[asm]lab4

Assembly Language (Lab 4)

AgendaBasic InstructionsStatus FlagsAddressing ModesBranching (Unconditional & Conditional)LoopCompare Operands

General Instruction FormatLet’s remember …

General Instruction Format

Because the number of operands may vary, we can further subdivide the formats to have zero, one, two, or three operands. Here, we omit the label and comment fields for clarity:

mnemonic

mnemonic [destination]

mnemonic [destination], [source]

mnemonic [destination], [source-1], [source-2]

[label:] mnemonic [operands][ ; comment ]

General Instruction FormatTo give added flexibility to the instruction set, x86

assembly language uses different types of instruction operands.

The following are the easiest to use:1. Immediate uses a numeric literal expression.2. Register uses a named register in the CPU.3. Memory references a memory location.

Hexadecimal Quirks A hexadecimal constant beginning with a letter must

have a leading zero to prevent the assembler from interpreting it as an identifier.

Hexval WORD E123h ;Error: assembler thinks ;E123h is a label

Hexval WORD 0E123h ;correct: as labels never ;starts with number

Data Transfer Instruction MOV sisters :D

Zero Extension of IntegersMOVZX InstructionThe MOVZX instruction (move with zero-extend) copies

the contents of a source operand into a destination operand and zero-extends the value to 16 or 32 bits.

MOVZX dest, source

10001111

00000000 10001111

source

dest

Zero Extension of IntegersMOVZX InstructionIt is only used with unsigned integers.There are three variants:

1. MOVZX reg32, reg/mem82. MOVZX reg32, reg/mem163. MOVZX reg16, reg/mem8

Zero Extension of IntegersMOVZX Instruction

Example

.databyteVal BYTE 10001111b

.codemovzx ax, byteVal ; AX = 0000000010001111b

What Are Registers’ Values?

INCLUDE Irvine32.inc.codemain PROC

mov bx, 0A69Bhmovzx eax, bxmovzx edx, blmovzx cx, bl

exitmain ENDPEND main

BX = A69BhEAX = 0000A69BhEDX = 0000009BhCX = 009Bh

Exercise (1)

Sign Extension of IntegersMOVSX InstructionThe MOVSX instruction (move with sign-extend) copies

the contents of a source operand into a destination operand and sign-extends the value to 16 or 32 bits.

MOVSX dest, source

10001111

11111111 10001111

source

dest

Sign Extension of IntegersMOVSX Instruction

It is only used with signed integers.There are three variants:

1. MOVSX reg32, reg/mem82. MOVSX reg32, reg/mem163. MOVSX reg16, reg/mem8

Sign Extension of IntegersMOVSX Instruction

Example

.databyteVal BYTE 10001111b

.codemovsx ax, byteVal ; AX =

1111111110001111b

What Are Registers’ Values? Exercise (2)


mov bx, 0A69Bhmovsx eax, bxmovsx edx, blmov bl, 7Bhmovsx cx, bl


BX = A69BhEAX = FFFFA69BhEDX = FFFFFF9BhBL = 7BhCX = 007Bh

XCHG InstructionThe XCHG (exchange data) instruction exchanges the

contents of two operands.There are three variants:

1. XCHG reg, reg2. XCHG reg, mem3. XCHG mem, reg

XCHG dest, source

Very fast built in Swap()

XCHG Instruction

Examples

• xchg ax, bx ;exchange 16-bit registers• xchg ah, al ;exchange 8-bit registers• xchg var1, bx ;exchange 16-bit memory

operand with BX• xchg eax, ebx ;exchange 32-bit registers

What Are Registers’ Values? Exercise (3)

INCLUDE Irvine32.inc.data

val1 WORD 1000hval2 WORD 2000h

.codemain PROC

mov ax, val1xchg ax, val2mov val1, ax


AX = 1000hAX = 2000h, val2 = 1000hval1 = 2000h

Direct-Offset OperandsAdding a displacement to the name of a variable

(creating a direct-offset operand) is useful when it is needed to access memory locations that may not have explicit label. (ARRAYS!!)

