x86 Architecture

        2 out of 2 rated this helpfulRate this topic

The Intel x86 processor uses complex instruction set computer (CISC) architecture, which means there is a modest number of special-purpose registers instead of large quantities of general-purpose registers. It also means that complicated special-purpose instructions will predominate.

The x86 processor traces its heritage at least as far back as the 8-bit Intel 8080 processor. Many peculiarities in the x86 instruction are due to the backward compatibility with that processor (and with its Zilog Z-80 variant).

Microsoft Win32 uses the x86 processor in 32-bit flat mode. This documentation will focus only on the flat mode.

Registers

The x86 architecture consists of the following unprivileged integer registers.

eax

Accumulator

ebx

Base register

ecx

Count register

edx

Double-precision register

esi

Source index register

edi

Destination index register

ebp

Base pointer register

esp

Stack pointer

All integer registers are 32 bit. However, many of them have 16-bit or 8-bit subregisters.

ax

Low 16 bits of eax

bx

Low 16 bits of ebx

cx

Low 16 bits of ecx

dx

Low 16 bits of edx

si

Low 16 bits of esi

di

Low 16 bits of edi

bp

Low 16 bits of ebp

sp

Low 16 bits of esp

al

Low 8 bits of eax

ah

High 8 bits of ax

bl

Low 8 bits of ebx

bh

High 8 bits of bx

cl

Low 8 bits of ecx

ch

High 8 bits of cx

dl

Low 8 bits of edx

dh

High 8 bits of dx

Operating on a subregister affects only the subregister and none of the parts outside the subregister. For example, storing to theax register leaves the high 16 bits of the eax register unchanged.

When using the ? (Evaluate Expression) command, registers should be prefixed with an "at" sign (@ ). For example, you should use ? @ax rather than? ax. This ensures that the debugger recognizes ax as a register rather than a symbol.

However, the (@) is not required in the r (Registers) command. For instance, r ax=5 will always be interpreted correctly.

Two other registers are important for the processor's current state. 

eip

instruction pointer

flags

flags

The instruction pointer is the address of the instruction being executed.

The flags register is a collection of single-bit flags. Many instructions alter the flags to describe the result of the instruction. These flags can then be tested by conditional jump instructions. See x86 Flags for details.

Calling Conventions

The x86 architecture has several different calling conventions. Fortunately, they all follow the same register preservation and function return rules:

• Functions must preserve all registers, except for eax, ecx, and edx, which can be changed across a function call, andesp, which must be updated according to the calling convention.

• The eax register receives function return values if the result is 32 bits or smaller. If the result is 64 bits, then the result is stored in theedx:eax pair.

The following is a list of calling conventions used on the x86 architecture:

• Win32 (__stdcall)

  Function parameters are passed on the stack, pushed right to left, and the callee cleans the stack.

• Native C++ method call (also known as thiscall)

  Function parameters are passed on the stack, pushed right to left, the "this" pointer is passed in theecx register, and the callee cleans the stack.

• COM (__stdcall for C++ method calls)

  Function parameters are passed on the stack, pushed right to left, then the "this" pointer is pushed on the stack, and then the function is called. The callee cleans the stack.

• __fastcall

  The first two DWORD-or-smaller arguments are passed in the ecx andedx registers.  The remaining parameters are passed on the stack, pushed right to left. The callee cleans the stack.

• __cdecl

  Function parameters are passed on the stack, pushed right to left, and the caller cleans the stack. The__cdecl calling convention is used for all functions with variable-length parameters.

Debugger Display of Registers and Flags

Here is a sample debugger register display:

Copy

eax=00000000 ebx=008b6f00 ecx=01010101 edx=ffffffff esi=00000000 edi=00465000eip=77f9d022 esp=05cffc48 ebp=05cffc54 iopl=0         nv up ei ng nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000286

In user-mode debugging, you can ignore the iopl and the entire last line of the debugger display.

x86 Flags

In the preceding example, the two-letter codes at the end of the second line areflags. These are single-bit registers and have a variety of uses.

The following table lists the x86 flags:

Flag CodeFlag NameValueFlag StatusStatus Description

of

Overflow Flag

0

1

nvov

No overflow

Overflow

df

Direction Flag

0

1

updn

Direction up

Direction down

if

Interrupt Flag

0

1

diei

Interrupts disabled

Interrupts enabled

sf

Sign Flag

0

1

plng

Positive (or zero)

Negative

zf

Zero Flag

0

1

nzzr

Nonzero

Zero

af

Auxiliary Carry Flag

0

1

naac

No auxiliary carry

Auxiliary carry

pf

Parity Flag

0

1

pepo

Parity even

Parity odd

cf

Carry Flag

0

1

nccy

No carry

Carry

tf

Trap Flag

If tf equals 1, the processor will raise a STATUS_SINGLE_STEP exception after the execution of one instruction. This flag is used by a debugger to implement single-step tracing. It should not be used by other applications.

iopl

I/O Privilege Level

This is a two-bit integer, with values between zero and 3. It is used by the operating system to control access to hardware. It should not be used by applications.

When registers are displayed as a result of some command in the Debugger Command window, it is theflag status that is displayed. However, if you want to change a flag using ther (Registers) command, you should refer to it by theflag code.

In the Registers window of WinDbg, the flag code is used to view or alter flags. The flag status is not supported.

