Changeset 101516 in vbox

Timestamp:

Oct 20, 2023 1:07:03 PM (19 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

159593

Message:

VMM/IEM: Deal with unconditional relative jumps (sans flag checking). bugref:10371

Location:

trunk

Files:

• include/iprt/armv8.h (modified) (13 diffs)
• include/iprt/x86.h (modified) (1 diff)
• src/VBox/VMM/VMMAll/IEMAllInstOneByte.cpp.h (modified) (1 diff)
• src/VBox/VMM/VMMAll/IEMAllN8vePython.py (modified) (1 diff)
• src/VBox/VMM/VMMAll/IEMAllN8veRecompiler.cpp (modified) (19 diffs)
• src/VBox/VMM/include/IEMN8veRecompiler.h (modified) (11 diffs)

trunk/include/iprt/armv8.h

@@ -2232 +2232 @@
     /** Add @a iImm7*sizeof(reg) to @a iBaseReg after the store/load,
      * and update the register. */
-    kArm64InstrStLdPairType_kPostIndex = 1,
+    kArm64InstrStLdPairType_PostIndex = 1,
     /** Add @a iImm7*sizeof(reg) to @a iBaseReg before the store/load,
      * but don't update the register. */
-    kArm64InstrStLdPairType_kSigned    = 2,
+    kArm64InstrStLdPairType_Signed    = 2,
     /** Add @a iImm7*sizeof(reg) to @a iBaseReg before the store/load,
      * and update the register. */
-    kArm64InstrStLdPairType_kPreIndex  = 3
+    kArm64InstrStLdPairType_PreIndex  = 3
 } ARM64INSTRSTLDPAIRTYPE;
 
@@ -2533 +2533 @@
 typedef enum
 {
-    kArmv8A64InstrShift_kLsl = 0,
-    kArmv8A64InstrShift_kLsr,
-    kArmv8A64InstrShift_kAsr,
-    kArmv8A64InstrShift_kRor
+    kArmv8A64InstrShift_Lsl = 0,
+    kArmv8A64InstrShift_Lsr,
+    kArmv8A64InstrShift_Asr,
+    kArmv8A64InstrShift_Ror
 } ARMV8A64INSTRSHIFT;
 
@@ -2576 +2576 @@
  * @see Armv8A64MkInstrLogicalShiftedReg for parameter details.  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrAnd(uint32_t iRegResult, uint32_t iReg1, uint32_t iReg2Shifted, bool f64Bit = true,
-                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     return Armv8A64MkInstrLogicalShiftedReg(0, false /*fNot*/, iRegResult, iReg1, iReg2Shifted, f64Bit, offShift6, enmShift);
@@ -2585 +2585 @@
  * @see Armv8A64MkInstrLogicalShiftedReg for parameter details.  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrBic(uint32_t iRegResult, uint32_t iReg1, uint32_t iReg2Shifted, bool f64Bit = true,
-                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     return Armv8A64MkInstrLogicalShiftedReg(0, true /*fNot*/, iRegResult, iReg1, iReg2Shifted, f64Bit, offShift6, enmShift);
@@ -2594 +2594 @@
  * @see Armv8A64MkInstrLogicalShiftedReg for parameter details.  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrOrr(uint32_t iRegResult, uint32_t iReg1, uint32_t iReg2Shifted, bool f64Bit = true,
-                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     return Armv8A64MkInstrLogicalShiftedReg(1, false /*fNot*/, iRegResult, iReg1, iReg2Shifted, f64Bit, offShift6, enmShift);
@@ -2603 +2603 @@
  * @see Armv8A64MkInstrLogicalShiftedReg for parameter details.  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrOrn(uint32_t iRegResult, uint32_t iReg1, uint32_t iReg2Shifted, bool f64Bit = true,
-                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     return Armv8A64MkInstrLogicalShiftedReg(1, true /*fNot*/, iRegResult, iReg1, iReg2Shifted, f64Bit, offShift6, enmShift);
@@ -2612 +2612 @@
  * @see Armv8A64MkInstrLogicalShiftedReg for parameter details.  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrEor(uint32_t iRegResult, uint32_t iReg1, uint32_t iReg2Shifted, bool f64Bit = true,
-                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     return Armv8A64MkInstrLogicalShiftedReg(2, false /*fNot*/, iRegResult, iReg1, iReg2Shifted, f64Bit, offShift6, enmShift);
@@ -2621 +2621 @@
  * @see Armv8A64MkInstrLogicalShiftedReg for parameter details.  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrEon(uint32_t iRegResult, uint32_t iReg1, uint32_t iReg2Shifted, bool f64Bit = true,
-                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                               uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     return Armv8A64MkInstrLogicalShiftedReg(2, true /*fNot*/, iRegResult, iReg1, iReg2Shifted, f64Bit, offShift6, enmShift);
@@ -2630 +2630 @@
  * @see Armv8A64MkInstrLogicalShiftedReg for parameter details.  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrAnds(uint32_t iRegResult, uint32_t iReg1, uint32_t iReg2Shifted, bool f64Bit = true,
-                                                uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                                uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     return Armv8A64MkInstrLogicalShiftedReg(3, false /*fNot*/, iRegResult, iReg1, iReg2Shifted, f64Bit, offShift6, enmShift);
@@ -2639 +2639 @@
  * @see Armv8A64MkInstrLogicalShiftedReg for parameter details.  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrBics(uint32_t iRegResult, uint32_t iReg1, uint32_t iReg2Shifted, bool f64Bit = true,
-                                                uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                                uint32_t offShift6 = 0, ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     return Armv8A64MkInstrLogicalShiftedReg(3, true /*fNot*/, iRegResult, iReg1, iReg2Shifted, f64Bit, offShift6, enmShift);
@@ -2708 +2708 @@
 {
     return Armv8A64MkInstrLogicalImm(3, iRegResult, iRegSrc, uImm7SizeLen, uImm6Rotations, f64Bit);
+}
+
+
+/**
+ * A64: Encodes a bitfield instruction.
+ *
+ * @returns The encoded instruction.
+ * @param   u2Opc           The bitfield operation to perform.
+ * @param   iRegResult      The output register.
+ * @param   iRegSrc         The 1st register operand.
+ * @param   cImm6Ror        The right rotation count.
+ * @param   uImm6S          The leftmost bit to be moved.
+ * @param   f64Bit          true for 64-bit GPRs, @c false for 32-bit GPRs.
+ * @param   uN1             This must match @a f64Bit for all instructions
+ *                          currently specified.
+ * @see https://dinfuehr.github.io/blog/encoding-of-immediate-values-on-aarch64/
+ *      https://gist.githubusercontent.com/dinfuehr/51a01ac58c0b23e4de9aac313ed6a06a/raw/1892a274aa3238d55f83eec5b3828da2aec5f229/aarch64-logical-immediates.txt
+ */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrBitfieldImm(uint32_t u2Opc, uint32_t iRegResult, uint32_t iRegSrc,
+                                                       uint32_t cImm6Ror, uint32_t uImm6S, bool f64Bit, uint32_t uN1)
+{
+    Assert(cImm6Ror < (f64Bit ? UINT32_C(0x3f) : UINT32_C(0x1f))); Assert(iRegResult < 32); Assert(u2Opc < 4);
+    Assert(uImm6S < (f64Bit ? UINT32_C(0x3f) : UINT32_C(0x1f))); Assert(iRegSrc    < 32); Assert(uN1 <= (unsigned)f64Bit);
+    return ((uint32_t)f64Bit   << 31)
+         | (u2Opc              << 29)
+         | UINT32_C(0x13000000)
+         | (uN1                << 22)
+         | (cImm6Ror           << 16)
+         | (uImm6S             << 10)
+         | (iRegSrc            <<  5)
+         | iRegResult;
+}
+
+
+/** A64: Encodes a SBFM instruction immediates.
+ * @see Armv8A64MkInstrBitfieldImm for parameter details.  */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrSbfmImm(uint32_t iRegResult, uint32_t iRegSrc, uint32_t cImm6Ror, uint32_t uImm6S,
+                                                   bool f64Bit = true, uint32_t uN1 = UINT32_MAX)
+{
+    return Armv8A64MkInstrBitfieldImm(0, iRegResult, iRegSrc, cImm6Ror, uImm6S, f64Bit, uN1 == UINT32_MAX ? f64Bit : uN1);
+}
+
+
+/** A64: Encodes a BFM instruction immediates.
+ * @see Armv8A64MkInstrBitfieldImm for parameter details.  */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrBfmImm(uint32_t iRegResult, uint32_t iRegSrc, uint32_t cImm6Ror, uint32_t uImm6S,
+                                                  bool f64Bit = true, uint32_t uN1 = UINT32_MAX)
+{
+    return Armv8A64MkInstrBitfieldImm(1, iRegResult, iRegSrc, cImm6Ror, uImm6S, f64Bit, uN1 == UINT32_MAX ? f64Bit : uN1);
+}
+
+
+/** A64: Encodes an UBFM instruction immediates.
+ * @see Armv8A64MkInstrBitfieldImm for parameter details.  */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrUbfmImm(uint32_t iRegResult, uint32_t iRegSrc, uint32_t cImm6Ror, uint32_t uImm6S,
+                                                   bool f64Bit = true, uint32_t uN1 = UINT32_MAX)
+{
+    return Armv8A64MkInstrBitfieldImm(2, iRegResult, iRegSrc, cImm6Ror, uImm6S, f64Bit, uN1 == UINT32_MAX ? f64Bit : uN1);
+}
+
+
+/** A64: Encodes an LSL instruction w/ immediate shift value.
+ * @see Armv8A64MkInstrBitfieldImm for parameter details.  */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrLslImm(uint32_t iRegResult, uint32_t iRegSrc, uint32_t cShift, bool f64Bit = true)
+{
+    uint32_t const cWidth = f64Bit ? 63 : 31;
+    Assert(cShift > 0); Assert(cShift <= cWidth);
+    return Armv8A64MkInstrBitfieldImm(2, iRegResult, iRegSrc, (uint32_t)-cShift & cWidth, cWidth - cShift /*uImm6S*/, false, 0);
+}
+
+
+/** A64: Encodes an LSR instruction w/ immediate shift value.
+ * @see Armv8A64MkInstrBitfieldImm for parameter details.  */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrLsrImm(uint32_t iRegResult, uint32_t iRegSrc, uint32_t cShift, bool f64Bit = true)
+{
+    uint32_t const cWidth = f64Bit ? 63 : 31;
+    Assert(cShift > 0); Assert(cShift <= cWidth);
+    return Armv8A64MkInstrBitfieldImm(2, iRegResult, iRegSrc, cShift, cWidth /*uImm6S*/, f64Bit, f64Bit);
+}
+
+
+/** A64: Encodes an UXTB instruction - zero extend byte (8-bit).
+ * @see Armv8A64MkInstrBitfieldImm for parameter details.  */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrUxtb(uint32_t iRegResult, uint32_t iRegSrc, bool f64Bit = false)
+{
+    return Armv8A64MkInstrBitfieldImm(2, iRegResult, iRegSrc, 0, 7, f64Bit, f64Bit);
+}
+
+
+/** A64: Encodes an UXTH instruction - zero extend half word (16-bit).
+ * @see Armv8A64MkInstrBitfieldImm for parameter details.  */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrUxth(uint32_t iRegResult, uint32_t iRegSrc, bool f64Bit = false)
+{
+    return Armv8A64MkInstrBitfieldImm(2, iRegResult, iRegSrc, 0, 15, f64Bit, f64Bit);
 }
 
