coregrind/vg_to_ucode.c

/*--------------------------------------------------------------------*/
/*--- The JITter: translate x86 code to ucode.                     ---*/
/*---                                                vg_to_ucode.c ---*/
/*--------------------------------------------------------------------*/

/*
   This file is part of Valgrind, an extensible x86 protected-mode
   emulator for monitoring program execution on x86-Unixes.

   Copyright (C) 2000-2004 Julian Seward 
      jseward@acm.org

   This program is free software; you can redistribute it and/or
   modify it under the terms of the GNU General Public License as
   published by the Free Software Foundation; either version 2 of the
   License, or (at your option) any later version.

   This program is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
   02111-1307, USA.

   The GNU General Public License is contained in the file COPYING.
*/

#include "core.h"


/*------------------------------------------------------------*/
/*--- Debugging output                                     ---*/
/*------------------------------------------------------------*/

#define DIP(format, args...)  \
   if (VG_(print_codegen))        \
      VG_(printf)(format, ## args)

#define DIS(buf, format, args...)  \
   if (VG_(print_codegen))        \
      VG_(sprintf)(buf, format, ## args)

/*------------------------------------------------------------*/
/*--- CPU feature set stuff                                ---*/
/*--- This is a little out of place here, but it will do   ---*/
/*--- for now.                                             ---*/
/*------------------------------------------------------------*/

#define VG_CPU_VENDOR_GENERIC	0
#define VG_CPU_VENDOR_INTEL	1
#define VG_CPU_VENDOR_AMD	2

/* Standard macro to see if a specific flag is changeable */
static inline Bool flag_is_changeable(UInt flag)
{
   UInt f1, f2;

   asm("pushfl\n\t"
       "pushfl\n\t"
       "popl %0\n\t"
       "movl %0,%1\n\t"
       "xorl %2,%0\n\t"
       "pushl %0\n\t"
       "popfl\n\t"
       "pushfl\n\t"
       "popl %0\n\t"
       "popfl\n\t"
       : "=&r" (f1), "=&r" (f2)
       : "ir" (flag));

   return ((f1^f2) & flag) != 0;
}


/* Probe for the CPUID instruction */
static Bool has_cpuid(void)
{
   return flag_is_changeable(EFlagID);
}

// Returns the CPU features, and also the vendorid.  Only ever calls CPUID
// once, and caches the necessary info in static variables for later reuse.
static UInt* get_cpu_features(Int* cpu_vendorid_ptr)
{
   Char vendorstr[13];
   Int  i, cpuid_level;
   static Bool done_before = False;
   static Int  cpu_vendorid = VG_CPU_VENDOR_GENERIC;
   static UInt cpu_features[VG_N_FEATURE_WORDS];
   static const struct {
      const Char *vendorstr;
      Int   vendorid;
   } cpu_vendors[] = {
      { "GenuineIntel", VG_CPU_VENDOR_INTEL },
      { "AuthenticAMD", VG_CPU_VENDOR_AMD },
   };

   // If we haven't already worked this stuff out...
   if (!done_before && has_cpuid()) {

      cpu_features[VG_INT_FEAT] |= (1 << (VG_X86_FEAT_CPUID%32));

      // Get vendor string, eg. "GenuineIntel".  Note characteristically
      // stupid word order chosen by Intel.
      VG_(cpuid)(0, &cpuid_level, (UInt *)&vendorstr[0],
                                  (UInt *)&vendorstr[8],
                                  (UInt *)&vendorstr[4]);
      vendorstr[12] = '\0';

      // Determine vendor ID
      for (i = 0; i < sizeof(cpu_vendors)/sizeof(*cpu_vendors); i++)
         if (VG_(memcmp)(vendorstr, cpu_vendors[i].vendorstr, 12) == 0) {
            cpu_vendorid = cpu_vendors[i].vendorid;
            break;
         }

      // Determine CPU features
      if (cpuid_level >= 1)
         VG_(cpuid)(1, NULL, NULL, &cpu_features[VG_EXT_FEAT],
                                   &cpu_features[VG_X86_FEAT]);

      if (VG_CPU_VENDOR_AMD == cpu_vendorid) {
         /* get AMD-specific flags */
         VG_(cpuid)(0x80000001, NULL, NULL, NULL, &cpu_features[VG_AMD_FEAT]);
      }
   }
   if (NULL != cpu_vendorid_ptr) *cpu_vendorid_ptr = cpu_vendorid;
   return cpu_features;
}

Bool VG_(cpu_has_feature)(UInt feature)
{
   UInt  word = feature / 32;
   UInt  bit  = feature % 32;
   UInt* cpu_features;

   vg_assert(word >= 0 && word < VG_N_FEATURE_WORDS);

   cpu_features = get_cpu_features(NULL);

   return !!( cpu_features[word] & (1 << bit) );
}

/* The set of features we're willing to support for the client
   
   This includes supported instruction set extensions, plus any
   extensions which don't have any user-mode visible effect (but the
   client may find interesting).
 */
#define VG_X86_SUPPORTED_FEATURES		\
	 ((1 << VG_X86_FEAT_FPU)	|	\
	  (1 << VG_X86_FEAT_VME)	|	\
	  (1 << VG_X86_FEAT_DE)		|	\
	  (1 << VG_X86_FEAT_PSE)	|	\
	  (1 << VG_X86_FEAT_TSC)	|	\
	  (0 << VG_X86_FEAT_MSR)	|	\
	  (1 << VG_X86_FEAT_PAE)	|	\
	  (1 << VG_X86_FEAT_MCE)	|	\
	  (1 << VG_X86_FEAT_CX8)	|	\
	  (1 << VG_X86_FEAT_APIC)	|	\
	  (0 << VG_X86_FEAT_SEP)	|	\
	  (1 << VG_X86_FEAT_MTRR)	|	\
	  (1 << VG_X86_FEAT_PGE)	|	\
	  (1 << VG_X86_FEAT_MCA)	|	\
	  (1 << VG_X86_FEAT_CMOV)	|	\
	  (1 << VG_X86_FEAT_PAT)	|	\
	  (1 << VG_X86_FEAT_PSE36)	|	\
	  (0 << VG_X86_FEAT_CLFSH)	|	\
	  (1 << VG_X86_FEAT_DS)		|	\
	  (1 << VG_X86_FEAT_ACPI)	|	\
	  (1 << VG_X86_FEAT_MMX)	|	\
	  (1 << VG_X86_FEAT_FXSR)	|	\
	  (1 << VG_X86_FEAT_SSE)	|	\
	  (1 << VG_X86_FEAT_SSE2)	|	\
	  (1 << VG_X86_FEAT_SS)		|	\
	  (1 << VG_X86_FEAT_HT)		|	\
	  (1 << VG_X86_FEAT_TM)		|	\
	  (0 << VG_X86_FEAT_IA64)	|	\
	  (1 << VG_X86_FEAT_PBE))

#define VG_AMD_SUPPORTED_FEATURES					\
	((0 << (VG_AMD_FEAT_SYSCALL % 32))	|			\
	 (0 << (VG_AMD_FEAT_NXP % 32))		|			\
	 (1 << (VG_AMD_FEAT_MMXEXT % 32))	|			\
	 (0 << (VG_AMD_FEAT_FFXSR % 32))	|			\
	 (0 << (VG_AMD_FEAT_LONGMODE % 32))	|			\
	 (0 << (VG_AMD_FEAT_3DNOWEXT % 32))	|			\
	 (0 << (VG_AMD_FEAT_3DNOW % 32))	|			\
	 /* Common bits between standard features and AMD features */	\
	 (1 << VG_X86_FEAT_FPU)		|				\
	 (1 << VG_X86_FEAT_VME)		|				\
	 (1 << VG_X86_FEAT_DE)		|				\
	 (1 << VG_X86_FEAT_PSE)		|				\
	 (1 << VG_X86_FEAT_TSC)		|				\
	 (0 << VG_X86_FEAT_MSR)		|				\
	 (1 << VG_X86_FEAT_PAE)		|				\
	 (1 << VG_X86_FEAT_MCE)		|				\
	 (1 << VG_X86_FEAT_CX8)		|				\
	 (1 << VG_X86_FEAT_APIC)	|				\
	 (1 << VG_X86_FEAT_MTRR)	|				\
	 (1 << VG_X86_FEAT_PGE)		|				\
	 (1 << VG_X86_FEAT_MCA)		|				\
	 (1 << VG_X86_FEAT_CMOV)	|				\
	 (1 << VG_X86_FEAT_PAT)		|				\
	 (1 << VG_X86_FEAT_PSE36)	|				\
	 (1 << VG_X86_FEAT_MMX)		|				\
	 (1 << VG_X86_FEAT_FXSR))


/*	
   For simulating the cpuid instruction, we will
   issue a "real" cpuid instruction and then mask out
   the bits of the features we do not support currently (3dnow mostly).
   We also claim to not support most CPUID operations.
	
   Dirk Mueller <mueller@kde.org>

   http://www.sandpile.org/ia32/cpuid.htm

   references: 

   pre-MMX pentium:

   <werner> cpuid words (0): 0x1 0x756e6547 0x6c65746e 0x49656e69
   <werner> cpuid words (1): 0x52b 0x0 0x0 0x1bf

   Updated to be more extensible about future vendor extensions and
   vendor-specific parts of CPUID.
*/
void VG_(helperc_CPUID)(UInt op, UInt *eax_ret, UInt *ebx_ret,
                                 UInt *ecx_ret, UInt *edx_ret)
{
   UInt eax, ebx, ecx, edx;
   Int  cpu_vendorid;

   // This function should not be called unless the CPU has CPUID.
   vg_assert( VG_(cpu_has_feature)(VG_X86_FEAT_CPUID) );

   // Get vendor ID.
   get_cpu_features( &cpu_vendorid );

   VG_(cpuid)(op, &eax, &ebx, &ecx, &edx);

   /* Common mangling */
   switch(op) {
   case 1:
      edx &= VG_X86_SUPPORTED_FEATURES;
      break;

   case 0xd8000000: {
      /* Implement some private information at 0xd8000000 */
      static const Char valgrind_vendor[] = "ValgrindVCPU";

      eax = 0xd8000000;		/* max request */
      ebx = *(UInt *)&valgrind_vendor[0];
      ecx = *(UInt *)&valgrind_vendor[8];
      edx = *(UInt *)&valgrind_vendor[4];
   }
      break;
   }

   /* Vendor-specific mangling of the results */
   switch (cpu_vendorid) {
   case VG_CPU_VENDOR_INTEL:
      switch(op) {
      case 1:
	 ecx = 0;		/* mask out all extended features for now */
	 break;

      case 0x80000001:
	 ebx = ecx = edx = 0;
	 break;
      }
      break;

   case VG_CPU_VENDOR_AMD:
      switch(op) {
      case 0x80000001:
	 edx &= VG_AMD_SUPPORTED_FEATURES;
	 break;
      }
      break;
   }

   *eax_ret = eax;
   *ebx_ret = ebx;
   *ecx_ret = ecx;
   *edx_ret = edx;
}


/*------------------------------------------------------------*/
/*--- Here so it can be inlined everywhere.                ---*/
/*------------------------------------------------------------*/

/* Allocate a new temp reg number. */
__inline__ Int VG_(get_new_temp) ( UCodeBlock* cb )
{
   Int t = cb->nextTemp;
   cb->nextTemp += 2;
   return t;
}

Int VG_(get_new_shadow) ( UCodeBlock* cb )
{
   Int t = cb->nextTemp;
   cb->nextTemp += 2;
   return SHADOW(t);
}


/*------------------------------------------------------------*/
/*--- Helper bits and pieces for deconstructing the        ---*/
/*--- x86 insn stream.                                     ---*/
/*------------------------------------------------------------*/

static Char* nameGrp1 ( Int opc_aux )
{
   static Char* grp1_names[8] 
     = { "add", "or", "adc", "sbb", "and", "sub", "xor", "cmp" };
   if (opc_aux < 0 || opc_aux > 7) VG_(core_panic)("nameGrp1");
   return grp1_names[opc_aux];
}

static Char* nameGrp2 ( Int opc_aux )
{
   static Char* grp2_names[8] 
     = { "rol", "ror", "rcl", "rcr", "shl", "shr", "shl", "sar" };
   if (opc_aux < 0 || opc_aux > 7) VG_(core_panic)("nameGrp2");
   return grp2_names[opc_aux];
}

static Char* nameGrp4 ( Int opc_aux )
{
   static Char* grp4_names[8] 
     = { "inc", "dec", "???", "???", "???", "???", "???", "???" };
   if (opc_aux < 0 || opc_aux > 1) VG_(core_panic)("nameGrp4");
   return grp4_names[opc_aux];
}

static Char* nameGrp5 ( Int opc_aux )
{
   static Char* grp5_names[8] 
     = { "inc", "dec", "call*", "call*", "jmp*", "jmp*", "push", "???" };
   if (opc_aux < 0 || opc_aux > 6) VG_(core_panic)("nameGrp5");
   return grp5_names[opc_aux];
}

static Char* nameGrp8 ( Int opc_aux )
{
   static Char* grp8_names[8] 
     = { "???", "???", "???", "???", "bt", "bts", "btr", "btc" };
   if (opc_aux < 4 || opc_aux > 7) VG_(core_panic)("nameGrp8");
   return grp8_names[opc_aux];
}

const Char* VG_(name_of_int_reg) ( Int size, Int reg )
{
   static Char* ireg32_names[8] 
     = { "%eax", "%ecx", "%edx", "%ebx", 
         "%esp", "%ebp", "%esi", "%edi" };
   static Char* ireg16_names[8] 
     = { "%ax", "%cx", "%dx", "%bx", "%sp", "%bp", "%si", "%di" };
   static Char* ireg8_names[8] 
     = { "%al", "%cl", "%dl", "%bl", 
         "%ah{sp}", "%ch{bp}", "%dh{si}", "%bh{di}" };
   if (reg < 0 || reg > 7) goto bad;
   switch (size) {
      case 4: return ireg32_names[reg];
      case 2: return ireg16_names[reg];
      case 1: return ireg8_names[reg];
   }
  bad:
   VG_(core_panic)("name_of_int_reg");
   return NULL; /*notreached*/
}

const Char* VG_(name_of_seg_reg) ( Int sreg )
{
   switch (sreg) {
      case R_ES: return "%es";
      case R_CS: return "%cs";
      case R_SS: return "%ss";
      case R_DS: return "%ds";
      case R_FS: return "%fs";
      case R_GS: return "%gs";
      default: VG_(core_panic)("nameOfSegReg");
   }
}

const Char* VG_(name_of_mmx_reg) ( Int mmxreg )
{
   static const Char* mmx_names[8] 
     = { "%mm0", "%mm1", "%mm2", "%mm3", "%mm4", "%mm5", "%mm6", "%mm7" };
   if (mmxreg < 0 || mmxreg > 7) VG_(core_panic)("name_of_mmx_reg");
   return mmx_names[mmxreg];
}

const Char* VG_(name_of_xmm_reg) ( Int xmmreg )
{
   static const Char* xmm_names[8] 
     = { "%xmm0", "%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5", "%xmm6", "%xmm7" };
   if (xmmreg < 0 || xmmreg > 7) VG_(core_panic)("name_of_xmm_reg");
   return xmm_names[xmmreg];
}

const Char* VG_(name_of_mmx_gran) ( UChar gran )
{
   switch (gran) {
      case 0: return "b";
      case 1: return "w";
      case 2: return "d";
      case 3: return "q";
      default: VG_(core_panic)("name_of_mmx_gran");
   }
}

const Char VG_(name_of_int_size) ( Int size )
{
   switch (size) {
      case 4: return 'l';
      case 2: return 'w';
      case 1: return 'b';
      default: VG_(core_panic)("name_of_int_size");
   }
}

__inline__ UInt VG_(extend_s_8to32) ( UInt x )
{
   return (UInt)((((Int)x) << 24) >> 24);
}

__inline__ static UInt extend_s_16to32 ( UInt x )
{
   return (UInt)((((Int)x) << 16) >> 16);
}


/* Get a byte value out of the insn stream and sign-extend to 32
   bits. */
__inline__ static UInt getSDisp8 ( Addr eip0 )
{
   UChar* eip = (UChar*)eip0;
   return VG_(extend_s_8to32)( (UInt) (eip[0]) );
}

__inline__ static UInt getSDisp16 ( Addr eip0 )
{
   UChar* eip = (UChar*)eip0;
   UInt d = *eip++;
   d |= ((*eip++) << 8);
   return extend_s_16to32(d);
}

/* Get a 32-bit value out of the insn stream. */
__inline__ static UInt getUDisp32 ( Addr eip0 )
{
   UChar* eip = (UChar*)eip0;
   UInt v = eip[3]; v <<= 8;
   v |= eip[2]; v <<= 8;
   v |= eip[1]; v <<= 8;
   v |= eip[0];
   return v;
}

__inline__ static UInt getUDisp16 ( Addr eip0 )
{
   UChar* eip = (UChar*)eip0;
   UInt v = eip[1]; v <<= 8;
   v |= eip[0];
   return v;
}

__inline__ static UChar getUChar ( Addr eip0 )
{
   UChar* eip = (UChar*)eip0;
   return eip[0];
}

__inline__ static UInt LOW24 ( UInt x )
{
   return x & 0x00FFFFFF;
}

__inline__ static UInt HI8 ( UInt x )
{
   return x >> 24;
}

__inline__ static UInt getUDisp ( Int size, Addr eip )
{
   switch (size) {
      case 4: return getUDisp32(eip);
      case 2: return getUDisp16(eip);
      case 1: return getUChar(eip);
      default: VG_(core_panic)("getUDisp");
  }
  return 0; /*notreached*/
}

__inline__ static UInt getSDisp ( Int size, Addr eip )
{
   switch (size) {
      case 4: return getUDisp32(eip);
      case 2: return getSDisp16(eip);
      case 1: return getSDisp8(eip);
      default: VG_(core_panic)("getUDisp");
  }
  return 0; /*notreached*/
}

/*------------------------------------------------------------*/
/*--- Flag-related helpers.                                ---*/
/*------------------------------------------------------------*/

static void setFlagsFromUOpcode ( UCodeBlock* cb, Int uopc )
{
   switch (uopc) {
      case XOR: case OR: case AND:
         uFlagsRWU(cb, FlagsEmpty, FlagsOSZCP,  FlagA); break;
      case ADC: case SBB: 
         uFlagsRWU(cb, FlagC,      FlagsOSZACP, FlagsEmpty); break;
      case MUL: case UMUL:
	 uFlagsRWU(cb, FlagsEmpty, FlagsOC,     FlagsSZAP); break;
      case ADD: case SUB: case NEG: 
         uFlagsRWU(cb, FlagsEmpty, FlagsOSZACP, FlagsEmpty); break;
      case INC: case DEC:
         uFlagsRWU(cb, FlagsEmpty, FlagsOSZAP,  FlagsEmpty); break;
      case SHR: case SAR: case SHL:
         uFlagsRWU(cb, FlagsEmpty, FlagsOSZCP,  FlagA); break;
      case ROL: case ROR:
         uFlagsRWU(cb, FlagsEmpty, FlagsOC,     FlagsEmpty); break;
      case RCR: case RCL: 
         uFlagsRWU(cb, FlagC,      FlagsOC,     FlagsEmpty); break;
      case NOT:
         uFlagsRWU(cb, FlagsEmpty, FlagsEmpty,  FlagsEmpty); break;
      default: 
         VG_(printf)("unhandled case is %s\n", 
                     VG_(name_UOpcode)(True, uopc));
         VG_(core_panic)("setFlagsFromUOpcode: unhandled case");
   }
}

/*------------------------------------------------------------*/
/*--- JMP helpers                                          ---*/
/*------------------------------------------------------------*/

static __inline__
void jmp_lit( UCodeBlock* cb, Addr d32 )
{
   uInstr1 (cb, JMP,   0, Literal, 0);
   uLiteral(cb, d32);
   uCond   (cb, CondAlways);
}

static __inline__
void jmp_treg( UCodeBlock* cb, Int t )
{
   uInstr1 (cb, JMP,   0, TempReg, t);
   uCond   (cb, CondAlways);
}

static __inline__
void jcc_lit( UCodeBlock* cb, Addr d32, Condcode cond )
{
   uInstr1  (cb, JMP, 0, Literal, 0);
   uLiteral (cb, d32);
   uCond    (cb, cond);
   uFlagsRWU(cb, FlagsOSZACP, FlagsEmpty, FlagsEmpty);
}


/*------------------------------------------------------------*/
/*--- Disassembling addressing modes                       ---*/
/*------------------------------------------------------------*/

static 
UChar* sorbTxt ( UChar sorb )
{
   switch (sorb) {
      case 0:    return ""; /* no override */
      case 0x3E: return "%ds";
      case 0x26: return "%es:";
      case 0x64: return "%fs:";
      case 0x65: return "%gs:";
      default: VG_(core_panic)("sorbTxt");
   }
}


/* Tmp is a TempReg holding a virtual address.  Convert it to a linear
   address by adding any required segment override as indicated by
   sorb. */
static
void handleSegOverride ( UCodeBlock* cb, UChar sorb, Int tmp )
{
   Int sreg, tsreg;

   if (sorb == 0)
      /* the common case - no override */
      return;

   switch (sorb) {
      case 0x3E: sreg = R_DS; break;
      case 0x26: sreg = R_ES; break;
      case 0x64: sreg = R_FS; break;
      case 0x65: sreg = R_GS; break;
      default: VG_(core_panic)("handleSegOverride");
   }

   tsreg = newTemp(cb);

   /* sreg -> tsreg */
   uInstr2(cb, GETSEG, 2, ArchRegS, sreg, TempReg, tsreg );

   /* tmp += segment_base(ldt[tsreg]); also do limit check */
   uInstr2(cb, USESEG, 0, TempReg, tsreg, TempReg, tmp );
}


/* Generate ucode to calculate an address indicated by a ModRM and
   following SIB bytes, getting the value in a new temporary.  The
   temporary, and the number of bytes in the address mode, are
   returned, as a pair (length << 24) | temp.  Note that this fn should
   not be called if the R/M part of the address denotes a register
   instead of memory.  If VG_(print_codegen) is true, text of the addressing
   mode is placed therein. */

static 
UInt disAMode ( UCodeBlock* cb, UChar sorb, Addr eip0, UChar* buf )
{
   UChar* eip        = (UChar*)eip0;
   UChar  mod_reg_rm = *eip++;
   Int    tmp        = newTemp(cb);

   /* squeeze out the reg field from mod_reg_rm, since a 256-entry
      jump table seems a bit excessive. 
   */
   mod_reg_rm &= 0xC7;               /* is now XX000YYY */
   mod_reg_rm |= (mod_reg_rm >> 3);  /* is now XX0XXYYY */
   mod_reg_rm &= 0x1F;               /* is now 000XXYYY */
   switch (mod_reg_rm) {

      /* (%eax) .. (%edi), not including (%esp) or (%ebp).
         --> GET %reg, t 
      */
      case 0x00: case 0x01: case 0x02: case 0x03: 
      /* ! 04 */ /* ! 05 */ case 0x06: case 0x07:
         { UChar rm  = mod_reg_rm;
           uInstr2(cb, GET, 4, ArchReg, rm,  TempReg, tmp);
           handleSegOverride(cb, sorb, tmp);
           DIS(buf, "%s(%s)", sorbTxt(sorb), nameIReg(4,rm));
           return (1<<24 | tmp);
         }

      /* d8(%eax) ... d8(%edi), not including d8(%esp) 
         --> GET %reg, t ; ADDL d8, t
      */
      case 0x08: case 0x09: case 0x0A: case 0x0B: 
      /* ! 0C */ case 0x0D: case 0x0E: case 0x0F:
         { UChar rm  = mod_reg_rm & 7;
           Int   tmq = newTemp(cb);
           UInt  d   = getSDisp8((Addr)eip); eip++;
           uInstr2(cb, GET,  4, ArchReg, rm,  TempReg, tmq);
           uInstr2(cb, LEA1, 4, TempReg, tmq, TempReg, tmp);
           uLiteral(cb, d);
           handleSegOverride(cb, sorb, tmp);
           DIS(buf, "%s%d(%s)", sorbTxt(sorb), d, nameIReg(4,rm));
           return (2<<24 | tmp);
         }

      /* d32(%eax) ... d32(%edi), not including d32(%esp)
         --> GET %reg, t ; ADDL d8, t
      */
      case 0x10: case 0x11: case 0x12: case 0x13: 
      /* ! 14 */ case 0x15: case 0x16: case 0x17:
         { UChar rm  = mod_reg_rm & 7;
           Int   tmq = newTemp(cb);
           UInt  d   = getUDisp32((Addr)eip); eip += 4;
           uInstr2(cb, GET,  4, ArchReg, rm,  TempReg, tmq);
           uInstr2(cb, LEA1, 4, TempReg, tmq, TempReg, tmp);
           uLiteral(cb, d);
           handleSegOverride(cb, sorb, tmp);
           DIS(buf, "%s0x%x(%s)", sorbTxt(sorb), d, nameIReg(4,rm));
           return (5<<24 | tmp);
         }

      /* a register, %eax .. %edi.  This shouldn't happen. */
      case 0x18: case 0x19: case 0x1A: case 0x1B:
      case 0x1C: case 0x1D: case 0x1E: case 0x1F:
         VG_(core_panic)("disAMode: not an addr!");

      /* a 32-bit literal address
         --> MOV d32, tmp 
      */
      case 0x05: 
         { UInt d = getUDisp32((Addr)eip); eip += 4;
           uInstr2(cb, MOV, 4, Literal, 0, TempReg, tmp);
           uLiteral(cb, d);
           handleSegOverride(cb, sorb, tmp);
           DIS(buf, "%s(0x%x)", sorbTxt(sorb), d);
           return (5<<24 | tmp);
         }

      case 0x04: {
         /* SIB, with no displacement.  Special cases:
            -- %esp cannot act as an index value.  
               If index_r indicates %esp, zero is used for the index.
            -- when mod is zero and base indicates EBP, base is instead
               a 32-bit literal.
            It's all madness, I tell you.  Extract %index, %base and 
            scale from the SIB byte.  The value denoted is then:
               | %index == %ESP && %base == %EBP
               = d32 following SIB byte
               | %index == %ESP && %base != %EBP
               = %base
               | %index != %ESP && %base == %EBP
               = d32 following SIB byte + (%index << scale)
               | %index != %ESP && %base != %ESP
               = %base + (%index << scale)

            What happens to the souls of CPU architects who dream up such
            horrendous schemes, do you suppose?  
         */
         UChar sib     = *eip++;
         UChar scale   = (sib >> 6) & 3;
         UChar index_r = (sib >> 3) & 7;
         UChar base_r  = sib & 7;

         if (index_r != R_ESP && base_r != R_EBP) {
            Int index_tmp = newTemp(cb);
            Int base_tmp  = newTemp(cb);
            uInstr2(cb, GET,  4, ArchReg, index_r,  TempReg, index_tmp);
            uInstr2(cb, GET,  4, ArchReg, base_r,   TempReg, base_tmp);
            uInstr3(cb, LEA2, 4, TempReg, base_tmp, TempReg, index_tmp, 
                                 TempReg, tmp);
            uLiteral(cb, 0);
            LAST_UINSTR(cb).extra4b = 1 << scale;
            handleSegOverride(cb, sorb, tmp);
            DIS(buf, "%s(%s,%s,%d)", sorbTxt(sorb), 
                      nameIReg(4,base_r), nameIReg(4,index_r), 1<<scale);
            return (2<<24 | tmp);
         }

         if (index_r != R_ESP && base_r == R_EBP) {
            Int index_tmp = newTemp(cb);
            UInt d = getUDisp32((Addr)eip); eip += 4;
            uInstr2(cb, GET,  4, ArchReg, index_r,  TempReg, index_tmp);
            uInstr2(cb, MOV,  4, Literal, 0,        TempReg, tmp);
            uLiteral(cb, 0);
            uInstr3(cb, LEA2, 4, TempReg, tmp,      TempReg, index_tmp, 
                                 TempReg, tmp);
            uLiteral(cb, d);
            LAST_UINSTR(cb).extra4b = 1 << scale;
            handleSegOverride(cb, sorb, tmp);
            DIS(buf, "%s0x%x(,%s,%d)", sorbTxt(sorb), d, 
                      nameIReg(4,index_r), 1<<scale);
            return (6<<24 | tmp);
         }

         if (index_r == R_ESP && base_r != R_EBP) {
            uInstr2(cb, GET, 4, ArchReg, base_r, TempReg, tmp);
            handleSegOverride(cb, sorb, tmp);
            DIS(buf, "%s(%s,,)", sorbTxt(sorb), nameIReg(4,base_r));
            return (2<<24 | tmp);
         }

         if (index_r == R_ESP && base_r == R_EBP) {
            UInt d = getUDisp32((Addr)eip); eip += 4;
            uInstr2(cb, MOV, 4, Literal, 0, TempReg, tmp);
	    uLiteral(cb, d);
            handleSegOverride(cb, sorb, tmp);
            DIS(buf, "%s0x%x()", sorbTxt(sorb), d);
            return (6<<24 | tmp);
         }

         vg_assert(0);
      }

      /* SIB, with 8-bit displacement.  Special cases:
         -- %esp cannot act as an index value.  
            If index_r indicates %esp, zero is used for the index.
         Denoted value is:
            | %index == %ESP
            = d8 + %base
            | %index != %ESP
            = d8 + %base + (%index << scale)
      */
      case 0x0C: {
         UChar sib     = *eip++;
         UChar scale   = (sib >> 6) & 3;
         UChar index_r = (sib >> 3) & 7;
         UChar base_r  = sib & 7;
         UInt d        = getSDisp8((Addr)eip); eip++;

         if (index_r == R_ESP) {
            Int tmq = newTemp(cb);
            uInstr2(cb, GET,  4, ArchReg, base_r,  TempReg, tmq);
            uInstr2(cb, LEA1, 4, TempReg, tmq, TempReg, tmp);
            uLiteral(cb, d);
            handleSegOverride(cb, sorb, tmp);
            DIS(buf, "%s%d(%s,,)", sorbTxt(sorb), d, nameIReg(4,base_r));
            return (3<<24 | tmp);
         } else {
            Int index_tmp = newTemp(cb);
            Int base_tmp  = newTemp(cb);
            uInstr2(cb, GET, 4,  ArchReg, index_r,  TempReg, index_tmp);
            uInstr2(cb, GET, 4,  ArchReg, base_r,   TempReg, base_tmp);
            uInstr3(cb, LEA2, 4, TempReg, base_tmp, TempReg, index_tmp, 
                                 TempReg, tmp);
            uLiteral(cb, d);
            LAST_UINSTR(cb).extra4b = 1 << scale;
            handleSegOverride(cb, sorb, tmp);
            DIS(buf, "%s%d(%s,%s,%d)", sorbTxt(sorb), d, 
                     nameIReg(4,base_r), nameIReg(4,index_r), 1<<scale);
            return (3<<24 | tmp);
         }
         vg_assert(0);
      }

      /* SIB, with 32-bit displacement.  Special cases:
         -- %esp cannot act as an index value.  
            If index_r indicates %esp, zero is used for the index.
         Denoted value is:
            | %index == %ESP
            = d32 + %base
            | %index != %ESP
            = d32 + %base + (%index << scale)
      */
      case 0x14: {
         UChar sib     = *eip++;
         UChar scale   = (sib >> 6) & 3;
         UChar index_r = (sib >> 3) & 7;
         UChar base_r  = sib & 7;
         UInt d        = getUDisp32((Addr)eip); eip += 4;

         if (index_r == R_ESP) {
            Int tmq = newTemp(cb);
            uInstr2(cb, GET,  4, ArchReg, base_r,  TempReg, tmq);
            uInstr2(cb, LEA1, 4, TempReg, tmq, TempReg, tmp);
            uLiteral(cb, d);
            handleSegOverride(cb, sorb, tmp);
            DIS(buf, "%s%d(%s,,)", sorbTxt(sorb), d, nameIReg(4,base_r));
            return (6<<24 | tmp);
         } else {
            Int index_tmp = newTemp(cb);
            Int base_tmp = newTemp(cb);
            uInstr2(cb, GET,  4, ArchReg, index_r, TempReg, index_tmp);
            uInstr2(cb, GET,  4, ArchReg, base_r, TempReg, base_tmp);
            uInstr3(cb, LEA2, 4, TempReg, base_tmp, TempReg, index_tmp, 
                                 TempReg, tmp);
            uLiteral(cb, d);
            LAST_UINSTR(cb).extra4b = 1 << scale;
            handleSegOverride(cb, sorb, tmp);
            DIS(buf, "%s%d(%s,%s,%d)", sorbTxt(sorb), d, 
                      nameIReg(4,base_r), nameIReg(4,index_r), 1<<scale);
            return (6<<24 | tmp);
         }
         vg_assert(0);
      }

      default:
         VG_(core_panic)("disAMode");
         return 0; /*notreached*/
   }
}


/* Figure out the number of (insn-stream) bytes constituting the amode
   beginning at eip0.  Is useful for getting hold of literals beyond
   the end of the amode before it has been disassembled.  */

static UInt lengthAMode ( Addr eip0 )
{
   UChar* eip        = (UChar*)eip0;
   UChar  mod_reg_rm = *eip++;

   /* squeeze out the reg field from mod_reg_rm, since a 256-entry
      jump table seems a bit excessive. 
   */
   mod_reg_rm &= 0xC7;               /* is now XX000YYY */
   mod_reg_rm |= (mod_reg_rm >> 3);  /* is now XX0XXYYY */
   mod_reg_rm &= 0x1F;               /* is now 000XXYYY */
   switch (mod_reg_rm) {

      /* (%eax) .. (%edi), not including (%esp) or (%ebp). */
      case 0x00: case 0x01: case 0x02: case 0x03: 
      /* ! 04 */ /* ! 05 */ case 0x06: case 0x07:
         return 1;

      /* d8(%eax) ... d8(%edi), not including d8(%esp). */ 
      case 0x08: case 0x09: case 0x0A: case 0x0B: 
      /* ! 0C */ case 0x0D: case 0x0E: case 0x0F:
         return 2;

      /* d32(%eax) ... d32(%edi), not including d32(%esp). */
      case 0x10: case 0x11: case 0x12: case 0x13: 
      /* ! 14 */ case 0x15: case 0x16: case 0x17:
         return 5;

      /* a register, %eax .. %edi.  (Not an addr, but still handled.) */
      case 0x18: case 0x19: case 0x1A: case 0x1B:
      case 0x1C: case 0x1D: case 0x1E: case 0x1F:
         return 1;

      /* a 32-bit literal address. */
      case 0x05: return 5;

      /* SIB, no displacement.  */
      case 0x04: {
         UChar sib     = *eip++;
         UChar base_r  = sib & 7;
         if (base_r == R_EBP) return 6; else return 2;
      }
      /* SIB, with 8-bit displacement.  */
      case 0x0C: return 3;

      /* SIB, with 32-bit displacement.  */
      case 0x14: return 6;

      default:
         VG_(core_panic)("amode_from_RM");
         return 0; /*notreached*/
   }
}


/* Extract the reg field from a modRM byte. */
static __inline__ Int gregOfRM ( UChar mod_reg_rm )
{
   return (Int)( (mod_reg_rm >> 3) & 7 );
}

/* Figure out whether the mod and rm parts of a modRM byte refer to a
   register or memory.  If so, the byte will have the form 11XXXYYY,
   where YYY is the register number. */
static __inline__ Bool epartIsReg ( UChar mod_reg_rm )
{
   return (0xC0 == (mod_reg_rm & 0xC0));
}

/* ... and extract the register number ... */
static __inline__ Int eregOfRM ( UChar mod_reg_rm )
{
   return (Int)(mod_reg_rm & 0x7);
}


/*------------------------------------------------------------*/
/*--- Disassembling common idioms                          ---*/
/*------------------------------------------------------------*/

static
void codegen_XOR_reg_with_itself ( UCodeBlock* cb, Int size, 
                                   Int ge_reg, Int tmp )
{
   DIP("xor%c %s, %s\n", nameISize(size),
                         nameIReg(size,ge_reg), nameIReg(size,ge_reg) );
   uInstr2(cb, MOV, size, Literal, 0, TempReg, tmp);
   uLiteral(cb, 0);
   uInstr2(cb, XOR, size, TempReg, tmp, TempReg, tmp);
   setFlagsFromUOpcode(cb, XOR);
   uInstr2(cb, PUT, size, TempReg, tmp, ArchReg, ge_reg);
}

/* Handle binary integer instructions of the form
      op E, G  meaning
      op reg-or-mem, reg
   Is passed the a ptr to the modRM byte, the actual operation, and the
   data size.  Returns the address advanced completely over this
   instruction.