.dataarrayB BYTE 10h, 20h , 30h, 40h, 50h.codemov al, arrayB ;AL = 10hmov al, [arrayB + 1] ;AL = 20hmov al, [arrayB + 2] ;AL = 30h

Adding 1 to the off`set of arrayB

Adding 2 to the offset of

arrayB

Direct-Offset Operands

arrayB + 1 Effective Address

[arrayB + 1]Dereferencing the

expression to obtain the contents of memory at the

address

mov al, arrayB + 1

mov al, [arrayB + 1]

The brackets are notrequired by MASM, so these statements

are equivalent

Direct-Offset OperandsRange CheckingMASM has no built-in range checking for effective

addresses.If we execute the following statement, the assembler just

retrieves a byte of memory outside the array.

mov al, [arrayB + 20]In other words

there is no index out of

range exception :D

What Are AL’ Values? Exercise (4)


arrayB BYTE 10h, 20h, 30h, 40h, 50h.codemain PROC

mov al, arrayBmov al, [arrayB + 1]mov al, arrayB + 2


AL = 10hAL = 20hAL = 30h


WORD ArraysIn an array of 16-bit words, the offset of each array

element is 2 bytes beyond the previous one.

What are the AX’s values?


arrayW WORD 1000h, 2000h, 3000h.codemain PROC

mov ax, arrayWmov ax, [arrayW + 2]


AX = 1000hAX = 2000h

Adding 2 to the offset of arrayW

to access the second element

Exercise (5)


DWORD ArraysIn an array of 32-bit words, the offset of each array

element is 4 bytes beyond the previous one.

What are the EAX’s values?


arrayD DWORD 10000000h, 20000000h.codemain PROC

mov eax, arrayDmov eax, [arrayD + 4]


EAX = 10000000hEAX = 20000000h

Adding 4 to the offset of arrayD

to access the second element

Exercise (6)

Here is a trick !!What about this?

INCLUDE Irvine32.inc.dataarrayD WORD 1011h, 2022h.codemain PROCmovzx eax, arrayDmovzx eax, [arrayD + 1]exitmain ENDPEND main

100 • 11

102 • 10

103 • 22

104 • 20

Little Indian

AX = 1011hAX = 2210h

Addition and SubtractionRevision and new instructions

Addition and SubtractionADD InstructionThe ADD instruction adds a source operand to a

destination operand of the same size.The set of possible operands is the same as for the MOV

instructions.

ExamplesADD dest, source

• add eax, 4 ; eax = eax + 4• add al, ah ; al = al + ah

Addition and SubtractionSUB InstructionThe SUB instruction subtracts a source operand from a

destination operand.The set of possible operands is the same as for the ADD

and MOV instructions.

ExamplesSUB dest, source

• sub ebx, 3 ; ebx = ebx – 3

Addition and Subtraction

INC and DEC InstructionsThe INC (increment) and DEC (decrement) instructions,

respectively, add 1 and subtract 1 from a single operand.The syntax is:

INC reg/mem

DEC reg/mem

NEW

Addition and SubtractionINC and DEC Instructions

Examples

.datamyWord WORD 1000h

.codeinc myWordmov bx, myWorddec bx

myWord = 1001h BX = 1001hBX = 1000h

Addition and Subtraction

NEG InstructionThe NEG (negate) instruction reverses the sign of a

number by converting the number to its two’s complement.

The following operands are permitted:

NEG reg/mem

NEW

Hands OnWrite the code that implements the following arithmetic

expression:Rval = - Xval + (Yval - Zval)

where Xval = 26, Yval = 30, and Zval = 40

QuestionData types will be Signed or

Un?

