1
//! \file
2
/*
3
**  Copyright (C) - Triton
4
**
5
**  This program is under the terms of the Apache License 2.0.
6
*/
7

8
#include <triton/cpuSize.hpp>
9
#include <triton/exceptions.hpp>
10
#include <triton/x86Semantics.hpp>
11
#include <triton/x86Specifications.hpp>
12
#include <triton/astContext.hpp>
13

14

15

16
/*! \page SMT_Semantics_Supported_page SMT Semantics Supported
17
    \brief [**internal**] All information about the supported semantics.
18

19
- \ref SMT_aarch64_Semantics_Supported_page
20
- \ref SMT_arm32_Semantics_Supported_page
21
- \ref SMT_x86_Semantics_Supported_page
22

23
*/
24

25

26
/*! \page SMT_x86_Semantics_Supported_page x86 and x86-64 SMT semantics supported
27
    \brief [**internal**] List of the supported semantics for the x86 and x86-64 architectures.
28

29

30
Mnemonic                     | Extensions | Description
31
-----------------------------|------------|------------
32
AAA                          |            | ASCII Adjust After Addition
33
AAD                          |            | ASCII Adjust AX Before Division
34
AAM                          |            | ASCII Adjust AX After Multiply
35
AAS                          |            | ASCII Adjust AL After Subtraction
36
ADC                          |            | Add with Carry
37
ADCX                         | adx        | Unsigned Integer Addition of Two Operands with Carry Flag
38
ADD                          |            | Add
39
AND                          |            | Logical AND
40
ANDN                         | bmi1       | Logical AND NOT
41
ANDNPD                       | sse2       | Bitwise Logical AND NOT of Packed Double-Precision Floating-Point Values
42
ANDNPS                       | sse1       | Bitwise Logical AND NOT of Packed Single-Precision Floating-Point Values
43
ANDPD                        | sse2       | Bitwise Logical AND of Packed Double-Precision Floating-Point Values
44
ANDPS                        | sse1       | Bitwise Logical AND of Packed Single-Precision Floating-Point Values
45
BEXTR                        | bmi1/tbm   | Bit Field Extract
46
BLSI                         | bmi1       | Extract Lowest Set Isolated Bit
47
BLSMSK                       | bmi1       | Get Mask Up to Lowest Set Bit
48
BLSR                         | bmi1       | Reset Lowest Set Bit
49
BSF                          |            | Bit Scan Forward
50
BSR                          |            | Bit Scan Reverse
51
BSWAP                        |            | Byte Swap
52
BT                           |            | Bit Test
53
BTC                          |            | Bit Test and Complement
54
BTR                          |            | Bit Test and Reset
55
BTS                          |            | Bit Test and Set
56
CALL                         |            | Call Procedure
57
CBW                          |            | Convert byte (al) to word (ax)
58
CDQ                          |            | Convert dword (eax) to qword (edx:eax)
59
CDQE                         |            | Convert dword (eax) to qword (rax)
60
CLC                          |            | Clear Carry Flag
61
CLD                          |            | Clear Direction Flag
62
CLFLUSH                      | sse2       | Flush Cache Line
63
CLI                          |            | Clear Interrupt Flag
64
CLTS                         |            | Clear Task-Switched Flag in CR0
65
CMC                          |            | Complement Carry Flag
66
CMOVA                        |            | Move if not below
67
CMOVAE                       |            | Move if not below or equal
68
CMOVB                        |            | Move if below
69
CMOVBE                       |            | Move if below or equal
70
CMOVE                        |            | Move if zero
71
CMOVG                        |            | Move if not less
72
CMOVGE                       |            | Move if not less or equal
73
CMOVL                        |            | Move if less
74
CMOVLE                       |            | Move if less or equal
75
CMOVNE                       |            | Move if not zero
76
CMOVNO                       |            | Move if not overflow
77
CMOVNP                       |            | Move if not parity
78
CMOVNS                       |            | Move if not sign
79
CMOVO                        |            | Move if overflow
80
CMOVP                        |            | Move if parity
81
CMOVS                        |            | Move if sign
82
CMP                          |            | Compare Two Operands
83
CMPSB                        |            | Compare byte at address
84
CMPSD                        |            | Compare doubleword at address
85
CMPSQ                        |            | Compare quadword at address
86
CMPSW                        |            | Compare word at address
87
CMPXCHG                      |            | Compare and Exchange
88
CMPXCHG16B                   |            | Compare and Exchange 16 Bytes
89
CMPXCHG8B                    |            | Compare and Exchange 8 Bytes
90
CPUID                        |            | CPU Identification
91