@@ -2767 +2861 @@
  * @param   cShift                  The shift count to apply to @a iRegSrc2.
  * @param   enmShift                The shift type to apply to the @a iRegSrc2
- *                                  register. kArmv8A64InstrShift_kRor is
+ *                                  register. kArmv8A64InstrShift_Ror is
  *                                  reserved.
  */
 DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrAddSubReg(bool fSub, uint32_t iRegResult, uint32_t iRegSrc1, uint32_t iRegSrc2,
                                                      bool f64Bit = true, bool fSetFlags = false, uint32_t cShift = 0,
-                                                     ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_kLsl)
+                                                     ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsl)
 {
     Assert(iRegResult < 32); Assert(iRegSrc1 < 32); Assert(iRegSrc2 < 32);
-    Assert(cShift < (f64Bit ? 64U : 32U)); Assert(enmShift != kArmv8A64InstrShift_kRor);
+    Assert(cShift < (f64Bit ? 64U : 32U)); Assert(enmShift != kArmv8A64InstrShift_Ror);
 
     return ((uint32_t)f64Bit       << 31)
@@ -2859 +2953 @@
 }
 
+/** Armv8 Condition codes.    */
+typedef enum ARMV8INSTRCOND
+{
+    kArmv8InstrCond_Eq = 0,                     /**< Equal - Zero set. */
+    kArmv8InstrCond_Cs,                         /**< Carry set (also known as 'HS'). */
+    kArmv8InstrCond_Hs = kArmv8InstrCond_Cs,    /**< Unsigned higher or same. */
+    kArmv8InstrCond_Mi,                         /**< Negative result (minus). */
+    kArmv8InstrCond_Vs,                         /**< Overflow set. */
+    kArmv8InstrCond_Hi,                         /**< Unsigned higher. */
+    kArmv8InstrCond_Ge,                         /**< Signed greater or equal. */
+    kArmv8InstrCond_Le,                         /**< Signed less or equal. */
+
+    kArmv8InstrCond_Ne,                         /**< Not equal - Zero clear. */
+    kArmv8InstrCond_Cc,                         /**< Carry clear (also known as 'LO'). */
+    kArmv8InstrCond_Lo = kArmv8InstrCond_Cc,    /**< Unsigned lower. */
+    kArmv8InstrCond_Pl,                         /**< Positive or zero result (plus). */
+    kArmv8InstrCond_Vc,                         /**< Overflow clear. */
+    kArmv8InstrCond_Ls,                         /**< Unsigned lower or same. */
+    kArmv8InstrCond_Lt,                         /**< Signed less than. */
+    kArmv8InstrCond_Al                          /**< Condition is always true. */
+} ARMV8INSTRCOND;
+
+/**
+ * A64: Encodes conditional branch instruction w/ immediate target.
+ *
+ * @returns The encoded instruction.
+ * @param   enmCond         The branch condition.
+ * @param   iImm19          Signed number of instruction to jump (i.e. *4).
+ */
+DECL_FORCE_INLINE(uint32_t) Armv8A64MkInstrBCond(ARMV8INSTRCOND enmCond, int32_t iImm19)
+{
+    Assert(enmCond >= 0 && enmCond < 16);
+    return UINT32_C(0x54000000)
+         | (((uint32_t)iImm19 & 0x7ffff) <<  5)
+         | (uint32_t)enmCond;
+}
+
+
 /**
  * A64: Encodes the BRK instruction.

trunk/include/iprt/x86.h

@@ -4975 +4975 @@
 #define X86_OP_PRF_REPZ         UINT8_C(0xf3)
 #define X86_OP_PRF_REPNZ        UINT8_C(0xf2)
+#define X86_OP_REX              UINT8_C(0x40)
 #define X86_OP_REX_B            UINT8_C(0x41)
 #define X86_OP_REX_X            UINT8_C(0x42)

trunk/src/VBox/VMM/VMMAll/IEMAllInstOneByte.cpp.h

@@ -8035 +8035 @@
 {
     uint8_t bRm; IEM_OPCODE_GET_NEXT_U8(&bRm);
-    if ((bRm & X86_MODRM_REG_MASK) != (0 << X86_MODRM_REG_SHIFT)) /* only mov Eb,Ib in this group. */
+    if ((bRm & X86_MODRM_REG_MASK) != (0 << X86_MODRM_REG_SHIFT)) /* only mov Eb,Iz in this group. */
         IEMOP_RAISE_INVALID_OPCODE_RET();
     IEMOP_MNEMONIC(mov_Ev_Iz, "mov Ev,Iz");

trunk/src/VBox/VMM/VMMAll/IEMAllN8vePython.py

@@ -75 +75 @@
     'IEM_MC_CALL_CIMPL_5_THREADED':                              (None, True,  False, ),
 
-    'IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC16':                (None, True,  False, ),
-    'IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC32':                (None, True,  False,  ),
-    'IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC64':                (None, True,  False, ),
-    'IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC16':               (None, True,  False, ),
-    'IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC32':               (None, True,  False, ),
-    'IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC64':               (None, True,  False, ),
-    'IEM_MC_REL_JMP_S32_AND_FINISH_THREADED_PC32':               (None, True,  False, ),
-    'IEM_MC_REL_JMP_S32_AND_FINISH_THREADED_PC64':               (None, True,  False, ),
+    'IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC16':                (None, True,  True,  ),
+    'IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC32':                (None, True,  True,  ),
+    'IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC64':                (None, True,  True,  ),
+    'IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC16':               (None, True,  True,  ),
+    'IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC32':               (None, True,  True,  ),
+    'IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC64':               (None, True,  True,  ),
+    'IEM_MC_REL_JMP_S32_AND_FINISH_THREADED_PC32':               (None, True,  True,  ),
+    'IEM_MC_REL_JMP_S32_AND_FINISH_THREADED_PC64':               (None, True,  True,  ),
 
     'IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC16_WITH_FLAGS':     (None, True,  False, ),

trunk/src/VBox/VMM/VMMAll/IEMAllN8veRecompiler.cpp

@@ -1544 +1544 @@
 
 /**
+ * Used by TB code when it wants to raise a \#GP(0).
+ */
+IEM_DECL_IMPL_DEF(int, iemNativeHlpExecRaiseGp0,(PVMCPUCC pVCpu, uint8_t idxInstr))
+{
+    pVCpu->iem.s.cInstructions += idxInstr;
+    iemRaiseGeneralProtectionFault0Jmp(pVCpu);
+    return VINF_IEM_RAISED_XCPT; /* not reached */
+}
+
+
+/**
  * Reinitializes the native recompiler state.
  *
@@ -1550 +1561 @@
 static PIEMRECOMPILERSTATE iemNativeReInit(PIEMRECOMPILERSTATE pReNative, PCIEMTB pTb)
 {
-    pReNative->cLabels   = 0;
-    pReNative->cFixups   = 0;
-    pReNative->pTbOrg    = pTb;
+    pReNative->cLabels                = 0;
+    pReNative->bmLabelTypes           = 0;
+    pReNative->cFixups                = 0;
+    pReNative->pTbOrg                 = pTb;
 
     pReNative->bmHstRegs              = IEMNATIVE_REG_FIXED_MASK
@@ -1709 +1721 @@
     paLabels[cLabels].uData   = uData;
     pReNative->cLabels = cLabels + 1;
+
+    Assert(enmType >= 0 && enmType < 64);
+    pReNative->bmLabelTypes |= RT_BIT_64(enmType);
     return cLabels;
 }
@@ -1721 +1736 @@
                                    uint32_t offWhere = UINT32_MAX, uint16_t uData = 0) RT_NOEXCEPT
 {
-    PIEMNATIVELABEL paLabels = pReNative->paLabels;
-    uint32_t const  cLabels  = pReNative->cLabels;
-    for (uint32_t i = 0; i < cLabels; i++)
-        if (   paLabels[i].enmType == enmType
-            && paLabels[i].uData   == uData
-            && (   paLabels[i].off == offWhere
-                || offWhere        == UINT32_MAX
-                || paLabels[i].off == UINT32_MAX))
-            return i;
+    Assert(enmType >= 0 && enmType < 64);
+    if (RT_BIT_64(enmType) & pReNative->bmLabelTypes)
+    {
+        PIEMNATIVELABEL paLabels = pReNative->paLabels;
+        uint32_t const  cLabels  = pReNative->cLabels;
+        for (uint32_t i = 0; i < cLabels; i++)
+            if (   paLabels[i].enmType == enmType
+                && paLabels[i].uData   == uData
+                && (   paLabels[i].off == offWhere
+                    || offWhere        == UINT32_MAX
+                    || paLabels[i].off == UINT32_MAX))
+                return i;
+    }
     return UINT32_MAX;
 }
@@ -1796 +1815 @@
 