Hands Onexpression:

Rval = - Xval + (Yval - Zval)

where Xval = 26, Yval = 30, and Zval

= 40


Rval SDWORD ?Xval SDWORD 26Yval SDWORD 30Zval SDWORD 40

.codemain PROC

mov eax, Xvalneg eaxmov ebx, Yvalsub ebx, Zvaladd eax, ebxmov Rval, eax


Status Flags

Zero

Sign

CarryAuxiliary Carry

Overflow

Flags Affected by Addition and SubtractionWhen executing arithmetic instructions, we often want to

know something about the result.

Is it negative, positive, or zero? Is it too large or too small to fit into the destination operand?

Answers to such questions can help us detect calculation errors that might otherwise cause erratic program behavior

Flags Affected by Addition and Subtraction

We use the values of CPU status flags to check the outcome of arithmetic operations.

We also use status flag values to activate conditional branching instructions, the basic tools of program logic

Flags Affected by Addition and Subtraction

Imagine This

High level language

If(x –y == 0){

Do something;}Else{

Do another;}

Assembly Like

If ZERO Flag == 1GOTO LabelName1

//this will be the else part

LabelName1

So, YesFlags

Controlsbranching

Zero FlagThe Zero Flag (ZF) indicates that an operation produced

zero.

For example, if an operand is subtracted from another of equal value, the Zero flag is set.


mov ecx, 1sub ecx, 1

; ECX = 0, ZF = 1mov eax, 0FFFFFFFFhinc eax

; EAX = 0, ZF = 1inc eax

; EAX = 1, ZF = 0dec eax

; EAX = 0, ZF = 1exitmain ENDPEND main

Zero Flag

Carry FlagThe Carry Flag (CF) indicates unsigned integer overflow.

For example, if an instruction has an 8-bit destination operand but the instruction generates a result larger than 11111111 binary, the Carry flag is set.

Carry Flag – Addition CaseWhen adding two unsigned integers, the Carry flag is a

copy of the carry out of the MSB of the destination operand.

11111111

CF

00000001

000000001

We can say CF = 1 when the sum exceeds the storage size of its destination operand


mov al, 0FFhadd al, 1

; AL = 00, CF = 1mov ax, 00FFhadd ax, 1

; AX = 0100h, CF = 0

mov ax, 0FFFFhadd ax, 1

; AX = 0000, CF = 1exitmain ENDPEND main

Carry Flag – Addition Case

• A subtract operation sets the Carry flag when a larger unsigned integer is subtracted from a smaller one.

Carry Flag – Subtraction

00000001 1

CF

00000010 2

11111111 FFh1

00000001 1

11111110 -2

The carry out ofbit 7 is inverted and placed in the Carry

flag, so CF = 1

Carry Flag – Subtraction


mov al, 1sub al, 2

; AL = FFh, CF = 1exitmain ENDPEND main

Carry Flag Quirks

1. The INC and DEC instructions do not affect the Carry flag.

2. Applying the NEG instruction to a nonzero operand always sets the Carry flag.

Auxiliary Carry FlagThe Auxiliary Carry Flag (AC) is set when a 1 bit carries

out of position 3 in the least significant byte of the destination operand.

It is primarily used in binary coded decimal (BCD) arithmetic, but can be used in other contexts.

AC 00010000 10h1

00000001 1

00001111 0FhThe sum (10h)

contains a 1 in bit position 4 that was carried out of bit

position 3


mov al, 0Fhadd al, 1

; AC = 1exitmain ENDPEND main

Auxiliary Carry Flag

Parity Flag

The Parity Flag (PF) is set when the least significant byte of the destination has an even number of 1 bits, immediately after an arithmetic or boolean instruction has executed.


mov al, 10001100badd al, 00000010b

; AL = 10001110, PF = 1

sub al, 10000000b; AL = 00001110,

PF = 0exitmain ENDPEND main

After the ADD, AL contains binary 10001110 (four 0 bits and four 1

bits), and PF = 1

After the SUB, AL contains binary

00001110 (five 0 bits and three 1 bits),

and PF = 0

Parity Flag

• The Sign Flag (SF) indicates that an operation produced a negative result.

