...

Source file src/golang.org/x/arch/x86/x86asm/decode.go

Documentation: golang.org/x/arch/x86/x86asm

     1  // Copyright 2014 The Go Authors.  All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Table-driven decoding of x86 instructions.
     6  
     7  package x86asm
     8  
     9  import (
    10  	"encoding/binary"
    11  	"errors"
    12  	"fmt"
    13  	"runtime"
    14  )
    15  
    16  // Set trace to true to cause the decoder to print the PC sequence
    17  // of the executed instruction codes. This is typically only useful
    18  // when you are running a test of a single input case.
    19  const trace = false
    20  
    21  // A decodeOp is a single instruction in the decoder bytecode program.
    22  //
    23  // The decodeOps correspond to consuming and conditionally branching
    24  // on input bytes, consuming additional fields, and then interpreting
    25  // consumed data as instruction arguments. The names of the xRead and xArg
    26  // operations are taken from the Intel manual conventions, for example
    27  // Volume 2, Section 3.1.1, page 487 of
    28  // http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf
    29  //
    30  // The actual decoding program is generated by ../x86map.
    31  //
    32  // TODO(rsc): We may be able to merge various of the memory operands
    33  // since we don't care about, say, the distinction between m80dec and m80bcd.
    34  // Similarly, mm and mm1 have identical meaning, as do xmm and xmm1.
    35  
    36  type decodeOp uint16
    37  
    38  const (
    39  	xFail  decodeOp = iota // invalid instruction (return)
    40  	xMatch                 // completed match
    41  	xJump                  // jump to pc
    42  
    43  	xCondByte     // switch on instruction byte value
    44  	xCondSlashR   // read and switch on instruction /r value
    45  	xCondPrefix   // switch on presence of instruction prefix
    46  	xCondIs64     // switch on 64-bit processor mode
    47  	xCondDataSize // switch on operand size
    48  	xCondAddrSize // switch on address size
    49  	xCondIsMem    // switch on memory vs register argument
    50  
    51  	xSetOp // set instruction opcode
    52  
    53  	xReadSlashR // read /r
    54  	xReadIb     // read ib
    55  	xReadIw     // read iw
    56  	xReadId     // read id
    57  	xReadIo     // read io
    58  	xReadCb     // read cb
    59  	xReadCw     // read cw
    60  	xReadCd     // read cd
    61  	xReadCp     // read cp
    62  	xReadCm     // read cm
    63  
    64  	xArg1            // arg 1
    65  	xArg3            // arg 3
    66  	xArgAL           // arg AL
    67  	xArgAX           // arg AX
    68  	xArgCL           // arg CL
    69  	xArgCR0dashCR7   // arg CR0-CR7
    70  	xArgCS           // arg CS
    71  	xArgDR0dashDR7   // arg DR0-DR7
    72  	xArgDS           // arg DS
    73  	xArgDX           // arg DX
    74  	xArgEAX          // arg EAX
    75  	xArgEDX          // arg EDX
    76  	xArgES           // arg ES
    77  	xArgFS           // arg FS
    78  	xArgGS           // arg GS
    79  	xArgImm16        // arg imm16
    80  	xArgImm32        // arg imm32
    81  	xArgImm64        // arg imm64
    82  	xArgImm8         // arg imm8
    83  	xArgImm8u        // arg imm8 but record as unsigned
    84  	xArgImm16u       // arg imm8 but record as unsigned
    85  	xArgM            // arg m
    86  	xArgM128         // arg m128
    87  	xArgM256         // arg m256
    88  	xArgM1428byte    // arg m14/28byte
    89  	xArgM16          // arg m16
    90  	xArgM16and16     // arg m16&16
    91  	xArgM16and32     // arg m16&32
    92  	xArgM16and64     // arg m16&64
    93  	xArgM16colon16   // arg m16:16
    94  	xArgM16colon32   // arg m16:32
    95  	xArgM16colon64   // arg m16:64
    96  	xArgM16int       // arg m16int
    97  	xArgM2byte       // arg m2byte
    98  	xArgM32          // arg m32
    99  	xArgM32and32     // arg m32&32
   100  	xArgM32fp        // arg m32fp
   101  	xArgM32int       // arg m32int
   102  	xArgM512byte     // arg m512byte
   103  	xArgM64          // arg m64
   104  	xArgM64fp        // arg m64fp
   105  	xArgM64int       // arg m64int
   106  	xArgM8           // arg m8
   107  	xArgM80bcd       // arg m80bcd
   108  	xArgM80dec       // arg m80dec
   109  	xArgM80fp        // arg m80fp
   110  	xArgM94108byte   // arg m94/108byte
   111  	xArgMm           // arg mm
   112  	xArgMm1          // arg mm1
   113  	xArgMm2          // arg mm2
   114  	xArgMm2M64       // arg mm2/m64
   115  	xArgMmM32        // arg mm/m32
   116  	xArgMmM64        // arg mm/m64
   117  	xArgMem          // arg mem
   118  	xArgMoffs16      // arg moffs16
   119  	xArgMoffs32      // arg moffs32
   120  	xArgMoffs64      // arg moffs64
   121  	xArgMoffs8       // arg moffs8
   122  	xArgPtr16colon16 // arg ptr16:16
   123  	xArgPtr16colon32 // arg ptr16:32
   124  	xArgR16          // arg r16
   125  	xArgR16op        // arg r16 with +rw in opcode
   126  	xArgR32          // arg r32
   127  	xArgR32M16       // arg r32/m16
   128  	xArgR32M8        // arg r32/m8
   129  	xArgR32op        // arg r32 with +rd in opcode
   130  	xArgR64          // arg r64
   131  	xArgR64M16       // arg r64/m16
   132  	xArgR64op        // arg r64 with +rd in opcode
   133  	xArgR8           // arg r8
   134  	xArgR8op         // arg r8 with +rb in opcode
   135  	xArgRAX          // arg RAX
   136  	xArgRDX          // arg RDX
   137  	xArgRM           // arg r/m
   138  	xArgRM16         // arg r/m16
   139  	xArgRM32         // arg r/m32
   140  	xArgRM64         // arg r/m64
   141  	xArgRM8          // arg r/m8
   142  	xArgReg          // arg reg
   143  	xArgRegM16       // arg reg/m16
   144  	xArgRegM32       // arg reg/m32
   145  	xArgRegM8        // arg reg/m8
   146  	xArgRel16        // arg rel16
   147  	xArgRel32        // arg rel32
   148  	xArgRel8         // arg rel8
   149  	xArgSS           // arg SS
   150  	xArgST           // arg ST, aka ST(0)
   151  	xArgSTi          // arg ST(i) with +i in opcode
   152  	xArgSreg         // arg Sreg
   153  	xArgTR0dashTR7   // arg TR0-TR7
   154  	xArgXmm          // arg xmm
   155  	xArgXMM0         // arg <XMM0>
   156  	xArgXmm1         // arg xmm1
   157  	xArgXmm2         // arg xmm2
   158  	xArgXmm2M128     // arg xmm2/m128
   159  	xArgYmm2M256     // arg ymm2/m256
   160  	xArgXmm2M16      // arg xmm2/m16
   161  	xArgXmm2M32      // arg xmm2/m32
   162  	xArgXmm2M64      // arg xmm2/m64
   163  	xArgXmmM128      // arg xmm/m128
   164  	xArgXmmM32       // arg xmm/m32
   165  	xArgXmmM64       // arg xmm/m64
   166  	xArgYmm1         // arg ymm1
   167  	xArgRmf16        // arg r/m16 but force mod=3
   168  	xArgRmf32        // arg r/m32 but force mod=3
   169  	xArgRmf64        // arg r/m64 but force mod=3
   170  )
   171  
   172  // instPrefix returns an Inst describing just one prefix byte.
   173  // It is only used if there is a prefix followed by an unintelligible
   174  // or invalid instruction byte sequence.
   175  func instPrefix(b byte, mode int) (Inst, error) {
   176  	// When tracing it is useful to see what called instPrefix to report an error.
   177  	if trace {
   178  		_, file, line, _ := runtime.Caller(1)
   179  		fmt.Printf("%s:%d\n", file, line)
   180  	}
   181  	p := Prefix(b)
   182  	switch p {
   183  	case PrefixDataSize:
   184  		if mode == 16 {
   185  			p = PrefixData32
   186  		} else {
   187  			p = PrefixData16
   188  		}
   189  	case PrefixAddrSize:
   190  		if mode == 32 {
   191  			p = PrefixAddr16
   192  		} else {
   193  			p = PrefixAddr32
   194  		}
   195  	}
   196  	// Note: using composite literal with Prefix key confuses 'bundle' tool.
   197  	inst := Inst{Len: 1}
   198  	inst.Prefix = Prefixes{p}
   199  	return inst, nil
   200  }
   201  
   202  // truncated reports a truncated instruction.
   203  // For now we use instPrefix but perhaps later we will return
   204  // a specific error here.
