1 /*===- X86DisassemblerDecoder.c - Disassembler decoder -------------*- C -*-==*
3 * The LLVM Compiler Infrastructure
5 * This file is distributed under the University of Illinois Open Source
6 * License. See LICENSE.TXT for details.
8 *===----------------------------------------------------------------------===*
10 * This file is part of the X86 Disassembler.
11 * It contains the implementation of the instruction decoder.
12 * Documentation for the disassembler can be found in X86Disassembler.h.
14 *===----------------------------------------------------------------------===*/
16 #include <stdarg.h> /* for va_*() */
17 #include <stdio.h> /* for vsnprintf() */
18 #include <stdlib.h> /* for exit() */
19 #include <string.h> /* for memset() */
21 #include "X86DisassemblerDecoder.h"
23 #include "X86GenDisassemblerTables.inc"
31 #define debug(s) do { x86DisassemblerDebug(__FILE__, __LINE__, s); } while (0)
33 #define debug(s) do { } while (0)
38 * contextForAttrs - Client for the instruction context table. Takes a set of
39 * attributes and returns the appropriate decode context.
41 * @param attrMask - Attributes, from the enumeration attributeBits.
42 * @return - The InstructionContext to use when looking up an
43 * an instruction with these attributes.
45 static InstructionContext contextForAttrs(uint8_t attrMask) {
46 return CONTEXTS_SYM[attrMask];
50 * modRMRequired - Reads the appropriate instruction table to determine whether
51 * the ModR/M byte is required to decode a particular instruction.
53 * @param type - The opcode type (i.e., how many bytes it has).
54 * @param insnContext - The context for the instruction, as returned by
56 * @param opcode - The last byte of the instruction's opcode, not counting
57 * ModR/M extensions and escapes.
58 * @return - TRUE if the ModR/M byte is required, FALSE otherwise.
60 static int modRMRequired(OpcodeType type,
61 InstructionContext insnContext,
63 const struct ContextDecision* decision = 0;
67 decision = &ONEBYTE_SYM;
70 decision = &TWOBYTE_SYM;
73 decision = &THREEBYTE38_SYM;
76 decision = &THREEBYTE3A_SYM;
80 return decision->opcodeDecisions[insnContext].modRMDecisions[opcode].
81 modrm_type != MODRM_ONEENTRY;
87 * decode - Reads the appropriate instruction table to obtain the unique ID of
90 * @param type - See modRMRequired().
91 * @param insnContext - See modRMRequired().
92 * @param opcode - See modRMRequired().
93 * @param modRM - The ModR/M byte if required, or any value if not.
94 * @return - The UID of the instruction, or 0 on failure.
96 static InstrUID decode(OpcodeType type,
97 InstructionContext insnContext,
100 const struct ModRMDecision* dec;
104 debug("Unknown opcode type");
107 dec = &ONEBYTE_SYM.opcodeDecisions[insnContext].modRMDecisions[opcode];
110 dec = &TWOBYTE_SYM.opcodeDecisions[insnContext].modRMDecisions[opcode];
113 dec = &THREEBYTE38_SYM.opcodeDecisions[insnContext].modRMDecisions[opcode];
116 dec = &THREEBYTE3A_SYM.opcodeDecisions[insnContext].modRMDecisions[opcode];
120 switch (dec->modrm_type) {
122 debug("Corrupt table! Unknown modrm_type");
125 return dec->instructionIDs[0];
127 if (modFromModRM(modRM) == 0x3)
128 return dec->instructionIDs[1];
130 return dec->instructionIDs[0];
132 return dec->instructionIDs[modRM];
137 * specifierForUID - Given a UID, returns the name and operand specification for
140 * @param uid - The unique ID for the instruction. This should be returned by
141 * decode(); specifierForUID will not check bounds.
142 * @return - A pointer to the specification for that instruction.
144 static const struct InstructionSpecifier *specifierForUID(InstrUID uid) {
145 return &INSTRUCTIONS_SYM[uid];
149 * consumeByte - Uses the reader function provided by the user to consume one
150 * byte from the instruction's memory and advance the cursor.
152 * @param insn - The instruction with the reader function to use. The cursor
153 * for this instruction is advanced.
154 * @param byte - A pointer to a pre-allocated memory buffer to be populated
155 * with the data read.
156 * @return - 0 if the read was successful; nonzero otherwise.
158 static int consumeByte(struct InternalInstruction* insn, uint8_t* byte) {
159 int ret = insn->reader(insn->readerArg, byte, insn->readerCursor);
162 ++(insn->readerCursor);
168 * lookAtByte - Like consumeByte, but does not advance the cursor.
170 * @param insn - See consumeByte().
171 * @param byte - See consumeByte().
172 * @return - See consumeByte().
174 static int lookAtByte(struct InternalInstruction* insn, uint8_t* byte) {
175 return insn->reader(insn->readerArg, byte, insn->readerCursor);
178 static void unconsumeByte(struct InternalInstruction* insn) {
179 insn->readerCursor--;
182 #define CONSUME_FUNC(name, type) \
183 static int name(struct InternalInstruction* insn, type* ptr) { \
186 for (offset = 0; offset < sizeof(type); ++offset) { \
188 int ret = insn->reader(insn->readerArg, \
190 insn->readerCursor + offset); \
193 combined = combined | ((type)byte << ((type)offset * 8)); \
196 insn->readerCursor += sizeof(type); \
201 * consume* - Use the reader function provided by the user to consume data
202 * values of various sizes from the instruction's memory and advance the
203 * cursor appropriately. These readers perform endian conversion.
