X86 INSTRUCTIONS:::CONTROL FLOW::: JUMP INSTRUCTIONS:::LOOP INSTRUCTION

Syntax : loop arg The loop instruction decrements ECX and jumps to the address specified by arg unless decrementing ECX caused its value to become zero. Example mov ecx, 5 start_loop: ; the code here would be executed 5 times loop start_loop loop does not set any flags. Syntax : loopx arg These loop instructions decrement ECX and jump to the address specified by arg if their condition is satisfied (that is, a specific flag is set), unless decrementing ECX caused its value to become zero. loope loop if equal loopne loop if not equal loopnz loop if not zero loopz loop if zero

X86 INSTRUCTIONS:::CONTROL FLOW:::JUMP INSTRUCTION::: FUNCTION CALLS

Syntax : call proc Pushes the address of the next opcode onto the top of the stack, and jumps to the specified location. This is used mostly for subroutines. Syntax : ret [val] Loads the next value on the stack into EIP, and then pops the specified number of bytes off the stack. If val is not supplied, the instruction will not pop any values off the stack after returning

X86 INSTRUCTIONS:::CONTROL FLOW:::: JUMP INSTRUCTIONS

The Jump Instructions allow the programmer to (indirectly) set the value of the EIP register. The location passed as the argument is usually a label. The first instruction executed after the jump is the instruction immediately following the label. All of the jump instructions, with the exception of jmp, are conditional jumps, meaning that program flow is diverted only if a condition is true. These instructions are often used after a comparison instruction, but since many other instructions set flags, this order is not required. Unconditional Jumps : Syntax : jmp loc Loads EIP with the specified address (i.e. the next instruction executed will be the one specified by jmp). Jump on Equality : Syntax : je loc ZF = 1 Loads EIP with the specified address, if operands of previous CMP instruction are equal. mov $5, ecx mov $5, edx cmp ecx, edx je equal ; if it did not jump to the label equal, then this means ecx and edx are not equal. equal: ; if it jumped here, then this means ecx and edx are equal Jump on Inequality : Syntax : jne loc ZF = 0 Loads EIP with the specified address, if operands of previous CMP instruction are not equal. Jump if Greater : Syntax 1 : jg loc ZF = 0 and SF = OF Loads EIP with the specified address, if first operand of previous CMP instruction is greater than the second (performs signed comparison). Syntax 2 : jge loc SF = OF Loads EIP with the specified address, if first operand of previous CMP instruction is greater than or equal to the second (performs signed comparison). Syntax 3 : ja loc CF = 0 and ZF = 0 Loads EIP with the specified address, if first operand of previous CMP instruction is greater than the second. ja is the same as jg, except that it performs an unsigned comparison. Syntax 4 : jae loc CF = 0 Loads EIP with the specified address, if first operand of previous CMP instruction is greater than or equal to the second. jae is the same as jge, except that it performs an unsigned comparison. Jump if Less : Syntax 1 : jl loc The criteria required for a JL is that SF <> OF, loads EIP with the specified address, if the criteria is meet. So either SF or OF can be set but not both in order to satisfy this criteria. If we take the SUB(which is basically what a CMP does) instruction as an example, we have: arg2 - arg1 With respect to SUB and CMP there are several cases that fulfill this criteria: arg2 < arg1 and the operation does not have overflow arg2 > arg1 and the operation has an overflow In case 1) SF will be set but not OF and in case 2) OF will be set but not SF since the overflow will reset the most significant bit to zero and thus preventing SF being set. The SF <> OF criteria avoids the cases where: arg2 > arg1 and the operation does not have overflow arg2 < arg1 and the operation has an overflow arg2 == arg1 In case 1) neither SF nor OF are set, in case 2) OF will be set and SF will be set since the overflow will reset the most significant bit to one and in case 3) neither SF nor OF will be set. The example code below runs the five cases outlined above and prints out whether SF and OF are equal or not: ; ; nasm -felf32 -g jlFlagsCheck.asm ; gcc -o jlFlagsCheck jlFlagsCheck.o ; global main extern printf section .data sfneofStr: db 'SF <> OF', 0xA, 0 sfeqofStr: db 'SF == OF', 0xA, 0 section .bss section .text main: ; ; Functions will follow the cdecl call convention ; ; ; arg2 < arg1 and no overflow ; mov eax, 1 cmp eax, 2 call checkSFNEOF ; ; arg2 < arg1 and overflow ; mov al, -2 cmp al, 127 call checkSFNEOF ; ; arg2 > arg1 and no overflow ; mov eax, 2 cmp eax, 1 call checkSFNEOF ; ; arg2 > arg1 and overflow ; mov al, 127 cmp al, -1 call checkSFNEOF ; ; arg2 == arg1 ; mov eax, 2 cmp eax, 2 call checkSFNEOF call exit ; ; Check if SF <> OF, which means the condition for jump less would be meet. ; checkSFNEOF: push ebp mov ebp, esp jl SFNEOF jmp SFEQOF SFNEOF: push dword sfneofStr call printf jmp checkSFNEOFDone SFEQOF: push dword sfeqofStr call printf checkSFNEOFDone: leave ret exit: ; ; Call exit(3) syscall ; void exit(int status) ; mov ebx, 0 ; Arg one: the status mov eax, 1 ; Syscall number: int 0x80 Output : SF <> OF SF <> OF SF == OF SF == OF SF == OF Syntax 2 : jb loc CF = 1 Loads EIP with the specified address, if first operand of previous CMP instruction is less than the second. jb is the same as jl, except that it performs an unsigned comparison. Syntax 3 : jbe loc CF = 1 or ZF = 1 Loads EIP with the specified address, if first operand of previous CMP instruction is less than or equal to the second. jbe is the same as jle, except that it performs an unsigned comparison. Jump on Overflow : Syntax 1 : jo loc OF = 1 Loads EIP with the specified address, if the overflow bit is set on a previous arithmetic expression. Syntax 2 : jno loc OF = 0 Loads EIP with the specified address, if the overflow bit is not set on a previous arithmetic expression. Jump on Zero : Syntax 1 : jz loc ZF = 1 Loads EIP with the specified address, if the zero bit is set from a previous arithmetic expression. jz is identical to je. Syntax 2 : jnz loc ZF = 0 Loads EIP with the specified address, if the zero bit is not set from a previous arithmetic expression. jnz is identical to jne. Jump on Sign : Syntax 1 : js loc SF = 1 Loads EIP with the specified address, if the sign bit is set from a previous arithmetic expression. Syntax 2 : jns loc SF = 0 Loads EIP with the specified address, if the sign bit is not set from a previous arithmetic expression.

