x86 Assembly Programming

Programming Model

Memory

2³²- bytes

Registers

**8 32-bit General Purpose Registers**
Register	Function	16-bit low end	8-bit
eax	Accumulator	ax	ah, al
ebx	(base index)	bx	bh, bl
ecx	(count)	cx	ch, cl
edx	(data)	dx	dh, dl
edi	(destination index)	do
esi	(source index)	si
ebp	Frame pointer	bp
esp	Stack top pointer	sp

**6 16-bit Section Registers**
Register	Function
cs	Code section
ds	Data section
ss	Stack section
es	(extra section)
fs	(supplemental section)
gs	(supplemental section)

**EFLAGS Register**
S	Sign
Z	Zero
C	Carry
P	Parity
O	Overflow

32-bit EFLAGS Register

32-bit EIP (Instruction Pointer Register)

AT&T Style Syntax (GNU C/C++ compiler and GAS)

Instruction: opcode[b+w+l] src, dest
Register: %reg
Memory operand size: [b+w+l] for byte, word, longword - 8, 16, 32 bits
Memory references: section:disp(base, index, scale) where base and index are optional 32-bit base and index registers, disp is the optional displacement, and scale, taking the values 1, 2, 4, and 8, multiplies index to calculate the address of the operand. -- address is relative to section and is calculated by the expression: base + index*scale + disp
Constants (immediate operands)
- 74 - decimal
- 0112 - binary
- 0x4A - hexadecimal
- 0f-395.667e-36 - floating point
- 'J - character
- "string" - string

Operand Addressing

Code: CS + IP (Code segment + Offset)
Stack: SS + SP (Stack segment + Offset (stack top))
Immediate Operand: $constant_expression
Register Operand: %register_name

Memory Operand: section:displacement(base, index, scale) The section register is often selected by default. cs for code, ss for stack instructions, ds for data references, es for strings.

Base	+(	Index	*	Scale	)+	Displacement
eax ebx ecx edx esp ebp esi edi		eax ebx ecx edx ebp esi edi		1 2 3 4		Name Number

Direct Operand: displacement (often just the symbolic name for a memory location)
Indirect Operand: (base)
Base+displacement: displacement(base)
- index into an array
- access a field of a record
(index*scale)+displacement: displacement(,index,scale)
- index into an array
Base + index + displacement: displacement(base,index)
- two dimensional array
- one dimensional array of records
Base+(index*scale)+ displacement: displacement(base, index,scale)
- two dimensional array

Subroutines

Function -- returns an explicit value
Procedure -- does not return and explicit value

The flow of control and the interface between a subroutine and its caller is described by the following:

Caller ...
call target	Transfer of control from caller to the subroutine by saving the contents of the program counter and the program counter (CS:IP) register to the entry point of the subroutine.
Subroutine
pushl %ebp movl %esp, %ebp	Save base pointer of the caller New base pointer (activation record/frame)
Callee ...	Body of Subroutine
movl %ebp,%esp popl %ebp	Restore the callers stack top pointer Restore the callers base pointer
ret	Return of control from the subroutine to the caller by alter the program counter (CS:IP) register to the saved address of the caller.
Caller ...

An alternative is to have the caller save and restore the values in the registers. (Prior to the call, the caller saves the registers it needs and after the return, restores the values of the registers)

Data

Data Representation

Bits, Bytes, Wyde, word, double word -- modulo 2^n
Sign magnitude -- sign bit 0=+, 1=-; magnitude
One's complement -- negative numbers are complement of positive numbers - problem: two representations for zero
Twos complement (used by Intel) -- to negate:
- Invert (complement)
- add 1
Excess 2^(n-1) (often used for exponent)
ASCII - character data
EBCDIC
BCD

Data Definition Directives

Description provided to the assembler of how static data is to be organized.

Symbolic name (variables and constants)
Size (number of bytes)
Initial value
.data

Define Byte (DB): (8-bit values) [name] DB initial value [, initial value] see key examples in text; multiple values, undefined, expression, C and Pascal strings, one or more lines of text, $ for length of string
Define Word (DW): (16-bit words) [name] DW initial value [, initial value] see key examples in text; reversed storage format, pointers
Define Double Word (DD): (32-bit double words) [name] DW initial value [, initial value]
Example: p. 80
DUP Operator: n dup( value ) see key examples in text; type checking

Constant Definitions

.CONST
EQU: name EQU constant expression

Data Transfer Instructions

mov src, dest
- src: immediate value, register, memory
- dest: register, memory
- except memory, memory
xchg sd1, sd2
- Memory, Register
- Register, Memory
- Register, Register
push src
- src: immediate, register, or memory
pop dest
- dest: register or memory
pusha - save all registers on the stack
popa - restore all registers from the stack