205 * @param insn - See consumeByte().
206 * @param ptr - A pointer to a pre-allocated memory of appropriate size to
207 * be populated with the data read.
208 * @return - See consumeByte().
210 CONSUME_FUNC(consumeInt8, int8_t)
211 CONSUME_FUNC(consumeInt16, int16_t)
212 CONSUME_FUNC(consumeInt32, int32_t)
213 CONSUME_FUNC(consumeUInt16, uint16_t)
214 CONSUME_FUNC(consumeUInt32, uint32_t)
215 CONSUME_FUNC(consumeUInt64, uint64_t)
218 * dbgprintf - Uses the logging function provided by the user to log a single
219 * message, typically without a carriage-return.
221 * @param insn - The instruction containing the logging function.
222 * @param format - See printf().
223 * @param ... - See printf().
225 static void dbgprintf(struct InternalInstruction* insn,
234 va_start(ap, format);
235 (void)vsnprintf(buffer, sizeof(buffer), format, ap);
238 insn->dlog(insn->dlogArg, buffer);
244 * setPrefixPresent - Marks that a particular prefix is present at a particular
247 * @param insn - The instruction to be marked as having the prefix.
248 * @param prefix - The prefix that is present.
249 * @param location - The location where the prefix is located (in the address
250 * space of the instruction's reader).
252 static void setPrefixPresent(struct InternalInstruction* insn,
256 insn->prefixPresent[prefix] = 1;
257 insn->prefixLocations[prefix] = location;
261 * isPrefixAtLocation - Queries an instruction to determine whether a prefix is
262 * present at a given location.
264 * @param insn - The instruction to be queried.
265 * @param prefix - The prefix.
266 * @param location - The location to query.
267 * @return - Whether the prefix is at that location.
269 static BOOL isPrefixAtLocation(struct InternalInstruction* insn,
273 if (insn->prefixPresent[prefix] == 1 &&
274 insn->prefixLocations[prefix] == location)
281 * readPrefixes - Consumes all of an instruction's prefix bytes, and marks the
282 * instruction as having them. Also sets the instruction's default operand,
283 * address, and other relevant data sizes to report operands correctly.
285 * @param insn - The instruction whose prefixes are to be read.
286 * @return - 0 if the instruction could be read until the end of the prefix
287 * bytes, and no prefixes conflicted; nonzero otherwise.
289 static int readPrefixes(struct InternalInstruction* insn) {
290 BOOL isPrefix = TRUE;
291 BOOL prefixGroups[4] = { FALSE };
292 uint64_t prefixLocation;
295 BOOL hasAdSize = FALSE;
296 BOOL hasOpSize = FALSE;
298 dbgprintf(insn, "readPrefixes()");
301 prefixLocation = insn->readerCursor;
303 if (consumeByte(insn, &byte))
307 case 0xf0: /* LOCK */
308 case 0xf2: /* REPNE/REPNZ */
309 case 0xf3: /* REP or REPE/REPZ */
311 dbgprintf(insn, "Redundant Group 1 prefix");
312 prefixGroups[0] = TRUE;
313 setPrefixPresent(insn, byte, prefixLocation);
315 case 0x2e: /* CS segment override -OR- Branch not taken */
316 case 0x36: /* SS segment override -OR- Branch taken */
317 case 0x3e: /* DS segment override */
318 case 0x26: /* ES segment override */
319 case 0x64: /* FS segment override */
320 case 0x65: /* GS segment override */
323 insn->segmentOverride = SEG_OVERRIDE_CS;
326 insn->segmentOverride = SEG_OVERRIDE_SS;
329 insn->segmentOverride = SEG_OVERRIDE_DS;
332 insn->segmentOverride = SEG_OVERRIDE_ES;
335 insn->segmentOverride = SEG_OVERRIDE_FS;
338 insn->segmentOverride = SEG_OVERRIDE_GS;
341 debug("Unhandled override");
345 dbgprintf(insn, "Redundant Group 2 prefix");
346 prefixGroups[1] = TRUE;
347 setPrefixPresent(insn, byte, prefixLocation);