   E(src) is reg-or-mem
   G(dst) is reg.

   If E is reg, -->    GET %G,  tmp
                       OP %E,   tmp
                       PUT tmp, %G
 
   If E is mem and OP is not reversible, 
                -->    (getAddr E) -> tmpa
                       LD (tmpa), tmpa
                       GET %G, tmp2
                       OP tmpa, tmp2
                       PUT tmp2, %G

   If E is mem and OP is reversible
                -->    (getAddr E) -> tmpa
                       LD (tmpa), tmpa
                       OP %G, tmpa
                       PUT tmpa, %G
*/
static
Addr dis_op2_E_G ( UCodeBlock* cb,
                   UChar       sorb,
                   Opcode      opc, 
                   Bool        keep,
                   Int         size, 
                   Addr        eip0,
                   Char*       t_x86opc )
{
   Bool  reversible;
   UChar rm = getUChar(eip0);
   UChar dis_buf[50];

   if (epartIsReg(rm)) {
      Int tmp = newTemp(cb);

      /* Specially handle XOR reg,reg, because that doesn't really
         depend on reg, and doing the obvious thing potentially
         generates a spurious value check failure due to the bogus
         dependency. */
      if (opc == XOR && gregOfRM(rm) == eregOfRM(rm)) {
         codegen_XOR_reg_with_itself ( cb, size, gregOfRM(rm), tmp );
         return 1+eip0;
      }

      uInstr2(cb, GET, size, ArchReg, gregOfRM(rm), TempReg, tmp);
      if (opc == AND || opc == OR) {
         Int tao = newTemp(cb);
         uInstr2(cb, GET, size, ArchReg, eregOfRM(rm), TempReg, tao); 
         uInstr2(cb, opc, size, TempReg, tao, TempReg, tmp);
         setFlagsFromUOpcode(cb, opc);
      } else {
         uInstr2(cb, opc, size, ArchReg, eregOfRM(rm), TempReg, tmp);
         setFlagsFromUOpcode(cb, opc);
      }
      if (keep)
         uInstr2(cb, PUT, size, TempReg, tmp, ArchReg, gregOfRM(rm));
      DIP("%s%c %s,%s\n", t_x86opc, nameISize(size), 
                          nameIReg(size,eregOfRM(rm)),
                          nameIReg(size,gregOfRM(rm)));
      return 1+eip0;
   }

   /* E refers to memory */    
   reversible
      = (opc == ADD || opc == OR || opc == AND || opc == XOR || opc == ADC)
           ? True : False;
   if (reversible) {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf);
      Int  tmpa = LOW24(pair);
      uInstr2(cb, LOAD, size, TempReg, tmpa, TempReg, tmpa);

      if (opc == AND || opc == OR) {
         Int tao = newTemp(cb);
         uInstr2(cb, GET, size, ArchReg, gregOfRM(rm), TempReg, tao); 
         uInstr2(cb, opc, size, TempReg, tao, TempReg, tmpa);
         setFlagsFromUOpcode(cb, opc);
      } else {
         uInstr2(cb, opc,  size, ArchReg, gregOfRM(rm), TempReg, tmpa);
         setFlagsFromUOpcode(cb, opc);
      }
      if (keep)
         uInstr2(cb, PUT,  size, TempReg, tmpa, ArchReg, gregOfRM(rm));
      DIP("%s%c %s,%s\n", t_x86opc, nameISize(size), 
                          dis_buf,nameIReg(size,gregOfRM(rm)));
      return HI8(pair)+eip0;
   } else {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf);
      Int  tmpa = LOW24(pair);
      Int  tmp2 = newTemp(cb);
      uInstr2(cb, LOAD, size, TempReg, tmpa, TempReg, tmpa);
      uInstr2(cb, GET,  size, ArchReg, gregOfRM(rm), TempReg, tmp2);
      uInstr2(cb, opc,  size, TempReg, tmpa, TempReg, tmp2);
      setFlagsFromUOpcode(cb, opc);
      if (keep)
         uInstr2(cb, PUT,  size, TempReg, tmp2, ArchReg, gregOfRM(rm));
      DIP("%s%c %s,%s\n", t_x86opc, nameISize(size), 
                          dis_buf,nameIReg(size,gregOfRM(rm)));
      return HI8(pair)+eip0;
   }
}



/* Handle binary integer instructions of the form
      op G, E  meaning
      op reg, reg-or-mem
   Is passed the a ptr to the modRM byte, the actual operation, and the
   data size.  Returns the address advanced completely over this
   instruction.

   G(src) is reg.
   E(dst) is reg-or-mem

   If E is reg, -->    GET %E,  tmp
                       OP %G,   tmp
                       PUT tmp, %E
 
   If E is mem, -->    (getAddr E) -> tmpa
                       LD (tmpa), tmpv
                       OP %G, tmpv
                       ST tmpv, (tmpa)
*/
static
Addr dis_op2_G_E ( UCodeBlock* cb, 
                   UChar       sorb,
                   Opcode      opc, 
                   Bool        keep,
                   Int         size, 
                   Addr        eip0,
                   Char*       t_x86opc )
{
   UChar rm = getUChar(eip0);
   UChar dis_buf[50];

   if (epartIsReg(rm)) {
      Int tmp = newTemp(cb);

      /* Specially handle XOR reg,reg, because that doesn't really
         depend on reg, and doing the obvious thing potentially
         generates a spurious value check failure due to the bogus
         dependency. */
      if (opc == XOR && gregOfRM(rm) == eregOfRM(rm)) {
         codegen_XOR_reg_with_itself ( cb, size, gregOfRM(rm), tmp );
         return 1+eip0;
      }

      /* gcc sometimes generates "sbbl %reg,%reg" to convert the carry
         flag into 0 or -1 in reg.  This has no actual dependency on
         reg, but memcheck can't see that, and so will yelp if reg
         contains garbage.  A simple fix is to put zero into reg
         before we start, zapping any undefinedness it might otherwise
         contain.
      */
      if (opc == SBB && gregOfRM(rm) == eregOfRM(rm)) {
         Int tzero = newTemp(cb);
         uInstr2(cb, MOV, size, Literal, 0, TempReg, tzero);
         uLiteral(cb, 0);
         uInstr2(cb, PUT, size, TempReg, tzero, ArchReg, eregOfRM(rm));
      }

      uInstr2(cb, GET, size, ArchReg, eregOfRM(rm), TempReg, tmp);

      if (opc == AND || opc == OR) {
         Int tao = newTemp(cb);
         uInstr2(cb, GET, size, ArchReg, gregOfRM(rm), TempReg, tao); 
         uInstr2(cb, opc, size, TempReg, tao, TempReg, tmp);
         setFlagsFromUOpcode(cb, opc);
      } else {
         uInstr2(cb, opc, size, ArchReg, gregOfRM(rm), TempReg, tmp);
         setFlagsFromUOpcode(cb, opc);
      }
      if (keep)
         uInstr2(cb, PUT, size, TempReg, tmp, ArchReg, eregOfRM(rm));
      DIP("%s%c %s,%s\n", t_x86opc, nameISize(size), 
                          nameIReg(size,gregOfRM(rm)),
                          nameIReg(size,eregOfRM(rm)));
      return 1+eip0;
   }

   /* E refers to memory */    
   {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf);
      Int  tmpa = LOW24(pair);
      Int  tmpv = newTemp(cb);
      uInstr2(cb, LOAD,  size, TempReg, tmpa, TempReg, tmpv);

      if (opc == AND || opc == OR) {
         Int tao = newTemp(cb);
         uInstr2(cb, GET, size, ArchReg, gregOfRM(rm), TempReg, tao); 
         uInstr2(cb, opc, size, TempReg, tao, TempReg, tmpv);
         setFlagsFromUOpcode(cb, opc);
      } else {
         uInstr2(cb, opc, size, ArchReg, gregOfRM(rm), TempReg, tmpv);
         setFlagsFromUOpcode(cb, opc);
      }
      if (keep) {
         uInstr2(cb, STORE, size, TempReg, tmpv, TempReg, tmpa);
      }
      DIP("%s%c %s,%s\n", t_x86opc, nameISize(size), 
                          nameIReg(size,gregOfRM(rm)), dis_buf);
      return HI8(pair)+eip0;
   }
}


/* Handle move instructions of the form
      mov E, G  meaning
      mov reg-or-mem, reg
   Is passed the a ptr to the modRM byte, and the data size.  Returns
   the address advanced completely over this instruction.

   E(src) is reg-or-mem
   G(dst) is reg.

   If E is reg, -->    GET %E,  tmpv
                       PUT tmpv, %G
 
   If E is mem  -->    (getAddr E) -> tmpa
                       LD (tmpa), tmpb
                       PUT tmpb, %G
*/
static
Addr dis_mov_E_G ( UCodeBlock* cb, 
                   UChar       sorb,
                   Int         size, 
                   Addr        eip0 )
{
   UChar rm  = getUChar(eip0);
   UChar dis_buf[50];

   if (epartIsReg(rm)) {
      Int tmpv = newTemp(cb);
      uInstr2(cb, GET, size, ArchReg, eregOfRM(rm), TempReg, tmpv);
      uInstr2(cb, PUT, size, TempReg, tmpv, ArchReg, gregOfRM(rm));
      DIP("mov%c %s,%s\n", nameISize(size), 
                           nameIReg(size,eregOfRM(rm)),
                           nameIReg(size,gregOfRM(rm)));
      return 1+eip0;
   }

   /* E refers to memory */    
   {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf);
      Int  tmpa = LOW24(pair);
      Int  tmpb = newTemp(cb);
      uInstr2(cb, LOAD, size, TempReg, tmpa, TempReg, tmpb);
      uInstr2(cb, PUT,  size, TempReg, tmpb, ArchReg, gregOfRM(rm));
      DIP("mov%c %s,%s\n", nameISize(size), 
                           dis_buf,nameIReg(size,gregOfRM(rm)));
      return HI8(pair)+eip0;
   }
}


/* Handle move instructions of the form
      mov G, E  meaning
      mov reg, reg-or-mem
   Is passed the a ptr to the modRM byte, and the data size.  Returns
   the address advanced completely over this instruction.

   G(src) is reg.
   E(dst) is reg-or-mem

   If E is reg, -->    GET %G,  tmp
                       PUT tmp, %E
 
   If E is mem, -->    (getAddr E) -> tmpa
                       GET %G, tmpv
                       ST tmpv, (tmpa) 
*/
static
Addr dis_mov_G_E ( UCodeBlock* cb, 
                   UChar       sorb,
                   Int         size, 
                   Addr        eip0 )
{
   UChar rm = getUChar(eip0);
   UChar dis_buf[50];

   if (epartIsReg(rm)) {
      Int tmpv = newTemp(cb);
      uInstr2(cb, GET, size, ArchReg, gregOfRM(rm), TempReg, tmpv);
      uInstr2(cb, PUT, size, TempReg, tmpv, ArchReg, eregOfRM(rm));
      DIP("mov%c %s,%s\n", nameISize(size), 
                           nameIReg(size,gregOfRM(rm)),
                           nameIReg(size,eregOfRM(rm)));
      return 1+eip0;
   }

   /* E refers to memory */    
   {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf);
      Int  tmpa = LOW24(pair);
      Int  tmpv = newTemp(cb);
      uInstr2(cb, GET,   size, ArchReg, gregOfRM(rm), TempReg, tmpv);
      uInstr2(cb, STORE, size, TempReg, tmpv, TempReg, tmpa);
      DIP("mov%c %s,%s\n", nameISize(size), 
                           nameIReg(size,gregOfRM(rm)), dis_buf);
      return HI8(pair)+eip0;
   }
}


/* op $immediate, AL/AX/EAX. */
static
Addr dis_op_imm_A ( UCodeBlock* cb, 
                    Int         size,
                    Opcode      opc,
                    Bool        keep,
                    Addr        eip,
                    Char*       t_x86opc )
{
   Int  tmp = newTemp(cb);
   UInt lit = getUDisp(size,eip);
   uInstr2(cb, GET, size, ArchReg, R_EAX, TempReg, tmp);
   if (opc == AND || opc == OR) {
      Int tao = newTemp(cb);
      uInstr2(cb, MOV, size, Literal, 0, TempReg, tao);
      uLiteral(cb, lit);
      uInstr2(cb, opc, size, TempReg, tao, TempReg, tmp);
      setFlagsFromUOpcode(cb, opc);
   } else {
      uInstr2(cb, opc, size, Literal, 0, TempReg, tmp);
      uLiteral(cb, lit);
      setFlagsFromUOpcode(cb, opc);
   }
   if (keep)
      uInstr2(cb, PUT, size, TempReg, tmp, ArchReg, R_EAX);
   DIP("%s%c $0x%x, %s\n", t_x86opc, nameISize(size), 
                           lit, nameIReg(size,R_EAX));
   return eip+size;
}


/* Sign- and Zero-extending moves. */
static
Addr dis_movx_E_G ( UCodeBlock* cb, 
                    UChar       sorb,
                    Addr eip, Int szs, Int szd, Bool sign_extend )
{
   UChar dis_buf[50];
   UChar rm = getUChar(eip);
   if (epartIsReg(rm)) {
      Int tmpv = newTemp(cb);
      uInstr2(cb, GET, szs, ArchReg, eregOfRM(rm), TempReg, tmpv);
      uInstr1(cb, WIDEN, szd, TempReg, tmpv);
      uWiden(cb, szs, sign_extend);
      uInstr2(cb, PUT, szd, TempReg, tmpv, ArchReg, gregOfRM(rm));
      DIP("mov%c%c%c %s,%s\n", sign_extend ? 's' : 'z',
                               nameISize(szs), nameISize(szd),
                               nameIReg(szs,eregOfRM(rm)),
                               nameIReg(szd,gregOfRM(rm)));
      return 1+eip;
   }

   /* E refers to memory */    
   {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf);
      Int  tmpa = LOW24(pair);
      uInstr2(cb, LOAD, szs, TempReg, tmpa, TempReg, tmpa);
      uInstr1(cb, WIDEN, szd, TempReg, tmpa);
      uWiden(cb, szs, sign_extend);
      uInstr2(cb, PUT, szd, TempReg, tmpa, ArchReg, gregOfRM(rm));
      DIP("mov%c%c%c %s,%s\n", sign_extend ? 's' : 'z',
                               nameISize(szs), nameISize(szd),
                               dis_buf, nameIReg(szd,gregOfRM(rm)));
      return HI8(pair)+eip;
   }
}


/* Generate code to divide ArchRegs EDX:EAX / DX:AX / AX by the 32 /
   16 / 8 bit quantity in the given TempReg.  */
static
void codegen_div ( UCodeBlock* cb, Int sz, Int t, Bool signed_divide )
{
   Int  helper;
   Int  ta = newTemp(cb);
   Int  td = newTemp(cb);

   switch (sz) {
      case 4: helper = (signed_divide ? VGOFF_(helper_idiv_64_32) 
                                      : VGOFF_(helper_div_64_32));
              break;
      case 2: helper = (signed_divide ? VGOFF_(helper_idiv_32_16) 
                                      : VGOFF_(helper_div_32_16));
              break;
      case 1: helper = (signed_divide ? VGOFF_(helper_idiv_16_8)
                                      : VGOFF_(helper_div_16_8));
              break;
      default: VG_(core_panic)("codegen_div");
   }
   uInstr0(cb, CALLM_S, 0);
   if (sz == 4 || sz == 2) {
      uInstr1(cb, PUSH,  sz, TempReg, t);
      uInstr2(cb, GET,   sz, ArchReg, R_EAX,  TempReg, ta);
      uInstr1(cb, PUSH,  sz, TempReg, ta);
      uInstr2(cb, GET,   sz, ArchReg, R_EDX,  TempReg, td);
      uInstr1(cb, PUSH,  sz, TempReg, td);
      uInstr1(cb, CALLM,  0, Lit16,   helper);
      uFlagsRWU(cb, FlagsEmpty, FlagsEmpty, FlagsOSZACP);
      uInstr1(cb, POP,   sz, TempReg, t);
      uInstr2(cb, PUT,   sz, TempReg, t,      ArchReg, R_EDX);
      uInstr1(cb, POP,   sz, TempReg, t);
      uInstr2(cb, PUT,   sz, TempReg, t,      ArchReg, R_EAX);
      uInstr1(cb, CLEAR,  0, Lit16,   4);
   } else {
      uInstr1(cb, PUSH,  1, TempReg, t);
      uInstr2(cb, GET,   2, ArchReg, R_EAX,  TempReg, ta);
      uInstr1(cb, PUSH,  2, TempReg, ta);
      uInstr2(cb, MOV,   1, Literal, 0,      TempReg, td);
      uLiteral(cb, 0);
      uInstr1(cb, PUSH,  1, TempReg, td);
      uInstr1(cb, CALLM, 0, Lit16,   helper);
      uFlagsRWU(cb, FlagsEmpty, FlagsEmpty, FlagsOSZACP);
      uInstr1(cb, POP,   1, TempReg, t);
      uInstr2(cb, PUT,   1, TempReg, t,      ArchReg, R_AL);
      uInstr1(cb, POP,   1, TempReg, t);
      uInstr2(cb, PUT,   1, TempReg, t,      ArchReg, R_AH);
      uInstr1(cb, CLEAR, 0, Lit16,   4);
   }
   uInstr0(cb, CALLM_E, 0);
}


static 
Addr dis_Grp1 ( UCodeBlock* cb, 
                UChar       sorb,
                Addr eip, UChar modrm, 
                Int am_sz, Int d_sz, Int sz, UInt d32 )
{
   Int   t1, t2, uopc;
   UInt  pair;
   UChar dis_buf[50];
   if (epartIsReg(modrm)) {
      vg_assert(am_sz == 1);
      t1  = newTemp(cb);
      uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
      switch (gregOfRM(modrm)) {
         case 0: uopc = ADD; break;  case 1: uopc = OR;  break;
         case 2: uopc = ADC; break;  case 3: uopc = SBB; break;
         case 4: uopc = AND; break;  case 5: uopc = SUB; break;
         case 6: uopc = XOR; break;  case 7: uopc = SUB; break;
         default: VG_(core_panic)("dis_Grp1(Reg): unhandled case");
      }
      if (uopc == AND || uopc == OR) {
         Int tao = newTemp(cb);
         uInstr2(cb, MOV, sz, Literal, 0, TempReg, tao);
         uLiteral(cb, d32);
         uInstr2(cb, uopc, sz, TempReg, tao, TempReg, t1);
         setFlagsFromUOpcode(cb, uopc);
      } else {
         uInstr2(cb, uopc, sz, Literal, 0, TempReg, t1);
         uLiteral(cb, d32);
         setFlagsFromUOpcode(cb, uopc);
      }
      if (gregOfRM(modrm) < 7)
         uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, eregOfRM(modrm));
      eip += (am_sz + d_sz);
      DIP("%s%c $0x%x, %s\n", nameGrp1(gregOfRM(modrm)), nameISize(sz), d32, 
                              nameIReg(sz,eregOfRM(modrm)));
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf);
      t1   = LOW24(pair);
      t2   = newTemp(cb);
      eip  += HI8(pair);
      eip  += d_sz;
      uInstr2(cb, LOAD, sz, TempReg, t1, TempReg, t2);
      switch (gregOfRM(modrm)) {
         case 0: uopc = ADD; break;  case 1: uopc = OR;  break;
         case 2: uopc = ADC; break;  case 3: uopc = SBB; break;
         case 4: uopc = AND; break;  case 5: uopc = SUB; break;
         case 6: uopc = XOR; break;  case 7: uopc = SUB; break;
         default: VG_(core_panic)("dis_Grp1(Mem): unhandled case");
      }
      if (uopc == AND || uopc == OR) {
         Int tao = newTemp(cb);
         uInstr2(cb, MOV, sz, Literal, 0, TempReg, tao);
         uLiteral(cb, d32);
         uInstr2(cb, uopc, sz, TempReg, tao, TempReg, t2);
         setFlagsFromUOpcode(cb, uopc);
      } else {
         uInstr2(cb, uopc, sz, Literal, 0, TempReg, t2);
         uLiteral(cb, d32);
         setFlagsFromUOpcode(cb, uopc);
      }
      if (gregOfRM(modrm) < 7) {
         uInstr2(cb, STORE, sz, TempReg, t2, TempReg, t1);
      }
      DIP("%s%c $0x%x, %s\n", nameGrp1(gregOfRM(modrm)), nameISize(sz),
                              d32, dis_buf);
   }
   return eip;
}


/* Group 2 extended opcodes. */
static
Addr dis_Grp2 ( UCodeBlock* cb, 
                UChar       sorb,
                Addr eip, UChar modrm,
                Int am_sz, Int d_sz, Int sz, 
                Tag orig_src_tag, UInt orig_src_val )
{
   /* orig_src_tag and orig_src_val denote either ArchReg(%CL) or a
      Literal.  And eip on entry points at the modrm byte. */
   Int   t1, t2, uopc;
   UInt  pair;
   UChar dis_buf[50];
   UInt  src_val;
   Tag   src_tag;

   /* Get the amount to be shifted by into src_tag/src_val. */
   if (orig_src_tag == ArchReg) {
      src_val = newTemp(cb);
      src_tag = TempReg;
      uInstr2(cb, GET, 1, orig_src_tag, orig_src_val, TempReg, src_val);
   } else {
      src_val = orig_src_val;
      src_tag = Literal;
   }

   if (epartIsReg(modrm)) {
      vg_assert(am_sz == 1);
      t1  = newTemp(cb);
      uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
      switch (gregOfRM(modrm)) {
         case 0: uopc = ROL; break;  case 1: uopc = ROR; break;
         case 2: uopc = RCL; break;  case 3: uopc = RCR; break;
         case 4: uopc = SHL; break;  case 5: uopc = SHR; break;
         case 7: uopc = SAR; break;
         default: VG_(core_panic)("dis_Grp2(Reg): unhandled case");
      }
      if (src_tag == Literal) {
          uInstr2(cb, uopc, sz, Literal, 0, TempReg, t1);
	  uLiteral(cb, src_val);
      } else {
          uInstr2(cb, uopc, sz, src_tag, src_val, TempReg, t1);
      }
      setFlagsFromUOpcode(cb, uopc);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, eregOfRM(modrm));
      eip += (am_sz + d_sz);
      if (VG_(print_codegen)) {
         if (orig_src_tag == Literal)
            VG_(printf)("%s%c $0x%x, %s\n",
                        nameGrp2(gregOfRM(modrm)), nameISize(sz), 
                        orig_src_val, nameIReg(sz,eregOfRM(modrm)));
         else
            VG_(printf)("%s%c %s, %s\n",
                        nameGrp2(gregOfRM(modrm)), nameISize(sz),
                        nameIReg(1,orig_src_val),
                        nameIReg(sz,eregOfRM(modrm)));
      }
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf);
      t1   = LOW24(pair);
      t2   = newTemp(cb);
      eip  += HI8(pair);
      eip  += d_sz;
      uInstr2(cb, LOAD, sz, TempReg, t1, TempReg, t2);
      switch (gregOfRM(modrm)) {
         case 0: uopc = ROL; break;  case 1: uopc = ROR; break;
         case 2: uopc = RCL; break;  case 3: uopc = RCR; break;
         case 4: uopc = SHL; break;  case 5: uopc = SHR; break;
         case 7: uopc = SAR; break;
         default: VG_(core_panic)("dis_Grp2(Reg): unhandled case");
      }
      if (src_tag == Literal) {
         uInstr2(cb, uopc, sz, Literal, 0, TempReg, t2);
	 uLiteral(cb, src_val);
      } else {
         uInstr2(cb, uopc, sz, src_tag, src_val, TempReg, t2);
      }
      setFlagsFromUOpcode(cb, uopc);
      uInstr2(cb, STORE, sz, TempReg, t2, TempReg, t1);
      if (VG_(print_codegen)) {
         if (orig_src_tag == Literal)
            VG_(printf)("%s%c $0x%x, %s\n",
                        nameGrp2(gregOfRM(modrm)), nameISize(sz), 
                        orig_src_val, dis_buf);
         else 
            VG_(printf)("%s%c %s, %s\n",
                        nameGrp2(gregOfRM(modrm)), nameISize(sz), 
                        nameIReg(1,orig_src_val),
                        dis_buf);
      }
   }
   return eip;
}



/* Group 8 extended opcodes (but BT/BTS/BTC/BTR only). */
static
Addr dis_Grp8_BT ( UCodeBlock* cb, 
                   UChar       sorb,
                   Addr eip, UChar modrm,
                   Int am_sz, Int sz, UInt src_val )
{
#  define MODIFY_t2_AND_SET_CARRY_FLAG					\
      /* t2 is the value to be op'd on.  Copy to t_fetched, then	\
         modify t2, if non-BT. */					\
      uInstr2(cb, MOV,   4,  TempReg, t2, TempReg, t_fetched);		\
      uInstr2(cb, MOV,  sz,  Literal, 0,  TempReg, t_mask);		\
      uLiteral(cb, v_mask);						\
      switch (gregOfRM(modrm)) {					\
         case 4: /* BT */  break;					\
         case 5: /* BTS */ 						\
            uInstr2(cb, OR, sz, TempReg, t_mask, TempReg, t2); break;	\
         case 6: /* BTR */						\
            uInstr2(cb, AND, sz, TempReg, t_mask, TempReg, t2); break;	\
         case 7: /* BTC */ 						\
            uInstr2(cb, XOR, sz, TempReg, t_mask, TempReg, t2); break;	\
      }									\
      /* Copy relevant bit from t_fetched into carry flag. */		\
      uInstr2(cb, SHR, sz, Literal, 0, TempReg, t_fetched);		\
      uLiteral(cb, src_val);						\
      uInstr2(cb, MOV, sz, Literal, 0, TempReg, t_mask);		\
      uLiteral(cb, 1);							\
      uInstr2(cb, AND, sz, TempReg, t_mask, TempReg, t_fetched);	\
      uInstr1(cb, NEG, sz, TempReg, t_fetched);				\
      setFlagsFromUOpcode(cb, NEG);


   /* src_val denotes a d8.
      And eip on entry points at the modrm byte. */
   Int   t1, t2, t_fetched, t_mask;
   UInt  pair;
   Char  dis_buf[50];
   UInt  v_mask;

   /* There is no 1-byte form of this instruction, AFAICS. */
   vg_assert(sz == 2 || sz == 4);

   /* Limit src_val -- the bit offset -- to something within a word.
      The Intel docs say that literal offsets larger than a word are
      masked in this way. */
   switch (sz) {
      case 2: src_val &= 15; break;
      case 4: src_val &= 31; break;
      default: VG_(core_panic)("dis_Grp8_BT: invalid size");
   }

   /* Invent a mask suitable for the operation. */

   switch (gregOfRM(modrm)) {
      case 4: /* BT */  v_mask = 0; break;
      case 5: /* BTS */ v_mask = 1 << src_val; break;
      case 6: /* BTR */ v_mask = ~(1 << src_val); break;
      case 7: /* BTC */ v_mask = 1 << src_val; break;
         /* If this needs to be extended, probably simplest to make a
            new function to handle the other cases (0 .. 3).  The
            Intel docs do however not indicate any use for 0 .. 3, so
            we don't expect this to happen. */
      default: VG_(core_panic)("dis_Grp8_BT");
   }
   /* Probably excessively paranoid. */
   if (sz == 2)
      v_mask &= 0x0000FFFF;

   t1        = INVALID_TEMPREG;
   t_fetched = newTemp(cb);
   t_mask    = newTemp(cb);

   if (epartIsReg(modrm)) {
      vg_assert(am_sz == 1);
      t2 = newTemp(cb);

      /* Fetch the value to be tested and modified. */
      uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t2);
      /* Do it! */
      MODIFY_t2_AND_SET_CARRY_FLAG;
      /* Dump the result back, if non-BT. */
      if (gregOfRM(modrm) != 4 /* BT */)
         uInstr2(cb, PUT, sz, TempReg, t2, ArchReg, eregOfRM(modrm));

      eip += (am_sz + 1);
      DIP("%s%c $0x%x, %s\n", nameGrp8(gregOfRM(modrm)), nameISize(sz),
                              src_val, nameIReg(sz,eregOfRM(modrm)));
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf);
      t1   = LOW24(pair);
      t2   = newTemp(cb);
      eip  += HI8(pair);
      eip  += 1;

      /* Fetch the value to be tested and modified. */
      uInstr2(cb, LOAD,  sz, TempReg, t1, TempReg, t2);
      /* Do it! */
      MODIFY_t2_AND_SET_CARRY_FLAG;
      /* Dump the result back, if non-BT. */
      if (gregOfRM(modrm) != 4 /* BT */) {
         uInstr2(cb, STORE, sz, TempReg, t2, TempReg, t1);
      }
      DIP("%s%c $0x%x, %s\n", nameGrp8(gregOfRM(modrm)), nameISize(sz),
                              src_val, dis_buf);
   }
   return eip;

#  undef MODIFY_t2_AND_SET_CARRY_FLAG
}



/* Generate ucode to multiply the value in EAX/AX/AL by the register
   specified by the ereg of modrm, and park the result in
   EDX:EAX/DX:AX/AX. */
static void codegen_mul_A_D_Reg ( UCodeBlock* cb, Int sz, 
                                  UChar modrm, Bool signed_multiply )
{
   Int helper = signed_multiply 
                ?
                   (sz==1 ? VGOFF_(helper_imul_8_16) 
                          : (sz==2 ? VGOFF_(helper_imul_16_32) 
                                   : VGOFF_(helper_imul_32_64)))
                :
                   (sz==1 ? VGOFF_(helper_mul_8_16)
                          : (sz==2 ? VGOFF_(helper_mul_16_32) 
                                   : VGOFF_(helper_mul_32_64)));
   Int t1 = newTemp(cb);
   Int ta = newTemp(cb);
   uInstr0(cb, CALLM_S, 0);
   uInstr2(cb, GET,   sz, ArchReg, eregOfRM(modrm), TempReg, t1);
   uInstr1(cb, PUSH,  sz, TempReg, t1);
   uInstr2(cb, GET,   sz, ArchReg, R_EAX,  TempReg, ta);
   uInstr1(cb, PUSH,  sz, TempReg, ta);
   uInstr1(cb, CALLM, 0,  Lit16,   helper);
   uFlagsRWU(cb, FlagsEmpty, FlagsOC, FlagsSZAP);
   if (sz > 1) {
      uInstr1(cb, POP, sz, TempReg, t1);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, R_EDX);
      uInstr1(cb, POP, sz, TempReg, t1);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, R_EAX);
   } else {
      uInstr1(cb, CLEAR, 0, Lit16,   4);
      uInstr1(cb, POP,   2, TempReg, t1);
      uInstr2(cb, PUT,   2, TempReg, t1, ArchReg, R_EAX);
   }
   uInstr0(cb, CALLM_E, 0);
   DIP("%s%c %s\n", signed_multiply ? "imul" : "mul",
                    nameISize(sz), nameIReg(sz, eregOfRM(modrm)));

}


/* Generate ucode to multiply the value in EAX/AX/AL by the value in
   TempReg temp, and park the result in EDX:EAX/DX:AX/AX. */
static void codegen_mul_A_D_Temp ( UCodeBlock* cb, Int sz, 
                                   Int temp, Bool signed_multiply,
                                   UChar* dis_buf )
{
   Int helper = signed_multiply 
                ?
                   (sz==1 ? VGOFF_(helper_imul_8_16) 
                          : (sz==2 ? VGOFF_(helper_imul_16_32) 
                                   : VGOFF_(helper_imul_32_64)))
                :
                   (sz==1 ? VGOFF_(helper_mul_8_16) 
                          : (sz==2 ? VGOFF_(helper_mul_16_32)
                                   : VGOFF_(helper_mul_32_64)));
   Int t1 = newTemp(cb);
   uInstr0(cb, CALLM_S, 0);
   uInstr1(cb, PUSH,  sz, TempReg, temp);
   uInstr2(cb, GET,   sz, ArchReg, R_EAX,  TempReg, t1);
   uInstr1(cb, PUSH,  sz, TempReg, t1);
   uInstr1(cb, CALLM, 0,  Lit16,   helper);
   uFlagsRWU(cb, FlagsEmpty, FlagsOC, FlagsSZAP);
   if (sz > 1) {
      uInstr1(cb, POP, sz, TempReg, t1);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, R_EDX);
      uInstr1(cb, POP, sz, TempReg, t1);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, R_EAX);
   } else {
      uInstr1(cb, CLEAR, 0, Lit16,   4);
      uInstr1(cb, POP,   2, TempReg, t1);
      uInstr2(cb, PUT,   2, TempReg, t1, ArchReg, R_EAX);
   }
   uInstr0(cb, CALLM_E, 0);
   DIP("%s%c %s\n", signed_multiply ? "imul" : "mul",
                    nameISize(sz), dis_buf);
}