CQO                          |            | Convert qword (rax) to oword (rdx:rax)
92
CWD                          |            | Convert word (ax) to dword (dx:ax)
93
CWDE                         |            | Convert word (ax) to dword (eax)
94
DEC                          |            | Decrement by 1
95
DIV                          |            | Unsigned Divide
96
ENDBR32                      |            | No Operation
97
ENDBR64                      |            | No Operation
98
EXTRACTPS                    | sse4.1     | Extract Packed Single Precision Floating-Point Value
99
IDIV                         |            | Signed Divide
100
IMUL                         |            | Signed Multiply
101
INC                          |            | Increment by 1
102
INVD                         |            | Invalidate Internal Caches
103
INVLPG                       |            | Invalidate TLB Entry
104
JA                           |            | Jump if not below (Jump if above)
105
JAE                          |            | Jump if not below or equal (Jump if above or equal)
106
JB                           |            | Jump if below
107
JBE                          |            | Jump if below or equal
108
JCXZ                         |            | Jump if cx is zero
109
JE                           |            | Jump if zero (Jump if equal)
110
JECXZ                        |            | Jump if ecx is zero
111
JG                           |            | Jump if not less or equal (Jump if greater)
112
JGE                          |            | Jump if not less (Jump if not less)
113
JL                           |            | Jump if less
114
JLE                          |            | Jump if less or equal
115
JMP                          |            | Jump
116
JNE                          |            | Jump if not equal
117
JNO                          |            | Jump if not overflow
118
JNP                          |            | Jump if not parity
119
JNS                          |            | Jump if not sign
120
JO                           |            | Jump if overflow
121
JP                           |            | Jump if parity
122
JRCXZ                        |            | Jump if rcx is zero
123
JS                           |            | Jump if sign
124
LAHF                         |            | Load Status Flags into AH Register
125
LDDQU                        | sse3       | Load Unaligned Integer 128 Bits
126
LDMXCSR                      | sse1       | Load MXCSR Register
127
LEA                          |            | Load Effective Address
128
LEAVE                        |            | High Level Procedure Exit
129
LFENCE                       | sse2       | Load Fence
130
LODSB                        |            | Load byte at address
131
LODSD                        |            | Load doubleword at address
132
LODSQ                        |            | Load quadword at address
133
LODSW                        |            | Load word at address
134
LOOP                         |            | Loop According to ECX Counter
135
LZCNT                        |            | Count the Number of Leading Zero Bits
136
MFENCE                       | sse2       | Memory Fence
137
MOV                          |            | Move
138
MOVABS                       |            | Move
139
MOVAPD                       | sse2       | Move Aligned Packed Double-Precision Floating-Point Values
140
MOVAPS                       | sse1       | Move Aligned Packed Single-Precision Floating-Point Values
141
MOVBE                        | mmx/sse2   | Move Data After Swapping Bytes
142
MOVD                         | mmx/sse2   | Move Doubleword
143
MOVDDUP                      | sse3       | Move One Double-FP and Duplicate
144
MOVDQ2Q                      | sse2       | Move Quadword from XMM to MMX Technology Register
145
MOVDQA                       | sse2       | Move Aligned Double Quadword
146
MOVDQU                       | sse2       | Move Unaligned Double Quadword
147
MOVHLPS                      | sse1       | Move Packed Single-Precision Floating-Point Values High to Low
148
MOVHPD                       | sse2       | Move High Packed Double-Precision Floating-Point Values
149
MOVHPS                       | sse1       | Move High Packed Single-Precision Floating-Point Values
150
MOVLHPS                      | sse1       | Move Packed Single-Precision Floating-Point Values Low to High
151
MOVLPD                       | sse2       | Move Low Packed Double-Precision Floating-Point Values
152
MOVLPS                       | sse1       | Move Low Packed Single-Precision Floating-Point Values
153
MOVMSKPD                     | sse2       | Extract Packed Double-Precision Floating-Point Sign Mask
154
MOVMSKPS                     | sse1       | Extract Packed Single-Precision Floating-Point Sign Mask
155
MOVNTDQ                      | sse2       | Store Double Quadword Using Non-Temporal Hint
156
MOVNTI                       | sse2       | Store Doubleword Using Non-Temporal Hint
157
MOVNTPD                      | sse2       | Store Packed Double-Precision Floating-Point Values Using Non-Temporal Hint
158