349 case 0x66: /* Operand-size override */
351 dbgprintf(insn, "Redundant Group 3 prefix");
352 prefixGroups[2] = TRUE;
354 setPrefixPresent(insn, byte, prefixLocation);
356 case 0x67: /* Address-size override */
358 dbgprintf(insn, "Redundant Group 4 prefix");
359 prefixGroups[3] = TRUE;
361 setPrefixPresent(insn, byte, prefixLocation);
363 default: /* Not a prefix byte */
369 dbgprintf(insn, "Found prefix 0x%hhx", byte);
377 if (lookAtByte(insn, &byte1)) {
378 dbgprintf(insn, "Couldn't read second byte of VEX");
382 if (insn->mode == MODE_64BIT || byte1 & 0x8) {
384 insn->necessaryPrefixLocation = insn->readerCursor - 1;
388 insn->necessaryPrefixLocation = insn->readerCursor - 1;
391 if (insn->vexSize == 3) {
392 insn->vexPrefix[0] = byte;
393 consumeByte(insn, &insn->vexPrefix[1]);
394 consumeByte(insn, &insn->vexPrefix[2]);
396 /* We simulate the REX prefix for simplicity's sake */
398 insn->rexPrefix = 0x40
399 | (wFromVEX3of3(insn->vexPrefix[2]) << 3)
400 | (rFromVEX2of3(insn->vexPrefix[1]) << 2)
401 | (xFromVEX2of3(insn->vexPrefix[1]) << 1)
402 | (bFromVEX2of3(insn->vexPrefix[1]) << 0);
404 switch (ppFromVEX3of3(insn->vexPrefix[2]))
413 dbgprintf(insn, "Found VEX prefix 0x%hhx 0x%hhx 0x%hhx", insn->vexPrefix[0], insn->vexPrefix[1], insn->vexPrefix[2]);
416 else if (byte == 0xc5) {
419 if (lookAtByte(insn, &byte1)) {
420 dbgprintf(insn, "Couldn't read second byte of VEX");
424 if (insn->mode == MODE_64BIT || byte1 & 0x8) {
431 if (insn->vexSize == 2) {
432 insn->vexPrefix[0] = byte;
433 consumeByte(insn, &insn->vexPrefix[1]);
435 insn->rexPrefix = 0x40
436 | (rFromVEX2of2(insn->vexPrefix[1]) << 2);
438 switch (ppFromVEX2of2(insn->vexPrefix[1]))
447 dbgprintf(insn, "Found VEX prefix 0x%hhx 0x%hhx", insn->vexPrefix[0], insn->vexPrefix[1]);
451 if (insn->mode == MODE_64BIT) {
452 if ((byte & 0xf0) == 0x40) {
455 if (lookAtByte(insn, &opcodeByte) || ((opcodeByte & 0xf0) == 0x40)) {
456 dbgprintf(insn, "Redundant REX prefix");
460 insn->rexPrefix = byte;
461 insn->necessaryPrefixLocation = insn->readerCursor - 2;
463 dbgprintf(insn, "Found REX prefix 0x%hhx", byte);
466 insn->necessaryPrefixLocation = insn->readerCursor - 1;
470 insn->necessaryPrefixLocation = insn->readerCursor - 1;
474 if (insn->mode == MODE_16BIT) {
475 insn->registerSize = (hasOpSize ? 4 : 2);
476 insn->addressSize = (hasAdSize ? 4 : 2);
477 insn->displacementSize = (hasAdSize ? 4 : 2);
478 insn->immediateSize = (hasOpSize ? 4 : 2);
479 } else if (insn->mode == MODE_32BIT) {
480 insn->registerSize = (hasOpSize ? 2 : 4);
481 insn->addressSize = (hasAdSize ? 2 : 4);
482 insn->displacementSize = (hasAdSize ? 2 : 4);
483 insn->immediateSize = (hasOpSize ? 2 : 4);
484 } else if (insn->mode == MODE_64BIT) {
485 if (insn->rexPrefix && wFromREX(insn->rexPrefix)) {
486 insn->registerSize = 8;
487 insn->addressSize = (hasAdSize ? 4 : 8);
488 insn->displacementSize = 4;
489 insn->immediateSize = 4;
490 } else if (insn->rexPrefix) {
491 insn->registerSize = (hasOpSize ? 2 : 4);
492 insn->addressSize = (hasAdSize ? 4 : 8);
493 insn->displacementSize = (hasOpSize ? 2 : 4);
494 insn->immediateSize = (hasOpSize ? 2 : 4);
496 insn->registerSize = (hasOpSize ? 2 : 4);
497 insn->addressSize = (hasAdSize ? 4 : 8);
498 insn->displacementSize = (hasOpSize ? 2 : 4);
499 insn->immediateSize = (hasOpSize ? 2 : 4);
507 * readOpcode - Reads the opcode (excepting the ModR/M byte in the case of
508 * extended or escape opcodes).
510 * @param insn - The instruction whose opcode is to be read.
511 * @return - 0 if the opcode could be read successfully; nonzero otherwise.
