80386 Instruction Set

80386 Instruction Set

Operand-Size and Address-Size Attributes2

The 80386 can address memory using either 16 or 32-bit addresses. Consequently, each instruction that uses memory addresses has associated with it an address-size attribute of either 16 or 32 bits.

16-bit addresses imply both the use of a 16-bit displacement in the instruction and the generation of a 16-bit address offset (segment relative address) as the result of the effective address calculation.

32-bit addresses imply the use of a 32-bit displacement and the generation of a 32-bit address offset.

An instruction that accesses words (16 bits) or doublewords (32 bits) has an operand-size attribute of either 16 or 32 bits.

Data Movement Instructions 3

These instructions provide convenient methods for moving bytes, words, or doublewords of data between memory and the registers of the base architecture. They fall into the following classes:

1.General-purpose data movement instructions.2.Stack manipulation instructions.3.Type-conversion instructions.

General-Purpose Data Movement Instructions 4

MOV (Move) transfers a byte, word, or doubleword from the source operand to the destination operand. The MOV instruction is useful for transferring data along any of these paths.

To a Register from MemoryTo Memory from a RegisterBetween General Registers Immediate Data to a Register Immediate Data to a Memory

The MOV instruction cannot move from memory to memory or from segment register to segment register are not allowed.

Memory-to-Memory moves can be performed, however, by the string move instruction MOVS.

General-Purpose Data Movement Instructions 5

XCHG (Exchange) swaps the contents of two operands.

XCHG is especially useful for implementing semaphores or similar data structures for process synchronization.

The XCHG instruction can swap two byte operands, two word operands, or two doubleword operands.

The operands for the XCHG instruction may be two register operands, or a register operand with a memory operand.

Stack Manipulation Instructions - PUSH

6

PUSH decrements the stack pointer (ESP), then transfers the source operand to the top of stack indicated by ESP. PUSH is often used to place parameters on the stack before calling a procedure.

The PUSH instruction operates on memory operands, immediate operands, and register operands (including segment registers).

Stack Manipulation Instructions - PUSH7

PUSHAD (Push All Registers) saves the contents of the eight general registers on the stack. The processor pushes the general registers on the stack in the following order: EAX, ECX, EDX, EBX, the initial value of ESP before EAX was pushed, EBP, ESI, and EDI.

Stack Manipulation Instructions - POP8

POP (Pop) transfers the word or doubleword at the current top of stack (indicated by ESP) to the destination operand, and then increments ESP to point to the new top of stack. POP moves information from the stack to a general register, or to memory

POPAD (Pop All Registers) restores the registers saved on the stack by PUSHAD, except that it ignores the saved value of ESP.

Stack Manipulation Instructions - POPA9

Stack Manipulation Instructions - POPAD10

POPAD – instruction pops all eight 32-bit GP registers from the top of the stack. This is distinct from the POPA instruction, which pops 16-bit values.

PUSHAD – instruction is the functional opposite of the POPAD inst. It causes all 32 bits of the eight GP registers to be pushed onto the stack.

POPFD – instruction is equivalent to the POPF inst except that it pops all 32 bits of the EFLAGS register.

PUSHFD – instruction pushes all 32 bits of the EFLAGS register onto the stack.

Type Conversion Instructions

11

The type conversion instructions convert bytes into words, words into doublewords, and doublewords into 64-bit items (quad-words).

These instructions are especially useful for converting signed integers, because they automatically fill the extra bits of the larger item with the value of the sign bit of the smaller item. This kind of conversion is called sign extension.

Type Conversion Instructions12

There are two classes of type conversion instructions:

1.The forms CWD, CDQ, CBW, and CWDE which operate only on data in the EAX register.2.The forms MOVSX and MOVZX, which permit one operand to be in any general register while permitting the other operand to be in memory or in a register.


CWD (Convert Word to Doubleword) and CDQ (Convert Doubleword to Quad-Word) double the size of the source operand.

CWD extends the sign of the word in register AX throughout register DX. CDQ extends the sign of the doubleword in EAX throughout EDX.

CWD can be used to produce a doubleword dividend from a word before a word division, and CDQ can be used to produce a quad-word dividend from a doubleword before doubleword division.

CBW (Convert Byte to Word) extends the sign of the byte in register AL throughout AX.


CWDE (Convert Word to Doubleword Extended) extends the sign of the word in register AX throughout EAX.

Example MOV AX, 1234h ;AX gets positive numberCWDE

MOVSX (Move with Sign Extension) sign-extends an 8-bit value to a 16-bit value and a 8- or 16-bit value to 32-bit value.