   205  func truncated(src []byte, mode int) (Inst, error) {
   206  	if len(src) == 0 {
   207  		return Inst{}, ErrTruncated
   208  	}
   209  	return instPrefix(src[0], mode) // too long
   210  }
   211  
   212  // These are the errors returned by Decode.
   213  var (
   214  	ErrInvalidMode  = errors.New("invalid x86 mode in Decode")
   215  	ErrTruncated    = errors.New("truncated instruction")
   216  	ErrUnrecognized = errors.New("unrecognized instruction")
   217  )
   218  
   219  // decoderCover records coverage information for which parts
   220  // of the byte code have been executed.
   221  var decoderCover []bool
   222  
   223  // Decode decodes the leading bytes in src as a single instruction.
   224  // The mode arguments specifies the assumed processor mode:
   225  // 16, 32, or 64 for 16-, 32-, and 64-bit execution modes.
   226  func Decode(src []byte, mode int) (inst Inst, err error) {
   227  	return decode1(src, mode, false)
   228  }
   229  
   230  // decode1 is the implementation of Decode but takes an extra
   231  // gnuCompat flag to cause it to change its behavior to mimic
   232  // bugs (or at least unique features) of GNU libopcodes as used
   233  // by objdump. We don't believe that logic is the right thing to do
   234  // in general, but when testing against libopcodes it simplifies the
   235  // comparison if we adjust a few small pieces of logic.
   236  // The affected logic is in the conditional branch for "mandatory" prefixes,
   237  // case xCondPrefix.
   238  func decode1(src []byte, mode int, gnuCompat bool) (Inst, error) {
   239  	switch mode {
   240  	case 16, 32, 64:
   241  		// ok
   242  		// TODO(rsc): 64-bit mode not tested, probably not working.
   243  	default:
   244  		return Inst{}, ErrInvalidMode
   245  	}
   246  
   247  	// Maximum instruction size is 15 bytes.
   248  	// If we need to read more, return 'truncated instruction.
   249  	if len(src) > 15 {
   250  		src = src[:15]
   251  	}
   252  
   253  	var (
   254  		// prefix decoding information
   255  		pos           = 0    // position reading src
   256  		nprefix       = 0    // number of prefixes
   257  		lockIndex     = -1   // index of LOCK prefix in src and inst.Prefix
   258  		repIndex      = -1   // index of REP/REPN prefix in src and inst.Prefix
   259  		segIndex      = -1   // index of Group 2 prefix in src and inst.Prefix
   260  		dataSizeIndex = -1   // index of Group 3 prefix in src and inst.Prefix
   261  		addrSizeIndex = -1   // index of Group 4 prefix in src and inst.Prefix
   262  		rex           Prefix // rex byte if present (or 0)
   263  		rexUsed       Prefix // bits used in rex byte
   264  		rexIndex      = -1   // index of rex byte
   265  		vex           Prefix // use vex encoding
   266  		vexIndex      = -1   // index of vex prefix
   267  
   268  		addrMode = mode // address mode (width in bits)
   269  		dataMode = mode // operand mode (width in bits)
   270  
   271  		// decoded ModR/M fields
   272  		haveModrm bool
   273  		modrm     int
   274  		mod       int
   275  		regop     int
   276  		rm        int
   277  
   278  		// if ModR/M is memory reference, Mem form
   279  		mem     Mem
   280  		haveMem bool
   281  
   282  		// decoded SIB fields
   283  		haveSIB bool
   284  		sib     int
   285  		scale   int
   286  		index   int
   287  		base    int
   288  		displen int
   289  		dispoff int
   290  
   291  		// decoded immediate values
   292  		imm     int64
   293  		imm8    int8
   294  		immc    int64
   295  		immcpos int
   296  
   297  		// output
   298  		opshift int
   299  		inst    Inst
   300  		narg    int // number of arguments written to inst
   301  	)
   302  
   303  	if mode == 64 {
   304  		dataMode = 32
   305  	}
   306  
   307  	// Prefixes are certainly the most complex and underspecified part of
   308  	// decoding x86 instructions. Although the manuals say things like
   309  	// up to four prefixes, one from each group, nearly everyone seems to
   310  	// agree that in practice as many prefixes as possible, including multiple
   311  	// from a particular group or repetitions of a given prefix, can be used on
   312  	// an instruction, provided the total instruction length including prefixes
   313  	// does not exceed the agreed-upon maximum of 15 bytes.
   314  	// Everyone also agrees that if one of these prefixes is the LOCK prefix
   315  	// and the instruction is not one of the instructions that can be used with
   316  	// the LOCK prefix or if the destination is not a memory operand,
   317  	// then the instruction is invalid and produces the #UD exception.
   318  	// However, that is the end of any semblance of agreement.
   319  	//
   320  	// What happens if prefixes are given that conflict with other prefixes?
   321  	// For example, the memory segment overrides CS, DS, ES, FS, GS, SS
   322  	// conflict with each other: only one segment can be in effect.
   323  	// Disassemblers seem to agree that later prefixes take priority over
   324  	// earlier ones. I have not taken the time to write assembly programs
   325  	// to check to see if the hardware agrees.
   326  	//
   327  	// What happens if prefixes are given that have no meaning for the
   328  	// specific instruction to which they are attached? It depends.
   329  	// If they really have no meaning, they are ignored. However, a future
   330  	// processor may assign a different meaning. As a disassembler, we
   331  	// don't really know whether we're seeing a meaningless prefix or one
   332  	// whose meaning we simply haven't been told yet.
   333  	//
   334  	// Combining the two questions, what happens when conflicting
   335  	// extension prefixes are given? No one seems to know for sure.
   336  	// For example, MOVQ is 66 0F D6 /r, MOVDQ2Q is F2 0F D6 /r,
   337  	// and MOVQ2DQ is F3 0F D6 /r. What is '66 F2 F3 0F D6 /r'?
   338  	// Which prefix wins? See the xCondPrefix prefix for more.
   339  	//
   340  	// Writing assembly test cases to divine which interpretation the
   341  	// CPU uses might clarify the situation, but more likely it would
   342  	// make the situation even less clear.
   343  
   344  	// Read non-REX prefixes.
   345  ReadPrefixes:
   346  	for ; pos < len(src); pos++ {
   347  		p := Prefix(src[pos])
   348  		switch p {
   349  		default:
   350  			nprefix = pos
   351  			break ReadPrefixes
   352  
   353  		// Group 1 - lock and repeat prefixes
   354  		// According to Intel, there should only be one from this set,
   355  		// but according to AMD both can be present.
   356  		case 0xF0:
   357  			if lockIndex >= 0 {
   358  				inst.Prefix[lockIndex] |= PrefixIgnored
   359  			}
   360  			lockIndex = pos
   361  		case 0xF2, 0xF3:
   362  			if repIndex >= 0 {
   363  				inst.Prefix[repIndex] |= PrefixIgnored
   364  			}
   365  			repIndex = pos
   366  
   367  		// Group 2 - segment override / branch hints
   368  		case 0x26, 0x2E, 0x36, 0x3E:
   369  			if mode == 64 {
   370  				p |= PrefixIgnored
   371  				break
   372  			}
   373  			fallthrough
   374  		case 0x64, 0x65:
   375  			if segIndex >= 0 {
   376  				inst.Prefix[segIndex] |= PrefixIgnored
   377  			}
   378  			segIndex = pos
   379  
   380  		// Group 3 - operand size override
   381  		case 0x66:
   382  			if mode == 16 {
   383  				dataMode = 32
   384  				p = PrefixData32
   385  			} else {
   386  				dataMode = 16
   387  				p = PrefixData16
   388  			}
   389  			if dataSizeIndex >= 0 {
   390  				inst.Prefix[dataSizeIndex] |= PrefixIgnored
   391  			}
   392  			dataSizeIndex = pos
   393  
   394  		// Group 4 - address size override
   395  		case 0x67:
   396  			if mode == 32 {
   397  				addrMode = 16
   398  				p = PrefixAddr16
   399  			} else {
   400  				addrMode = 32
   401  				p = PrefixAddr32
   402  			}
   403  			if addrSizeIndex >= 0 {
   404  				inst.Prefix[addrSizeIndex] |= PrefixIgnored
   405  			}
   406  			addrSizeIndex = pos
   407  
   408  		//Group 5 - Vex encoding
   409  		case 0xC5:
   410  			if pos == 0 && pos+1 < len(src) && (mode == 64 || (mode == 32 && src[pos+1]&0xc0 == 0xc0)) {
   411  				vex = p
   412  				vexIndex = pos
   413  				inst.Prefix[pos] = p
   414  				inst.Prefix[pos+1] = Prefix(src[pos+1])
   415  				pos += 1
   416  				continue
   417  			} else {
   418  				nprefix = pos
   419  				break ReadPrefixes
   420  			}
   421  		case 0xC4:
   422  			if pos == 0 && pos+2 < len(src) && (mode == 64 || (mode == 32 && src[pos+1]&0xc0 == 0xc0)) {
   423  				vex = p
   424  				vexIndex = pos
   425  				inst.Prefix[pos] = p
   426  				inst.Prefix[pos+1] = Prefix(src[pos+1])
   427  				inst.Prefix[pos+2] = Prefix(src[pos+2])
   428  				pos += 2
   429  				continue
   430  			} else {
   431  				nprefix = pos
   432  				break ReadPrefixes
   433  			}
   434  		}
   435  
   436  		if pos >= len(inst.Prefix) {
   437  			return instPrefix(src[0], mode) // too long
   438  		}
   439  
   440  		inst.Prefix[pos] = p
   441  	}
   442  
   443  	// Read REX prefix.