513 static int readOpcode(struct InternalInstruction* insn) {
514 /* Determine the length of the primary opcode */
518 dbgprintf(insn, "readOpcode()");
520 insn->opcodeType = ONEBYTE;
522 if (insn->vexSize == 3)
524 switch (mmmmmFromVEX2of3(insn->vexPrefix[1]))
527 dbgprintf(insn, "Unhandled m-mmmm field for instruction (0x%hhx)", mmmmmFromVEX2of3(insn->vexPrefix[1]));
532 insn->twoByteEscape = 0x0f;
533 insn->opcodeType = TWOBYTE;
534 return consumeByte(insn, &insn->opcode);
536 insn->twoByteEscape = 0x0f;
537 insn->threeByteEscape = 0x38;
538 insn->opcodeType = THREEBYTE_38;
539 return consumeByte(insn, &insn->opcode);
541 insn->twoByteEscape = 0x0f;
542 insn->threeByteEscape = 0x3a;
543 insn->opcodeType = THREEBYTE_3A;
544 return consumeByte(insn, &insn->opcode);
547 else if (insn->vexSize == 2)
549 insn->twoByteEscape = 0x0f;
550 insn->opcodeType = TWOBYTE;
551 return consumeByte(insn, &insn->opcode);
554 if (consumeByte(insn, ¤t))
557 if (current == 0x0f) {
558 dbgprintf(insn, "Found a two-byte escape prefix (0x%hhx)", current);
560 insn->twoByteEscape = current;
562 if (consumeByte(insn, ¤t))
565 if (current == 0x38) {
566 dbgprintf(insn, "Found a three-byte escape prefix (0x%hhx)", current);
568 insn->threeByteEscape = current;
570 if (consumeByte(insn, ¤t))
573 insn->opcodeType = THREEBYTE_38;
574 } else if (current == 0x3a) {
575 dbgprintf(insn, "Found a three-byte escape prefix (0x%hhx)", current);
577 insn->threeByteEscape = current;
579 if (consumeByte(insn, ¤t))
582 insn->opcodeType = THREEBYTE_3A;
584 dbgprintf(insn, "Didn't find a three-byte escape prefix");
586 insn->opcodeType = TWOBYTE;
591 * At this point we have consumed the full opcode.
592 * Anything we consume from here on must be unconsumed.
595 insn->opcode = current;
600 static int readModRM(struct InternalInstruction* insn);
603 * getIDWithAttrMask - Determines the ID of an instruction, consuming
604 * the ModR/M byte as appropriate for extended and escape opcodes,
605 * and using a supplied attribute mask.
607 * @param instructionID - A pointer whose target is filled in with the ID of the
609 * @param insn - The instruction whose ID is to be determined.
610 * @param attrMask - The attribute mask to search.
611 * @return - 0 if the ModR/M could be read when needed or was not
612 * needed; nonzero otherwise.
614 static int getIDWithAttrMask(uint16_t* instructionID,
615 struct InternalInstruction* insn,
617 BOOL hasModRMExtension;
619 uint8_t instructionClass;
621 instructionClass = contextForAttrs(attrMask);
623 hasModRMExtension = modRMRequired(insn->opcodeType,
627 if (hasModRMExtension) {
631 *instructionID = decode(insn->opcodeType,
636 *instructionID = decode(insn->opcodeType,
646 * is16BitEquivalent - Determines whether two instruction names refer to
647 * equivalent instructions but one is 16-bit whereas the other is not.
649 * @param orig - The instruction that is not 16-bit
650 * @param equiv - The instruction that is 16-bit
652 static BOOL is16BitEquvalent(const char* orig, const char* equiv) {
656 if (orig[i] == '\0' && equiv[i] == '\0')
658 if (orig[i] == '\0' || equiv[i] == '\0')
660 if (orig[i] != equiv[i]) {
661 if ((orig[i] == 'Q' || orig[i] == 'L') && equiv[i] == 'W')
663 if ((orig[i] == '6' || orig[i] == '3') && equiv[i] == '1')
665 if ((orig[i] == '4' || orig[i] == '2') && equiv[i] == '6')
673 * is64BitEquivalent - Determines whether two instruction names refer to
674 * equivalent instructions but one is 64-bit whereas the other is not.
676 * @param orig - The instruction that is not 64-bit
677 * @param equiv - The instruction that is 64-bit
679 static BOOL is64BitEquivalent(const char* orig, const char* equiv) {
683 if (orig[i] == '\0' && equiv[i] == '\0')
685 if (orig[i] == '\0' || equiv[i] == '\0')
687 if (orig[i] != equiv[i]) {
688 if ((orig[i] == 'W' || orig[i] == 'L') && equiv[i] == 'Q')
690 if ((orig[i] == '1' || orig[i] == '3') && equiv[i] == '6')
692 if ((orig[i] == '6' || orig[i] == '2') && equiv[i] == '4')
701 * getID - Determines the ID of an instruction, consuming the ModR/M byte as
702 * appropriate for extended and escape opcodes. Determines the attributes and
703 * context for the instruction before doing so.
705 * @param insn - The instruction whose ID is to be determined.