MOVZX (Move with Zero Extension) extends an 8-bit value to a 16-bit value and an 8- or 16-bit value to 32-bit value by inserting high-order zeros.

Addition and Subtraction Instructions15

ADD (Add Integers) replaces the destination operand with the sum of the source and destination operands. Sets CF if overflow.

ADC (Add Integers with Carry) sums the operands, adds one if CF is set, and replaces the destination operand with the result. If CF is cleared, ADC performs the same operation as the ADD instruction. An ADD followed by multiple ADC instructions can be used to add numbers longer than 32 bits.

INC (Increment) adds one to the destination operand. INC does not affect CF. Use ADD with an immediate value of 1 if an increment that updates carry (CF) is needed.

Operand-Size and Address-Size Attributes16

SUB (Subtract Integers) subtracts the source operand from the destination operand and replaces the destination operand with the result. If a borrow is required, the CF is set. The operands may be signed or unsigned bytes, words, or doublewords.

SBB (Subtract Integers with Borrow) subtracts the source operand from the destination operand, subtracts 1 if CF is set, and returns the result to the destination operand.

DEC (Decrement) subtracts 1 from the destination operand. DEC does not update CF. Use SUB with an immediate value of 1 to perform a decrement that affects carry.

Comparison and Sign Change Instruction17

CMP (Compare) subtracts the source operand from the destination operand. It updates OF, SF, ZF, AF, PF, and CF but does not alter the source and destination operands. A subsequent Jcc or SETcc instruction can test the appropriate flags.

Example CMP AX, 4357h ; compare AX to constantJNE far_away ; jump if not equal

NEG (Negate) subtracts a signed integer operand from zero. The effect of NEG is to reverse the sign of the operand from positive to negative or from negative to positive.

Multiplication Instruction 18

The 80386 has separate multiply instructions for unsigned and signed operands.

MUL operates on unsigned numbers, while IMUL operates on signed integers as well as unsigned.

Using IMUL it is possible to multiply any register by any other register or by a memory operand. Signed Multiplication

Example

MOV EBX, 12345678hMOV ESI, 87654321hIMUL EBX, ESI ;EBX = EBX*ESI

Division Instruction 19

DIV - The 80386 performs an unsigned division. The dividend is implicit; only the divisor is given as an operand.

Size Dividend Divisor Quotient Remainder

Byte AX r/m8 AL AH

Word DX:AX r/m16 AX DX

Dword EDX:EAX r/m32 EAX EDX

IDIV - The 80386 performs an signed division. The dividend is implicit; only the divisor is given as an operand.

Logical Instruction 20

The group of logical instructions includes:

The Boolean Operation Instructions Bit Test and Modify Instructions Bit Scan Instructions Rotate and Shift Instructions Byte Set on condition

Bit Test and Modify Instruction21

This group of instructions operates on a single bit which can be in memory or in a general register.

The location of the bit is specified as an offset from the low-order end of the operand. The value of the offset either may be given by an immediate byte in the instruction or may be contained in a general register.

These instructions first assign the value of the selected bit to CF, the carry flag. Then a new value is assigned to the selected bit, as determined by the operation. OF, SF, ZF, AF, PF are left in an undefined state.

Bit Manipulation Instruction22


BT (Bit Test ) – reports the status of a bit in the operand by setting or clearing CF to match it. The operand under test may be either a register or a memory location. The second operand specifies which bit in the first operand to test.

Example

BT EAX, 5 ; test bit 5 of EAXJC foo : jump if bit 5 was set


BTC (Bit Test & Complement ) – It operates exactly like the BT, except that the bit being tested is inverted after the test is performed, and its condition is saved in CF.

Example

BTC EAX, 9 ; test & invert bit 9 JC foo : jump if bit used to be 1


BTR (Bit Test & Reset ) – the BTR instruction operates exactly like the BTC instruction, except that it always clears the bit being tested.

Example

BTR EAX , 0 ; test & clear bit 0 JC foo : jump if it was set

BTS (Bit Test & Set ) – The BTS instruction operates exactly like the BTC instruction, except that it always sets the bit being tested.

Example

BTR DWORD PTR DS:[840621], 3 ; test & set bit 3 JC foo : jump if it was set


Bit Scan Instruction27

These instructions scan a word or doubleword for a one-bit and store the index of the first set bit into a register. The bit string being scanned may be either in a register or in memory.

The ZF flag is set if the entire word is zero; ZF is cleared if a one-bit is found.If no set bit is found, the value of the destination register is undefined.