   444  	if pos < len(src) && mode == 64 && Prefix(src[pos]).IsREX() && vex == 0 {
   445  		rex = Prefix(src[pos])
   446  		rexIndex = pos
   447  		if pos >= len(inst.Prefix) {
   448  			return instPrefix(src[0], mode) // too long
   449  		}
   450  		inst.Prefix[pos] = rex
   451  		pos++
   452  		if rex&PrefixREXW != 0 {
   453  			dataMode = 64
   454  			if dataSizeIndex >= 0 {
   455  				inst.Prefix[dataSizeIndex] |= PrefixIgnored
   456  			}
   457  		}
   458  	}
   459  
   460  	// Decode instruction stream, interpreting decoding instructions.
   461  	// opshift gives the shift to use when saving the next
   462  	// opcode byte into inst.Opcode.
   463  	opshift = 24
   464  
   465  	// Decode loop, executing decoder program.
   466  	var oldPC, prevPC int
   467  Decode:
   468  	for pc := 1; ; { // TODO uint
   469  		oldPC = prevPC
   470  		prevPC = pc
   471  		if trace {
   472  			println("run", pc)
   473  		}
   474  		x := decoder[pc]
   475  		if decoderCover != nil {
   476  			decoderCover[pc] = true
   477  		}
   478  		pc++
   479  
   480  		// Read and decode ModR/M if needed by opcode.
   481  		switch decodeOp(x) {
   482  		case xCondSlashR, xReadSlashR:
   483  			if haveModrm {
   484  				return Inst{Len: pos}, errInternal
   485  			}
   486  			haveModrm = true
   487  			if pos >= len(src) {
   488  				return truncated(src, mode)
   489  			}
   490  			modrm = int(src[pos])
   491  			pos++
   492  			if opshift >= 0 {
   493  				inst.Opcode |= uint32(modrm) << uint(opshift)
   494  				opshift -= 8
   495  			}
   496  			mod = modrm >> 6
   497  			regop = (modrm >> 3) & 07
   498  			rm = modrm & 07
   499  			if rex&PrefixREXR != 0 {
   500  				rexUsed |= PrefixREXR
   501  				regop |= 8
   502  			}
   503  			if addrMode == 16 {
   504  				// 16-bit modrm form
   505  				if mod != 3 {
   506  					haveMem = true
   507  					mem = addr16[rm]
   508  					if rm == 6 && mod == 0 {
   509  						mem.Base = 0
   510  					}
   511  
   512  					// Consume disp16 if present.
   513  					if mod == 0 && rm == 6 || mod == 2 {
   514  						if pos+2 > len(src) {
   515  							return truncated(src, mode)
   516  						}
   517  						mem.Disp = int64(binary.LittleEndian.Uint16(src[pos:]))
   518  						pos += 2
   519  					}
   520  
   521  					// Consume disp8 if present.
   522  					if mod == 1 {
   523  						if pos >= len(src) {
   524  							return truncated(src, mode)
   525  						}
   526  						mem.Disp = int64(int8(src[pos]))
   527  						pos++
   528  					}
   529  				}
   530  			} else {
   531  				haveMem = mod != 3
   532  
   533  				// 32-bit or 64-bit form
   534  				// Consume SIB encoding if present.
   535  				if rm == 4 && mod != 3 {
   536  					haveSIB = true
   537  					if pos >= len(src) {
   538  						return truncated(src, mode)
   539  					}
   540  					sib = int(src[pos])
   541  					pos++
   542  					if opshift >= 0 {
   543  						inst.Opcode |= uint32(sib) << uint(opshift)
   544  						opshift -= 8
   545  					}
   546  					scale = sib >> 6
   547  					index = (sib >> 3) & 07
   548  					base = sib & 07
   549  					if rex&PrefixREXB != 0 || vex == 0xC4 && inst.Prefix[vexIndex+1]&0x20 == 0 {
   550  						rexUsed |= PrefixREXB
   551  						base |= 8
   552  					}
   553  					if rex&PrefixREXX != 0 || vex == 0xC4 && inst.Prefix[vexIndex+1]&0x40 == 0 {
   554  						rexUsed |= PrefixREXX
   555  						index |= 8
   556  					}
   557  
   558  					mem.Scale = 1 << uint(scale)
   559  					if index == 4 {
   560  						// no mem.Index
   561  					} else {
   562  						mem.Index = baseRegForBits(addrMode) + Reg(index)
   563  					}
   564  					if base&7 == 5 && mod == 0 {
   565  						// no mem.Base
   566  					} else {
   567  						mem.Base = baseRegForBits(addrMode) + Reg(base)
   568  					}
   569  				} else {
   570  					if rex&PrefixREXB != 0 {
   571  						rexUsed |= PrefixREXB
   572  						rm |= 8
   573  					}
   574  					if mod == 0 && rm&7 == 5 || rm&7 == 4 {
   575  						// base omitted
   576  					} else if mod != 3 {
   577  						mem.Base = baseRegForBits(addrMode) + Reg(rm)
   578  					}
   579  				}
   580  
   581  				// Consume disp32 if present.
   582  				if mod == 0 && (rm&7 == 5 || haveSIB && base&7 == 5) || mod == 2 {
   583  					if pos+4 > len(src) {
   584  						return truncated(src, mode)
   585  					}
   586  					dispoff = pos
   587  					displen = 4
   588  					mem.Disp = int64(binary.LittleEndian.Uint32(src[pos:]))
   589  					pos += 4
   590  				}
   591  
   592  				// Consume disp8 if present.
   593  				if mod == 1 {
   594  					if pos >= len(src) {
   595  						return truncated(src, mode)
   596  					}
   597  					dispoff = pos
   598  					displen = 1
   599  					mem.Disp = int64(int8(src[pos]))
   600  					pos++
   601  				}
   602  
   603  				// In 64-bit, mod=0 rm=5 is PC-relative instead of just disp.
   604  				// See Vol 2A. Table 2-7.
   605  				if mode == 64 && mod == 0 && rm&7 == 5 {
   606  					if addrMode == 32 {
   607  						mem.Base = EIP
   608  					} else {
   609  						mem.Base = RIP
   610  					}
   611  				}
   612  			}
   613  
   614  			if segIndex >= 0 {
   615  				mem.Segment = prefixToSegment(inst.Prefix[segIndex])
   616  			}
   617  		}
   618  
   619  		// Execute single opcode.
   620  		switch decodeOp(x) {
   621  		default:
   622  			println("bad op", x, "at", pc-1, "from", oldPC)
   623  			return Inst{Len: pos}, errInternal
   624  
   625  		case xFail:
   626  			inst.Op = 0
   627  			break Decode
   628  
   629  		case xMatch:
   630  			break Decode
   631  
   632  		case xJump:
   633  			pc = int(decoder[pc])
   634  
   635  		// Conditional branches.
   636  
   637  		case xCondByte:
   638  			if pos >= len(src) {
   639  				return truncated(src, mode)
   640  			}
   641  			b := src[pos]
   642  			n := int(decoder[pc])
   643  			pc++
   644  			for i := 0; i < n; i++ {
   645  				xb, xpc := decoder[pc], int(decoder[pc+1])
   646  				pc += 2
   647  				if b == byte(xb) {
   648  					pc = xpc
   649  					pos++
   650  					if opshift >= 0 {
   651  						inst.Opcode |= uint32(b) << uint(opshift)
   652  						opshift -= 8
   653  					}
   654  					continue Decode
   655  				}
   656  			}
   657  			// xCondByte is the only conditional with a fall through,
   658  			// so that it can be used to pick off special cases before
   659  			// an xCondSlash. If the fallthrough instruction is xFail,
   660  			// advance the position so that the decoded instruction
   661  			// size includes the byte we just compared against.