706 * @return - 0 if the ModR/M could be read when needed or was not needed;
709 static int getID(struct InternalInstruction* insn) {
711 uint16_t instructionID;
713 dbgprintf(insn, "getID()");
715 attrMask = ATTR_NONE;
717 if (insn->mode == MODE_64BIT)
718 attrMask |= ATTR_64BIT;
721 attrMask |= ATTR_VEX;
723 if (insn->vexSize == 3) {
724 switch (ppFromVEX3of3(insn->vexPrefix[2])) {
726 attrMask |= ATTR_OPSIZE;
736 if (wFromVEX3of3(insn->vexPrefix[2]))
737 attrMask |= ATTR_REXW;
738 if (lFromVEX3of3(insn->vexPrefix[2]))
739 attrMask |= ATTR_VEXL;
741 else if (insn->vexSize == 2) {
742 switch (ppFromVEX2of2(insn->vexPrefix[1])) {
744 attrMask |= ATTR_OPSIZE;
754 if (lFromVEX2of2(insn->vexPrefix[1]))
755 attrMask |= ATTR_VEXL;
762 if (insn->rexPrefix & 0x08)
763 attrMask |= ATTR_REXW;
765 if (isPrefixAtLocation(insn, 0x66, insn->necessaryPrefixLocation))
766 attrMask |= ATTR_OPSIZE;
767 else if (isPrefixAtLocation(insn, 0xf3, insn->necessaryPrefixLocation))
769 else if (isPrefixAtLocation(insn, 0xf2, insn->necessaryPrefixLocation))
774 if (getIDWithAttrMask(&instructionID, insn, attrMask))
777 /* The following clauses compensate for limitations of the tables. */
779 if ((attrMask & ATTR_XD) && (attrMask & ATTR_REXW)) {
781 * Although for SSE instructions it is usually necessary to treat REX.W+F2
782 * as F2 for decode (in the absence of a 64BIT_REXW_XD category) there is
783 * an occasional instruction where F2 is incidental and REX.W is the more
784 * significant. If the decoded instruction is 32-bit and adding REX.W
785 * instead of F2 changes a 32 to a 64, we adopt the new encoding.
788 const struct InstructionSpecifier *spec;
789 uint16_t instructionIDWithREXw;
790 const struct InstructionSpecifier *specWithREXw;
792 spec = specifierForUID(instructionID);
794 if (getIDWithAttrMask(&instructionIDWithREXw,
796 attrMask & (~ATTR_XD))) {
798 * Decoding with REX.w would yield nothing; give up and return original
802 insn->instructionID = instructionID;
807 specWithREXw = specifierForUID(instructionIDWithREXw);
809 if (is64BitEquivalent(spec->name, specWithREXw->name)) {
810 insn->instructionID = instructionIDWithREXw;
811 insn->spec = specWithREXw;
813 insn->instructionID = instructionID;
819 if (insn->prefixPresent[0x66] && !(attrMask & ATTR_OPSIZE)) {
821 * The instruction tables make no distinction between instructions that
822 * allow OpSize anywhere (i.e., 16-bit operations) and that need it in a
823 * particular spot (i.e., many MMX operations). In general we're
824 * conservative, but in the specific case where OpSize is present but not
825 * in the right place we check if there's a 16-bit operation.
828 const struct InstructionSpecifier *spec;
829 uint16_t instructionIDWithOpsize;
830 const struct InstructionSpecifier *specWithOpsize;
832 spec = specifierForUID(instructionID);
834 if (getIDWithAttrMask(&instructionIDWithOpsize,
836 attrMask | ATTR_OPSIZE)) {
838 * ModRM required with OpSize but not present; give up and return version
842 insn->instructionID = instructionID;
847 specWithOpsize = specifierForUID(instructionIDWithOpsize);
849 if (is16BitEquvalent(spec->name, specWithOpsize->name)) {
850 insn->instructionID = instructionIDWithOpsize;
851 insn->spec = specWithOpsize;
853 insn->instructionID = instructionID;
859 insn->instructionID = instructionID;
860 insn->spec = specifierForUID(insn->instructionID);
866 * readSIB - Consumes the SIB byte to determine addressing information for an
869 * @param insn - The instruction whose SIB byte is to be read.
870 * @return - 0 if the SIB byte was successfully read; nonzero otherwise.
872 static int readSIB(struct InternalInstruction* insn) {
873 SIBIndex sibIndexBase = 0;
874 SIBBase sibBaseBase = 0;
877 dbgprintf(insn, "readSIB()");
879 if (insn->consumedSIB)
882 insn->consumedSIB = TRUE;
884 switch (insn->addressSize) {
886 dbgprintf(insn, "SIB-based addressing doesn't work in 16-bit mode");
890 sibIndexBase = SIB_INDEX_EAX;
891 sibBaseBase = SIB_BASE_EAX;
894 sibIndexBase = SIB_INDEX_RAX;
895 sibBaseBase = SIB_BASE_RAX;
899 if (consumeByte(insn, &insn->sib))
902 index = indexFromSIB(insn->sib) | (xFromREX(insn->rexPrefix) << 3);
906 insn->sibIndex = SIB_INDEX_NONE;
909 insn->sibIndex = (SIBIndex)(sibIndexBase + index);
910 if (insn->sibIndex == SIB_INDEX_sib ||
911 insn->sibIndex == SIB_INDEX_sib64)
912 insn->sibIndex = SIB_INDEX_NONE;
916 switch (scaleFromSIB(insn->sib)) {
931 base = baseFromSIB(insn->sib) | (bFromREX(insn->rexPrefix) << 3);
935 switch (modFromModRM(insn->modRM)) {
937 insn->eaDisplacement = EA_DISP_32;
938 insn->sibBase = SIB_BASE_NONE;
941 insn->eaDisplacement = EA_DISP_8;
942 insn->sibBase = (insn->addressSize == 4 ?