• It is set when the result of a signed arithmetic operation is negative.

• In other words, if the most significant bit (MSB) of the destination operand is set, the Sign flag is set.

Sign Flag


mov eax, 4sub eax, 5

; EAX = -1, SF = 1mov bl, 1

; BL = 01hsub bl, 2

; BL = FFh, SF = 1exitmain ENDPEND main

the Sign flag is a copy of the destination operand’s high bit

Sign Flag

• The Overflow Flag (OF) indicates signed integer overflow.

• It is set when the result of a signed arithmetic operation overflows or underflows the destination operand.

Overflow Flag

mov al, +127add al, 1 ; OF = 1

mov al, -128sub al, 1 ; OF = 1

• For example, the largest possible integer signed byte value is +127; adding 1 to it causes overflow, as the destination operand value does not hold a valid arithmetic result, and the Overflow flag is set:

• Similarly, the smallest possible negative integer byte value is -128. Subtracting 1 from it causes underflow, and the Overflow flag is set:

Overflow Flag

• How the Hardware Detects Overflow?!• The CPU uses an interesting mechanism to

determine the state of the Overflow flag after an addition or subtraction operation.

• The Carry flag is exclusive ORed with the high bit of the result. The resulting value is placed in the Overflow flag.

• OF = CF XOR (high bit of the result)

Overflow Flag – Overflow Detection56

• We show that adding the 8-bit binary integers 10000000 and 11111111 produces :

• 01111111 and CF = 1 so the resulting MSB = 0. In other words, 1 XOR 0 produces OF = 1.

CF 011111111

10000000

11111111

OF = CF XOR high bit of result= 1 XOR 0= 1

Overflow Flag – Overflow Detection

• The NEG instruction produces an invalid result if the destination operand cannot be stored correctly.

• For example, if we move -128 to AL and try to negate it, the correct value +128 will not fit into AL. The Overflow flag is set, indicating that AL contains an invalid value:

• On the other hand, if 127 is negated, the result is valid and the Overflow flag is clear:

Overflow Flag – Overflow Detection

mov al, -128 ; AL = 10000000bneg al ; AL = 10000000b, OF = 1

mov al, +127 ; AL = 01111111bneg al ; AL = 10000001b, OF = 0

Addressing Modes

Addressing ModesThe instruction operands can reside whether in a register

or in memory.

There are a number of methods that allow accessing operands.

These methods are called addressing. How can the instruction get the

value of its operands?

Addressing Modes

Types

Register Addressin

g

Immediate Addressin

g

Direct Memory

Addressing

In-Direct Memory

Addressing

Direct Offset

Addressing

1.Register Addressing

Using register names

MOV AX, BX

2. Immediate Addressing

Immediate Addressing (source operand only) by specifying the operand value in the instruction itself.

MOV EAX, 23

3. Direct Memory Addressing

Using the variable names

MOV AX, X

4. Indirect Memory Addressing

Using register value as the operand address (not the operand value).

Registers can be used to reference memory items by their addresses.

Register value is considered to be the offset address.


100 Main Memory

EBX

MOV EAX, [EBX]


100 Main Memory

EBX

103MOV ECX, [EBX + 3]

Base Displacement Addressing


100 Main Memory

EBX

150MOV ECX, [EBX + ESI]

Base‐Index Addressing

50ESI


100 Main Memory

EBX

154MOV ECX, [EBX + ESI + 4]

Base‐Index with Displacement Addressing

50ESI

5. Direct Offset Addressing

It is similar to accessing items in an array, but the number used represents the number of bytes, not the index of the items.

MOV CL, byteArr[2]MOV CL, [byteArr + 2]MOV CL, byteArr + 2

The instruction copies the byte that

is distanced two bytes from byteArr

to CL

JMP and LOOP Instruction

Let’s change the sequence of the program and make use of flags…

Conditional InstructionsBy default, the CPU loads and executes programs

sequentially.But the current instruction might be conditional,

meaning that it transfers control to a new location in the program based on the values of CPU status flags (Zero, Sign, Carry, etc.).