     uint32_t const cbNew = cNew * sizeof(IEMNATIVEINSTR);
+#if RT_ARCH_ARM64
+    AssertReturn(cbNew <= _1M, NULL); /* Limited by the branch instruction range (18+2 bits). */
+#else
     AssertReturn(cbNew <= _2M, NULL);
+#endif
 
     void *pvNew = RTMemRealloc(pReNative->pInstrBuf, cbNew);
@@ -2085 +2108 @@
     }
     return iemNativeRegMarkAllocated(pReNative, idxReg, kIemNativeWhat_Tmp);
+}
+
+
+/**
+ * Allocates a temporary register for loading an immediate value into.
+ *
+ * This will emit code to load the immediate, unless there happens to be an
+ * unused register with the value already loaded.
+ *
+ * The caller will not modify the returned register, it must be considered
+ * read-only.  Free using iemNativeRegFreeTmpImm.
+ *
+ * @returns The host register number, UINT8_MAX on failure.
+ * @param   pReNative       The native recompile state.
+ * @param   poff            Pointer to the variable with the code buffer position.
+ * @param   uImm            The immediate value that the register must hold upon
+ *                          return.
+ * @param   fPreferVolatile Wheter to prefer volatile over non-volatile
+ *                          registers (@c true, default) or the other way around
+ *                          (@c false).
+ *
+ * @note    Reusing immediate values has not been implemented yet.
+ */
+DECLHIDDEN(uint8_t) iemNativeRegAllocTmpImm(PIEMRECOMPILERSTATE pReNative, uint32_t *poff, uint64_t uImm,
+                                            bool fPreferVolatile /*= true*/) RT_NOEXCEPT
+{
+    uint8_t idxReg = iemNativeRegAllocTmp(pReNative, poff, fPreferVolatile);
+    if (idxReg < RT_ELEMENTS(pReNative->aHstRegs))
+    {
+        uint32_t off = *poff;
+        *poff = off = iemNativeEmitLoadGprImm64(pReNative, off, idxReg, uImm);
+        AssertReturnStmt(off != UINT32_MAX, iemNativeRegFreeTmp(pReNative, idxReg), UINT8_MAX);
+    }
+    return idxReg;
 }
 
@@ -2677 +2734 @@
 
 /**
+ * Frees a temporary immediate register.
+ *
+ * It is assumed that the call has not modified the register, so it still hold
+ * the same value as when it was allocated via iemNativeRegAllocTmpImm().
+ */
+DECLHIDDEN(void) iemNativeRegFreeTmpImm(PIEMRECOMPILERSTATE pReNative, uint8_t idxHstReg) RT_NOEXCEPT
+{
+    iemNativeRegFreeTmp(pReNative, idxHstReg);
+}
+
+
+/**
  * Called right before emitting a call instruction to move anything important
  * out of call-volatile registers, free and flush the call-volatile registers,
@@ -2858 +2927 @@
 
 /**
+ * Flushes any delayed guest register writes.
+ *
+ * This must be called prior to calling CImpl functions and any helpers that use
+ * the guest state (like raising exceptions) and such.
+ *
+ * This optimization has not yet been implemented.  The first target would be
+ * RIP updates, since these are the most common ones.
+ */
+DECLHIDDEN(uint32_t) iemNativeRegFlushPendingWrites(PIEMRECOMPILERSTATE pReNative, uint32_t off) RT_NOEXCEPT
+{
+    RT_NOREF(pReNative, off);
+    return off;
+}
+
+
+/**
  * Emits a code for checking the return code of a call and rcPassUp, returning
  * from the code if either are non-zero.
@@ -2916 +3001 @@
 # error "port me"
 #endif
+    return off;
+}
+
+
+/**
+ * Emits code to check if the content of @a idxAddrReg is a canonical address,
+ * raising a \#GP(0) if it isn't.
+ *
+ * @returns New code buffer offset, UINT32_MAX on failure.
+ * @param   pReNative       The native recompile state.
+ * @param   off             The code buffer offset.
+ * @param   idxAddrReg      The host register with the address to check.
+ * @param   idxInstr        The current instruction.
+ */
+DECLHIDDEN(uint32_t) iemNativeEmitCheckGprCanonicalMaybeRaiseGp0(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                                 uint8_t idxAddrReg, uint8_t idxInstr)
+{
+    RT_NOREF(idxInstr);
+
+    /*
+     * Make sure we don't have any outstanding guest register writes as we may
+     * raise an #GP(0) and all guest register must be up to date in CPUMCTX.
+     */
+    off = iemNativeRegFlushPendingWrites(pReNative, off);
+
+#ifdef RT_ARCH_AMD64
+    /*
+     * if ((((uint32_t)(a_u64Addr >> 32) + UINT32_C(0x8000)) >> 16) != 0)
+     *     return raisexcpt();
+     * ---- this wariant avoid loading a 64-bit immediate, but is an instruction longer.
+     */
+    uint8_t const iTmpReg = iemNativeRegAllocTmp(pReNative, &off);
+    AssertReturn(iTmpReg < RT_ELEMENTS(pReNative->aHstRegs), UINT32_MAX);
+
+    off = iemNativeEmitLoadGprFromGpr(pReNative, off, iTmpReg, idxAddrReg);
+    off = iemNativeEmitShiftGprRight(pReNative, off, iTmpReg, 32);
+    off = iemNativeEmitAddGpr32Imm(pReNative, off, iTmpReg, (int32_t)0x8000);
+    off = iemNativeEmitShiftGprRight(pReNative, off, iTmpReg, 16);
+
+# ifndef IEMNATIVE_WITH_INSTRUCTION_COUNTING
+    off = iemNativeEmitJnzToNewLabel(pReNative, off, kIemNativeLabelType_RaiseGp0);
+# else
+    uint32_t const offFixup = off;
+    off = iemNativeEmitJzToFixed(pReNative, off, 0);
+    off = iemNativeEmitLoadGpr8Imm(pReNative, off, IEMNATIVE_CALL_ARG1_GREG, idxInstr);
+    off = iemNativeEmitJmpToNewLabel(pReNative, off, kIemNativeLabelType_RaiseGp0);
+    iemNativeFixupFixedJump(pReNative, offFixup, off /*offTarget*/);
+# endif
+
+    iemNativeRegFreeTmp(pReNative, iTmpReg);
+
+#elif defined(RT_ARCH_ARM64)
+    /*
+     * if ((((uint64_t)(a_u64Addr) + UINT64_C(0x800000000000)) >> 48) != 0)
+     *     return raisexcpt();
+     * ----
+     *     mov     x1, 0x800000000000
+     *     add     x1, x0, x1
+     *     cmp     xzr, x1, lsr 48
+     * and either:
+     *     b.ne    .Lraisexcpt
+     * or:
+     *     b.eq    .Lnoexcept
+     *     movz    x1, #instruction-number
+     *     b       .Lraisexcpt
+     * .Lnoexcept:
+     */
+    uint8_t const iTmpReg = iemNativeRegAllocTmp(pReNative, &off);
+    AssertReturn(iTmpReg < RT_ELEMENTS(pReNative->aHstRegs), UINT32_MAX);
+
+    off = iemNativeEmitLoadGprImm64(pReNative, off, iTmpReg, UINT64_C(0x800000000000));
+    off = iemNativeEmitAddTwoGprs(pReNative, off, iTmpReg, idxAddrReg);
+    off = iemNativeEmitCmpArm64(pReNative, off, ARMV8_A64_REG_XZR, idxAddrReg, true /*f64Bit*/, 48 /*cShift*/, kArmv8A64InstrShift_Lsr);
+
+# ifndef IEMNATIVE_WITH_INSTRUCTION_COUNTING
+    off = iemNativeEmitJnzToNewLabel(pReNative, off, kIemNativeLabelType_RaiseGp0);
+# else
+    uint32_t const offFixup = off;
+    off = iemNativeEmitJzToFixed(pReNative, off, 0);
+    off = iemNativeEmitLoadGpr8Imm(pReNative, off, IEMNATIVE_CALL_ARG1_GREG, idxInstr);
+    off = iemNativeEmitJmpToNewLabel(pReNative, off, kIemNativeLabelType_RaiseGp0);
+    iemNativeFixupFixedJump(pReNative, offFixup, off /*offTarget*/);
+# endif
+
+    iemNativeRegFreeTmp(pReNative, iTmpReg);
+
+#else
+# error "Port me"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits code to check if the content of @a idxAddrReg is within the limit of
+ * idxSegReg, raising a \#GP(0) if it isn't.
+ *
+ * @returns New code buffer offset, UINT32_MAX on failure.
+ * @param   pReNative       The native recompile state.
+ * @param   off             The code buffer offset.
+ * @param   idxAddrReg      The host register (32-bit) with the address to
+ *                          check.
+ * @param   idxSegReg       The segment register (X86_SREG_XXX) to check
+ *                          against.
+ * @param   idxInstr        The current instruction.
+ */
+DECLHIDDEN(uint32_t) iemNativeEmitCheckGpr32AgainstSegLimitMaybeRaiseGp0(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                                         uint8_t idxAddrReg, uint8_t idxSegReg, uint8_t idxInstr)
+{
+    /*
+     * Make sure we don't have any outstanding guest register writes as we may
+     * raise an #GP(0) and all guest register must be up to date in CPUMCTX.
+     */
+    off = iemNativeRegFlushPendingWrites(pReNative, off);
+
+    /** @todo implement expand down/whatnot checking */
+    AssertReturn(idxSegReg == X86_SREG_CS, UINT32_MAX);
+
+    uint8_t const iTmpLimReg = iemNativeRegAllocTmpForGuestReg(pReNative, &off,
+                                                               (IEMNATIVEGSTREG)(kIemNativeGstReg_SegLimitFirst + idxSegReg),
+                                                               kIemNativeGstRegUse_ForUpdate);
+    AssertReturn(iTmpLimReg < RT_ELEMENTS(pReNative->aHstRegs), UINT32_MAX);
+
+    off = iemNativeEmitCmpGpr32WithGpr(pReNative, off, idxAddrReg, iTmpLimReg);
+
+#ifndef IEMNATIVE_WITH_INSTRUCTION_COUNTING
+    off = iemNativeEmitJaToNewLabel(pReNative, off, kIemNativeLabelType_RaiseGp0);
+    RT_NOREF(idxInstr);
+#else
+    uint32_t const offFixup = off;
+    off = iemNativeEmitJbeToFixed(pReNative, off, 0);
+    off = iemNativeEmitLoadGpr8Imm(pReNative, off, IEMNATIVE_CALL_ARG1_GREG, idxInstr);
+    off = iemNativeEmitJmpToNewLabel(pReNative, off, kIemNativeLabelType_RaiseGp0);
+    iemNativeFixupFixedJump(pReNative, offFixup, off /*offTarget*/);
+#endif
+
+    iemNativeRegFreeTmp(pReNative, iTmpLimReg);
     return off;
 }
@@ -2998 +3220 @@
  * Emits a call to a threaded worker function.
  */
-static int32_t iemNativeEmitThreadedCall(PIEMRECOMPILERSTATE pReNative, uint32_t off, PCIEMTHRDEDCALLENTRY pCallEntry)
+static uint32_t iemNativeEmitThreadedCall(PIEMRECOMPILERSTATE pReNative, uint32_t off, PCIEMTHRDEDCALLENTRY pCallEntry)
 {
     iemNativeRegFlushGuestShadows(pReNative, UINT64_MAX); /** @todo optimize this */
@@ -3080 +3302 @@
 
