The Y86 architecture has 8 32-bit registers, 3 condition codes (ZF, SF, OF), a program counter (PC), and up to 4GB of memory. It supports normal, register, and displacement addressing modes. Instructions include arithmetic, logical operations, jumps, calls, returns, and memory load/store. The execution cycle fetches, decodes, executes, and updates the PC for each instruction. Condition codes track the results of arithmetic operations for conditional jumps.

1. CSE 2421
Autumn 2013
S. Preston

2. Y86 programmer-visible state
• The Y86 has:
•
•
•
•
•
8 32-bit registers with the same names as the IA32 32-bit
registers
3 condition codes: ZF, SF, OF
•
no carry flag - interpret integers as signed
a program counter (PC)
•
Holds the address of the instruction currently being executed
a program status byte: AOK, HLT, ADR, INS
•
State of program execution
memory: up to 4 GB to hold program and data (4096 =
2^12)
RF: Program registers
%eax
%esi
%ecx
%edi
%edx
%esp
%ebx
CC: Condition
codes
Stat: Program Status
%ebp
ZF SF OF
DMEM: Memory
PC
2

3. Condition Codes
• 3 condition codes in y86
• ZF – Set if the result of the last arithmetic
operation is 0
• SF – Set if the result of the last arithmetic
operation resulted in the sign bit being set
• OF – Set if the result of the last arithmetic
operation resulted in an overflow

4. Conditions
• FLAGS: Zero, Sign, Overflow
• Less or Equal
•
Z = 1, S = 1, O = X
•
Z = 0, S = 1, O = X
•
Z = 1, S = 0, O = X
•
Z = 0, S = X, O = X
•
Z = 1, S = 0, O = X
•
Z = 0, S = 0, O = X
• Less
• Equal
• Not Equal
• Greater or Equal
• Greater

5. Simple Addressing Modes
• Normal = (R) = Mem[Reg[R]]
• Register Reg specifies memory address
• denoted by a register in ( )
• Example
value
0x120
0x11
0x121
0x22
0x122
0x33
0x123
ecx = 0x00000120
addr
0x44
movl (%ecx),%eax
move the value that is at the address in ecx into
eax
Moves 0x11223344 into eax
5

6. Simple Addressing Modes
• Displacement = D(R) = Mem[Reg[R]+D]
• Register R specifies start of memory address
• Constant displacement D specifies offset
• In bytes
loads 0x33445566 into edx
value
0x120
0x11
0x121
0x22
0x122
0x33
0x123
0x44
0x124
• Denoted by displacement(register)
ebp = 0x120
movl 2(%ebp),%edx
move the value at ebp (0x120) + 2 into edx
addr
0x55
0x125
0x66
6

7. Y86 example program w/ loop
# y86loop.ys
.pos 0x0
irmovl $0,%eax
irmovl $1,%ecx
Loop:
addl %ecx,%eax
irmovl $1,%edx
addl %edx,%ecx
irmovl $1000,%edx
subl %ecx,%edx
jge Loop
halt
# sum = 0
# num = 1
CONVERT TO C
sum=0;
num = 1;
do {
sum += num;
num++;
}
while (1000 – num >= 0)
# sum += num
# tmp = 1
# num++
# lim = 1000
# if lim - num >= 0
# loop again
7

8. Y86 example program w/ loop
# y86loop.ys
.pos 0x0
irmovl $0,%eax
irmovl $1,%ecx
Loop:
addl %ecx,%eax
irmovl $1,%edx
addl %edx,%ecx
irmovl $1000,%edx
subl %ecx,%edx
jge Loop
halt
# sum = 0
# num = 1
CONVERT TO C
sum=0;
num = 1;
do {
sum += num;
num++;
}
while (1000 – num >= 0)
# sum += num
# tmp = 1
# num++
# lim = 1000
# if lim - num >= 0
# loop again
Why don’t we just do addl $1, %edx??
Cant! not allowed, only register to register
8

9. Y86 Stack
• Stack top address always held in
esp
• Stack grows towards lower
addresses
Stack “Top”
%esp
•
•
•
Stack “Bottom”
Increasing
Addresses

10. Y86 Stack - Push
• Pushing
• Decrement the stack register by 4
then store new data
(1)
addr
value
(2)
addr
value
0x11B
//(1)esp = 0x120
movl 0xFECA8712, %eax
push %eax
//(1)esp = 0x11C
0x11B
0x11C
0x11C 0x12
0x11D
0x11D 0x87
0x11E
0x11E
0xCA
0x11F
0x11F
0xFE
0x120
0x11
0x120
0x11
0x121
0x22
0x121
0x22
0x122
0x33
0x122
0x33