/* Group 3 extended opcodes. */
static 
Addr dis_Grp3 ( UCodeBlock* cb, 
                UChar       sorb,
                Int sz, Addr eip )
{
   Int   t1, t2;
   UInt  pair, d32;
   UChar modrm;
   UChar dis_buf[50];
   t1 = t2 = INVALID_TEMPREG;
   modrm = getUChar(eip);
   if (epartIsReg(modrm)) {
      t1 = newTemp(cb);
      switch (gregOfRM(modrm)) {
         case 0: { /* TEST */
            Int tao = newTemp(cb);
            eip++; d32 = getUDisp(sz, eip); eip += sz;
            uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
	    uInstr2(cb, MOV, sz, Literal, 0, TempReg, tao);
	    uLiteral(cb, d32);
            uInstr2(cb, AND, sz, TempReg, tao, TempReg, t1);
            setFlagsFromUOpcode(cb, AND);
            DIP("test%c $0x%x, %s\n",
                nameISize(sz), d32, nameIReg(sz, eregOfRM(modrm)));
            break;
         }
         case 2: /* NOT */
            eip++;
            uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
            uInstr1(cb, NOT, sz, TempReg, t1);
            setFlagsFromUOpcode(cb, NOT);
            uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, eregOfRM(modrm));
            DIP("not%c %s\n", nameISize(sz), nameIReg(sz, eregOfRM(modrm)));
            break;
         case 3: /* NEG */
            eip++;
            uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
            uInstr1(cb, NEG, sz, TempReg, t1);
            setFlagsFromUOpcode(cb, NEG);
            uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, eregOfRM(modrm));
            DIP("neg%c %s\n", nameISize(sz), nameIReg(sz, eregOfRM(modrm)));
            break;
         case 4: /* MUL */
            eip++;
            codegen_mul_A_D_Reg ( cb, sz, modrm, False );
            break;
         case 5: /* IMUL */
            eip++;
            codegen_mul_A_D_Reg ( cb, sz, modrm, True );
            break;
         case 6: /* DIV */
            eip++;
            uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
            codegen_div ( cb, sz, t1, False );
            DIP("div%c %s\n", nameISize(sz), nameIReg(sz, eregOfRM(modrm)));
            break;
         case 7: /* IDIV */
            eip++;
            uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
            codegen_div ( cb, sz, t1, True );
            DIP("idiv%c %s\n", nameISize(sz), nameIReg(sz, eregOfRM(modrm)));
            break;
         default: 
            VG_(printf)(
               "unhandled Grp3(R) case %d\n", (UInt)gregOfRM(modrm));
            VG_(core_panic)("Grp3");
      }
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf );
      t2   = LOW24(pair);
      t1   = newTemp(cb);
      eip  += HI8(pair);
      uInstr2(cb, LOAD, sz, TempReg, t2, TempReg, t1);
      switch (gregOfRM(modrm)) {
         case 0: { /* TEST */
            Int tao = newTemp(cb);
            d32 = getUDisp(sz, eip); eip += sz;
            uInstr2(cb, MOV, sz, Literal, 0, TempReg, tao);
            uLiteral(cb, d32);
            uInstr2(cb, AND, sz, TempReg, tao, TempReg, t1);
            setFlagsFromUOpcode(cb, AND);
            DIP("test%c $0x%x, %s\n", nameISize(sz), d32, dis_buf);
            break;
         }
         case 2: /* NOT */
            uInstr1(cb, NOT, sz, TempReg, t1);
            setFlagsFromUOpcode(cb, NOT);
            uInstr2(cb, STORE, sz, TempReg, t1, TempReg, t2);
            DIP("not%c %s\n", nameISize(sz), dis_buf);
            break;
         case 3: /* NEG */
            uInstr1(cb, NEG, sz, TempReg, t1);
            setFlagsFromUOpcode(cb, NEG);
            uInstr2(cb, STORE, sz, TempReg, t1, TempReg, t2);
            DIP("neg%c %s\n", nameISize(sz), dis_buf);
            break;
         case 4: /* MUL */
            codegen_mul_A_D_Temp ( cb, sz, t1, False, 
                                   dis_buf );
            break;
         case 5: /* IMUL */
            codegen_mul_A_D_Temp ( cb, sz, t1, True, dis_buf );
            break;
         case 6: /* DIV */
            codegen_div ( cb, sz, t1, False );
            DIP("div%c %s\n", nameISize(sz), dis_buf);
            break;
         case 7: /* IDIV */
            codegen_div ( cb, sz, t1, True );
            DIP("idiv%c %s\n", nameISize(sz), dis_buf);
            break;
         default: 
            VG_(printf)(
               "unhandled Grp3(M) case %d\n", (UInt)gregOfRM(modrm));
            VG_(core_panic)("Grp3");
      }
   }
   return eip;
}


/* Group 4 extended opcodes. */
static
Addr dis_Grp4 ( UCodeBlock* cb, 
                UChar       sorb,
                Addr eip )
{
   Int   t1, t2;
   UInt  pair;
   UChar modrm;
   UChar dis_buf[50];
   t1 = t2 = INVALID_TEMPREG;

   modrm = getUChar(eip);
   if (epartIsReg(modrm)) {
      t1 = newTemp(cb);
      uInstr2(cb, GET, 1, ArchReg, eregOfRM(modrm), TempReg, t1);
      switch (gregOfRM(modrm)) {
         case 0: /* INC */
            uInstr1(cb, INC, 1, TempReg, t1);
            setFlagsFromUOpcode(cb, INC);
            uInstr2(cb, PUT, 1, TempReg, t1, ArchReg, eregOfRM(modrm));
            break;
         case 1: /* DEC */
            uInstr1(cb, DEC, 1, TempReg, t1);
            setFlagsFromUOpcode(cb, DEC);
            uInstr2(cb, PUT, 1, TempReg, t1, ArchReg, eregOfRM(modrm));
            break;
         default: 
            VG_(printf)(
               "unhandled Grp4(R) case %d\n", (UInt)gregOfRM(modrm));
            VG_(core_panic)("Grp4");
      }
      eip++;
      DIP("%sb %s\n", nameGrp4(gregOfRM(modrm)),
                      nameIReg(1, eregOfRM(modrm)));
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf );
      t2   = LOW24(pair);
      t1   = newTemp(cb);
      uInstr2(cb, LOAD, 1, TempReg, t2, TempReg, t1);
      switch (gregOfRM(modrm)) {
         case 0: /* INC */ 
            uInstr1(cb, INC, 1, TempReg, t1);
            setFlagsFromUOpcode(cb, INC);
            uInstr2(cb, STORE, 1, TempReg, t1, TempReg, t2);
            break;
         case 1: /* DEC */
            uInstr1(cb, DEC, 1, TempReg, t1);
            setFlagsFromUOpcode(cb, DEC);
            uInstr2(cb, STORE, 1, TempReg, t1, TempReg, t2);
            break;
         default: 
            VG_(printf)(
               "unhandled Grp4(M) case %d\n", (UInt)gregOfRM(modrm));
            VG_(core_panic)("Grp4");
      }
      eip += HI8(pair);
      DIP("%sb %s\n", nameGrp4(gregOfRM(modrm)), dis_buf);
   }
   return eip;
}


/* Group 5 extended opcodes. */
static
Addr dis_Grp5 ( UCodeBlock* cb, 
                UChar       sorb,
                Int sz, Addr eip, Bool* isEnd )
{
   Int   t1, t2, t3, t4;
   UInt  pair;
   UChar modrm;
   UChar dis_buf[50];
   t1 = t2 = t3 = t4 = INVALID_TEMPREG;

   modrm = getUChar(eip);
   if (epartIsReg(modrm)) {
      t1 = newTemp(cb);
      uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
      switch (gregOfRM(modrm)) {
         case 0: /* INC */
            uInstr1(cb, INC, sz, TempReg, t1);
            setFlagsFromUOpcode(cb, INC);
            uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, eregOfRM(modrm));
            break;
         case 1: /* DEC */
            uInstr1(cb, DEC, sz, TempReg, t1);
            setFlagsFromUOpcode(cb, DEC);
            uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, eregOfRM(modrm));
            break;
         case 2: /* call Ev */
            t3 = newTemp(cb); t4 = newTemp(cb);
            uInstr2(cb, GET,   4, ArchReg, R_ESP, TempReg, t3);
            uInstr2(cb, SUB,   4, Literal, 0,     TempReg, t3);
	    uLiteral(cb, 4);
            uInstr2(cb, PUT,   4, TempReg, t3,    ArchReg, R_ESP);
            uInstr2(cb, MOV,   4, Literal, 0,     TempReg, t4);
	    uLiteral(cb, eip+1);
            uInstr2(cb, STORE, 4, TempReg, t4,    TempReg, t3);
            jmp_treg(cb, t1);
            LAST_UINSTR(cb).jmpkind = JmpCall;
            *isEnd = True;
            break;
         case 4: /* jmp Ev */
            jmp_treg(cb, t1);
            *isEnd = True;
            break;
         default: 
            VG_(printf)(
               "unhandled Grp5(R) case %d\n", (UInt)gregOfRM(modrm));
            VG_(core_panic)("Grp5");
      }
      eip++;
      DIP("%s%c %s\n", nameGrp5(gregOfRM(modrm)),
                       nameISize(sz), nameIReg(sz, eregOfRM(modrm)));
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf );
      t2   = LOW24(pair);
      t1   = newTemp(cb);
      uInstr2(cb, LOAD, sz, TempReg, t2, TempReg, t1);
      switch (gregOfRM(modrm)) {
         case 0: /* INC */ 
            uInstr1(cb, INC, sz, TempReg, t1);
            setFlagsFromUOpcode(cb, INC);
            uInstr2(cb, STORE, sz, TempReg, t1, TempReg, t2);
            break;
         case 1: /* DEC */
            uInstr1(cb, DEC, sz, TempReg, t1);
            setFlagsFromUOpcode(cb, DEC);
            uInstr2(cb, STORE, sz, TempReg, t1, TempReg, t2);
            break;
         case 2: /* call Ev */
            t3 = newTemp(cb); t4 = newTemp(cb);
            uInstr2(cb, GET,   4, ArchReg, R_ESP, TempReg, t3);
            uInstr2(cb, SUB,   4, Literal, 0,     TempReg, t3);
            uLiteral(cb, 4);
            uInstr2(cb, PUT,   4, TempReg, t3,    ArchReg, R_ESP);
            uInstr2(cb, MOV,   4, Literal, 0,     TempReg, t4);
	         uLiteral(cb, eip+HI8(pair));
            uInstr2(cb, STORE, 4, TempReg, t4,    TempReg, t3);
            jmp_treg(cb, t1);
            LAST_UINSTR(cb).jmpkind = JmpCall;
            *isEnd = True;
            break;
         case 4: /* JMP Ev */
            jmp_treg(cb, t1);
            *isEnd = True;
            break;
         case 6: /* PUSH Ev */
            t3 = newTemp(cb);
            uInstr2(cb, GET,    4, ArchReg, R_ESP, TempReg, t3);
            uInstr2(cb, SUB,    4, Literal, 0,     TempReg, t3);
	    uLiteral(cb, sz);
            uInstr2(cb, PUT,    4, TempReg, t3,    ArchReg, R_ESP);
            uInstr2(cb, STORE, sz, TempReg, t1,    TempReg, t3);
            break;
         default: 
            VG_(printf)(
               "unhandled Grp5(M) case %d\n", (UInt)gregOfRM(modrm));
            VG_(core_panic)("Grp5");
      }
      eip += HI8(pair);
      DIP("%s%c %s\n", nameGrp5(gregOfRM(modrm)),
                       nameISize(sz), dis_buf);
   }
   return eip;
}

/*------------------------------------------------------------*/
/*--- Disassembling string ops (including REP prefixes)    ---*/
/*------------------------------------------------------------*/

/* Code shared by all the string ops */
static
void dis_string_op_increment(UCodeBlock* cb, Int sz, Int t_inc)
{
   uInstr0 (cb, CALLM_S, 0);
   uInstr2 (cb, MOV,   4, Literal, 0, TempReg, t_inc);
   uLiteral(cb, 0);
   uInstr1 (cb, PUSH,  4, TempReg, t_inc);

   uInstr1  (cb, CALLM, 0, Lit16, VGOFF_(helper_get_dirflag));
   uFlagsRWU(cb, FlagD, FlagsEmpty, FlagsEmpty);

   uInstr1(cb, POP,   4, TempReg, t_inc);
   uInstr0(cb, CALLM_E, 0);

   if (sz == 4 || sz == 2) {
      uInstr2(cb, SHL, 4, Literal, 0, TempReg, t_inc);
      uLiteral(cb, sz/2);
   }
}

static
void dis_string_op( UCodeBlock* cb, void (*dis_OP)( UCodeBlock*, Int, Int ), 
                    Int sz, Char* name, UChar sorb )
{
   Int t_inc = newTemp(cb);
   vg_assert(sorb == 0);
   dis_string_op_increment(cb, sz, t_inc);
   dis_OP( cb, sz, t_inc );
   DIP("%s%c\n", name, nameISize(sz));
}


static 
void dis_MOVS ( UCodeBlock* cb, Int sz, Int t_inc )
{
   Int tv = newTemp(cb);   /* value being copied */
   Int td = newTemp(cb);   /* EDI */
   Int ts = newTemp(cb);   /* ESI */

   uInstr2(cb, GET,   4, ArchReg, R_EDI, TempReg, td);
   uInstr2(cb, GET,   4, ArchReg, R_ESI, TempReg, ts);

   uInstr2(cb, LOAD, sz, TempReg, ts,    TempReg, tv);
   uInstr2(cb, STORE,sz, TempReg, tv,    TempReg, td);

   uInstr2(cb, ADD,   4, TempReg, t_inc, TempReg, td);
   uInstr2(cb, ADD,   4, TempReg, t_inc, TempReg, ts);

   uInstr2(cb, PUT,   4, TempReg, td,    ArchReg, R_EDI);
   uInstr2(cb, PUT,   4, TempReg, ts,    ArchReg, R_ESI);
}

static 
void dis_LODS ( UCodeBlock* cb, Int sz, Int t_inc )
{
   Int ta = newTemp(cb);   /* EAX */
   Int ts = newTemp(cb);   /* ESI */

   uInstr2(cb, GET,    4, ArchReg, R_ESI, TempReg, ts);
   uInstr2(cb, LOAD,  sz, TempReg, ts,    TempReg, ta);
   uInstr2(cb, PUT,   sz, TempReg, ta,    ArchReg, R_EAX);

   uInstr2(cb, ADD,   4, TempReg, t_inc, TempReg, ts);
   uInstr2(cb, PUT,   4, TempReg, ts,    ArchReg, R_ESI);
}

static 
void dis_STOS ( UCodeBlock* cb, Int sz, Int t_inc )
{
   Int ta = newTemp(cb);   /* EAX */
   Int td = newTemp(cb);   /* EDI */

   uInstr2(cb, GET,   sz, ArchReg, R_EAX, TempReg, ta);
   uInstr2(cb, GET,    4, ArchReg, R_EDI, TempReg, td);
   uInstr2(cb, STORE, sz, TempReg, ta,    TempReg, td);

   uInstr2(cb, ADD,   4, TempReg, t_inc, TempReg, td);
   uInstr2(cb, PUT,   4, TempReg, td,    ArchReg, R_EDI);
}

static 
void dis_CMPS ( UCodeBlock* cb, Int sz, Int t_inc )
{
   Int tdv = newTemp(cb);  /* (EDI) */
   Int tsv = newTemp(cb);  /* (ESI) */
   Int td  = newTemp(cb);  /*  EDI  */
   Int ts  = newTemp(cb);  /*  ESI  */

   uInstr2(cb, GET,   4, ArchReg, R_EDI, TempReg, td);
   uInstr2(cb, GET,   4, ArchReg, R_ESI, TempReg, ts);

   uInstr2(cb, LOAD, sz, TempReg, td,    TempReg, tdv);
   uInstr2(cb, LOAD, sz, TempReg, ts,    TempReg, tsv);

   uInstr2(cb, SUB,  sz, TempReg, tdv,   TempReg, tsv); 
   setFlagsFromUOpcode(cb, SUB);

   uInstr2(cb, ADD,   4, TempReg, t_inc, TempReg, td);
   uInstr2(cb, ADD,   4, TempReg, t_inc, TempReg, ts);

   uInstr2(cb, PUT,   4, TempReg, td,    ArchReg, R_EDI);
   uInstr2(cb, PUT,   4, TempReg, ts,    ArchReg, R_ESI);
}

static 
void dis_SCAS ( UCodeBlock* cb, Int sz, Int t_inc )
{
   Int ta  = newTemp(cb);  /*  EAX  */
   Int td  = newTemp(cb);  /*  EDI  */
   Int tdv = newTemp(cb);  /* (EDI) */

   uInstr2(cb, GET,  sz, ArchReg, R_EAX, TempReg, ta);
   uInstr2(cb, GET,   4, ArchReg, R_EDI, TempReg, td);
   uInstr2(cb, LOAD, sz, TempReg, td,    TempReg, tdv);
   /* next uinstr kills ta, but that's ok -- don't need it again */
   uInstr2(cb, SUB,  sz, TempReg, tdv,   TempReg, ta);
   setFlagsFromUOpcode(cb, SUB);

   uInstr2(cb, ADD,   4, TempReg, t_inc, TempReg, td);
   uInstr2(cb, PUT,   4, TempReg, td,    ArchReg, R_EDI);
}


/* Wrap the appropriate string op inside a REP/REPE/REPNE.
   We assume the insn is the last one in the basic block, and so emit a jump
   to the next insn, rather than just falling through. */
static 
void dis_REP_op ( UCodeBlock* cb, Int cond,
                  void (*dis_OP)(UCodeBlock*, Int, Int),
                  Int sz, Addr eip, Addr eip_next, Char* name )
{
   Int t_inc = newTemp(cb);
   Int tc    = newTemp(cb);  /*  ECX  */

   dis_string_op_increment(cb, sz, t_inc);

   uInstr2 (cb, GET,   4, ArchReg, R_ECX, TempReg, tc);
   uInstr2 (cb, JIFZ,  4, TempReg, tc,    Literal, 0);
   uLiteral(cb, eip_next);
   uInstr1 (cb, DEC,   4, TempReg, tc);
   uInstr2 (cb, PUT,   4, TempReg, tc,    ArchReg, R_ECX);

   dis_OP  (cb, sz, t_inc);

   if (cond == CondAlways) {
      jmp_lit(cb, eip);
   } else {
      jcc_lit(cb, eip, cond);
      jmp_lit(cb, eip_next);
   }
   DIP("%s%c\n", name, nameISize(sz));
}

/*------------------------------------------------------------*/
/*--- Arithmetic, etc.                                     ---*/
/*------------------------------------------------------------*/

/* (I)MUL E, G.  Supplied eip points to the modR/M byte. */
static
Addr dis_mul_E_G ( UCodeBlock* cb, 
                   UChar       sorb,
                   Int         size, 
                   Addr        eip0,
                   Bool        signed_multiply )
{
   Int ta, tg, te;
   UChar dis_buf[50];
   UChar rm = getUChar(eip0);
   ta = INVALID_TEMPREG;
   te = newTemp(cb);
   tg = newTemp(cb);

   if (epartIsReg(rm)) {
      vg_assert(signed_multiply);
      uInstr2(cb, GET,  size, ArchReg, gregOfRM(rm), TempReg, tg);
      uInstr2(cb, MUL,	size, ArchReg, eregOfRM(rm), TempReg, tg);
      setFlagsFromUOpcode(cb, MUL);
      uInstr2(cb, PUT,  size, TempReg, tg, ArchReg, gregOfRM(rm));
      DIP("%smul%c %s, %s\n", signed_multiply ? "i" : "",
                              nameISize(size), 
                              nameIReg(size,eregOfRM(rm)),
                              nameIReg(size,gregOfRM(rm)));
      return 1+eip0;
   } else {
      UInt pair;
      vg_assert(signed_multiply);
      pair = disAMode ( cb, sorb, eip0, dis_buf );
      ta = LOW24(pair);
      uInstr2(cb, LOAD,  size, TempReg, ta, TempReg, te);
      uInstr2(cb, GET,   size, ArchReg, gregOfRM(rm), TempReg, tg);
      uInstr2(cb, MUL,	size, TempReg, te, TempReg, tg);
      setFlagsFromUOpcode(cb, MUL);
      uInstr2(cb, PUT,  size, TempReg, tg,    ArchReg, gregOfRM(rm));

      DIP("%smul%c %s, %s\n", signed_multiply ? "i" : "",
                              nameISize(size), 
                              dis_buf, nameIReg(size,gregOfRM(rm)));
      return HI8(pair)+eip0;
   }
}


/* IMUL I * E -> G.  Supplied eip points to the modR/M byte. */
static
Addr dis_imul_I_E_G ( UCodeBlock* cb, 
                      UChar       sorb,
                      Int         size, 
                      Addr        eip,
                      Int         litsize )
{
   Int ta, te, tl, d32;
    Char dis_buf[50];
   UChar rm = getUChar(eip);
   ta = INVALID_TEMPREG;
   te = newTemp(cb);
   tl = newTemp(cb);

   if (epartIsReg(rm)) {
      uInstr2(cb, GET,   size, ArchReg, eregOfRM(rm), TempReg, te);
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      ta = LOW24(pair);
      uInstr2(cb, LOAD,  size, TempReg, ta, TempReg, te);
      eip += HI8(pair);
   }

   d32 = getSDisp(litsize,eip);
   eip += litsize;

   uInstr2(cb, MOV,   size, Literal, 0,   TempReg, tl);
   uLiteral(cb, d32);
   uInstr2(cb, MUL,   size, TempReg, tl,   TempReg, te);
   setFlagsFromUOpcode(cb, MUL);
   uInstr2(cb, PUT,   size, TempReg, te,   ArchReg, gregOfRM(rm));

   DIP("imul %d, %s, %s\n", d32, 
       ( epartIsReg(rm) ? nameIReg(size,eregOfRM(rm)) : dis_buf ),
       nameIReg(size,gregOfRM(rm)) );

   return eip;
}   


/* Handle FPU insns which read/write memory.  On entry, eip points to
   the second byte of the insn (the one following D8 .. DF). */
static 
Addr dis_fpu_mem ( UCodeBlock* cb, 
                   UChar       sorb,
                   Int size, Bool is_write, 
                   Addr eip, UChar first_byte )
{
   Int   ta;
   UInt  pair;
   UChar dis_buf[50];
   UChar second_byte = getUChar(eip);
   vg_assert(second_byte < 0xC0);
   second_byte &= 0x38;
   pair = disAMode ( cb, sorb, eip, dis_buf );
   ta   = LOW24(pair);
   eip  += HI8(pair);
   uInstr2(cb, is_write ? FPU_W : FPU_R, size,
               Lit16, 
               (((UShort)first_byte) << 8) | ((UShort)second_byte),
               TempReg, ta);
   if (is_write) {
      DIP("fpu_w_%d 0x%x:0x%x, %s\n",
          size, (UInt)first_byte, (UInt)second_byte, dis_buf );
   } else {
      DIP("fpu_r_%d %s, 0x%x:0x%x\n",
          size, dis_buf, (UInt)first_byte, (UInt)second_byte );
   }
   return eip;
}


/* Handle FPU insns which don't reference memory.  On entry, eip points to
   the second byte of the insn (the one following D8 .. DF). */
static 
Addr dis_fpu_no_mem ( UCodeBlock* cb, Addr eip, UChar first_byte )
{
   Bool  sets_ZCP    = False;
   Bool  uses_ZCP    = False;
   UChar second_byte = getUChar(eip); eip++;
   vg_assert(second_byte >= 0xC0);

   /* Does the insn write any integer condition codes (%EIP) ? */

   if (first_byte == 0xDB && second_byte >= 0xF0 && second_byte <= 0xF7) {
      /* FCOMI */
      sets_ZCP = True;
   } else
   if (first_byte == 0xDF && second_byte >= 0xF0 && second_byte <= 0xF7) {
      /* FCOMIP */
      sets_ZCP = True;
   } else
   if (first_byte == 0xDB && second_byte >= 0xE8 && second_byte <= 0xEF) {
      /* FUCOMI */
      sets_ZCP = True;
   } else
   if (first_byte == 0xDF && second_byte >= 0xE8 && second_byte <= 0xEF) {
      /* FUCOMIP */
      sets_ZCP = True;
   } 

   /* Dually, does the insn read any integer condition codes (%EIP) ? */

   if (first_byte == 0xDA && second_byte >= 0xC0 && second_byte <= 0xDF) {
      /* FCMOVB  %st(n), %st(0)
         FCMOVE  %st(n), %st(0)
         FCMOVBE %st(n), %st(0)
         FCMOVU  %st(n), %st(0)
      */
      uses_ZCP = True;
   } else
   if (first_byte == 0xDB && second_byte >= 0xC0 && second_byte <= 0xDF) {
      /* FCMOVNB  %st(n), %st(0)
         FCMOVNE  %st(n), %st(0)
         FCMOVNBE %st(n), %st(0)
         FCMOVNU  %st(n), %st(0)
      */
      uses_ZCP = True;
   }

   uInstr1(cb, FPU, 0,
               Lit16,
               (((UShort)first_byte) << 8) | ((UShort)second_byte)
          );
   if (uses_ZCP) {
      /* VG_(printf)("!!! --- FPU insn which reads %EFLAGS\n"); */
      uFlagsRWU(cb, FlagsZCP, FlagsEmpty, FlagsEmpty);
      vg_assert(!sets_ZCP);
   }
   if (sets_ZCP) {
      /* VG_(printf)("!!! --- FPU insn which writes %EFLAGS\n"); */
      uFlagsRWU(cb, FlagsEmpty, FlagsZCP, FlagsEmpty);
      vg_assert(!uses_ZCP);
   }

   DIP("fpu 0x%x:0x%x%s%s\n", (UInt)first_byte, (UInt)second_byte,
                              uses_ZCP ? " -rZCP" : "",
                              sets_ZCP ? " -wZCP" : "" );
   return eip;
}


/* Top-level handler for all FPU insns.  On entry, eip points to the
   second byte of the insn. */
static
Addr dis_fpu ( UCodeBlock* cb, 
               UChar       sorb,
               UChar first_byte, Addr eip )
{
   const Bool rd = False; 
   const Bool wr = True;
   UChar second_byte = getUChar(eip);

   /* Handle FSTSW %ax specially. */
   if (first_byte == 0xDF && second_byte == 0xE0) {
      Int t1 = newTemp(cb);
      uInstr0(cb, CALLM_S, 0);
      uInstr2(cb, MOV,   4, Literal, 0,  TempReg, t1);
      uLiteral(cb, 0);
      uInstr1(cb, PUSH,  4, TempReg, t1);
      uInstr1(cb, CALLM, 0, Lit16,   VGOFF_(helper_fstsw_AX) );
      uFlagsRWU(cb, FlagsEmpty, FlagsEmpty, FlagsEmpty);
      uInstr1(cb, POP,   2,  TempReg, t1);
      uInstr2(cb, PUT,   2,  TempReg, t1, ArchReg, R_EAX);
      uInstr0(cb, CALLM_E, 0);
      DIP("fstsw %%ax\n");
      eip++;
      return eip;
   }

   /* Handle all non-memory FPU ops simply. */
   if (second_byte >= 0xC0)
      return dis_fpu_no_mem ( cb, eip, first_byte );

   /* The insn references memory; need to determine 
      whether it reads or writes, and at what size. */
   switch (first_byte) {

      case 0xD8:
         switch ((second_byte >> 3) & 7) {
            case 0: /* FADDs */
            case 1: /* FMULs */
            case 2: /* FCOMs */
            case 3: /* FCOMPs */
            case 4: /* FSUBs */
            case 5: /* FSUBRs */
            case 6: /* FDIVs */
            case 7: /* FDIVRs */
               return dis_fpu_mem(cb, sorb, 4, rd, eip, first_byte); 
            default: 
               goto unhandled;
         }
         break;

      case 0xD9:
         switch ((second_byte >> 3) & 7) {
            case 0: /* FLDs */
               return dis_fpu_mem(cb, sorb, 4, rd, eip, first_byte); 
            case 2: /* FSTs */
            case 3: /* FSTPs */
               return dis_fpu_mem(cb, sorb, 4, wr, eip, first_byte); 
            case 4: /* FLDENV */
               return dis_fpu_mem(cb, sorb, 28, rd, eip, first_byte);
            case 5: /* FLDCW */
               return dis_fpu_mem(cb, sorb, 2, rd, eip, first_byte); 
            case 6: /* FNSTENV */
               return dis_fpu_mem(cb, sorb, 28, wr, eip, first_byte);
            case 7: /* FSTCW */
               /* HACK!  FSTCW actually writes 2 bytes, not 4.  glibc
                  gets lots of moaning in __floor() if we do the right
                  thing here. */
               /* Later ... hack disabled .. we do do the Right Thing. */
               return dis_fpu_mem(cb, sorb, /*4*/ 2, wr, eip, first_byte); 
            default: 
               goto unhandled;
         }
         break;

      case 0xDA:
         switch ((second_byte >> 3) & 7) {
            case 0: /* FIADD dword-integer */
            case 1: /* FIMUL dword-integer */
            case 2: /* FICOM dword-integer */
            case 3: /* FICOMP dword-integer */
            case 4: /* FISUB dword-integer */
            case 5: /* FISUBR dword-integer */
            case 6: /* FIDIV dword-integer */
            case 7: /* FIDIVR dword-integer */
               return dis_fpu_mem(cb, sorb, 4, rd, eip, first_byte); 
            default: 
               goto unhandled;
         }
         break;

      case 0xDB:
         switch ((second_byte >> 3) & 7) {
            case 0: /* FILD dword-integer */
               return dis_fpu_mem(cb, sorb, 4, rd, eip, first_byte); 
            case 2: /* FIST dword-integer */
               return dis_fpu_mem(cb, sorb, 4, wr, eip, first_byte); 
            case 3: /* FISTPl */
               return dis_fpu_mem(cb, sorb, 4, wr, eip, first_byte); 
            case 5: /* FLD extended-real */
               return dis_fpu_mem(cb, sorb, 10, rd, eip, first_byte); 
            case 7: /* FSTP extended-real */
               return dis_fpu_mem(cb, sorb, 10, wr, eip, first_byte); 
            default: 
               goto unhandled;
         }
         break;

      case 0xDC:
         switch ((second_byte >> 3) & 7) {
            case 0: /* FADD double-real */
            case 1: /* FMUL double-real */
            case 2: /* FCOM double-real */
            case 3: /* FCOMP double-real */
            case 4: /* FSUB double-real */
            case 5: /* FSUBR double-real */
            case 6: /* FDIV double-real */
            case 7: /* FDIVR double-real */
               return dis_fpu_mem(cb, sorb, 8, rd, eip, first_byte); 
            default: 
               goto unhandled;
         }
         break;

      case 0xDD:
         switch ((second_byte >> 3) & 7) {
            case 0: /* FLD double-real */
               return dis_fpu_mem(cb, sorb, 8, rd, eip, first_byte); 
            case 2: /* FST double-real */
            case 3: /* FSTP double-real */
               return dis_fpu_mem(cb, sorb, 8, wr, eip, first_byte);
            case 4: /* FRSTOR */
               return dis_fpu_mem(cb, sorb, 108, rd, eip, first_byte);
            case 6: /* FSAVE */
               return dis_fpu_mem(cb, sorb, 108, wr, eip, first_byte);
            case 7: /* FSTSW */
               return dis_fpu_mem(cb, sorb, 2, wr, eip, first_byte);
            default: 
               goto unhandled;
         }
         break;

      case 0xDE:
         switch ((second_byte >> 3) & 7) {
            case 0: /* FIADD word-integer */
            case 1: /* FIMUL word-integer */
            case 2: /* FICOM word-integer */
            case 3: /* FICOMP word-integer */
            case 4: /* FISUB word-integer */
            case 5: /* FISUBR word-integer */
            case 6: /* FIDIV word-integer */
            case 7: /* FIDIVR word-integer */
               return dis_fpu_mem(cb, sorb, 2, rd, eip, first_byte); 
            default: 
               goto unhandled;
         }
         break;

      case 0xDF:
         switch ((second_byte >> 3) & 7) {
            case 0: /* FILD word-integer */
               return dis_fpu_mem(cb, sorb, 2, rd, eip, first_byte); 
            case 2: /* FIST word-integer */
               return dis_fpu_mem(cb, sorb, 2, wr, eip, first_byte); 
            case 3: /* FISTP word-integer */
               return dis_fpu_mem(cb, sorb, 2, wr, eip, first_byte); 
            case 4: /* FBLD extended-real */
               return dis_fpu_mem(cb, sorb, 10, rd, eip, first_byte);
            case 5: /* FILD qword-integer */
               return dis_fpu_mem(cb, sorb, 8, rd, eip, first_byte); 
            case 6: /* FBSTP extended-real */
               return dis_fpu_mem(cb, sorb, 10, wr, eip, first_byte);
            case 7: /* FISTP qword-integer */
               return dis_fpu_mem(cb, sorb, 8, wr, eip, first_byte); 
            default: 
               goto unhandled;
         }
         break;

      default: goto unhandled;
   }

  unhandled: 
   VG_(printf)("dis_fpu: unhandled memory case 0x%2x:0x%2x(%d)\n",
               (UInt)first_byte, (UInt)second_byte, 
               (UInt)((second_byte >> 3) & 7) );
   VG_(core_panic)("dis_fpu: unhandled opcodes");
}


/* Double length left shifts.  Apparently only required in v-size (no
   b- variant). */
static
Addr dis_SHLRD_Gv_Ev ( UCodeBlock* cb,
                       UChar sorb,
                       Addr eip, UChar modrm,
                       Int sz, 
                       Tag amt_tag, UInt amt_val,
                       Bool left_shift )
{
   /* amt_tag and amt_val denote either ArchReg(%CL) or a Literal.
      And eip on entry points at the modrm byte. */
   Int   t, t1, t2, ta, helper;
   UInt  pair;
   UChar dis_buf[50];

   vg_assert(sz == 2 || sz == 4);

   helper = left_shift 
               ? (sz==4 ? VGOFF_(helper_shldl) 
                        : VGOFF_(helper_shldw))
               : (sz==4 ? VGOFF_(helper_shrdl) 
                        : VGOFF_(helper_shrdw));

   /* Get the amount to be shifted by onto the stack. */
   t = newTemp(cb);
   t1 = newTemp(cb);
   t2 = newTemp(cb);
   if (amt_tag == ArchReg) {
      vg_assert(amt_val == R_CL);
      uInstr2(cb, GET, 1, ArchReg, amt_val, TempReg, t);
   } else {
      uInstr2(cb, MOV, 1, Literal, 0, TempReg, t);
      uLiteral(cb, amt_val);
   }

   uInstr0(cb, CALLM_S, 0);
   uInstr1(cb, PUSH, 1, TempReg, t);

   /* The E-part is the destination; this is shifted.  The G-part
      supplies bits to be shifted into the E-part, but is not
      changed. */

   uInstr2(cb, GET,  sz, ArchReg, gregOfRM(modrm), TempReg, t1);
   uInstr1(cb, PUSH, sz, TempReg, t1);

   if (epartIsReg(modrm)) {
      eip++;
      uInstr2(cb, GET,   sz, ArchReg, eregOfRM(modrm), TempReg, t2);
      uInstr1(cb, PUSH,  sz, TempReg, t2);
      uInstr1(cb, CALLM, 0,  Lit16,   helper);
      uFlagsRWU(cb, FlagsEmpty, FlagsOSZACP, FlagsEmpty);
      uInstr1(cb, POP,   sz, TempReg, t);
      uInstr2(cb, PUT,   sz, TempReg, t, ArchReg, eregOfRM(modrm));
      DIP("sh%cd%c %%cl, %s, %s\n",
          ( left_shift ? 'l' : 'r' ), nameISize(sz), 
          nameIReg(sz, gregOfRM(modrm)), nameIReg(sz, eregOfRM(modrm)));
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf );
      ta   = LOW24(pair);
      eip  += HI8(pair);
      uInstr2(cb, LOAD,  sz, TempReg, ta,     TempReg, t2);
      uInstr1(cb, PUSH,  sz, TempReg, t2);
      uInstr1(cb, CALLM, 0,  Lit16,   helper);
      uFlagsRWU(cb, FlagsEmpty, FlagsOSZACP, FlagsEmpty);
      uInstr1(cb, POP,   sz, TempReg, t);
      uInstr2(cb, STORE, sz, TempReg, t,      TempReg, ta);
      DIP("sh%cd%c %%cl, %s, %s\n", ( left_shift ? 'l' : 'r' ),
          nameISize(sz), nameIReg(sz, gregOfRM(modrm)), dis_buf);
   }
  
   if (amt_tag == Literal) eip++;
   uInstr1(cb, CLEAR, 0, Lit16, 8);

   uInstr0(cb, CALLM_E, 0);
   return eip;
}


/* Handle BT/BTS/BTR/BTC Gv, Ev.  Apparently b-size is not
   required. */

typedef enum { BtOpNone, BtOpSet, BtOpReset, BtOpComp } BtOp;

static Char* nameBtOp ( BtOp op )
{
   switch (op) {
      case BtOpNone:  return "";
      case BtOpSet:   return "s";
      case BtOpReset: return "r";
      case BtOpComp:  return "c";
      default: VG_(core_panic)("nameBtOp");
   }
}


static
Addr dis_bt_G_E ( UCodeBlock* cb, 
                  UChar       sorb,
                  Int sz, Addr eip, BtOp op )
{
   UInt  pair;
    Char dis_buf[50];
   UChar modrm;