   662  			if decodeOp(decoder[pc]) == xJump {
   663  				pc = int(decoder[pc+1])
   664  			}
   665  			if decodeOp(decoder[pc]) == xFail {
   666  				pos++
   667  			}
   668  
   669  		case xCondIs64:
   670  			if mode == 64 {
   671  				pc = int(decoder[pc+1])
   672  			} else {
   673  				pc = int(decoder[pc])
   674  			}
   675  
   676  		case xCondIsMem:
   677  			mem := haveMem
   678  			if !haveModrm {
   679  				if pos >= len(src) {
   680  					return instPrefix(src[0], mode) // too long
   681  				}
   682  				mem = src[pos]>>6 != 3
   683  			}
   684  			if mem {
   685  				pc = int(decoder[pc+1])
   686  			} else {
   687  				pc = int(decoder[pc])
   688  			}
   689  
   690  		case xCondDataSize:
   691  			switch dataMode {
   692  			case 16:
   693  				if dataSizeIndex >= 0 {
   694  					inst.Prefix[dataSizeIndex] |= PrefixImplicit
   695  				}
   696  				pc = int(decoder[pc])
   697  			case 32:
   698  				if dataSizeIndex >= 0 {
   699  					inst.Prefix[dataSizeIndex] |= PrefixImplicit
   700  				}
   701  				pc = int(decoder[pc+1])
   702  			case 64:
   703  				rexUsed |= PrefixREXW
   704  				pc = int(decoder[pc+2])
   705  			}
   706  
   707  		case xCondAddrSize:
   708  			switch addrMode {
   709  			case 16:
   710  				if addrSizeIndex >= 0 {
   711  					inst.Prefix[addrSizeIndex] |= PrefixImplicit
   712  				}
   713  				pc = int(decoder[pc])
   714  			case 32:
   715  				if addrSizeIndex >= 0 {
   716  					inst.Prefix[addrSizeIndex] |= PrefixImplicit
   717  				}
   718  				pc = int(decoder[pc+1])
   719  			case 64:
   720  				pc = int(decoder[pc+2])
   721  			}
   722  
   723  		case xCondPrefix:
   724  			// Conditional branch based on presence or absence of prefixes.
   725  			// The conflict cases here are completely undocumented and
   726  			// differ significantly between GNU libopcodes and Intel xed.
   727  			// I have not written assembly code to divine what various CPUs
   728  			// do, but it wouldn't surprise me if they are not consistent either.
   729  			//
   730  			// The basic idea is to switch on the presence of a prefix, so that
   731  			// for example:
   732  			//
   733  			//	xCondPrefix, 4
   734  			//	0xF3, 123,
   735  			//	0xF2, 234,
   736  			//	0x66, 345,
   737  			//	0, 456
   738  			//
   739  			// branch to 123 if the F3 prefix is present, 234 if the F2 prefix
   740  			// is present, 66 if the 345 prefix is present, and 456 otherwise.
   741  			// The prefixes are given in descending order so that the 0 will be last.
   742  			//
   743  			// It is unclear what should happen if multiple conditions are
   744  			// satisfied: what if F2 and F3 are both present, or if 66 and F2
   745  			// are present, or if all three are present? The one chosen becomes
   746  			// part of the opcode and the others do not. Perhaps the answer
   747  			// depends on the specific opcodes in question.
   748  			//
   749  			// The only clear example is that CRC32 is F2 0F 38 F1 /r, and
   750  			// it comes in 16-bit and 32-bit forms based on the 66 prefix,
   751  			// so 66 F2 0F 38 F1 /r should be treated as F2 taking priority,
   752  			// with the 66 being only an operand size override, and probably
   753  			// F2 66 0F 38 F1 /r should be treated the same.
   754  			// Perhaps that rule is specific to the case of CRC32, since no
   755  			// 66 0F 38 F1 instruction is defined (today) (that we know of).
   756  			// However, both libopcodes and xed seem to generalize this
   757  			// example and choose F2/F3 in preference to 66, and we
   758  			// do the same.
   759  			//
   760  			// Next, what if both F2 and F3 are present? Which wins?
   761  			// The Intel xed rule, and ours, is that the one that occurs last wins.
   762  			// The GNU libopcodes rule, which we implement only in gnuCompat mode,
   763  			// is that F3 beats F2 unless F3 has no special meaning, in which
   764  			// case F3 can be a modified on an F2 special meaning.
   765  			//
   766  			// Concretely,
   767  			//	66 0F D6 /r is MOVQ
   768  			//	F2 0F D6 /r is MOVDQ2Q
   769  			//	F3 0F D6 /r is MOVQ2DQ.
   770  			//
   771  			//	F2 66 0F D6 /r is 66 + MOVDQ2Q always.
   772  			//	66 F2 0F D6 /r is 66 + MOVDQ2Q always.
   773  			//	F3 66 0F D6 /r is 66 + MOVQ2DQ always.
   774  			//	66 F3 0F D6 /r is 66 + MOVQ2DQ always.
   775  			//	F2 F3 0F D6 /r is F2 + MOVQ2DQ always.
   776  			//	F3 F2 0F D6 /r is F3 + MOVQ2DQ in Intel xed, but F2 + MOVQ2DQ in GNU libopcodes.
   777  			//	Adding 66 anywhere in the prefix section of the
   778  			//	last two cases does not change the outcome.
   779  			//
   780  			// Finally, what if there is a variant in which 66 is a mandatory
   781  			// prefix rather than an operand size override, but we know of
   782  			// no corresponding F2/F3 form, and we see both F2/F3 and 66.
   783  			// Does F2/F3 still take priority, so that the result is an unknown
   784  			// instruction, or does the 66 take priority, so that the extended
   785  			// 66 instruction should be interpreted as having a REP/REPN prefix?
   786  			// Intel xed does the former and GNU libopcodes does the latter.
   787  			// We side with Intel xed, unless we are trying to match libopcodes
   788  			// more closely during the comparison-based test suite.
   789  			//
   790  			// In 64-bit mode REX.W is another valid prefix to test for, but
   791  			// there is less ambiguity about that. When present, REX.W is
   792  			// always the first entry in the table.
   793  			n := int(decoder[pc])
   794  			pc++
   795  			sawF3 := false
   796  			for j := 0; j < n; j++ {
   797  				prefix := Prefix(decoder[pc+2*j])
   798  				if prefix.IsREX() {
   799  					rexUsed |= prefix
   800  					if rex&prefix == prefix {
   801  						pc = int(decoder[pc+2*j+1])
   802  						continue Decode
   803  					}
   804  					continue
   805  				}
   806  				ok := false
   807  				if prefix == 0 {
   808  					ok = true
   809  				} else if prefix.IsREX() {
   810  					rexUsed |= prefix
   811  					if rex&prefix == prefix {
   812  						ok = true
   813  					}
   814  				} else if prefix == 0xC5 || prefix == 0xC4 {
   815  					if vex == prefix {
   816  						ok = true
   817  					}
   818  				} else if vex != 0 && (prefix == 0x0F || prefix == 0x0F38 || prefix == 0x0F3A ||
   819  					prefix == 0x66 || prefix == 0xF2 || prefix == 0xF3) {
   820  					var vexM, vexP Prefix
   821  					if vex == 0xC5 {
   822  						vexM = 1 // 2 byte vex always implies 0F
   823  						vexP = inst.Prefix[vexIndex+1]
   824  					} else {
   825  						vexM = inst.Prefix[vexIndex+1]
   826  						vexP = inst.Prefix[vexIndex+2]
   827  					}
   828  					switch prefix {
   829  					case 0x66:
   830  						ok = vexP&3 == 1
   831  					case 0xF3:
   832  						ok = vexP&3 == 2
   833  					case 0xF2:
   834  						ok = vexP&3 == 3
   835  					case 0x0F:
   836  						ok = vexM&3 == 1
   837  					case 0x0F38:
   838  						ok = vexM&3 == 2
   839  					case 0x0F3A:
   840  						ok = vexM&3 == 3
   841  					}
   842  				} else {
   843  					if prefix == 0xF3 {
   844  						sawF3 = true
   845  					}
   846  					switch prefix {
   847  					case PrefixLOCK:
   848  						if lockIndex >= 0 {
   849  							inst.Prefix[lockIndex] |= PrefixImplicit
   850  							ok = true
   851  						}
   852  					case PrefixREP, PrefixREPN:
   853  						if repIndex >= 0 && inst.Prefix[repIndex]&0xFF == prefix {
   854  							inst.Prefix[repIndex] |= PrefixImplicit
   855  							ok = true
   856  						}
   857  						if gnuCompat && !ok && prefix == 0xF3 && repIndex >= 0 && (j+1 >= n || decoder[pc+2*(j+1)] != 0xF2) {
   858  							// Check to see if earlier prefix F3 is present.
   859  							for i := repIndex - 1; i >= 0; i-- {
   860  								if inst.Prefix[i]&0xFF == prefix {
   861  									inst.Prefix[i] |= PrefixImplicit
   862  									ok = true
   863  								}
   864  							}
   865  						}
   866  						if gnuCompat && !ok && prefix == 0xF2 && repIndex >= 0 && !sawF3 && inst.Prefix[repIndex]&0xFF == 0xF3 {
   867  							// Check to see if earlier prefix F2 is present.
