X86-64 Instruction Encoding: Difference between revisions

← Older edit

X86-64 Instruction Encoding (view source)

Revision as of 16:19, 25 June 2024

14,737 bytes added , 12 days ago

m

1 revision imported: import new edits from osdev.org wiki

[unchecked revision]

VisualWikitext

Lukflug

Bureaucrats, Interface administrators, Reviewer, Administrators

618

edits

Revision as of 19:15, 27 July 2009 (view source) osdev>Tantrikwizard m (Reverted edits by Combuster (Talk); changed back to last version by Virtlink) ← Older edit		Latest revision as of 16:19, 25 June 2024 (view source) Lukflug (talk \| contribs) m (1 revision imported: import new edits from osdev.org wiki)
(68 intermediate revisions by 7 users not shown)
Line 1: This article describes how ~~X86~~x86 and ~~X86~~x86-64 instructions are encoded. == General Overview == An x86-64 instruction may be at most 15 bytes in length. It consists of the following components in the given order, where the prefixes are at the least-significant (lowest) address in memory: * [[#Legacy Prefixes\|Legacy prefixes]] (1-4 bytes, optional) ~~An X86 instruction may be at most 15 bytes in length. It consists of the following components in the given order, where the prefixes are at the least-significant (lowest) address in memory:~~ * [[#~~Legacy Prefixes~~Opcode\|~~Legacy~~Opcode with prefixes]] (~~optional~~1-4 bytes, required): Lock prefix (1 byte) Repeat prefix (1 byte) Segment override prefix (1 byte) Operand-size override prefix (1 byte) ** Address-size override prefix (1 byte) * [[#REX prefix\|REX prefix]] (1 byte, 64-bit only) * [[#Opcode\|Opcode]] (1, 2 or 3 bytes, required) * [[#ModR.2FM\|ModR/M]] (1 byte, if required) * [[#SIB\|SIB]] (1 byte, if required) * [[#Displacement\|Displacement]] (1, 2, 4 or 48 bytes, if required) * [[#Immediate\|Immediate]] (1, 2, 4 or 48 bytes, if required) == Registers == The registers are encoded using the 4-bit values in the X.Reg column of the following table. ''X.Reg'' is in binary. <div style="font-size: smaller"> {\| {{wikitable\|background: white;}} !style="background-color: #f9f9f9"\| X.Reg !style="background-color: #f9f9f9"\| 8-bit GP !style="background-color: #f9f9f9"\| 16-bit GP !style="background-color: #f9f9f9"\| 32-bit GP !style="background-color: #f9f9f9"\| 64-bit GP !style="background-color: #f9f9f9"\| 80-bit x87 !style="background-color: #f9f9f9"\| 64-bit MMX !style="background-color: #f9f9f9"\| 128-bit XMM !style="background-color: #f9f9f9"\| 256-bit YMM !style="background-color: #f9f9f9"\| 16-bit Segment !style="background-color: #f9f9f9"\| 32-bit Control !style="background-color: #f9f9f9"\| 32-bit Debug \|- !style="background-color: #f9f9f9"\| 0.000 (0) \|AL\|\|AX\|\|EAX\|\|RAX\|\|ST0\|\|MMX0\|\|XMM0\|\|YMM0\|\|ES\|\|CR0\|\|DR0 \|- !style="background-color: #f9f9f9"\| 0.001 (1) \|CL\|\|CX\|\|ECX\|\|RCX\|\|ST1\|\|MMX1\|\|XMM1\|\|YMM1\|\|CS\|\|CR1\|\|DR1 \|- !style="background-color: #f9f9f9"\| 0.010 (2) \|DL\|\|DX\|\|EDX\|\|RDX\|\|ST2\|\|MMX2\|\|XMM2\|\|YMM2\|\|SS\|\|CR2\|\|DR2 \|- !style="background-color: #f9f9f9"\| 0.011 (3) \|BL\|\|BX\|\|EBX\|\|RBX\|\|ST3\|\|MMX3\|\|XMM3\|\|YMM3\|\|DS\|\|CR3\|\|DR3 \|- !style="background-color: #f9f9f9"\| 0.100 (4) \|AH, SPL<span style="vertical-align: super">[[#Table1Note1\|1]]</span>\|\|SP\|\|ESP\|\|RSP\|\|ST4\|\|MMX4\|\|XMM4\|\|YMM4\|\|FS\|\|CR4\|\|DR4 \|- !style="background-color: #f9f9f9"\| 0.101 (5) \|CH, BPL<span style="vertical-align: super">[[#Table1Note1\|1]]</span>\|\|BP\|\|EBP\|\|RBP\|\|ST5\|\|MMX5\|\|XMM5\|\|YMM5\|\|GS\|\|CR5\|\|DR5 \|- !style="background-color: #f9f9f9"\| 0.110 (6) \|DH, SIL<span style="vertical-align: super">[[#Table1Note1\|1]]</span>\|\|SI\|\|ESI\|\|RSI\|\|ST6\|\|MMX6\|\|XMM6\|\|YMM6\|\|-\|\|CR6\|\|DR6 \|- !style="background-color: #f9f9f9"\| 0.111 (7) \|BH, DIL<span style="vertical-align: super">[[#Table1Note1\|1]]</span>\|\|DI\|\|EDI\|\|RDI\|\|ST7\|\|MMX7\|\|XMM7\|\|YMM7\|\|-\|\|CR7\|\|DR7 \|- !style="background-color: #f9f9f9"\| 1.000 (8) \|R8L\|\|R8W\|\|R8D\|\|R8\|\|-\|\|MMX0\|\|XMM8\|\|YMM8\|\|ES\|\|CR8\|\|DR8 \|- !style="background-color: #f9f9f9"\| 1.001 (9) \|R9L\|\|R9W\|\|R9D\|\|R9\|\|-\|\|MMX1\|\|XMM9\|\|YMM9\|\|CS\|\|CR9\|\|DR9 \|- !style="background-color: #f9f9f9"\| 1.010 (10) \|R10L\|\|R10W\|\|R10D\|\|R10\|\|-\|\|MMX2\|\|XMM10\|\|YMM10\|\|SS\|\|CR10\|\|DR10 \|- !style="background-color: #f9f9f9"\| 1.011 (11) \|R11L\|\|R11W\|\|R11D\|\|R11\|\|-\|\|MMX3\|\|XMM11\|\|YMM11\|\|DS\|\|CR11\|\|DR11 \|- !style="background-color: #f9f9f9"\| 1.100 (12) \|R12L\|\|R12W\|\|R12D\|\|R12\|\|-\|\|MMX4\|\|XMM12\|\|YMM12\|\|FS\|\|CR12\|\|DR12 \|- !style="background-color: #f9f9f9"\| 1.101 (13) \|R13L\|\|R13W\|\|R13D\|\|R13\|\|-\|\|MMX5\|\|XMM13\|\|YMM13\|\|GS\|\|CR13\|\|DR13 \|- !style="background-color: #f9f9f9"\| 1.110 (14) \|R14L\|\|R14W\|\|R14D\|\|R14\|\|-\|\|MMX6\|\|XMM14\|\|YMM14\|\|-\|\|CR14\|\|DR14 \|- !style="background-color: #f9f9f9"\| 1.111 (15) \|R15L\|\|R15W\|\|R15D\|\|R15\|\|-\|\|MMX7\|\|XMM15\|\|YMM15\|\|-\|\|CR15\|\|DR15 \|} </div> <small id="Table1Note1">1: When any REX prefix is used, SPL, BPL, SIL and DIL are used. Otherwise, without any REX prefix AH, CH, DH and BH are used.