   Int t_addr, t_bitno, t_mask, t_fetched, t_esp, temp, lit;

   vg_assert(sz == 2 || sz == 4);

   t_addr = t_bitno = t_mask 
          = t_fetched = t_esp = temp = INVALID_TEMPREG;

   t_fetched = newTemp(cb);
   t_bitno   = newTemp(cb);
   temp      = newTemp(cb);
   lit       = newTemp(cb);

   modrm = getUChar(eip);

   uInstr2(cb, GET,  sz, ArchReg, gregOfRM(modrm), TempReg, t_bitno);

   if (sz == 2) {
      uInstr1(cb, WIDEN, 4, TempReg, t_bitno);
      uWiden(cb, 2, False);
   }
   
   if (epartIsReg(modrm)) {
      eip++;
      /* Get it onto the client's stack. */
      t_esp = newTemp(cb);
      t_addr = newTemp(cb);
      uInstr2(cb, GET,   4, ArchReg,  R_ESP, TempReg, t_esp);
      uInstr2(cb, SUB,   4, Literal,  0,     TempReg, t_esp);
      uLiteral(cb, sz);
      uInstr2(cb, PUT,   4, TempReg,  t_esp, ArchReg, R_ESP);
      uInstr2(cb, GET,   sz, ArchReg, eregOfRM(modrm), TempReg, temp);
      uInstr2(cb, STORE, sz, TempReg, temp, TempReg, t_esp);
      /* Make t_addr point at it. */
      uInstr2(cb, MOV,   4,  TempReg, t_esp, TempReg, t_addr);
      /* Mask out upper bits of the shift amount, since we're doing a
         reg. */
      uInstr2(cb, MOV, 4, Literal, 0, TempReg, lit);
      uLiteral(cb, sz == 4 ? 31 : 15);
      uInstr2(cb, AND, 4, TempReg, lit, TempReg, t_bitno);
   } else {
      pair   = disAMode ( cb, sorb, eip, dis_buf );
      t_addr = LOW24(pair);
      eip   += HI8(pair);
   }
  
   /* At this point: t_addr points to the address being operated on.  If
      it was a reg, we will have pushed it onto the client's stack.
      t_bitno is the bit number, suitable masked in the case of a reg.  */
   
   /* Now the main sequence. */

   uInstr2(cb, MOV, 4, TempReg, t_bitno, TempReg, temp);
   uInstr2(cb, SAR, 4, Literal, 0, TempReg, temp);
   uLiteral(cb, 3);
   uInstr2(cb, ADD, 4, TempReg, temp, TempReg, t_addr);
   /* t_addr now holds effective address */

   uInstr2(cb, MOV, 4, Literal, 0, TempReg, lit);
   uLiteral(cb, 7);
   uInstr2(cb, AND, 4, TempReg, lit, TempReg, t_bitno);
   /* t_bitno contains offset of bit within byte */

   if (op != BtOpNone) {
      t_mask = newTemp(cb);
      uInstr2(cb, MOV, 4, Literal, 0, TempReg, t_mask);
      uLiteral(cb, 1);
      uInstr2(cb, SHL, 4, TempReg, t_bitno, TempReg, t_mask);
   }
   /* t_mask is now a suitable byte mask */

   uInstr2(cb, LOAD, 1, TempReg, t_addr, TempReg, t_fetched);
   if (op != BtOpNone) {
      uInstr2(cb, MOV, 4, TempReg, t_fetched, TempReg, temp);
      switch (op) {
         case BtOpSet: 
            uInstr2(cb, OR, 4, TempReg, t_mask, TempReg, temp); 
            break;
         case BtOpComp: 
            uInstr2(cb, XOR, 4, TempReg, t_mask, TempReg, temp); 
            break;
         case BtOpReset: 
            uInstr1(cb, NOT, 4, TempReg, t_mask);
            uInstr2(cb, AND, 4, TempReg, t_mask, TempReg, temp); 
            break;
         default: 
            VG_(core_panic)("dis_bt_G_E");
      }
      uInstr2(cb, STORE, 1, TempReg, temp, TempReg, t_addr);
   }

   /* Side effect done; now get selected bit into Carry flag */

   uInstr2(cb, SHR, 4, TempReg, t_bitno, TempReg, t_fetched);
   /* at bit 0 of fetched */

   uInstr2(cb, MOV, 4, Literal, 0, TempReg, lit);
   uLiteral(cb, 1);
   uInstr2(cb, AND, 4, TempReg, lit, TempReg, t_fetched);
   /* t_fetched is now 1 or 0 */

   /* NEG is a handy way to convert zero/nonzero into the carry
      flag. */
   uInstr1(cb, NEG, 4, TempReg, t_fetched);
   setFlagsFromUOpcode(cb, NEG);
   /* t_fetched is now in carry flag */

   /* Move reg operand from stack back to reg */
   if (epartIsReg(modrm)) {
      /* t_esp still points at it. */
      uInstr2(cb, LOAD, sz, TempReg, t_esp, TempReg, temp);
      uInstr2(cb, PUT,  sz, TempReg, temp, ArchReg, eregOfRM(modrm));
      uInstr2(cb, ADD,  4,  Literal, 0, TempReg, t_esp);
      uLiteral(cb, sz);
      uInstr2(cb, PUT,  4,  TempReg, t_esp, ArchReg, R_ESP);
   }

   DIP("bt%s%c %s, %s\n",
       nameBtOp(op), nameISize(sz), nameIReg(sz, gregOfRM(modrm)), 
       ( epartIsReg(modrm) ? nameIReg(sz, eregOfRM(modrm)) : dis_buf ) );
 
   return eip;
}



/* Handle BSF/BSR.  Only v-size seems necessary. */
static
Addr dis_bs_E_G ( UCodeBlock* cb, 
                  UChar       sorb,
                  Int sz, Addr eip, Bool fwds )
{
   Int   t, t1, ta, helper;
   UInt  pair;
    Char dis_buf[50];
   UChar modrm;
   Bool  isReg;

   vg_assert(sz == 2 || sz == 4);

   if (fwds)
      helper = sz == 2 ? VGOFF_(helper_bsfw) : VGOFF_(helper_bsfl);
   else
      helper = sz == 2 ? VGOFF_(helper_bsrw) : VGOFF_(helper_bsrl);
   
   modrm  = getUChar(eip);
   t1     = newTemp(cb);
   t      = newTemp(cb);

   uInstr0(cb, CALLM_S, 0);
   uInstr2(cb, GET,  sz, ArchReg, gregOfRM(modrm), TempReg, t1);
   uInstr1(cb, PUSH, sz, TempReg, t1);

   isReg = epartIsReg(modrm);
   if (isReg) {
      eip++;
      uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t);
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf );
      ta   = LOW24(pair);
      eip  += HI8(pair);
      uInstr2(cb, LOAD, sz, TempReg, ta, TempReg, t);
   }
   DIP("bs%c%c %s, %s\n",
       fwds ? 'f' : 'r', nameISize(sz), 
       ( isReg ? nameIReg(sz, eregOfRM(modrm)) : dis_buf ), 
       nameIReg(sz, gregOfRM(modrm)));

   uInstr1(cb, PUSH,  sz,  TempReg, t);
   uInstr1(cb, CALLM, 0,   Lit16, helper);
   uFlagsRWU(cb, FlagsEmpty, FlagZ, FlagsOSACP);
   uInstr1(cb, POP,   sz,  TempReg, t);
   uInstr1(cb, POP,   sz,  TempReg, t);
   uInstr2(cb, PUT,   sz,  TempReg, t, ArchReg, gregOfRM(modrm));
   uInstr0(cb, CALLM_E, 0);

   return eip;
}


static 
void codegen_xchg_eAX_Reg ( UCodeBlock* cb, Int sz, Int reg )
{
   Int t1, t2;
   vg_assert(sz == 2 || sz == 4);
   t1 = newTemp(cb);
   t2 = newTemp(cb);
   uInstr2(cb, GET, sz, ArchReg, R_EAX, TempReg, t1);
   uInstr2(cb, GET, sz, ArchReg, reg,   TempReg, t2);
   uInstr2(cb, PUT, sz, TempReg, t2,    ArchReg, R_EAX);
   uInstr2(cb, PUT, sz, TempReg, t1,    ArchReg, reg);
   DIP("xchg%c %s, %s\n", 
       nameISize(sz), nameIReg(sz, R_EAX), nameIReg(sz, reg));
}


static 
void codegen_SAHF ( UCodeBlock* cb )
{
   Int t   = newTemp(cb);
   Int t2  = newTemp(cb);
   uInstr2(cb, GET,   4, ArchReg, R_EAX, TempReg, t);

   /* Mask out parts of t not corresponding to %AH.  This stops the
      instrumenter complaining if they are undefined.  Otherwise, the
      instrumenter would check all 32 bits of t at the PUSH, which
      could be the cause of incorrect warnings.  Discovered by Daniel
      Veillard <veillard@redhat.com>. 
   */
   uInstr2(cb, MOV, 4, Literal, 0, TempReg, t2);
   uLiteral(cb, 0x0000FF00);
   uInstr2(cb, AND, 4, TempReg, t2, TempReg, t);
   /* We deliberately don't set the condition codes here, since this
      AND is purely internal to Valgrind and nothing to do with the
      client's state. */

   uInstr0(cb, CALLM_S, 0);
   uInstr1(cb, PUSH,  4, TempReg, t);
   uInstr1(cb, CALLM, 0, Lit16,   VGOFF_(helper_SAHF));
   uFlagsRWU(cb, FlagsEmpty, FlagsSZACP, FlagsEmpty);
   uInstr1(cb, CLEAR, 0, Lit16, 4);
   uInstr0(cb, CALLM_E, 0);
}

static 
void codegen_LAHF ( UCodeBlock* cb )
{
   Int t = newTemp(cb);

   /* Pushed arg is ignored, it just provides somewhere to put the
      return value. */
   uInstr2(cb, GET,   4, ArchReg, R_EAX, TempReg, t);
   uInstr0(cb, CALLM_S, 0);
   uInstr1(cb, PUSH,  4, TempReg, t);
   uInstr1(cb, CALLM, 0, Lit16,   VGOFF_(helper_LAHF));
   uFlagsRWU(cb, FlagsSZACP, FlagsEmpty, FlagsEmpty);
   uInstr1(cb, POP,   4, TempReg, t);
   uInstr0(cb, CALLM_E, 0);

   /* At this point, the %ah sub-register in %eax has been updated,
      the rest is the same, so do a PUT of the whole thing. */
   uInstr2(cb, PUT,   4,  TempReg, t,   ArchReg, R_EAX);
}


static
Addr dis_cmpxchg_G_E ( UCodeBlock* cb, 
                       UChar       sorb,
                       Int         size, 
                       Addr        eip0 )
{
   Int   ta, junk, dest, src, acc;
   UChar dis_buf[50];
   UChar rm;

   rm   = getUChar(eip0);
   acc  = newTemp(cb);
   src  = newTemp(cb);
   dest = newTemp(cb);
   junk = newTemp(cb);
   /* Only needed to get gcc's dataflow analyser off my back. */
   ta   = INVALID_TEMPREG;

   if (epartIsReg(rm)) {
     uInstr2(cb, GET, size, ArchReg, eregOfRM(rm), TempReg, dest);
     eip0++;
     DIP("cmpxchg%c %s,%s\n", nameISize(size),
                              nameIReg(size,gregOfRM(rm)),
                              nameIReg(size,eregOfRM(rm)) );
   } else {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf );
      ta        = LOW24(pair);
      uInstr2(cb, LOAD, size, TempReg, ta, TempReg, dest);
      eip0 += HI8(pair);
      DIP("cmpxchg%c %s,%s\n", nameISize(size), 
                               nameIReg(size,gregOfRM(rm)), dis_buf);
   }

   uInstr2(cb, GET, size, ArchReg, gregOfRM(rm), TempReg, src);
   uInstr2(cb, GET, size, ArchReg, R_EAX,        TempReg, acc);
   uInstr2(cb, MOV, 4,    TempReg, acc,          TempReg, junk);
   uInstr2(cb, SUB, size, TempReg, dest,         TempReg, junk);
   setFlagsFromUOpcode(cb, SUB);

   uInstr2(cb, CMOV, 4, TempReg, src,  TempReg, dest);
   uCond(cb, CondZ);
   uFlagsRWU(cb, FlagsOSZACP, FlagsEmpty, FlagsEmpty);
   uInstr2(cb, CMOV, 4, TempReg, dest, TempReg, acc);
   uCond(cb, CondNZ);
   uFlagsRWU(cb, FlagsOSZACP, FlagsEmpty, FlagsEmpty);

   uInstr2(cb, PUT, size, TempReg, acc, ArchReg, R_EAX);
   if (epartIsReg(rm)) {
     uInstr2(cb, PUT,   size, TempReg, dest, ArchReg, eregOfRM(rm));
   } else {
     uInstr2(cb, STORE, size, TempReg, dest, TempReg, ta);
   }

   return eip0;
}


static
Addr dis_cmpxchg8b ( UCodeBlock* cb, 
                     UChar       sorb,
                     Addr        eip0 )
{
   Int   tal, tah, junkl, junkh, destl, desth, srcl, srch, accl, acch;
   UChar dis_buf[50];
   UChar rm;
   UInt  pair;

   rm    = getUChar(eip0);
   accl  = newTemp(cb);
   acch  = newTemp(cb);
   srcl  = newTemp(cb);
   srch  = newTemp(cb);
   destl = newTemp(cb);
   desth = newTemp(cb);
   junkl = newTemp(cb);
   junkh = newTemp(cb);

   vg_assert(!epartIsReg(rm));

   pair = disAMode ( cb, sorb, eip0, dis_buf );
   tal = LOW24(pair);
   tah = newTemp(cb);
   uInstr2(cb, MOV, 4, TempReg, tal, TempReg, tah);
   uInstr2(cb, ADD, 4, Literal, 0, TempReg, tah);
   uLiteral(cb, 4);
   eip0 += HI8(pair);
   DIP("cmpxchg8b %s\n", dis_buf);
   
   uInstr0(cb, CALLM_S, 0);

   uInstr2(cb, LOAD,  4, TempReg, tah, TempReg, desth);
   uInstr1(cb, PUSH,  4, TempReg, desth);
   uInstr2(cb, LOAD,  4, TempReg, tal, TempReg, destl);
   uInstr1(cb, PUSH,  4, TempReg, destl);
   uInstr2(cb, GET,   4, ArchReg, R_ECX, TempReg, srch);
   uInstr1(cb, PUSH,  4, TempReg, srch);
   uInstr2(cb, GET,   4, ArchReg, R_EBX, TempReg, srcl);
   uInstr1(cb, PUSH,  4, TempReg, srcl);
   uInstr2(cb, GET,   4, ArchReg, R_EDX, TempReg, acch);
   uInstr1(cb, PUSH,  4, TempReg, acch);
   uInstr2(cb, GET,   4, ArchReg, R_EAX, TempReg, accl);
   uInstr1(cb, PUSH,  4, TempReg, accl);
   
   uInstr1(cb, CALLM, 0, Lit16,   VGOFF_(helper_cmpxchg8b));
   uFlagsRWU(cb, FlagsEmpty, FlagZ, FlagsEmpty);
   
   uInstr1(cb, POP,   4, TempReg, accl);
   uInstr2(cb, PUT,   4, TempReg, accl, ArchReg, R_EAX);
   uInstr1(cb, POP,   4, TempReg, acch);
   uInstr2(cb, PUT,   4, TempReg, acch, ArchReg, R_EDX);
   uInstr1(cb, POP,   4, TempReg, srcl);
   uInstr2(cb, PUT,   4, TempReg, srcl, ArchReg, R_EBX);
   uInstr1(cb, POP,   4, TempReg, srch);
   uInstr2(cb, PUT,   4, TempReg, srch, ArchReg, R_ECX);
   uInstr1(cb, POP,   4, TempReg, destl);
   uInstr2(cb, STORE, 4, TempReg, destl, TempReg, tal);
   uInstr1(cb, POP,   4, TempReg, desth);
   uInstr2(cb, STORE, 4, TempReg, desth, TempReg, tah);

   uInstr0(cb, CALLM_E, 0);
   
   return eip0;
}


/* Handle conditional move instructions of the form
      cmovcc E(reg-or-mem), G(reg)

   E(src) is reg-or-mem
   G(dst) is reg.

   If E is reg, -->    GET %E, tmps
                       GET %G, tmpd
                       CMOVcc tmps, tmpd
                       PUT tmpd, %G
 
   If E is mem  -->    (getAddr E) -> tmpa
                       LD (tmpa), tmps
                       GET %G, tmpd
                       CMOVcc tmps, tmpd
                       PUT tmpd, %G
*/
static
Addr dis_cmov_E_G ( UCodeBlock* cb, 
                    UChar       sorb,
                    Int         size, 
                    Condcode    cond,
                    Addr        eip0 )
{
   UChar rm  = getUChar(eip0);
   UChar dis_buf[50];

   Int tmps = newTemp(cb);
   Int tmpd = newTemp(cb);   

   if (epartIsReg(rm)) {
      uInstr2(cb, GET,  size, ArchReg, eregOfRM(rm), TempReg, tmps);
      uInstr2(cb, GET,  size, ArchReg, gregOfRM(rm), TempReg, tmpd);
      uInstr2(cb, CMOV,    4, TempReg, tmps, TempReg, tmpd);
      uCond(cb, cond);
      uFlagsRWU(cb, FlagsOSZACP, FlagsEmpty, FlagsEmpty);
      uInstr2(cb, PUT, size, TempReg, tmpd, ArchReg, gregOfRM(rm));
      DIP("cmov%c%s %s,%s\n", nameISize(size), 
                              VG_(name_UCondcode)(cond),
                              nameIReg(size,eregOfRM(rm)),
                              nameIReg(size,gregOfRM(rm)));
      return 1+eip0;
   }

   /* E refers to memory */    
   {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf );
      Int  tmpa = LOW24(pair);
      uInstr2(cb, LOAD, size, TempReg, tmpa, TempReg, tmps);
      uInstr2(cb, GET,  size, ArchReg, gregOfRM(rm), TempReg, tmpd);
      uInstr2(cb, CMOV,    4, TempReg, tmps, TempReg, tmpd);
      uCond(cb, cond);
      uFlagsRWU(cb, FlagsOSZACP, FlagsEmpty, FlagsEmpty);
      uInstr2(cb, PUT, size, TempReg, tmpd, ArchReg, gregOfRM(rm));
      DIP("cmov%c%s %s,%s\n", nameISize(size), 
                              VG_(name_UCondcode)(cond),
                              dis_buf,
                              nameIReg(size,gregOfRM(rm)));
      return HI8(pair)+eip0;
   }
}


static
Addr dis_xadd_G_E ( UCodeBlock* cb, 
                    UChar       sorb,
                    Int         sz, 
                    Addr        eip0 )
{
   UChar rm  = getUChar(eip0);
   UChar dis_buf[50];

   Int tmpd = newTemp(cb);   
   Int tmpt = newTemp(cb);

   if (epartIsReg(rm)) {
      uInstr2(cb, GET, sz, ArchReg, eregOfRM(rm), TempReg, tmpd);
      uInstr2(cb, GET, sz, ArchReg, gregOfRM(rm), TempReg, tmpt);
      uInstr2(cb, ADD, sz, TempReg, tmpd, TempReg, tmpt);
      setFlagsFromUOpcode(cb, ADD);
      uInstr2(cb, PUT, sz, TempReg, tmpd, ArchReg, gregOfRM(rm));
      uInstr2(cb, PUT, sz, TempReg, tmpt, ArchReg, eregOfRM(rm));
      DIP("xadd%c %s, %s\n", 
          nameISize(sz), nameIReg(sz,gregOfRM(rm)), nameIReg(sz,eregOfRM(rm)));
      return 1+eip0;
   } else {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf );
      Int  tmpa  = LOW24(pair);
      uInstr2(cb, LOAD, sz, TempReg, tmpa,          TempReg, tmpd);
      uInstr2(cb, GET,  sz, ArchReg, gregOfRM(rm),  TempReg, tmpt);
      uInstr2(cb,  ADD, sz, TempReg, tmpd, TempReg, tmpt);
      setFlagsFromUOpcode(cb, ADD);
      uInstr2(cb, STORE, sz, TempReg, tmpt, TempReg, tmpa);
      uInstr2(cb, PUT, sz, TempReg, tmpd, ArchReg, gregOfRM(rm));
      DIP("xadd%c %s, %s\n", 
          nameISize(sz), nameIReg(sz,gregOfRM(rm)), dis_buf);
      return HI8(pair)+eip0;
   }
}


/* Moves of Ew into a segment register.
      mov Ew, Sw  meaning
      mov reg-or-mem, reg
   Is passed the a ptr to the modRM byte, and the data size.  Returns
   the address advanced completely over this instruction.

   Ew(src) is reg-or-mem
   Sw(dst) is seg reg.

   If E is reg, -->    GETw   %Ew,  tmpv
                       PUTSEG tmpv, %Sw
 
   If E is mem  -->    (getAddr E) -> tmpa
                       LDw (tmpa), tmpb
                       PUTSEG tmpb, %Sw
*/
static
Addr dis_mov_Ew_Sw ( UCodeBlock* cb, 
                     UChar       sorb,
                     Addr        eip0 )
{
   UChar rm  = getUChar(eip0);
   UChar dis_buf[50];

   if (epartIsReg(rm)) {
      Int tmpv = newTemp(cb);
      uInstr2(cb, GET,    2, ArchReg, eregOfRM(rm), TempReg, tmpv);
      uInstr2(cb, PUTSEG, 2, TempReg, tmpv, ArchRegS, gregOfRM(rm));
      DIP("movw %s,%s\n", nameIReg(2,eregOfRM(rm)), nameSReg(gregOfRM(rm)));
      return 1+eip0;
   }

   /* E refers to memory */    
   {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf );
      Int  tmpa = LOW24(pair);
      Int  tmpb = newTemp(cb);
      uInstr2(cb, LOAD,   2, TempReg, tmpa, TempReg, tmpb);
      uInstr2(cb, PUTSEG, 2, TempReg, tmpb, ArchRegS, gregOfRM(rm));
      DIP("movw %s,%s\n", dis_buf,nameSReg(gregOfRM(rm)));
      return HI8(pair)+eip0;
   }
}


/* Moves of a segment register to Ew.
      mov Sw, Ew  meaning
      mov reg, reg-or-mem
   Is passed the a ptr to the modRM byte, and the data size.  Returns
   the address advanced completely over this instruction.

   Sw(src) is seg reg.
   Ew(dst) is reg-or-mem

   If E is reg, -->    GETSEG %Sw,  tmp
                       PUTW tmp, %Ew
 
   If E is mem, -->    (getAddr E) -> tmpa
                       GETSEG %Sw, tmpv
                       STW tmpv, (tmpa) 
*/
static
Addr dis_mov_Sw_Ew ( UCodeBlock* cb, 
                     UChar       sorb,
                     Addr        eip0 )
{
   UChar rm = getUChar(eip0);
   UChar dis_buf[50];

   if (epartIsReg(rm)) {
      Int tmpv = newTemp(cb);
      uInstr2(cb, GETSEG, 2, ArchRegS, gregOfRM(rm), TempReg, tmpv);
      uInstr2(cb, PUT,    2, TempReg, tmpv, ArchReg, eregOfRM(rm));
      DIP("movw %s,%s\n", nameSReg(gregOfRM(rm)), nameIReg(2,eregOfRM(rm)));
      return 1+eip0;
   }

   /* E refers to memory */    
   {
      UInt pair = disAMode ( cb, sorb, eip0, dis_buf );
      Int  tmpa = LOW24(pair);
      Int  tmpv = newTemp(cb);
      uInstr2(cb, GETSEG, 2, ArchRegS, gregOfRM(rm), TempReg, tmpv);
      uInstr2(cb, STORE,  2, TempReg, tmpv, TempReg, tmpa);
      DIP("mov %s,%s\n", nameSReg(gregOfRM(rm)), dis_buf);
      return HI8(pair)+eip0;
   }
}



/* Simple MMX operations, either 
       op   (src)mmxreg, (dst)mmxreg
   or
       op   (src)address, (dst)mmxreg
   opc is the byte following the 0x0F prefix.
*/
static 
Addr dis_MMXop_regmem_to_reg ( UCodeBlock* cb, 
                               UChar sorb,
                               Addr eip,
                               UChar opc,
                               Char* name,
                               Bool show_granularity )
{
    Char dis_buf[50];
   UChar modrm = getUChar(eip);
   Bool  isReg = epartIsReg(modrm);

   if (isReg) {
      eip++;
      uInstr1(cb, MMX2, 0, 
                  Lit16, 
                  (((UShort)(opc)) << 8) | ((UShort)modrm) );
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      uInstr2(cb, MMX2_MemRd, 8, 
                  Lit16, 
                  (((UShort)(opc)) << 8) | ((UShort)modrm),
                  TempReg, tmpa);
   }

   DIP("%s%s %s, %s\n", 
       name, show_granularity ? nameMMXGran(opc & 3) : (Char*)"",
       ( isReg ? nameMMXReg(eregOfRM(modrm)) : dis_buf ),
       nameMMXReg(gregOfRM(modrm)) );

   return eip;
}


/* Simple MMX operations, either 
       op   (src)mmxreg, (dst)mmxreg
   or
       op   (src)address, (dst)mmxreg
   opc is the byte following the 0x0F prefix.
*/
static 
Addr dis_MMXop_regmem_to_reg_Imm8 ( UCodeBlock* cb, 
                                    UChar sorb,
                                    Addr eip,
                                    UChar opc,
                                    Char* name,
                                    Bool show_granularity )
{
    Char dis_buf[50];
   UChar modrm = getUChar(eip);
   UChar imm8;
   Bool  isReg = epartIsReg(modrm);

   if (isReg) {
      eip++;
      imm8 = getUChar(eip);
      eip++;
      uInstr2(cb, MMX3, 0, 
                  Lit16, 
                  (((UShort)(opc)) << 8) | ((UShort)modrm),
                  Lit16,
                  ((UShort)imm8));
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      imm8 = getUChar(eip);
      eip++;
      uInstr3(cb, MMX2a1_MemRd, 8, 
                  Lit16, 
                  (((UShort)(opc)) << 8) | ((UShort)modrm),
                  Lit16,
                  ((UShort)imm8),
                  TempReg, tmpa);
   }

   DIP("%s%s %s, %s, $%d\n", 
       name, show_granularity ? nameMMXGran(opc & 3) : (Char*)"",
       ( isReg ? nameMMXReg(eregOfRM(modrm)) : dis_buf ),
       nameMMXReg(gregOfRM(modrm)), (Int)imm8 );

   return eip;
}



/* Simple SSE operations, either 
       op   (src)xmmreg, (dst)xmmreg
   or
       op   (src)address, (dst)xmmreg
   3 opcode bytes.
   Supplied eip points to the first address mode byte.
*/
static
Addr dis_SSE3_reg_or_mem ( UCodeBlock* cb, 
                           UChar sorb, 
			   Addr eip,
			   Int sz,
                           Char* name, 
                           UChar opc1, 
                           UChar opc2, 
                           UChar opc3 )
{
    Char dis_buf[50];
   UChar modrm = getUChar(eip);
   Bool  isReg = epartIsReg(modrm);

   if (isReg) {
      /* Completely internal SSE insn. */
      uInstr2(cb, SSE4, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)opc1) << 8) | (UShort)opc2,
                  Lit16, (((UShort)opc3) << 8) | (UShort)modrm );
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      uInstr3(cb, SSE3a_MemRd, sz,
                  Lit16, (((UShort)(opc1)) << 8) | ((UShort)opc2),
                  Lit16, (((UShort)(opc3)) << 8) | ((UShort)modrm),
                  TempReg, tmpa);
   }

   DIP("%s %s, %s\n", 
       name, 
       ( isReg ? nameXMMReg(eregOfRM(modrm)) : dis_buf ),
       nameXMMReg(gregOfRM(modrm)) );

   return eip;
}


/* Simple SSE operations, either 
       op   (src)xmmreg, (dst)xmmreg
   or
       op   (src)address, (dst)xmmreg
   2 opcode bytes.
   Supplied eip points to the first address mode byte.
*/
static
Addr dis_SSE2_reg_or_mem ( UCodeBlock* cb, 
                           UChar sorb, 
                           Addr eip,
                           Int sz, 
                           Char* name,
                           UChar opc1, 
                           UChar opc2 )
{
    Char dis_buf[50];
   UChar modrm = getUChar(eip);
   Bool  isReg = epartIsReg(modrm);

   if (isReg) {
      /* Completely internal SSE insn. */
      uInstr2(cb, SSE3, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)opc1) << 8) | (UShort)opc2,
                  Lit16, (UShort)modrm );
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      uInstr3(cb, SSE2a_MemRd, sz,
                  Lit16, (((UShort)(opc1)) << 8) | ((UShort)opc2),
                  Lit16, (UShort)modrm,
                  TempReg, tmpa);
   }
   DIP("%s %s, %s\n", 
       name, 
       ( isReg ? nameXMMReg(eregOfRM(modrm)) : dis_buf ), 
       nameXMMReg(gregOfRM(modrm)) );

   return eip;
}


/* Simple SSE operations, either 
       op   (src)xmmreg, (dst)xmmreg
   or
       op   (src)address, (dst)xmmreg
   2 opcode bytes and an 8-bit immediate after the amode.
   Supplied eip points to the first address mode byte.
*/
static
Addr dis_SSE2_reg_or_mem_Imm8 ( UCodeBlock* cb, 
                                UChar sorb, 
				Addr eip,
                                Int sz, 
                                Char* name,
				UChar opc1, 
				UChar opc2 )
{
    Char dis_buf[50];
   UChar modrm = getUChar(eip);
   UChar imm8;
   Bool  isReg = epartIsReg(modrm);

   if (isReg) {
      /* Completely internal SSE insn. */
      eip++;
      imm8 = getUChar(eip);
      uInstr2(cb, SSE4, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)opc1) << 8) | (UShort)opc2,
                  Lit16, (((UShort)modrm) << 8) | (UShort)imm8 );
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      imm8 = getUChar(eip);
      eip++;
      uInstr3(cb, SSE2a1_MemRd, sz,
                  Lit16, (((UShort)(opc1)) << 8) | ((UShort)opc2),
                  Lit16, (((UShort)(modrm)) << 8) | ((UShort)imm8),
                  TempReg, tmpa);
   }
   DIP("%s %s, %s, $%d\n", 
       name, ( isReg ? nameXMMReg(eregOfRM(modrm)) : dis_buf ), 
       nameXMMReg(gregOfRM(modrm)), (Int)imm8 );
   return eip;
}


/* Simple SSE operations, either 
       op   (src)xmmreg, (dst)xmmreg
   or
       op   (src)address, (dst)xmmreg
   3 opcode bytes and an 8-bit immediate after the amode.
   Supplied eip points to the first address mode byte.
*/
static
Addr dis_SSE3_reg_or_mem_Imm8 ( UCodeBlock* cb, 
                                UChar sorb, 
				Addr eip,
                                Int sz, 
                                Char* name,
				UChar opc1, 
				UChar opc2,
                                UChar opc3 )
{
    Char dis_buf[50];
   UChar modrm = getUChar(eip);
   UChar imm8;
   Bool  isReg = epartIsReg(modrm);

   if (isReg) {
      /* Completely internal SSE insn. */
      eip++;
      imm8 = getUChar(eip);
      uInstr3(cb, SSE5, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)opc1) << 8) | (UShort)opc2,
                  Lit16, (((UShort)opc3) << 8) | (UShort)modrm,
                  Lit16, (UShort)imm8 );
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      imm8 = getUChar(eip);
      eip++;
      uInstr3(cb, SSE3a1_MemRd, sz,
                  Lit16, (((UShort)(opc1)) << 8) | ((UShort)opc2),
                  Lit16, (((UShort)(opc3)) << 8) | ((UShort)modrm),
                  TempReg, tmpa);
      uLiteral(cb, imm8);
   }
   DIP("%s %s, %s, $%d\n", 
       name, ( isReg ? nameXMMReg(eregOfRM(modrm)) : dis_buf ), 
       nameXMMReg(gregOfRM(modrm)), (Int)imm8 );
   return eip;
}


/* Disassemble an SSE insn which is either a simple reg-reg move or a
   move between registers and memory.  Supplied eip points to the
   first address mode byte.
*/
static
Addr dis_SSE3_load_store_or_mov ( UCodeBlock* cb, 
                                  UChar sorb,
                                  Addr eip, 
                                  Int sz,
				  Bool is_store, 
                                  Char* name,
                                  UChar insn0, 
                                  UChar insn1, 
                                  UChar insn2 )
{
    Char dis_buf[50];
   UChar modrm = getUChar(eip);
   Bool  isReg = epartIsReg(modrm);
   UInt  pair;
   Int   t1;

   if (isReg) {
      /* Completely internal; we can issue SSE4. */
      eip++;
      uInstr2(cb, SSE4, 0, /* ignore sz for internal ops */
                  Lit16, (((UShort)insn0) << 8) | (UShort)insn1,
                  Lit16, (((UShort)insn2) << 8) | (UShort)modrm );
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf );
      t1   = LOW24(pair);
      eip += HI8(pair);
      uInstr3(cb, is_store ? SSE3a_MemWr : SSE3a_MemRd, sz,
                  Lit16, (((UShort)insn0) << 8) | (UShort)insn1,
                  Lit16, (((UShort)insn2) << 8) | (UShort)modrm,
                  TempReg, t1 );
   }

   if (is_store) {
      DIP("%s %s, %s\n", 
          name,
          nameXMMReg(gregOfRM(modrm)),
          ( isReg ? nameXMMReg(eregOfRM(modrm)) : dis_buf ) );
   } else {
      DIP("%s %s, %s\n", 
          name,
          ( isReg ? nameXMMReg(eregOfRM(modrm)) : dis_buf ),
          nameXMMReg(gregOfRM(modrm)) );
   }
   return eip;
}


