     tcg_gen_ext32u_i64(cpu_bndl[reg], cpu_bndu[reg]);
6342                     tcg_gen_shri_i64(cpu_bndu[reg], cpu_bndu[reg], 32);
6343                 }
6344                 gen_set_hflag(s, HF_MPX_IU_MASK);
6345             }
6346         }
6347         gen_nop_modrm(env, s, modrm);
6348         break;
6349     case 0x11b:
6350         modrm = x86_ldub_code(env, s);
6351         if (s->flags & HF_MPX_EN_MASK) {
6352             mod = (modrm >> 6) & 3;
6353             reg = ((modrm >> 3) & 7) | REX_R(s);
6354             if (mod != 3 && (prefixes & PREFIX_REPZ)) {
6355                 /* bndmk */
6356                 if (reg >= 4
6357                     || (prefixes & PREFIX_LOCK)
6358                     || s->aflag == MO_16) {
6359                     goto illegal_op;
6360                 }
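                     /*
                      * BNDMK: the base register gives the lower bound
                      * and the full effective address the upper bound,
                      * stored one's-complemented.  E.g.
                      * "bndmk 0x10(%rax), %bnd0" sets lb = rax and
                      * ub = rax + 0x10 (kept as ~(rax + 0x10)).
                      */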
6361                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6362                 if (a.base >= 0) {
6363                     tcg_gen_extu_tl_i64(cpu_bndl[reg], cpu_regs[a.base]);
6364                     if (!CODE64(s)) {
6365                         tcg_gen_ext32u_i64(cpu_bndl[reg], cpu_bndl[reg]);
6366                     }
6367                 } else if (a.base == -1) {
6368                     /* no base register: the lower bound is 0 */
6369                     tcg_gen_movi_i64(cpu_bndl[reg], 0);
6370                 } else {
6371                     /* rip-relative generates #ud */
6372                     /* rip-relative generates #UD */
6373                 }
6374                 tcg_gen_not_tl(s->A0, gen_lea_modrm_1(s, a, false));
6375                 if (!CODE64(s)) {
6376                     tcg_gen_ext32u_tl(s->A0, s->A0);
6377                 }
6378                 tcg_gen_extu_tl_i64(cpu_bndu[reg], s->A0);
6379                 /* bnd registers are now in-use */
6380                 /* bnd registers are now in use */
6381                 break;
6382             } else if (prefixes & PREFIX_REPNZ) {
6383                 /* bndcn */
6384                 if (reg >= 4
6385                     || (prefixes & PREFIX_LOCK)
6386                     || s->aflag == MO_16) {
6387                     goto illegal_op;
6388                 }
6389                 gen_bndck(env, s, modrm, TCG_COND_GTU, cpu_bndu[reg]);
6390             } else if (prefixes & PREFIX_DATA) {
6391                 /* bndmov -- to reg/mem */
6392                 if (reg >= 4 || s->aflag == MO_16) {
6393                     goto illegal_op;
6394                 }
6395                 if (mod == 3) {
6396                     int reg2 = (modrm & 7) | REX_B(s);
6397                     if (reg2 >= 4 || (prefixes & PREFIX_LOCK)) {
6398                         goto illegal_op;
6399                     }
6400                     if (s->flags & HF_MPX_IU_MASK) {
6401                         tcg_gen_mov_i64(cpu_bndl[reg2], cpu_bndl[reg]);
6402                         tcg_gen_mov_i64(cpu_bndu[reg2], cpu_bndu[reg]);
6403                     }
6404                 } else {
6405                     gen_lea_modrm(env, s, modrm);
6406                     if (CODE64(s)) {
6407                         tcg_gen_qemu_st_i64(cpu_bndl[reg], s->A0,
6408                                             s->mem_index, MO_LEUQ);
6409                         tcg_gen_addi_tl(s->A0, s->A0, 8);
6410                         tcg_gen_qemu_st_i64(cpu_bndu[reg], s->A0,
6411                                             s->mem_index, MO_LEUQ);
6412                     } else {
6413                         tcg_gen_qemu_st_i64(cpu_bndl[reg], s->A0,
6414                                             s->mem_index, MO_LEUL);
6415                         tcg_gen_addi_tl(s->A0, s->A0, 4);
6416                         tcg_gen_qemu_st_i64(cpu_bndu[reg], s->A0,
6417                                             s->mem_index, MO_LEUL);
6418                     }
6419                 }
6420             } else if (mod != 3) {
6421                 /* bndstx */
6422                 AddressParts a = gen_lea_modrm_0(env, s, modrm);
6423                 if (reg >= 4
6424                     || (prefixes & PREFIX_LOCK)
6425                     || s->aflag == MO_16
6426                     || a.base < -1) {
6427                     goto illegal_op;
6428                 }
6429                 if (a.base >= 0) {
6430                     tcg_gen_addi_tl(s->A0, cpu_regs[a.base], a.disp);
6431                 } else {
6432                     tcg_gen_movi_tl(s->A0, 0);
6433                 }
6434                 gen_lea_v_seg(s, s->aflag, s->A0, a.def_seg, s->override);
6435                 if (a.index >= 0) {
6436                     tcg_gen_mov_tl(s->T0, cpu_regs[a.index]);
6437                 } else {
6438                     tcg_gen_movi_tl(s->T0, 0);
6439                 }
6440                 if (CODE64(s)) {
6441                     gen_helper_bndstx64(cpu_env, s->A0, s->T0,
6442                                         cpu_bndl[reg], cpu_bndu[reg]);
6443                 } else {
6444                     gen_helper_bndstx32(cpu_env, s->A0, s->T0,
6445                                         cpu_bndl[reg], cpu_bndu[reg]);
6446                 }
6447             }
6448         }
6449         gen_nop_modrm(env, s, modrm);
6450         break;
6451     case 0x119: case 0x11c ... 0x11f: /* nop (multi byte) */
6452         modrm = x86_ldub_code(env, s);
6453         gen_nop_modrm(env, s, modrm);
6454         break;
6455 
6456     case 0x120: /* mov reg, crN */
6457     case 0x122: /* mov crN, reg */
6458         if (!check_cpl0(s)) {
6459             break;
6460         }
6461         modrm = x86_ldub_code(env, s);
6462         /*
6463          * Ignore the mod bits (assume (modrm&0xc0)==0xc0).
6464          * AMD documentation (24594.pdf) and testing of Intel 386 and 486
6465          * processors all show that the mod bits are assumed to be 1's,
6466          * regardless of actual values.
6467          */
6468         rm = (modrm & 7) | REX_B(s);
6469         reg = ((modrm >> 3) & 7) | REX_R(s);
6470         switch (reg) {
6471         case 0:
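                 /*
                  * On AMD CPUs with the CR8 legacy alias, a LOCK
                  * prefix redirects CR0 accesses to CR8 (the TPR), so
                  * e.g. "lock mov %cr0, %eax" reads CR8 from 32-bit
                  * code.
                  */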
6472             if ((prefixes & PREFIX_LOCK) &&
6473                 (s->cpuid_ext3_features & CPUID_EXT3_CR8LEG)) {
6474                 reg = 8;
6475             }
6476             break;
6477         case 2:
6478         case 3:
6479         case 4:
6480         case 8:
6481             break;
6482         default:
6483             goto unknown_op;
6484         }
6485         ot = (CODE64(s) ? MO_64 : MO_32);
6486 
6487         if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
6488             gen_io_start();
6489             s->base.is_jmp = DISAS_TOO_MANY;
6490         }
6491         if (b & 2) {
6492             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0 + reg);
6493             gen_op_mov_v_reg(s, ot, s->T0, rm);
6494             gen_helper_write_crN(cpu_env, tcg_constant_i32(reg), s->T0);
6495             s->base.is_jmp = DISAS_EOB_NEXT;
6496         } else {
6497             gen_svm_check_intercept(s, SVM_EXIT_READ_CR0 + reg);
6498             gen_helper_read_crN(s->T0, cpu_env, tcg_constant_i32(reg));
6499             gen_op_mov_reg_v(s, ot, rm, s->T0);
6500         }
6501         break;
6502 
6503     case 0x121: /* mov reg, drN */
6504     case 0x123: /* mov drN, reg */
6505         if (check_cpl0(s)) {
6506             modrm = x86_ldub_code(env, s);
6507             /* Ignore the mod bits (assume (modrm&0xc0)==0xc0).
6508              * AMD documentation (24594.pdf) and testing of
6509              * Intel 386 and 486 processors all show that the mod bits
6510              * are assumed to be 1's, regardless of actual values.
6511              */
6512             rm = (modrm & 7) | REX_B(s);
6513             reg = ((modrm >> 3) & 7) | REX_R(s);
6514             ot = (CODE64(s) ? MO_64 : MO_32);
6518             if (reg >= 8) {
6519                 goto illegal_op;
6520             }
6521             if (b & 2) {
6522                 gen_svm_check_intercept(s, SVM_EXIT_WRITE_DR0 + reg);
6523                 gen_op_mov_v_reg(s, ot, s->T0, rm);
6524                 tcg_gen_movi_i32(s->tmp2_i32, reg);
6525                 gen_helper_set_dr(cpu_env, s->tmp2_i32, s->T0);
6526                 s->base.is_jmp = DISAS_EOB_NEXT;
6527             } else {
6528                 gen_svm_check_intercept(s, SVM_EXIT_READ_DR0 + reg);
6529                 tcg_gen_movi_i32(s->tmp2_i32, reg);
6530                 gen_helper_get_dr(s->T0, cpu_env, s->tmp2_i32);
6531                 gen_op_mov_reg_v(s, ot, rm, s->T0);
6532             }
6533         }
6534         break;
6535     case 0x106: /* clts */
6536         if (check_cpl0(s)) {
6537             gen_svm_check_intercept(s, SVM_EXIT_WRITE_CR0);
6538             gen_helper_clts(cpu_env);
6539             /* abort block because static cpu state changed */
6540             s->base.is_jmp = DISAS_EOB_NEXT;
6541         }
6542         break;
6543     /* MMX/3DNow!/SSE/SSE2/SSE3/SSSE3/SSE4 support */
6544     case 0x1c3: /* MOVNTI reg, mem */
6545         if (!(s->cpuid_features & CPUID_SSE2))
6546             goto illegal_op;
6547         ot = mo_64_32(dflag);
6548         modrm = x86_ldub_code(env, s);
6549         mod = (modrm >> 6) & 3;
6550         if (mod == 3)
6551             goto illegal_op;
6552         reg = ((modrm >> 3) & 7) | REX_R(s);
6553         /* generate a generic store; TCG does not model the non-temporal hint */
6554         gen_ldst_modrm(env, s, modrm, ot, reg, 1);
6555         break;
6556     case 0x1ae:
6557         modrm = x86_ldub_code(env, s);
6558         switch (modrm) {
6559         CASE_MODRM_MEM_OP(0): /* fxsave */
6560             if (!(s->cpuid_features & CPUID_FXSR)
6561                 || (prefixes & PREFIX_LOCK)) {
6562                 goto illegal_op;
6563             }
6564             if ((s->flags & HF_EM_MASK) || (s->flags & HF_TS_MASK)) {
6565                 gen_exception(s, EXCP07_PREX);
6566                 break;
6567             }
6568             gen_lea_modrm(env, s, modrm);
6569             gen_helper_fxsave(cpu_env, s->A0);
6570             break;
6571 
6572         CASE_MODRM_MEM_OP(1): /* fxrstor */
6573             if (!(s->cpuid_features & CPUID_FXSR)
6574                 || (prefixes & PREFIX_LOCK)) {
6575                 goto illegal_op;
6576             }
6577             if ((s->flags & HF_EM_MASK) || (s->flags & HF_TS_MASK)) {
6578                 gen_exception(s, EXCP07_PREX);
6579                 break;
6580             }
6581             gen_lea_modrm(env, s, modrm);
6582             gen_helper_fxrstor(cpu_env, s->A0);
6583             break;
6584 
6585         CASE_MODRM_MEM_OP(2): /* ldmxcsr */
6586             if ((s->flags & HF_EM_MASK) || !(s->flags & HF_OSFXSR_MASK)) {
6587                 goto illegal_op;
6588             }
6589             if (s->flags & HF_TS_MASK) {
6590                 gen_exception(s, EXCP07_PREX);
6591                 break;
6592             }
6593             gen_lea_modrm(env, s, modrm);
6594             tcg_gen_qemu_ld_i32(s->tmp2_i32, s->A0, s->mem_index, MO_LEUL);
6595             gen_helper_ldmxcsr(cpu_env, s->tmp2_i32);
6596             break;
6597 
6598         CASE_MODRM_MEM_OP(3): /* stmxcsr */
6599             if ((s->flags & HF_EM_MASK) || !(s->flags & HF_OSFXSR_MASK)) {
6600                 goto illegal_op;
6601             }
6602             if (s->flags & HF_TS_MASK) {
6603                 gen_exception(s, EXCP07_PREX);
6604                 break;
6605             }
6606             gen_helper_update_mxcsr(cpu_env);
6607             gen_lea_modrm(env, s, modrm);
6608             tcg_gen_ld32u_tl(s->T0, cpu_env, offsetof(CPUX86State, mxcsr));
6609             gen_op_st_v(s, MO_32, s->T0, s->A0);
6610             break;
6611 
6612         CASE_MODRM_MEM_OP(4): /* xsave */
6613             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6614                 || (prefixes & (PREFIX_LOCK | PREFIX_DATA
6615                                 | PREFIX_REPZ | PREFIX_REPNZ))) {
6616                 goto illegal_op;
6617             }
6618             gen_lea_modrm(env, s, modrm);
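                 /*
                  * XSAVE takes its requested-feature bitmap in
                  * EDX:EAX; glue the two halves into one 64-bit value
                  * for the helper, which intersects it with XCR0.
                  */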
6619             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6620                                   cpu_regs[R_EDX]);
6621             gen_helper_xsave(cpu_env, s->A0, s->tmp1_i64);
6622             break;
6623 
6624         CASE_MODRM_MEM_OP(5): /* xrstor */
6625             if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6626                 || (prefixes & (PREFIX_LOCK | PREFIX_DATA
6627                                 | PREFIX_REPZ | PREFIX_REPNZ))) {
6628                 goto illegal_op;
6629             }
6630             gen_lea_modrm(env, s, modrm);
6631             tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6632                                   cpu_regs[R_EDX]);
6633             gen_helper_xrstor(cpu_env, s->A0, s->tmp1_i64);
6634             /*
6635              * XRSTOR is how MPX is enabled, which changes how we
                  * translate.  Thus we need to end the TB.
                  */
6636             s->base.is_jmp = DISAS_EOB_NEXT;
6637             break;
6638 
6639         CASE_MODRM_MEM_OP(6): /* xsaveopt / clwb */
6640             if (prefixes & PREFIX_LOCK) {
6641                 goto illegal_op;
6642             }
6643             if (prefixes & PREFIX_DATA) {
6644                 /* clwb */
6645                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_CLWB)) {
6646                     goto illegal_op;
6647                 }
6648                 gen_nop_modrm(env, s, modrm);
6649             } else {
6650                 /* xsaveopt */
6651                 if ((s->cpuid_ext_features & CPUID_EXT_XSAVE) == 0
6652                     || (s->cpuid_xsave_features & CPUID_XSAVE_XSAVEOPT) == 0
6653                     || (prefixes & (PREFIX_REPZ | PREFIX_REPNZ))) {
6654                     goto illegal_op;
6655                 }
6656                 gen_lea_modrm(env, s, modrm);
6657                 tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
6658                                       cpu_regs[R_EDX]);
6659                 gen_helper_xsaveopt(cpu_env, s->A0, s->tmp1_i64);
6660             }
6661             break;
6662 
6663         CASE_MODRM_MEM_OP(7): /* clflush / clflushopt */
6664             if (prefixes & PREFIX_LOCK) {
6665                 goto illegal_op;
6666             }
6667             if (prefixes & PREFIX_DATA) {
6668                 /* clflushopt */
6669                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_CLFLUSHOPT)) {
6670                     goto illegal_op;
6671                 }
6672             } else {
6673                 /* clflush */
6674                 if ((prefixes & (PREFIX_REPZ | PREFIX_REPNZ))
6675                     || !(s->cpuid_features & CPUID_CLFLUSH)) {
6676                     goto illegal_op;
6677                 }
6678             }
6679             gen_nop_modrm(env, s, modrm);
6680             break;
6681 
6682         case 0xc0 ... 0xc7: /* rdfsbase (f3 0f ae /0) */
6683         case 0xc8 ... 0xcf: /* rdgsbase (f3 0f ae /1) */
6684         case 0xd0 ... 0xd7: /* wrfsbase (f3 0f ae /2) */
6685         case 0xd8 ... 0xdf: /* wrgsbase (f3 0f ae /3) */
6686             if (CODE64(s)
6687                 && (prefixes & PREFIX_REPZ)
6688                 && !(prefixes & PREFIX_LOCK)
6689                 && (s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_FSGSBASE)) {
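                     /*
                      * F3 0F AE /0../3: e.g. "rdfsbase %rax" encodes
                      * as f3 48 0f ae c0.  Bit 3 of the modrm byte
                      * selects FS vs GS and bit 4 read vs write,
                      * decoded below.
                      */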
6690                 TCGv base, treg, src, dst;
6691 
6692                 /* Preserve hflags bits by testing CR4 at runtime.  */
6693                 tcg_gen_movi_i32(s->tmp2_i32, CR4_FSGSBASE_MASK);
6694                 gen_helper_cr4_testbit(cpu_env, s->tmp2_i32);
6695 
6696                 base = cpu_seg_base[modrm & 8 ? R_GS : R_FS];
6697                 treg = cpu_regs[(modrm & 7) | REX_B(s)];
6698 
6699                 if (modrm & 0x10) {
6700                     /* wr*base */
6701                     dst = base, src = treg;
6702                 } else {
6703                     /* rd*base */
6704                     dst = treg, src = base;
6705                 }
6706 
6707                 if (s->dflag == MO_32) {
6708                     tcg_gen_ext32u_tl(dst, src);
6709                 } else {
6710                     tcg_gen_mov_tl(dst, src);
6711                 }
6712                 break;
6713             }
6714             goto unknown_op;
6715 
6716         case 0xf8: /* sfence / pcommit */
6717             if (prefixes & PREFIX_DATA) {
6718                 /* pcommit */
6719                 if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_PCOMMIT)
6720                     || (prefixes & PREFIX_LOCK)) {
6721                     goto illegal_op;
6722                 }
6723                 break;
6724             }
6725             /* fallthru */
6726         case 0xf9 ... 0xff: /* sfence */
6727             if (!(s->cpuid_features & CPUID_SSE)
6728                 || (prefixes & PREFIX_LOCK)) {
6729                 goto illegal_op;
6730             }
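                 /*
                  * Map the x86 fences onto TCG barriers: SFENCE
                  * orders stores against stores, LFENCE loads against
                  * loads, and MFENCE (below) orders everything via
                  * TCG_MO_ALL.
                  */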
6731             tcg_gen_mb(TCG_MO_ST_ST | TCG_BAR_SC);
6732             break;
6733         case 0xe8 ... 0xef: /* lfence */
6734             if (!(s->cpuid_features & CPUID_SSE)
6735                 || (prefixes & PREFIX_LOCK)) {
6736                 goto illegal_op;
6737             }
6738             tcg_gen_mb(TCG_MO_LD_LD | TCG_BAR_SC);
6739             break;
6740         case 0xf0 ... 0xf7: /* mfence */
6741             if (!(s->cpuid_features & CPUID_SSE2)
6742                 || (prefixes & PREFIX_LOCK)) {
6743                 goto illegal_op;
6744             }
6745             tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
6746             break;
6747 
6748         default:
6749             goto unknown_op;
6750         }
6751         break;
6752 
6753     case 0x10d: /* 3DNow! prefetch(w) */
6754         modrm = x86_ldub_code(env, s);
6755         mod = (modrm >> 6) & 3;
6756         if (mod == 3)
6757             goto illegal_op;
6758         gen_nop_modrm(env, s, modrm);
6759         break;
6760     case 0x1aa: /* rsm */
6761         gen_svm_check_intercept(s, SVM_EXIT_RSM);
6762         if (!(s->flags & HF_SMM_MASK))
6763             goto illegal_op;
6764 #ifdef CONFIG_USER_ONLY
6765         /* we should never be in SMM */
6766         g_assert_not_reached();
6767 #else
6768         gen_update_cc_op(s);
6769         gen_update_eip_next(s);
6770         gen_helper_rsm(cpu_env);
6771 #endif /* CONFIG_USER_ONLY */
6772         s->base.is_jmp = DISAS_EOB_ONLY;
6773         break;
6774     case 0x1b8: /* SSE4.2 popcnt */
6775         if ((prefixes & (PREFIX_REPZ | PREFIX_LOCK | PREFIX_REPNZ)) !=
6776              PREFIX_REPZ)
6777             goto illegal_op;
6778         if (!(s->cpuid_ext_features & CPUID_EXT_POPCNT))
6779             goto illegal_op;
6780 
6781         modrm = x86_ldub_code(env, s);
6782         reg = ((modrm >> 3) & 7) | REX_R(s);
6783 
6784         if (prefixes & PREFIX_DATA) {
6785             ot = MO_16;
6786         } else {
6787             ot = mo_64_32(dflag);
6788         }
6789 
6790         gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
6791         gen_extu(ot, s->T0);
6792         tcg_gen_mov_tl(cpu_cc_src, s->T0);
6793         tcg_gen_ctpop_tl(s->T0, s->T0);
6794         gen_op_mov_reg_v(s, ot, reg, s->T0);
6795 
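             /*
              * CC_OP_POPCNT derives ZF lazily from cpu_cc_src (the
              * source operand saved above) and treats all other flags
              * as clear; e.g. a zero input yields ZF = 1.
              */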
6796         set_cc_op(s, CC_OP_POPCNT);
6797         break;
6798     case 0x10e ... 0x117:
6799     case 0x128 ... 0x12f:
6800     case 0x138 ... 0x13a:
6801     case 0x150 ... 0x179:
6802     case 0x17c ... 0x17f:
6803     case 0x1c2:
6804     case 0x1c4 ... 0x1c6:
6805     case 0x1d0 ... 0x1fe:
6806         disas_insn_new(s, cpu, b);
6807         break;
6808     default:
6809         goto unknown_op;
6810     }
6811     return true;
6812  illegal_op:
6813     gen_illegal_opcode(s);
6814     return true;
6815  unknown_op:
6816     gen_unknown_opcode(env, s);
6817     return true;
6818 }
6819 
6820 void tcg_x86_init(void)
6821 {
6822     static const char reg_names[CPU_NB_REGS][4] = {
6823 #ifdef TARGET_X86_64
6824         [R_EAX] = "rax",
6825         [R_EBX] = "rbx",
6826         [R_ECX] = "rcx",
6827         [R_EDX] = "rdx",
6828         [R_ESI] = "rsi",
6829         [R_EDI] = "rdi",
6830         [R_EBP] = "rbp",
6831         [R_ESP] = "rsp",
6832         [8]  = "r8",
6833         [9]  = "r9",
6834         [10] = "r10",
6835         [11] = "r11",
6836         [12] = "r12",
6837         [13] = "r13",
6838         [14] = "r14",
6839         [15] = "r15",
6840 #else
6841         [R_EAX] = "eax",
6842         [R_EBX] = "ebx",
6843         [R_ECX] = "ecx",
6844         [R_EDX] = "edx",
6845         [R_ESI] = "esi",
6846         [R_EDI] = "edi",
6847         [R_EBP] = "ebp",
6848         [R_ESP] = "esp",
6849 #endif
6850     };
6851     static const char eip_name[] = {
6852 #ifdef TARGET_X86_64
6853         "rip"
6854 #else
6855         "eip"
6856 #endif
6857     };
6858     static const char seg_base_names[6][8] = {
6859         [R_CS] = "cs_base",
6860         [R_DS] = "ds_base",
6861         [R_ES] = "es_base",
6862         [R_FS] = "fs_base",
6863         [R_GS] = "gs_base",
6864         [R_SS] = "ss_base",
6865     };
6866     static const char bnd_regl_names[4][8] = {
6867         "bnd0_lb", "bnd1_lb", "bnd2_lb", "bnd3_lb"
6868     };
6869     static const char bnd_regu_names[4][8] = {
6870         "bnd0_ub", "bnd1_ub", "bnd2_ub", "bnd3_ub"
6871     };
6872     int i;
6873 
6874     cpu_cc_op = tcg_global_mem_new_i32(cpu_env,
6875                                        offsetof(CPUX86State, cc_op), "cc_op");
6876     cpu_cc_dst = tcg_global_mem_new(cpu_env, offsetof(CPUX86State, cc_dst),
6877                                     "cc_dst");
6878     cpu_cc_src = tcg_global_mem_new(cpu_env, offsetof(CPUX86State, cc_src),
6879                                     "cc_src");
6880     cpu_cc_src2 = tcg_global_mem_new(cpu_env, offsetof(CPUX86State, cc_src2),
6881                                      "cc_src2");
6882     cpu_eip = tcg_global_mem_new(cpu_env, offsetof(CPUX86State, eip), eip_name);
6883 
6884     for (i = 0; i < CPU_NB_REGS; ++i) {
6885         cpu_regs[i] = tcg_global_mem_new(cpu_env,
6886                                          offsetof(CPUX86State, regs[i]),
6887                                          reg_names[i]);
6888     }
6889 
6890     for (i = 0; i < 6; ++i) {
6891         cpu_seg_base[i]
6892             = tcg_global_mem_new(cpu_env,
6893                                  offsetof(CPUX86State, segs[i].base),
6894                                  seg_base_names[i]);
6895     }
6896 
6897     for (i = 0; i < 4; ++i) {
6898         cpu_bndl[i]
6899             = tcg_global_mem_new_i64(cpu_env,
6900                                      offsetof(CPUX86State, bnd_regs[i].lb),
6901                                      bnd_regl_names[i]);
6902         cpu_bndu[i]
6903             = tcg_global_mem_new_i64(cpu_env,
6904                                      offsetof(CPUX86State, bnd_regs[i].ub),
6905                                      bnd_regu_names[i]);
6906     }
6907 }
6908 
6909 static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
6910 {
6911     DisasContext *dc = container_of(dcbase, DisasContext, base);
6912     CPUX86State *env = cpu->env_ptr;
6913     uint32_t flags = dc->base.tb->flags;
6914     uint32_t cflags = tb_cflags(dc->base.tb);
6915     int cpl = (flags >> HF_CPL_SHIFT) & 3;
6916     int iopl = (flags >> IOPL_SHIFT) & 3;
6917 
6918     dc->cs_base = dc->base.tb->cs_base;
6919     dc->pc_save = dc->base.pc_next;
6920     dc->flags = flags;
6921 #ifndef CONFIG_USER_ONLY
6922     dc->cpl = cpl;
6923     dc->iopl = iopl;
6924 #endif
6925 
6926     /* We make some simplifying assumptions; validate they're correct. */
6927     g_assert(PE(dc) == ((flags & HF_PE_MASK) != 0));
6928     g_assert(CPL(dc) == cpl);
6929     g_assert(IOPL(dc) == iopl);
6930     g_assert(VM86(dc) == ((flags & HF_VM_MASK) != 0));
6931     g_assert(CODE32(dc) == ((flags & HF_CS32_MASK) != 0));
6932     g_assert(CODE64(dc) == ((flags & HF_CS64_MASK) != 0));
6933     g_assert(SS32(dc) == ((flags & HF_SS32_MASK) != 0));
6934     g_assert(LMA(dc) == ((flags & HF_LMA_MASK) != 0));
6935     g_assert(ADDSEG(dc) == ((flags & HF_ADDSEG_MASK) != 0));
6936     g_assert(SVME(dc) == ((flags & HF_SVME_MASK) != 0));
6937     g_assert(GUEST(dc) == ((flags & HF_GUEST_MASK) != 0));
6938 
6939     dc->cc_op = CC_OP_DYNAMIC;
6940     dc->cc_op_dirty = false;
6941     dc->popl_esp_hack = 0;
6942     /* select memory access functions */
6943     dc->mem_index = 0;
6944 #ifdef CONFIG_SOFTMMU
6945     dc->mem_index = cpu_mmu_index(env, false);
6946 #endif
6947     dc->cpuid_features = env->features[FEAT_1_EDX];
6948     dc->cpuid_ext_features = env->features[FEAT_1_ECX];
6949     dc->cpuid_ext2_features = env->features[FEAT_8000_0001_EDX];
6950     dc->cpuid_ext3_features = env->features[FEAT_8000_0001_ECX];
6951     dc->cpuid_7_0_ebx_features = env->features[FEAT_7_0_EBX];
6952     dc->cpuid_7_0_ecx_features = env->features[FEAT_7_0_ECX];
6953     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
6954     dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
6955                     (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
6956     /*
6957      * If jmp_opt, we want to handle each string instruction individually.
6958      * For icount also disable repz optimization so that each iteration
6959      * is accounted separately.
6960      */
6961     dc->repz_opt = !dc->jmp_opt && !(cflags & CF_USE_ICOUNT);
6962 
6963     dc->T0 = tcg_temp_new();
6964     dc->T1 = tcg_temp_new();
6965     dc->A0 = tcg_temp_new();
6966 
6967     dc->tmp0 = tcg_temp_new();
6968     dc->tmp1_i64 = tcg_temp_new_i64();
6969     dc->tmp2_i32 = tcg_temp_new_i32();
6970     dc->tmp3_i32 = tcg_temp_new_i32();
6971     dc->tmp4 = tcg_temp_new();
6972     dc->cc_srcT = tcg_temp_new();
6973 }
6974 
6975 static void i386_tr_tb_start(DisasContextBase *db, CPUState *cpu)
6976 {
6977 }
6978 
6979 static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
6980 {
6981     DisasContext *dc = container_of(dcbase, DisasContext, base);
6982     target_ulong pc_arg = dc->base.pc_next;
6983 
6984     dc->prev_insn_end = tcg_last_op();
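         /*
          * With CF_PCREL the TB may run at more than one virtual
          * address, so record only EIP's offset within its page; the
          * page base is recovered from the CPU state when this data
          * is used to restore state.
          */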
6985     if (tb_cflags(dcbase->tb) & CF_PCREL) {
6986         pc_arg -= dc->cs_base;
6987         pc_arg &= ~TARGET_PAGE_MASK;
6988     }
6989     tcg_gen_insn_start(pc_arg, dc->cc_op);
6990 }
6991 
6992 static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
6993 {
6994     DisasContext *dc = container_of(dcbase, DisasContext, base);
6995 
6996 #ifdef TARGET_VSYSCALL_PAGE
6997     /*
6998      * Detect entry into the vsyscall page and invoke the syscall.
6999      */
7000     if ((dc->base.pc_next & TARGET_PAGE_MASK) == TARGET_VSYSCALL_PAGE) {
7001         gen_exception(dc, EXCP_VSYSCALL);
7002         dc->base.pc_next = dc->pc + 1;
7003         return;
7004     }
7005 #endif
7006 
7007     if (disas_insn(dc, cpu)) {
7008         target_ulong pc_next = dc->pc;
7009         dc->base.pc_next = pc_next;
7010 
7011         if (dc->base.is_jmp == DISAS_NEXT) {
7012             if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
7013                 /*
7014                  * In single-step mode, we generate only one
7015                  * instruction and then raise an exception.
7016                  * If IRQs were inhibited with HF_INHIBIT_IRQ_MASK,
7017                  * we clear the flag and abort the translation to
7018                  * give the IRQs a chance to happen.
7019                  */
7020                 dc->base.is_jmp = DISAS_EOB_NEXT;
7021             } else if (!is_same_page(&dc->base, pc_next)) {
7022                 dc->base.is_jmp = DISAS_TOO_MANY;
7023             }
7024         }
7025     }
7026 }
7027 
7028 static void i386_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
7029 {
7030     DisasContext *dc = container_of(dcbase, DisasContext, base);
7031 
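         /*
          * "EOB" means end of basic block.  EOB_NEXT first syncs
          * cc_op and EIP to the current instruction, EOB_ONLY assumes
          * they are already up to date, and TOO_MANY jumps to the
          * next insn so that TB chaining can continue.
          */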
7032     switch (dc->base.is_jmp) {
7033     case DISAS_NORETURN:
7034         break;
7035     case DISAS_TOO_MANY:
7036         gen_update_cc_op(dc);
7037         gen_jmp_rel_csize(dc, 0, 0);
7038         break;
7039     case DISAS_EOB_NEXT:
7040         gen_update_cc_op(dc);
7041         gen_update_eip_cur(dc);
7042         /* fall through */
7043     case DISAS_EOB_ONLY:
7044         gen_eob(dc);
7045         break;
7046     case DISAS_EOB_INHIBIT_IRQ:
7047         gen_update_cc_op(dc);
7048         gen_update_eip_cur(dc);
7049         gen_eob_inhibit_irq(dc, true);
7050         break;
7051     case DISAS_JUMP:
7052         gen_jr(dc);
7053         break;
7054     default:
7055         g_assert_not_reached();
7056     }
7057 }
7058 
7059 static void i386_tr_disas_log(const DisasContextBase *dcbase,
7060                               CPUState *cpu, FILE *logfile)
7061 {
7062     DisasContext *dc = container_of(dcbase, DisasContext, base);
7063 
7064     fprintf(logfile, "IN: %s\n", lookup_symbol(dc->base.pc_first));
7065     target_disas(logfile, cpu, dc->base.pc_first, dc->base.tb->size);
7066 }
7067 
7068 static const TranslatorOps i386_tr_ops = {
7069     .init_disas_context = i386_tr_init_disas_context,
7070     .tb_start           = i386_tr_tb_start,
7071     .insn_start         = i386_tr_insn_start,
7072     .translate_insn     = i386_tr_translate_insn,
7073     .tb_stop            = i386_tr_tb_stop,
7074     .disas_log          = i386_tr_disas_log,
7075 };
7076 
7077 /* generate intermediate code for basic block 'tb'.  */
7078 void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int *max_insns,
7079                            target_ulong pc, void *host_pc)
7080 {
7081     DisasContext dc;
7082 
7083     translator_loop(cpu, tb, max_insns, pc, host_pc, &i386_tr_ops, &dc.base);
7084 }
7085