   868  							for i := repIndex - 1; i >= 0; i-- {
   869  								if inst.Prefix[i]&0xFF == prefix {
   870  									inst.Prefix[i] |= PrefixImplicit
   871  									ok = true
   872  								}
   873  							}
   874  						}
   875  					case PrefixCS, PrefixDS, PrefixES, PrefixFS, PrefixGS, PrefixSS:
   876  						if segIndex >= 0 && inst.Prefix[segIndex]&0xFF == prefix {
   877  							inst.Prefix[segIndex] |= PrefixImplicit
   878  							ok = true
   879  						}
   880  					case PrefixDataSize:
   881  						// Looking for 66 mandatory prefix.
   882  						// The F2/F3 mandatory prefixes take priority when both are present.
   883  						// If we got this far in the xCondPrefix table and an F2/F3 is present,
   884  						// it means the table didn't have any entry for that prefix. But if 66 has
   885  						// special meaning, perhaps F2/F3 have special meaning that we don't know.
   886  						// Intel xed works this way, treating the F2/F3 as inhibiting the 66.
   887  						// GNU libopcodes allows the 66 to match. We do what Intel xed does
   888  						// except in gnuCompat mode.
   889  						if repIndex >= 0 && !gnuCompat {
   890  							inst.Op = 0
   891  							break Decode
   892  						}
   893  						if dataSizeIndex >= 0 {
   894  							inst.Prefix[dataSizeIndex] |= PrefixImplicit
   895  							ok = true
   896  						}
   897  					case PrefixAddrSize:
   898  						if addrSizeIndex >= 0 {
   899  							inst.Prefix[addrSizeIndex] |= PrefixImplicit
   900  							ok = true
   901  						}
   902  					}
   903  				}
   904  				if ok {
   905  					pc = int(decoder[pc+2*j+1])
   906  					continue Decode
   907  				}
   908  			}
   909  			inst.Op = 0
   910  			break Decode
   911  
   912  		case xCondSlashR:
   913  			pc = int(decoder[pc+regop&7])
   914  
   915  		// Input.
   916  
   917  		case xReadSlashR:
   918  			// done above
   919  
   920  		case xReadIb:
   921  			if pos >= len(src) {
   922  				return truncated(src, mode)
   923  			}
   924  			imm8 = int8(src[pos])
   925  			pos++
   926  
   927  		case xReadIw:
   928  			if pos+2 > len(src) {
   929  				return truncated(src, mode)
   930  			}
   931  			imm = int64(binary.LittleEndian.Uint16(src[pos:]))
   932  			pos += 2
   933  
   934  		case xReadId:
   935  			if pos+4 > len(src) {
   936  				return truncated(src, mode)
   937  			}
   938  			imm = int64(binary.LittleEndian.Uint32(src[pos:]))
   939  			pos += 4
   940  
   941  		case xReadIo:
   942  			if pos+8 > len(src) {
   943  				return truncated(src, mode)
   944  			}
   945  			imm = int64(binary.LittleEndian.Uint64(src[pos:]))
   946  			pos += 8
   947  
   948  		case xReadCb:
   949  			if pos >= len(src) {
   950  				return truncated(src, mode)
   951  			}
   952  			immcpos = pos
   953  			immc = int64(src[pos])
   954  			pos++
   955  
   956  		case xReadCw:
   957  			if pos+2 > len(src) {
   958  				return truncated(src, mode)
   959  			}
   960  			immcpos = pos
   961  			immc = int64(binary.LittleEndian.Uint16(src[pos:]))
   962  			pos += 2
   963  
   964  		case xReadCm:
   965  			immcpos = pos
   966  			if addrMode == 16 {
   967  				if pos+2 > len(src) {
   968  					return truncated(src, mode)
   969  				}
   970  				immc = int64(binary.LittleEndian.Uint16(src[pos:]))
   971  				pos += 2
   972  			} else if addrMode == 32 {
   973  				if pos+4 > len(src) {
   974  					return truncated(src, mode)
   975  				}
   976  				immc = int64(binary.LittleEndian.Uint32(src[pos:]))
   977  				pos += 4
   978  			} else {
   979  				if pos+8 > len(src) {
   980  					return truncated(src, mode)
   981  				}
   982  				immc = int64(binary.LittleEndian.Uint64(src[pos:]))
   983  				pos += 8
   984  			}
   985  		case xReadCd:
   986  			immcpos = pos
   987  			if pos+4 > len(src) {
   988  				return truncated(src, mode)
   989  			}
   990  			immc = int64(binary.LittleEndian.Uint32(src[pos:]))
   991  			pos += 4
   992  
   993  		case xReadCp:
   994  			immcpos = pos
   995  			if pos+6 > len(src) {
   996  				return truncated(src, mode)
   997  			}
   998  			w := binary.LittleEndian.Uint32(src[pos:])
   999  			w2 := binary.LittleEndian.Uint16(src[pos+4:])
  1000  			immc = int64(w2)<<32 | int64(w)
  1001  			pos += 6
  1002  
  1003  		// Output.
  1004  
  1005  		case xSetOp:
  1006  			inst.Op = Op(decoder[pc])
  1007  			pc++
  1008  
  1009  		case xArg1,
  1010  			xArg3,
  1011  			xArgAL,
  1012  			xArgAX,
  1013  			xArgCL,
  1014  			xArgCS,
  1015  			xArgDS,
  1016  			xArgDX,
  1017  			xArgEAX,
  1018  			xArgEDX,
  1019  			xArgES,
  1020  			xArgFS,
  1021  			xArgGS,
  1022  			xArgRAX,
  1023  			xArgRDX,
  1024  			xArgSS,
  1025  			xArgST,
  1026  			xArgXMM0:
  1027  			inst.Args[narg] = fixedArg[x]
  1028  			narg++
  1029  
  1030  		case xArgImm8:
  1031  			inst.Args[narg] = Imm(imm8)
  1032  			narg++
  1033  
  1034  		case xArgImm8u:
  1035  			inst.Args[narg] = Imm(uint8(imm8))
  1036  			narg++
  1037  
  1038  		case xArgImm16:
  1039  			inst.Args[narg] = Imm(int16(imm))
  1040  			narg++
  1041  
  1042  		case xArgImm16u:
  1043  			inst.Args[narg] = Imm(uint16(imm))
  1044  			narg++
  1045  
  1046  		case xArgImm32:
  1047  			inst.Args[narg] = Imm(int32(imm))
  1048  			narg++
  1049  
  1050  		case xArgImm64:
  1051  			inst.Args[narg] = Imm(imm)
  1052  			narg++
  1053  
  1054  		case xArgM,
  1055  			xArgM128,
  1056  			xArgM256,
  1057  			xArgM1428byte,
  1058  			xArgM16,
  1059  			xArgM16and16,
  1060  			xArgM16and32,
  1061  			xArgM16and64,
  1062  			xArgM16colon16,
  1063  			xArgM16colon32,
  1064  			xArgM16colon64,
  1065  			xArgM16int,
  1066  			xArgM2byte,
  1067  			xArgM32,
  1068  			xArgM32and32,
  1069  			xArgM32fp,
  1070  			xArgM32int,
  1071  			xArgM512byte,
  1072  			xArgM64,
  1073  			xArgM64fp,
  1074  			xArgM64int,
  1075  			xArgM8,
  1076  			xArgM80bcd,
  1077  			xArgM80dec,
  1078  			xArgM80fp,
  1079  			xArgM94108byte,
  1080  			xArgMem:
  1081  			if !haveMem {
  1082  				inst.Op = 0
  1083  				break Decode
  1084  			}
  1085  			inst.Args[narg] = mem
  1086  			inst.MemBytes = int(memBytes[decodeOp(x)])
  1087  			if mem.Base == RIP {
  1088  				inst.PCRel = displen
  1089  				inst.PCRelOff = dispoff
  1090  			}
  1091  			narg++
  1092  
  1093  		case xArgPtr16colon16:
  1094  			inst.Args[narg] = Imm(immc >> 16)
  1095  			inst.Args[narg+1] = Imm(immc & (1<<16 - 1))
  1096  			narg += 2
  1097  
  1098  		case xArgPtr16colon32:
  1099  			inst.Args[narg] = Imm(immc >> 32)
  1100  			inst.Args[narg+1] = Imm(immc & (1<<32 - 1))
  1101  			narg += 2
  1102  
  1103  		case xArgMoffs8, xArgMoffs16, xArgMoffs32, xArgMoffs64:
  1104  			// TODO(rsc): Can address be 64 bits?