/* Disassemble an SSE insn which is either a simple reg-reg move or a
   move between registers and memory.  Supplied eip points to the
   first address mode byte. */
static
Addr dis_SSE2_load_store_or_mov ( UCodeBlock* cb, 
                                  UChar sorb,
                                  Addr eip, 
                                  Int sz,
				  Bool is_store, 
                                  Char* name,
                                  UChar insn0, 
                                  UChar insn1 )
{
    Char dis_buf[50];
   UChar modrm = getUChar(eip);
   Bool  isReg = epartIsReg(modrm);
   UInt  pair;
   Int   t1;

   if (isReg) {
      /* Completely internal; we can issue SSE3. */
      eip++;
      uInstr2(cb, SSE3, 0, /* ignore sz for internal ops */
                  Lit16, (((UShort)insn0) << 8) | (UShort)insn1,
                  Lit16, (UShort)modrm );
   } else {
      pair = disAMode ( cb, sorb, eip, dis_buf );
      t1   = LOW24(pair);
      eip += HI8(pair);
      uInstr3(cb, is_store ? SSE2a_MemWr : SSE2a_MemRd, sz,
                  Lit16, (((UShort)insn0) << 8) | (UShort)insn1,
                  Lit16, (UShort)modrm,
                  TempReg, t1 );
   }

   if (is_store) {
      DIP("%s %s, %s\n",
          name,
          nameXMMReg(gregOfRM(modrm)),
          ( isReg ? nameXMMReg(eregOfRM(modrm)) : dis_buf ) );
   } else {
      DIP("%s %s, %s\n",
          name,
          ( isReg ? nameXMMReg(eregOfRM(modrm)) : dis_buf ),
          nameXMMReg(gregOfRM(modrm)) );
   }
   return eip;
}


/* Simple SSE operations, either 
       op   (src)xmmreg, (dst)mmxreg
   or
       op   (src)address, (dst)mmxreg
   2 opcode bytes.
   Supplied eip points to the first address mode byte.
*/
static
Addr dis_SSE2_to_MMX ( UCodeBlock *cb,
                       UChar sorb,
                       Addr eip,
                       Int sz, 
                       Char* name, 
                       UChar opc1, 
                       UChar opc2 )
{
   UChar dis_buf[50];
   UChar modrm = getUChar(eip);
   if (epartIsReg(modrm)) {
      /* Completely internal SSE insn. */
      uInstr2(cb, SSE3, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)opc1) << 8) | (UShort)opc2,
                  Lit16, (UShort)modrm );
      DIP("%s %s, %s\n",
          name, nameXMMReg(eregOfRM(modrm)), nameMMXReg(gregOfRM(modrm)) );
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      uInstr3(cb, SSE2a_MemRd, sz,
                  Lit16, (((UShort)(opc1)) << 8) | ((UShort)opc2),
                  Lit16, ((UShort)modrm),
                  TempReg, tmpa);
      DIP("%s %s, %s\n", name, dis_buf, nameMMXReg(gregOfRM(modrm)));
   }
   return eip;
}


/* Simple SSE operations, either 
       op   (src)mmxreg, (dst)xmmreg
   or
       op   (src)address, (dst)xmmreg
   2 opcode bytes.
   Supplied eip points to the first address mode byte.
*/
static
Addr dis_SSE2_from_MMX ( UCodeBlock *cb,
                         UChar sorb,
                         Addr eip,
                         Int sz, 
                         Char* name, 
                         UChar opc1, 
                         UChar opc2 )
{
   UChar dis_buf[50];
   UChar modrm = getUChar(eip);
   if (epartIsReg(modrm)) {
      /* Completely internal SSE insn. */
      uInstr2(cb, SSE3, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)opc1) << 8) | (UShort)opc2,
                  Lit16, (UShort)modrm );
      DIP("%s %s, %s\n",
          name, nameMMXReg(eregOfRM(modrm)), nameXMMReg(gregOfRM(modrm)) );
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      uInstr3(cb, SSE2a_MemRd, sz,
                  Lit16, (((UShort)(opc1)) << 8) | ((UShort)opc2),
                  Lit16, ((UShort)modrm),
                  TempReg, tmpa);
      DIP("%s %s, %s\n", name, dis_buf, nameXMMReg(gregOfRM(modrm)));
   }
   return eip;
}


/* Simple SSE operations, either 
       op   (src)xmmreg, (dst)mmxreg
   or
       op   (src)address, (dst)mmxreg
   3 opcode bytes.
   Supplied eip points to the first address mode byte.
*/
static
Addr dis_SSE3_to_MMX ( UCodeBlock *cb,
                       UChar sorb,
                       Addr eip,
                       Int sz,
                       Char* name, 
                       UChar opc1, 
                       UChar opc2, 
                       UChar opc3 )
{
   UChar dis_buf[50];
   UChar modrm = getUChar(eip);
   if (epartIsReg(modrm)) {
      /* Completely internal SSE insn. */
      uInstr2(cb, SSE4, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)opc1) << 8) | (UShort)opc2,
                  Lit16, (((UShort)opc3) << 8) | (UShort)modrm );
      DIP("%s %s, %s\n",
          name, nameXMMReg(eregOfRM(modrm)), nameMMXReg(gregOfRM(modrm)) );
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      uInstr3(cb, SSE3a_MemRd, sz,
                  Lit16, (((UShort)(opc1)) << 8) | ((UShort)opc2),
                  Lit16, (((UShort)(opc3)) << 8) | ((UShort)modrm),
                  TempReg, tmpa);
      DIP("%s %s, %s\n", name, dis_buf, nameMMXReg(gregOfRM(modrm)));
   }
   return eip;
}


/* Simple SSE operations, either 
       op   (src)mmxreg, (dst)xmmreg
   or
       op   (src)address, (dst)xmmreg
   3 opcode bytes.
   Supplied eip points to the first address mode byte.
*/
static
Addr dis_SSE3_from_MMX ( UCodeBlock *cb,
                         UChar sorb,
                         Addr eip,
                         Int sz,
                         Char* name, 
                         UChar opc1, 
                         UChar opc2, 
                         UChar opc3 )
{
   UChar dis_buf[50];
   UChar modrm = getUChar(eip);
   if (epartIsReg(modrm)) {
      /* Completely internal SSE insn. */
      uInstr2(cb, SSE4, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)opc1) << 8) | (UShort)opc2,
                  Lit16, (((UShort)opc3) << 8) | (UShort)modrm );
      DIP("%s %s, %s\n",
          name, nameMMXReg(eregOfRM(modrm)), nameXMMReg(gregOfRM(modrm)) );
      eip++;
   } else {
      UInt pair = disAMode ( cb, sorb, eip, dis_buf );
      Int  tmpa = LOW24(pair);
      eip += HI8(pair);
      uInstr3(cb, SSE3a_MemRd, sz,
                  Lit16, (((UShort)(opc1)) << 8) | ((UShort)opc2),
                  Lit16, (((UShort)(opc3)) << 8) | ((UShort)modrm),
                  TempReg, tmpa);
      DIP("%s %s, %s\n", name, dis_buf, nameXMMReg(gregOfRM(modrm)));
   }
   return eip;
}


static 
void dis_push_segreg ( UCodeBlock* cb, UInt sreg, Int sz )
{
    Int t1 = newTemp(cb), t2 = newTemp(cb);
    vg_assert(sz == 2 || sz == 4);
    uInstr2(cb, GETSEG, 2, ArchRegS, sreg,  TempReg, t1);
    uInstr2(cb, GET,    4, ArchReg,  R_ESP, TempReg, t2);
    uInstr2(cb, SUB,    4, Literal,  0,     TempReg, t2);
    uLiteral(cb, sz);
    uInstr2(cb, PUT,    4, TempReg,  t2,    ArchReg, R_ESP);
    uInstr2(cb, STORE,  2, TempReg,  t1,    TempReg, t2);
    DIP("push %s\n", VG_(name_of_seg_reg)(sreg));
}

static
void dis_pop_segreg ( UCodeBlock* cb, UInt sreg, Int sz )
{
   Int t1 = newTemp(cb), t2 = newTemp(cb);
   vg_assert(sz == 2 || sz == 4);
   uInstr2(cb, GET,    4, ArchReg, R_ESP,    TempReg,  t2);
   uInstr2(cb, LOAD,   2, TempReg, t2,       TempReg,  t1);
   uInstr2(cb, ADD,    4, Literal, 0,        TempReg,  t2);
   uLiteral(cb, sz);
   uInstr2(cb, PUT,    4, TempReg, t2,       ArchReg,  R_ESP);
   uInstr2(cb, PUTSEG, 2, TempReg, t1,       ArchRegS, sreg);
   DIP("pop %s\n", VG_(name_of_seg_reg)(sreg));
}

static
void dis_ret ( UCodeBlock* cb, UInt d32 )
{
   Int t1 = newTemp(cb), t2 = newTemp(cb);
   uInstr2(cb, GET,  4, ArchReg, R_ESP, TempReg, t1);
   uInstr2(cb, LOAD, 4, TempReg, t1,    TempReg, t2);
   uInstr2(cb, ADD,  4, Literal, 0,     TempReg, t1);
   uLiteral(cb, 4+d32);
   uInstr2(cb, PUT,  4, TempReg, t1,    ArchReg, R_ESP);
   jmp_treg(cb, t2);
   LAST_UINSTR(cb).jmpkind = JmpRet;
}

/*------------------------------------------------------------*/
/*--- Disassembling entire basic blocks                    ---*/
/*------------------------------------------------------------*/

/* Disassemble a single instruction into ucode, returning the updated
   eip, and setting *isEnd to True if this is the last insn in a basic
   block.  Also do debug printing if necessary. */

static Addr disInstr ( UCodeBlock* cb, Addr eip, Bool* isEnd )
{
   UChar opc, modrm, abyte;
   UInt  d32, pair;
   Int   t1, t2, t3, t4;
   UChar dis_buf[50];
   Int   am_sz, d_sz;
   static Char  loc_buf[M_VG_ERRTXT];

   /* Holds eip at the start of the insn, so that we can print
      consistent error messages for unimplemented insns. */
   UChar* eip_start = (UChar*)eip;

   /* sz denotes the nominal data-op size of the insn; we change it to
      2 if an 0x66 prefix is seen */
   Int sz = 4;

   /* sorb holds the segment-override-prefix byte, if any.  Zero if no
      prefix has been seen, else one of {0x26, 0x3E, 0x64, 0x65}
      indicating the prefix.  */
   UChar sorb = 0;

   Int first_uinstr = cb->used;
   *isEnd = False;
   t1 = t2 = t3 = t4 = INVALID_TEMPREG;

   DIP("\t0x%x:  ", eip);

   /* Spot the client-request magic sequence. */
   {
      UChar* myeip = (UChar*)eip;
      /* Spot this:
         C1C01D                roll $29, %eax
         C1C003                roll $3,  %eax
         C1C81B                rorl $27, %eax
         C1C805                rorl $5,  %eax
         C1C00D                roll $13, %eax
         C1C013                roll $19, %eax      
      */
      if (myeip[ 0] == 0xC1 && myeip[ 1] == 0xC0 && myeip[ 2] == 0x1D &&
          myeip[ 3] == 0xC1 && myeip[ 4] == 0xC0 && myeip[ 5] == 0x03 &&
          myeip[ 6] == 0xC1 && myeip[ 7] == 0xC8 && myeip[ 8] == 0x1B &&
          myeip[ 9] == 0xC1 && myeip[10] == 0xC8 && myeip[11] == 0x05 &&
          myeip[12] == 0xC1 && myeip[13] == 0xC0 && myeip[14] == 0x0D &&
          myeip[15] == 0xC1 && myeip[16] == 0xC0 && myeip[17] == 0x13
         ) {
         eip += 18;
         jmp_lit(cb, eip);
         LAST_UINSTR(cb).jmpkind = JmpClientReq;
         *isEnd = True;
         DIP("%%edx = client_request ( %%eax )\n");
         return eip;
      }
   }

   /* Skip a LOCK prefix. */
   if (getUChar(eip) == 0xF0) { 
      /* VG_(printf)("LOCK LOCK LOCK LOCK LOCK \n"); */
      uInstr0(cb, LOCK, 0);
      eip++;
   }

   /* Detect operand-size overrides. */
   if (getUChar(eip) == 0x66) { sz = 2; eip++; };

   /* segment override prefixes come after the operand-size override,
      it seems */
   switch (getUChar(eip)) {
      case 0x3E: /* %DS: */
      case 0x26: /* %ES: */
      case 0x64: /* %FS: */
      case 0x65: /* %GS: */
         sorb = getUChar(eip); eip++; 
         break;
      case 0x2E: /* %CS: */
         /* 2E prefix on a conditional branch instruction is a
            branch-prediction hint, which can safely be ignored.  */
         {
            UChar op1 = getUChar(eip+1);
            UChar op2 = getUChar(eip+2);
            if ((op1 >= 0x70 && op1 <= 0x7F)
                || (op1 == 0xE3)
                || (op1 == 0x0F && op2 >= 0x80 && op2 <= 0x8F)) {
               sorb = getUChar(eip); eip++;
               break;
            }
         }
         VG_(unimplemented)("x86 segment override (SEG=CS) prefix");
         /*NOTREACHED*/
         break;
      case 0x36: /* %SS: */
         VG_(unimplemented)("x86 segment override (SEG=SS) prefix");
         /*NOTREACHED*/
         break;
      default:
         break;
   }

   /* ---------------------------------------------------- */
   /* --- The SSE/SSE2 decoder.                        --- */
   /* ---------------------------------------------------- */

   /* If it looks like this CPU might support SSE, try decoding SSE
      insns.  */
   if (VG_(have_ssestate)) {
   UChar* insn = (UChar*)eip;

   /* FXSAVE/FXRSTOR m32 -- load/store the FPU/MMX/SSE state. */
   if (insn[0] == 0x0F && insn[1] == 0xAE 
       && (!epartIsReg(insn[2]))
       && (gregOfRM(insn[2]) == 1 || gregOfRM(insn[2]) == 0) ) {
      Bool store = gregOfRM(insn[2]) == 0;
      vg_assert(sz == 4);
      pair = disAMode ( cb, sorb, eip+2, dis_buf );
      t1   = LOW24(pair);
      eip += 2+HI8(pair);
      uInstr3(cb, store ? SSE2a_MemWr : SSE2a_MemRd, 512,
                  Lit16, (((UShort)insn[0]) << 8) | (UShort)insn[1],
                  Lit16, (UShort)insn[2],
                  TempReg, t1 );
      DIP("fx%s %s\n", store ? "save" : "rstor", dis_buf );
      goto decode_success;
   }

   /* STMXCSR/LDMXCSR m32 -- load/store the MXCSR register. */
   if (insn[0] == 0x0F && insn[1] == 0xAE 
       && (!epartIsReg(insn[2]))
       && (gregOfRM(insn[2]) == 3 || gregOfRM(insn[2]) == 2) ) {
      Bool store = gregOfRM(insn[2]) == 3;
      vg_assert(sz == 4);
      pair = disAMode ( cb, sorb, eip+2, dis_buf );
      t1   = LOW24(pair);
      eip += 2+HI8(pair);
      uInstr3(cb, store ? SSE2a_MemWr : SSE2a_MemRd, 4,
                  Lit16, (((UShort)insn[0]) << 8) | (UShort)insn[1],
                  Lit16, (UShort)insn[2],
                  TempReg, t1 );
      DIP("%smxcsr %s\n", store ? "st" : "ld", dis_buf );
      goto decode_success;
   }

   /* LFENCE/MFENCE -- flush pending operations to memory */
   if (insn[0] == 0x0F && insn[1] == 0xAE
       && (epartIsReg(insn[2]))
       && (gregOfRM(insn[2]) >= 5 && gregOfRM(insn[2]) <= 6))
   {
      vg_assert(sz == 4);
      eip += 3;
      uInstr2(cb, SSE3, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)0x0F) << 8) | (UShort)0xAE,
                  Lit16, (UShort)insn[2] );
      DIP("%sfence\n", gregOfRM(insn[2]) == 5 ? "l" : "m");
      goto decode_success;
   }

   /* CLFLUSH -- flush cache line */
   if (insn[0] == 0x0F && insn[1] == 0xAE
       && (!epartIsReg(insn[2]))
       && (gregOfRM(insn[2]) == 7))
   {
      vg_assert(sz == 4);
      pair = disAMode ( cb, sorb, eip+2, dis_buf );
      t1   = LOW24(pair);
      eip += 2+HI8(pair);
      uInstr3(cb, SSE2a_MemRd, 0,  /* ignore sz for internal ops */
                  Lit16, (((UShort)0x0F) << 8) | (UShort)0xAE,
                  Lit16, (UShort)insn[2],
                  TempReg, t1 );
      DIP("clflush %s\n", dis_buf);
      goto decode_success;
   }

   /* CVTPI2PS (0x0F,0x2A) -- mm/m64, xmm */
   /* CVTPI2PD (0x66,0x0F,0x2A) -- mm/m64, xmm */
   if (insn[0] == 0x0F && insn[1] == 0x2A) {
      if (sz == 4) {
         eip = dis_SSE2_from_MMX
                  ( cb, sorb, eip+2, 8, "cvtpi2ps",
                        insn[0], insn[1] );
      } else {
         eip = dis_SSE3_from_MMX
                  ( cb, sorb, eip+2, 8, "cvtpi2pd",
                        0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* CVTTPS2PI (0x0F,0x2C) -- xmm/m64, mm */
   /* CVTPS2PI (0x0F,0x2D) -- xmm/m64, mm */
   /* CVTTPD2PI (0x66,0x0F,0x2C) -- xmm/m128, mm */
   /* CVTPD2PI (0x66,0x0F,0x2D) -- xmm/m128, mm */
   if (insn[0] == 0x0F
       && (insn[1] == 0x2C || insn[1] == 0x2D)) {
      if (sz == 4) {
         eip = dis_SSE2_to_MMX
                  ( cb, sorb, eip+2, 8, "cvt{t}ps2pi",
                        insn[0], insn[1] );
      } else {
         eip = dis_SSE3_to_MMX
                  ( cb, sorb, eip+2, 16, "cvt{t}pd2pi",
                        0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* CVTTSD2SI (0xF2,0x0F,0x2C) -- convert a double-precision float
      value in memory or xmm reg to int and put it in an ireg.
      Truncate. */
   /* CVTTSS2SI (0xF3,0x0F,0x2C) -- convert a single-precision float
      value in memory or xmm reg to int and put it in an ireg.
      Truncate. */
   /* CVTSD2SI (0xF2,0x0F,0x2D) -- convert a double-precision float
      value in memory or xmm reg to int and put it in an ireg.  Round
      as per MXCSR. */
   /* CVTSS2SI (0xF3,0x0F,0x2D) -- convert a single-precision float
      value in memory or xmm reg to int and put it in an ireg.  Round
      as per MXCSR. */
   if ((insn[0] == 0xF2 || insn[0] == 0xF3)
       && insn[1] == 0x0F 
       && (insn[2] == 0x2C || insn[2] == 0x2D)) {
      vg_assert(sz == 4);
      modrm = insn[3];
      if (epartIsReg(modrm)) {
         /* We're moving a value in an xmm reg to an ireg. */
         eip += 4;
	 t1 = newTemp(cb);
         /* sz is 4 for all 4 insns. */
         vg_assert(epartIsReg(modrm));
         uInstr3(cb, SSE3g_RegWr, 4,
                     Lit16, (((UShort)insn[0]) << 8) | (UShort)insn[1],
                     Lit16, (((UShort)insn[2]) << 8) | (UShort)modrm,
                     TempReg, t1 );
         uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, gregOfRM(modrm));
         DIP("cvt{t}s{s,d}2si %s, %s\n", 
             nameXMMReg(eregOfRM(modrm)), nameIReg(4,gregOfRM(modrm)) );
      } else {
         /* So, we're reading memory and writing an ireg.  This calls
            for the ultra-horrible SSE3ag_MemRd_RegWr uinstr.  We
            can't do it in a roundabout route because it does some
            kind of conversion on the way, which we need to have
            happen too.  So our only choice is to re-emit a suitably
            rehashed version of the instruction. */
 	 /* Destination ireg is GREG.  Address goes as EREG as
	    usual. */
         t1 = newTemp(cb); /* t1 holds value on its way to ireg */
         pair = disAMode ( cb, sorb, eip+3, dis_buf );
         t2   = LOW24(pair); /* t2 holds addr */
         eip += 3+HI8(pair);
         uInstr2(cb, SSE3ag_MemRd_RegWr, insn[0]==0xF2 ? 8 : 4,
                     TempReg, t2, /* address */
                     TempReg, t1 /* dest */);
         uLiteral(cb  , (((UInt)insn[0]) << 24)
                      | (((UInt)insn[1]) << 16)
                      | (((UInt)insn[2]) << 8) 
                      | ((UInt)modrm) );
         uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, gregOfRM(modrm));
         DIP("cvt{t}s{s,d}2si %s, %s\n", 
             dis_buf, nameIReg(4,gregOfRM(modrm)) );
      }
      goto decode_success;
   }

   /* CVTSI2SS -- convert int reg, or int value in memory, to low 4
      bytes of XMM reg. */
   /* CVTSI2SD -- convert int reg, or int value in memory, to low 8
      bytes of XMM reg. */
   if ((insn[0] == 0xF3 /*CVTSI2SS*/ || insn[0] == 0xF2 /* CVTSI2SD*/)
       && insn[1] == 0x0F && insn[2] == 0x2A) {
      Char* s_or_d = insn[0]==0xF3 ? "s" : "d";
      vg_assert(sz == 4);
      modrm = insn[3];
      t1 = newTemp(cb);
      if (epartIsReg(modrm)) { 
         uInstr2(cb, GET, 4, ArchReg, eregOfRM(modrm), TempReg, t1);
         vg_assert(epartIsReg(modrm));
         uInstr3(cb, SSE3e_RegRd, 4,
                     Lit16, (((UShort)insn[0]) << 8) | (UShort)insn[1],
                     Lit16, (((UShort)insn[2]) << 8) | (UShort)modrm,
                     TempReg, t1 );
         eip += 4;
         DIP("cvtsi2s%s %s, %s\n", s_or_d,
             nameIReg(4,eregOfRM(modrm)), nameXMMReg(gregOfRM(modrm)));
      } else {
         pair = disAMode ( cb, sorb, eip+3, dis_buf );
         t2   = LOW24(pair);
         eip += 3+HI8(pair);
	 uInstr3(cb, SSE3a_MemRd, 4,
                     Lit16, (((UShort)insn[0]) << 8) | (UShort)insn[1],
                     Lit16, (((UShort)insn[2]) << 8) | (UShort)modrm,
                     TempReg, t2 );
         DIP("cvtsi2s%s %s, %s\n",
             s_or_d, dis_buf, nameXMMReg(gregOfRM(modrm)));
      }
      goto decode_success;
   }

   /* CVTPS2PD -- convert two packed floats to two packed doubles. */
   /* 0x66: CVTPD2PS -- convert two packed doubles to two packed floats. */
   if (insn[0] == 0x0F && insn[1] == 0x5A) {
      vg_assert(sz == 2 || sz == 4);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 8, "cvtps2pd",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "cvtpd2ps",
                                     0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* CVTSS2SD -- convert one single float to double. */
   if (insn[0] == 0xF3 && insn[1] == 0x0F && insn[2] == 0x5A) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 4, "cvtss2sd",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* CVTSD2SS -- convert one single double. to float. */
   if (insn[0] == 0xF2 && insn[1] == 0x0F && insn[2] == 0x5A) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 8, "cvtsd2ss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* CVTDQ2PS -- convert four ints to four packed floats. */
   /* 0x66: CVTPS2DQ -- convert four packed floats to four ints. */
   if (insn[0] == 0x0F && insn[1] == 0x5B) {
      vg_assert(sz == 2 || sz == 4);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "cvtdq2ps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "cvtps2dq",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* CVTPD2DQ -- convert two packed doubles to two ints. */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0xE6) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 8, "cvtpd2dq",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* CVTTPD2DQ -- convert two packed doubles to two ints with truncation. */
   if (insn[0] == 0xF2 && insn[1] == 0x0F && insn[2] == 0xE6) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 8, "cvttpd2dq",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* CVTDQ2PD -- convert two ints to two packed doubles. */
   if (insn[0] == 0xF3 && insn[1] == 0x0F && insn[2] == 0xE6) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 8, "cvtdq2pd",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* CVTTPS2DQ -- convert four packed floats to four ints with truncation. */
   if (insn[0] == 0xF3 && insn[1] == 0x0F && insn[2] == 0x5B) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 16, "cvttps2dq",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* CMPSS -- compare scalar floats. */
   if (insn[0] == 0xF3 && insn[1] == 0x0F && insn[2] == 0xC2) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem_Imm8 ( cb, sorb, eip+3, 8, "cmpss",
                                       insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* CMPSD -- compare scalar doubles. */
   if (insn[0] == 0xF2 && insn[1] == 0x0F && insn[2] == 0xC2) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem_Imm8 ( cb, sorb, eip+3, 8, "cmpsd",
                                       insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* sz==4: CMPPS -- compare packed floats */
   /* sz==2: CMPPD -- compare packed doubles */
   if (insn[0] == 0x0F && insn[1] == 0xC2) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem_Imm8 ( cb, sorb, eip+2, 16, "cmpps",
                                          insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem_Imm8 ( cb, sorb, eip+2, 16, "cmppd",
                                          0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* PSHUFD */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0x70) {
      eip = dis_SSE3_reg_or_mem_Imm8 ( cb, sorb, eip+2, 16, 
                                           "pshufd",
                                           0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* PSHUFLW */
   if (insn[0] == 0xF2 && insn[1] == 0x0F && insn[2] == 0x70) {
      eip = dis_SSE3_reg_or_mem_Imm8 ( cb, sorb, eip+3, 16, 
                                           "pshuflw",
                                           insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* PSHUFHW */
   if (insn[0] == 0xF3 && insn[1] == 0x0F && insn[2] == 0x70) {
      eip = dis_SSE3_reg_or_mem_Imm8 ( cb, sorb, eip+3, 16, 
                                           "pshufhw",
                                           insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* SHUFPD */
   if (sz == 2 && insn[0] == 0x0F && insn[1] == 0xC6) {
      eip = dis_SSE3_reg_or_mem_Imm8 ( cb, sorb, eip+2, 16, "shufpd",
                                           0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* SHUFPS */
   if (insn[0] == 0x0F && insn[1] == 0xC6) {
      vg_assert(sz == 4);
      eip = dis_SSE2_reg_or_mem_Imm8 ( cb, sorb, eip+2, 16, "shufps",
                                           insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xF2: MULSD */
   /* 0xF3: MULSS -- multiply low 4 bytes of XMM reg. */
   if ((insn[0] == 0xF2 || insn[0] == 0xF3)
       && insn[1] == 0x0F && insn[2] == 0x59) {
      Bool sz8 = insn[0] == 0xF2;
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, sz8 ? 8 : 4, 
                                      sz8 ? "mulss" : "mulsd",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MULPS */
   /* 0x66: MULPD */
   if (insn[0] == 0x0F && insn[1] == 0x59) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "mulps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "mulpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* 0xF2: DIVSD */
   /* 0xF3: DIVSS -- divide low 4 bytes of XMM reg. */
   if ((insn[0] == 0xF2 || insn[0] == 0xF3)
       && insn[1] == 0x0F && insn[2] == 0x5E) {
      Bool sz8 = insn[0] == 0xF2;
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, sz8 ? 8 : 4, 
                                      sz8 ? "divsd" : "divss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* DIVPS */
   /* 0x66: DIVPD */
   if (insn[0] == 0x0F && insn[1] == 0x5E) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "divps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "divpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* 0xF2: SUBSD */
   /* 0xF3: SUBSS */
   if ((insn[0] == 0xF2 || insn[0] == 0xF3)
       && insn[1] == 0x0F && insn[2] == 0x5C) {
      Bool sz8 = insn[0] == 0xF2;
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, sz8 ? 8 : 4, 
                                      sz8 ? "subsd" : "subss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* SUBPS */
   /* 0x66: SUBPD */
   if (insn[0] == 0x0F && insn[1] == 0x5C) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "subps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "subpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* 0xF2: ADDSD */
   /* 0xF3: ADDSS */
   if ((insn[0] == 0xF2 || insn[0] == 0xF3)
       && insn[1] == 0x0F && insn[2] == 0x58) {
      Bool sz8 = insn[0] == 0xF2;
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, sz8 ? 8 : 4, 
                                      sz8 ? "addsd" : "addss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* ADDPS */
   /* 0x66: ADDPD */
   if (insn[0] == 0x0F && insn[1] == 0x58) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "addps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "addpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* 0xF2: MINSD */
   /* 0xF3: MINSS */
   if ((insn[0] == 0xF2 || insn[0] == 0xF3) 
       && insn[1] == 0x0F && insn[2] == 0x5D) {
      Bool sz8 = insn[0] == 0xF2;
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, sz8 ? 8 : 4, 
                                      sz8 ? "minsd" : "minss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MINPS */
   /* 0x66: MINPD */
   if (insn[0] == 0x0F && insn[1] == 0x5D) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "minps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "minpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* 0xF3: MAXSD */
   /* 0xF3: MAXSS */
   if ((insn[0] == 0xF2 || insn[0] == 0xF3) 
       && insn[1] == 0x0F && insn[2] == 0x5F) {
      Bool sz8 = insn[0] == 0xF2;
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, sz8 ? 8 : 4, 
                                      sz8 ? "maxsd" : "maxss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MAXPS */
   /* 0x66: MAXPD */
   if (insn[0] == 0x0F && insn[1] == 0x5F) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "maxps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "maxpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* RCPPS -- reciprocal of packed floats */
   if (insn[0] == 0x0F && insn[1] == 0x53) {
      vg_assert(sz == 4);
      eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "rcpps",
                                      insn[0], insn[1] );
      goto decode_success;
   }

   /* XORPS */
   /* 0x66: XORPD (src)xmmreg-or-mem, (dst)xmmreg */
   if (insn[0] == 0x0F && insn[1] == 0x57) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "xorps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "xorpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* ANDPS */
   /* 0x66: ANDPD (src)xmmreg-or-mem, (dst)xmmreg */
   if (insn[0] == 0x0F && insn[1] == 0x54) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "andps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "andpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* ORPS */
   /* 0x66: ORPD (src)xmmreg-or-mem, (dst)xmmreg */
   if (insn[0] == 0x0F && insn[1] == 0x56) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "orps",
                                         insn[0], insn[1] );
      } else {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "orpd",
                                      0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* PXOR (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0xEF) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pxor",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* PAND (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0xDB) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pand",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* PANDN (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0xDF) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pandn",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* POR (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0xEB) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "por",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xDA: PMINUB(src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xEA: PMINSW(src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xDA || insn[1] == 0xEA)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pmin{ub,sw}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xDE: PMAXUB(src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xEE: PMAXSW(src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xDE || insn[1] == 0xEE)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pmax{ub,sw}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xE0: PAVGB(src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xE3: PAVGW(src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xE0 || insn[1] == 0xE3)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pavg{b,w}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }
 
   /* 0xF6: PSADBW(src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0xF6) {
     eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "psadbw",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }
 
   /* 0x60: PUNPCKLBW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x61: PUNPCKLWD (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x62: PUNPCKLDQ (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x6C: PUNPCKQLQDQ (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0x60 || insn[1] == 0x61
           || insn[1] == 0x62 || insn[1] == 0x6C)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, 
                                      "punpckl{bw,wd,dq,qdq}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0x68: PUNPCKHBW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x69: PUNPCKHWD (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x6A: PUNPCKHDQ (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x6D: PUNPCKHQDQ (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0x68 || insn[1] == 0x69
           || insn[1] == 0x6A || insn[1] == 0x6D)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, 
                                      "punpckh{bw,wd,dq,qdq}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0x14: UNPCKLPD (src)xmmreg-or-mem, (dst)xmmreg.  Reads a+0
      .. a+7, so we can say size 8 */
   /* 0x15: UNPCKHPD (src)xmmreg-or-mem, (dst)xmmreg.  Reads a+8
      .. a+15, but we have no way to express this, so better say size
      16.  Sigh. */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0x14 || insn[1] == 0x15)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 
                                      insn[1]==0x14 ? 8 : 16, 
                                      "unpck{l,h}pd",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0x14: UNPCKLPS (src)xmmreg-or-mem, (dst)xmmreg  Reads a+0
      .. a+7, so we can say size 8 */
   /* 0x15: UNPCKHPS (src)xmmreg-or-mem, (dst)xmmreg  Reads a+8
      .. a+15, but we have no way to express this, so better say size
      16.  Sigh.  */
   if (sz == 4
       && insn[0] == 0x0F
       && (insn[1] == 0x14 || insn[1] == 0x15)) {
      eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 
                                      insn[1]==0x14 ? 8 : 16, 
                                      "unpck{l,h}ps",
                                      insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xFC: PADDB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xFD: PADDW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xFE: PADDD (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xD4: PADDQ (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xFC || insn[1] == 0xFD 
           || insn[1] == 0xFE || insn[1] == 0xD4)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "padd{b,w,d,q}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xEC: PADDSB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xED: PADDSW (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xEC || insn[1] == 0xED)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "padds{b,w}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xDC: PADDUSB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xDD: PADDUSW (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xDC || insn[1] == 0xDD)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "paddus{b,w}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xF8: PSUBB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xF9: PSUBW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xFA: PSUBD (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xFB: PSUBQ (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xF8 || insn[1] == 0xF9 
           || insn[1] == 0xFA || insn[1] == 0xFB)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "psub{b,w,d,q}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xE8: PSUBSB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xE9: PSUBSW (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xE8 || insn[1] == 0xE9)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "psubs{b,w}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xD8: PSUBUSB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xD9: PSUBUSW (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xD8 || insn[1] == 0xD9)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "psubus{b,w}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xE4: PMULHUW(src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xE5: PMULHW(src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xD5: PMULLW(src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xE4 || insn[1] == 0xE5 || insn[1] == 0xD5)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pmul{hu,h,l}w",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xD5: PMULUDQ(src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0xF4) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pmuludq",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xF5: PMADDWD(src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && insn[1] == 0xF5) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pmaddwd",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0x74: PCMPEQB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x75: PCMPEQW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x76: PCMPEQD (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0x74 || insn[1] == 0x75 || insn[1] == 0x76)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pcmpeq{b,w,d}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0x64: PCMPGTB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x65: PCMPGTW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x66: PCMPGTD (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0x64 || insn[1] == 0x65 || insn[1] == 0x66)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "pcmpgt{b,w,d}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0x63: PACKSSWB (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0x6B: PACKSSDW (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0x63 || insn[1] == 0x6B)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "packss{wb,dw}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0x67: PACKUSWB (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && insn[1] == 0x67) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "packuswb",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xF1: PSLLW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xF2: PSLLD (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xF3: PSLLQ (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xF1 || insn[1] == 0xF2 || insn[1] == 0xF3)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "psll{b,w,d}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xD1: PSRLW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xD2: PSRLD (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xD3: PSRLQ (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xD1 || insn[1] == 0xD2 || insn[1] == 0xD3)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "psrl{b,w,d}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* 0xE1: PSRAW (src)xmmreg-or-mem, (dst)xmmreg */
   /* 0xE2: PSRAD (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F 
       && (insn[1] == 0xE1 || insn[1] == 0xE2)) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "psra{w,d}",
                                      0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* (U)COMISD (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 2
       && insn[0] == 0x0F
       && ( insn[1] == 0x2E || insn[1] == 0x2F ) ) {
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 8, "{u}comisd",
                                      0x66, insn[0], insn[1] );
      vg_assert(LAST_UINSTR(cb).opcode == SSE3a_MemRd 
                || LAST_UINSTR(cb).opcode == SSE4);
      uFlagsRWU(cb, FlagsEmpty, FlagsOSZACP, FlagsEmpty);
      goto decode_success;
   }