11. Y86 Stack - Pop
• Pushing
• Save new data on stack, Increment
the stack register by 4
(1)
addr
//(1) esp = 0x11C
pop eax
//(2) esp = 0x120
//eax = 0xFECA8712
value
(2)
addr
value
0x11B
0x11B
0x11C 0x12
0x11C
0x11D 0x87
0x11D
0x11E
0xCA
0x11E
0x11F
0xFE
0x11F
0x120
0x11
0x120
0x11
0x121
0x22
0x121
0x22
0x122
0x33
0x122
0x33

12. Stack Example 2
==PUSH==
subl $4, %esp
movl %ebp, (%esp)
==POP===
movl (%esp), %eax
addl $4, %esp

13. Y86 Instruction Set
13

15. Fetch Cycle

16. Executing  rmmovl
• Fetch
•
Read 6 bytes
•
Read operand
registers
• Decode
• Execute
•
Compute
effective address
• Memory
•
Write to memory
•
Do nothing
•
Increment PC by
6
• Write back
• PC Update
16

17. Executing  Arithmetic/Logical Ops
• Fetch
•
Read 2 bytes
•
Read operand
registers
• Decode
• Execute
•
•
Perform operation
Set condition codes
•
Do nothing
•
Update register
•
Increment PC by 2
• Memory
• Write back
• PC Update
17

18. Executing  popl
•
•
•
•
•
Fetch
•
Decode
•
Read stack pointer
Execute
•
Increment stack
pointer by 4
Memory
•
Read from old stack
pointer
Write back
•
•
•
Read 2 bytes
Update stack
pointer
Write result to
register
PC Update
•
Increment PC by 2
18

19. Jumps
•
•
•
•
•
•
Fetch
•
•
Read 5 bytes
Increment PC by 5
Decode
•
Do nothing
Execute
•
Determine whether to
take branch based on
jump condition and
condition codes
Memory
•
Do nothing
Write back
•
Do nothing
PC Update
•
Set PC to Dest if branch
taken or to incremented
PC if not branch
19

20. Executing  Call
•
•
•
•
•
•
Fetch
•
•
Read 5 bytes
Increment PC by 5
Decode
•
Read stack pointer
Execute
•
Decrement stack pointer
by 4
Memory
•
Write incremented PC to
new value of stack pointer
Write back
•
Update stack pointer
PC Update
•
Set PC to Dest
20

21. Executing  ret
•
•
•
•
•
•
Fetch
•
•
Read 1 bytes
Increment PC by 1
Decode
•
Read stack pointer
Execute
•
Decrement stack pointer
by 4
Memory
•
Write incremented PC to
new value of stack pointer
Write back
•
Update stack pointer
PC Update
•
Set PC to Dest
21

23. Instruction encoding practice
•
Determine the byte encoding of the following Y86 instruction
sequence given ―.pos 0x100‖ specifies the starting address of the
object code to be 0x100 (practice problem 4.1)
.pos 0x100 # start code at address 0x100
irmovl
$15, %ebx
#load 15 into %ebx
rrmovl
%ebx, %ecx
#copy 15 to %ecx
loop:
rmmovl
%ecx, -3(%ebx)#save %ecx at addr
15-3=12
addl %ebx, %ecx #increment %ecx by 15
jmp
loop
# goto loop
23

24. Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebx
rrmovl
%ebx, %ecx
rmmovl
%ecx, -3(%ebx)
loop:
addl %ebx, %ecx
jmp loop

25. Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebx
0x106: 2031
//rrmovl %ebx, %ecx
loop:
rmmovl
%ecx, -3(%ebx)
addl %ebx, %ecx
jmp loop

26. Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebx
0x106: 2031
//rrmovl %ebx, %ecx
loop:
0x108: 4013fdffffff //rmmovl %ecx, -3(%ebx)
addl %ebx, %ecx
jmp loop

27. Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebx
0x106: 2031
//rrmovl %ebx, %ecx
loop:
0x108: 4013fdffffff //rmmovl %ecx, -3(%ebx)
0x10e: 6031
//addl
%ebx, %ecx
jmp loop

28. Instruction encoding practice
0x100:
0x106:
loop:
0x108:
0x10e:
0x110:
30f30f000000 //irmovl $15, %ebx
2031
//rrmovl %ebx, %ecx
4013fdffffff //rmmovl %ecx, -3(%ebx)
6031
//addl
%ebx, %ecx
708010000
//jmp
loop

29. Instruction encoding practice (cont)
What about disassembling?
0x200: a06f80080200000030f30a00000090
0x400: 6113730004000000
29