MOVNTPS                      | sse1       | Store Packed Single-Precision Floating-Point Values Using Non-Temporal Hint
159
MOVNTQ                       | sse1       | Store of Quadword Using Non-Temporal Hint
160
MOVQ                         | mmx/sse2   | Move Quadword
161
MOVQ2DQ                      | sse2       | Move Quadword from MMX Technology to XMM Register
162
MOVSB                        |            | Move byte at address
163
MOVSD                        |            | Move doubleword at address
164
MOVSHDUP                     | sse3       | Move Packed Single-FP High and Duplicate
165
MOVSLDUP                     | sse3       | Move Packed Single-FP Low and Duplicate
166
MOVSQ                        |            | Move quadword at address
167
MOVSW                        |            | Move word at address
168
MOVSX                        |            | Move with Sign-Extension
169
MOVSXD                       |            | Move with Sign-Extension
170
MOVUPD                       | see2       | Move Unaligned Packed Double-Precision Floating- Point Values
171
MOVUPS                       | see1       | Move Unaligned Packed Single-Precision Floating- Point Values
172
MOVSS                        | sse1       | Move Scalar Single-Precision Floating- Point Values
173
MOVZX                        |            | Move with Zero-Extend
174
MUL                          |            | Unsigned Multiply
175
MULX                         | bmi2       | Unsigned Multiply Without Affecting Flags
176
NEG                          |            | Two's Complement Negation
177
NOP                          |            | No Operation
178
NOT                          |            | One's Complement Negation
179
OR                           |            | Logical Inclusive OR
180
ORPD                         | sse2       | Bitwise Logical OR of Double-Precision Floating-Point Values
181
ORPS                         | sse1       | Bitwise Logical OR of Single-Precision Floating-Point Values
182
PADDB                        | mmx/sse2   | Add packed byte integers
183
PADDD                        | mmx/sse2   | Add packed doubleword integers
184
PADDQ                        | mmx/sse2   | Add packed quadword integers
185
PADDW                        | mmx/sse2   | Add packed word integers
186
PAND                         | mmx/sse2   | Logical AND
187
PANDN                        | mmx/sse2   | Logical AND NOT
188
PAUSE                        | sse2       | Spin Loop Hint
189
PAVGB                        | sse1       | Average Packed Unsigned Byte Integers
190
PAVGW                        | sse1       | Average Packed Unsigned Word Integers
191
PCMPEQB                      | mmx/sse2   | Compare Packed Data for Equal (bytes)
192
PCMPEQD                      | mmx/sse2   | Compare Packed Data for Equal (dwords)
193
PCMPEQW                      | mmx/sse2   | Compare Packed Data for Equal (words)
194
PCMPGTB                      | mmx/sse2   | Compare Packed Data for Greater Than (bytes)
195
PCMPGTD                      | mmx/sse2   | Compare Packed Data for Greater Than (dwords)
196
PCMPGTW                      | mmx/sse2   | Compare Packed Data for Greater Than (words)
197
PEXTRB                       | sse4.1     | Extract Byte
198
PEXTRD                       | sse4.1     | Extract Dword
199
PEXTRQ                       | sse4.1     | Extract Qword
200
PEXTRW                       | sse4.1     | Extract Word
201
PINSRB                       | sse4.1     | Insert Byte
202
PINSRD                       | sse4.1     | Insert Dword
203
PINSRQ                       | sse4.1     | Insert Qword
204
PINSRW                       | sse2       | Insert Word
205
PMAXSB                       | sse4.1     | Maximum of Packed Signed Byte Integers
206
PMAXSD                       | sse4.1     | Maximum of Packed Signed Doubleword Integers
207
PMAXSW                       | sse1       | Maximum of Packed Signed Word Integers
208
PMAXUB                       | sse1       | Maximum of Packed Unsigned Byte Integers
209
PMAXUD                       | sse4.1     | Maximum of Packed Unsigned Doubleword Integers
210
PMAXUW                       | sse4.1     | Maximum of Packed Unsigned Word Integers
211
PMINSB                       | sse4.1     | Minimum of Packed Signed Byte Integers
212
PMINSD                       | sse4.1     | Minimum of Packed Signed Doubleword Integers
213
PMINSW                       | sse1       | Minimum of Packed Signed Word Integers
214
PMINUB                       | sse1       | Minimum of Packed Unsigned Byte Integers
215
PMINUD                       | sse4.1     | Minimum of Packed Unsigned Doubleword Integers
216
PMINUW                       | sse4.1     | Minimum of Packed Unsigned Word Integers
217
PMOVMSKB                     | sse1       | Move Byte Mask
218
PMOVSXBD                     | sse4.1     | Sign Extend 4 Packed Signed 8-bit Integers
219
PMOVSXBQ                     | sse4.1     | Sign Extend 2 Packed Signed 8-bit Integers
220
PMOVSXBW                     | sse4.1     | Sign Extend 8 Packed Signed 8-bit Integers
221
PMOVSXDQ                     | sse4.1     | Sign Extend 2 Packed Signed 32-bit Integers
222