X86 INSTRUCTIONS:::CONTROL FLOW::: comparison instruction

Performs a bit-wise logical AND on arg1 and arg2 the result of which we will refer to as Temp and sets the ZF(zero), SF(sign) and PF(parity) flags based on Temp. Temp is then discarded. Syntax test arg1, arg2 #GAS Syntax test arg2, arg1 #Intel syntax Operands arg1 Register Immediate arg2 AL/AX/EAX (only if arg1 is immediate) Register Memory Modified flags SF <- MostSignificantBit(Temp) If Temp == 0 ZF <- 1 else ZF <- 0 PF <- BitWiseXorNor(Temp[Max-1:0]) CF <- 0 OF <- 0 AF is undefined Performs a comparison operation between arg1 and arg2. The comparison is performed by a (signed) subtraction of arg2 from arg1, the results of which can be called Temp. Temp is then discarded. If arg2 is an immediate value it will be sign extended to the length of arg1. The EFLAGS register is set in the same manner as a sub instruction. Syntax cmp arg2, arg1 #GAS Syntax cmp arg1, arg2 #Intel syntax the GAS/AT&T syntax can be rather confusing, as for example cmp $0, %rax followed by jl branch will branch if %rax < 0 (and not the opposite as might be expected from the order of the operands). Operands arg1 AL/AX/EAX (only if arg2 is immediate) Register Memory arg2 Register Immediate Memory Modified flags SF <- MostSignificantBit(Temp) If Temp == 0 ZF <- 1 else ZF <- 0 PF <- BitWiseXorNor(Temp[Max-1:0]) CF, OF and AF<- 0

X86 INSTRUCTIONS:::CONTROL FLOW:::INTRODUCTION

Almost all programming languages have the ability to change the order in which statements are evaluated, and assembly is no exception. The instruction pointer (EIP) register contains the address of the next instruction to be executed. To change the flow of control, the programmer must be able to modify the value of EIP. This is where control flow functions come in. mov eip, label ; wrong jmp label ; right