</small> == Legacy Prefixes == Each instruction can have up to four prefixes. Sometimes a prefix is required for the instruction while it loses ~~it's~~its original meaning (i.e. a 'mandatory prefix'). The following prefixes can be used, the order does not matter: * Prefix group 1 ** 0xF0: LOCK prefix Line 36 ⟶ 97: * Prefix group 4 ** 0x67: Address-size override prefix When there are two or more prefixes from a single group, the behavior is undefined. Some processors ignore the subsequent prefixes from the same group, or use only the last prefix specified for any group. === LOCK prefix === With the LOCK prefix, certain read-modify-write instructions are executed atomically. The LOCK prefix can only be used with the following instructions or an [[Exceptions#Invalid Opcode\|Invalid Opcode Exception]] occurs: ADC, ADD, AND, BTC, BTR, BTS, CMPXCHG, CMPXCHG8B, CMPXCHG16B, DEC, INC, NEG, NOT, OR, SBB, SUB, XADD, XCHG and XOR. === REPNE/REPNZ, REP and REPE/REPZ prefixes === The repeat prefixes cause string handling instructions to be repeated. The '''REP''' prefix will repeat the associated instruction up to [[CX]] times, decreasing [[CX]] with every repetition. It can be used with the INS, LODS, MOVS, OUTS and STOS instructions. '''REPE''' and '''REPZ''' are synonyms and repeat the instruction until [[CX]] reaches 0 or when [[ZF]] is set to 0. It can be used with the CMPS, CMPSB, CMPSD, CMPSW, SCAS, SCASB, SCASD and SCASW instructions. '''REPNE''' and '''REPNZ''' also are synonyms and repeat the instruction until [[CX]] reaches 0 or when [[ZF]] is set to 1. It can be used with the CMPS, CMPSB, CMPSD, CMPSW, SCAS, SCASB, SCASD and SCASW instructions === CS, SS, DS, ES, FS and GS segment override prefixes === Line 55 ⟶ 118: === Branch taken/not taken prefixes === Branch hints may be used to lessen the impact of branch misprediction somewhat. The 'branch taken' hint is a strong hint, while the 'branch not taken' hint is a weak hint. The branch hints are only supported by Intel since the Pentium 4. Whether using them on AMD architectures has any (positive or negative) effect at all is not known. ~~{Stub}~~ ~~Branch prediction prefixes.~~ === Operand-size and address-size override prefix === The default operand-size and address-size can be overridden using these prefix. See the following table: {\| {{wikitable\|background-color: white}} !style="background-color: #f9f9f9"\|   !style="background-color: #f9f9f9"\| CS.d !style="background-color: #f9f9f9"\| REX.W !style="background-color: #f9f9f9"\| Prefix (0x66 if operand, 0x67 if address) !style="background-color: #f9f9f9"\| Operand size !style="background-color: #f9f9f9"\| Address size \|- !style="background-color: #f9f9f9" rowspan="2"\| Real mode /<br />Virtual 8086 mode \| N/A\|\|N/A\|\|{{No}}\|\|16-bit\|\|16-bit \|- \| N/A\|\|N/A\|\|{{Yes}}\|\|32-bit\|\|32-bit \|- ! style="background-color: #f9f9f9" rowspan="4" \| Protected mode /<br />Long compatibility mode \| {{No\|0}}\|\|N/A\|\|{{No}}\|\|16-bit\|\|16-bit \|- \| {{No\|0}}\|\|N/A\|\|{{Yes}}\|\|32-bit\|\|32-bit \|- \| {{Yes\|1}}\|\|N/A\|\|{{No}}\|\|32-bit\|\|32-bit \|- \| {{Yes\|1}}\|\|N/A\|\|{{Yes}}\|\|16-bit\|\|16-bit \|- ! style="background-color: #f9f9f9" rowspan="4" \| Long 64-bit mode \| Ignored\|\|{{No\|0}}\|\|{{No}}\|\|32-bit\|\|64-bit \|- \| Ignored\|\|{{No\|0}}\|\|{{Yes}}\|\|16-bit\|\|32-bit \|- \| Ignored\|\|{{Yes\|1}}\|\|{{No}}\|\|64-bit<span style="vertical-align: super">[[#Table2Note1\|1]]</span>\|\|64-bit \|- \| Ignored\|\|{{Yes\|1}}\|\|{{Yes}}\|\|64-bit\|\|32-bit \|} <small id="Table2Note1">1: Certain instructions default to (or are fixed at) 64-bit operands and do not need the REX prefix for this, see [[#Usage\|this table]].</small> ==== NASM ==== NASM determines the operand size by looking at the ''MODRM.reg'' or (for a register) ''MODRM.rm'' fields. When they are both 32-bit, the operand size becomes 32-bit. Same for 16-bit and 64-bit. When they differ, an error occurs at compile time. The address size is determined by looking at (for a memory operand) the ''MODRM.rm'' field, or the ''SIB.base'', ''SIB.index'' and displacement, in that order. So when ''SIB.base'' uses a 16-bit register (such as AX), the address size becomes 16-bit. Using a 32-bit displacement will result in the displacement being truncated. == Opcode == The x86-64 instruction set defines many opcodes and many ways to encode them, depending on several factors. === Legacy opcodes === Legacy (and x87) opcodes consist of, in this order: * mandatory prefix; * REX prefix; * opcode. ==== Mandatory prefix ==== Certain instructions (most notably the SIMD instructions) require a mandatory prefix (0x66, 0xF2 or 0xF3), which looks like a normal modifier prefix. When a mandatory prefix is required, it is put with the modifier prefixes before the REX prefix (if any). ==== REX prefix ==== The REX prefix is only available in [[Long Mode\|long mode]]. ===== Usage ===== A REX prefix must be encoded when: * using 64-bit operand size and the instruction does not default to 64-bit operand size; or * using one of the extended registers (R8 to R15, XMM8 to XMM15, YMM8 to YMM15, CR8 to CR15 and DR8 to DR15); or * using one of the uniform byte registers SPL, BPL, SIL or DIL. A REX prefix must not be encoded when: * using one of the high byte registers AH, CH, BH or DH. In all other cases, the REX prefix is ignored. The use of multiple REX prefixes is undefined, although processors seem to use only the last REX prefix. Instructions that default to 64-bit operand size in long mode are: {\| {{wikitable}} ~~! Operating mode~~ ~~! CS.d~~ ~~! 0x66 prefix (operand)~~ ~~! 0x67 prefix (address)~~ ~~! REX.w~~ ~~! Operand-size~~ ~~! Address-size~~ \|- \| CALL (near)\|\|ENTER\|\|Jcc ~~\| Real mode\|\|N/A\|\|N/A\|\|N/A\|\|N/A\|\|16-bit\|\|16-bit~~ \|- \| JrCXZ\|\|JMP (near)\|\|LEAVE ~~\| Virtual 8086 mode\|\|N/A\|\|N/A\|\|N/A\|\|N/A\|\|16-bit\|\|16-bit~~ \|- \| LGDT\|\|LIDT\|\|LLDT ~~\| rowspan="8" \| Protected mode\|\|0\|\|no\|\|no\|\|N/A\|\|16-bit\|\|16-bit~~ \|- \| LOOP\|\|LOOPcc\|\|LTR ~~\| 0\|\|no\|\|yes\|\|N/A\|\|16-bit\|\|32-bit~~ \|- \| MOV CR(n)\|\|MOV DR(n)\|\|POP reg/mem ~~\| 0\|\|yes\|\|no\|\|N/A\|\|32-bit\|\|16-bit~~ \|- \| POP reg\|\|POP FS\|\|POP GS ~~\| 0\|\|yes\|\|yes\|\|N/A\|\|32-bit\|\|32-bit~~ \|- \| POPFQ\|\|PUSH imm8\|\|PUSH imm32 ~~\| 1\|\|no\|\|no\|\|N/A\|\|32-bit\|\|32-bit~~ \|- \| PUSH reg/mem\|\|PUSH reg\|\|PUSH FS ~~\| 1\|\|no\|\|yes\|\|N/A\|\|32-bit\|\|16-bit~~ \|- \| PUSH GS\|\|PUSHFQ\|\|RET (near) ~~\| 1\|\|yes\|\|no\|\|N/A\|\|16-bit\|\|32-bit~~ \|} ===== Encoding ===== The layout is as follows: <pre> 7 0 +---+---+---+---+---+---+---+---+ \| 0 1 0 0 \| W \| R \| X \| B \| +---+---+---+---+---+---+---+---+ </pre> {\| {{wikitable\|background-color:white;}} ! style="background-color:#f9f9f9;" \| Field ! style="background-color:#f9f9f9;" \| Length ! style="background-color:#f9f9f9;" \| Description \|- !style="background-color:#f9f9f9;"\| 0100 ~~\| 1\|\|yes\|\|yes\|\|N/A\|\|16-bit\|\|16-bit~~ \|4 bits\|\|Fixed bit pattern \|- !style="background-color:#f9f9f9;"\| W ~~\| rowspan="8" \| Long compatibility mode\|\|0\|\|no\|\|no\|\|N/A\|\|16-bit\|\|16-bit~~ \|1 bit\|\|When 1, a 64-bit operand size is used. Otherwise, when 0, the default operand size is used (which is 32-bit for most but not all instructions, see [[#Operand-size and address-size override prefix\|this table]]). \|- !style="background-color:#f9f9f9;"\| R ~~\| 0\|\|no\|\|yes\|\|N/A\|\|16-bit\|\|32-bit~~ \|1 bit\|\|This 1-bit value is an extension to the ''MODRM.reg'' field. See [[#Registers\|Registers]]. \|- !style="background-color:#f9f9f9;"\| X ~~\| 0\|\|yes\|\|no\|\|N/A\|\|32-bit\|\|16-bit~~ \|1 bit\|\|This 1-bit value is an extension to the ''SIB.index'' field. See [[#64-bit addressing\|64-bit addressing]]. \|- !style="background-color:#f9f9f9;"\| B ~~\| 0\|\|yes\|\|yes\|\|N/A\|\|32-bit\|\|32-bit~~ \|1 bit\|\|This 1-bit value is an extension to the ''MODRM.rm'' field or the ''SIB.base'' field. See [[#64-bit addressing\|64-bit addressing]]. \|} Because the first four bits always equal 4, the existence of the REX prefix wipes out opcodes 0x40-0x4F, which were previously individual increment and decrement instructions for all eight registers. The Intel 64 and IA-32 Architectures Software Developer’s Manual volume 2 states "The single-byte-opcode forms of the INC/DEC instructions are not available in 64-bit mode. INC/DEC functionality is still available using ModR/M forms of the same instructions (opcodes FF/0 and FF/1)." ==== Opcode ==== The opcode can be 1, 2 or 3 bytes in length. Depending on the opcode escape sequence, a different opcode map is selected. Possible opcode sequences are: * <op> * 0x0F <op> * 0x0F 0x38 <op> * 0x0F 0x3A <op> Note that opcodes can specify that the REG field in the ModR/M byte is fixed at a particular value. === VEX/XOP opcodes === A VEX/XOP prefix must be encoded when: * the instruction has only its VEX/XOP opcode and no legacy opcode; or * 256-bit YMM registers are used; or * more than three operands are used (e.g. ''nondestructive-source operations''); or * when using 128-bit XMM destination registers, bits 128-255 of the corresponding YMM register must be cleared. A VEX/XOP prefix must not be encoded when: * when using 128-bit XMM destination registers, bits 128-255 of the corresponding YMM register must not be changed. There are many VEX and XOP instructions, all of which can be encoded using the three byte VEX/XOP escape prefix. The VEX and XOP escape prefixes use fields with the following semantics: {\| {{wikitable\|background-color:white;}} !style="background-color:#f9f9f9;"\| Field !style="background-color:#f9f9f9;"\| Length !style="background-color:#f9f9f9;"\| Description \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| VEX/XOP prefix ~~\| 1\|\|no\|\|no\|\|N/A\|\|32-bit\|\|32-bit~~ \|style="vertical-align: top;"\|8 bits\|\|Prefix. {\| {{wikitable}} ! Prefix ! Opcode map and encoding \|- \| 0xC4\|\|Three-byte VEX ~~\| 1\|\|no\|\|yes\|\|N/A\|\|32-bit\|\|16-bit~~ \|- \| 0xC5\|\|Two-byte VEX ~~\| 1\|\|yes\|\|no\|\|N/A\|\|16-bit\|\|32-bit~~ \|- \| 0x8F\|\|Three-byte XOP ~~\| 1\|\|yes\|\|yes\|\|N/A\|\|16-bit\|\|16-bit~~ \|} \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| ~R ~~\| rowspan="6" \| Long 64-bit mode\|\|ignored\|\|no\|\|no\|\|0\|\|32-bit\|\|64-bit~~ \|style="vertical-align: top;"\|1 bit\|\|This 1-bit value is an 'inverted' extension to the ''MODRM.reg'' field. The inverse of REX.R. See [[#Registers\|Registers]]. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| ~X ~~\| ignored\|\|no\|\|yes\|\|0\|\|32-bit<span style="vertical-align: super">[[#Table1Note1\|1]]</span>\|\|32-bit~~ \|style="vertical-align: top;"\|1 bit\|\|This 1-bit value is an 'inverted' extension to the ''SIB.index'' field. The inverse of REX.X. See [[#64-bit addressing\|64-bit addressing]]. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| ~B ~~\| ignored\|\|yes\|\|no\|\|0\|\|16-bit\|\|64-bit~~ \|style="vertical-align: top;"\|1 bit\|\|This 1-bit value is an 'inverted' extension to the ''MODRM.rm'' field or the ''SIB.base'' field. The inverse of REX.B. See [[#64-bit addressing\|64-bit addressing]]. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| map_select ~~\| ignored\|\|yes\|\|yes\|\|0\|\|16-bit\|\|32-bit~~ \|style="vertical-align: top;"\|5 bits\|\|Specifies the opcode map to use. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| W/E ~~\| ignored\|\|ignored\|\|no\|\|1\|\|64-bit<span style="vertical-align: super">[[#Table1Note1\|1]]</span>\|\|64-bit~~ \|style="vertical-align: top;"\|1 bit\|\|For integer instructions: when 1, a 64-bit operand size is used; otherwise, when 0, the default operand size is used (equivalent with REX.W). For non-integer instructions, this bit is a general opcode extension bit. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| ~vvvv ~~\| ignored\|\|ignored\|\|yes\|\|1\|\|64-bit\|\|32-bit~~ \|style="vertical-align: top;"\|4 bits\|\|An additional operand for the instruction. The value of the XMM or YMM register (see [[#Registers\|Registers]]) is 'inverted'. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| L \|style="vertical-align: top;"\|1 bit\|\|When 0, a 128-bit vector lengh is used. Otherwise, when 1, a 256-bit vector length is used. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| pp \|style="vertical-align: top;"\|2 bits\|\|Specifies an implied mandatory prefix for the opcode. {\| {{wikitable}} ! Value (binary) ! Implied mandatory prefix \|- \| 00\|\|none \|- \| 01\|\|0x66 \|- \| 10\|\|0xF3 \|- \| 11\|\|0xF2 \|} \|} <small id="Table1Note1">1: The following instructions default to (or are fixed at) 64-bit operands and do not need the REX prefix for this: CALL (near), ENTER, Jcc, JrCXZ, JMP (near), LEAVE, LGDT, LIDT, LLDT, LOOP, LOOPcc, LTR, MOV CR(n), MOV DR(n), POP reg/mem, POP reg, POP FS, POP GS, POPFQ, PUSH imm8, PUSH imm32, PUSH reg/mem, PUSH reg, PUSH FS, PUSH GS, PUSHFQ and RET (near).