PMOVSXWD                     | sse4.1     | Sign Extend 4 Packed Signed 16-bit Integers
223
PMOVSXWQ                     | sse4.1     | Sign Extend 2 Packed Signed 16-bit Integers
224
PMOVZXBD                     | sse4.1     | Zero Extend 4 Packed Signed 8-bit Integers
225
PMOVZXBQ                     | sse4.1     | Zero Extend 2 Packed Signed 8-bit Integers
226
PMOVZXBW                     | sse4.1     | Zero Extend 8 Packed Signed 8-bit Integers
227
PMOVZXDQ                     | sse4.1     | Zero Extend 2 Packed Signed 32-bit Integers
228
PMOVZXWD                     | sse4.1     | Zero Extend 4 Packed Signed 16-bit Integers
229
PMOVZXWQ                     | sse4.1     | Zero Extend 2 Packed Signed 16-bit Integers
230
POP                          |            | Pop a Value from the Stack
231
POPAL/POPAD                  |            | Pop All General-Purpose Registers
232
POPF                         |            | Pop Stack into lower 16-bit of EFLAGS Register
233
POPFD                        |            | Pop Stack into EFLAGS Register
234
POPFQ                        |            | Pop Stack into RFLAGS Register
235
POR                          | mmx/sse2   | Bitwise Logical OR
236
PREFETCH                     | 3DNow      | Move data from m8 closer to the processor without expecting to write back
237
PREFETCHNTA                  | mmx/sse1   | Move data from m8 closer to the processor using NTA hint
238
PREFETCHT0                   | mmx/sse1   | Move data from m8 closer to the processor using T0 hint
239
PREFETCHT1                   | mmx/sse1   | Move data from m8 closer to the processor using T1 hint
240
PREFETCHT2                   | mmx/sse1   | Move data from m8 closer to the processor using T2 hint
241
PREFETCHW                    | 3DNow      | Move data from m8 closer to the processor in anticipation of a write
242
PSHUFD                       | sse2       | Shuffle Packed Doublewords
243
PSHUFHW                      | sse2       | Shuffle Packed High Words
244
PSHUFLW                      | sse2       | Shuffle Packed Low Words
245
PSHUFW                       | sse1       | Shuffle Packed Words
246
PSLLD                        | mmx/ssed2  | Shift Doubleword Left Logical
247
PSLLDQ                       | sse2       | Shift Double Quadword Left Logical
248
PSLLQ                        | mmx/ssed2  | Shift Quadword Left Logical
249
PSLLW                        | mmx/ssed2  | Shift Word Left Logical
250
PSRLDQ                       | sse2       | Shift Double Quadword Right Logical
251
PSUBB                        | mmx/sse2   | Subtract packed byte integers
252
PSUBD                        | mmx/sse2   | Subtract packed doubleword integers
253
PSUBQ                        | mmx/sse2   | Subtract packed quadword integers
254
PSUBW                        | mmx/sse2   | Subtract packed word integers
255
PTEST                        | sse4.1     | Logical Compare
256
PUNPCKHBW                    | mmx,sse2   | Unpack High Data (Unpack and interleave high-order bytes)
257
PUNPCKHDQ                    | mmx,sse2   | Unpack High Data (Unpack and interleave high-order doublewords)
258
PUNPCKHQDQ                   | sse2       | Unpack High Data (Unpack and interleave high-order quadwords)
259
PUNPCKHWD                    | mmx,sse2   | Unpack High Data (Unpack and interleave high-order words)
260
PUNPCKLBW                    | mmx,sse2   | Unpack Low Data (Unpack and interleave low-order bytes)
261
PUNPCKLDQ                    | mmx,sse2   | Unpack Low Data (Unpack and interleave low-order doublewords)
262
PUNPCKLQDQ                   | sse2       | Unpack Low Data (Unpack and interleave low-order quadwords)
263
PUNPCKLWD                    | mmx,sse2   | Unpack Low Data (Unpack and interleave low-order words)
264
PUSH                         |            | Push a Value onto the Stack
265
PUSHAL/PUSHAD                |            | Push All General-Purpose Registers
266
PUSHFD                       |            | Push EFLAGS Register onto the Stack
267
PUSHFQ                       |            | Push RFLAGS Register onto the Stack
268
PXOR                         | mmx/sse2   | Logical Exclusive OR
269
RCL                          |            | Rotate Left with Carry
270
RCR                          |            | Rotate Right with Carry
271
RDTSC                        |            | Read Time-Stamp Counter
272
RET                          |            | Return from Procedure
273
ROL                          |            | Rotate Left
274
ROR                          |            | Rotate Right
275
RORX                         | bmi2       | Rotate Right Logical Without Affecting Flags
276
SAHF                         |            | Store AH into Flags
277
SAL                          |            | Shift Left
278
SAR                          |            | Shift Right Signed
279
SARX                         | bmi2       | Shift arithmetic right without affecting flags
280
SBB                          |            | Integer Subtraction with Borrow
281
SCASB                        |            | Scan byte at address
282
SCASD                        |            | Scan doubleword at address
283