 /**
+ * Emits the code at the RaiseGP0 label.
+ */
+static uint32_t iemNativeEmitRaiseGp0(PIEMRECOMPILERSTATE pReNative, uint32_t off)
+{
+    uint32_t idxLabel = iemNativeFindLabel(pReNative, kIemNativeLabelType_RaiseGp0);
+    if (idxLabel != UINT32_MAX)
+    {
+        Assert(pReNative->paLabels[idxLabel].off == UINT32_MAX);
+        pReNative->paLabels[idxLabel].off = off;
+
+        /* iemNativeHlpExecRaiseGp0(PVMCPUCC pVCpu, uint8_t idxInstr) */
+        off = iemNativeEmitLoadGprFromGpr(pReNative, off, IEMNATIVE_CALL_ARG0_GREG, IEMNATIVE_REG_FIXED_PVMCPU);
+#ifndef IEMNATIVE_WITH_INSTRUCTION_COUNTING
+        off = iemNativeEmitLoadGpr8Imm(pReNative, off, IEMNATIVE_CALL_ARG1_GREG, 0);
+#endif
+#ifdef RT_ARCH_AMD64
+        off = iemNativeEmitLoadGprImm64(pReNative, off, X86_GREG_xAX, (uintptr_t)iemNativeHlpExecRaiseGp0);
+        AssertReturn(off != UINT32_MAX, UINT32_MAX);
+
+        /* call rax */
+        uint8_t *pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 2);
+        AssertReturn(pbCodeBuf, UINT32_MAX);
+        pbCodeBuf[off++] = 0xff;
+        pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 2, X86_GREG_xAX);
+
+#elif defined(RT_ARCH_ARM64)
+        off = iemNativeEmitLoadGprImm64(pReNative, off, IEMNATIVE_REG_FIXED_TMP0, (uintptr_t)iemNativeHlpExecRaiseGp0);
+        AssertReturn(off != UINT32_MAX, UINT32_MAX);
+        pu32CodeBuf[off++] = Armv8A64MkInstrBlr(IEMNATIVE_REG_FIXED_TMP0);
+#else
+# error "Port me"
+#endif
+
+        /* jump back to the return sequence. */
+        off = iemNativeEmitJmpToLabel(pReNative, off, iemNativeFindLabel(pReNative, kIemNativeLabelType_Return));
+
+#ifdef RT_ARCH_AMD64
+        /* int3 poison */
+        pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+        AssertReturn(pbCodeBuf, UINT32_MAX);
+        pbCodeBuf[off++] = 0xcc;
+#endif
+    }
+    return off;
+}
+
+
+/**
  * Emits the RC fiddling code for handling non-zero return code or rcPassUp.
  */
@@ -3142 +3412 @@
             pbCodeBuf[off++] = RT_BYTE4(offRel);
         }
-        pbCodeBuf[off++] = 0xcc;                    /*  int3 poison */
-
-#elif RT_ARCH_ARM64
+        pbCodeBuf[off++] = 0xcc;                    /* int3 poison */
+
+#elif defined(RT_ARCH_ARM64)
         /*
          * ARM64:
@@ -3225 +3495 @@
     /* ldp x19, x20, [sp #IEMNATIVE_FRAME_VAR_SIZE]! ; Unallocate the variable space and restore x19+x20. */
     AssertCompile(IEMNATIVE_FRAME_VAR_SIZE < 64*8);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kPreIndex,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_PreIndex,
                                                  ARMV8_A64_REG_X19, ARMV8_A64_REG_X20, ARMV8_A64_REG_SP,
                                                  IEMNATIVE_FRAME_VAR_SIZE / 8);
     /* Restore x21 thru x28 + BP and LR (ret address) (SP remains unchanged in the kSigned variant). */
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_X21, ARMV8_A64_REG_X22, ARMV8_A64_REG_SP, 2);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_X23, ARMV8_A64_REG_X24, ARMV8_A64_REG_SP, 4);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_X25, ARMV8_A64_REG_X26, ARMV8_A64_REG_SP, 6);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_X27, ARMV8_A64_REG_X28, ARMV8_A64_REG_SP, 8);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(true /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_BP,  ARMV8_A64_REG_LR,  ARMV8_A64_REG_SP, 10);
     AssertCompile(IEMNATIVE_FRAME_SAVE_REG_SIZE / 8 == 12);
@@ -3332 +3602 @@
     /* stp x19, x20, [sp, #-IEMNATIVE_FRAME_SAVE_REG_SIZE] ; Allocate space for saving registers and place x19+x20 at the bottom. */
     AssertCompile(IEMNATIVE_FRAME_SAVE_REG_SIZE < 64*8);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kPreIndex,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_PreIndex,
                                                  ARMV8_A64_REG_X19, ARMV8_A64_REG_X20, ARMV8_A64_REG_SP,
                                                  -IEMNATIVE_FRAME_SAVE_REG_SIZE / 8);
     /* Save x21 thru x28 (SP remains unchanged in the kSigned variant). */
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_X21, ARMV8_A64_REG_X22, ARMV8_A64_REG_SP, 2);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_X23, ARMV8_A64_REG_X24, ARMV8_A64_REG_SP, 4);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_X25, ARMV8_A64_REG_X26, ARMV8_A64_REG_SP, 6);
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_X27, ARMV8_A64_REG_X28, ARMV8_A64_REG_SP, 8);
     /* Save the BP and LR (ret address) registers at the top of the frame. */
-    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_kSigned,
+    pu32CodeBuf[off++] = Armv8A64MkInstrStLdPair(false /*fLoad*/, 2 /*64-bit*/, kArm64InstrStLdPairType_Signed,
                                                  ARMV8_A64_REG_BP,  ARMV8_A64_REG_LR,  ARMV8_A64_REG_SP, 10);
     AssertCompile(IEMNATIVE_FRAME_SAVE_REG_SIZE / 8 == 12);
@@ -3365 +3635 @@
     return off;
 }
+
+
+
+/*********************************************************************************************************************************
+*   Emitters for IEM_MC_XXXX                                                                                                     *
+*********************************************************************************************************************************/
 
 
@@ -3429 +3705 @@
 }
 
+
 /** Same as iemRegAddToEip32AndFinishingNoFlags. */
 DECLINLINE(uint32_t) iemNativeEmitAddToEip32AndFinishingNoFlags(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t cbInstr)
@@ -3466 +3743 @@
 