   /* (U)COMISS (src)xmmreg-or-mem, (dst)xmmreg */
   if (sz == 4
       && insn[0] == 0x0F
       && ( insn[1] == 0x2E || insn[ 1 ] == 0x2F )) {
      eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 4, "{u}comiss",
                                      insn[0], insn[1] );
      vg_assert(LAST_UINSTR(cb).opcode == SSE2a_MemRd 
                || LAST_UINSTR(cb).opcode == SSE3);
      uFlagsRWU(cb, FlagsEmpty, FlagsOSZACP, FlagsEmpty);
      goto decode_success;
   }

   /* MOVSD -- move 8 bytes of XMM reg to/from XMM reg or mem. */
   if (insn[0] == 0xF2
       && insn[1] == 0x0F 
       && (insn[2] == 0x11 || insn[2] == 0x10)) {
      vg_assert(sz == 4);
      eip = dis_SSE3_load_store_or_mov 
               ( cb, sorb, eip+3, 8, insn[2]==0x11, "movsd",
		 insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MOVQ -- move 8 bytes of XMM reg to XMM reg or mem.  How
      does this differ from MOVSD ?? */
   if (sz == 2
       && insn[0] == 0x0F
       && insn[1] == 0xD6) {
      eip = dis_SSE3_load_store_or_mov 
               ( cb, sorb, eip+2, 8, True /*store*/, "movq",
                     0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* MOVQ -- move 8 bytes of XMM reg or mem to XMM reg.  How
      does this differ from MOVSD ?? */
   if (insn[0] == 0xF3
       && insn[1] == 0x0F
       && insn[2] == 0x7E) {
      eip = dis_SSE3_load_store_or_mov
               ( cb, sorb, eip+3, 8, False /*load*/, "movq",
                     insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MOVDQ2Q -- move low 4 bytes of XMM reg to MMX reg. */
   if (insn[0] == 0xF2
       && insn[1] == 0x0F
       && insn[2] == 0xD6) {
      eip = dis_SSE3_to_MMX
               ( cb, sorb, eip+3, 8, "movdq2q",
                     insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MOVQ2DQ -- move MMX reg to low 4 bytes of XMM reg. */
   if (insn[0] == 0xF3
       && insn[1] == 0x0F
       && insn[2] == 0xD6) {
      eip = dis_SSE3_from_MMX
               ( cb, sorb, eip+3, 8, "movq2dq",
                     insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MOVSS -- move 4 bytes of XMM reg to/from XMM reg or mem. */
   if (insn[0] == 0xF3
       && insn[1] == 0x0F 
       && (insn[2] == 0x11 || insn[2] == 0x10)) {
      vg_assert(sz == 4);
      eip = dis_SSE3_load_store_or_mov 
               ( cb, sorb, eip+3, 4, insn[2]==0x11, "movss",
                     insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* I don't understand how MOVAPD differs from MOVAPS. */
   /* MOVAPD (28,29) -- aligned load/store of xmm reg, or xmm-xmm reg
      move */
   if (sz == 2
       && insn[0] == 0x0F && insn[1] == 0x28) {
      UChar* name = "movapd";
                    //(insn[1] == 0x10 || insn[1] == 0x11)
                    // ? "movups" : "movaps";
      Bool store = False; //insn[1] == 0x29 || insn[1] == 0x11;
      eip = dis_SSE3_load_store_or_mov
               ( cb, sorb, eip+2, 16, store, name,
                     0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* sz==4: MOVAPS (28,29) -- aligned load/store of xmm reg, or
      xmm-xmm reg move */
   /* sz==4: MOVUPS (10,11) -- unaligned load/store of xmm reg, or
      xmm-xmm reg move */
   /* sz==2: MOVAPD (28,29) -- aligned load/store of xmm reg, or
      xmm-xmm reg move */
   /* sz==2: MOVUPD (10,11) -- unaligned load/store of xmm reg, or
      xmm-xmm reg move */
   if (insn[0] == 0x0F && (insn[1] == 0x28
                           || insn[1] == 0x29
                           || insn[1] == 0x10
                           || insn[1] == 0x11)) {
      UChar* name = (insn[1] == 0x10 || insn[1] == 0x11)
                    ? "movups" : "movaps";
      Bool store = insn[1] == 0x29 || insn[1] == 0x11;
      vg_assert(sz == 2 || sz == 4);
      if (sz == 4) {
         eip = dis_SSE2_load_store_or_mov
                  ( cb, sorb, eip+2, 16, store, name,
                        insn[0], insn[1] );
      } else {
         eip = dis_SSE3_load_store_or_mov
                  ( cb, sorb, eip+2, 16, store, name,
                        0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* MOVDQA -- aligned 16-byte load/store. */
   if (sz == 2 
       && insn[0] == 0x0F 
       && (insn[1] == 0x6F || insn[1] == 0x7F)) {
      Bool is_store = insn[1]==0x7F;
      eip = dis_SSE3_load_store_or_mov
               (cb, sorb, eip+2, 16, is_store, "movdqa", 
                    0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* MOVDQU -- unaligned 16-byte load/store. */
   if (insn[0] == 0xF3
       && insn[1] == 0x0F 
       && (insn[2] == 0x6F || insn[2] == 0x7F)) {
      Bool is_store = insn[2]==0x7F;
      eip = dis_SSE3_load_store_or_mov
               (cb, sorb, eip+3, 16, is_store, "movdqu", 
                    insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MOVNTDQ -- 16-byte store with temporal hint (which we
      ignore). */
   if (sz == 2
       && insn[0] == 0x0F
       && insn[1] == 0xE7) {
      eip = dis_SSE3_load_store_or_mov 
               (cb, sorb, eip+2, 16, True /* is_store */, "movntdq",
                    0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* MOVNTPS -- 16-byte store with temporal hint (which we
      ignore). */
   if (insn[0] == 0x0F
       && insn[1] == 0x2B) {
      eip = dis_SSE2_load_store_or_mov 
               (cb, sorb, eip+2, 16, True /* is_store */, "movntps",
                    insn[0], insn[1] );
      goto decode_success;
   }

   /* MOVNTPD -- 16-byte store with temporal hint (which we
      ignore). */
   if (sz == 2
       && insn[0] == 0x0F
       && insn[1] == 0x2B) {
      eip = dis_SSE3_load_store_or_mov 
               (cb, sorb, eip+2, 16, True /* is_store */, "movntpd",
                    0x66, insn[0], insn[1] );
      goto decode_success;
   }

   /* MOVD -- 4-byte move between xmmregs and (ireg or memory). */
   if (sz == 2 
       && insn[0] == 0x0F 
       && (insn[1] == 0x6E || insn[1] == 0x7E)) {
      Bool is_store = insn[1]==0x7E;
      modrm = insn[2];
      if (epartIsReg(modrm) && is_store) {
         t1 = newTemp(cb);
         uInstr3(cb, SSE3e_RegWr, 4,
                     Lit16, (((UShort)0x66) << 8) | (UShort)insn[0],
                     Lit16, (((UShort)insn[1]) << 8) | (UShort)modrm,
                     TempReg, t1 );
	 uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, eregOfRM(modrm));
	 DIP("movd %s, %s\n", 
             nameXMMReg(gregOfRM(modrm)), nameIReg(4,eregOfRM(modrm)));
         eip += 3;
      } else
      if (epartIsReg(modrm) && !is_store) {
         t1 = newTemp(cb);
	 uInstr2(cb, GET, 4, ArchReg, eregOfRM(modrm), TempReg, t1);
         uInstr3(cb, SSE3e_RegRd, 4,
                     Lit16, (((UShort)0x66) << 8) | (UShort)insn[0],
                     Lit16, (((UShort)insn[1]) << 8) | (UShort)modrm,
                     TempReg, t1 );
	 DIP("movd %s, %s\n", 
             nameIReg(4,eregOfRM(modrm)), nameXMMReg(gregOfRM(modrm)));
         eip += 3;
      } else {
         eip = dis_SSE3_load_store_or_mov
                  (cb, sorb, eip+2, 4, is_store, "movd", 
                       0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* PEXTRW from SSE register; writes ireg */
   if (sz == 2 && insn[0] == 0x0F && insn[1] == 0xC5) {
      t1 = newTemp(cb);
      modrm = insn[2];
      vg_assert(epartIsReg(modrm));
      vg_assert((modrm & 0xC0) == 0xC0);
      uInstr3(cb, SSE3g1_RegWr, 4,
                  Lit16, (((UShort)0x66) << 8) | (UShort)insn[0],
                  Lit16, (((UShort)insn[1]) << 8) | (UShort)modrm,
                  TempReg, t1 );
      uLiteral(cb, insn[3]);
      uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, gregOfRM(modrm));
      DIP("pextrw %s, %d, %s\n",
          nameXMMReg(eregOfRM(modrm)), (Int)insn[3], 
          nameIReg(4, gregOfRM(modrm)));
      eip += 4;
      goto decode_success;
   }

   /* PINSRW to SSE register; reads mem or ireg */
   if (sz == 2 && insn[0] == 0x0F && insn[1] == 0xC4) {
      t1 = newTemp(cb);
      modrm = insn[2];
      if (epartIsReg(modrm)) {
         uInstr2(cb, GET, 2, ArchReg, eregOfRM(modrm), TempReg, t1);
         vg_assert(epartIsReg(modrm));
         uInstr3(cb, SSE3e1_RegRd, 2,
                     Lit16, (((UShort)0x66) << 8) | (UShort)insn[0],
                     Lit16, (((UShort)insn[1]) << 8) | (UShort)modrm,
                     TempReg, t1 );
         uLiteral(cb, insn[3]);
         DIP("pinsrw %s, %d, %s\n",
             nameIReg(2, eregOfRM(modrm)), (Int)insn[3],
             nameXMMReg(gregOfRM(modrm)));
         eip += 4;
      } else {
	 VG_(core_panic)("PINSRW mem");
      }
      goto decode_success;
   }

   /* SQRTSD: square root of scalar double. */
   if (insn[0] == 0xF2 && insn[1] == 0x0F && insn[2] == 0x51) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 8, 
                                      "sqrtsd",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* SQRTSS: square root of scalar float. */
   if (insn[0] == 0xF3 && insn[1] == 0x0F && insn[2] == 0x51) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 4,
                                      "sqrtss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* RSQRTSS: square root reciprocal of scalar float. */
   if (insn[0] == 0xF3 && insn[1] == 0x0F && insn[2] == 0x52) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 4,
                                      "sqrtss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* 0xF3: RCPSS -- reciprocal of scalar float */
   if (insn[0] == 0xF3 && insn[1] == 0x0F && insn[2] == 0x53) {
      vg_assert(sz == 4);
      eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+3, 4, 
                                      "rcpss",
                                      insn[0], insn[1], insn[2] );
      goto decode_success;
   }

   /* MOVMSKPD -- extract 2 sign bits from a xmm reg and copy them to 
      an ireg.  Top 30 bits of ireg are set to zero. */
   /* MOVMSKPS -- extract 4 sign bits from a xmm reg and copy them to 
      an ireg.  Top 28 bits of ireg are set to zero. */
   if (insn[0] == 0x0F && insn[1] == 0x50) {
      vg_assert(sz == 4 || sz == 2);
      modrm = insn[2];
      /* Intel docs don't say anything about a memory source being
	 allowed here. */
      vg_assert(epartIsReg(modrm));
      t1 = newTemp(cb);
      if (sz == 4) {
         uInstr3(cb, SSE2g_RegWr, 4,
                     Lit16, (((UShort)insn[0]) << 8) | (UShort)insn[1],
                     Lit16, (UShort)modrm,
                     TempReg, t1 );
         uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, gregOfRM(modrm));
      } else {
         uInstr3(cb, SSE3g_RegWr, 4,
                     Lit16, (((UShort)0x66) << 8) | (UShort)insn[0],
                     Lit16, (((UShort)insn[1]) << 8) | (UShort)modrm,
                     TempReg, t1 );
         uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, gregOfRM(modrm));
      }
      DIP("movmskp%c %s, %s\n", sz == 4 ? 's' : 'd',
          nameXMMReg(eregOfRM(modrm)), nameIReg(4,gregOfRM(modrm)));
      eip += 3;
      goto decode_success;
   }

   /* ANDNPS */
   /* 0x66: ANDNPD (src)xmmreg-or-mem, (dst)xmmreg */
   if (insn[0] == 0x0F && insn[1] == 0x55) {
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "andnps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, "andnpd",
                                         0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* MOVHLPS -- move two packed floats from high quadword to low quadword */
   /* MOVLPS -- load/store two packed floats to/from low quadword. */
   /* MOVLPD -- load/store packed double to/from low quadword. */
   if (insn[0] == 0x0F 
       && (insn[1] == 0x12 || insn[1] == 0x13)) {
      Bool is_store = insn[1]==0x13;
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         if (epartIsReg(insn[2])) {
            vg_assert(insn[1]==0x12);
            eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "movhlps",
                                            insn[0], insn[1] );
         } else {
            eip = dis_SSE2_load_store_or_mov
                     (cb, sorb, eip+2, 8, is_store, "movlps", 
                          insn[0], insn[1] );
         }
      } else {
         vg_assert(!epartIsReg(insn[2]));
         eip = dis_SSE3_load_store_or_mov
                  (cb, sorb, eip+2, 8, is_store, "movlpd", 
                       0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* MOVLHPS -- move two packed floats from low quadword to high quadword */
   /* MOVHPS -- load/store two packed floats to/from high quadword. */
   /* MOVHPD -- load/store packed double to/from high quadword. */
   if (insn[0] == 0x0F 
       && (insn[1] == 0x16 || insn[1] == 0x17)) {
      Bool is_store = insn[1]==0x17;
      vg_assert(sz == 4 || sz == 2);
      if (sz == 4) {
         if (epartIsReg(insn[2])) {
            vg_assert(insn[1]==0x16);
            eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, "movlhps",
                                            insn[0], insn[1] );
         } else {
            eip = dis_SSE2_load_store_or_mov
                     (cb, sorb, eip+2, 8, is_store, "movhps", 
                          insn[0], insn[1] );
         }
      } else {
      vg_assert(!epartIsReg(insn[2]));
      eip = dis_SSE3_load_store_or_mov
               (cb, sorb, eip+2, 8, is_store, "movhpd", 
                    0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* PMOVMSKB -- extract 16 sign bits from a xmm reg and copy them to 
      an ireg.  Top 16 bits of ireg are set to zero. */
   if (sz == 2 && insn[0] == 0x0F && insn[1] == 0xD7) {
      modrm = insn[2];
      /* Intel docs don't say anything about a memory source being
	 allowed here. */
      vg_assert(epartIsReg(modrm));
      t1 = newTemp(cb);
      uInstr3(cb, SSE3g_RegWr, 4,
                  Lit16, (((UShort)0x66) << 8) | (UShort)insn[0],
                  Lit16, (((UShort)insn[1]) << 8) | (UShort)modrm,
                  TempReg, t1 );
      uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, gregOfRM(modrm));
      DIP("pmovmskb %s, %s\n", 
          nameXMMReg(eregOfRM(modrm)), nameIReg(4,gregOfRM(modrm)));
      eip += 3;
      goto decode_success;
   }

   /* sz==4: SQRTPS: square root of packed float. */
   /* sz==2: SQRTPD: square root of packed double. */
   if (insn[0] == 0x0F && insn[1] == 0x51) {
      vg_assert(sz == 2 || sz == 4);
      if (sz == 4) {
         eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, 
                                         "sqrtps",
                                         insn[0], insn[1] );
      } else {
         eip = dis_SSE3_reg_or_mem ( cb, sorb, eip+2, 16, 
                                         "sqrtpd",
                                 0x66, insn[0], insn[1] );
      }
      goto decode_success;
   }

   /* RSQRTPS: square root reciprocal of packed float. */
   if (insn[0] == 0x0F && insn[1] == 0x52) {
      vg_assert(sz == 4);
      eip = dis_SSE2_reg_or_mem ( cb, sorb, eip+2, 16, 
                                      "rsqrtps",
                                      insn[0], insn[1] );
      goto decode_success;
   }

   /* Fall through into the non-SSE decoder. */

   } /* if (VG_(have_ssestate)) */


   /* ---------------------------------------------------- */
   /* --- end of the SSE/SSE2 decoder.                 --- */
   /* ---------------------------------------------------- */

   /* Get the primary opcode. */
   opc = getUChar(eip); eip++;

   /* We get here if the current insn isn't SSE, or this CPU doesn't
      support SSE. */

   switch (opc) {

   /* ------------------------ Control flow --------------- */

   case 0xC2: /* RET imm16 */
      d32 = getUDisp16(eip); eip += 2;
      dis_ret(cb, d32);
      *isEnd = True;
      DIP("ret %d\n", d32);
      break;
   case 0xC3: /* RET */
      dis_ret(cb, 0);
      *isEnd = True;
      DIP("ret\n");
      break;
      
   case 0xE8: /* CALL J4 */
      d32 = getUDisp32(eip); eip += 4;
      d32 += eip; /* eip now holds return-to addr, d32 is call-to addr */
      if (d32 == eip && getUChar(eip) >= 0x58 
                     && getUChar(eip) <= 0x5F) {
         /* Specially treat the position-independent-code idiom 
                 call X
              X: popl %reg
            as 
                 movl %eip, %reg.
            since this generates better code, but for no other reason. */
         Int archReg = getUChar(eip) - 0x58;
         /* VG_(printf)("-- fPIC thingy\n"); */
         t1 = newTemp(cb);
         uInstr2(cb, MOV, 4, Literal, 0, TempReg, t1);
         uLiteral(cb, eip);
         uInstr2(cb, PUT, 4, TempReg, t1,  ArchReg, archReg);
         eip++; /* Step over the POP */
         DIP("call 0x%x ; popl %s\n",d32,nameIReg(4,archReg));
      } else {
         /* The normal sequence for a call. */
         t1 = newTemp(cb); t2 = newTemp(cb); t3 = newTemp(cb);
         uInstr2(cb, GET,   4, ArchReg, R_ESP, TempReg, t3);
         uInstr2(cb, MOV,   4, TempReg, t3,    TempReg, t1);
         uInstr2(cb, SUB,   4, Literal, 0,     TempReg, t1);
	 uLiteral(cb, 4);
         uInstr2(cb, PUT,   4, TempReg, t1,    ArchReg, R_ESP);
         uInstr2(cb, MOV,   4, Literal, 0,     TempReg, t2);
	 uLiteral(cb, eip);
         uInstr2(cb, STORE, 4, TempReg, t2,    TempReg, t1);
         jmp_lit(cb, d32);
         LAST_UINSTR(cb).jmpkind = JmpCall;
         *isEnd = True;
         DIP("call 0x%x\n",d32);
      }
      break;

   case 0xC8: /* ENTER */ 
      d32 = getUDisp16(eip); eip += 2;
      abyte = getUChar(eip); eip++;

      vg_assert(sz == 4);           
      vg_assert(abyte == 0);

      t1 = newTemp(cb); t2 = newTemp(cb);
      uInstr2(cb, GET,   sz, ArchReg, R_EBP, TempReg, t1);
      uInstr2(cb, GET,    4, ArchReg, R_ESP, TempReg, t2);
      uInstr2(cb, SUB,    4, Literal, 0,     TempReg, t2);
      uLiteral(cb, sz);
      uInstr2(cb, PUT,    4, TempReg, t2,    ArchReg, R_ESP);
      uInstr2(cb, STORE,  4, TempReg, t1,    TempReg, t2);
      uInstr2(cb, PUT,    4, TempReg, t2,    ArchReg, R_EBP);
      if (d32) {
         uInstr2(cb, SUB,    4, Literal, 0,     TempReg, t2);
	 uLiteral(cb, d32);
	 uInstr2(cb, PUT,    4, TempReg, t2,    ArchReg, R_ESP);
      }
      DIP("enter 0x%x, 0x%x", d32, abyte);
      break;

   case 0xC9: /* LEAVE */
      t1 = newTemp(cb); t2 = newTemp(cb);
      uInstr2(cb, GET,  4, ArchReg, R_EBP, TempReg, t1);
      /* First PUT ESP looks redundant, but need it because ESP must
         always be up-to-date for Memcheck to work... */
      uInstr2(cb, PUT,  4, TempReg, t1, ArchReg, R_ESP);
      uInstr2(cb, LOAD, 4, TempReg, t1, TempReg, t2);
      uInstr2(cb, PUT,  4, TempReg, t2, ArchReg, R_EBP);
      uInstr2(cb, ADD,  4, Literal, 0, TempReg, t1);
      uLiteral(cb, 4);
      uInstr2(cb, PUT,  4, TempReg, t1, ArchReg, R_ESP);
      DIP("leave");
      break;

   /* ---------------- Misc weird-ass insns --------------- */

   case 0x27: /* DAA */
   case 0x2F: /* DAS */
      t1 = newTemp(cb);
      uInstr2(cb, GET, 1, ArchReg, R_AL, TempReg, t1);
      /* Widen %AL to 32 bits, so it's all defined when we push it. */
      uInstr1(cb, WIDEN, 4, TempReg, t1);
      uWiden(cb, 1, False);
      uInstr0(cb, CALLM_S, 0);
      uInstr1(cb, PUSH, 4, TempReg, t1);
      uInstr1(cb, CALLM, 0, Lit16, 
                  opc == 0x27 ? VGOFF_(helper_DAA) : VGOFF_(helper_DAS) );
      uFlagsRWU(cb, FlagsAC, FlagsSZACP, FlagO);
      uInstr1(cb, POP, 4, TempReg, t1);
      uInstr0(cb, CALLM_E, 0);
      uInstr2(cb, PUT, 1, TempReg, t1, ArchReg, R_AL);
      DIP(opc == 0x27 ? "daa\n" : "das\n");
      break;

   case 0x37: /* AAA */
   case 0x3F: /* AAS */
      t1 = newTemp(cb);
      uInstr2(cb, GET, 2, ArchReg, R_EAX, TempReg, t1);
      /* Widen %AL to 32 bits, so it's all defined when we push it. */
      uInstr1(cb, WIDEN, 4, TempReg, t1);
      uWiden(cb, 2, False);
      uInstr0(cb, CALLM_S, 0);
      uInstr1(cb, PUSH, 4, TempReg, t1);
      uInstr1(cb, CALLM, 0, Lit16, 
                  opc == 0x37 ? VGOFF_(helper_AAA) : VGOFF_(helper_AAS) );
      uFlagsRWU(cb, FlagA, FlagsAC, FlagsEmpty);
      uInstr1(cb, POP, 4, TempReg, t1);
      uInstr0(cb, CALLM_E, 0);
      uInstr2(cb, PUT, 2, TempReg, t1, ArchReg, R_EAX);
      DIP(opc == 0x37 ? "aaa\n" : "aas\n");
      break;

   case 0xD4: /* AAM */
   case 0xD5: /* AAD */
      d32 = getUChar(eip); eip++;
      if (d32 != 10) VG_(core_panic)("disInstr: AAM/AAD but base not 10 !");
      t1 = newTemp(cb);
      uInstr2(cb, GET, 2, ArchReg, R_EAX, TempReg, t1);
      /* Widen %AX to 32 bits, so it's all defined when we push it. */
      uInstr1(cb, WIDEN, 4, TempReg, t1);
      uWiden(cb, 2, False);
      uInstr0(cb, CALLM_S, 0);
      uInstr1(cb, PUSH, 4, TempReg, t1);
      uInstr1(cb, CALLM, 0, Lit16, 
                  opc == 0xD4 ? VGOFF_(helper_AAM) : VGOFF_(helper_AAD) );
      uFlagsRWU(cb, FlagsEmpty, FlagsSZP, FlagsEmpty);
      uInstr1(cb, POP, 4, TempReg, t1);
      uInstr0(cb, CALLM_E, 0);
      uInstr2(cb, PUT, 2, TempReg, t1, ArchReg, R_EAX);
      DIP(opc == 0xD4 ? "aam\n" : "aad\n");
      break;

   /* ------------------------ CWD/CDQ -------------------- */

   case 0x98: /* CBW */
      t1 = newTemp(cb);
      if (sz == 4) {
         uInstr2(cb, GET,   2, ArchReg, R_EAX, TempReg, t1);
         uInstr1(cb, WIDEN, 4, TempReg, t1); /* 4 == dst size */
         uWiden(cb, 2, True);
         uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, R_EAX);
         DIP("cwd\n");
      } else {
         vg_assert(sz == 2);
         uInstr2(cb, GET,   1, ArchReg, R_EAX, TempReg, t1);
         uInstr1(cb, WIDEN, 2, TempReg, t1); /* 2 == dst size */
         uWiden(cb, 1, True);
         uInstr2(cb, PUT, 2, TempReg, t1, ArchReg, R_EAX);
         DIP("cbw\n");
      }
      break;

   case 0x99: /* CWD/CDQ */
      t1 = newTemp(cb);
      uInstr2(cb, GET, sz, ArchReg, R_EAX, TempReg, t1);
      uInstr2(cb, SAR, sz, Literal, 0,     TempReg, t1);
      uLiteral(cb, sz == 2 ? 15  : 31);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, R_EDX);
      DIP(sz == 2 ? "cwdq\n" : "cdqq\n");
      break;

   /* ------------------------ FPU ops -------------------- */

   case 0x9E: /* SAHF */
      codegen_SAHF ( cb );
      DIP("sahf\n");
      break;

   case 0x9F: /* LAHF */
      codegen_LAHF ( cb );
      DIP("lahf\n");
      break;

   case 0x9B: /* FWAIT */
      /* ignore? */
      DIP("fwait\n");
      break;

   case 0xD8:
   case 0xD9:
   case 0xDA:
   case 0xDB:
   case 0xDC:
   case 0xDD:
   case 0xDE:
   case 0xDF:
      eip = dis_fpu ( cb, sorb, opc, eip );
      break;

   /* ------------------------ INC & DEC ------------------ */

   case 0x40: /* INC eAX */
   case 0x41: /* INC eCX */
   case 0x42: /* INC eDX */
   case 0x43: /* INC eBX */
   case 0x44: /* INC eSP */
   case 0x45: /* INC eBP */
   case 0x46: /* INC eSI */
   case 0x47: /* INC eDI */
      t1 = newTemp(cb);
      uInstr2(cb, GET, sz, ArchReg, (UInt)(opc - 0x40),
                             TempReg, t1);
      uInstr1(cb, INC, sz, TempReg, t1);
      setFlagsFromUOpcode(cb, INC);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg,
                             (UInt)(opc - 0x40));
      DIP("inc%c %s\n", nameISize(sz), nameIReg(sz,opc-0x40));
      break;

   case 0x48: /* DEC eAX */
   case 0x49: /* DEC eCX */
   case 0x4A: /* DEC eDX */
   case 0x4B: /* DEC eBX */
   case 0x4C: /* DEC eSP */
   case 0x4D: /* DEC eBP */
   case 0x4E: /* DEC eSI */
   case 0x4F: /* DEC eDI */
      t1 = newTemp(cb);
      uInstr2(cb, GET, sz, ArchReg, (UInt)(opc - 0x48),
                             TempReg, t1);
      uInstr1(cb, DEC, sz, TempReg, t1);
      setFlagsFromUOpcode(cb, DEC);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg,
                             (UInt)(opc - 0x48));
      DIP("dec%c %s\n", nameISize(sz), nameIReg(sz,opc-0x48));
      break;

   /* ------------------------ INT ------------------------ */

   case 0xCD: /* INT imm8 */
      d32 = getUChar(eip); eip++;
      if (d32 != 0x80) goto decode_failure;
      /* It's important that all ArchRegs carry their up-to-date value
         at this point.  So we declare an end-of-block here, which
         forces any TempRegs caching ArchRegs to be flushed. */
      jmp_lit(cb, eip);
      LAST_UINSTR(cb).jmpkind = JmpSyscall;
      *isEnd = True;
      DIP("int $0x80\n");
      break;

   /* ------------------------ Jcond, byte offset --------- */

   case 0xEB: /* Jb (jump, byte offset) */
      d32 = (eip+1) + getSDisp8(eip); eip++;
      jmp_lit(cb, d32);
      *isEnd = True;
      DIP("jmp-8 0x%x\n", d32);
      break;

   case 0xE9: /* Jv (jump, 16/32 offset) */
      d32 = (eip+sz) + getSDisp(sz,eip); eip += sz;
      jmp_lit(cb, d32);
      *isEnd = True;
      DIP("jmp 0x%x\n", d32);
      break;

   case 0x70:
   case 0x71:
   case 0x72: /* JBb/JNAEb (jump below) */
   case 0x73: /* JNBb/JAEb (jump not below) */
   case 0x74: /* JZb/JEb (jump zero) */
   case 0x75: /* JNZb/JNEb (jump not zero) */
   case 0x76: /* JBEb/JNAb (jump below or equal) */
   case 0x77: /* JNBEb/JAb (jump not below or equal) */
   case 0x78: /* JSb (jump negative) */
   case 0x79: /* JSb (jump not negative) */
   case 0x7A: /* JP (jump parity even) */
   case 0x7B: /* JNP/JPO (jump parity odd) */
   case 0x7C: /* JLb/JNGEb (jump less) */
   case 0x7D: /* JGEb/JNLb (jump greater or equal) */
   case 0x7E: /* JLEb/JNGb (jump less or equal) */
   case 0x7F: /* JGb/JNLEb (jump greater) */
      d32 = (eip+1) + getSDisp8(eip); eip++;
      jcc_lit(cb, d32, (Condcode)(opc - 0x70));
      /* It's actually acceptable not to end this basic block at a
         control transfer, reducing the number of jumps through
         vg_dispatch, at the expense of possibly translating the insns
         following this jump twice.  This does give faster code, but
         on the whole I don't think the effort is worth it. */
      jmp_lit(cb, eip);
      *isEnd = True;
      /* The above 3 lines would be removed if the bb was not to end
         here. */
      DIP("j%s-8 0x%x\n", VG_(name_UCondcode)(opc - 0x70), d32);
      break;

   case 0xE3: /* JECXZ or perhaps JCXZ, depending on OSO ?  Intel
                 manual says it depends on address size override,
                 which doesn't sound right to me. */
      d32 = (eip+1) + getSDisp8(eip); eip++;
      t1 = newTemp(cb);
      uInstr2(cb, GET,  4,  ArchReg, R_ECX, TempReg, t1);
      uInstr2(cb, JIFZ, 4,  TempReg, t1,    Literal, 0);
      uLiteral(cb, d32);
      DIP("j%sz 0x%x\n", nameIReg(sz, R_ECX), d32);
      break;

   case 0xE0: /* LOOPNE disp8 */
   case 0xE1: /* LOOPE  disp8 */
   case 0xE2: /* LOOP   disp8 */
      /* Again, the docs say this uses ECX/CX as a count depending on
         the address size override, not the operand one.  Since we
         don't handle address size overrides, I guess that means
         ECX. */
      d32 = (eip+1) + getSDisp8(eip); eip++;
      t1 = newTemp(cb);
      uInstr2(cb, GET,  4, ArchReg, R_ECX, TempReg, t1);
      uInstr1(cb, DEC,  4, TempReg, t1);
      uInstr2(cb, PUT,  4, TempReg, t1,    ArchReg, R_ECX);
      uInstr2(cb, JIFZ, 4, TempReg, t1,    Literal, 0);
      uLiteral(cb, eip);
      if (opc == 0xE0 || opc == 0xE1) {   /* LOOPE/LOOPNE */
         jcc_lit(cb, eip, (opc == 0xE1 ? CondNZ : CondZ));
      }
      jmp_lit(cb, d32);
      *isEnd = True;
      DIP("loop 0x%x\n", d32);
      break;

   /* ------------------------ IMUL ----------------------- */

   case 0x69: /* IMUL Iv, Ev, Gv */
      eip = dis_imul_I_E_G ( cb, sorb, sz, eip, sz );
      break;
   case 0x6B: /* IMUL Ib, Ev, Gv */
      eip = dis_imul_I_E_G ( cb, sorb, sz, eip, 1 );
      break;