SCASQ                        |            | Scan quadword at address
284
SCASW                        |            | Scan word at address
285
SETA                         |            | Set byte if above
286
SETAE                        |            | Set byte if above or equal
287
SETB                         |            | Set byte if below
288
SETBE                        |            | Set byte if below or equal
289
SETE                         |            | Set byte if zero
290
SETG                         |            | Set byte if greater
291
SETGE                        |            | Set byte if greater or equal
292
SETL                         |            | Set byte if less
293
SETLE                        |            | Set byte if less or equal
294
SETNE                        |            | Set byte if not zero
295
SETNO                        |            | Set byte if not overflow
296
SETNP                        |            | Set byte if not parity
297
SETNS                        |            | Set byte if not sign
298
SETO                         |            | Set byte if overflow
299
SETP                         |            | Set byte if parity
300
SETS                         |            | Set byte if sign
301
SFENCE                       | sse1       | Store Fence
302
SHL                          |            | Shift Left
303
SHLD                         |            | Double-precision Shift Left
304
SHLX                         | bmi2       | Shift Logical Left Without Affecting Flags
305
SHR                          |            | Shift Right Unsigned
306
SHRD                         |            | Double Precision Shift Right
307
SHRX                         | bmi2       | Shift Logical Right Without Affecting Flags
308
STC                          |            | Set Carry Flag
309
STD                          |            | Set Direction Flag
310
STI                          |            | Set Interrupt Flag
311
STMXCSR                      | sse1       | Store MXCSR Register State
312
STOSB                        |            | Store byte at address
313
STOSD                        |            | Store doubleword at address
314
STOSQ                        |            | Store quadword at address
315
STOSW                        |            | Store word at address
316
SUB                          |            | Subtract
317
SYSCALL                      |            | Fast System Call
318
SYSENTER                     |            | Fast System Call
319
TEST                         |            | Logical Compare
320
TZCNT                        | bmi1       | Count the Number of Trailing Zero Bits
321
UNPCKHPD                     | sse2       | Unpack and Interleave High Packed Double- Precision Floating-Point Values
322
UNPCKHPS                     | sse1       | Unpack and Interleave High Packed Single-Precision Floating-Point Values
323
UNPCKLPD                     | sse2       | Unpack and Interleave Low Packed Double-Precision Floating-Point Values
324
UNPCKLPS                     | sse1       | Unpack and Interleave Low Packed Single-Precision Floating-Point Values
325
VMOVD                        | avx        | VEX Move Doubleword
326
VMOVDQA                      | avx        | VEX Move aligned packed integer values
327
VMOVDQU                      | avx        | VEX Move unaligned packed integer values
328
VMOVQ                        | avx        | VEX Move Quadword
329
VPAND                        | avx/avx2   | VEX Logical AND
330
VPANDN                       | avx/avx2   | VEX Logical AND NOT
331
VPEXTRB                      | avx/avx2   | VEX Extract Byte
332
VPEXTRD                      | avx/avx2   | VEX Extract Dword
333
VPEXTRQ                      | avx/avx2   | VEX Extract Qword
334
VPEXTRW                      | avx/avx2   | VEX Extract Word
335
VPCMPEQB                     | avx/avx2   | VEX Compare packed Bytes for equality
336
VPCMPEQD                     | avx/avx2   | VEX Compare packed Doublewords for equality
337
VPCMPEQQ                     | avx/avx2   | VEX Compare packed Quadwords for equality
338
VPCMPEQW                     | avx/avx2   | VEX Compare packed Words for equality
339
VPMOVMSKB                    | avx/avx2   | VEX Move Byte Mask
340
VPMINUB                      | avx/avx2   | VEX Minimum of Packed Unsigned Byte Integers
341
VPOR                         | avx/avx2   | VEX Logical OR
342
VPSHUFD                      | avx/avx2   | VEX Shuffle Packed Doublewords
343
VPTEST                       | avx        | VEX Logical Compare
344
VPXOR                        | avx/avx2   | VEX Logical XOR
345
WAIT                         |            | Wait
346
WBINVD                       |            | Write Back and Invalidate Cache
347
XADD                         |            | Exchange and Add
348
XCHG                         |            | Exchange Register/Memory with Register
349
XOR                          |            | Logical Exclusive OR
350
XORPD                        | sse2       | Bitwise Logical XOR for Double-Precision Floating-Point Values
351
XORPS                        | sse1       | Bitwise Logical XOR for Single-Precision Floating-Point Values
352