943 SIB_BASE_EBP : SIB_BASE_RBP);
946 insn->eaDisplacement = EA_DISP_32;
947 insn->sibBase = (insn->addressSize == 4 ?
948 SIB_BASE_EBP : SIB_BASE_RBP);
951 debug("Cannot have Mod = 0b11 and a SIB byte");
956 insn->sibBase = (SIBBase)(sibBaseBase + base);
964 * readDisplacement - Consumes the displacement of an instruction.
966 * @param insn - The instruction whose displacement is to be read.
967 * @return - 0 if the displacement byte was successfully read; nonzero
970 static int readDisplacement(struct InternalInstruction* insn) {
975 dbgprintf(insn, "readDisplacement()");
977 if (insn->consumedDisplacement)
980 insn->consumedDisplacement = TRUE;
982 switch (insn->eaDisplacement) {
984 insn->consumedDisplacement = FALSE;
987 if (consumeInt8(insn, &d8))
989 insn->displacement = d8;
992 if (consumeInt16(insn, &d16))
994 insn->displacement = d16;
997 if (consumeInt32(insn, &d32))
999 insn->displacement = d32;
1003 insn->consumedDisplacement = TRUE;
1008 * readModRM - Consumes all addressing information (ModR/M byte, SIB byte, and
1009 * displacement) for an instruction and interprets it.
1011 * @param insn - The instruction whose addressing information is to be read.
1012 * @return - 0 if the information was successfully read; nonzero otherwise.
1014 static int readModRM(struct InternalInstruction* insn) {
1015 uint8_t mod, rm, reg;
1017 dbgprintf(insn, "readModRM()");
1019 if (insn->consumedModRM)
1022 if (consumeByte(insn, &insn->modRM))
1024 insn->consumedModRM = TRUE;
1026 mod = modFromModRM(insn->modRM);
1027 rm = rmFromModRM(insn->modRM);
1028 reg = regFromModRM(insn->modRM);
1031 * This goes by insn->registerSize to pick the correct register, which messes
1032 * up if we're using (say) XMM or 8-bit register operands. That gets fixed in
1035 switch (insn->registerSize) {
1037 insn->regBase = MODRM_REG_AX;
1038 insn->eaRegBase = EA_REG_AX;
1041 insn->regBase = MODRM_REG_EAX;
1042 insn->eaRegBase = EA_REG_EAX;
1045 insn->regBase = MODRM_REG_RAX;
1046 insn->eaRegBase = EA_REG_RAX;
1050 reg |= rFromREX(insn->rexPrefix) << 3;
1051 rm |= bFromREX(insn->rexPrefix) << 3;
1053 insn->reg = (Reg)(insn->regBase + reg);
1055 switch (insn->addressSize) {
1057 insn->eaBaseBase = EA_BASE_BX_SI;
1062 insn->eaBase = EA_BASE_NONE;
1063 insn->eaDisplacement = EA_DISP_16;
1064 if (readDisplacement(insn))
1067 insn->eaBase = (EABase)(insn->eaBaseBase + rm);
1068 insn->eaDisplacement = EA_DISP_NONE;
1072 insn->eaBase = (EABase)(insn->eaBaseBase + rm);
1073 insn->eaDisplacement = EA_DISP_8;
1074 if (readDisplacement(insn))
1078 insn->eaBase = (EABase)(insn->eaBaseBase + rm);
1079 insn->eaDisplacement = EA_DISP_16;
1080 if (readDisplacement(insn))
1084 insn->eaBase = (EABase)(insn->eaRegBase + rm);
1085 if (readDisplacement(insn))
1092 insn->eaBaseBase = (insn->addressSize == 4 ? EA_BASE_EAX : EA_BASE_RAX);
1096 insn->eaDisplacement = EA_DISP_NONE; /* readSIB may override this */
1099 case 0xc: /* in case REXW.b is set */
1100 insn->eaBase = (insn->addressSize == 4 ?
1101 EA_BASE_sib : EA_BASE_sib64);
1103 if (readDisplacement(insn))
1107 insn->eaBase = EA_BASE_NONE;
1108 insn->eaDisplacement = EA_DISP_32;
1109 if (readDisplacement(insn))
1113 insn->eaBase = (EABase)(insn->eaBaseBase + rm);
1119 insn->eaDisplacement = (mod == 0x1 ? EA_DISP_8 : EA_DISP_32);
1122 case 0xc: /* in case REXW.b is set */
1123 insn->eaBase = EA_BASE_sib;
1125 if (readDisplacement(insn))
1129 insn->eaBase = (EABase)(insn->eaBaseBase + rm);
1130 if (readDisplacement(insn))
1136 insn->eaDisplacement = EA_DISP_NONE;
1137 insn->eaBase = (EABase)(insn->eaRegBase + rm);
1141 } /* switch (insn->addressSize) */
1146 #define GENERIC_FIXUP_FUNC(name, base, prefix) \
1147 static uint8_t name(struct InternalInstruction *insn, \
1154 debug("Unhandled register type"); \
1158 return base + index; \
1160 if (insn->rexPrefix && \
1161 index >= 4 && index <= 7) { \
1162 return prefix##_SPL + (index - 4); \
1164 return prefix##_AL + index; \
1167 return prefix##_AX + index; \
1169 return prefix##_EAX + index; \
1171 return prefix##_RAX + index; \
1173 return prefix##_YMM0 + index; \
1178 return prefix##_XMM0 + index; \
1184 return prefix##_MM0 + index; \
1185 case TYPE_SEGMENTREG: \
1188 return prefix##_ES + index; \
1189 case TYPE_DEBUGREG: \
1192 return prefix##_DR0 + index; \
1193 case TYPE_CONTROLREG: \
1196 return prefix##_CR0 + index; \
1201 * fixup*Value - Consults an operand type to determine the meaning of the
1202 * reg or R/M field. If the operand is an XMM operand, for example, an
1203 * operand would be XMM0 instead of AX, which readModRM() would otherwise
1204 * misinterpret it as.