Here is an example. In the preceding register display, the flag status ng appears. This means that the sign flag is currently set to 1. To change this, use the following command:

Copy

r sf=0

This sets the sign flag to zero. If you do another register display, the ng status code will not appear. Instead, the pl status code will be displayed.

The Sign Flag, Zero Flag, and Carry Flag are the most commonly-used flags.

Conditions

A condition describes the state of one or more flags.  All conditional operations on the x86 are expressed in terms of conditions.

The assembler uses a one or two letter abbreviation to represent a condition. A condition can be represented by multiple abbreviations. For example, AE ("above or equal") is the same condition as NB ("not below"). The following table lists some common conditions and their meaning.

Condition NameFlagsMeaning

Z

ZF=1

Result of last operation was zero.

NZ

ZF=0

Result of last operation was not zero.

C

CF=1

Last operation required a carry or borrow.  (For unsigned integers, this indicates overflow.)

NC

CF=0

Last operation did not require a carry or borrow.   (For unsigned integers, this indicates overflow.)

S

SF=1

Result of last operation has its high bit set.

NS

SF=0

Result of last operation has its high bit clear.

O

OF=1

When treated as a signed integer operation, the last operation caused an overflow or underflow. 

NO

OF=0

When treated as signed integer operation, the last operation did not cause an overflow or underflow. 

Conditions can also be used to compare two values.  The cmp instruction compares its two operands, and then sets flags as if subtracted one operand from the other.  The following conditions can be used to check the result ofcmp value1, value2.

Condition NameFlagsMeaning after a CMP operation.

E

ZF=1

value1 == value2.

NE

ZF=0

value1 != value2.

GE

NL

SF=OF

value1 >= value2. 

Values are treated as signed integers.

LE

NG

ZF=1 or SF!=OF

value1 <= value2.  Values are treated as signed integers.

G

NLE

ZF=0 and SF=OF

value1 > value2.  Values are treated as signed integers.

L

NGE

SF!=OF

value1 < value2.  Values are treated as signed integers.

AE

NB

CF=0

value1 >= value2.  Values are treated as unsigned integers.

BE

NA

CF=1 or ZF=1

value1 <= value2.  Values are treated as unsigned integers.

A

NBE

CF=0 and ZF=0

value1 > value2.  Values are treated as unsigned integers.

B

NAE

CF=1

value1 < value2.  Values are treated as unsigned integers.

Conditions are typically used to act on the result of a cmp ortest instruction. For example,

Copy

cmp eax, 5jz equal

compares the eax register against the number 5 by computing the expression (eax - 5) and setting flags according to the result. If the result of the subtraction is zero, then thezr flag will be set, and the jz condition will be true so the jump will be taken.

Data Types

• byte: 8 bits

• word: 16 bits

• dword: 32 bits

• qword: 64 bits (includes floating-point doubles)

• tword: 80 bits (includes floating-point extended doubles)

• oword: 128 bits

Notation

The following table indicates the notation used to describe assembly language instructions.

NotationMeaning

r, r1, r2...

Registers

m

Memory address (see the succeeding Addressing Modes section for more information.)

#n

Immediate constant

r/m

Register or memory

r/#n

Register or immediate constant

r/m/#n

Register, memory, or immediate constant

cc

A condition code listed in the preceding Conditions section.

T

"B", "W", or "D" (byte, word or dword)

accT

Size T accumulator: al if T = "B", ax if T = "W", or eax if T = "D"

Addressing Modes

There are several different addressing modes, but they all take the form T ptr [expr], where T is some data type (see the preceding Data Types section) andexpr is some expression involving constants and registers.

The notation for most modes can be deduced without much difficulty. For example,BYTE PTR [esi+edx*8+3] means "take the value of the esi register, add to it eight times the value of theedx register, add three, then access the byte at the resulting address."

Pipelining

The Pentium is dual-issue, which means that it can perform up to two actions in one clock tick. However, the rules on when it is capable of doing two actions at once (known aspairing) are very complicated.

Because x86 is a CISC processor, you do not have to worry about jump delay slots.

Synchronized Memory Access

Load, modify, and store instructions can receive a lock prefix, which modifies the instruction as follows:

1. Before issuing the instruction, the CPU will flush all pending memory operations to ensure coherency. All data prefetches are abandoned.

2. While issuing the instruction, the CPU will have exclusive access to the bus. This ensures the atomicity of the load/modify/store operation.

The xchg instruction automatically obeys the previous rules whenever it exchanges  a value with memory.

All other instructions default to nonlocking.

Jump Prediction

Unconditional jumps are predicted to be taken.

Conditional jumps are predicted to be taken or not taken, depending on whether they were taken the last time they were executed. The cache for recording jump history is limited in size.

If the CPU does not have a record of whether the conditional jump was taken or not taken the last time it was executed, it predicts backward conditional jumps as taken and forward conditional jumps as not taken.

Alignment

The x86 processor will automatically correct unaligned memory access, at a performance penalty. No exception is raised.

A memory access is considered aligned if the address is an integer multiple of the object size. For example, all BYTE accesses are aligned (everything is an integer multiple of 1), WORD accesses to even addresses are aligned, and DWORD addresses must be a multiple of 4 in order to be aligned.

The lock prefix should not be used for unaligned memory accesses.

Send comments about this topic to Microsoft

Build date: 2/14/2012

http://msdn.microsoft.com/en-us/library/ff561502(v=vs.85).aspx