 
-/*
- * MC definitions for the native recompiler.
- */
+/** Same as iemRegRip64RelativeJumpS8AndFinishNoFlags,
+ *  iemRegRip64RelativeJumpS16AndFinishNoFlags and
+ *  iemRegRip64RelativeJumpS32AndFinishNoFlags. */
+DECLINLINE(uint32_t) iemNativeEmitRip64RelativeJumpAndFinishingNoFlags(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                                       uint8_t cbInstr, int32_t offDisp, IEMMODE enmEffOpSize,
+                                                                       uint8_t idxInstr)
+{
+    Assert(enmEffOpSize == IEMMODE_64BIT || enmEffOpSize == IEMMODE_16BIT);
+
+    /* We speculatively modify PC and may raise #GP(0), so make sure the right value is in CPUMCTX. */
+    off = iemNativeRegFlushPendingWrites(pReNative, off);
+
+    /* Allocate a temporary PC register. */
+    uint8_t const idxPcReg = iemNativeRegAllocTmpForGuestReg(pReNative, &off, kIemNativeGstReg_Pc, kIemNativeGstRegUse_ForUpdate);
+    AssertReturn(idxPcReg != UINT8_MAX, UINT32_MAX);
+
+    /* Perform the addition. */
+    off = iemNativeEmitAddGprImm(pReNative, off, idxPcReg, (int64_t)offDisp + cbInstr);
+
+    if (RT_LIKELY(enmEffOpSize == IEMMODE_64BIT))
+    {
+        /* Check that the address is canonical, raising #GP(0) + exit TB if it isn't. */
+        off = iemNativeEmitCheckGprCanonicalMaybeRaiseGp0(pReNative, off, idxPcReg, idxInstr);
+    }
+    else
+    {
+        /* Just truncate the result to 16-bit IP. */
+        Assert(enmEffOpSize == IEMMODE_16BIT);
+        off = iemNativeEmitClear16UpGpr(pReNative, off, idxPcReg);
+    }
+    off = iemNativeEmitStoreGprToVCpuU64(pReNative, off, idxPcReg, RT_UOFFSETOF(VMCPU, cpum.GstCtx.rip));
+
+    /* Free but don't flush the PC register. */
+    iemNativeRegFreeTmp(pReNative, idxPcReg);
+
+    return off;
+}
+
+
+/** Same as iemRegEip32RelativeJumpS8AndFinishNoFlags,
+ *  iemRegEip32RelativeJumpS16AndFinishNoFlags and
+ *  iemRegEip32RelativeJumpS32AndFinishNoFlags. */
+DECLINLINE(uint32_t) iemNativeEmitEip32RelativeJumpAndFinishingNoFlags(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                                       uint8_t cbInstr, int32_t offDisp, IEMMODE enmEffOpSize,
+                                                                       uint8_t idxInstr)
+{
+    Assert(enmEffOpSize == IEMMODE_32BIT || enmEffOpSize == IEMMODE_16BIT);
+
+    /* We speculatively modify PC and may raise #GP(0), so make sure the right value is in CPUMCTX. */
+    off = iemNativeRegFlushPendingWrites(pReNative, off);
+
+    /* Allocate a temporary PC register. */
+    uint8_t const idxPcReg = iemNativeRegAllocTmpForGuestReg(pReNative, &off, kIemNativeGstReg_Pc, kIemNativeGstRegUse_ForUpdate);
+    AssertReturn(idxPcReg != UINT8_MAX, UINT32_MAX);
+
+    /* Perform the addition. */
+    off = iemNativeEmitAddGpr32Imm(pReNative, off, idxPcReg, offDisp + cbInstr);
+
+    /* Truncate the result to 16-bit IP if the operand size is 16-bit. */
+    if (enmEffOpSize == IEMMODE_16BIT)
+    {
+        Assert(enmEffOpSize == IEMMODE_16BIT);
+        off = iemNativeEmitClear16UpGpr(pReNative, off, idxPcReg);
+    }
+
+    /* Perform limit checking, potentially raising #GP(0) and exit the TB. */
+    off = iemNativeEmitCheckGpr32AgainstSegLimitMaybeRaiseGp0(pReNative, off, idxPcReg, X86_SREG_CS, idxInstr);
+
+    off = iemNativeEmitStoreGprToVCpuU64(pReNative, off, idxPcReg, RT_UOFFSETOF(VMCPU, cpum.GstCtx.rip));
+
+    /* Free but don't flush the PC register. */
+    iemNativeRegFreeTmp(pReNative, idxPcReg);
+
+    return off;
+}
+
+
+/** Same as iemRegIp16RelativeJumpS8AndFinishNoFlags. */
+DECLINLINE(uint32_t) iemNativeEmitIp16RelativeJumpAndFinishingNoFlags(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                                      uint8_t cbInstr, int32_t offDisp, uint8_t idxInstr)
+{
+    /* We speculatively modify PC and may raise #GP(0), so make sure the right value is in CPUMCTX. */
+    off = iemNativeRegFlushPendingWrites(pReNative, off);
+
+    /* Allocate a temporary PC register. */
+    uint8_t const idxPcReg = iemNativeRegAllocTmpForGuestReg(pReNative, &off, kIemNativeGstReg_Pc, kIemNativeGstRegUse_ForUpdate);
+    AssertReturn(idxPcReg != UINT8_MAX, UINT32_MAX);
+
+    /* Perform the addition, clamp the result, check limit (may #GP(0) + exit TB) and store the result. */
+    off = iemNativeEmitAddGpr32Imm(pReNative, off, idxPcReg, offDisp + cbInstr);
+    off = iemNativeEmitClear16UpGpr(pReNative, off, idxPcReg);
+    off = iemNativeEmitCheckGpr32AgainstSegLimitMaybeRaiseGp0(pReNative, off, idxPcReg, X86_SREG_CS, idxInstr);
+    off = iemNativeEmitStoreGprToVCpuU64(pReNative, off, idxPcReg, RT_UOFFSETOF(VMCPU, cpum.GstCtx.rip));
+
+    /* Free but don't flush the PC register. */
+    iemNativeRegFreeTmp(pReNative, idxPcReg);
+
+    return off;
+}
+
+
+
+/*********************************************************************************************************************************
+*   MC definitions for the native recompiler                                                                                     *
+*********************************************************************************************************************************/
 
 #define IEM_MC_DEFER_TO_CIMPL_0_RET_THREADED(a_cbInstr, a_fFlags, a_pfnCImpl) \
@@ -3489 +3868 @@
     } AssertFailedReturn(UINT32_MAX /* shouldn't be reached! */)
 
+
 #define IEM_MC_ADVANCE_RIP_AND_FINISH_THREADED_PC16(a_cbInstr) \
-    return iemNativeEmitAddToIp16AndFinishingNoFlags(pReNative, off, a_cbInstr)
+    return iemNativeEmitAddToIp16AndFinishingNoFlags(pReNative, off, (a_cbInstr))
 
 #define IEM_MC_ADVANCE_RIP_AND_FINISH_THREADED_PC32(a_cbInstr) \
-    return iemNativeEmitAddToEip32AndFinishingNoFlags(pReNative, off, a_cbInstr)
+    return iemNativeEmitAddToEip32AndFinishingNoFlags(pReNative, off, (a_cbInstr))
 
 #define IEM_MC_ADVANCE_RIP_AND_FINISH_THREADED_PC64(a_cbInstr) \
-    return iemNativeEmitAddToRip64AndFinishingNoFlags(pReNative, off, a_cbInstr)
+    return iemNativeEmitAddToRip64AndFinishingNoFlags(pReNative, off, (a_cbInstr))
+
+
+#define IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC16(a_i8, a_cbInstr) \
+    return iemNativeEmitIp16RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (int8_t)(a_i8), pCallEntry->idxInstr)
+
+#define IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC32(a_i8, a_cbInstr, a_enmEffOpSize) \
+    return iemNativeEmitEip32RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (int8_t)(a_i8), (a_enmEffOpSize), pCallEntry->idxInstr)
+
+#define IEM_MC_REL_JMP_S8_AND_FINISH_THREADED_PC64(a_i8, a_cbInstr, a_enmEffOpSize) \
+    return iemNativeEmitRip64RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (int8_t)(a_i8), (a_enmEffOpSize), pCallEntry->idxInstr)
+
+
+#define IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC16(a_i16, a_cbInstr) \
+    return iemNativeEmitIp16RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (int16_t)(a_i16), pCallEntry->idxInstr)
+
+#define IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC32(a_i16, a_cbInstr) \
+    return iemNativeEmitEip32RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (int16_t)(a_i16), IEMMODE_16BIT, pCallEntry->idxInstr)
+
+#define IEM_MC_REL_JMP_S16_AND_FINISH_THREADED_PC64(a_i16, a_cbInstr) \
+    return iemNativeEmitRip64RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (int16_t)(a_i16), IEMMODE_16BIT, pCallEntry->idxInstr)
+
+
+#define IEM_MC_REL_JMP_S32_AND_FINISH_THREADED_PC16(a_i32, a_cbInstr) \
+    return iemNativeEmitIp16RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (a_i32), pCallEntry->idxInstr)
+
+#define IEM_MC_REL_JMP_S32_AND_FINISH_THREADED_PC32(a_i32, a_cbInstr) \
+    return iemNativeEmitEip32RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (a_i32), IEMMODE_32BIT, pCallEntry->idxInstr)
+
+#define IEM_MC_REL_JMP_S32_AND_FINISH_THREADED_PC64(a_i32, a_cbInstr) \
+    return iemNativeEmitRip64RelativeJumpAndFinishingNoFlags(pReNative, off, (a_cbInstr), (a_i32), IEMMODE_64BIT, pCallEntry->idxInstr)
+
 
 
@@ -3584 +3995 @@
     off = iemNativeEmitEpilog(pReNative, off);
     AssertReturn(off != UINT32_MAX, pTb);
+
+    /*
+     * Generate special jump labels.
+     */
+    if (pReNative->bmLabelTypes & RT_BIT_64(kIemNativeLabelType_RaiseGp0))
+    {
+        off = iemNativeEmitRaiseGp0(pReNative, off);
+        AssertReturn(off != UINT32_MAX, pTb);
+    }
 
     /*

trunk/src/VBox/VMM/include/IEMN8veRecompiler.h

@@ -258 +258 @@
     kIemNativeLabelType_Return,
     kIemNativeLabelType_NonZeroRetOrPassUp,
+    kIemNativeLabelType_RaiseGp0,
     kIemNativeLabelType_End
 } IEMNATIVELABELTYPE;
@@ -476 +477 @@
     PIEMNATIVEINSTR             pInstrBuf;
 