1206 * @param insn - The instruction containing the operand.
1207 * @param type - The operand type.
1208 * @param index - The existing value of the field as reported by readModRM().
1209 * @param valid - The address of a uint8_t. The target is set to 1 if the
1210 * field is valid for the register class; 0 if not.
1211 * @return - The proper value.
1213 GENERIC_FIXUP_FUNC(fixupRegValue, insn->regBase, MODRM_REG)
1214 GENERIC_FIXUP_FUNC(fixupRMValue, insn->eaRegBase, EA_REG)
1217 * fixupReg - Consults an operand specifier to determine which of the
1218 * fixup*Value functions to use in correcting readModRM()'ss interpretation.
1220 * @param insn - See fixup*Value().
1221 * @param op - The operand specifier.
1222 * @return - 0 if fixup was successful; -1 if the register returned was
1223 * invalid for its class.
1225 static int fixupReg(struct InternalInstruction *insn,
1226 const struct OperandSpecifier *op) {
1229 dbgprintf(insn, "fixupReg()");
1231 switch ((OperandEncoding)op->encoding) {
1233 debug("Expected a REG or R/M encoding in fixupReg");
1236 insn->vvvv = (Reg)fixupRegValue(insn,
1237 (OperandType)op->type,
1244 insn->reg = (Reg)fixupRegValue(insn,
1245 (OperandType)op->type,
1246 insn->reg - insn->regBase,
1252 if (insn->eaBase >= insn->eaRegBase) {
1253 insn->eaBase = (EABase)fixupRMValue(insn,
1254 (OperandType)op->type,
1255 insn->eaBase - insn->eaRegBase,
1267 * readOpcodeModifier - Reads an operand from the opcode field of an
1268 * instruction. Handles AddRegFrm instructions.
1270 * @param insn - The instruction whose opcode field is to be read.
1271 * @param inModRM - Indicates that the opcode field is to be read from the
1272 * ModR/M extension; useful for escape opcodes
1273 * @return - 0 on success; nonzero otherwise.
1275 static int readOpcodeModifier(struct InternalInstruction* insn) {
1276 dbgprintf(insn, "readOpcodeModifier()");
1278 if (insn->consumedOpcodeModifier)
1281 insn->consumedOpcodeModifier = TRUE;
1283 switch (insn->spec->modifierType) {
1285 debug("Unknown modifier type.");
1288 debug("No modifier but an operand expects one.");
1290 case MODIFIER_OPCODE:
1291 insn->opcodeModifier = insn->opcode - insn->spec->modifierBase;
1293 case MODIFIER_MODRM:
1294 insn->opcodeModifier = insn->modRM - insn->spec->modifierBase;
1300 * readOpcodeRegister - Reads an operand from the opcode field of an
1301 * instruction and interprets it appropriately given the operand width.
1302 * Handles AddRegFrm instructions.
1304 * @param insn - See readOpcodeModifier().
1305 * @param size - The width (in bytes) of the register being specified.
1306 * 1 means AL and friends, 2 means AX, 4 means EAX, and 8 means
1308 * @return - 0 on success; nonzero otherwise.
1310 static int readOpcodeRegister(struct InternalInstruction* insn, uint8_t size) {
1311 dbgprintf(insn, "readOpcodeRegister()");
1313 if (readOpcodeModifier(insn))
1317 size = insn->registerSize;
1321 insn->opcodeRegister = (Reg)(MODRM_REG_AL + ((bFromREX(insn->rexPrefix) << 3)
1322 | insn->opcodeModifier));
1323 if (insn->rexPrefix &&
1324 insn->opcodeRegister >= MODRM_REG_AL + 0x4 &&
1325 insn->opcodeRegister < MODRM_REG_AL + 0x8) {
1326 insn->opcodeRegister = (Reg)(MODRM_REG_SPL
1327 + (insn->opcodeRegister - MODRM_REG_AL - 4));
1332 insn->opcodeRegister = (Reg)(MODRM_REG_AX
1333 + ((bFromREX(insn->rexPrefix) << 3)
1334 | insn->opcodeModifier));
1337 insn->opcodeRegister = (Reg)(MODRM_REG_EAX
1338 + ((bFromREX(insn->rexPrefix) << 3)
1339 | insn->opcodeModifier));
1342 insn->opcodeRegister = (Reg)(MODRM_REG_RAX
1343 + ((bFromREX(insn->rexPrefix) << 3)
1344 | insn->opcodeModifier));
1352 * readImmediate - Consumes an immediate operand from an instruction, given the
1353 * desired operand size.