DATA TRANSFER INSTRUCTION FOR 8086 MICROPROCESSOR

General purpose byte or word transfer instructions: Instruction Description MOV copy byte or word from specified source to specified destination PUSH copy specified word to top of stack POP copy word from top of stack to specified location PUSHA copy all registers to stack POPA copy words from stack to all registers XCHG Exchange bytes or exchange words XLAT translate a byte in AL using a table in memory These are I/O port transfer instructions: Instruction Description IN copy a byte or word from specific port to accumulator OUT copy a byte or word from accumulator to specific port Special address transfer Instructions: Instruction Description LEA load effective address of operand into specified register LDS load DS register and other specified register from memory LES load ES register and other specified register from memory Flag transfer instructions: Instruction Description LAHF load AH with the low byte of flag register SAHF Stores AH register to low byte of flag register PUSHF copy flag register to top of stack POPF copy top of stack word to flag register

X86 INSTRUCTIONS:::DATA TRANSFER INSTRUCTION:::6-LOAD EFFECTIVE ADDRESS

Load Effective Address : Syntax : lea src, dest #GAS Syntax lea dest, src #Intel syntax The lea instruction calculates the address of the src operand and loads it into the dest operand. Operands src Immediate Register Memory dest Register Modified flags No FLAGS are modified by this instruction Load Effective Address calculates its src operand in the same way as the mov instruction does, but rather than loading the contents of that address into the dest operand, it loads the address itself. lea can be used not only for calculating addresses, but also general-purpose unsigned integer arithmetic (with the caveat and possible advantage that FLAGS are unmodified). This can be quite powerful, since the src operand can take up to 4 parameters: base register, index register, scalar multiplier and displacement, e.g. [eax + edx*4 -4] (Intel syntax) or -4(%eax, %edx, 4) (GAS syntax). The scalar multiplier is limited to constant values 1, 2, 4, or 8 for byte, word, double word or quad word offsets respectively. This by itself allows for multiplication of a general register by constant values 2, 3, 4, 5, 8 and 9, as shown below (using NASM syntax): Example : lea ebx, [ebx*2] ; Multiply ebx by 2 lea ebx, [ebx*8+ebx] ; Multiply ebx by 9, which totals ebx*18

X86 INSTRUCTIONS::: DATA TRANSFER INSTRUCTIONS:::5-MOVE STRING

Move byte Syntax : movsb The movsb instruction copies one byte from the memory location specified in esi to the location specified in edi. If the direction flag is cleared, then esi and edi are incremented after the operation. Otherwise, if the direction flag is set, then the pointers are decremented. In that case the copy would happen in the reverse direction, starting at the highest address and moving toward lower addresses until ecx is zero. Operands None. Modified flags No FLAGS are modified by this instruction Example : section .text ; copy mystr into mystr2 mov esi, mystr ; loads address of mystr into esi mov edi, mystr2 ; loads address of mystr2 into edi cld ; clear direction flag (forward) mov ecx,6 rep movsb ; copy six times section .bss mystr2: resb 6 section .data mystr db "Hello", 0x0 Move Word Syntax : movsw The movsw instruction copies one word (two bytes) from the location specified in esi to the location specified in edi. It basically does the same thing as movsb, except with words instead of bytes. Operands None. Modified flags No FLAGS are modified by this instruction Example : section .code ; copy mystr into mystr2 mov esi, mystr mov edi, mystr2 cld mov ecx,4 rep movsw ; mystr2 is now AaBbCca\0 section .bss mystr2: resb 8 section .data mystr db "AaBbCca", 0x0

X86 INSTRUCTIONS::: DATA TRANSFER INSTRUCTION:::4-MOVE SIGN EXTEND

Move sign extend : Syntax : movs src, dest #GAS Syntax movsx dest, src #Intel syntax The movs instruction copies the src operand in the dest operand and pads the remaining bits not provided by src with the sign bit (the MSB) of src. This instruction is useful for copying a signed small value to a bigger register. Operands src Register Memory dest Register Modified flags No FLAGS are modified by this instruction Example : .data byteval: .byte -24 # = 0xe8 .text .global _start _start: movsbw byteval, %ax # %ax is now -24 = 0xffe8 movswl %ax, %ebx # %ebx is now -24 = 0xffffffe8 movsbl byteval, %esi # %esi is now -24 = 0xffffffe8 # Linux sys_exit mov $1, %eax xorl %ebx, %ebx int $0x80