A transfer of control (jump), or branch, is a

way of altering the order in which

statements are executed

Assembly language programs use conditional instructions to implement high-level statements such as IF statements and loops

JMPThe JMP instruction causes an unconditional transfer to a

destination, identified by a code label that is translated by the assembler into an offset (address).

When the CPU executes an unconditional transfer, the offset of destination is moved into the instruction pointer (EIP), causing execution to continue at the new location.

JMP destination

JMPJumps may be short (between –128 and +127 bytes),

near (between –32,768 and +32,767 bytes from the instruction following the jump), or far (in a different code segment).

When the 80386+ processors are in FLAT memory model, short jumps range is from –128 to +127 bytes and near jumps range is from –2 to +2 gigabytes.

JMP ExampleComment on this

program …INCLUDE Irvine32.inc

.data

.code main PROCL1:

call DumpRegsjmp L1;go to L1 line of code

exit main ENDP END main

LOOP The LOOP instruction, formally known as Loop According

to ECX Counter, repeats a block of statements a specific number of times.

ECX is automatically used as a counter and is decremented each time the loop repeats.

So expected before using any LOOP inst. We have to set the ECX to a specific value

LOOP destination

LOOP

The execution of the LOOP instruction involves two steps:

It subtracts 1 from ECX

It compares ECX to zero

If ECX is not equal to zero, a jump is taken to the label

identified by destination

If ECX equals zero, no jump takes place, and control passes to

the instruction following the loop

Tracing


mov ax, 0mov ecx, 5

L1:inc axloop Ll


AX = 0ECX = 5

AX = 1ECX = 4

AX = 2ECX = 3

AX = 3ECX = 2

AX = 4ECX = 1

AX = 5ECX = 0

Tracing Quirks …


mov ax, 0mov ecx, 0

L1:inc axloop Ll


AX = 0ECX = 0

AX = 1ECX = FFFFFFFFh

AX = 2ECX = FFFFFFFEh

The loop repeats4,294,967,296

times

If CX is the loop counter (in real-address mode), it repeats 65,536 times

…

Example: Sum of Int ArrayThis example calculates the summation of an array. It first

gets the offset of the array and stores it in ESI register. Then, initialize ECX by the length of the array. Within the loop, it accumulates the current element of the array then slides ESI to point to the next element of the array and so on till the ECX becomes zero.

.dataArr1DWORD10, 20, 30, 40, 50sum_val DWORD?

.codemain PROC

mov esi, offset Arr1;put array address in esimov eax, 0;initialize eax by zero for temp summov ecx, 5;initialize ecx (loop counter) ;by array sizesum_loop:add eax, DWORD PTR [esi]add esi, 4;increment esi pointer by 4 ;(size of array element) loop sum_loop ;ECX decremented implicitly by LOOP instruction

call writeint ;output the sum (which already stored in EAX)mov sum_val, eaxcall CrLf

Here is a Trick!!What is the difference between

mov esi, offset Arr1 mov esi, Arr1VS

Mov the Address

Mov the 1st value

Notes PTR is an operator that overrides the size of an operand. It is always preceded

by a Type (BYTE, WORD, DWORD…etc). In the instruction add eax, DWORD PTR [esi], you can remove DWORD PTR as the assembler will assume a default size equals to the size of the second operand which in this case DWORD. If ax is used instead of eax, WORD size will be assumed and so on.

Writeint function is a function defined in Irvine library. It prints a signed integer stored in EAX on the screen.

LENGTHOF operator retrieves the length of an array. For example, the instruction mov ECX, LENGTHOF Arr1 gets the length of Arr1 array and stores it in ECX.

