x86 Architecture
The Intel x86 processor uses complex instruction set computer (CISC) architecture, which means there is a modest number of special-purpose registers instead of large quantities of general-purpose registers. It also means that complex special-purpose instructions will predominate.
The x86 processor traces its heritage at least as far back as the 8-bit Intel 8080 processor. Many peculiarities in the x86 instruction set are due to the backward compatibility with that processor (and with its Zilog Z-80 variant).
Microsoft Win32 uses the x86 processor in 32-bit flat mode. This documentation will focus only on the flat mode.
Registers
The x86 architecture consists of the following unprivileged integer registers.
eax |
Accumulator |
ebx |
Base register |
ecx |
Counter register |
edx |
Data register - can be used for I/O port access and arithmetic functions |
esi |
Source index register |
edi |
Destination index register |
ebp |
Base pointer register |
esp |
Stack pointer |
All integer registers are 32 bit. However, many of them have 16-bit or 8-bit subregisters.
ax |
Low 16 bits of eax |
bx |
Low 16 bits of ebx |
cx |
Low 16 bits of ecx |
dx |
Low 16 bits of edx |
si |
Low 16 bits of esi |
di |
Low 16 bits of edi |
bp |
Low 16 bits of ebp |
sp |
Low 16 bits of esp |
al |
Low 8 bits of eax |
ah |
High 8 bits of ax |
bl |
Low 8 bits of ebx |
bh |
High 8 bits of bx |
cl |
Low 8 bits of ecx |
ch |
High 8 bits of cx |
dl |
Low 8 bits of edx |
dh |
High 8 bits of dx |
Operating on a subregister affects only the subregister and none of the parts outside the subregister. For example, storing to the ax register leaves the high 16 bits of the eax register unchanged.
When using the ? (Evaluate Expression) command, registers should be prefixed with an "at" sign ( @ ). For example, you should use ? @ax rather than ? ax. This ensures that the debugger recognizes ax as a register rather than a symbol.
However, the (@) is not required in the r (Registers) command. For instance, r ax=5 will always be interpreted correctly.
Two other registers are important for the processor's current state.
eip |
instruction pointer |
flags |
flags |
The instruction pointer is the address of the instruction being executed.
The flags register is a collection of single-bit flags. Many instructions alter the flags to describe the result of the instruction. These flags can then be tested by conditional jump instructions. See x86 Flags for details.
Calling Conventions
The x86 architecture has several different calling conventions. Fortunately, they all follow the same register preservation and function return rules:
Functions must preserve all registers, except for eax, ecx, and edx, which can be changed across a function call, and esp, which must be updated according to the calling convention.
The eax register receives function return values if the result is 32 bits or smaller. If the result is 64 bits, then the result is stored in the edx:eax pair.
The following is a list of calling conventions used on the x86 architecture:
Win32 (__stdcall)
Function parameters are passed on the stack, pushed right to left, and the callee cleans the stack.
Native C++ method call (also known as thiscall)
Function parameters are passed on the stack, pushed right to left, the "this" pointer is passed in the ecx register, and the callee cleans the stack.
COM (__stdcall for C++ method calls)
Function parameters are passed on the stack, pushed right to left, then the "this" pointer is pushed on the stack, and then the function is called. The callee cleans the stack.
__fastcall
The first two DWORD-or-smaller arguments are passed in the ecx and edx registers. The remaining parameters are passed on the stack, pushed right to left. The callee cleans the stack.
__cdecl
Function parameters are passed on the stack, pushed right to left, and the caller cleans the stack. The __cdecl calling convention is used for all functions with variable-length parameters.
Debugger Display of Registers and Flags
Here is a sample debugger register display:
eax=00000000 ebx=008b6f00 ecx=01010101 edx=ffffffff esi=00000000 edi=00465000
eip=77f9d022 esp=05cffc48 ebp=05cffc54 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000286
In user-mode debugging, you can ignore the iopl and the entire last line of the debugger display.
x86 Flags
In the preceding example, the two-letter codes at the end of the second line are flags. These are single-bit registers and have a variety of uses.
The following table lists the x86 flags:
| Flag Code | Flag Name | Value | Flag Status | Description |
|---|---|---|---|---|
| of | Overflow Flag | 0 1 | nvov | No overflow - Overflow |
| df | Direction Flag | 0 1 | updn | Direction up - Direction down |
| if | Interrupt Flag | 0 1 | diei | Interrupts disabled - Interrupts enabled |
| sf | Sign Flag | 0 1 | plng | Positive (or zero) - Negative |
| zf | Zero Flag | 0 1 | nzzr | Nonzero - Zero |
| af | Auxiliary Carry Flag | 0 1 | naac | No auxiliary carry - Auxiliary carry |
| pf | Parity Flag | 0 1 | pepo | Parity odd - Parity even |
| cf | Carry Flag | 0 1 | nccy | No carry - Carry |
| tf | Trap Flag | If tf equals 1, the processor will raise a STATUS_SINGLE_STEP exception after the execution of one instruction. This flag is used by a debugger to implement single-step tracing. It should not be used by other applications. | ||
| iopl | I/O Privilege Level | I/O Privilege Level This is a two-bit integer, with values between zero and 3. It is used by the operating system to control access to hardware. It should not be used by applications. |
When registers are displayed as a result of some command in the Debugger Command window, it is the flag status that is displayed. However, if you want to change a flag using the r (Registers) command, you should refer to it by the flag code.
In the Registers window of WinDbg, the flag code is used to view or alter flags. The flag status is not supported.