30. Instruction encoding practice (cont)
What about disassembling?
0x200: a06f
push %esi
0x202: 80080200000030f30a00000090
0x400: 6113730004000000
30

31. Instruction encoding practice (cont)
What about disassembling?
0x200: a06f
0x202: 8008020000
0x208: 30f30a00000090
0x400: 6113730004000000
pop %esi
call 0x208
31

32. Instruction encoding practice (cont)
What about disassembling?
0x200: a06f
0x202: 800802000000
0x208: 30f30a000000
0x20F: 90
0x400: 6113730004000000
pop %esi
call 0x208
irmovl $a0, %ebx
32

33. Instruction encoding practice (cont)
What about disassembling?
0x200: a06f
0x202: 800802000000
0x208: 30f30a000000
0x20F: 90
0x400: 6113730004000000
pop %esi
call 0x208
irmovl $a0, %ebx
ret
33

34. Instruction encoding practice (cont)
What about disassembling?
0x200: a06f
0x202: 800802000000
0x208: 30f30a000000
0x20F: 90
0x400: 6113
0x402: 730004000000
pop %esi
call 0x208
irmovl $a0, %ebx
ret
subl %ecx, %ebx
34

35. Instruction encoding practice (cont)
What about disassembling?
0x200: a06f
0x202: 800802000000
0x208: 30f30a000000
0x20F: 90
0x400: 6113
0x402: 73004000000
pop %esi
call 0x208
irmovl $a0, %ebx
ret
subl %ecx, %ebx
je
0x400
35

36. Y86
int Sum(int *Start, int Count)
{
int sum = 0;
while (Count)
{
sum += *Start;
Start++;
Count--;
}
}
36

37. x86
• 8 32 bit registers
• General Purpose Registers
•
•
•
•
•
•
eax
ebx
ecx
edx
esi
edi
• Stack Register
• esp
• Base Register
• ebp

38. x86 - Registers

39. x86 Registers
•
•
•
•
•
•
eax, ebx, ecx, edx
Registers can be accessed in parts
Rrx – Referes to the 64 bit register
erx – Refers to 32 bit register
rx – Referes to the lower 16 bits of erx
rh – Refers to the top 8 bits of the rx bit
register
• rl – Refers to the lower 8 bits of the rx register

40. Condition Flags
• CF – Carry – Last arithmetic resulted in a
carry
• PF – Parity – Last arithmetic/logical operation
results in even parity (even number of 1’s)
• ZF – Zero – Last arithmetic/logical operation
resulted in a zero
• SF – Sign – Last arithmetic operation resulted
in the sign bit being set
• OF – Overflow – Last arithmetic resulted in an
overflow

41. Condition Flags
• AF – Adjust – Last arithmetic results in a carry
out of the lowest 4 bits (Used for BCD
arithmetic)
• TF – Trap – Enables CPU single step mode –
Used for debugging
• IF – Interrupt Enable – Enables cpu to handle
system interrupts
• DF – Direction – Sets the direction of string
processing from R->L

42. Verbiage
• Opcode operand1, operand2
• operand1 and/or operand2 are not always
required, depending on the opcode
• mov
eax, ebx
• Opcode – mov
• operand1 – eax
• operand2 - ebx

43. Operand Specifiers
• Source operand
• Constants, registers, or memory
• Destination operand
• Registers or memory
• Cannot do Memory-Memory transfer with a
single instruction
• 3 types of operands
• Immediate
• Register
• Memory
43

44. IA32 – Intel Architecture
• 32-bit address bus
•
•
normal physical address space of 4 GBytes (232 bytes)
addresses ranging continuously from 0 to 0xFFFFFFFF
• Data formats 
•
•
Primitive data types of C
Single letter suffix
•
•
denotes size of operand
No aggregate types
•
Arrays, structures
C Declaration
Suffix
Size
char
B
8 bits
short
W or S
16 bits
int
L
32 bits
* (pointer)
L
32 bits
float
S
32 bits
44

45. Addressing Modes
• An addressing mode is a mechanism for specifying an
address.
• Immediate
• Register
• Memory
•
•
•
•
Absolute
•
specify the address of the data
Indirect
•
use register to calculate address
Base + displacement
•
use register plus absolute address to calculate address
Indexed
•
•
Indexed
•
Add contents of an index register
Scaled index
•
Add contents of an index register scaled by a constant
45