TYPE operator retrieves the number of bytes allocated for each item in the given array. For example, the instruction add esi, TYPE Arr1 adds 4 to esi if Arr1 is DWORD array, adds 2 if Arr1 is WORD array and adds 1 if Arr1 is BYTE array

CMP InstructionThe CMP instruction compares the destination operand

to the source operand.It performs an implied subtraction of a source operand

from a destination operand. Neither operand is modified.CMP is a valuable tool for creating conditional logic

structures.

CMP destination, Source

CMP ConditionsThe following restrictions on CMP instruction should be

considered:

1. All combinations of operands are allowed except CMP mem, mem. It is not accepted.

2. Can't compare two segment registers. 3. Can't compare operands with different sizes.

CMP InstructionWhen two unsigned operands are compared, the Zero

and Carry flags indicate the following relations between operands.

CMP Results ZF CFDestination < source 0 1

Destination > source 0 0

Destination = source 1 0

CMP Instruction Examples

mov ax, 5cmp ax, 10

ZF = 0, CF = 1

mov ax, 1000mov cx, 1000cmp cx, ax

mov si, 105cmp si, 0

ZF = 1, CF = 0

ZF = 0, CF = 0

CMP InstructionWhen two signed operands are compared, the Sign, Zero

and Overflow flags indicate the following relations between operands.

CMP Results FlagsDestination < source SF ≠ OF

Destination > source SF = OF

Destination = source ZF = 1

Conditional JMP

Two Steps are involved in executing a conditional statement

Comparison Jump

An operation such as CMP, AND or SUB modifies the CPU

status flags

Conditional jump instruction tests the flags and causes a branch to a new

address

Conditional Jump InstructionsA conditional jump instruction branches to a destination

label when a status flag condition is true.

If the flag condition is false, the instruction immediately following the conditional jump is executed. (Skipped)

Jxxx destination

Conditional Jump Instructionsxxx expresses the relation tested.The following table shows the conditional Jump

instructions.

Jxxx destination

Relation For Unsigned Data For Signed DataEqual/Zero JE/JZ

Not Equal/ Not Zero JNE/ JNZ

Above/ Greater JA/JNBE JG/JNLE

Above or Equal/Greater or Equal

JAE/JNB JGE/JNL

Below/ Less JB/JNAE JL/JNGE

Below or Equal/Less or Equal

JBE/JNA JLE/JNG

Example, 2 Var RelationThis example accepts two integers from the user and

prints the relation between those integers: greater, less, or equal.

INCLUDE Irvine32.inc

.datastrgreater byte "X is above than Y", 0strless byte "X is below than Y", 0 strequal byte "X is equal to Y", 0

x dword ?y dword ?

.codemain PROC ;An Irvine function that reads an 32-bit unsigned

call ReadDec ;decimal integer from user and stores it in EAXmov x, eax ;save entered data to X.

call ReadDecmov y, eax

cmp x, eax ;eax still has the y value

ja above ;Assume unsigned data. use JA and JB (Not JG and JL)jb belowje equal

above:mov edx, offset strgreater ;handle above case call writestringjmp next

below:mov edx, offset strless ;handle below case call writestringjmp next

equal:mov edx, offset strequal ;handle equal case call writestringjmp next

next:;An Irvine function that prints new linecall writestringcall CrLfexit

main ENDPEND main

NotesReadInt function is a function defined in Irvine library. It

reads a 32 bit ‐ signed decimal integer from the user and stores it in EAX Register, stopping when the Enter key is pressed, leading spaces are ignored, and an optional leading + or sign is permitted. ReadInt will display an ‐error message, set the Overflow flag, and reset EAX to zero if the value entered cannot be represented as a 32‐bit signed integer. If you need to store the entered value in a variable, you need to move it from EAX to this variable.

ReadDec is the same for Unsigned

NotesWritestring function is a function defined in Irvine library.

It prints a string constant to which the EDX register points. The string must be null terminated (ends with a ‐byte contains 0). This explains why string variables are appended by 0 at its initializer.

OFFSET reserved word is an operator that retrieves the offset address of the given variable.

Questions?!

Thanks!

[asm]lab4

Education