BSF (Bit Scan Forward) scans from low-order to high-order (starting from bit index zero).

BSR (Bit Scan Reverse) scans from high-order to low-order (starting from bit index 15 of a word or index 31 of a doubleword).


BSF (Bit Scan Forward) finds first 1 bit in the source operand, starting from LSB to MSB. If the entire source operand has no 1 bits, that is, if it equals 0, ZF is set, and destination operand is undefined. Otherwise, ZF is cleared, and the destination operand gets the bit index of the first 1 bit

Example MOV EAX, 03004000H ; LOAD CONSTANT INTO EAXBSF EBX, EAX ; EBX gets 14JZ zero ; EAX= 0?


BSR (Bit Scan Reverse)operates like BSF, except that it beings scanning from the MSB of the source operand and works to ward bit 0. Example

MOV EAX, 00000F00H ; LOAD constant into EAXBSF EBX, EAX ; EBX gets 11JZ zero ; EAX= 0?

Bit Shift and Rotate Instructions30

Shift and Rotate Instruction31

Shift Arithmetic Left / Shift Logical Left


Shift Logical Right


Shift Arithmetic Right

MOVE Instruction34

MOV

MOVSX (Move with Sign Extend) instruction performs a MOV operation between two operands of dissimilar size. The source operand is sign-extended as it is copied into larger destination operand.

Example MOV BL, 55h ; LOAD CONSTANT INTO EAXMOVSX ECX BL ; ECX = 00000055h

MOVE Instruction35

MOV

MOVZX (Move with Zero Extend) instruction operates just like a MOVSX instruction except that the source operand is zero-extended into the destination operand. If the source operand is positive this has the same effect as a MOVSX.

Example MOV DH, 89h ; DH gets –ve number MOVZX EAX DH ; EAX = 00000089h

Flag Operations 36

LAHF: Load A register from FlagsSAHF: Store A register in FlagsPUSHF: Push flags onto stackPOPF: Pop flags off stackPUSHFD :Push EFlags onto stackPOPFD: Pop EFlags off stackCLC :Clear Carry Flag : set CF=0CLD Clear Direction Flag: set DF=0 ,SI/DI incremented during

string operation (MOVS,CMPS,SCANS)CMC Complement Carry Flag: If CF=0 then CF=1,If CF=1 then

CF=0 STC Set Carry Flag: CF=1STD Set Direction Flag : DF=0

NO Operations 37

NOP : Performs no operation - causes the CPU to do nothing - increment EIP to point to the next

instruction.

INTERRUPTS

38

INT : InterruptINTO : Interrupt if overflowIRET : Return from Interrupt/TaskCLI: Clear interrupt EnableSTI: Set Interrupt Enable

High Level Language Instructions

39

BOUND : Check Array Bounds(checks the value of index register against predefined range of indexes.

e.g. Bound Index, Range ENTER :Setup Parameter Block for EnteringProcedure(create a stack frame) e.g. Enter 4,0 ( op1:dynamic storage space in

bytes,op2 :level of the new procedure being entered

LEAVE : Leave Procedure

Processor Control Instructions

40

HLT : Halt Processing (stop fetching and executing instruction

WAIT: Wait until BUSY# negated -causes processor to wait till an interrupt is

recognized ESC : Escape to external processor LOCK: Lock Bus during next instruction :allows

a microprocessor to make sure that another processor does not take a control of the system bus

Privileged Instructions 41

Instruction Action

HLT Halt the processor

CLTS Clears task-switched flag

LGDT, LIDT, LLDT Loads GDT, IDT, LDT registers

LTR Loads task registers

LMSW Loads machine status word

MOV CR n, REG / MOV REG, CRn Moves to/from control reg.

MOV DR n, REG / MOV REG, DRn Moves to/from debug reg.

MOV TR n, REG / MOV REG, TRn Moves to/from test reg.

These instructions must be executed when CPL is 0; otherwise 80386 generates general protection exception

Special Protection Mode Instruction 42

SGDT Store Global Descriptor Table

SIDT Store Interrupt Descriptor Table

STR Store Task Register

SLDT Store Local Descriptor Table

LGDT Load Global Descriptor Table

LIDT Load Interrupt Descriptor Table

LDR Load Task Register

LLDT Load Local Descriptor Table

ARPL Adjust Requested Privilege Level

LAR Load Access Rights

LSL Load Segment Limit

VERR/VERW Verify Segment for Reading or Writing

LMSW Load Machine Status Word

SMSW Store Machine Status Word

Control Transfer Instruction43

The 80386 provides both conditional and unconditional control transfer instructions to direct the flow of execution. Conditional control transfers depend on the results of operations that affect the flag register.