Here is an example. In the preceding register display, the flag status ng appears. This means that the sign flag is currently set to 1. To change this, use the following command:
r sf=0
This sets the sign flag to zero. If you do another register display, the ng status code will not appear. Instead, the pl status code will be displayed.
The Sign Flag, Zero Flag, and Carry Flag are the most commonly-used flags.
Conditions
A condition describes the state of one or more flags. All conditional operations on the x86 are expressed in terms of conditions.
The assembler uses a one or two letter abbreviation to represent a condition. A condition can be represented by multiple abbreviations. For example, AE ("above or equal") is the same condition as NB ("not below"). The following table lists some common conditions and their meaning.
| Condition Name | Flags | Meaning |
|---|---|---|
Z |
ZF=1 |
Result of last operation was zero. |
NZ |
ZF=0 |
Result of last operation was not zero. |
C |
CF=1 |
Last operation required a carry or borrow. (For unsigned integers, this indicates overflow.) |
NC |
CF=0 |
Last operation did not require a carry or borrow. (For unsigned integers, this indicates overflow.) |
S |
SF=1 |
Result of last operation has its high bit set. |
NS |
SF=0 |
Result of last operation has its high bit clear. |
O |
OF=1 |
When treated as a signed integer operation, the last operation caused an overflow or underflow. |
NO |
OF=0 |
When treated as signed integer operation, the last operation did not cause an overflow or underflow. |
Conditions can also be used to compare two values. The cmp instruction compares its two operands, and then sets flags as if subtracted one operand from the other. The following conditions can be used to check the result of cmp value1, value2.
| Condition Name | Flags | Meaning after a CMP operation. |
|---|---|---|
E |
ZF=1 |
value1 == value2. |
NE |
ZF=0 |
value1 != value2. |
| GE NL | SF=OF |
value1 >= value2. Values are treated as signed integers. |
| LE NG | ZF=1 or SF!=OF |
value1 <= value2. Values are treated as signed integers. |
| G NLE | ZF=0 and SF=OF |
value1 > value2. Values are treated as signed integers. |
| L NGE | SF!=OF |
value1 < value2. Values are treated as signed integers. |
| AE NB | CF=0 |
value1 >= value2. Values are treated as unsigned integers. |
| BE NA | CF=1 or ZF=1 |
value1 <= value2. Values are treated as unsigned integers. |
| A NBE | CF=0 and ZF=0 |
value1 > value2. Values are treated as unsigned integers. |
| B NAE | CF=1 |
value1 < value2. Values are treated as unsigned integers. |
Conditions are typically used to act on the result of a cmp or test instruction. For example,
cmp eax, 5
jz equal
compares the eax register against the number 5 by computing the expression (eax - 5) and setting flags according to the result. If the result of the subtraction is zero, then the zr flag will be set, and the jz condition will be true so the jump will be taken.
Data Types
byte: 8 bits
word: 16 bits
dword: 32 bits
qword: 64 bits (includes floating-point doubles)
tword: 80 bits (includes floating-point extended doubles)
oword: 128 bits
Notation
The following table indicates the notation used to describe assembly language instructions.
| Notation | Meaning |
|---|---|
r, r1, r2... |
Registers |
m |
Memory address (see the succeeding Addressing Modes section for more information.) |
#n |
Immediate constant |
r/m |
Register or memory |
r/#n |
Register or immediate constant |
r/m/#n |
Register, memory, or immediate constant |
cc |
A condition code listed in the preceding Conditions section. |
T |
"B", "W", or "D" (byte, word or dword) |
accT |
Size T accumulator: al if T = "B", ax if T = "W", or eax if T = "D" |
Addressing Modes
There are several different addressing modes, but they all take the form T ptr [expr], where T is some data type (see the preceding Data Types section) and expr is some expression involving constants and registers.
The notation for most modes can be deduced without much difficulty. For example, BYTE PTR [esi+edx*8+3] means "take the value of the esi register, add to it eight times the value of the edx register, add three, then access the byte at the resulting address."
Pipelining
The Pentium is dual-issue, which means that it can perform up to two actions in one clock tick. However, the rules on when it is capable of doing two actions at once (known as pairing) are very complicated.
Because x86 is a CISC processor, you do not have to worry about jump delay slots.
Synchronized Memory Access
Load, modify, and store instructions can receive a lock prefix, which modifies the instruction as follows:
Before issuing the instruction, the CPU will flush all pending memory operations to ensure coherency. All data prefetches are abandoned.
While issuing the instruction, the CPU will have exclusive access to the bus. This ensures the atomicity of the load/modify/store operation.
The xchg instruction automatically obeys the previous rules whenever it exchanges a value with memory.
All other instructions default to nonlocking.
Jump Prediction
Unconditional jumps are predicted to be taken.
Conditional jumps are predicted to be taken or not taken, depending on whether they were taken the last time they were executed. The cache for recording jump history is limited in size.
If the CPU does not have a record of whether the conditional jump was taken or not taken the last time it was executed, it predicts backward conditional jumps as taken and forward conditional jumps as not taken.
Alignment
The x86 processor will automatically correct unaligned memory access, at a performance penalty. No exception is raised.
A memory access is considered aligned if the address is an integer multiple of the object size. For example, all BYTE accesses are aligned (everything is an integer multiple of 1), WORD accesses to even addresses are aligned, and DWORD addresses must be a multiple of 4 in order to be aligned.
The lock prefix should not be used for unaligned memory accesses.