46. Operand addressing example
Address Value
0x100
0xFF
0x104
0xAB
0x108
0x13
0x10C
0x11
Register
Value
ax
0x100
cx
0x01
dx
0x03
Operand
%eax
0x104
$0x108
(%eax)
Value Comment
0x100 Register
0xAB Absolute Address - memory
0x108 Immediate
0xFF Address 0x100 - indirect
Address 0x104 - base+displacement
4(%eax)
0XAB (4+register)
Address 0x10C – indexed
9(%eax,%edx)
0X11 (9 + eax+edx)
Address 0x108 – indexed
0x104(%ecx,%edx) 0X13 (0x104+ecx+edx)
Address 0x100 - scaled index
0xFC(,%ecx,4)
0XFF (0xfc+0+ecx*4)
Address 0x10C - scaled index
(%eax,%edx,4)
0X11 (eax+edx*4)
*scaled index multiplies the 2nd argument by the scaled value (the 3rd argument)
which must be a value of 1, 2, 4 or 8 (sizes of the primitive data types)
46

47. Operand Combinations example
Source
Dest
Src,Dest*
C analog
Immediate Register
movl $0x4, %eax
temp = 0x4;
Immediate Memory
movl $-147, (%eax)
*p = -147;
Register
Register
movl %eax, %edx
temp2 = temp1;
Register
Memory
movl %eax, (%edx)
*p = temp;
Memory
Register
movl (%eax), %edx
temp = *p;
• Each statement should be viewed separately.
• REMINDER: cannot do memory-memory transfer with a single instruction.
• The parentheses around the register tell the assembler to use the register
as a pointer.
47

48. Size Directive
• Typically you can infer the size being operated
on by which variation of the register is in use
• mov (ebx), %eax
• Destination EAX, implies moving 4 bytes
• mov (ebx), %ax
• Destination AX implies moving only 2 bytes
• mov (ebx), %ah
• Destination ah implies moving only 1 bytes

49. Size Directive
• Sometimes it is unclear though.
• mov $2, (%ebx)
• How many bytes do you move into memory @
address ebx. 2? 4? 8?
• Have to explicitly specify size when dealing
with immediate values
• movw $2, (%ebx)
• Explicitly move 2 bytes
• movl $2, (%ebx)
• Explicitly move 4 bytes
C Declaration
Suffix
Size
char
b
8 bits
short
w or s
16 bits
int
l
32 bits
* (pointer)
l
32 bits
float
s
32 bits
long
q
64 bits

50. x86 Instructions
• Three categories
• Data Movement
• Arithmetic/Logic
• Control-Flow
• We will not cover ALL x86 instructions, there
are numerous obscure ones
• We will cover all of the common instructions
• For full list of operands see Intel’s instruction
set reference

51. x86 Instructions
<reg32>
Any 32-bit register (EAX, EBX, ECX,
EDX, ESI, EDI, ESP, or EBP)
<reg16> Any 16-bit register (AX, BX, CX, or
DX)
<reg8> Any 8-bit register (AH, BH, CH, DH,
AL, BL, CL, or DL)
<reg> Any register
<mem> A memory address (e.g., [eax], [var +
4], or dword ptr [eax+ebx])
<con32> Any 32-bit constant
<con16> Any 16-bit constant
<con8> Any 8-bit constant
<con> Any 8-, 16-, or 32-bit constant

52. Data Movement
• mov source, destination
• Move data from source to destination
• Syntax
mov <reg>,<reg>
mov <reg>,<mem>
mov <mem>,<reg>
mov <const>, <reg>
mov <const>, <mem>
• Examples
mov %eax, %ebx — copy the value in eax
into ebx

53. Data Movement
• push
• add 4 bytes on top of the stack
• Syntax
push <reg32>
push <mem>
push <con32>
• Examples
push %eax — push eax on the stack

54. Data Movement
• pop
• remove top 4 byte value from stack
• Syntax
pop <reg32>
pop <mem>
• Examples
pop %eax — pop off stack into eax

55. Data Movement
• lea – Load Effective Address
• loads the address of the source into the
registers in the second operand
• Syntax
lea <mem>, <reg32>
• Examples
lea (var), %eax — address of var is
placed into eax

56. Arithmetic and Logic
• add
• adds together the two operands and stores result
in the second operand
• Syntax
add <reg>,<reg>
add <reg>,<mem>
add <mem>,<reg>
add <imm>,<reg>
add <imm>,<mem>
Examples
add $10, %eax — add 10 to the current value
in eax, and store result in eax

57. Arithmetic and Logic
• sub
• subtracts the two operands and stores result in the
second operand
• Syntax
sub <reg>,<reg>
sub <reg>,<mem>
sub <mem>,<reg>
sub <imm>,<reg>
sub <imm>,<mem>
Examples
sub $10, %eax — subtracts 10 from the
current value in eax, and store result in eax