   /* ------------------------ MOV ------------------------ */

   case 0x88: /* MOV Gb,Eb */
      eip = dis_mov_G_E(cb, sorb, 1, eip);
      break;

   case 0x89: /* MOV Gv,Ev */
      eip = dis_mov_G_E(cb, sorb, sz, eip);
      break;

   case 0x8A: /* MOV Eb,Gb */
      eip = dis_mov_E_G(cb, sorb, 1, eip);
      break;
 
   case 0x8B: /* MOV Ev,Gv */
      eip = dis_mov_E_G(cb, sorb, sz, eip);
      break;
 
   case 0x8D: /* LEA M,Gv */
      modrm = getUChar(eip);
      if (epartIsReg(modrm)) 
         VG_(core_panic)("LEA M,Gv: modRM refers to register");
      /* NOTE!  this is the one place where a segment override prefix
         has no effect on the address calculation.  Therefore we pass
         zero instead of sorb here. */
      pair = disAMode ( cb, /*sorb*/ 0, eip, dis_buf );
      eip  += HI8(pair);
      t1   = LOW24(pair);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, gregOfRM(modrm));
      DIP("lea%c %s, %s\n", nameISize(sz), dis_buf, 
                            nameIReg(sz,gregOfRM(modrm)));
      break;

   case 0x8C: /* MOV Sw,Ew -- MOV from a SEGMENT REGISTER */
      eip = dis_mov_Sw_Ew(cb, sorb, eip);
      break;

   case 0x8E: /* MOV Ew,Sw -- MOV to a SEGMENT REGISTER */
      eip = dis_mov_Ew_Sw(cb, sorb, eip);
      break;

   case 0xA0: /* MOV Ob,AL */
      sz = 1;
      /* Fall through ... */
   case 0xA1: /* MOV Ov,eAX */
      d32 = getUDisp32(eip); eip += 4;
      t1 = newTemp(cb); t2 = newTemp(cb);
      uInstr2(cb, MOV,   4, Literal, 0,   TempReg, t2);
      uLiteral(cb, d32);
      handleSegOverride(cb, sorb, t2);
      uInstr2(cb, LOAD, sz, TempReg, t2,  TempReg, t1);
      uInstr2(cb, PUT,  sz, TempReg, t1,  ArchReg, R_EAX);
      DIP("mov%c %s0x%x, %s\n", nameISize(sz), sorbTxt(sorb),
                                d32, nameIReg(sz,R_EAX));
      break;

   case 0xA2: /* MOV AL,Ob */
      sz = 1;
      /* Fall through ... */
   case 0xA3: /* MOV eAX,Ov */
      d32 = getUDisp32(eip); eip += 4;
      t1 = newTemp(cb); t2 = newTemp(cb);
      uInstr2(cb, GET,   sz, ArchReg, R_EAX, TempReg, t1);
      uInstr2(cb, MOV,    4, Literal, 0,     TempReg, t2);
      uLiteral(cb, d32);
      handleSegOverride(cb, sorb, t2);
      uInstr2(cb, STORE, sz, TempReg, t1,    TempReg, t2);
      DIP("mov%c %s, %s0x%x\n", nameISize(sz), nameIReg(sz,R_EAX),
                                sorbTxt(sorb), d32);
      break;

   case 0xB0: /* MOV imm,AL */
   case 0xB1: /* MOV imm,CL */
   case 0xB2: /* MOV imm,DL */
   case 0xB3: /* MOV imm,BL */
   case 0xB4: /* MOV imm,AH */
   case 0xB5: /* MOV imm,CH */
   case 0xB6: /* MOV imm,DH */
   case 0xB7: /* MOV imm,BH */
      d32 = getUChar(eip); eip += 1;
      t1 = newTemp(cb);
      uInstr2(cb, MOV, 1, Literal, 0,  TempReg, t1);
      uLiteral(cb, d32);
      uInstr2(cb, PUT, 1, TempReg, t1, ArchReg, opc-0xB0);
      DIP("movb $0x%x,%s\n", d32, nameIReg(1,opc-0xB0));
      break;

   case 0xB8: /* MOV imm,eAX */
   case 0xB9: /* MOV imm,eCX */
   case 0xBA: /* MOV imm,eDX */
   case 0xBB: /* MOV imm,eBX */
   case 0xBC: /* MOV imm,eSP */
   case 0xBD: /* MOV imm,eBP */
   case 0xBE: /* MOV imm,eSI */
   case 0xBF: /* MOV imm,eDI */
      d32 = getUDisp(sz,eip); eip += sz;
      t1 = newTemp(cb);
      uInstr2(cb, MOV, sz, Literal, 0,  TempReg, t1);
      uLiteral(cb, d32);
      uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, opc-0xB8);
      DIP("mov%c $0x%x,%s\n", nameISize(sz), d32, nameIReg(sz,opc-0xB8));
      break;

   case 0xC6: /* MOV Ib,Eb */
      sz = 1;
      goto do_Mov_I_E;
   case 0xC7: /* MOV Iv,Ev */
      goto do_Mov_I_E;

   do_Mov_I_E:
      modrm = getUChar(eip);
      if (epartIsReg(modrm)) {
         eip++; /* mod/rm byte */
         d32 = getUDisp(sz,eip); eip += sz;
         t1 = newTemp(cb);
         uInstr2(cb, MOV, sz, Literal, 0,  TempReg, t1);
	 uLiteral(cb, d32);
         uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, eregOfRM(modrm));
         DIP("mov%c $0x%x, %s\n", nameISize(sz), d32, 
                                  nameIReg(sz,eregOfRM(modrm)));
      } else {
         pair = disAMode ( cb, sorb, eip, dis_buf );
         eip += HI8(pair);
         d32 = getUDisp(sz,eip); eip += sz;
         t1 = newTemp(cb);
         t2 = LOW24(pair);
         uInstr2(cb, MOV, sz, Literal, 0, TempReg, t1);
	 uLiteral(cb, d32);
         uInstr2(cb, STORE, sz, TempReg, t1, TempReg, t2);
         DIP("mov%c $0x%x, %s\n", nameISize(sz), d32, dis_buf);
      }
      break;

   /* ------------------------ opl imm, A ----------------- */

   case 0x04: /* ADD Ib, AL */
      eip = dis_op_imm_A(cb, 1, ADD, True, eip, "add" );
      break;
   case 0x05: /* ADD Iv, eAX */
      eip = dis_op_imm_A(cb, sz, ADD, True, eip, "add" );
      break;

   case 0x0C: /* OR Ib, AL */
      eip = dis_op_imm_A(cb, 1, OR, True, eip, "or" );
      break;
   case 0x0D: /* OR Iv, eAX */
      eip = dis_op_imm_A(cb, sz, OR, True, eip, "or" );
      break;

   case 0x14: /* ADC Ib, AL */
      eip = dis_op_imm_A(cb, 1, ADC, True, eip, "adc" );
      break;
   case 0x15: /* ADC Iv, eAX */
      eip = dis_op_imm_A(cb, sz, ADC, True, eip, "adc" );
      break;

   case 0x1C: /* SBB Ib, AL */
      eip = dis_op_imm_A(cb, 1, SBB, True, eip, "sbb" );
      break;
   case 0x1D: /* SBB Iv, eAX */
      eip = dis_op_imm_A(cb, sz, SBB, True, eip, "sbb" );
      break;

   case 0x24: /* AND Ib, AL */
      eip = dis_op_imm_A(cb, 1, AND, True, eip, "and" );
      break;
   case 0x25: /* AND Iv, eAX */
      eip = dis_op_imm_A(cb, sz, AND, True, eip, "and" );
      break;

   case 0x2C: /* SUB Ib, AL */
      eip = dis_op_imm_A(cb, 1, SUB, True, eip, "sub" );
      break;
   case 0x2D: /* SUB Iv, eAX */
      eip = dis_op_imm_A(cb, sz, SUB, True, eip, "sub" );
      break;

   case 0x34: /* XOR Ib, AL */
      eip = dis_op_imm_A(cb, 1, XOR, True, eip, "xor" );
      break;
   case 0x35: /* XOR Iv, eAX */
      eip = dis_op_imm_A(cb, sz, XOR, True, eip, "xor" );
      break;

   case 0x3C: /* CMP Ib, AL */
      eip = dis_op_imm_A(cb, 1, SUB, False, eip, "cmp" );
      break;
   case 0x3D: /* CMP Iv, eAX */
      eip = dis_op_imm_A(cb, sz, SUB, False, eip, "cmp" );
      break;

   case 0xA8: /* TEST Ib, AL */
      eip = dis_op_imm_A(cb, 1, AND, False, eip, "test" );
      break;
   case 0xA9: /* TEST Iv, eAX */
      eip = dis_op_imm_A(cb, sz, AND, False, eip, "test" );
      break;

   /* ------------------------ opl Ev, Gv ----------------- */

   case 0x02: /* ADD Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, ADD, True, 1, eip, "add" );
      break;
   case 0x03: /* ADD Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, ADD, True, sz, eip, "add" );
      break;

   case 0x0A: /* OR Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, OR, True, 1, eip, "or" );
      break;
   case 0x0B: /* OR Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, OR, True, sz, eip, "or" );
      break;

   case 0x12: /* ADC Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, ADC, True, 1, eip, "adc" );
      break;
   case 0x13: /* ADC Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, ADC, True, sz, eip, "adc" );
      break;

   case 0x1A: /* SBB Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, SBB, True, 1, eip, "sbb" );
      break;
   case 0x1B: /* SBB Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, SBB, True, sz, eip, "sbb" );
      break;

   case 0x22: /* AND Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, AND, True, 1, eip, "and" );
      break;
   case 0x23: /* AND Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, AND, True, sz, eip, "and" );
      break;

   case 0x2A: /* SUB Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, SUB, True, 1, eip, "sub" );
      break;
   case 0x2B: /* SUB Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, SUB, True, sz, eip, "sub" );
      break;

   case 0x32: /* XOR Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, XOR, True, 1, eip, "xor" );
      break;
   case 0x33: /* XOR Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, XOR, True, sz, eip, "xor" );
      break;

   case 0x3A: /* CMP Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, SUB, False, 1, eip, "cmp" );
      break;
   case 0x3B: /* CMP Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, SUB, False, sz, eip, "cmp" );
      break;

   case 0x84: /* TEST Eb,Gb */
      eip = dis_op2_E_G ( cb, sorb, AND, False, 1, eip, "test" );
      break;
   case 0x85: /* TEST Ev,Gv */
      eip = dis_op2_E_G ( cb, sorb, AND, False, sz, eip, "test" );
      break;

   /* ------------------------ opl Gv, Ev ----------------- */

   case 0x00: /* ADD Gb,Eb */
      eip = dis_op2_G_E ( cb, sorb, ADD, True, 1, eip, "add" );
      break;
   case 0x01: /* ADD Gv,Ev */
      eip = dis_op2_G_E ( cb, sorb, ADD, True, sz, eip, "add" );
      break;

   case 0x08: /* OR Gb,Eb */
      eip = dis_op2_G_E ( cb, sorb, OR, True, 1, eip, "or" );
      break;
   case 0x09: /* OR Gv,Ev */
      eip = dis_op2_G_E ( cb, sorb, OR, True, sz, eip, "or" );
      break;

   case 0x10: /* ADC Gb,Eb */
      eip = dis_op2_G_E ( cb, sorb, ADC, True, 1, eip, "adc" );
      break;
   case 0x11: /* ADC Gv,Ev */
      eip = dis_op2_G_E ( cb, sorb, ADC, True, sz, eip, "adc" );
      break;

   case 0x18: /* SBB Gb,Eb */
      eip = dis_op2_G_E ( cb, sorb, SBB, True, 1, eip, "sbb" );
      break;
   case 0x19: /* SBB Gv,Ev */
      eip = dis_op2_G_E ( cb, sorb, SBB, True, sz, eip, "sbb" );
      break;

   case 0x20: /* AND Gb,Eb */
      eip = dis_op2_G_E ( cb, sorb, AND, True, 1, eip, "and" );
      break;
   case 0x21: /* AND Gv,Ev */
      eip = dis_op2_G_E ( cb, sorb, AND, True, sz, eip, "and" );
      break;

   case 0x28: /* SUB Gb,Eb */
      eip = dis_op2_G_E ( cb, sorb, SUB, True, 1, eip, "sub" );
      break;
   case 0x29: /* SUB Gv,Ev */
      eip = dis_op2_G_E ( cb, sorb, SUB, True, sz, eip, "sub" );
      break;

   case 0x30: /* XOR Gb,Eb */
      eip = dis_op2_G_E ( cb, sorb, XOR, True, 1, eip, "xor" );
      break;
   case 0x31: /* XOR Gv,Ev */
      eip = dis_op2_G_E ( cb, sorb, XOR, True, sz, eip, "xor" );
      break;

   case 0x38: /* CMP Gb,Eb */
      eip = dis_op2_G_E ( cb, sorb, SUB, False, 1, eip, "cmp" );
      break;
   case 0x39: /* CMP Gv,Ev */
      eip = dis_op2_G_E ( cb, sorb, SUB, False, sz, eip, "cmp" );
      break;

   /* ------------------------ POP ------------------------ */

   case 0x58: /* POP eAX */
   case 0x59: /* POP eCX */
   case 0x5A: /* POP eDX */
   case 0x5B: /* POP eBX */
   case 0x5D: /* POP eBP */
   case 0x5E: /* POP eSI */
   case 0x5F: /* POP eDI */
   case 0x5C: /* POP eSP */
      t1 = newTemp(cb); t2 = newTemp(cb);
      uInstr2(cb, GET,    4, ArchReg, R_ESP,    TempReg, t2);
      uInstr2(cb, LOAD,  sz, TempReg, t2,       TempReg, t1);
      uInstr2(cb, ADD,    4, Literal, 0,        TempReg, t2);
      uLiteral(cb, sz);
      uInstr2(cb, PUT,    4, TempReg, t2,       ArchReg, R_ESP);
      uInstr2(cb, PUT,   sz, TempReg, t1,       ArchReg, opc-0x58);
      DIP("pop%c %s\n", nameISize(sz), nameIReg(sz,opc-0x58));
      break;

   case 0x9D: /* POPF */
      vg_assert(sz == 2 || sz == 4);
      t1 = newTemp(cb); t2 = newTemp(cb);
      uInstr2(cb, GET,    4, ArchReg, R_ESP,    TempReg, t2);
      uInstr2(cb, LOAD,  sz, TempReg, t2,       TempReg, t1);
      uInstr2(cb, ADD,    4, Literal, 0,        TempReg, t2);
      uLiteral(cb, sz);
      uInstr2(cb, PUT,    4, TempReg, t2,       ArchReg, R_ESP);
      uInstr1(cb, PUTF,  sz, TempReg, t1);
      /* PUTF writes all the flags we are interested in */
      uFlagsRWU(cb, FlagsEmpty, FlagsALL, FlagsEmpty);
      DIP("popf%c\n", nameISize(sz));
      break;

   case 0x61: /* POPA */
    { Int reg;
      /* Just to keep things sane, we assert for a size 4.  It's
         probably OK for size 2 as well, but I'd like to find a test
         case; ie, have the assertion fail, before committing to it.
         If it fails for you, uncomment the sz == 2 bit, try again,
         and let me know whether or not it works.  (jseward@acm.org).  */
      vg_assert(sz == 4 /* || sz == 2 */);

      /* Eight values are popped, one per register, but the value of
         %esp on the stack is ignored and instead incremented (in one
         hit at the end) for each of the values. */
      t1 = newTemp(cb); t2 = newTemp(cb); t3 = newTemp(cb);
      uInstr2(cb, GET,    4, ArchReg, R_ESP, TempReg, t2);
      uInstr2(cb, MOV,    4, TempReg, t2,    TempReg, t3);

      /* Do %edi, %esi, %ebp */
      for (reg = 7; reg >= 5; reg--) {
          uInstr2(cb, LOAD,  sz, TempReg, t2, TempReg, t1);
          uInstr2(cb, ADD,    4, Literal, 0,  TempReg, t2);
          uLiteral(cb, sz);
          uInstr2(cb, PUT,   sz, TempReg, t1, ArchReg, reg);
      }
      /* Ignore (skip) value of %esp on stack. */
      uInstr2(cb, ADD,    4, Literal, 0,  TempReg, t2);
      uLiteral(cb, sz);
      /* Do %ebx, %edx, %ecx, %eax */
      for (reg = 3; reg >= 0; reg--) {
          uInstr2(cb, LOAD,  sz, TempReg, t2, TempReg, t1);
          uInstr2(cb, ADD,    4, Literal, 0,  TempReg, t2);
          uLiteral(cb, sz);
          uInstr2(cb, PUT,   sz, TempReg, t1, ArchReg, reg);
      }
      uInstr2(cb, ADD,    4, Literal, 0,  TempReg, t3);
      uLiteral(cb, sz * 8);             /* One 'sz' per register */
      uInstr2(cb, PUT,    4, TempReg, t3, ArchReg, R_ESP);
      DIP("popa%c\n", nameISize(sz));
      break;
    }

   case 0x8F: /* POPL/POPW m32 */
     { UInt pair1;
       Int  tmpa;
       UChar rm = getUChar(eip);

       /* make sure this instruction is correct POP */
       vg_assert(!epartIsReg(rm) && (gregOfRM(rm) == 0));
       /* and has correct size */
       vg_assert(sz == 4);      
       
       t1 = newTemp(cb); t3 = newTemp(cb);
       /* set t1 to ESP: t1 = ESP */
       uInstr2(cb, GET,  4, ArchReg, R_ESP,    TempReg, t1);
       /* load M[ESP] to virtual register t3: t3 = M[t1] */
       uInstr2(cb, LOAD, 4, TempReg, t1, TempReg, t3);
       
       /* increase ESP; must be done before the STORE.  Intel manual says:
            If the ESP register is used as a base register for addressing
            a destination operand in memory, the POP instruction computes
            the effective address of the operand after it increments the
            ESP register.
       */
       uInstr2(cb, ADD,    4, Literal, 0,        TempReg, t1);
       uLiteral(cb, sz);
       uInstr2(cb, PUT,    4, TempReg, t1,       ArchReg, R_ESP);

       /* resolve MODR/M */
       pair1 = disAMode ( cb, sorb, eip, dis_buf );              
       
       tmpa = LOW24(pair1);
       /*  uInstr2(cb, LOAD, sz, TempReg, tmpa, TempReg, tmpa); */
       /* store value from stack in memory, M[m32] = t3 */       
       uInstr2(cb, STORE, 4, TempReg, t3, TempReg, tmpa);

       DIP("popl %s\n", dis_buf);

       eip += HI8(pair1);
       break;
     }

   case 0x1F: /* POP %DS */
      dis_pop_segreg( cb, R_DS, sz ); break;
   case 0x07: /* POP %ES */
      dis_pop_segreg( cb, R_ES, sz ); break;
   case 0x17: /* POP %SS */
      dis_pop_segreg( cb, R_SS, sz ); break;

   /* ------------------------ PUSH ----------------------- */

   case 0x50: /* PUSH eAX */
   case 0x51: /* PUSH eCX */
   case 0x52: /* PUSH eDX */
   case 0x53: /* PUSH eBX */
   case 0x55: /* PUSH eBP */
   case 0x56: /* PUSH eSI */
   case 0x57: /* PUSH eDI */
   case 0x54: /* PUSH eSP */
      /* This is the Right Way, in that the value to be pushed is
         established before %esp is changed, so that pushl %esp
         correctly pushes the old value. */
      t1 = newTemp(cb); t2 = newTemp(cb); t3 = newTemp(cb);
      uInstr2(cb, GET,   sz, ArchReg, opc-0x50, TempReg, t1);
      uInstr2(cb, GET,    4, ArchReg, R_ESP,    TempReg, t3);
      uInstr2(cb, MOV,    4, TempReg, t3,       TempReg, t2);
      uInstr2(cb, SUB,    4, Literal, 0,        TempReg, t2);
      uLiteral(cb, sz);
      uInstr2(cb, PUT,    4, TempReg, t2,       ArchReg, R_ESP);
      uInstr2(cb, STORE, sz, TempReg, t1,       TempReg, t2);
      DIP("push%c %s\n", nameISize(sz), nameIReg(sz,opc-0x50));
      break;

   case 0x68: /* PUSH Iv */
      d32 = getUDisp(sz,eip); eip += sz;
      goto do_push_I;
   case 0x6A: /* PUSH Ib, sign-extended to sz */
      d32 = getSDisp8(eip); eip += 1;
      goto do_push_I;
   do_push_I:
      t1 = newTemp(cb); t2 = newTemp(cb);
      uInstr2(cb, GET,    4, ArchReg, R_ESP, TempReg, t1);
      uInstr2(cb, SUB,    4, Literal, 0,     TempReg, t1);
      uLiteral(cb, sz);
      uInstr2(cb, PUT,    4, TempReg, t1,    ArchReg, R_ESP);
      uInstr2(cb, MOV,   sz, Literal, 0,     TempReg, t2);
      uLiteral(cb, d32);
      uInstr2(cb, STORE, sz, TempReg, t2,    TempReg, t1);
      DIP("push%c $0x%x\n", nameISize(sz), d32);
      break;

   case 0x9C: /* PUSHF */
      vg_assert(sz == 2 || sz == 4);
      t1 = newTemp(cb); t2 = newTemp(cb); t3 = newTemp(cb);
      uInstr1(cb, GETF,  sz, TempReg, t1);
      /* GETF reads all the flags we are interested in */
      uFlagsRWU(cb, FlagsALL, FlagsEmpty, FlagsEmpty);
      uInstr2(cb, GET,    4, ArchReg, R_ESP,    TempReg, t3);
      uInstr2(cb, MOV,    4, TempReg, t3,       TempReg, t2);
      uInstr2(cb, SUB,    4, Literal, 0,        TempReg, t2);
      uLiteral(cb, sz);
      uInstr2(cb, PUT,    4, TempReg, t2,       ArchReg, R_ESP);
      uInstr2(cb, STORE, sz, TempReg, t1,       TempReg, t2);
      DIP("pushf%c\n", nameISize(sz));
      break;

   case 0x60: /* PUSHA */
    { Int reg;
      /* Just to keep things sane, we assert for a size 4.  It's
         probably OK for size 2 as well, but I'd like to find a test
         case; ie, have the assertion fail, before committing to it.
         If it fails for you, uncomment the sz == 2 bit, try again,
         and let me know whether or not it works.  (jseward@acm.org).  */
      vg_assert(sz == 4 /* || sz == 2 */);

      /* This is the Right Way, in that the value to be pushed is
         established before %esp is changed, so that pusha
         correctly pushes the old %esp value.  New value of %esp is
         pushed at start. */
      t1 = newTemp(cb); t2 = newTemp(cb); t3 = newTemp(cb);
      t4 = newTemp(cb);
      uInstr2(cb, GET,    4, ArchReg, R_ESP, TempReg, t3);
      uInstr2(cb, MOV,    4, TempReg, t3,    TempReg, t2);
      uInstr2(cb, MOV,    4, TempReg, t3,    TempReg, t4);
      uInstr2(cb, SUB,    4, Literal, 0,     TempReg, t4);
      uLiteral(cb, sz * 8);             /* One 'sz' per register. */
      uInstr2(cb, PUT,    4, TempReg, t4,  ArchReg, R_ESP);
      /* Do %eax, %ecx, %edx, %ebx */
      for (reg = 0; reg <= 3; reg++) {
         uInstr2(cb, GET,   sz, ArchReg, reg, TempReg, t1);
         uInstr2(cb, SUB,    4, Literal,   0, TempReg, t2);
         uLiteral(cb, sz);
         uInstr2(cb, STORE, sz, TempReg,  t1, TempReg, t2);
      }
      /* Push old value of %esp */
      uInstr2(cb, SUB,    4, Literal,   0, TempReg, t2);
      uLiteral(cb, sz);
      uInstr2(cb, STORE, sz, TempReg,  t3, TempReg, t2);
      /* Do %ebp, %esi, %edi */
      for (reg = 5; reg <= 7; reg++) {
         uInstr2(cb, GET,   sz, ArchReg, reg, TempReg, t1);
         uInstr2(cb, SUB,    4, Literal,   0, TempReg, t2);
         uLiteral(cb, sz);
         uInstr2(cb, STORE, sz, TempReg,  t1, TempReg, t2);
      }
      DIP("pusha%c\n", nameISize(sz));
      break;
   }

   case 0x0E: /* PUSH %CS */
      dis_push_segreg( cb, R_CS, sz ); break;
   case 0x1E: /* PUSH %DS */
      dis_push_segreg( cb, R_DS, sz ); break;
   case 0x06: /* PUSH %ES */
      dis_push_segreg( cb, R_ES, sz ); break;
   case 0x16: /* PUSH %SS */
      dis_push_segreg( cb, R_SS, sz ); break;

   /* ------------------------ SCAS et al ----------------- */

   case 0xA4: /* MOVS, no REP prefix */
   case 0xA5: 
      dis_string_op( cb, dis_MOVS, ( opc == 0xA4 ? 1 : sz ), "movs", sorb );
      break;

   case 0xA6: /* CMPSb, no REP prefix */
   case 0xA7:
      dis_string_op( cb, dis_CMPS, ( opc == 0xA6 ? 1 : sz ), "cmps", sorb );
      break;

   case 0xAA: /* STOS, no REP prefix */
   case 0xAB:
      dis_string_op( cb, dis_STOS, ( opc == 0xAA ? 1 : sz ), "stos", sorb );
      break;
   
   case 0xAC: /* LODS, no REP prefix */
   case 0xAD:
      dis_string_op( cb, dis_LODS, ( opc == 0xAC ? 1 : sz ), "lods", sorb );
      break;

   case 0xAE: /* SCAS, no REP prefix */
   case 0xAF:
      dis_string_op( cb, dis_SCAS, ( opc == 0xAE ? 1 : sz ), "scas", sorb );
      break;


   case 0xFC: /* CLD */
      uInstr0(cb, CALLM_S, 0);
      uInstr1(cb, CALLM, 0, Lit16, VGOFF_(helper_CLD));
      uFlagsRWU(cb, FlagsEmpty, FlagD, FlagsEmpty);
      uInstr0(cb, CALLM_E, 0);
      DIP("cld\n");
      break;

   case 0xFD: /* STD */
      uInstr0(cb, CALLM_S, 0);
      uInstr1(cb, CALLM, 0, Lit16, VGOFF_(helper_STD));
      uFlagsRWU(cb, FlagsEmpty, FlagD, FlagsEmpty);
      uInstr0(cb, CALLM_E, 0);
      DIP("std\n");
      break;

   case 0xF8: /* CLC */
      uInstr0(cb, CALLM_S, 0);
      uInstr1(cb, CALLM, 0, Lit16, VGOFF_(helper_CLC));
      uFlagsRWU(cb, FlagsEmpty, FlagC, FlagsOSZAP);
      uInstr0(cb, CALLM_E, 0);
      DIP("clc\n");
      break;

   case 0xF9: /* STC */
      uInstr0(cb, CALLM_S, 0);
      uInstr1(cb, CALLM, 0, Lit16, VGOFF_(helper_STC));
      uFlagsRWU(cb, FlagsEmpty, FlagC, FlagsOSZAP);
      uInstr0(cb, CALLM_E, 0);
      DIP("stc\n");
      break;

   case 0xF5: /* CMC */
      uInstr0(cb, CALLM_S, 0);
      uInstr1(cb, CALLM, 0, Lit16, VGOFF_(helper_CMC));
      uFlagsRWU(cb, FlagC, FlagC, FlagsOSZAP);
      uInstr0(cb, CALLM_E, 0);
      DIP("cmc\n");
      break;

   /* REPNE prefix insn */
   case 0xF2: { 
      Addr eip_orig = eip - 1;
      vg_assert(sorb == 0);
      abyte = getUChar(eip); eip++;

      if (abyte == 0x66) { sz = 2; abyte = getUChar(eip); eip++; }
      *isEnd = True;         

      switch (abyte) {
      /* According to the Intel manual, "repne movs" should never occur, but
       * in practice it has happened, so allow for it here... */
      case 0xA4: sz = 1;   /* REPNE MOVS<sz> */
      case 0xA5: 
         dis_REP_op ( cb, CondNZ, dis_MOVS, sz, eip_orig, eip, "repne movs" );
         break;

      case 0xA6: sz = 1;   /* REPNE CMPS<sz> */
      case 0xA7:
         dis_REP_op ( cb, CondNZ, dis_CMPS, sz, eip_orig, eip, "repne cmps" );
         break;

      case 0xAE: sz = 1;   /* REPNE SCAS<sz> */
      case 0xAF:
         dis_REP_op ( cb, CondNZ, dis_SCAS, sz, eip_orig, eip, "repne scas" );
         break;

      default:
         goto decode_failure;
      }
      break;
   }

   /* REP/REPE prefix insn (for SCAS and CMPS, 0xF3 means REPE,
      for the rest, it means REP) */
   case 0xF3: { 
      Addr eip_orig = eip - 1;
      vg_assert(sorb == 0);
      abyte = getUChar(eip); eip++;

      if (abyte == 0x66) { sz = 2; abyte = getUChar(eip); eip++; }
      *isEnd = True;

      switch (abyte) {
      case 0xA4: sz = 1;   /* REP MOVS<sz> */
      case 0xA5:
         dis_REP_op ( cb, CondAlways, dis_MOVS, sz, eip_orig, eip, "rep movs" );
         break;

      case 0xA6: sz = 1;   /* REPE CMP<sz> */
      case 0xA7:
         dis_REP_op ( cb, CondZ, dis_CMPS, sz, eip_orig, eip, "repe cmps" );
         break;

      case 0xAA: sz = 1;   /* REP STOS<sz> */
      case 0XAB:
         dis_REP_op ( cb, CondAlways, dis_STOS, sz, eip_orig, eip, "rep stos" );
         break;

      case 0xAE: sz = 1;   /* REPE SCAS<sz> */
      case 0xAF: 
         dis_REP_op ( cb, CondZ, dis_SCAS, sz, eip_orig, eip, "repe scas" );
         break;
      
      case 0x90:           /* REP NOP (PAUSE) */
         /* a hint to the P4 re spin-wait loop */
         DIP("rep nop (P4 pause)\n");
         jmp_lit(cb, eip);
         LAST_UINSTR(cb).jmpkind = JmpYield;
         break;

      case 0xC3:           /* REP RET */
         /* AMD K7/K8-specific optimisation; faster than vanilla RET */
         dis_ret(cb, 0);
         DIP("rep ret\n");
         break;

      default:
         goto decode_failure;
      }
      break;
   }

   /* ------------------------ XCHG ----------------------- */

   case 0x86: /* XCHG Gb,Eb */
      sz = 1;
      /* Fall through ... */
   case 0x87: /* XCHG Gv,Ev */
      modrm = getUChar(eip);
      t1 = newTemp(cb); t2 = newTemp(cb);
      if (epartIsReg(modrm)) {
         uInstr2(cb, GET, sz, ArchReg, eregOfRM(modrm), TempReg, t1);
         uInstr2(cb, GET, sz, ArchReg, gregOfRM(modrm), TempReg, t2);
         uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, gregOfRM(modrm));
         uInstr2(cb, PUT, sz, TempReg, t2, ArchReg, eregOfRM(modrm));
         eip++;
         DIP("xchg%c %s, %s\n", 
             nameISize(sz), nameIReg(sz,gregOfRM(modrm)), 
                            nameIReg(sz,eregOfRM(modrm)));
      } else {
         pair = disAMode ( cb, sorb, eip, dis_buf );
         t3   = LOW24(pair);
         uInstr2(cb, LOAD, sz, TempReg, t3, TempReg, t1);
         uInstr2(cb, GET, sz, ArchReg, gregOfRM(modrm), TempReg, t2);
         uInstr2(cb, STORE, sz, TempReg, t2, TempReg, t3);
         uInstr2(cb, PUT, sz, TempReg, t1, ArchReg, gregOfRM(modrm));
         eip += HI8(pair);
         DIP("xchg%c %s, %s\n", nameISize(sz), 
                                nameIReg(sz,gregOfRM(modrm)), dis_buf);
      }
      break;

   case 0x90: /* XCHG eAX,eAX */
      DIP("nop\n");
      break;
   case 0x91: /* XCHG eAX,eCX */
   case 0x92: /* XCHG eAX,eDX */
   case 0x93: /* XCHG eAX,eBX */
   case 0x94: /* XCHG eAX,eSP */
   case 0x95: /* XCHG eAX,eBP */
   case 0x96: /* XCHG eAX,eSI */
   case 0x97: /* XCHG eAX,eDI */
      codegen_xchg_eAX_Reg ( cb, sz, opc - 0x90 );
      break;

   /* ------------------------ XLAT ----------------------- */

   case 0xD7: /* XLAT */
      t1 = newTemp(cb); t2 = newTemp(cb);
      uInstr2(cb, GET, sz, ArchReg, R_EBX, TempReg, t1); /* get eBX */
      handleSegOverride( cb, sorb, t1 );               /* make t1 DS:eBX */
      uInstr2(cb, GET, 1, ArchReg, R_AL, TempReg, t2); /* get AL */
      /* Widen %AL to 32 bits, so it's all defined when we add it. */
      uInstr1(cb, WIDEN, 4, TempReg, t2);
      uWiden(cb, 1, False);
      uInstr2(cb, ADD, sz, TempReg, t2, TempReg, t1);  /* add AL to eBX */
      uInstr2(cb, LOAD, 1, TempReg, t1,  TempReg, t2); /* get byte at t1 into t2 */
      uInstr2(cb, PUT, 1, TempReg, t2, ArchReg, R_AL); /* put byte into AL */

      DIP("xlat%c [ebx]\n", nameISize(sz));
      break;

   /* ------------------------ IN / OUT ----------------------- */

   case 0xE4: /* IN ib, %al        */
   case 0xE5: /* IN ib, %{e}ax     */
   case 0xEC: /* IN (%dx),%al      */
   case 0xED: /* IN (%dx),%{e}ax   */
      t1 = newTemp(cb);
      t2 = newTemp(cb);
      t3 = newTemp(cb);

      uInstr0(cb, CALLM_S, 0);
      /* operand size? */
      uInstr2(cb, MOV,   4, Literal, 0, TempReg, t1);
      uLiteral(cb, ( opc == 0xE4 || opc == 0xEC ) ? 1 : sz);
      uInstr1(cb, PUSH,  4, TempReg, t1);
      /* port number ? */
      if ( opc == 0xE4 || opc == 0xE5 ) {
         abyte = getUChar(eip); eip++;
         uInstr2(cb, MOV,   4, Literal, 0, TempReg, t2);
         uLiteral(cb, abyte);
      }
      else
         uInstr2(cb, GET,   4, ArchReg, R_EDX, TempReg, t2);

      uInstr1(cb, PUSH,  4, TempReg, t2);
      uInstr1(cb, CALLM, 0, Lit16,   VGOFF_(helper_IN));
      uFlagsRWU(cb, FlagsEmpty, FlagsEmpty, FlagsEmpty);
      uInstr1(cb, POP,   4, TempReg, t2);
      uInstr1(cb, CLEAR, 0, Lit16,   4);
      uInstr0(cb, CALLM_E, 0);
      uInstr2(cb, PUT,   4, TempReg, t2, ArchReg, R_EAX);
      if ( opc == 0xE4 || opc == 0xE5 ) {
         DIP("in 0x%x, %%eax/%%ax/%%al\n", getUChar(eip-1) );
      } else {
         DIP("in (%%dx), %%eax/%%ax/%%al\n");
      }
      break;
   case 0xE6: /* OUT %al,ib       */
   case 0xE7: /* OUT %{e}ax,ib    */
   case 0xEE: /* OUT %al,(%dx)    */
   case 0xEF: /* OUT %{e}ax,(%dx) */
      t1 = newTemp(cb);
      t2 = newTemp(cb);
      t3 = newTemp(cb);

      uInstr0(cb, CALLM_S, 0);
      /* operand size? */
      uInstr2(cb, MOV,   4, Literal, 0, TempReg, t1);
      uLiteral(cb, ( opc == 0xE6 || opc == 0xEE ) ? 1 : sz);
      uInstr1(cb, PUSH,  4, TempReg, t1);
      /* port number ? */
      if ( opc == 0xE6 || opc == 0xE7 ) {
         abyte = getUChar(eip); eip++;
         uInstr2(cb, MOV,   4, Literal, 0, TempReg, t2);
         uLiteral(cb, abyte);
      }
      else
         uInstr2(cb, GET,   4, ArchReg, R_EDX, TempReg, t2);
      uInstr1(cb, PUSH,  4, TempReg, t2);
      uInstr2(cb, GET,   4, ArchReg, R_EAX, TempReg, t3);
      uInstr1(cb, PUSH,  4, TempReg, t3);
      uInstr1(cb, CALLM, 0, Lit16,   VGOFF_(helper_OUT));
      uFlagsRWU(cb, FlagsEmpty, FlagsEmpty, FlagsEmpty);
      uInstr1(cb, CLEAR,  0, Lit16,  12);
      uInstr0(cb, CALLM_E, 0);
      if ( opc == 0xE4 || opc == 0xE5 ) {
         DIP("out %%eax/%%ax/%%al, 0x%x\n", getUChar(eip-1) );
      } else {
         DIP("out %%eax/%%ax/%%al, (%%dx)\n");
      }
      break;

   /* ------------------------ (Grp1 extensions) ---------- */

   case 0x80: /* Grp1 Ib,Eb */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      sz    = 1;
      d_sz  = 1;
      d32   = getSDisp8(eip + am_sz);
      eip   = dis_Grp1 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, d32 );
      break;

   case 0x81: /* Grp1 Iv,Ev */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      d_sz  = sz;
      d32   = getUDisp(d_sz, eip + am_sz);
      eip   = dis_Grp1 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, d32 );
      break;

   case 0x83: /* Grp1 Ib,Ev */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      d_sz  = 1;
      d32   = getSDisp8(eip + am_sz);
      eip   = dis_Grp1 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, d32 );
      break;