353
*/
354

355

356

357
namespace triton {
358
  namespace arch {
359
    namespace x86 {
360

361 1
      x86Semantics::x86Semantics(triton::arch::Architecture* architecture,
362
                                 triton::engines::symbolic::SymbolicEngine* symbolicEngine,
363
                                 triton::engines::taint::TaintEngine* taintEngine,
364
                                 const triton::modes::SharedModes& modes,
365 1
                                 const triton::ast::SharedAstContext& astCtxt) : modes(modes), astCtxt(astCtxt) {
366

367 1
        this->architecture    = architecture;
368 1
        this->symbolicEngine  = symbolicEngine;
369 1
        this->taintEngine     = taintEngine;
370

371 1
        if (architecture == nullptr)
372 0
          throw triton::exceptions::Semantics("x86Semantics::x86Semantics(): The architecture API must be defined.");
373

374 1
        if (this->symbolicEngine == nullptr)
375 0
          throw triton::exceptions::Semantics("x86Semantics::x86Semantics(): The symbolic engine API must be defined.");
376

377 1
        if (this->taintEngine == nullptr)
378 0
          throw triton::exceptions::Semantics("x86Semantics::x86Semantics(): The taint engines API must be defined.");
379
      }
380

381

382 1
      bool x86Semantics::buildSemantics(triton::arch::Instruction& inst) {
383 1
        switch (inst.getType()) {
384 1
          case ID_INS_AAA:            this->aaa_s(inst);          break;
385 1
          case ID_INS_AAD:            this->aad_s(inst);          break;
386 1
          case ID_INS_AAM:            this->aam_s(inst);          break;
387 1
          case ID_INS_AAS:            this->aas_s(inst);          break;
388 1
          case ID_INS_ADC:            this->adc_s(inst);          break;
389 1
          case ID_INS_ADCX:           this->adcx_s(inst);         break;
390 1
          case ID_INS_ADD:            this->add_s(inst);          break;
391 1
          case ID_INS_AND:            this->and_s(inst);          break;
392 1
          case ID_INS_ANDN:           this->andn_s(inst);         break;
393 1
          case ID_INS_ANDNPD:         this->andnpd_s(inst);       break;
394 1
          case ID_INS_ANDNPS:         this->andnps_s(inst);       break;
395 1
          case ID_INS_ANDPD:          this->andpd_s(inst);        break;
396 1
          case ID_INS_ANDPS:          this->andps_s(inst);        break;
397 1
          case ID_INS_BEXTR:          this->bextr_s(inst);        break;
398 1
          case ID_INS_BLSI:           this->blsi_s(inst);         break;
399 1
          case ID_INS_BLSMSK:         this->blsmsk_s(inst);       break;
400 1
          case ID_INS_BLSR:           this->blsr_s(inst);         break;
401 1
          case ID_INS_BSF:            this->bsf_s(inst);          break;
402 1
          case ID_INS_BSR:            this->bsr_s(inst);          break;
403 1
          case ID_INS_BSWAP:          this->bswap_s(inst);        break;
404 1
          case ID_INS_BT:             this->bt_s(inst);           break;
405 1
          case ID_INS_BTC:            this->btc_s(inst);          break;
406 1
          case ID_INS_BTR:            this->btr_s(inst);          break;
407 1
          case ID_INS_BTS:            this->bts_s(inst);          break;
408 1
          case ID_INS_CALL:           this->call_s(inst);         break;
409 1
          case ID_INS_CBW:            this->cbw_s(inst);          break;
410 1
          case ID_INS_CDQ:            this->cdq_s(inst);          break;
411 1
          case ID_INS_CDQE:           this->cdqe_s(inst);         break;
412 1
          case ID_INS_CLC:            this->clc_s(inst);          break;
413 1
          case ID_INS_CLD:            this->cld_s(inst);          break;
414 1
          case ID_INS_CLFLUSH:        this->clflush_s(inst);      break;
415 1
          case ID_INS_CLTS:           this->clts_s(inst);         break;
416 1
          case ID_INS_CLI:            this->cli_s(inst);          break;
417 1
          case ID_INS_CMC:            this->cmc_s(inst);          break;
418 1
          case ID_INS_CMOVA:          this->cmova_s(inst);        break;
419 1
          case ID_INS_CMOVAE:         this->cmovae_s(inst);       break;
420 1
          case ID_INS_CMOVB:          this->cmovb_s(inst);        break;
421 1
          case ID_INS_CMOVBE:         this->cmovbe_s(inst);       break;
422 1
          case ID_INS_CMOVE:          this->cmove_s(inst);        break;
423 1
          case ID_INS_CMOVG:          this->cmovg_s(inst);        break;
424 1
          case ID_INS_CMOVGE:         this->cmovge_s(inst);       break;
425 1
          case ID_INS_CMOVL:          this->cmovl_s(inst);        break;
426 1
          case ID_INS_CMOVLE:         this->cmovle_s(inst);       break;
427 1
          case ID_INS_CMOVNE:         this->cmovne_s(inst);       break;
428 1
          case ID_INS_CMOVNO:         this->cmovno_s(inst);       break;
429 1
          case ID_INS_CMOVNP:         this->cmovnp_s(inst);       break;
430 1
          case ID_INS_CMOVNS:         this->cmovns_s(inst);       break;
431 1
          case ID_INS_CMOVO:          this->cmovo_s(inst);        break;
432 1
          case ID_INS_CMOVP:          this->cmovp_s(inst);        break;