  1105  			mem = Mem{Disp: int64(immc)}
  1106  			if segIndex >= 0 {
  1107  				mem.Segment = prefixToSegment(inst.Prefix[segIndex])
  1108  				inst.Prefix[segIndex] |= PrefixImplicit
  1109  			}
  1110  			inst.Args[narg] = mem
  1111  			inst.MemBytes = int(memBytes[decodeOp(x)])
  1112  			if mem.Base == RIP {
  1113  				inst.PCRel = displen
  1114  				inst.PCRelOff = dispoff
  1115  			}
  1116  			narg++
  1117  
  1118  		case xArgYmm1:
  1119  			base := baseReg[x]
  1120  			index := Reg(regop)
  1121  			if inst.Prefix[vexIndex+1]&0x80 == 0 {
  1122  				index += 8
  1123  			}
  1124  			inst.Args[narg] = base + index
  1125  			narg++
  1126  
  1127  		case xArgR8, xArgR16, xArgR32, xArgR64, xArgXmm, xArgXmm1, xArgDR0dashDR7:
  1128  			base := baseReg[x]
  1129  			index := Reg(regop)
  1130  			if rex != 0 && base == AL && index >= 4 {
  1131  				rexUsed |= PrefixREX
  1132  				index -= 4
  1133  				base = SPB
  1134  			}
  1135  			inst.Args[narg] = base + index
  1136  			narg++
  1137  
  1138  		case xArgMm, xArgMm1, xArgTR0dashTR7:
  1139  			inst.Args[narg] = baseReg[x] + Reg(regop&7)
  1140  			narg++
  1141  
  1142  		case xArgCR0dashCR7:
  1143  			// AMD documents an extension that the LOCK prefix
  1144  			// can be used in place of a REX prefix in order to access
  1145  			// CR8 from 32-bit mode. The LOCK prefix is allowed in
  1146  			// all modes, provided the corresponding CPUID bit is set.
  1147  			if lockIndex >= 0 {
  1148  				inst.Prefix[lockIndex] |= PrefixImplicit
  1149  				regop += 8
  1150  			}
  1151  			inst.Args[narg] = CR0 + Reg(regop)
  1152  			narg++
  1153  
  1154  		case xArgSreg:
  1155  			regop &= 7
  1156  			if regop >= 6 {
  1157  				inst.Op = 0
  1158  				break Decode
  1159  			}
  1160  			inst.Args[narg] = ES + Reg(regop)
  1161  			narg++
  1162  
  1163  		case xArgRmf16, xArgRmf32, xArgRmf64:
  1164  			base := baseReg[x]
  1165  			index := Reg(modrm & 07)
  1166  			if rex&PrefixREXB != 0 {
  1167  				rexUsed |= PrefixREXB
  1168  				index += 8
  1169  			}
  1170  			inst.Args[narg] = base + index
  1171  			narg++
  1172  
  1173  		case xArgR8op, xArgR16op, xArgR32op, xArgR64op, xArgSTi:
  1174  			n := inst.Opcode >> uint(opshift+8) & 07
  1175  			base := baseReg[x]
  1176  			index := Reg(n)
  1177  			if rex&PrefixREXB != 0 && decodeOp(x) != xArgSTi {
  1178  				rexUsed |= PrefixREXB
  1179  				index += 8
  1180  			}
  1181  			if rex != 0 && base == AL && index >= 4 {
  1182  				rexUsed |= PrefixREX
  1183  				index -= 4
  1184  				base = SPB
  1185  			}
  1186  			inst.Args[narg] = base + index
  1187  			narg++
  1188  		case xArgRM8, xArgRM16, xArgRM32, xArgRM64, xArgR32M16, xArgR32M8, xArgR64M16,
  1189  			xArgMmM32, xArgMmM64, xArgMm2M64,
  1190  			xArgXmm2M16, xArgXmm2M32, xArgXmm2M64, xArgXmmM64, xArgXmmM128, xArgXmmM32, xArgXmm2M128,
  1191  			xArgYmm2M256:
  1192  			if haveMem {
  1193  				inst.Args[narg] = mem
  1194  				inst.MemBytes = int(memBytes[decodeOp(x)])
  1195  				if mem.Base == RIP {
  1196  					inst.PCRel = displen
  1197  					inst.PCRelOff = dispoff
  1198  				}
  1199  			} else {
  1200  				base := baseReg[x]
  1201  				index := Reg(rm)
  1202  				switch decodeOp(x) {
  1203  				case xArgMmM32, xArgMmM64, xArgMm2M64:
  1204  					// There are only 8 MMX registers, so these ignore the REX.X bit.
  1205  					index &= 7
  1206  				case xArgRM8:
  1207  					if rex != 0 && index >= 4 {
  1208  						rexUsed |= PrefixREX
  1209  						index -= 4
  1210  						base = SPB
  1211  					}
  1212  				case xArgYmm2M256:
  1213  					if vex == 0xC4 && inst.Prefix[vexIndex+1]&0x40 == 0x40 {
  1214  						index += 8
  1215  					}
  1216  				}
  1217  				inst.Args[narg] = base + index
  1218  			}
  1219  			narg++
  1220  
  1221  		case xArgMm2: // register only; TODO(rsc): Handle with tag modrm_regonly tag
  1222  			if haveMem {
  1223  				inst.Op = 0
  1224  				break Decode
  1225  			}
  1226  			inst.Args[narg] = baseReg[x] + Reg(rm&7)
  1227  			narg++
  1228  
  1229  		case xArgXmm2: // register only; TODO(rsc): Handle with tag modrm_regonly tag
  1230  			if haveMem {
  1231  				inst.Op = 0
  1232  				break Decode
  1233  			}
  1234  			inst.Args[narg] = baseReg[x] + Reg(rm)
  1235  			narg++
  1236  
  1237  		case xArgRel8:
  1238  			inst.PCRelOff = immcpos
  1239  			inst.PCRel = 1
  1240  			inst.Args[narg] = Rel(int8(immc))
  1241  			narg++
  1242  
  1243  		case xArgRel16:
  1244  			inst.PCRelOff = immcpos
  1245  			inst.PCRel = 2
  1246  			inst.Args[narg] = Rel(int16(immc))
  1247  			narg++
  1248  
  1249  		case xArgRel32:
  1250  			inst.PCRelOff = immcpos
  1251  			inst.PCRel = 4
  1252  			inst.Args[narg] = Rel(int32(immc))
  1253  			narg++
  1254  		}
  1255  	}
  1256  
  1257  	if inst.Op == 0 {
  1258  		// Invalid instruction.
  1259  		if nprefix > 0 {
  1260  			return instPrefix(src[0], mode) // invalid instruction
  1261  		}
  1262  		return Inst{Len: pos}, ErrUnrecognized
  1263  	}
  1264  
  1265  	// Matched! Hooray!
  1266  
  1267  	// 90 decodes as XCHG EAX, EAX but is NOP.
  1268  	// 66 90 decodes as XCHG AX, AX and is NOP too.
  1269  	// 48 90 decodes as XCHG RAX, RAX and is NOP too.
  1270  	// 43 90 decodes as XCHG R8D, EAX and is *not* NOP.
  1271  	// F3 90 decodes as REP XCHG EAX, EAX but is PAUSE.
  1272  	// It's all too special to handle in the decoding tables, at least for now.
  1273  	if inst.Op == XCHG && inst.Opcode>>24 == 0x90 {
  1274  		if inst.Args[0] == RAX || inst.Args[0] == EAX || inst.Args[0] == AX {
  1275  			inst.Op = NOP
  1276  			if dataSizeIndex >= 0 {
  1277  				inst.Prefix[dataSizeIndex] &^= PrefixImplicit
  1278  			}
  1279  			inst.Args[0] = nil
  1280  			inst.Args[1] = nil
  1281  		}
  1282  		if repIndex >= 0 && inst.Prefix[repIndex] == 0xF3 {
  1283  			inst.Prefix[repIndex] |= PrefixImplicit
  1284  			inst.Op = PAUSE
  1285  			inst.Args[0] = nil
  1286  			inst.Args[1] = nil
  1287  		} else if gnuCompat {
  1288  			for i := nprefix - 1; i >= 0; i-- {
  1289  				if inst.Prefix[i]&0xFF == 0xF3 {
  1290  					inst.Prefix[i] |= PrefixImplicit
  1291  					inst.Op = PAUSE
  1292  					inst.Args[0] = nil
  1293  					inst.Args[1] = nil
  1294  					break
  1295  				}
  1296  			}
  1297  		}
  1298  	}
  1299  
  1300  	// defaultSeg returns the default segment for an implicit
  1301  	// memory reference: the final override if present, or else DS.
  1302  	defaultSeg := func() Reg {
  1303  		if segIndex >= 0 {
  1304  			inst.Prefix[segIndex] |= PrefixImplicit
  1305  			return prefixToSegment(inst.Prefix[segIndex])
  1306  		}
  1307  		return DS
  1308  	}
  1309  
  1310  	// Add implicit arguments not present in the tables.
  1311  	// Normally we shy away from making implicit arguments explicit,
  1312  	// following the Intel manuals, but adding the arguments seems
  1313  	// the best way to express the effect of the segment override prefixes.
  1314  	// TODO(rsc): Perhaps add these to the tables and
  1315  	// create bytecode instructions for them.