   /* ------------------------ (Grp2 extensions) ---------- */

   case 0xC0: /* Grp2 Ib,Eb */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      d_sz  = 1;
      d32   = getSDisp8(eip + am_sz);
      sz    = 1;
      eip   = dis_Grp2 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, Literal, d32 );
      break;

   case 0xC1: /* Grp2 Ib,Ev */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      d_sz  = 1;
      d32   = getSDisp8(eip + am_sz);
      eip   = dis_Grp2 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, Literal, d32 );
      break;

   case 0xD0: /* Grp2 1,Eb */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      d_sz  = 0;
      d32   = 1;
      sz    = 1;
      eip   = dis_Grp2 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, Literal, d32 );
      break;

   case 0xD1: /* Grp2 1,Ev */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      d_sz  = 0;
      d32   = 1;
      eip   = dis_Grp2 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, Literal, d32 );
      break;

   case 0xD2: /* Grp2 CL,Eb */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      d_sz  = 0;
      sz    = 1;
      eip   = dis_Grp2 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, ArchReg, R_ECX );
      break;

   case 0xD3: /* Grp2 CL,Ev */
      modrm = getUChar(eip);
      am_sz = lengthAMode(eip);
      d_sz  = 0;
      eip   = dis_Grp2 ( cb, sorb, eip, modrm, am_sz, d_sz, sz, ArchReg, R_ECX );
      break;

   /* ------------------------ (Grp3 extensions) ---------- */

   case 0xF6: /* Grp3 Eb */
      eip = dis_Grp3 ( cb, sorb, 1, eip );
      break;
   case 0xF7: /* Grp3 Ev */
      eip = dis_Grp3 ( cb, sorb, sz, eip );
      break;

   /* ------------------------ (Grp4 extensions) ---------- */

   case 0xFE: /* Grp4 Eb */
      eip = dis_Grp4 ( cb, sorb, eip );
      break;

   /* ------------------------ (Grp5 extensions) ---------- */

   case 0xFF: /* Grp5 Ev */
      eip = dis_Grp5 ( cb, sorb, sz, eip, isEnd );
      break;

   /* ------------------------ Escapes to 2-byte opcodes -- */

   case 0x0F: {
      opc = getUChar(eip); eip++;
      switch (opc) {

      /* =-=-=-=-=-=-=-=-=- Grp8 =-=-=-=-=-=-=-=-=-=-=-= */

      case 0xBA: /* Grp8 Ib,Ev */
         modrm = getUChar(eip);
         am_sz = lengthAMode(eip);
         d32   = getSDisp8(eip + am_sz);
         eip = dis_Grp8_BT ( cb, sorb, eip, modrm, am_sz, sz, d32 );
         break;

      /* =-=-=-=-=-=-=-=-=- BSF/BSR -=-=-=-=-=-=-=-=-=-= */

      case 0xBC: /* BSF Gv,Ev */
         eip = dis_bs_E_G ( cb, sorb, sz, eip, True );
         break;
      case 0xBD: /* BSR Gv,Ev */
         eip = dis_bs_E_G ( cb, sorb, sz, eip, False );
         break;

      /* =-=-=-=-=-=-=-=-=- BSWAP -=-=-=-=-=-=-=-=-=-=-= */

      case 0xC8: /* BSWAP %eax */
      case 0xC9:
      case 0xCA:
      case 0xCB:
      case 0xCC:
      case 0xCD:
      case 0xCE:
      case 0xCF: /* BSWAP %edi */
         /* AFAICS from the Intel docs, this only exists at size 4. */
         vg_assert(sz == 4);
         t1 = newTemp(cb);
         uInstr2(cb, GET,   4, ArchReg, opc-0xC8, TempReg, t1);
	 uInstr1(cb, BSWAP, 4, TempReg, t1);
         uInstr2(cb, PUT,   4, TempReg, t1, ArchReg, opc-0xC8);
         DIP("bswapl %s\n", nameIReg(4, opc-0xC8));
         break;

      /* =-=-=-=-=-=-=-=-=- BT/BTS/BTR/BTC =-=-=-=-=-=-= */

      case 0xA3: /* BT Gv,Ev */
         eip = dis_bt_G_E ( cb, sorb, sz, eip, BtOpNone );
         break;
      case 0xB3: /* BTR Gv,Ev */
         eip = dis_bt_G_E ( cb, sorb, sz, eip, BtOpReset );
         break;
      case 0xAB: /* BTS Gv,Ev */
         eip = dis_bt_G_E ( cb, sorb, sz, eip, BtOpSet );
         break;
      case 0xBB: /* BTC Gv,Ev */
         eip = dis_bt_G_E ( cb, sorb, sz, eip, BtOpComp );
         break;

      /* =-=-=-=-=-=-=-=-=- CMOV =-=-=-=-=-=-=-=-=-=-=-= */

      case 0x40:
      case 0x41:
      case 0x42: /* CMOVBb/CMOVNAEb (cmov below) */
      case 0x43: /* CMOVNBb/CMOVAEb (cmov not below) */
      case 0x44: /* CMOVZb/CMOVEb (cmov zero) */
      case 0x45: /* CMOVNZb/CMOVNEb (cmov not zero) */
      case 0x46: /* CMOVBEb/CMOVNAb (cmov below or equal) */
      case 0x47: /* CMOVNBEb/CMOVAb (cmov not below or equal) */
      case 0x48: /* CMOVSb (cmov negative) */
      case 0x49: /* CMOVSb (cmov not negative) */
      case 0x4A: /* CMOVP (cmov parity even) */
      case 0x4B: /* CMOVNP (cmov parity odd) */
      case 0x4C: /* CMOVLb/CMOVNGEb (cmov less) */
      case 0x4D: /* CMOVGEb/CMOVNLb (cmov greater or equal) */
      case 0x4E: /* CMOVLEb/CMOVNGb (cmov less or equal) */
      case 0x4F: /* CMOVGb/CMOVNLEb (cmov greater) */
         eip = dis_cmov_E_G(cb, sorb, sz, (Condcode)(opc - 0x40), eip);
         break;

      /* =-=-=-=-=-=-=-=-=- CMPXCHG -=-=-=-=-=-=-=-=-=-= */

      case 0xB0: /* CMPXCHG Gv,Ev */
         eip = dis_cmpxchg_G_E ( cb, sorb, 1, eip );
         break;
      case 0xB1: /* CMPXCHG Gv,Ev */
         eip = dis_cmpxchg_G_E ( cb, sorb, sz, eip );
         break;
      case 0xC7: /* CMPXCHG8B Gv */
         eip = dis_cmpxchg8b ( cb, sorb, eip );
         break;

      /* =-=-=-=-=-=-=-=-=- CPUID -=-=-=-=-=-=-=-=-=-=-= */

      case 0xA2: /* CPUID */
	 if (!VG_(cpu_has_feature)(VG_X86_FEAT_CPUID))
	    goto decode_failure;

         t1 = newTemp(cb);
         t2 = newTemp(cb);
         t3 = newTemp(cb);
         t4 = newTemp(cb);
         uInstr0(cb, CALLM_S, 0);

         uInstr2(cb, GET,   4, ArchReg, R_EAX, TempReg, t1);
         uInstr1(cb, PUSH,  4, TempReg, t1);

         uInstr2(cb, MOV,   4, Literal, 0, TempReg, t2);
         uLiteral(cb, 0);
         uInstr1(cb, PUSH,  4, TempReg, t2);

         uInstr2(cb, MOV,   4, Literal, 0, TempReg, t3);
         uLiteral(cb, 0);
         uInstr1(cb, PUSH,  4, TempReg, t3);

         uInstr2(cb, MOV,   4, Literal, 0, TempReg, t4);
         uLiteral(cb, 0);
         uInstr1(cb, PUSH,  4, TempReg, t4);

         uInstr1(cb, CALLM, 0, Lit16,   VGOFF_(helper_CPUID));
         uFlagsRWU(cb, FlagsEmpty, FlagsEmpty, FlagsEmpty);

         uInstr1(cb, POP,   4, TempReg, t4);
         uInstr2(cb, PUT,   4, TempReg, t4, ArchReg, R_EDX);

         uInstr1(cb, POP,   4, TempReg, t3);
         uInstr2(cb, PUT,   4, TempReg, t3, ArchReg, R_ECX);

         uInstr1(cb, POP,   4, TempReg, t2);
         uInstr2(cb, PUT,   4, TempReg, t2, ArchReg, R_EBX);

         uInstr1(cb, POP,   4, TempReg, t1);
         uInstr2(cb, PUT,   4, TempReg, t1, ArchReg, R_EAX);

         uInstr0(cb, CALLM_E, 0);
         DIP("cpuid\n");
         break;

      /* =-=-=-=-=-=-=-=-=- MOVZX, MOVSX =-=-=-=-=-=-=-= */

      case 0xB6: /* MOVZXb Eb,Gv */
         eip = dis_movx_E_G ( cb, sorb, eip, 1, 4, False );
         break;
      case 0xB7: /* MOVZXw Ew,Gv */
         eip = dis_movx_E_G ( cb, sorb, eip, 2, 4, False );
         break;

      case 0xBE: /* MOVSXb Eb,Gv */
         eip = dis_movx_E_G ( cb, sorb, eip, 1, 4, True );
         break;
      case 0xBF: /* MOVSXw Ew,Gv */
         eip = dis_movx_E_G ( cb, sorb, eip, 2, 4, True );
         break;

      /* =-=-=-=-=-=-=-=-=-=-= MOVNTI -=-=-=-=-=-=-=-=-= */

      case 0xC3: /* MOVNTI Gv,Ev */
         vg_assert(sz == 4);
         modrm = getUChar(eip);
         vg_assert(!epartIsReg(modrm));
         t1 = newTemp(cb);
         uInstr2(cb, GET, 4, ArchReg, gregOfRM(modrm), TempReg, t1);
         pair = disAMode ( cb, sorb, eip, dis_buf );
         t2 = LOW24(pair);
         eip += HI8(pair);
         uInstr2(cb, STORE, 4, TempReg, t1, TempReg, t2);
         DIP("movnti %s,%s\n", nameIReg(4,gregOfRM(modrm)), dis_buf);
         break;

      /* =-=-=-=-=-=-=-=-=- MUL/IMUL =-=-=-=-=-=-=-=-=-= */

      case 0xAF: /* IMUL Ev, Gv */
         eip = dis_mul_E_G ( cb, sorb, sz, eip, True );
         break;

      /* =-=-=-=-=-=-=-=-=- Jcond d32 -=-=-=-=-=-=-=-=-= */
      case 0x80:
      case 0x81:
      case 0x82: /* JBb/JNAEb (jump below) */
      case 0x83: /* JNBb/JAEb (jump not below) */
      case 0x84: /* JZb/JEb (jump zero) */
      case 0x85: /* JNZb/JNEb (jump not zero) */
      case 0x86: /* JBEb/JNAb (jump below or equal) */
      case 0x87: /* JNBEb/JAb (jump not below or equal) */
      case 0x88: /* JSb (jump negative) */
      case 0x89: /* JSb (jump not negative) */
      case 0x8A: /* JP (jump parity even) */
      case 0x8B: /* JNP/JPO (jump parity odd) */
      case 0x8C: /* JLb/JNGEb (jump less) */
      case 0x8D: /* JGEb/JNLb (jump greater or equal) */
      case 0x8E: /* JLEb/JNGb (jump less or equal) */
      case 0x8F: /* JGb/JNLEb (jump greater) */
         d32 = (eip+4) + getUDisp32(eip); eip += 4;
         jcc_lit(cb, d32, (Condcode)(opc - 0x80));
         jmp_lit(cb, eip);
         *isEnd = True;
         DIP("j%s-32 0x%x\n", VG_(name_UCondcode)(opc - 0x80), d32);
         break;

      /* =-=-=-=-=-=-=-=-=- RDTSC -=-=-=-=-=-=-=-=-=-=-= */

      case 0x31: /* RDTSC */
         t1 = newTemp(cb);
         t2 = newTemp(cb);
         t3 = newTemp(cb);
         uInstr0(cb, CALLM_S, 0);
         // Nb: even though these args aren't used by RDTSC_helper, need
         // them to be defined (for Memcheck).  The TempRegs pushed must
         // also be distinct.
         uInstr2(cb, MOV,   4, Literal, 0, TempReg, t1);
         uLiteral(cb, 0);
         uInstr1(cb, PUSH,  4, TempReg, t1);
         uInstr2(cb, MOV,   4, Literal, 0, TempReg, t2);
         uLiteral(cb, 0);
         uInstr1(cb, PUSH,  4, TempReg, t2);
         uInstr1(cb, CALLM, 0, Lit16,   VGOFF_(helper_RDTSC));
         uFlagsRWU(cb, FlagsEmpty, FlagsEmpty, FlagsEmpty);
         uInstr1(cb, POP,   4, TempReg, t3);
         uInstr2(cb, PUT,   4, TempReg, t3, ArchReg, R_EDX);
         uInstr1(cb, POP,   4, TempReg, t3);
         uInstr2(cb, PUT,   4, TempReg, t3, ArchReg, R_EAX);
         uInstr0(cb, CALLM_E, 0);
         DIP("rdtsc\n");
         break;

      /* =-=-=-=-=-=-=-=-=- SETcc Eb =-=-=-=-=-=-=-=-=-= */
      case 0x90:
      case 0x91:
      case 0x92: /* set-Bb/set-NAEb (jump below) */
      case 0x93: /* set-NBb/set-AEb (jump not below) */
      case 0x94: /* set-Zb/set-Eb (jump zero) */
      case 0x95: /* set-NZb/set-NEb (jump not zero) */
      case 0x96: /* set-BEb/set-NAb (jump below or equal) */
      case 0x97: /* set-NBEb/set-Ab (jump not below or equal) */
      case 0x98: /* set-Sb (jump negative) */
      case 0x99: /* set-Sb (jump not negative) */
      case 0x9A: /* set-P (jump parity even) */
      case 0x9B: /* set-NP (jump parity odd) */
      case 0x9C: /* set-Lb/set-NGEb (jump less) */
      case 0x9D: /* set-GEb/set-NLb (jump greater or equal) */
      case 0x9E: /* set-LEb/set-NGb (jump less or equal) */
      case 0x9F: /* set-Gb/set-NLEb (jump greater) */
         modrm = getUChar(eip);
         t1 = newTemp(cb);
         if (epartIsReg(modrm)) {
            eip++;
            uInstr1(cb, CC2VAL, 1, TempReg, t1);
            uCond(cb, (Condcode)(opc-0x90));
            uFlagsRWU(cb, FlagsOSZACP, FlagsEmpty, FlagsEmpty);
            uInstr2(cb, PUT, 1, TempReg, t1, ArchReg, eregOfRM(modrm));
            DIP("set%s %s\n", VG_(name_UCondcode)(opc-0x90), 
                              nameIReg(1,eregOfRM(modrm)));
         } else {
            pair = disAMode ( cb, sorb, eip, dis_buf );
            t2 = LOW24(pair);
            eip += HI8(pair);
            uInstr1(cb, CC2VAL, 1, TempReg, t1);
            uCond(cb, (Condcode)(opc-0x90));
            uFlagsRWU(cb, FlagsOSZACP, FlagsEmpty, FlagsEmpty);
            uInstr2(cb, STORE, 1, TempReg, t1, TempReg, t2);
            DIP("set%s %s\n", VG_(name_UCondcode)(opc-0x90), dis_buf);
         }
         break;

      /* =-=-=-=-=-=-=-=-=- SHLD/SHRD -=-=-=-=-=-=-=-=-= */

      case 0xA4: /* SHLDv imm8,Gv,Ev */
         modrm = getUChar(eip);
         eip = dis_SHLRD_Gv_Ev ( 
                  cb, sorb, eip, modrm, sz, 
                  Literal, getUChar(eip + lengthAMode(eip)),
                  True );
         break;
      case 0xA5: /* SHLDv %cl,Gv,Ev */
         modrm = getUChar(eip);
         eip = dis_SHLRD_Gv_Ev ( 
                  cb, sorb, eip, modrm, sz, ArchReg, R_CL, True );
         break;

      case 0xAC: /* SHRDv imm8,Gv,Ev */
         modrm = getUChar(eip);
         eip = dis_SHLRD_Gv_Ev ( 
                  cb, sorb, eip, modrm, sz, 
                  Literal, getUChar(eip + lengthAMode(eip)),
                  False );
         break;
      case 0xAD: /* SHRDv %cl,Gv,Ev */
         modrm = getUChar(eip);
         eip = dis_SHLRD_Gv_Ev ( 
                  cb, sorb, eip, modrm, sz, ArchReg, R_CL, False );
         break;

      /* =-=-=-=-=-=-=-=-=- CMPXCHG -=-=-=-=-=-=-=-=-=-= */

      case 0xC0: /* XADD Gb,Eb */
         eip = dis_xadd_G_E ( cb, sorb, 1, eip );
         break;
      case 0xC1: /* XADD Gv,Ev */
         eip = dis_xadd_G_E ( cb, sorb, sz, eip );
         break;

      /* =-=-=-=-=-=-=-=-=- MMXery =-=-=-=-=-=-=-=-=-=-= */

      case 0x0D: /* PREFETCH / PREFETCHW - 3Dnow!ery*/
      case 0x18: /* PREFETCHT0/PREFETCHT1/PREFETCHT2/PREFETCHNTA */
      
         vg_assert(sz == 4);
         modrm = getUChar(eip);
         if (epartIsReg(modrm)) {
            goto decode_failure;
         }
         if (gregOfRM(modrm) > 3) {
            goto decode_failure;
         }
         eip += lengthAMode(eip);
         if (VG_(print_codegen)) {
            UChar* hintstr;
            if (opc == 0x0D) {
               switch (gregOfRM(modrm)) {
                  case 0: hintstr = ""; break;
                  case 1: hintstr = "w"; break;
                  default: goto decode_failure;
               }
            }
            else {
               switch (gregOfRM(modrm)) {
                  case 0: hintstr = "nta"; break;
                  case 1: hintstr = "t0"; break;
                  case 2: hintstr = "t1"; break;
                  case 3: hintstr = "t2"; break;
                 default: goto decode_failure;
               }
            }
            VG_(printf)("prefetch%s ...\n", hintstr);
         }
         break;

      case 0xAE: /* SFENCE */
         vg_assert(sz == 4);
         modrm = getUChar(eip);
         if (!epartIsReg(modrm)) {
            goto decode_failure;
         }
         if (gregOfRM(modrm) != 7) {
            goto decode_failure;
         }
         eip += lengthAMode(eip);
         uInstr2(cb, SSE3, 0,  /* ignore sz for internal ops */
                     Lit16, (((UShort)0x0F) << 8) | (UShort)0xAE,
                     Lit16, (UShort)modrm );
         DIP("sfence\n");
         break;

      case 0x71: case 0x72: case 0x73: {
         /* (sz==4): PSLL/PSRA/PSRL mmxreg by imm8 */
         /* (sz==2): PSLL/PSRA/PSRL xmmreg by imm8 */
         UChar byte1, byte2, byte3, subopc, mmreg;
         vg_assert(sz == 4 || sz == 2);
         byte1 = opc;                   /* 0x71/72/73 */
         byte2 = getUChar(eip); eip++;  /* amode / sub-opcode */
         byte3 = getUChar(eip); eip++;  /* imm8 */
         mmreg = byte2 & 7;
         subopc = (byte2 >> 3) & 7;
         if (subopc == 2 || subopc == 6 || subopc == 4) {  
            /* 2 == 010 == SRL, 6 == 110 == SLL, 4 == 100 == SRA */
            /* ok */
         } else
         if (sz == 2 && opc == 0x73 && (subopc == 7 || subopc == 3)) {
            /* 3 == PSRLDQ, 7 == PSLLDQ */
            /* This is allowable in SSE.  Because sz==2 we fall thru to
               SSE5 below. */
         } else {
            eip -= (sz==2 ? 3 : 2);
            goto decode_failure;
         }
         if (sz == 4) {
            /* The leading 0x0F is implied for MMX*, so we don't
	       include it. */
            uInstr2(cb, MMX3, 0, 
                        Lit16, (((UShort)byte1) << 8) | ((UShort)byte2),
                        Lit16, ((UShort)byte3) );
            DIP("ps%s%s $%d, %s\n",
                ( subopc == 2 ? "rl" 
                : subopc == 6 ? "ll" 
                : subopc == 4 ? "ra"
                : "??"),
                nameMMXGran(opc & 3), (Int)byte3, nameMMXReg(mmreg) );
	 } else {
            /* Whereas we have to include it for SSE. */
            uInstr3(cb, SSE5, 0, 
                        Lit16, (((UShort)0x66) << 8) | ((UShort)0x0F),
                        Lit16, (((UShort)byte1) << 8) | ((UShort)byte2),
                        Lit16, ((UShort)byte3) );
            DIP("ps%s%s $%d, %s\n",
                ( subopc == 2 ? "rl" 
                : subopc == 6 ? "ll" 
                : subopc == 4 ? "ra"
                : subopc == 3 ? "(PSRLDQ)"
                : subopc == 7 ? "(PSLLDQ)"
                : "??"),
                nameMMXGran(opc & 3), (Int)byte3, nameXMMReg(mmreg) );
	 }
         break;
      }

      case 0x77: /* EMMS */
         vg_assert(sz == 4);
         uInstr1(cb, MMX1, 0, Lit16, ((UShort)(opc)) );
         DIP("emms\n");
         break;

      case 0x7E: /* MOVD (src)mmxreg, (dst)ireg-or-mem */
         vg_assert(sz == 4);
         modrm = getUChar(eip);
         if (epartIsReg(modrm)) {
            eip++;
            t1 = newTemp(cb);
            uInstr2(cb, MMX2_ERegWr, 4, 
                        Lit16, 
                        (((UShort)(opc)) << 8) | ((UShort)modrm),
                        TempReg, t1 );
            uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, eregOfRM(modrm));
            DIP("movd %s, %s\n", 
                nameMMXReg(gregOfRM(modrm)), nameIReg(4,eregOfRM(modrm)));
         } else {
            Int tmpa;
            pair = disAMode ( cb, sorb, eip, dis_buf );
            tmpa = LOW24(pair);
            eip += HI8(pair);
            uInstr2(cb, MMX2_MemWr, 4, 
                        Lit16, 
                        (((UShort)(opc)) << 8) | ((UShort)modrm),
                        TempReg, tmpa);
            DIP("movd %s, %s\n", nameMMXReg(gregOfRM(modrm)), dis_buf);
         }
         break;

      case 0x6E: /* MOVD (src)ireg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         modrm = getUChar(eip);
         if (epartIsReg(modrm)) {
            eip++;
            t1 = newTemp(cb);
            uInstr2(cb, GET, 4, ArchReg, eregOfRM(modrm), TempReg, t1);
            uInstr2(cb, MMX2_ERegRd, 4, 
                        Lit16, 
                        (((UShort)(opc)) << 8) | ((UShort)modrm),
                        TempReg, t1 );
            DIP("movd %s, %s\n", 
                nameIReg(4,eregOfRM(modrm)), nameMMXReg(gregOfRM(modrm)));
         } else {
            Int tmpa;
            pair = disAMode ( cb, sorb, eip, dis_buf );
            tmpa = LOW24(pair);
            eip += HI8(pair);
            uInstr2(cb, MMX2_MemRd, 4, 
                        Lit16, 
                        (((UShort)(opc)) << 8) | ((UShort)modrm),
                        TempReg, tmpa);
            DIP("movd %s, %s\n", dis_buf, nameMMXReg(gregOfRM(modrm)));
         }
         break;

      case 0x6F: /* MOVQ (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         modrm = getUChar(eip);
         if (epartIsReg(modrm)) {
            eip++;
            uInstr1(cb, MMX2, 0, 
                        Lit16, 
                        (((UShort)(opc)) << 8) | ((UShort)modrm) );
            DIP("movq %s, %s\n", 
                nameMMXReg(eregOfRM(modrm)), nameMMXReg(gregOfRM(modrm)));
         } else {
            Int tmpa;
            pair = disAMode ( cb, sorb, eip, dis_buf );
            tmpa = LOW24(pair);
            eip += HI8(pair);
            uInstr2(cb, MMX2_MemRd, 8, 
                        Lit16, 
                        (((UShort)(opc)) << 8) | ((UShort)modrm),
                        TempReg, tmpa);
            DIP("movq %s, %s\n", 
                dis_buf, nameMMXReg(gregOfRM(modrm)));
         }
         break;

      case 0x7F: /* MOVQ (src)mmxreg, (dst)mmxreg-or-mem */
      case 0xE7: /* MOVNTQ (src)mmxreg, (dst)mmxreg-or-mem */
         vg_assert(sz == 4);
         modrm = getUChar(eip);
         if (epartIsReg(modrm)) {
            eip++;
            uInstr1(cb, MMX2, 0, 
                        Lit16, 
                        (((UShort)(opc)) << 8) | ((UShort)modrm) );
            DIP("movq %s, %s\n", 
                nameMMXReg(gregOfRM(modrm)), nameMMXReg(eregOfRM(modrm)));
         } else {
            Int tmpa;
            pair = disAMode ( cb, sorb, eip, dis_buf );
            tmpa = LOW24(pair);
            eip += HI8(pair);
            uInstr2(cb, MMX2_MemWr, 8, 
                        Lit16, 
                        (((UShort)(opc)) << 8) | ((UShort)modrm),
                        TempReg, tmpa);
            DIP("mov(nt)q %s, %s\n", 
                nameMMXReg(gregOfRM(modrm)), dis_buf);
         }
         break;

      case 0xFC: case 0xFD: case 0xFE: 
         /* PADDgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "padd", True );
         break;

      case 0xD4: 
         /* PADDQ (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "paddq", False );
         break;

      case 0xEC: case 0xED:
         /* PADDSgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "padds", True );
         break;

      case 0xDC: case 0xDD:
         /* PADDUSgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "paddus", True );
         break;

      case 0xF8: case 0xF9: case 0xFA: case 0xFB:
         /* PSUBgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "psub", True );
         break;

      case 0xE8: case 0xE9:
         /* PSUBSgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "psubs", True );
         break;

      case 0xD8: case 0xD9:
         /* PSUBUSgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "psubus", True );
         break;

      case 0xE4: /* PMULHUW (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pmulhuw", False );
         break;

      case 0xE5: /* PMULHW (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pmulhw", False );
         break;

      case 0xD5: /* PMULLW (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pmullw", False );
         break;

      case 0xF4: /* PMULUDQ (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pmuludq", False );
         break;

      case 0xF5: /* PMADDWD (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pmaddwd", False );
         break;

      case 0x74: case 0x75: case 0x76: 
         /* PCMPEQgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pcmpeq", True );
         break;

      case 0x64: case 0x65: case 0x66: 
         /* PCMPGTgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pcmpgt", True );
         break;

      case 0x6B: /* PACKSSDW (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "packssdw", False );
         break;

      case 0x63: /* PACKSSWB (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "packsswb", False );
         break;

      case 0x67: /* PACKUSWB (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "packuswb", False );
         break;

      case 0x68: case 0x69: case 0x6A: 
         /* PUNPCKHgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "punpckh", True );
         break;

      case 0x60: case 0x61: case 0x62:
         /* PUNPCKLgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "punpckl", True );
         break;

      case 0xDB: /* PAND (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pand", False );
         break;

      case 0xDF: /* PANDN (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pandn", False );
         break;

      case 0xEB: /* POR (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "por", False );
         break;

      case 0xEF: /* PXOR (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pxor", False );
         break;

      case 0xF1: case 0xF2: case 0xF3:
         /* PSLLgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "psll", True );
         break;

      case 0xD1: case 0xD2: case 0xD3:
         /* PSRLgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "psrl", True );
         break;

      case 0xE1: case 0xE2:
         /* PSRAgg (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "psra", True );
         break;

      case 0xDA:
         /* PMINUB (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pminub", False );
         break;

      case 0xDE:
         /* PMAXUB (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pmaxub", False );
         break;

      case 0xEA:
         /* PMINSW (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pminsw", False );
         break;

      case 0xEE:
         /* PMAXSW (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pmaxsw", False );
         break;

      case 0xE0:
         /* PAVGB (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pavgb", False );
         break;

      case 0xE3:
         /* PAVGW (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "pavgw", False );
         break;

      case 0xF6:
         /* PSADBW (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg ( cb, sorb, eip, opc, "psadbw", False );
         break;

      case 0x70:
         /* PSHUFW imm8, (src)mmxreg-or-mem, (dst)mmxreg */
         vg_assert(sz == 4);
         eip = dis_MMXop_regmem_to_reg_Imm8 ( cb, sorb, eip, opc, "pshufw", False );
         break;

      case 0xD7:
         /* PMOVMSKB (src)mmxreg, (dst)ireg */
         vg_assert(sz == 4);
         modrm = getUChar(eip);
         vg_assert(epartIsReg(modrm));
         t1 = newTemp(cb);
         uInstr3(cb, SSE2g_RegWr, 4,
                     Lit16, (((UShort)(0x0F)) << 8) | (UShort)(opc),
                     Lit16, (UShort)modrm,
                     TempReg, t1 );
         uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, gregOfRM(modrm));
         DIP("pmovmskb %s, %s\n", 
             nameMMXReg(eregOfRM(modrm)), nameIReg(4,gregOfRM(modrm)));
         eip++;         
         break;

      case 0xC5:
         /* PEXTRW (src)mmxreg, (dst)ireg */
         vg_assert(sz == 4);
         t1 = newTemp(cb);
         modrm = getUChar(eip); eip++;
         abyte = getUChar(eip); eip++;
         vg_assert(epartIsReg(modrm));
         uInstr3(cb, SSE2g1_RegWr, 4,
                     Lit16, (((UShort)(0x0F)) << 8) | (UShort)(opc),
                     Lit16, (UShort)modrm,
                     TempReg, t1 );
         uLiteral(cb, abyte);
         uInstr2(cb, PUT, 4, TempReg, t1, ArchReg, gregOfRM(modrm));
         DIP("pextrw %s, %d, %s\n",
             nameMMXReg(eregOfRM(modrm)), (Int)abyte, 
             nameIReg(4, gregOfRM(modrm)));
         break;

      case 0xC4:
         /* PINSRW (src)ireg, (dst)mmxreg */
         vg_assert(sz == 4);
         t1 = newTemp(cb);
         modrm = getUChar(eip); eip++;
         abyte = getUChar(eip); eip++;
         vg_assert(epartIsReg(modrm));
         uInstr2(cb, GET, 2, ArchReg, eregOfRM(modrm), TempReg, t1);
         uInstr3(cb, SSE2e1_RegRd, 2,
                     Lit16, (((UShort)(0x0F)) << 8) | (UShort)(opc),
                     Lit16, (UShort)modrm,
                     TempReg, t1 );
         uLiteral(cb, abyte);
         DIP("pinsrw %s, %d, %s\n", nameIReg(2, eregOfRM(modrm)),
                        (Int)abyte, nameMMXReg(gregOfRM(modrm)));
         break;

      case 0xA1: /* POP %FS */
         dis_pop_segreg( cb, R_FS, sz ); break;
      case 0xA9: /* POP %GS */
         dis_pop_segreg( cb, R_GS, sz ); break;

      case 0xA0: /* PUSH %FS */
         dis_push_segreg( cb, R_FS, sz ); break;
      case 0xA8: /* PUSH %GS */
         dis_push_segreg( cb, R_GS, sz ); break;

      /* =-=-=-=-=-=-=-=-=- unimp2 =-=-=-=-=-=-=-=-=-=-= */

      default:
         goto decode_failure;
   } /* switch (opc) for the 2-byte opcodes */
   goto decode_success;
   } /* case 0x0F: of primary opcode */

   /* ------------------------ ??? ------------------------ */
  
  default:
  decode_failure:
   /* All decode failures end up here. */
   VG_(printf)("disInstr: unhandled instruction bytes: "
               "0x%x 0x%x 0x%x 0x%x\n",
               (Int)eip_start[0],
               (Int)eip_start[1],
               (Int)eip_start[2],
               (Int)eip_start[3] );

   /* Print address of failing instruction. */
   VG_(describe_eip)((Addr)eip_start, loc_buf, M_VG_ERRTXT);
   VG_(printf)("          at %s\n", loc_buf);

   uInstr0(cb, CALLM_S, 0);
   uInstr1(cb, CALLM,   0, Lit16, 
               VGOFF_(helper_undefined_instruction));
   uInstr0(cb, CALLM_E, 0);

   /* just because everything else insists the last instruction of
      a BB is a jmp */
   jmp_lit(cb, eip);
   *isEnd = True;
   break;
   return eip;

   } /* switch (opc) for the main (primary) opcode switch. */

  decode_success:
   /* All decode successes end up here. */
   DIP("\n");
   for (; first_uinstr < cb->used; first_uinstr++) {
      VG_(sanity_check_UInstr)( first_uinstr, &cb->instrs[first_uinstr] );
      if (VG_(print_codegen)) 
         VG_(pp_UInstr)(first_uinstr, &cb->instrs[first_uinstr]);
   }
   return eip;
}


/* Disassemble a complete basic block, starting at eip, and dumping
   the ucode into cb.  Returns the size, in bytes, of the basic
   block. */

Int VG_(disBB) ( UCodeBlock* cb, Addr eip0 )
{
   Addr eip   = eip0;
   Bool isEnd = False;
   Int delta = 0;

   DIP("Original x86 code to UCode:\n\n");

   /* After every x86 instruction do an INCEIP, except for the final one
    * in the basic block.  For them we patch in the x86 instruction size 
    * into the `extra4b' field of the basic-block-ending JMP. 
    *
    * The INCEIPs and JMP.extra4b fields allows a tool to track x86
    * instruction sizes, important for some tools (eg. Cachegrind).
    */
   if (VG_(clo_single_step)) {
      eip = disInstr ( cb, eip, &isEnd );

      /* Add a JMP to the next (single x86 instruction) BB if it doesn't
       * already end with a JMP instr. We also need to check for no UCode,
       * which occurs if the x86 instr was a nop */
      if (cb->used == 0 || LAST_UINSTR(cb).opcode != JMP) {
         jmp_lit(cb, eip);
         /* Print added JMP */
         if (VG_(print_codegen)) 
            VG_(pp_UInstr)(cb->used-1, &cb->instrs[cb->used-1]);
      }
      DIP("\n");
      delta = eip - eip0;

   } else {
      Addr eip2;
      while (!isEnd) {
         eip2 = disInstr ( cb, eip, &isEnd );
         delta = (eip2 - eip);
         eip = eip2;
         /* Split up giant basic blocks into pieces, so the
            translations fall within 64k. */
         if (eip - eip0 > 2000 && !isEnd) {
            if (VG_(clo_verbosity) > 2)
               VG_(message)(Vg_DebugMsg,
			    "Warning: splitting giant basic block into pieces at %p %(y",
			    eip, eip);
            jmp_lit(cb, eip);
            /* Print added JMP */
            if (VG_(print_codegen))
               VG_(pp_UInstr)(cb->used-1, &cb->instrs[cb->used-1]);
            isEnd = True;

         } else if (!isEnd) {
            uInstr1(cb, INCEIP, 0, Lit16, delta);
            /* Print added INCEIP */
            if (VG_(print_codegen)) 
               VG_(pp_UInstr)(cb->used-1, &cb->instrs[cb->used-1]);
         }
         DIP("\n");
      }
   }

   /* Patch instruction size into final JMP. */
   LAST_UINSTR(cb).extra4b = delta;

   return eip - eip0;
}

#undef DIP
#undef DIS

/*--------------------------------------------------------------------*/
/*--- end                                            vg_to_ucode.c ---*/
/*--------------------------------------------------------------------*/