+    /** Bitmaps with the label types used. */
+    uint64_t                    bmLabelTypes;
     /** Actual number of labels in paLabels. */
     uint32_t                    cLabels;
@@ -558 +561 @@
 DECLHIDDEN(uint8_t)         iemNativeRegAllocTmp(PIEMRECOMPILERSTATE pReNative, uint32_t *poff,
                                                  bool fPreferVolatile = true) RT_NOEXCEPT;
+DECLHIDDEN(uint8_t)         iemNativeRegAllocTmpImm(PIEMRECOMPILERSTATE pReNative, uint32_t *poff, uint64_t uImm,
+                                                    bool fPreferVolatile = true) RT_NOEXCEPT;
 DECLHIDDEN(uint8_t)         iemNativeRegAllocTmpForGuest(PIEMRECOMPILERSTATE pReNative, uint32_t *poff,
                                                          IEMNATIVEGSTREG enmGstReg) RT_NOEXCEPT;
@@ -565 +570 @@
 DECLHIDDEN(void)            iemNativeRegFree(PIEMRECOMPILERSTATE pReNative, uint8_t idxHstReg) RT_NOEXCEPT;
 DECLHIDDEN(void)            iemNativeRegFreeTmp(PIEMRECOMPILERSTATE pReNative, uint8_t idxHstReg) RT_NOEXCEPT;
+DECLHIDDEN(void)            iemNativeRegFreeTmpImm(PIEMRECOMPILERSTATE pReNative, uint8_t idxHstReg) RT_NOEXCEPT;
 DECLHIDDEN(void)            iemNativeRegFreeAndFlushMask(PIEMRECOMPILERSTATE pReNative, uint32_t fHstRegMask) RT_NOEXCEPT;
+DECLHIDDEN(uint32_t)        iemNativeRegFlushPendingWrites(PIEMRECOMPILERSTATE pReNative, uint32_t off) RT_NOEXCEPT;
 
 DECLHIDDEN(uint32_t)        iemNativeEmitCheckCallRetAndPassUp(PIEMRECOMPILERSTATE pReNative, uint32_t off,
@@ -755 +762 @@
 
 
+/**
+ * Emits loading a constant into a 8-bit GPR
+ * @note The AMD64 version does *NOT* clear any bits in the 8..63 range,
+ *       only the ARM64 version does that.
+ */
+DECLINLINE(uint32_t) iemNativeEmitLoadGpr8Imm(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGpr, uint8_t uImm8)
+{
+#ifdef RT_ARCH_AMD64
+    /* mov gpr, imm8 */
+    uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 3);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    if (iGpr >= 8)
+        pbCodeBuf[off++] = X86_OP_REX_B;
+    else if (iGpr >= 4)
+        pbCodeBuf[off++] = X86_OP_REX;
+    pbCodeBuf[off++] = 0xb0 + (iGpr & 7);
+    pbCodeBuf[off++] = RT_BYTE1(uImm8);
+
+#elif RT_ARCH_ARM64
+    /* movz gpr, imm16, lsl #0 */
+    uint32_t * const pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+    AssertReturn(pu32CodeBuf, UINT32_MAX);
+    pu32CodeBuf[off++] = UINT32_C(0xd2800000) | (UINT32_C(0) << 21) | ((uint32_t)uImm8 << 5) | iGpr;
+
+#else
+# error "port me"
+#endif
+    return off;
+}
+
+
 #ifdef RT_ARCH_AMD64
 /**
@@ -793 +831 @@
         uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
         AssertReturn(pu32CodeBuf, UINT32_MAX);
-        pu32CodeBuf[off++] = Armv8A64MkInstrStLdRUOff(enmOperation, iGrp, IEMNATIVE_REG_FIXED_PVMCPU, offVCpu / cbData);
+        pu32CodeBuf[off++] = Armv8A64MkInstrStLdRUOff(enmOperation, iGpr, IEMNATIVE_REG_FIXED_PVMCPU, offVCpu / cbData);
     }
     else if (offVCpu - RT_UOFFSETOF(VMCPU, cpum.GstCtx) < (unsigned)(_4K * cbData) && !(offVCpu & (cbData - 1)))
@@ -799 +837 @@
         uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
         AssertReturn(pu32CodeBuf, UINT32_MAX);
-        pu32CodeBuf[off++] = Armv8A64MkInstrStLdRUOff(enmOperation, iGrp, IEMNATIVE_REG_FIXED_PCPUMCTX,
+        pu32CodeBuf[off++] = Armv8A64MkInstrStLdRUOff(enmOperation, iGpr, IEMNATIVE_REG_FIXED_PCPUMCTX,
                                                       (offVCpu - RT_UOFFSETOF(VMCPU, cpum.GstCtx)) / cbData);
     }
@@ -1257 +1295 @@
 
 /**
+ * Emits adding a 64-bit GPR to another, storing the result in the frist.
+ * @note The AMD64 version sets flags.
+ */
+DECLINLINE(uint32_t ) iemNativeEmitAddTwoGprs(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprDst, uint8_t iGprAddend)
+{
+#if defined(RT_ARCH_AMD64)
+    /* add Gv,Ev */
+    uint8_t *pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 3);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    pbCodeBuf[off++] = (iGprDst < 8 ? X86_OP_REX_W : X86_OP_REX_W | X86_OP_REX_R)
+                     | (iGprAddend < 8 ? 0 : X86_OP_REX_B);
+    pbCodeBuf[off++] = 0x04;
+    pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, iGprDst & 7, iGprAddend & 7);
+
+#elif defined(RT_ARCH_ARM64)
+    uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+    AssertReturn(pu32CodeBuf, UINT32_MAX);
+    pu32CodeBuf[off++] = Armv8A64MkInstrAddSubReg(false /*fSub*/, iGprDst, iGprDst, iGprAddend);
+
+#else
+# error "Port me"
+#endif
+    return off;
+}
+
+
+/**
  * Emits a 64-bit GPR additions with a 8-bit signed immediate.
  */
@@ -1324 +1389 @@
     else
         pu32CodeBuf[off++] = Armv8A64MkInstrAddSubUImm12(true /*fSub*/, iGprDst, iGprDst, (uint8_t)-iImm8, false /*f64Bit*/);
+
+#else
+# error "Port me"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a 64-bit GPR additions with a 64-bit signed addend.
+ */
+DECLINLINE(uint32_t ) iemNativeEmitAddGprImm(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprDst, int64_t iAddend)
+{
+#if defined(RT_ARCH_AMD64)
+    if (iAddend <= INT8_MAX && iAddend >= INT8_MIN)
+        return iemNativeEmitAddGprImm8(pReNative, off, iGprDst, (int8_t)iAddend);
+
+    if (iAddend <= INT32_MAX && iAddend >= INT32_MIN)
+    {
+        /* add grp, imm32 */
+        uint8_t *pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 7);
+        AssertReturn(pbCodeBuf, UINT32_MAX);
+        pbCodeBuf[off++] = iGprDst < 8 ? X86_OP_REX_W : X86_OP_REX_W | X86_OP_REX_B;
+        pbCodeBuf[off++] = 0x81;
+        pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 0, iGprDst & 7);
+        pbCodeBuf[off++] = RT_BYTE1((uint32_t)iAddend);
+        pbCodeBuf[off++] = RT_BYTE2((uint32_t)iAddend);
+        pbCodeBuf[off++] = RT_BYTE3((uint32_t)iAddend);
+        pbCodeBuf[off++] = RT_BYTE4((uint32_t)iAddend);
+    }
+    else
+    {
+        /* Best to use a temporary register to deal with this in the simplest way: */
+        uint8_t iTmpReg = iemNativeRegAllocTmpImm(pReNative, &off, (uint64_t)iAddend);
+        AssertReturn(iTmpReg < RT_ELEMENTS(pReNative->aHstRegs), UINT32_MAX);
+
+        /* add dst, tmpreg  */
+        uint8_t *pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 3);
+        AssertReturn(pbCodeBuf, UINT32_MAX);
+        pbCodeBuf[off++] = (iGprDst < 8 ? X86_OP_REX_W : X86_OP_REX_W | X86_OP_REX_R)
+                         | (iTmpReg < 8 ? 0 : X86_OP_REX_B);
+        pbCodeBuf[off++] = 0x03;
+        pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, iGprDst & 7, iTmpReg & 7);
+
+        iemNativeRegFreeTmpImm(pReNative, iTmpReg);
+    }
+
+#elif defined(RT_ARCH_ARM64)
+    if ((uint64_t)RT_ABS(iAddend) < RT_BIT_32(12))
+    {
+        uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+        AssertReturn(pu32CodeBuf, UINT32_MAX);
+        if (iAddend >= 0)
+            pu32CodeBuf[off++] = Armv8A64MkInstrAddSubUImm12(false /*fSub*/, iGprDst, iGprDst, (uint32_t)iAddend);
+        else
+            pu32CodeBuf[off++] = Armv8A64MkInstrAddSubUImm12(true /*fSub*/, iGprDst, iGprDst, (uint32_t)-iAddend);
+    }
+    else
+    {
+        /* Use temporary register for the immediate. */
+        uint8_t iTmpReg = iemNativeRegAllocTmpImm(pReNative, &off, (uint64_t)iAddend);
+        AssertReturn(iTmpReg < RT_ELEMENTS(pReNative->aHstRegs), UINT32_MAX);
+
+        /* add gprdst, gprdst, tmpreg */
+        uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+        AssertReturn(pu32CodeBuf, UINT32_MAX);
+        pu32CodeBuf[off++] = Armv8A64MkInstrAddSubReg(false /*fSub*/, iGprDst, iGprDst, iTmpReg);
+
+        iemNativeRegFreeTmpImm(pReNative, iTmpReg);
+    }
+
+#else
+# error "Port me"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a 32-bit GPR additions with a 32-bit signed immediate.
+ * @note Bits 32 thru 63 in the GPR will be zero after the operation.
+ */
+DECLINLINE(uint32_t ) iemNativeEmitAddGpr32Imm(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprDst, int32_t iAddend)
+{
+#if defined(RT_ARCH_AMD64)
+    if (iAddend <= INT8_MAX && iAddend >= INT8_MIN)
+        return iemNativeEmitAddGpr32Imm8(pReNative, off, iGprDst, (int8_t)iAddend);
+
+    /* add grp, imm32 */
+    uint8_t *pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 7);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    if (iGprDst >= 8)
+        pbCodeBuf[off++] = X86_OP_REX_B;
+    pbCodeBuf[off++] = 0x81;
+    pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 0, iGprDst & 7);
+    pbCodeBuf[off++] = RT_BYTE1((uint32_t)iAddend);
+    pbCodeBuf[off++] = RT_BYTE2((uint32_t)iAddend);
+    pbCodeBuf[off++] = RT_BYTE3((uint32_t)iAddend);
+    pbCodeBuf[off++] = RT_BYTE4((uint32_t)iAddend);
+
+#elif defined(RT_ARCH_ARM64)
+    if ((uint64_t)RT_ABS(iAddend) < RT_BIT_32(12))
+    {
+        uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+        AssertReturn(pu32CodeBuf, UINT32_MAX);
+        if (iAddend >= 0)
+            pu32CodeBuf[off++] = Armv8A64MkInstrAddSubUImm12(false /*fSub*/, iGprDst, iGprDst, (uint32_t)iAddend, false /*f64Bit*/);
+        else
+            pu32CodeBuf[off++] = Armv8A64MkInstrAddSubUImm12(true /*fSub*/, iGprDst, iGprDst, (uint32_t)-iAddend, false /*f64Bit*/);
+    }
+    else
+    {
+        /* Use temporary register for the immediate. */
+        uint8_t iTmpReg = iemNativeRegAllocTmpImm(pReNative, &off, (uint32_t)iAddend);
+        AssertReturn(iTmpReg < RT_ELEMENTS(pReNative->aHstRegs), UINT32_MAX);
+
+        /* add gprdst, gprdst, tmpreg */
+        uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+        AssertReturn(pu32CodeBuf, UINT32_MAX);
+        pu32CodeBuf[off++] = Armv8A64MkInstrAddSubReg(false /*fSub*/, iGprDst, iGprDst, iTmpReg, false /*f64Bit*/);
+
+        iemNativeRegFreeTmpImm(pReNative, iTmpReg);
+    }
 