X86 INSTRUCTIONS:::DATA TRANSFER INSTRUCTION:::3- MOVE WITH ZERO EXTEND

Move Zero Extend : Syntax : movz src, dest #GAS Syntax movzx dest, src #Intel syntax The movz instruction copies the src operand in the dest operand and pads the remaining bits not provided by src with zeros (0). This instruction is useful for copying a small, unsigned value to a bigger register. Operands arg1 Register Memory arg2 Register Modified flags No FLAGS are modified by this instruction Example : .data byteval: .byte 204 .text .global _start _start: movzbw byteval, %ax # %eax is now 204 movzwl %ax, %ebx # %ebx is now 204 movzbl byteval, %esi # %esi is now 204 # Linux sys_exit mov $1, %eax xorl %ebx, %ebx int $0x80

X86 INSTRUCTIONS::::::DATA TRANSFER INSTRUCTION::::2- DATA SWAP

Exchange : Syntax : xchg src, dest #GAS Syntax xchg dest, src #Intel syntax The xchg instruction swaps the src operand with the dest operand. It's like doing three move operations: from dest to a temporary (another register), then from src to dest, then from the temporary to src, except that no register needs to be reserved for temporary storage. If one of the operands is a memory address, then the operation has an implicit LOCK prefix, that is, the exchange operation is atomic. This can have a large performance penalty. It's also worth noting that the common NOP (no op) instruction, 0x90, is the opcode for xchgl %eax, %eax. Operands src Register Memory dest Register Memory However, only one operand can be in memory: the other must be a register. Modified flags No FLAGS are modified by this instruction Example : .data value: .long 2 .text .global _start _start: movl $54, %ebx xorl %eax, %eax xchgl value, %ebx # %ebx is now 2 # value is now 54 xchgw %ax, value # Value is now 0 # %eax is now 54 xchgb %al, %bl # %ebx is now 54 # %eax is now 2 xchgw value(%eax), %ax # value is now 0x00020000 = 131072 # %eax is now 0 # Linux sys_exit mov $1, %eax xorl %ebx, %ebx int $0x80 Compare and exchange : Syntax : cmpxchg arg2, arg1 #GAS Syntax cmpxchg arg1, arg2 #Intel syntax The cmpxchg instruction has two implicit operands AL/AX/EAX(depending on the size of arg1) and ZF(zero) flag. The instruction compares arg1 to AL/AX/EAX and if they are equal sets arg1 to arg2 and sets the zero flag, otherwise it sets AL/AX/EAX to arg1 and clears the zero flag. Unlike xchg there is not an implicit lock prefix and if the instruction is required to be atomic then lock must be prefixed. Operands arg1 Register Memory arg2 Register Modified flags The ZF flag is modified by this instruction In order to assemble, link and run the program we need to do the following: $ nasm -felf32 -g cmpxchgSpinLock.asm $ gcc -o cmpxchgSpinLock cmpxchgSpinLock.o -lpthread $ ./cmpxchgSpinLock

X86 INSTRUCTIONS:::::DATA TRANSFER INSTRUCTION::::::1- MOVE

Data Transfer Some of the most important and most frequently used instructions are those that move data. Without them, there would be no way for registers or memory to even have anything in them to operate on. Data Transfer Instructions Move Syntax : mov src, dest #GAS Syntax mov dest, src #Intel syntax Move : The mov instruction copies the src operand into the dest operand. Operands src Immediate Register Memory dest Register Memory Modified flags No FLAGS are modified by this instruction Example : .data value: .long 2 .text .global _start _start: movl $6, %eax # %eax is now 6 movw %ax, value # value is now 6 movl $0, %ebx # %ebx is now 0 movb %al, %bl # %ebx is now 6 movl value, %ebx # %ebx is now 6 movl $value, %esi # %esi is now the address of value xorl %ebx, %ebx # %ebx is now 0 movw value(, %ebx, 1), %bx # %ebx is now 6 # Linux sys_exit mov $1, %eax xorl %ebx, %ebx int $0x80