1355 * @param insn - The instruction whose operand is to be read.
1356 * @param size - The width (in bytes) of the operand.
1357 * @return - 0 if the immediate was successfully consumed; nonzero
1360 static int readImmediate(struct InternalInstruction* insn, uint8_t size) {
1366 dbgprintf(insn, "readImmediate()");
1368 if (insn->numImmediatesConsumed == 2) {
1369 debug("Already consumed two immediates");
1374 size = insn->immediateSize;
1376 insn->immediateSize = size;
1380 if (consumeByte(insn, &imm8))
1382 insn->immediates[insn->numImmediatesConsumed] = imm8;
1385 if (consumeUInt16(insn, &imm16))
1387 insn->immediates[insn->numImmediatesConsumed] = imm16;
1390 if (consumeUInt32(insn, &imm32))
1392 insn->immediates[insn->numImmediatesConsumed] = imm32;
1395 if (consumeUInt64(insn, &imm64))
1397 insn->immediates[insn->numImmediatesConsumed] = imm64;
1401 insn->numImmediatesConsumed++;
1407 * readVVVV - Consumes an immediate operand from an instruction, given the
1408 * desired operand size.
1410 * @param insn - The instruction whose operand is to be read.
1411 * @return - 0 if the immediate was successfully consumed; nonzero
1414 static int readVVVV(struct InternalInstruction* insn) {
1415 dbgprintf(insn, "readVVVV()");
1417 if (insn->vexSize == 3)
1418 insn->vvvv = vvvvFromVEX3of3(insn->vexPrefix[2]);
1419 else if (insn->vexSize == 2)
1420 insn->vvvv = vvvvFromVEX2of2(insn->vexPrefix[1]);
1428 * readOperands - Consults the specifier for an instruction and consumes all
1429 * operands for that instruction, interpreting them as it goes.
1431 * @param insn - The instruction whose operands are to be read and interpreted.
1432 * @return - 0 if all operands could be read; nonzero otherwise.
1434 static int readOperands(struct InternalInstruction* insn) {
1437 dbgprintf(insn, "readOperands()");
1439 for (index = 0; index < X86_MAX_OPERANDS; ++index) {
1440 switch (insn->spec->operands[index].encoding) {
1445 if (readModRM(insn))
1447 if (fixupReg(insn, &insn->spec->operands[index]))
1456 dbgprintf(insn, "We currently don't hande code-offset encodings");
1459 if (readImmediate(insn, 1))
1461 if (insn->spec->operands[index].type == TYPE_IMM3 &&
1462 insn->immediates[insn->numImmediatesConsumed - 1] > 7)
1466 if (readImmediate(insn, 2))
1470 if (readImmediate(insn, 4))
1474 if (readImmediate(insn, 8))
1478 if (readImmediate(insn, insn->immediateSize))
1482 if (readImmediate(insn, insn->addressSize))
1486 if (readOpcodeRegister(insn, 1))
1490 if (readOpcodeRegister(insn, 2))
1494 if (readOpcodeRegister(insn, 4))
1498 if (readOpcodeRegister(insn, 8))
1502 if (readOpcodeRegister(insn, 0))
1506 if (readOpcodeModifier(insn))
1512 if (fixupReg(insn, &insn->spec->operands[index]))
1518 dbgprintf(insn, "Encountered an operand with an unknown encoding.");
1527 * decodeInstruction - Reads and interprets a full instruction provided by the
1530 * @param insn - A pointer to the instruction to be populated. Must be
1532 * @param reader - The function to be used to read the instruction's bytes.
1533 * @param readerArg - A generic argument to be passed to the reader to store
1534 * any internal state.
1535 * @param logger - If non-NULL, the function to be used to write log messages
1537 * @param loggerArg - A generic argument to be passed to the logger to store
1538 * any internal state.
1539 * @param startLoc - The address (in the reader's address space) of the first
1540 * byte in the instruction.
1541 * @param mode - The mode (real mode, IA-32e, or IA-32e in 64-bit mode) to
1542 * decode the instruction in.
1543 * @return - 0 if the instruction's memory could be read; nonzero if
1546 int decodeInstruction(struct InternalInstruction* insn,
1547 byteReader_t reader,
1552 DisassemblerMode mode) {
1553 memset(insn, 0, sizeof(struct InternalInstruction));
1555 insn->reader = reader;
1556 insn->readerArg = readerArg;
1557 insn->dlog = logger;
1558 insn->dlogArg = loggerArg;
1559 insn->startLocation = startLoc;
1560 insn->readerCursor = startLoc;
1562 insn->numImmediatesConsumed = 0;
1564 if (readPrefixes(insn) ||
1567 insn->instructionID == 0 ||
1571 insn->length = insn->readerCursor - insn->startLocation;
1573 dbgprintf(insn, "Read from 0x%llx to 0x%llx: length %zu",
1574 startLoc, insn->readerCursor, insn->length);
1576 if (insn->length > 15)
1577 dbgprintf(insn, "Instruction exceeds 15-byte limit");