</small> ==== Three byte VEX escape prefix ==== NASM determines the operand size by looking at the ''MODRM.reg'' or (for a register) ''MODRM.rm'' fields. When they are both 32-bit, the operand size becomes 32-bit. Same for 16-bit and 64-bit. When they differ, an error occurs at compile time. The layout is as follows, starting with a byte with value 0xC4: The address size is determined by looking at (for a memory operand) the ''MODRM.rm'' field, or the ''SIB.base'', ''SIB.index'' and displacement, in that order. So when ''SIB.base'' uses a 16-bit register (such as [[AX]]), the address size becomes 16-bit. Using a 32-bit displacement will result in the displacement being truncated. <pre> 7 0 7 0 7 0 +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ \| 1 1 0 0 0 1 0 0 \| \|~R \|~X \|~B \| map_select \| \|W/E\| ~vvvv \| L \| pp \| +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ </pre> A VEX instruction whose values for certain fields are VEX.~X == 1, VEX.~B == 1, VEX.W/E == 0 and map_select == b00001 may be encoded using the [[#Two_byte_VEX_escape_prefix\|two byte VEX escape prefix]]. ==== ~~REX~~Three byte XOP escape prefix ==== The layout is the same as the [[#Three_byte_VEX_escape_prefix\|three-byte VEX escape prefix]], but with initial byte value 0x8F: ~~The REX prefix enabled 64-bit specific features. The layout is as follows:~~ <pre> 7 0 7 0 7 0 +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ \| 01 10 0 0 1 1 1 1 \| w \|~R r\|~X \|~B \| map_select x \| b \|W/E\| ~vvvv \| L \| pp \| +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ </pre> * b0100 (4 bits) * REX.w (1 bit) * REX.r (1 bit) * REX.x (1 bit) * REX.b (1 bit) The AMD64 Architecture Programmer’s Manual Volume 6 states that the map_select field must be equal to or greater than 8, to differentiate the XOP prefix from the POP instruction that formerly used opcode 0x8F. ~~=== REX.w ===~~ When this 1-bit value is 0, the default operand size is used (which is 32-bit for most but not all instructions, see [[#Operand-size and address-size override prefix\|this table]]). When 1, a 64-bit operand size is used. ==== ~~REX.r~~Two byte VEX escape prefix ==== A VEX instruction whose values for certain fields are VEX.~X == 1, VEX.~B == 1, VEX.W/E == 0 and map_select == b00001 may be encoded using the two byte VEX escape prefix. The layout is as follows: ~~This 1-bit value is an extension to the ''MODRM.reg'' field. See [[#64-bit addressing\|64-bit addressing]].~~ <pre> 7 0 7 0 +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ \| 1 1 0 0 0 1 0 1 \| \|~R \| ~vvvv \| L \| pp \| +---+---+---+---+---+---+---+---+ +---+---+---+---+---+---+---+---+ </pre> === ~~REX.x~~3DNow! opcodes === 3DNow! opcodes consist of, in this order: ~~This 1-bit value is an extension to the ''SIB.index'' field. See [[#64-bit addressing\|64-bit addressing]].~~ * fixed opcode; * (ModR/M, SIB, displacement); * immediate opcode byte. ==== ~~REX.b~~Fixed opcode ==== All 3DNow! opcodes have a fixed two-byte sequence equal to 0x0F 0x0F in the opcode position of the instruction. ~~This 1-bit value is an extension to the ''MODRM.rm'' field or the ''SIB.base'' field. See [[#64-bit addressing\|64-bit addressing]].~~ ==== Immediate opcode byte ==== ~~== Opcode ==~~ 3DNow! instructions encode the actual opcode as an 8-bit immediate value trailing the instruction (thus after the ModR/M, SIB and displacement). ~~There are 1, 2 and 3-byte opcodes. Some opcodes start with the same bytes as some prefixes, without taking the meaning of the prefix.~~ == ModR/M and SIB bytes == The ModR/M and SIB bytes isare used to encode ~~the~~up ~~source~~to ~~and~~two ~~destination~~operands ~~register~~of oran ~~memory~~instruction, ~~offset~~each of anwhich ~~instruction~~is a direct register or effective memory address. === ModR/M === The ModR/M byte encodes a register or an opcode extension, and a register or a memory address~~. It is only required when ''/r'' or ''/0'' through ''/7'' is specified at the opcode syntax~~. It has the following fields: <pre> 7 0 Line 163 ⟶ 370: +---+---+---+---+---+---+---+---+ </pre> {\| {{wikitable\|background-color: white}} * MODRM.mod (2 bits) !style="background-color:#f9f9f9;"\| Field * MODRM.reg (3 bits) !style="background-color:#f9f9f9;"\| Length * MODRM.rm (3 bits) !style="background-color:#f9f9f9;"\| Description ~~The ''MODRM.mod'' and ''MODRM.rm'' fields are explained in the table. The ''MODRM.reg'' field can have one of two values:~~ * A 3-bit opcode extension, which is used by some instructions but has no futher meaning other than distincting the instruction from other instructions. When ''/0'' through ''/7'' is specified at the opcode syntax, use that value as the value for the ''MODRM.reg'' field. * A 3-bit register reference, which can be used as the source or the destination of an instruction (depending on the instruction). This is the case when ''/r'' is specified at the opcode syntax. Which register is meant depends on the [[#Operand-size and address-size override prefix\|operand-size]] of the instruction and the instruction itself. See the ''Value'' column of the following table for the possible values of the ''MODRM.reg'' field: ~~==== Registers ====~~ ~~{\| {{wikitable}}~~ ~~! REX.b,r,x!! Value!! 8-bit GP!! 16-bit GP!! 32-bit GP!! 64-bit GP!! 64-bit MMX!! 128-bit XMM!! 16-bit Seg. reg!! 32-bit Contr. reg!! 32-bit Debug. reg~~ \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| MODRM.mod ~~\| 0\|\|0\|\|AL\|\|AX\|\|EAX\|\|RAX\|\|MM0\|\|XMM0\|\|ES\|\|CR0\|\|DR0~~ \|style="vertical-align: top;"\|2 bits\|\|In general, when this field is b11, then register-direct addressing mode is used; otherwise register-indirect addressing mode is used. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| MODRM.reg ~~\| 0\|\|1\|\|CL\|\|CX\|\|ECX\|\|RCX\|\|MM1\|\|XMM1\|\|CS\|\|CR1\|\|DR1~~ \|style="vertical-align: top;"\|3 bits\|\|This field can have one of two values: * A 3-bit opcode extension, which is used by some instructions but has no further meaning other than distinguishing the instruction from other instructions. * A 3-bit register reference, which can be used as the source or the destination of an instruction (depending on the instruction). The referenced register depends on the [[#Operand-size and address-size override prefix\|operand-size]] of the instruction and the instruction itself. See [[#Registers\|Registers]] for the values to use for each of the registers. The REX.R, VEX.~R or XOP.~R field can extend this field with 1 most-significant bit to 4 bits total. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\| MODRM.rm ~~\| 0\|\|2\|\|DL\|\|DX\|\|EDX\|\|RDX\|\|MM2\|\|XMM2\|\|SS\|\|CR2\|\|DR2~~ \|style="vertical-align: top;"\|3 bits\|\|Specifies a direct or indirect register operand, optionally with a displacement. The REX.B, VEX.~B or XOP.~B field can extend this field with 1 most-significant bit to 4 bits total. \|} ==== 16-bit addressing ==== These are the meanings of the ''Mod'' (vertically) and ''REX/VEX/XOP.B'' and ''R/M'' bits (horizontally) for [[#Operand-size and address-size override prefix\|16-bit addressing]]. ''B.R/M'' and ''Mod'' are in binary. The SIB-byte is not used in 16-bit addressing. In ''Long processing mode'' there is no way to specify 16-bit addresses. <div style="font-size: 70%; text-align: center"> {\| {{wikitable}} ! 16-bit!! colspan="16" style="text-align: left;" \| B.R/M \|- ! Mod ~~\| 0\|\|3\|\|BL\|\|BX\|\|EBX\|\|RBX\|\|MM3\|\|XMM3\|\|DS\|\|CR3\|\|DR3~~ ! x.000<br />AX, R8W ! x.001<br />CX, R9W ! x.010<br />DX, R10W ! x.011<br />BX, R11W ! x.100<br />SP, R12W ! x.101<br />BP, R13W ! x.110<br />SI, R14W ! x.111<br />DI, R15W \|- ! 00 ~~\| 0\|\|4\|\|AH, SPL<span style="vertical-align: super">[[#Table2Note1\|1]]</span>\|\|SP\|\|ESP\|\|RSP\|\|MM4\|\|XMM4\|\|FS\|\|CR4\|\|DR4~~ \| style="background-color: white" \|[BX + SI] \| style="background-color: white" \|[BX + DI] \| style="background-color: white" \|[BP + SI] \| style="background-color: white" \|[BP + DI] \| style="background-color: white" \|[SI] \| style="background-color: white" \|[DI] \| style="background-color: white" \|[disp16] \| style="background-color: white" \|[BX] \|- ! 01 ~~\| 0\|\|5\|\|CH, BPL<span style="vertical-align: super">[[#Table2Note1\|1]]</span>\|\|BP\|\|EBP\|\|RBP\|\|MM5\|\|XMM5\|\|GS\|\|CR5\|\|DR5~~ \| style="background-color: white" \|[BX + SI + disp8] \| style="background-color: white" \|[BX + DI + disp8] \| style="background-color: white" \|[BP + SI + disp8] \| style="background-color: white" \|[BP + DI + disp8] \| style="background-color: white" \|[SI + disp8] \| style="background-color: white" \|[DI + disp8] \| style="background-color: white" \|[BP + disp8] \| style="background-color: white" \|[BX + disp8] \|- ! 10 ~~\| 0\|\|6\|\|DH, SIL<span style="vertical-align: super">[[#Table2Note1\|1]]</span>\|\|SI\|\|ESI\|\|RSI\|\|MM6\|\|XMM6\|\|invalid\|\|CR6\|\|DR6~~ \| style="background-color: white" \|[BX + SI + disp16] \| style="background-color: white" \|[BX + DI + disp16] \| style="background-color: white" \|[BP + SI + disp16] \| style="background-color: white" \|[BP + DI + disp16] \| style="background-color: white" \|[SI + disp16] \| style="background-color: white" \|[DI + disp16] \| style="background-color: white" \|[BP + disp16] \| style="background-color: white" \|[BX + disp16] \|- ! 11 ~~\| 0\|\|7\|\|BH, DIL<span style="vertical-align: super">[[#Table2Note1\|1]]</span>\|\|DI\|\|EDI\|\|RDI\|\|MM7\|\|XMM7\|\|invalid\|\|CR7\|\|DR7~~ \| style="background-color: white" colspan="8"\|r/m \|} </div> ==== 32/64-bit addressing ==== These are the meanings of the ''Mod'' (vertically) and ''REX/VEX/XOP.B'' and ''R/M'' bits (horizontally) for [[#Operand-size and address-size override prefix\|32 and 64-bit addressing]]. ''B.R/M'' and ''Mod'' are in binary. <div style="font-size: 70%; text-align: center"> {\| {{wikitable}} ! 32/64-bit!! colspan="16" style="text-align: left;" \| B.R/M \|- ! Mod ~~\| 1\|\|0\|\|R8L\|\|R8W\|\|R8D\|\|R8\|\|MM0\|\|XMM8\|\|ES\|\|CR8\|\|DR8~~ ! 0.000<br />AX ! 0.001<br />CX ! 0.010<br />DX ! 0.011<br />BX ! 0.100<br />SP ! 0.101<br />BP ! 0.110<br />SI ! 0.111<br />DI ! 1.000<br />R8 ! 1.001<br />R9 ! 1.010<br />R10 ! 1.011<br />R11 ! 1.100<br />R12 ! 1.101<br />R13 ! 1.110<br />R14 ! 1.111<br />R15 \|- ! 00 ~~\| 1\|\|1\|\|R9L\|\|R9W\|\|R9D\|\|R9\|\|MM1\|\|XMM9\|\|CS\|\|CR9\|\|DR9~~ \| style="background-color: white" colspan="4"\|[r/m] \| style="background-color: white" \|[[[#SIB\|SIB]]] \| style="background-color: white" \|[[[#RIP.2FEIP-relative_addressing\|RIP/EIP]]<span style="vertical-align: super">[[#Table8Note1\|1]],[[#Table8Note2\|2]]</span> + disp32] \| style="background-color: white" colspan="6"\|[r/m] \| style="background-color: white" \|[[[#SIB\|SIB]]] \| style="background-color: white" \|[[[#RIP.2FEIP-relative_addressing\|RIP/EIP]]<span style="vertical-align: super">[[#Table8Note1\|1]],[[#Table8Note2\|2]]</span> + disp32] \| style="background-color: white" colspan="2"\|[r/m] \|- ! 01 ~~\| 1\|\|2\|\|R10L\|\|R10W\|\|R10D\|\|R10\|\|MM2\|\|XMM10\|\|SS\|\|CR10\|\|DR10~~ \| style="background-color: white" colspan="4"\|[r/m + disp8] \| style="background-color: white" \|[[[#SIB\|SIB]] + disp8] \| style="background-color: white" colspan="7"\|[r/m + disp8] \| style="background-color: white" \|[[[#SIB\|SIB]] + disp8] \| style="background-color: white" colspan="3"\|[r/m + disp8] \|- ! 10 ~~\| 1\|\|3\|\|R11L\|\|R11W\|\|R11D\|\|R11\|\|MM3\|\|XMM11\|\|DS\|\|CR11\|\|DR11~~ \| style="background-color: white" colspan="4"\|[r/m + disp32] \| style="background-color: white" \|[[[#SIB\|SIB]] + disp32] \| style="background-color: white" colspan="7"\|[r/m + disp32] \| style="background-color: white" \|[[[#SIB\|SIB]] + disp32] \| style="background-color: white" colspan="3"\|[r/m + disp32] \|- ! 