X86 INSTRUCTIONS:::::::INTRODUCTION

The different instructions are broken up into groups as follows : Data Transfer Instructions Control Flow Instructions Arithmetic Instructions Logic Instructions Shift and Rotate Instructions Other Instructions x86 Interrupts Conventions The following template will be used for instructions that take no operands: Syntax : Instr The following template will be used for instructions that take 1 operand: Syntax : Instr arg The following template will be used for instructions that take 2 operands. Notice how the format of the instruction is different for different assemblers. Syntax : Instr src, dest #GAS Syntax Instr dest, src #Intel syntax The following template will be used for instructions that take 3 operands. Notice how the format of the instruction is different for different assemblers. Syntax : Instr aux, src, dest #GAS Syntax Instr dest, src, aux #Intel syntax Suffixes Some instructions, especially when built for non-Windows platforms (i.e. Unix, Linux, etc.), require the use of suffixes to specify the size of the data which will be the subject of the operation. Some possible suffixes are: b (byte) = 8 bits w (word) = 16 bits l (long) = 32 bits q (quad) = 64 bits Example of the usage with the mov instruction on a 32-bit architecture, GAS syntax: Syntax : # Store the value F into the eax register movl $0x000F, %eax On Intel Syntax you don't have to use the suffix. Based on the register name and the used immediate value the compiler knows which data size to use. Syntax : MOV EAX, 0x000F

GENERAL PURPOSE REGISTERS IN A MICROPROCESSOR

64-bit x86 adds 8 more general-purpose registers, named R8, R9, R10 and so on up to R15. It also introduces a new naming convention that must be used for these new registers and can also be used for the old ones (except that AH, CH, DH and BH have no equivalents). In the new convention : R0 is RAX. R1 is RCX. R2 is RDX. R3 is RBX. R4 is RSP. R5 is RBP. R6 is RSI. R7 is RDI. R8,R9,R10,R11,R12,R13,R14,R15 are the new registers and have no other names. R0D~R15D are the lowermost 32 bits of each register. For example, R0D is EAX. R0W~R15W are the lowermost 16 bits of each register. For example, R0W is AX. R0L~R15L are the lowermost 8 bits of each register. For example, R0L is AL. As well, 64-bit x86 includes SSE2, so each 64-bit x86 CPU has at least 8 registers (named XMM0~XMM7) that are 128 bits wide, but only accessible through SSE instructions. They cannot be used for quadruple-precision (128-bit) floating-point arithmetic, but they can each hold 2 double-precision or 4 single-precision floating-point values for a SIMD parallel instruction. They can also be operated on as 128-bit integers or vectors of shorter integers. If the processor supports AVX, as newer Intel and AMD desktop CPUs do, then each of these registers is actually the lower half of a 256-bit register (named YMM0~YMM7), the whole of which can be accessed with AVX instructions for further parallelization.

ADDRESSING MODE OF THE X86 ARCHITECTURE IN MICROPROCESSOR

The addressing mode indicates the manner in which the operand is presented. Register Addressing (operand address R is in the address field) mov ax, bx ; moves contents of register bx into ax Immediate (actual value is in the field) mov ax, 1 ; moves value of 1 into register ax or mov ax, 010Ch ; moves value of 0x010C into register ax Direct memory addressing (operand address is in the address field) .data my_var dw 0abcdh ; my_var = 0xabcd .code mov ax, [my_var] ; copy my_var content into ax (ax=0xabcd) Direct offset addressing (uses arithmetics to modify address) byte_tbl db 12,15,16,22,..... ; Table of bytes mov al,[byte_tbl+2] mov al,byte_tbl[2] ; same as the former Register Indirect (field points to a register that contains the operand address) mov ax,[di] The registers used for indirect addressing are BX, BP, SI, DI Base-index mov ax,[bx + di] For example, if we are talking about an array, BX contains the address of the beginning of the array, and DI contains the index into the array. Base-index with displacement mov ax,[bx + di + 10]

TWO'S COMPLEMENT REPRESENTING IN MICROPROCESSOR

Two's complement is the standard way of representing negative integers in binary. The sign is changed by inverting all of the bits and adding one. Two's complement example Start: 0001 Invert: 1110 Add One: 1111 0001 represents decimal 1 1111 represents decimal -1

MEMORY OF THE X86 ARCHITECTURE IN A MICROPROCESSOR

The x86 architecture is little-endian, meaning that multi-byte values are written least significant byte first. (This refers only to the ordering of the bytes, not to the bits.) So the 32 bit value B3B2B1B016 on an x86 would be represented in memory as : Little endian representation B0 B1 B2 B3 For example, the 32 bits double word 0x1BA583D4 (the 0x denotes hexadecimal) would be written in memory as : Little endian example D4 83 A5 1B This will be seen as 0xD4 0x83 0xA5 0x1B when doing a memory dump.