  1316  	usedAddrSize := false
  1317  	switch inst.Op {
  1318  	case INSB, INSW, INSD:
  1319  		inst.Args[0] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
  1320  		inst.Args[1] = DX
  1321  		usedAddrSize = true
  1322  
  1323  	case OUTSB, OUTSW, OUTSD:
  1324  		inst.Args[0] = DX
  1325  		inst.Args[1] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + SI - AX}
  1326  		usedAddrSize = true
  1327  
  1328  	case MOVSB, MOVSW, MOVSD, MOVSQ:
  1329  		inst.Args[0] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
  1330  		inst.Args[1] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + SI - AX}
  1331  		usedAddrSize = true
  1332  
  1333  	case CMPSB, CMPSW, CMPSD, CMPSQ:
  1334  		inst.Args[0] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + SI - AX}
  1335  		inst.Args[1] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
  1336  		usedAddrSize = true
  1337  
  1338  	case LODSB, LODSW, LODSD, LODSQ:
  1339  		switch inst.Op {
  1340  		case LODSB:
  1341  			inst.Args[0] = AL
  1342  		case LODSW:
  1343  			inst.Args[0] = AX
  1344  		case LODSD:
  1345  			inst.Args[0] = EAX
  1346  		case LODSQ:
  1347  			inst.Args[0] = RAX
  1348  		}
  1349  		inst.Args[1] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + SI - AX}
  1350  		usedAddrSize = true
  1351  
  1352  	case STOSB, STOSW, STOSD, STOSQ:
  1353  		inst.Args[0] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
  1354  		switch inst.Op {
  1355  		case STOSB:
  1356  			inst.Args[1] = AL
  1357  		case STOSW:
  1358  			inst.Args[1] = AX
  1359  		case STOSD:
  1360  			inst.Args[1] = EAX
  1361  		case STOSQ:
  1362  			inst.Args[1] = RAX
  1363  		}
  1364  		usedAddrSize = true
  1365  
  1366  	case SCASB, SCASW, SCASD, SCASQ:
  1367  		inst.Args[1] = Mem{Segment: ES, Base: baseRegForBits(addrMode) + DI - AX}
  1368  		switch inst.Op {
  1369  		case SCASB:
  1370  			inst.Args[0] = AL
  1371  		case SCASW:
  1372  			inst.Args[0] = AX
  1373  		case SCASD:
  1374  			inst.Args[0] = EAX
  1375  		case SCASQ:
  1376  			inst.Args[0] = RAX
  1377  		}
  1378  		usedAddrSize = true
  1379  
  1380  	case XLATB:
  1381  		inst.Args[0] = Mem{Segment: defaultSeg(), Base: baseRegForBits(addrMode) + BX - AX}
  1382  		usedAddrSize = true
  1383  	}
  1384  
  1385  	// If we used the address size annotation to construct the
  1386  	// argument list, mark that prefix as implicit: it doesn't need
  1387  	// to be shown when printing the instruction.
  1388  	if haveMem || usedAddrSize {
  1389  		if addrSizeIndex >= 0 {
  1390  			inst.Prefix[addrSizeIndex] |= PrefixImplicit
  1391  		}
  1392  	}
  1393  
  1394  	// Similarly, if there's some memory operand, the segment
  1395  	// will be shown there and doesn't need to be shown as an
  1396  	// explicit prefix.
  1397  	if haveMem {
  1398  		if segIndex >= 0 {
  1399  			inst.Prefix[segIndex] |= PrefixImplicit
  1400  		}
  1401  	}
  1402  
  1403  	// Branch predict prefixes are overloaded segment prefixes,
  1404  	// since segment prefixes don't make sense on conditional jumps.
  1405  	// Rewrite final instance to prediction prefix.
  1406  	// The set of instructions to which the prefixes apply (other then the
  1407  	// Jcc conditional jumps) is not 100% clear from the manuals, but
  1408  	// the disassemblers seem to agree about the LOOP and JCXZ instructions,
  1409  	// so we'll follow along.
  1410  	// TODO(rsc): Perhaps this instruction class should be derived from the CSV.
  1411  	if isCondJmp[inst.Op] || isLoop[inst.Op] || inst.Op == JCXZ || inst.Op == JECXZ || inst.Op == JRCXZ {
  1412  	PredictLoop:
  1413  		for i := nprefix - 1; i >= 0; i-- {
  1414  			p := inst.Prefix[i]
  1415  			switch p & 0xFF {
  1416  			case PrefixCS:
  1417  				inst.Prefix[i] = PrefixPN
  1418  				break PredictLoop
  1419  			case PrefixDS:
  1420  				inst.Prefix[i] = PrefixPT
  1421  				break PredictLoop
  1422  			}
  1423  		}
  1424  	}
  1425  
  1426  	// The BND prefix is part of the Intel Memory Protection Extensions (MPX).
  1427  	// A REPN applied to certain control transfers is a BND prefix to bound
  1428  	// the range of possible destinations. There's surprisingly little documentation
  1429  	// about this, so we just do what libopcodes and xed agree on.
  1430  	// In particular, it's unclear why a REPN applied to LOOP or JCXZ instructions
  1431  	// does not turn into a BND.
  1432  	// TODO(rsc): Perhaps this instruction class should be derived from the CSV.
  1433  	if isCondJmp[inst.Op] || inst.Op == JMP || inst.Op == CALL || inst.Op == RET {
  1434  		for i := nprefix - 1; i >= 0; i-- {
  1435  			p := inst.Prefix[i]
  1436  			if p&^PrefixIgnored == PrefixREPN {
  1437  				inst.Prefix[i] = PrefixBND
  1438  				break
  1439  			}
  1440  		}
  1441  	}
  1442  
  1443  	// The LOCK prefix only applies to certain instructions, and then only
  1444  	// to instances of the instruction with a memory destination.
  1445  	// Other uses of LOCK are invalid and cause a processor exception,
  1446  	// in contrast to the "just ignore it" spirit applied to all other prefixes.
  1447  	// Mark invalid lock prefixes.
  1448  	hasLock := false
  1449  	if lockIndex >= 0 && inst.Prefix[lockIndex]&PrefixImplicit == 0 {
  1450  		switch inst.Op {
  1451  		// TODO(rsc): Perhaps this instruction class should be derived from the CSV.
  1452  		case ADD, ADC, AND, BTC, BTR, BTS, CMPXCHG, CMPXCHG8B, CMPXCHG16B, DEC, INC, NEG, NOT, OR, SBB, SUB, XOR, XADD, XCHG:
  1453  			if isMem(inst.Args[0]) {
  1454  				hasLock = true
  1455  				break
  1456  			}
  1457  			fallthrough
  1458  		default:
  1459  			inst.Prefix[lockIndex] |= PrefixInvalid
  1460  		}
  1461  	}
  1462  
  1463  	// In certain cases, all of which require a memory destination,
  1464  	// the REPN and REP prefixes are interpreted as XACQUIRE and XRELEASE
  1465  	// from the Intel Transactional Synchroniation Extensions (TSX).
  1466  	//
  1467  	// The specific rules are:
  1468  	// (1) Any instruction with a valid LOCK prefix can have XACQUIRE or XRELEASE.
  1469  	// (2) Any XCHG, which always has an implicit LOCK, can have XACQUIRE or XRELEASE.
  1470  	// (3) Any 0x88-, 0x89-, 0xC6-, or 0xC7-opcode MOV can have XRELEASE.
  1471  	if isMem(inst.Args[0]) {
  1472  		if inst.Op == XCHG {
  1473  			hasLock = true
  1474  		}
  1475  
  1476  		for i := len(inst.Prefix) - 1; i >= 0; i-- {
  1477  			p := inst.Prefix[i] &^ PrefixIgnored
  1478  			switch p {
  1479  			case PrefixREPN:
  1480  				if hasLock {
  1481  					inst.Prefix[i] = inst.Prefix[i]&PrefixIgnored | PrefixXACQUIRE
  1482  				}
  1483  
  1484  			case PrefixREP:
  1485  				if hasLock {
  1486  					inst.Prefix[i] = inst.Prefix[i]&PrefixIgnored | PrefixXRELEASE
  1487  				}
  1488  
  1489  				if inst.Op == MOV {
  1490  					op := (inst.Opcode >> 24) &^ 1
  1491  					if op == 0x88 || op == 0xC6 {
  1492  						inst.Prefix[i] = inst.Prefix[i]&PrefixIgnored | PrefixXRELEASE
  1493  					}
  1494  				}
  1495  			}
  1496  		}
  1497  	}
  1498  
  1499  	// If REP is used on a non-REP-able instruction, mark the prefix as ignored.
  1500  	if repIndex >= 0 {
  1501  		switch inst.Prefix[repIndex] {
  1502  		case PrefixREP, PrefixREPN:
  1503  			switch inst.Op {
  1504  			// According to the manuals, the REP/REPE prefix applies to all of these,
  1505  			// while the REPN applies only to some of them. However, both libopcodes
  1506  			// and xed show both prefixes explicitly for all instructions, so we do the same.