Arithmetic Instructions

add src, dest; subl src, dest - src +- dest, result in dest
- Memory, Register
- Register, Memory
- Register, Register
Flags Affected by add and sub: OF (overflow), SF (sign), ZF (zero), PF (parity), CF (carry), AF (borrow)
inc dest; decl dest faster than add/subtract
- Memory
- Register
Flags Affected by inc and dec: OF (overflow), SF (sign), ZF (zero), PF (parity), AF (borrow)
adc & sbb add with carry/subtract with borrow - used for adding numbers with more than 32-bits
cmp src, dest computes src - dest (neither src or dest changes) but may change flags.
- Memory, Register
- Register, Memory
- Register, Register
cmpxchg src, dest - compares dest with accumulator and if equal, src is copied into destination. If not equal, destination is copied to the accumlator.
neg dest - change sign or two's complement
- Memory
- Register
Flags Affected by NEG: SF (sign), ZF (zero), PF (parity), CF (carry), AF (borrow)
mul src - unsigned multiplication EDX:EAX = src * eax
imul src - signed multiplication EDX:EAX = src * eax
Flags Affected by MUL, IMUL:
- undefined: SF, ZF, AF, PF
- OF, CF set if upper half is nonzero, set otherwise
div src (unsigned) src is general register or memory quotient eax = edx:eax/src; remainder edx = edx:eax mod src
idiv src (signed) src is general register or memory quotient eax = edx:eax/src; remainder edx = edx:eax mod src
- Flags Affected by DIV, IDIV:
  - undefined: OF, SF, ZF, AF, PF
  - Type 0 interrupt if quotient is too large for destination register.
CBW (change byte to word) expands AL to AX - signed arithmetic
CWD (change word to double word) expands AX to DX:AX - signed arithmetic
BCD Arithmetic - often used in point of sale terminals
ASCII Arithmetic - rarely used

Logic Instructions

andl src, dest - dest = src and dest
orl src, dest
xorl src, dest
notl dest - logical inversion or one's complement
neg dest - change sign or two's complement
- Memory
- Register
testl src, dest (an AND that does not change dest, only flags)

Shift and Rotate Instructions

Logical Shift
- shr count, dest - shift dest count bits to the right
- shl count, dest - shift dest count bits to the left
Arithmetic Shift(preserves sign)
- sar count, dest - shift dest count bits to the right
- sal count, dest - shift dest count bits to the left
Rotate without/With carry flag
- ror count, dest - rotate dest count bits to the right
- rol count, dest - rotate dest count bits to the left
- rcr count, dest - rotate dest count bits to the right
- rcl count, dest - rotate dest count bits to the left
test arg, arg (an AND that does not change dest, only flags)
cmp src, dest subtract src from dest (neither src or dest changes) but may change flags.
- Memory, Register
- Register, Memory
- Register, Register
- CMP
Flag Bit Operations
- Complement CF: CMC
- Clear CF, DF, and IF: CLC,CLD,CLI,
Set CF, DF, and IF: STC, STD, STI

Control Transfer Instructions

cmp src, dest - compute dest - src and set flags accordingly
Jump instructions: the transfer is one-way; that is, a return address is not saved.

   NEXT:...
        ...
        jmp NEXT  ;GOTO NEXT

**Jump Instructions**
jmp dest		unconditional	NEXT:... ... jmp NEXT ;GOTO NEXT
*Unsigned conditional jumps*
jcc dest
ja/jnbe	C=0 and Z=0	Jump if above
jae/jnb	C=0	Jump if above or equal to
jb/jnae	C=1	Jump if below
jbe/jna	C=1 or Z=1	Jump if below or equal to
jc	C=1	Jump if carry set
je/jz	Z=1	Jump if equal to
jnc	C=0	jump if carry cleared
jne/jnz	Z=0	jump if not equal
jnp/jpo	P=0	jump if no parity
jp/jpe	P=1	jump on parity
jcxz	cx=0	jump if cx=0	gcc does not use
jecxz	ecx=0	jump if ecx=0	gcc does not use
*Signed conditional jumps*
jcc dest
jg/jnle	Z=0 and S=0	jump if greater than
jge/jnl	S=0	jump if greater than or equal
jl/jnge	S=1	jump if less than
jle/jng	Z=1 or S=1	jump if less than or equal
jno	O=0	jump if no overflow
jns	S=0	jump on no sign
jo	O=1	jump on overflow
js	S=1	jump on sign

Loop instructions: The loop instruction decrements the ecx register then jumps to the label if the termination condition is not satisfied.

      movl count, %ecx
LABLE:
                 ...
                 loop LABEL

	Termination condition
loop label	ecx = 0	gcc does not use
loopz/loope lab el	ecx =0 or ZF = 0	gcc does not use
loopnz/loopne label	ecx = 0 or ZF = 1	gcc does not use

call name - call subroutine name
ret - return from subroutine
enter
leave
int n - interrupt
into - interrupt on overflow
iret - interrupt return
bound - value out of range
IF C THEN S;
IF C THEN S1 ELSE S2;
CASE E DO c1 : S1; c2 : S2; ... cn : Sn end;
WHILE C DO S;
REPEAT S UNTIL C;
FOR I from J to K by L DO S;

String Instructions

The sring instructions assume that by default, the address of the source string is in ds:esi (section register may be any of cs, ss, es, fs, or gs) and the address of the destination string is in es:edi (no override on the destination section). Typical code follow the scheme

initialize esi and edi with addresses for source and destination strings
initialize ecx with count
Set the direction flag with cld to count up, with std to cound down
prefix string-operation

[prefix]movs - move string
[prefix]cmps - compare string WARNING: subtraction is dest - source, the reverse of the cmp instruction
[prefix]scas - scan string
[prefix]lods - load string
[prefix]stos - store string
String instruction prefixes: The ecx register must be initialized and the DF flag in initialized to control the increment or decrement of the ecx register. Unlike the loop instruction, the test is performed before the instruction is executed.
- rep - repeat while ecx not zero
- repe - repeat while equal or zero (used only with cmps and scas)
- repne - repeat while not equal or not zero (used only with cmps and scas)

Miscellaneous Instructions

leal src, dest(load effective address -- the address of src into dest)
- Memory, Register
nop
xlat/xlatb
cpuid

Floating Point Instructions

**Floating Point**
**8 32-bit registers**
Register	Function
st
st(0)
st(1)
...
st(7)

MMX Instructions

System Instructions

hlt
lock
esc
bound
enter leave

Interrupts

int
into

Memory Management Unit

invlpg

Cache

References

http://www.x86.org/