 #else
@@ -1350 +1538 @@
     uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
     AssertReturn(pu32CodeBuf, UINT32_MAX);
-    /* This produces 0xffff; 0x4f: N=1 imms=001111 (immr=0) => size=64 length=15 */
-    pu32CodeBuf[off++] = Armv8A64MkInstrAndImm(iGrpDst, iGrpDst, 0x4f);
+# if 1
+    pu32CodeBuf[off++] = Armv8A64MkInstrUxth(iGprDst, iGprDst);
+# else
+    ///* This produces 0xffff; 0x4f: N=1 imms=001111 (immr=0) => size=64 length=15 */
+    //pu32CodeBuf[off++] = Armv8A64MkInstrAndImm(iGprDst, iGprDst, 0x4f);
+# endif
 #else
 # error "Port me"
@@ -1358 +1550 @@
 }
 
+
+/**
+ * Emits code for (unsigned) shifting a GPR a fixed number of bits to the right.
+ */
+DECLINLINE(uint32_t ) iemNativeEmitShiftGprRight(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprDst, uint8_t cShift)
+{
+#if defined(RT_ARCH_AMD64)
+    /* shr dst, cShift */
+    uint8_t *pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 4);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    pbCodeBuf[off++] = iGprDst < 8 ? X86_OP_REX_W : X86_OP_REX_W | X86_OP_REX_B;
+    pbCodeBuf[off++] = 0xc0;
+    pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 5, iGprDst & 7);
+    pbCodeBuf[off++] = cShift;
+    Assert(cShift > 0 && cShift < 64);
+
+#elif defined(RT_ARCH_ARM64)
+    uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+    AssertReturn(pu32CodeBuf, UINT32_MAX);
+    pu32CodeBuf[off++] = Armv8A64MkInstrLsrImm(iGprDst, iGprDst, cShift);
+#else
+# error "Port me"
+#endif
+    return off;
+}
+
+
+#ifdef RT_ARCH_ARM64
+/**
+ * Emits an ARM64 compare instruction.
+ */
+DECLINLINE(uint32_t) iemNativeEmitCmpArm64(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprLeft, uint8_t iGprRight,
+                                           bool f64Bit = true, uint32_t cShift = 0,
+                                           ARMV8A64INSTRSHIFT enmShift = kArmv8A64InstrShift_Lsr)
+{
+    uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+    AssertReturn(pu32CodeBuf, UINT32_MAX);
+    pu32CodeBuf[off++] = Armv8A64MkInstrAddSubReg(true /*fSub*/, ARMV8_A64_REG_XZR /*iRegResult*/, iGprLeft, iGprRight,
+                                                  f64Bit, true /*fSetFlags*/, cShift, enmShift);
+    return off;
+}
+#endif
+
+
+/**
+ * Emits a compare of two 64-bit GPRs, settings status flags/whatever for use
+ * with conditional instruction.
+ */
+DECLINLINE(uint32_t) iemNativeEmitCmpGprWithGpr(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprLeft, uint8_t iGprRight)
+{
+#ifdef RT_ARCH_AMD64
+    /* cmp Gv, Ev */
+    uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 3);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    pbCodeBuf[off++] = X86_OP_REX_W | (iGprLeft >= 8 ? X86_OP_REX_R : 0) | (iGprRight >= 8 ? X86_OP_REX_B : 0);
+    pbCodeBuf[off++] = 0x3b;
+    pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, iGprLeft & 7, iGprRight & 7);
+
+#elif defined(RT_ARCH_ARM64)
+    off = iemNativeEmitCmpArm64(pReNative, off, iGprLeft, iGprRight, false /*f64Bit*/);
+
+#else
+# error "Port me!"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a compare of two 32-bit GPRs, settings status flags/whatever for use
+ * with conditional instruction.
+ */
+DECLINLINE(uint32_t) iemNativeEmitCmpGpr32WithGpr(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                  uint8_t iGprLeft, uint8_t iGprRight)
+{
+#ifdef RT_ARCH_AMD64
+    /* cmp Gv, Ev */
+    uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 3);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    if (iGprLeft >= 8 || iGprRight >= 8)
+        pbCodeBuf[off++] = (iGprLeft >= 8 ? X86_OP_REX_R : 0) | (iGprRight >= 8 ? X86_OP_REX_B : 0);
+    pbCodeBuf[off++] = 0x3b;
+    pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, iGprLeft & 7, iGprRight & 7);
+
+#elif defined(RT_ARCH_ARM64)
+    off = iemNativeEmitCmpArm64(pReNative, off, iGprLeft, iGprRight, false /*f64Bit*/);
+
+#else
+# error "Port me!"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a JMP rel32 / B imm19 to the given label (ASSUMED requiring fixup).
+ */
+DECLINLINE(uint32_t) iemNativeEmitJmpToLabel(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint32_t idxLabel)
+{
+#ifdef RT_ARCH_AMD64
+    /* jnz rel32 */
+    uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 5);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    pbCodeBuf[off++] = 0xe9;
+    AssertReturn(iemNativeAddFixup(pReNative, off, idxLabel, kIemNativeFixupType_Rel32, -4), UINT32_MAX);
+    pbCodeBuf[off++] = 0xfe;
+    pbCodeBuf[off++] = 0xff;
+    pbCodeBuf[off++] = 0xff;
+    pbCodeBuf[off++] = 0xff;
+
+#elif defined(RT_ARCH_ARM64)
+    uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+    AssertReturn(pu32CodeBuf, UINT32_MAX);
+    AssertReturn(iemNativeAddFixup(pReNative, off, idxLabel, kIemNativeFixupType_RelImm19At5), UINT32_MAX);
+    pu32CodeBuf[off++] = Armv8A64MkInstrB(-1);
+
+#else
+# error "Port me!"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a JMP rel32 / B imm19 to a new undefined label.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJmpToNewLabel(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                IEMNATIVELABELTYPE enmLabelType, uint16_t uData = 0)
+{
+    uint32_t const idxLabel = iemNativeMakeLabel(pReNative, enmLabelType, UINT32_MAX /*offWhere*/, uData);
+    AssertReturn(idxLabel != UINT32_MAX, UINT32_MAX);
+    return iemNativeEmitJmpToLabel(pReNative, off, idxLabel);
+}
+
+/** Condition type. */
+#ifdef RT_ARCH_AMD64
+typedef uint8_t         IEMNATIVEINSTRCOND;
+#elif defined(RT_ARCH_ARM64)
+typedef ARMV8INSTRCOND  IEMNATIVEINSTRCOND;
+#else
+# error "Port me!"
+#endif
+
+
+/**
+ * Emits a Jcc rel32 / B.cc imm19 to the given label (ASSUMED requiring fixup).
+ */
+DECLINLINE(uint32_t) iemNativeEmitJccToLabel(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                             uint32_t idxLabel, IEMNATIVEINSTRCOND enmCond)
+{
+#ifdef RT_ARCH_AMD64
+    /* jcc rel32 */
+    uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 6);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    pbCodeBuf[off++] = 0x0f;
+    pbCodeBuf[off++] = enmCond | 0x80;
+    AssertReturn(iemNativeAddFixup(pReNative, off, idxLabel, kIemNativeFixupType_Rel32, -4), UINT32_MAX);
+    pbCodeBuf[off++] = 0x00;
+    pbCodeBuf[off++] = 0x00;
+    pbCodeBuf[off++] = 0x00;
+    pbCodeBuf[off++] = 0x00;
+
+#elif defined(RT_ARCH_ARM64)
+    uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+    AssertReturn(pu32CodeBuf, UINT32_MAX);
+    AssertReturn(iemNativeAddFixup(pReNative, off, idxLabel, kIemNativeFixupType_RelImm19At5), UINT32_MAX);
+    pu32CodeBuf[off++] = Armv8A64MkInstrBCond(enmCond, -1);
+
+#else
+# error "Port me!"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a Jcc rel32 / B.cc imm19 to a new label.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJccToNewLabel(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                IEMNATIVELABELTYPE enmLabelType, uint16_t uData, IEMNATIVEINSTRCOND enmCond)