  1507  			// TODO(rsc): Perhaps this instruction class should be derived from the CSV.
  1508  			case INSB, INSW, INSD,
  1509  				MOVSB, MOVSW, MOVSD, MOVSQ,
  1510  				OUTSB, OUTSW, OUTSD,
  1511  				LODSB, LODSW, LODSD, LODSQ,
  1512  				CMPSB, CMPSW, CMPSD, CMPSQ,
  1513  				SCASB, SCASW, SCASD, SCASQ,
  1514  				STOSB, STOSW, STOSD, STOSQ:
  1515  				// ok
  1516  			default:
  1517  				inst.Prefix[repIndex] |= PrefixIgnored
  1518  			}
  1519  		}
  1520  	}
  1521  
  1522  	// If REX was present, mark implicit if all the 1 bits were consumed.
  1523  	if rexIndex >= 0 {
  1524  		if rexUsed != 0 {
  1525  			rexUsed |= PrefixREX
  1526  		}
  1527  		if rex&^rexUsed == 0 {
  1528  			inst.Prefix[rexIndex] |= PrefixImplicit
  1529  		}
  1530  	}
  1531  
  1532  	inst.DataSize = dataMode
  1533  	inst.AddrSize = addrMode
  1534  	inst.Mode = mode
  1535  	inst.Len = pos
  1536  	return inst, nil
  1537  }
  1538  
  1539  var errInternal = errors.New("internal error")
  1540  
  1541  // addr16 records the eight 16-bit addressing modes.
  1542  var addr16 = [8]Mem{
  1543  	{Base: BX, Scale: 1, Index: SI},
  1544  	{Base: BX, Scale: 1, Index: DI},
  1545  	{Base: BP, Scale: 1, Index: SI},
  1546  	{Base: BP, Scale: 1, Index: DI},
  1547  	{Base: SI},
  1548  	{Base: DI},
  1549  	{Base: BP},
  1550  	{Base: BX},
  1551  }
  1552  
  1553  // baseRegForBits returns the base register for a given register size in bits.
  1554  func baseRegForBits(bits int) Reg {
  1555  	switch bits {
  1556  	case 8:
  1557  		return AL
  1558  	case 16:
  1559  		return AX
  1560  	case 32:
  1561  		return EAX
  1562  	case 64:
  1563  		return RAX
  1564  	}
  1565  	return 0
  1566  }
  1567  
  1568  // baseReg records the base register for argument types that specify
  1569  // a range of registers indexed by op, regop, or rm.
  1570  var baseReg = [...]Reg{
  1571  	xArgDR0dashDR7: DR0,
  1572  	xArgMm1:        M0,
  1573  	xArgMm2:        M0,
  1574  	xArgMm2M64:     M0,
  1575  	xArgMm:         M0,
  1576  	xArgMmM32:      M0,
  1577  	xArgMmM64:      M0,
  1578  	xArgR16:        AX,
  1579  	xArgR16op:      AX,
  1580  	xArgR32:        EAX,
  1581  	xArgR32M16:     EAX,
  1582  	xArgR32M8:      EAX,
  1583  	xArgR32op:      EAX,
  1584  	xArgR64:        RAX,
  1585  	xArgR64M16:     RAX,
  1586  	xArgR64op:      RAX,
  1587  	xArgR8:         AL,
  1588  	xArgR8op:       AL,
  1589  	xArgRM16:       AX,
  1590  	xArgRM32:       EAX,
  1591  	xArgRM64:       RAX,
  1592  	xArgRM8:        AL,
  1593  	xArgRmf16:      AX,
  1594  	xArgRmf32:      EAX,
  1595  	xArgRmf64:      RAX,
  1596  	xArgSTi:        F0,
  1597  	xArgTR0dashTR7: TR0,
  1598  	xArgXmm1:       X0,
  1599  	xArgYmm1:       X0,
  1600  	xArgXmm2:       X0,
  1601  	xArgXmm2M128:   X0,
  1602  	xArgYmm2M256:   X0,
  1603  	xArgXmm2M16:    X0,
  1604  	xArgXmm2M32:    X0,
  1605  	xArgXmm2M64:    X0,
  1606  	xArgXmm:        X0,
  1607  	xArgXmmM128:    X0,
  1608  	xArgXmmM32:     X0,
  1609  	xArgXmmM64:     X0,
  1610  }
  1611  
  1612  // prefixToSegment returns the segment register
  1613  // corresponding to a particular segment prefix.
  1614  func prefixToSegment(p Prefix) Reg {
  1615  	switch p &^ PrefixImplicit {
  1616  	case PrefixCS:
  1617  		return CS
  1618  	case PrefixDS:
  1619  		return DS
  1620  	case PrefixES:
  1621  		return ES
  1622  	case PrefixFS:
  1623  		return FS
  1624  	case PrefixGS:
  1625  		return GS
  1626  	case PrefixSS:
  1627  		return SS
  1628  	}
  1629  	return 0
  1630  }
  1631  
  1632  // fixedArg records the fixed arguments corresponding to the given bytecodes.
  1633  var fixedArg = [...]Arg{
  1634  	xArg1:    Imm(1),
  1635  	xArg3:    Imm(3),
  1636  	xArgAL:   AL,
  1637  	xArgAX:   AX,
  1638  	xArgDX:   DX,
  1639  	xArgEAX:  EAX,
  1640  	xArgEDX:  EDX,
  1641  	xArgRAX:  RAX,
  1642  	xArgRDX:  RDX,
  1643  	xArgCL:   CL,
  1644  	xArgCS:   CS,
  1645  	xArgDS:   DS,
  1646  	xArgES:   ES,
  1647  	xArgFS:   FS,
  1648  	xArgGS:   GS,
  1649  	xArgSS:   SS,
  1650  	xArgST:   F0,
  1651  	xArgXMM0: X0,
  1652  }
  1653  
  1654  // memBytes records the size of the memory pointed at
  1655  // by a memory argument of the given form.
  1656  var memBytes = [...]int8{
  1657  	xArgM128:       128 / 8,
  1658  	xArgM256:       256 / 8,
  1659  	xArgM16:        16 / 8,
  1660  	xArgM16and16:   (16 + 16) / 8,
  1661  	xArgM16colon16: (16 + 16) / 8,
  1662  	xArgM16colon32: (16 + 32) / 8,
  1663  	xArgM16int:     16 / 8,
  1664  	xArgM2byte:     2,
  1665  	xArgM32:        32 / 8,
  1666  	xArgM32and32:   (32 + 32) / 8,
  1667  	xArgM32fp:      32 / 8,
  1668  	xArgM32int:     32 / 8,
  1669  	xArgM64:        64 / 8,
  1670  	xArgM64fp:      64 / 8,
  1671  	xArgM64int:     64 / 8,
  1672  	xArgMm2M64:     64 / 8,
  1673  	xArgMmM32:      32 / 8,
  1674  	xArgMmM64:      64 / 8,
  1675  	xArgMoffs16:    16 / 8,
  1676  	xArgMoffs32:    32 / 8,
  1677  	xArgMoffs64:    64 / 8,
  1678  	xArgMoffs8:     8 / 8,
  1679  	xArgR32M16:     16 / 8,
  1680  	xArgR32M8:      8 / 8,
  1681  	xArgR64M16:     16 / 8,
  1682  	xArgRM16:       16 / 8,
  1683  	xArgRM32:       32 / 8,
  1684  	xArgRM64:       64 / 8,
  1685  	xArgRM8:        8 / 8,
  1686  	xArgXmm2M128:   128 / 8,
  1687  	xArgYmm2M256:   256 / 8,
  1688  	xArgXmm2M16:    16 / 8,
  1689  	xArgXmm2M32:    32 / 8,
  1690  	xArgXmm2M64:    64 / 8,
  1691  	xArgXmm:        128 / 8,
  1692  	xArgXmmM128:    128 / 8,
  1693  	xArgXmmM32:     32 / 8,
  1694  	xArgXmmM64:     64 / 8,
  1695  }
  1696  
  1697  // isCondJmp records the conditional jumps.
  1698  var isCondJmp = [maxOp + 1]bool{
  1699  	JA:  true,
  1700  	JAE: true,
  1701  	JB:  true,
  1702  	JBE: true,
  1703  	JE:  true,
  1704  	JG:  true,
  1705  	JGE: true,
  1706  	JL:  true,
  1707  	JLE: true,
  1708  	JNE: true,
  1709  	JNO: true,
  1710  	JNP: true,
  1711  	JNS: true,
  1712  	JO:  true,
  1713  	JP:  true,
  1714  	JS:  true,
  1715  }
  1716  
  1717  // isLoop records the loop operators.
  1718  var isLoop = [maxOp + 1]bool{
  1719  	LOOP:   true,
  1720  	LOOPE:  true,
  1721  	LOOPNE: true,
  1722  	JECXZ:  true,
  1723  	JRCXZ:  true,
  1724  }
  1725  

View as plain text