433 1
          case ID_INS_CMOVS:          this->cmovs_s(inst);        break;
434 1
          case ID_INS_CMP:            this->cmp_s(inst);          break;
435 1
          case ID_INS_CMPSB:          this->cmpsb_s(inst);        break;
436 1
          case ID_INS_CMPSD:          this->cmpsd_s(inst);        break;
437 1
          case ID_INS_CMPSQ:          this->cmpsq_s(inst);        break;
438 1
          case ID_INS_CMPSW:          this->cmpsw_s(inst);        break;
439 1
          case ID_INS_CMPXCHG:        this->cmpxchg_s(inst);      break;
440 1
          case ID_INS_CMPXCHG16B:     this->cmpxchg16b_s(inst);   break;
441 1
          case ID_INS_CMPXCHG8B:      this->cmpxchg8b_s(inst);    break;
442 1
          case ID_INS_CPUID:          this->cpuid_s(inst);        break;
443 1
          case ID_INS_CQO:            this->cqo_s(inst);          break;
444 1
          case ID_INS_CWD:            this->cwd_s(inst);          break;
445 1
          case ID_INS_CWDE:           this->cwde_s(inst);         break;
446 1
          case ID_INS_DEC:            this->dec_s(inst);          break;
447 1
          case ID_INS_DIV:            this->div_s(inst);          break;
448 0
          case ID_INS_ENDBR32:        this->endbr32_s(inst);      break;
449 0
          case ID_INS_ENDBR64:        this->endbr64_s(inst);      break;
450 1
          case ID_INS_EXTRACTPS:      this->extractps_s(inst);    break;
451 1
          case ID_INS_IDIV:           this->idiv_s(inst);         break;
452 1
          case ID_INS_IMUL:           this->imul_s(inst);         break;
453 1
          case ID_INS_INC:            this->inc_s(inst);          break;
454 1
          case ID_INS_INVD:           this->invd_s(inst);         break;
455 1
          case ID_INS_INVLPG:         this->invlpg_s(inst);       break;
456 1
          case ID_INS_JA:             this->ja_s(inst);           break;
457 1
          case ID_INS_JAE:            this->jae_s(inst);          break;
458 1
          case ID_INS_JB:             this->jb_s(inst);           break;
459 1
          case ID_INS_JBE:            this->jbe_s(inst);          break;
460 0
          case ID_INS_JCXZ:           this->jcxz_s(inst);         break;
461 1
          case ID_INS_JE:             this->je_s(inst);           break;
462 1
          case ID_INS_JECXZ:          this->jecxz_s(inst);        break;
463 1
          case ID_INS_JG:             this->jg_s(inst);           break;
464 1
          case ID_INS_JGE:            this->jge_s(inst);          break;
465 1
          case ID_INS_JL:             this->jl_s(inst);           break;
466 1
          case ID_INS_JLE:            this->jle_s(inst);          break;
467 1
          case ID_INS_JMP:            this->jmp_s(inst);          break;
468 1
          case ID_INS_JNE:            this->jne_s(inst);          break;
469 1
          case ID_INS_JNO:            this->jno_s(inst);          break;
470 1
          case ID_INS_JNP:            this->jnp_s(inst);          break;
471 1
          case ID_INS_JNS:            this->jns_s(inst);          break;
472 1
          case ID_INS_JO:             this->jo_s(inst);           break;
473 1
          case ID_INS_JP:             this->jp_s(inst);           break;
474 1
          case ID_INS_JRCXZ:          this->jrcxz_s(inst);        break;
475 1
          case ID_INS_JS:             this->js_s(inst);           break;
476 1
          case ID_INS_LAHF:           this->lahf_s(inst);         break;
477 1
          case ID_INS_LDDQU:          this->lddqu_s(inst);        break;
478 1
          case ID_INS_LDMXCSR:        this->ldmxcsr_s(inst);      break;
479 1
          case ID_INS_LEA:            this->lea_s(inst);          break;
480 1
          case ID_INS_LEAVE:          this->leave_s(inst);        break;
481 1
          case ID_INS_LFENCE:         this->lfence_s(inst);       break;
482 1
          case ID_INS_LODSB:          this->lodsb_s(inst);        break;
483 1
          case ID_INS_LODSD:          this->lodsd_s(inst);        break;
484 1
          case ID_INS_LODSQ:          this->lodsq_s(inst);        break;
485 1
          case ID_INS_LODSW:          this->lodsw_s(inst);        break;
486 0
          case ID_INS_LOOP:           this->loop_s(inst);         break;
487 1
          case ID_INS_LZCNT:          this->lzcnt_s(inst);        break;
488 1
          case ID_INS_MFENCE:         this->mfence_s(inst);       break;
489 1
          case ID_INS_MOV:            this->mov_s(inst);          break;
490 1
          case ID_INS_MOVABS:         this->movabs_s(inst);       break;
491 1
          case ID_INS_MOVAPD:         this->movapd_s(inst);       break;
492 1
          case ID_INS_MOVAPS:         this->movaps_s(inst);       break;
493 0
          case ID_INS_MOVBE:          this->movbe_s(inst);        break;
494 1
          case ID_INS_MOVD:           this->movd_s(inst);         break;
495 1
          case ID_INS_MOVDDUP:        this->movddup_s(inst);      break;
496 1
          case ID_INS_MOVDQ2Q:        this->movdq2q_s(inst);      break;
497 1
          case ID_INS_MOVDQA:         this->movdqa_s(inst);       break;
498 1
          case ID_INS_MOVDQU:         this->movdqu_s(inst);       break;