Unconditional control transfers are always executed.

JMP (Jump) unconditionally transfers control to the target location. JMP is a one-way transfer of execution; it does not save a return address on the stack.

Control Transfer Instruction44

CALL (Call Procedure) activates an out-of-line procedure, saving on the stack the address of the instruction following the CALL for later use by a RET (Return) instruction.

CALL places the current value of EIP on the stack.

The RET instruction in the called procedure uses this address to transfer control back to the calling program.

Return & Return-From-Interrupt Instruction 45

RET (Return From Procedure) terminates the execution of a procedure and transfers control through a back-link on the stack to the program that originally invoked the procedure.

RET restores the value of EIP that was saved on the stack by the previous CALL instruction.

IRET (Return From Interrupt) returns control to an interrupted procedure.

IRET differs from RET in that it also pops the flags from the stack into the flags register. The flags are stored on the stack by the interrupt mechanism.

Conditional Jump Instructions 46

Conditional Jump Instructions 47

Loop Instructions 48

The loop instructions are conditional jumps that use a value placed in ECX to specify the number of repetitions of a software loop. All loop instructions automatically decrement ECX and terminate the loop when ECX=0.

LOOP (Loop While ECX Not Zero) is a conditional transfer that automatically decrements the ECX register before testing ECX for the branch condition. If ECX is non-zero, the program branches to the target label specified in the instruction. The LOOP instruction causes the repetition of a code section until the operation of the LOOP instruction decrements ECX to a value of zero.

Loop Instructions 49

LOOPE (Loop While Equal) and LOOPZ (Loop While Zero) are synonyms for the same instruction.

If ECX is non-zero and ZF=1, the program branches to the target label specified in the instruction. If LOOPE or LOOPZ finds that ECX=0 or ZF=0, control transfers to the instruction immediately following the LOOPE or LOOPZ instruction.

LOOPNE (Loop While Not Equal) and LOOPNZ (Loop While Not Zero) are synonyms for the same instruction.

If ECX is non-zero and ZF=0, the program branches to the target label specified in the instruction.

Initialization & Transition toProtected Mode

Steps to Initialize Protected Mode 51

Intel 386 DX begins executing in Real Mode immediately after RESET.

The 80386 fetches its first instruction from physical address FFFFFFF0. it is customary to place an unconditional NEAR JMP instruction here.

TO enter into protected mode, it is necessary to initialize the system tables and registers with the appropriate values.


The GDT and IDT registers must refer to a valid GDT and IDT.

The IDT should be at least 256 bytes long, and GDT must contain descriptors for the initial code, and data segments.

The actual method of enabling Protected Mode is to load CR0 with the PE bit set, via the MOV CR0, R/M instruction. This puts the Intel386 DX in Protected Mode.

After enabling Protected Mode, the next instruction should execute an intersegment JMP to load the CS register and flush the instruction decode queue. The final step is to load all of the data segment registers with the initial selector values.


The steps accomplish the switch from real mode to protected mode.

1.Prepare GDT with a null descriptor in the first GDT entry, one code segment descriptor, one stack segment descriptor and one data segment descriptor.

2.Initialize the interrupt descriptor table so that it contains valid interrupt gates for at least the first 32 interrupt type numbers. The IDT may contain up to 256 8-byte interrupt gates defining all 256 interrupt types.

3.Load the base address and limit of the GDT to GDTR register, using ‘LGDT’ instruction

4.Set PE flag in CR0 register, using MOV CR05.Immediately, execute an intersegment jump to load the CS register

and flush the instruction decode queue.

Simple Protected System 54

GDT Descriptor for Simple System 55

Returning to Real Mode56

To return the processor to Real mode without turning off the power or resetting the system, you can simply clear PE in CR0

If paging is enabled, it should be disabled first. Reset PG in CR0. The next major step is to use segment descriptors that look as much

like Real mode segments as possible. Load selector to descriptors with the attributes shown below.

Attribute Value

Limit FFFF 64 K

Granularity 0 Byte granular

Expansion Direction 0 Expand up

Writeable 1 Writeable

Present 1 Segment present

Returning to Real Mode57

A

PG = 1?

JMP to identity- mapped page

Set PG = 0

Set CR0 = 0

InitializeDS, ES, FS, GS, SS

Initialize CS

Set PE = 0

FAR JMP

LIDT

Documents

80386 Instruction Set