+{
+    uint32_t const idxLabel = iemNativeMakeLabel(pReNative, enmLabelType, UINT32_MAX /*offWhere*/, uData);
+    AssertReturn(idxLabel != UINT32_MAX, UINT32_MAX);
+    return iemNativeEmitJccToLabel(pReNative, off, idxLabel, enmCond);
+}
+
+
+/**
+ * Emits a JZ/JE rel32 / B.EQ imm19 to a new label.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJzToNewLabel(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                               IEMNATIVELABELTYPE enmLabelType, uint16_t uData = 0)
+{
+#ifdef RT_ARCH_AMD64
+    return iemNativeEmitJccToNewLabel(pReNative, off, enmLabelType, uData, 0x4);
+#elif defined(RT_ARCH_ARM64)
+    return iemNativeEmitJccToNewLabel(pReNative, off, enmLabelType, uData, kArmv8InstrCond_Eq);
+#else
+# error "Port me!"
+#endif
+}
+
+
+/**
+ * Emits a JNZ/JNE rel32 / B.NE imm19 to a new label.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJnzToNewLabel(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                IEMNATIVELABELTYPE enmLabelType, uint16_t uData = 0)
+{
+#ifdef RT_ARCH_AMD64
+    return iemNativeEmitJccToNewLabel(pReNative, off, enmLabelType, uData, 0x5);
+#elif defined(RT_ARCH_ARM64)
+    return iemNativeEmitJccToNewLabel(pReNative, off, enmLabelType, uData, kArmv8InstrCond_Ne);
+#else
+# error "Port me!"
+#endif
+}
+
+
+/**
+ * Emits a JBE/JNA rel32 / B.LS imm19 to a new label.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJbeToNewLabel(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                                IEMNATIVELABELTYPE enmLabelType, uint16_t uData = 0)
+{
+#ifdef RT_ARCH_AMD64
+    return iemNativeEmitJccToNewLabel(pReNative, off, enmLabelType, uData, 0x6);
+#elif defined(RT_ARCH_ARM64)
+    return iemNativeEmitJccToNewLabel(pReNative, off, enmLabelType, uData, kArmv8InstrCond_Ls);
+#else
+# error "Port me!"
+#endif
+}
+
+
+/**
+ * Emits a JA/JNBE rel32 / B.HI imm19 to a new label.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJaToNewLabel(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                               IEMNATIVELABELTYPE enmLabelType, uint16_t uData = 0)
+{
+#ifdef RT_ARCH_AMD64
+    return iemNativeEmitJccToNewLabel(pReNative, off, enmLabelType, uData, 0x7);
+#elif defined(RT_ARCH_ARM64)
+    return iemNativeEmitJccToNewLabel(pReNative, off, enmLabelType, uData, kArmv8InstrCond_Hi);
+#else
+# error "Port me!"
+#endif
+}
+
+
+/**
+ * Emits a Jcc rel32 / B.cc imm19 with a fixed displacement.
+ * How @a offJmp is applied is are target specific.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJccToFixed(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                             int32_t offTarget, IEMNATIVEINSTRCOND enmCond)
+{
+#ifdef RT_ARCH_AMD64
+    /* jcc rel32 */
+    uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 6);
+    AssertReturn(pbCodeBuf, UINT32_MAX);
+    if (offTarget < 128 && offTarget >= -128)
+    {
+        pbCodeBuf[off++] = 0x0f;
+        pbCodeBuf[off++] = enmCond | 0x70;
+        pbCodeBuf[off++] = RT_BYTE1((uint32_t)offTarget);
+    }
+    else
+    {
+        pbCodeBuf[off++] = 0x0f;
+        pbCodeBuf[off++] = enmCond | 0x80;
+        pbCodeBuf[off++] = RT_BYTE1((uint32_t)offTarget);
+        pbCodeBuf[off++] = RT_BYTE2((uint32_t)offTarget);
+        pbCodeBuf[off++] = RT_BYTE3((uint32_t)offTarget);
+        pbCodeBuf[off++] = RT_BYTE4((uint32_t)offTarget);
+    }
+
+#elif defined(RT_ARCH_ARM64)
+    uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+    AssertReturn(pu32CodeBuf, UINT32_MAX);
+    pu32CodeBuf[off++] = Armv8A64MkInstrBCond(enmCond, offTarget);
+
+#else
+# error "Port me!"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a JZ/JE rel32 / B.EQ imm19 with a fixed displacement.
+ * How @a offJmp is applied is are target specific.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJzToFixed(PIEMRECOMPILERSTATE pReNative, uint32_t off, int32_t offTarget)
+{
+#ifdef RT_ARCH_AMD64
+    return iemNativeEmitJccToFixed(pReNative, off, offTarget, 0x4);
+#elif defined(RT_ARCH_ARM64)
+    return iemNativeEmitJccToFixed(pReNative, off, offTarget, kArmv8InstrCond_Eq);
+#else
+# error "Port me!"
+#endif
+}
+
+
+/**
+ * Emits a JNZ/JNE rel32 / B.NE imm19 with a fixed displacement.
+ * How @a offJmp is applied is are target specific.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJnzToFixed(PIEMRECOMPILERSTATE pReNative, uint32_t off, int32_t offTarget)
+{
+#ifdef RT_ARCH_AMD64
+    return iemNativeEmitJccToFixed(pReNative, off, offTarget, 0x5);
+#elif defined(RT_ARCH_ARM64)
+    return iemNativeEmitJccToFixed(pReNative, off, offTarget, kArmv8InstrCond_Ne);
+#else
+# error "Port me!"
+#endif
+}
+
+
+/**
+ * Emits a JBE/JNA rel32 / B.LS imm19 with a fixed displacement.
+ * How @a offJmp is applied is are target specific.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJbeToFixed(PIEMRECOMPILERSTATE pReNative, uint32_t off, int32_t offTarget)
+{
+#ifdef RT_ARCH_AMD64
+    return iemNativeEmitJccToFixed(pReNative, off, offTarget, 0x6);
+#elif defined(RT_ARCH_ARM64)
+    return iemNativeEmitJccToFixed(pReNative, off, offTarget, kArmv8InstrCond_Ls);
+#else
+# error "Port me!"
+#endif
+}
+
+
+/**
+ * Emits a JA/JNBE rel32 / B.EQ imm19 with a fixed displacement.
+ * How @a offJmp is applied is are target specific.
+ */
+DECLINLINE(uint32_t) iemNativeEmitJaToFixed(PIEMRECOMPILERSTATE pReNative, uint32_t off, int32_t offTarget)
+{
+#ifdef RT_ARCH_AMD64
+    return iemNativeEmitJccToFixed(pReNative, off, offTarget, 0x7);
+#elif defined(RT_ARCH_ARM64)
+    return iemNativeEmitJccToFixed(pReNative, off, offTarget, kArmv8InstrCond_Hi);
+#else
+# error "Port me!"
+#endif
+}
+
+
+/**
+ * Fixes up a conditional jump to a fixed label.
+ * @see  iemNativeEmitJnzToFixed, iemNativeEmitJzToFixed, ...
+ */
+DECLINLINE(void) iemNativeFixupFixedJump(PIEMRECOMPILERSTATE pReNative, uint32_t offFixup, uint32_t offTarget)
+{
+# if defined(RT_ARCH_AMD64)
+    uint8_t * const pbCodeBuf = pReNative->pInstrBuf;
+    if (pbCodeBuf[offFixup] != 0x0f)
+    {
+        Assert((uint8_t)(pbCodeBuf[offFixup] - 0x70) <= 0x10);
+        pbCodeBuf[offFixup + 1] = (uint8_t)(offTarget - (offFixup + 2));
+        Assert(pbCodeBuf[offFixup + 1] == offTarget - (offFixup + 2));
+    }
+    else
+    {
+        Assert((uint8_t)(pbCodeBuf[offFixup + 1] - 0x80) <= 0x10);
+        uint32_t const offRel32 = offTarget - (offFixup + 6);
+        pbCodeBuf[offFixup + 2] = RT_BYTE1(offRel32);
+        pbCodeBuf[offFixup + 3] = RT_BYTE2(offRel32);
+        pbCodeBuf[offFixup + 4] = RT_BYTE3(offRel32);
+        pbCodeBuf[offFixup + 5] = RT_BYTE4(offRel32);
+    }
+
+# elif defined(RT_ARCH_ARM64)
+    uint32_t * const pu32CodeBuf = pReNative->pInstrBuf;
+    Assert(RT_ABS((int32_t)(offTarget - offFixup)) < RT_BIT_32(18)); /* off by one for negative jumps, but not relevant here */
+    pu32CodeBuf[offFixup] = (pu32CodeBuf[offFixup] & ~((RT_BIT_32(19) - 1U) << 5))
+                          | (((offTarget - offFixup) & (RT_BIT_32(19) - 1U)) << 5);
+
+# endif
+}
+
+
+
 /** @} */