11 ~~\| 1\|\|4\|\|R12L\|\|R12W\|\|R12D\|\|R12\|\|MM4\|\|XMM12\|\|FS\|\|CR12\|\|DR12~~ \| style="background-color: white" colspan="16"\|r/m \|- ~~\| 1\|\|5\|\|R13L\|\|R13W\|\|R13D\|\|R13\|\|MM5\|\|XMM13\|\|GS\|\|CR13\|\|DR13~~ \|- ~~\| 1\|\|6\|\|R14L\|\|R14W\|\|R14D\|\|R14\|\|MM6\|\|XMM14\|\|invalid\|\|CR14\|\|DR14~~ \|- ~~\| 1\|\|7\|\|R15L\|\|R15W\|\|R15D\|\|R15\|\|MM7\|\|XMM15\|\|invalid\|\|CR15\|\|DR15~~ \|} </div> ~~<small id="Table2Note1">1: When any REX prefix is used, SPL, BPL, SIL and DIL are used. Otherwise, without any REX prefix AH, CH, DH and BH are used.</small>~~ <small id="Table8Note1">1: In protected/compatibility mode, this is just ''disp32'', but in long mode this is ''[RIP]+disp32'' (for 64-bit addresses) or ''[EIP]+disp32'' (for 32-bit addresses, i.e. with address-size override prefix, [http://objectmix.com/asm-x86-asm-370/69055-effect-address-size-prefix-rip-relative-addressing.html see here]).</small><br /> <small id="Table8Note2">2: In long mode, to encode ''disp32'' as in protected/compatibility mode, use the SIB byte.</small> ===== ~~SIB~~RIP/EIP-relative addressing ===== Addressing in x86-64 can be relative to the current instruction pointer value. This is indicated with the ''RIP'' (64-bit) and ''EIP'' (32-bit) instruction pointer registers, which are not otherwise exposed to the program and may not exist physically. RIP-relative addressing allows object files to be location independent. === SIB === The SIB byte has the following fields: <pre> Line 218 ⟶ 503: +---+---+---+---+---+---+---+---+ </pre> {\| {{wikitable\|background-color: white}} * SIB.scale (2 bits) !style="background-color:#f9f9f9;"\| Field * SIB.index (3 bits) !style="background-color:#f9f9f9;"\| Length * SIB.base (3 bits) !style="background-color:#f9f9f9;"\| Description \|- ~~<div id="SIBScale">The ''SIB.scale'' field indicates the scaling factor, where ''s'' (as used in the tables) equals 2<span style="vertical-align: super;">SIB.scale</span>.</div>~~ !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\|SIB.scale \|style="vertical-align: top;"\|2 bits\|\|This field indicates the scaling factor of SIB.index, where ''s'' (as used in the tables) equals 2<span style="vertical-align: super;">SIB.scale</span>. {\| {{wikitable}} ! SIB.scale ! factor ''s'' \|- !\| b00\|\|1 \|1 \|- !\| b01\|\|2 \|2 \|- !\| b10\|\|4 \|4 \|- !\| b11\|\|8 \|8} \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\|SIB.index \|style="vertical-align: top;"\|3 bits\|\|The index register to use. See [[#Registers\|Registers]] for the values to use for each of the registers. The REX.X, VEX.~X or XOP.~X field can extend this field with 1 most-significant bit to 4 bits total. \|- !style="background-color:#f9f9f9; text-align: left; vertical-align: top;"\|SIB.base \|style="vertical-align: top;"\|3 bits\|\|The base register to use. See [[#Registers\|Registers]] for the values to use for each of the registers. The REX.B, VEX.~B or XOP.~B field can extend this field with 1 most-significant bit to 4 bits total. \|} ==== 1632/64-bit addressing ==== The meaning of the SIB byte while using 32 or 64-bit addressing is as follows. The ModR/M byte's ''Mod'' field and the SIB byte's ''index'' field are used vertically, the SIB byte's ''base'' field and REX/VEX/XOP.B bit horizontally. The ''s'' is the [[#SIB\|scaling factor]]. ''B.Base'', ''X.Index'' and ''Mod'' are in binary. These are the meanings of the ''Mod'' (vertically) and ''R/M'' (horizontally) bits for [[#Operand-size and address-size override prefix\|16-bit addressing]]: (The SIB-byte is not used in 16-bit addressing.) <div style="font-size: 70%; text-align: center"> {\| {{wikitable}} ! colspan="2" \| !! colspan="16" style="text-align: left;" \| B.Base ~~! Mod !! R/M=b000 !! b001 !! b010 !! b011 !! b100 !! b101 !! b110 !! b111~~ \|- ! ~~b00~~Mod ! style="text-align: left;" \| X.Index ~~\|[BX+SI]\|\|[BX+DI]\|\|[BP+SI]\|\|[BP+DI]\|\|[SI]\|\|[DI]\|\|disp16\|\|[BX]~~ ! 0.000<br />AX ! 0.001<br />CX ! 0.010<br />DX ! 0.011<br />BX ! 0.100<br />SP ! 0.101<span style="vertical-align: super">[[#Table10Note1\|1]]</span><br />BP ! 0.110<br />SI ! 0.111<br />DI ! 1.000<br />R8 ! 1.001<br />R9 ! 1.010<br />R10 ! 1.011<br />R11 ! 1.100<br />R12 ! 1.101<span style="vertical-align: super">[[#Table10Note1\|1]]</span><br />R13 ! 1.110<br />R14 ! 1.111<br />R15 \|- ! rowspan="16" \| 00 !! style="text-align: left;" \| 0.000 AX ~~! b01~~ \| style="background-color: white" rowspan="4" colspan="5"\|[base + (index * s)] ~~\|[BX+SI]+disp8\|\|[BX+DI]+disp8\|\|[BP+SI]+disp8\|\|[BP+DI]+disp8\|\|[SI]+disp8\|\|[DI]+disp8\|\|[BP]+disp8\|\|[BX]+disp8~~ \| style="background-color: white" rowspan="4"\|[(index * s) + disp32] \| style="background-color: white" rowspan="4" colspan="7" \|[base + (index * s)] \| style="background-color: white" rowspan="4"\|[(index * s) + disp32] \| style="background-color: white" rowspan="4" colspan="2"\|[base + (index * s)] \|- ! style="text-align: left;" \| 0.001 CX ~~! b10~~ ~~\|[BX+SI]+disp16\|\|[BX+DI]+disp16\|\|[BP+SI]+disp16\|\|[BP+DI]+disp16\|\|[SI]+disp16\|\|[DI]+disp16\|\|[BP]+disp16\|\|[BX]+disp16~~ \|- ! style="text-align: left;" \| 0.010 DX ~~! b11~~ ~~\|AL, AX\|\|CL, CX\|\|DL, DX\|\|BL, BX\|\|AH, SP\|\|CH, BP\|\|DH, SI\|\|BH, DI~~ \|} ~~=== 32-bit addressing ===~~ ~~These are the meanings of the ''Mod'' (vertically) and ''R/M'' (horizontally) bits for [[#Operand-size and address-size override prefix\|32-bit addressing]]:~~ ~~{\| {{wikitable}}~~ ~~! Mod !! R/M=b000 !! b001 !! b010 !! b011 !! b100 !! b101 !! b110 !! b111~~ \|- ! style="text-align: left;" \| 0.011 BX ~~! b00~~ ~~\|[EAX]\|\|[ECX]\|\|[EDX]\|\|[EBX]\|\|[[#32-bit SIB byte\|SIB]]\|\|disp32\|\|[ESI]\|\|[EDI]~~ \|- ! style="text-align: left;" \| 0.100<span style="vertical-align: super">[[#Table10Note2\|2]]</span> SP ~~! b01~~ \| style="background-color: white" colspan="5"\|[base] ~~\|[EAX]+disp8\|\|[ECX]+disp8\|\|[EDX]+disp8\|\|[EBX]+disp8\|\|[[#32-bit SIB byte\|SIB]]+disp8\|\|[EBP]+disp8\|\|[ESI]+disp8\|\|[EDI]+disp8~~ \| style="background-color: white"\| [disp32] \| style="background-color: white" colspan="7"\|[base] \| style="background-color: white"\| [disp32] \| style="background-color: white" colspan="2"\|[base] \|- ! style="text-align: left;" \| 0.101 BP ~~! b10~~ \| style="background-color: white" rowspan="11" colspan="5"\|[base + (index * s)] ~~\|[EAX]+disp32\|\|[ECX]+disp32\|\|[EDX]+disp32\|\|[EBX]+disp32\|\|[[#32-bit SIB byte\|SIB]]+disp32\|\|[EBP]+disp32\|\|[ESI]+disp32\|\|[EDI]+disp32~~ \| style="background-color: white" rowspan="11"\|[(index * s) + disp32] \| style="background-color: white" rowspan="11" colspan="7"\|[base + (index * s)] \| style="background-color: white" rowspan="11"\|[(index * s) + disp32] \| style="background-color: white" rowspan="11" colspan="2"\|[base + (index * s)] \|- ! style="text-align: left;" \| 0.110 SI \|- ! style="text-align: left;" \| 0.111 DI \|- ! style="text-align: left;" \| 1.000 R8 \|- ! style="text-align: left;" \| 1.001 R9 \|- ! style="text-align: left;" \| 1.010 R10 \|- ! style="text-align: left;" \| 1.011 R11 \|- ! style="text-align: left;" \| 1.100 R12 \|- ! style="text-align: left;" \| 1.101 R13 \|- ! style="text-align: left;" \| 1.110 R14 \|- ! style="text-align: left;" \| 1.111 R15 \|- \| colspan="18" style="background-color: white; border-top: solid 2px black; border-bottom: solid 2px black; border-left: none; border-right: none;" \| \|- ! colspan="2" \| !! colspan="16" style="text-align: left;" \| B.Base \|- ~~! b11~~ ~~\|EAX, MM0, XMM0\|\|ECX, MM1, XMM1\|\|EDX, MM2, XMM2\|\|EBX, MM3, XMM3\|\|ESP, MM4, XMM4\|\|EBP, MM5, XMM5\|\|ESI, MM6, XMM6\|\|EDI, MM7, XMM7~~ \|} ~~==== 32-bit SIB byte ====~~ The meaning of the SIB byte while using 32-bit addressing is as follows. The ModR/M byte's ''Mod'' field and the SIB byte's ''index'' field are used vertically, the SIB byte's ''base'' field horizontally. The ''s'' is the [[#SIBScale\|scaling factor]]. ~~<div style="font-size: 70%">~~ ~~{\| {{wikitable}}~~ ! Mod ! style="text-align: left;" \| X.Index ~~! Index~~ ! 0.000<br />AX ~~! Base=b000~~ ! 0.001<br />CX ~~! b001~~ ! 0.010<br />DX ~~! b010~~ ! 0.011<br />BX ~~! b011~~ ! 0.100<br />SP ~~! b100~~ ! 0.101<br />BP ~~! b101~~ ! 0.110<br />SI ~~! b110~~ ! 0.111<br />DI ~~! b111~~ ! 1.000<br />R8 ! 1.001<br />R9 ! 1.010<br />R10 ! 1.011<br />R11 ! 1.100<br />R12 ! 1.101<br />R13 ! 1.110<br />R14 ! 1.111<br />R15 \|- ! rowspan="816" \| ~~b00~~01 !!~~b000~~ style="text-align: left;" \| 0.000 AX \| style="background-color: white" rowspan="4" colspan="16"\|[base + (index * s) + disp8] ~~\|[EAX] + ([EAX] * s)\|\|[ECX] + ([EAX] * s)\|\|[EDX] + ([EAX] * s)\|\|[EBX] + ([EAX] * s)\|\|[ESP] + ([EAX] * s)\|\|([EAX] * s) + disp32\|\|[ESI] + ([EAX] * s)\|\|[EDI] + ([EAX] * s)~~ \|- ! style="text-align: left;" \| 0.001 CX ~~! b001~~ ~~\|[EAX] + ([ECX] * s)\|\|[ECX] + ([ECX] * s)\|\|[EDX] + ([ECX] * s)\|\|[EBX] + ([ECX] * s)\|\|[ESP] + ([ECX] * s)\|\|([ECX] * s) + disp32\|\|[ESI] + ([ECX] * s)\|\|[EDI] + ([ECX] * s)~~ \|- ! style="text-align: left;" \| 0.010 DX ~~! b010~~ ~~\|[EAX] + ([EDX] * s)\|\|[ECX] + ([EDX] * s)\|\|[EDX] + ([EDX] * s)\|\|[EBX] + ([EDX] * s)\|\|[ESP] + ([EDX] * s)\|\|([EDX] * s) + disp32\|\|[ESI] + ([EDX] * s)\|\|[EDI] + ([EDX] * s)~~ \|- ! style="text-align: left;" \| 0.011 BX ~~! b011~~ ~~\|[EAX] + ([EBX] * s)\|\|[ECX] + ([EBX] * s)\|\|[EDX] + ([EBX] * s)\|\|[EBX] + ([EBX] * s)\|\|[ESP] + ([EBX] * s)\|\|([EBX] * s) + disp32\|\|[ESI] + ([EBX] * s)\|\|[EDI] + ([EBX] * s)~~ \|- ! style="text-align: left;" \| 0.100<span style="vertical-align: super">[[#Table10Note2\|2]]</span> SP ~~! b100~~ \| style="background-color: white" colspan="16"\|[base + disp8] ~~\|[EAX]\|\|[ECX]\|\|[EDX]\|\|[EBX]\|\|[ESP]\|\|disp32\|\|[ESI]\|\|[EDI]~~ \|- ! style="text-align: left;" \| 0.101 BP ~~! b101~~ \| style="background-color: white" rowspan="11" colspan="16"\|[base + (index * s) + disp8] ~~\|[EAX] + ([EBP] * s)\|\|[ECX] + ([EBP] * s)\|\|[EDX] + ([EBP] * s)\|\|[EBX] + ([EBP] * s)\|\|[ESP] + ([EBP] * s)\|\|([EBP] * s) + disp32\|\|[ESI] + ([EBP] * s)\|\|[EDI] + ([EBP] * s)~~ \|- ! style="text-align: left;" \| 0.110 SI ~~! b110~~ ~~\|[EAX] + ([ESI] * s)\|\|[ECX] + ([ESI] * s)\|\|[EDX] + ([ESI] * s)\|\|[EBX] + ([ESI] * s)\|\|[ESP] + ([ESI] * s)\|\|([ESI] * s) + disp32\|\|[ESI] + ([ESI] * s)\|\|[EDI] + ([ESI] * s)~~ \|- ! style="text-align: left;" \| 0.111 DI ~~! b111~~ ~~\|[EAX] + ([EDI] * s)\|\|[ECX] + ([EDI] * s)\|\|[EDX] + ([EDI] * s)\|\|[EBX] + ([EDI] * s)\|\|[ESP] + ([EDI] * s)\|\|([EDI] * s) + disp32\|\|[ESI] + ([EDI] * s)\|\|[EDI] + ([EDI] * s)~~ \|- ! style="text-align: left;" \| 1.000 R8 ~~\| colspan="10" \|~~ \|- ! style="text-align: left;" \| 1.001 R9 ~~! rowspan="8" \| b01!!b000~~ \|[EAX] + ([EAX] * s) + disp8\|\|[ECX] + ([EAX] * s) + disp8\|\|[EDX] + ([EAX] * s) + disp8\|\|[EBX] + ([EAX] * s) + disp8\|\|[ESP] + ([EAX] * s) + disp8\|\|[EBP] + ([EAX] * s) + disp8\|\|[ESI] + ([EAX] * s) + disp8\|\|[EDI] + ([EAX] * s) + disp8 \|- ! style="text-align: left;" \| 1.010 R10 ~~! b001~~ \|[EAX] + ([ECX] * s) + disp8\|\|[ECX] + ([ECX] * s) + disp8\|\|[EDX] + ([ECX] * s) + disp8\|\|[EBX] + ([ECX] * s) + disp8\|\|[ESP] + ([ECX] * s) + disp8\|\|[EBP] + ([ECX] * s) + disp8\|\|[ESI] + ([ECX] * s) + disp8\|\|[EDI] + ([ECX] * s) + disp8 \|- ! style="text-align: left;" \| 1.011 R11 ~~! b010~~ \|[EAX] + ([EDX] * s) + disp8\|\|[ECX] + ([EDX] * s) + disp8\|\|[EDX] + ([EDX] * s) + disp8\|\|[EBX] + ([EDX] * s) + disp8\|\|[ESP] + ([EDX] * s) + disp8\|\|[EBP] + ([EDX] * s) + disp8\|\|[ESI] + ([EDX] * s) + disp8\|\|[EDI] + ([EDX] * s) + disp8 \|- ! style="text-align: left;" \| 1.100 R12 ~~! b011~~ \|[EAX] + ([EBX] * s) + disp8\|\|[ECX] + ([EBX] * s) + disp8\|\|[EDX] + ([EBX] * s) + disp8\|\|[EBX] + ([EBX] * s) + disp8\|\|[ESP] + ([EBX] * s) + disp8\|\|[EBP] + ([EBX] * s) + disp8\|\|[ESI] + ([EBX] * s) + disp8\|\|[EDI] + ([EBX] * s) + disp8 \|- ! style="text-align: left;" \| 1.101 R13 ~~! b100~~ ~~\|[EAX] + disp8\|\|[ECX] + disp8\|\|[EDX] + disp8\|\|[EBX] + disp8\|\|[ESP] + disp8\|\|[EBP] + disp8\|\|[ESI] + disp8\|\|[EDI] + disp8~~ \|- ! style="text-align: left;" \| 1.110 R14 ~~! b101~~ \|[EAX] + ([EBP] * s) + disp8\|\|[ECX] + ([EBP] * s) + disp8\|\|[EDX] + ([EBP] * s) + disp8\|\|[EBX] + ([EBP] * s) + disp8\|\|[ESP] + ([EBP] * s) + disp8\|\|[EBP] + ([EBP] * s) + disp8\|\|[ESI] + ([EBP] * s) + disp8\|\|[EDI] + ([EBP] * s) + disp8 \|- ! style="text-align: left;" \| 1.111 R15 ~~! b110~~ \|[EAX] + ([ESI] * s) + disp8\|\|[ECX] + ([ESI] * s) + disp8\|\|[EDX] + ([ESI] * s) + disp8\|\|[EBX] + ([ESI] * s) + disp8\|\|[ESP] + ([ESI] * s) + disp8\|\|[EBP] + ([ESI] * s) + disp8\|\|[ESI] + ([ESI] * s) + disp8\|\|[EDI] + ([ESI] * s) + disp8 \|- \| colspan="18" style="background-color: white; border-top: solid 2px black; border-bottom: solid 2px black; border-left: none; border-right: none;" \| ~~! b111~~ \|[EAX] + ([EDI] * s) + disp8\|\|[ECX] + ([EDI] * s) + disp8\|\|[EDX] + ([EDI] * s) + disp8\|\|[EBX] + ([EDI] * s) + disp8\|\|[ESP] + ([EDI] * s) + disp8\|\|[EBP] + ([EDI] * s) + disp8\|\|[ESI] + ([EDI] * s) + disp8\|\|[EDI] + ([EDI] * s) + disp8 \|- ! colspan="2" \| !! colspan="1016" style="text-align: left;" \| B.Base \|- ! Mod ~~! rowspan="8" \| b10!!b000~~ ! style="text-align: left;" \| X.Index \|[EAX] + ([EAX] * s) + disp32\|\|[ECX] + ([EAX] * s) + disp32\|\|[EDX] + ([EAX] * s) + disp32\|\|[EBX] + ([EAX] * s) + disp32\|\|[ESP] + ([EAX] * s) + disp32\|\|[EBP] + ([EAX] * s) + disp32\|\|[ESI] + ([EAX] * s) + disp32\|\|[EDI] + ([EAX] * s) + disp32 ! 0.000<br />AX ! 0.001<br />CX ! 0.010<br />DX ! 0.011<br />BX ! 0.100<br />SP ! 0.101<br />BP ! 0.110<br />SI ! 0.111<br />DI ! 1.000<br />R8 ! 1.001<br />R9 ! 1.010<br />R10 ! 1.011<br />R11 ! 1.100<br />R12 ! 1.101<br />R13 ! 1.110<br />R14 ! 1.111<br />R15 \|- ! rowspan="16" \| 10 !! style="text-align: left;" \| 0.000 AX ~~! b001~~ \| style="background-color: white" rowspan="4" colspan="16"\|[base + (index * s) + disp32] \|[EAX] + ([ECX] * s) + disp32\|\|[ECX] + ([ECX] * s) + disp32\|\|[EDX] + ([ECX] * s) + disp32\|\|[EBX] + ([ECX] * s) + disp32\|\|[ESP] + ([ECX] * s) + disp32\|\|[EBP] + ([ECX] * s) + disp32\|\|[ESI] + ([ECX] * s) + disp32\|\|[EDI] + ([ECX] * s) + disp32 \|- ! style="text-align: left;" \| 0.001 CX ~~! b010~~ \|[EAX] + ([EDX] * s) + disp32\|\|[ECX] + ([EDX] * s) + disp32\|\|[EDX] + ([EDX] * s) + disp32\|\|[EBX] + ([EDX] * s) + disp32\|\|[ESP] + ([EDX] * s) + disp32\|\|[EBP] + ([EDX] * s) + disp32\|\|[ESI] + ([EDX] * s) + disp32\|\|[EDI] + ([EDX] * s) + disp32 \|- ! style="text-align: left;" \| 0.010 DX ~~! b011~~ \|[EAX] + ([EBX] * s) + disp32\|\|[ECX] + ([EBX] * s) + disp32\|\|[EDX] + ([EBX] * s) + disp32\|\|[EBX] + ([EBX] * s) + disp32\|\|[ESP] + ([EBX] * s) + disp32\|\|[EBP] + ([EBX] * s) + disp32\|\|[ESI] + ([EBX] * s) + disp32\|\|[EDI] + ([EBX] * s) + disp32 \|- ! style="text-align: left;" \| 0.011 BX ~~! b100~~ ~~\|[EAX] + disp32\|\|[ECX] + disp32\|\|[EDX] + disp32\|\|[EBX] + disp32\|\|[ESP] + disp32\|\|[EBP] + disp32\|\|[ESI] + disp32\|\|[EDI] + disp32~~ \|- ! style="text-align: left;" \| 0.100<span style="vertical-align: super">[[#Table10Note2\|2]]</span> SP ~~! b101~~ \| style="background-color: white" colspan="16"\|[base + disp32] \|[EAX] + ([EBP] * s) + disp32\|\|[ECX] + ([EBP] * s) + disp32\|\|[EDX] + ([EBP] * s) + disp32\|\|[EBX] + ([EBP] * s) + disp32\|\|[ESP] + ([EBP] * s) + disp32\|\|[EBP] + ([EBP] * s) + disp32\|\|[ESI] + ([EBP] * s) + disp32\|\|[EDI] + ([EBP] * s) + disp32 \|- ! style="text-align: left;" \| 0.101 BP ~~! b110~~ \| style="background-color: white" rowspan="11" colspan="16"\|[base + (index * s) + disp32] \|[EAX] + ([ESI] * s) + disp32\|\|[ECX] + ([ESI] * s) + disp32\|\|[EDX] + ([ESI] * s) + disp32\|\|[EBX] + ([ESI] * s) + disp32\|\|[ESP] + ([ESI] * s) + disp32\|\|[EBP] + ([ESI] * s) + disp32\|\|[ESI] + ([ESI] * s) + disp32\|\|[EDI] + ([ESI] * s) + disp32 \|- ! style="text-align: left;" \| 0.110 SI ~~! b111~~ \|- \|[EAX] + ([EDI] * s) + disp32\|\|[ECX] + ([EDI] * s) + disp32\|\|[EDX] + ([EDI] * s) + disp32\|\|[EBX] + ([EDI] * s) + disp32\|\|[ESP] + ([EDI] * s) + disp32\|\|[EBP] + ([EDI] * s) + disp32\|\|[ESI] + ([EDI] * s) + disp32\|\|[EDI] + ([EDI] * s) + disp32 ! style="text-align: left;" \| 0.111 DI \|- ! style="text-align: left;" \| 1.000 R8 \|- ! style="text-align: left;" \| 1.001 R9 \|- ! style="text-align: left;" \| 1.010 R10 \|- ! style="text-align: left;" \| 1.011 R11 \|- ! style="text-align: left;" \| 1.100 R12 \|- ! style="text-align: left;" \| 1.101 R13 \|- ! style="text-align: left;" \| 1.110 R14 \|- ! style="text-align: left;" \| 1.111 R15 \|} </div> <small id="Table10Note1">1: No base register is encoded.</small><br /> <small id="Table10Note2">2: No index register is encoded.</small> ~~=== 64-bit addressing ===~~ ~~{Stub}~~ == Displacement == A displacement value is a 1, 2, 4, or 8 byte offset added to the calculated address. When an 8 byte displacement is used, no immediate operand is encoded. The displacement value, if any, follows the ModR/M and SIB bytes discussed above. When the ModR/M or SIB tables state that a ''disp'' value is required, or without a ModR/M byte the use of ''moffset'' (AMD) or ''moffs'' (Intel) in the mnemonic syntax of the instruction, then the displacement bytes are required. == Immediate == Some instructions require an immediate value. The instruction (and the operand-size column in the above table) determine the length of the immediate value. The ''imm8'' mnemonic (or 8-bit [[#Operand-size and address-size override prefix\|operand-size]]) means a one byte immediate value, ''imm16'' (or 16-bit operand-size) means a two byte immediate value, ''imm32'' (or 32-bit operand-size) a four byte value and ''imm64'' (or 64-bit operand-size) an eight byte value. When an 8 byte immediate value is encoded, no displacement can be encoded. == See Also == === External References === * AMD64 Architecture Programmer's Manual [~~http~~https://www.amd.com/~~us-en~~system/~~assets~~files/~~content_type/white_papers_and_tech_docs~~TechDocs/24594.pdf Volume 3: General-Purpose and System Instructions] * [http://www.intel.com/products/processor/manuals/ Intel 64 and IA-32 Architectures Software Developer's Manuals] [[Category:X86 CPU]] [[Category:X86-64]]