499 1
          case ID_INS_MOVHLPS:        this->movhlps_s(inst);      break;
500 1
          case ID_INS_MOVHPD:         this->movhpd_s(inst);       break;
501 1
          case ID_INS_MOVHPS:         this->movhps_s(inst);       break;
502 1
          case ID_INS_MOVLHPS:        this->movlhps_s(inst);      break;
503 1
          case ID_INS_MOVLPD:         this->movlpd_s(inst);       break;
504 1
          case ID_INS_MOVLPS:         this->movlps_s(inst);       break;
505 1
          case ID_INS_MOVMSKPD:       this->movmskpd_s(inst);     break;
506 1
          case ID_INS_MOVMSKPS:       this->movmskps_s(inst);     break;
507 1
          case ID_INS_MOVNTDQ:        this->movntdq_s(inst);      break;
508 1
          case ID_INS_MOVNTI:         this->movnti_s(inst);       break;
509 1
          case ID_INS_MOVNTPD:        this->movntpd_s(inst);      break;
510 1
          case ID_INS_MOVNTPS:        this->movntps_s(inst);      break;
511 1
          case ID_INS_MOVNTQ:         this->movntq_s(inst);       break;
512 1
          case ID_INS_MOVQ2DQ:        this->movq2dq_s(inst);      break;
513 1
          case ID_INS_MOVQ:           this->movq_s(inst);         break;
514 1
          case ID_INS_MOVSB:          this->movsb_s(inst);        break;
515 1
          case ID_INS_MOVSD:          this->movsd_s(inst);        break;
516 1
          case ID_INS_MOVSHDUP:       this->movshdup_s(inst);     break;
517 1
          case ID_INS_MOVSLDUP:       this->movsldup_s(inst);     break;
518 1
          case ID_INS_MOVUPD:         this->movupd_s(inst);       break;
519 1
          case ID_INS_MOVUPS:         this->movups_s(inst);       break;
520 1
          case ID_INS_MOVSS:          this->movss_s(inst);        break;
521 1
          case ID_INS_MOVSQ:          this->movsq_s(inst);        break;
522 1
          case ID_INS_MOVSW:          this->movsw_s(inst);        break;
523 1
          case ID_INS_MOVSX:          this->movsx_s(inst);        break;
524 1
          case ID_INS_MOVSXD:         this->movsxd_s(inst);       break;
525 1
          case ID_INS_MOVZX:          this->movzx_s(inst);        break;
526 1
          case ID_INS_MUL:            this->mul_s(inst);          break;
527 1
          case ID_INS_MULX:           this->mulx_s(inst);         break;
528 1
          case ID_INS_NEG:            this->neg_s(inst);          break;
529 1
          case ID_INS_NOP:            this->nop_s(inst);          break;
530 1
          case ID_INS_NOT:            this->not_s(inst);          break;
531 1
          case ID_INS_OR:             this->or_s(inst);           break;
532 1
          case ID_INS_ORPD:           this->orpd_s(inst);         break;
533 1
          case ID_INS_ORPS:           this->orps_s(inst);         break;
534 1
          case ID_INS_PADDB:          this->paddb_s(inst);        break;
535 1
          case ID_INS_PADDD:          this->paddd_s(inst);        break;
536 1
          case ID_INS_PADDQ:          this->paddq_s(inst);        break;
537 1
          case ID_INS_PADDW:          this->paddw_s(inst);        break;
538 1
          case ID_INS_PAND:           this->pand_s(inst);         break;
539 1
          case ID_INS_PANDN:          this->pandn_s(inst);        break;
540 1
          case ID_INS_PAUSE:          this->pause_s(inst);        break;
541 1
          case ID_INS_PAVGB:          this->pavgb_s(inst);        break;
542 1
          case ID_INS_PAVGW:          this->pavgw_s(inst);        break;
543 1
          case ID_INS_PCMPEQB:        this->pcmpeqb_s(inst);      break;
544 1
          case ID_INS_PCMPEQD:        this->pcmpeqd_s(inst);      break;
545 1
          case ID_INS_PCMPEQW:        this->pcmpeqw_s(inst);      break;
546 1
          case ID_INS_PCMPGTB:        this->pcmpgtb_s(inst);      break;
547 1
          case ID_INS_PCMPGTD:        this->pcmpgtd_s(inst);      break;
548 1
          case ID_INS_PCMPGTW:        this->pcmpgtw_s(inst);      break;
549 1
          case ID_INS_PEXTRB:         this->pextrb_s(inst);       break;
550 1
          case ID_INS_PEXTRD:         this->pextrd_s(inst);       break;
551 1
          case ID_INS_PEXTRQ:         this->pextrq_s(inst);       break;
552 1
          case ID_INS_PEXTRW:         this->pextrw_s(inst);       break;
553 1
          case ID_INS_PINSRB:         this->pinsrb_s(inst);       break;
554 1
          case ID_INS_PINSRD:         this->pinsrd_s(inst);       break;
555 1
          case ID_INS_PINSRQ:         this->pinsrq_s(inst);       break;
556 1
          case ID_INS_PINSRW:         this->pinsrw_s(inst);       break;
557 1
          case ID_INS_PMAXSB:         this->pmaxsb_s(inst);       break;
558 1
          case ID_INS_PMAXSD:         this->pmaxsd_s(inst);       break;
559 1
          case ID_INS_PMAXSW:         this->pmaxsw_s(inst);       break;
560 1
          case ID_INS_PMAXUB:         this->pmaxub_s(inst);       break;
561 1
          case ID_INS_PMAXUD:         this->pmaxud_s(inst);       break;
562 1
          case ID_INS_PMAXUW:         this->pmaxuw_s(inst);       break;
563 1
          case ID_INS_PMINSB:         this->pminsb_s(inst);       break;
564 1
          case ID_INS_PMINSD:         this->pminsd_s(inst);       break;
565 1
          case ID_INS_PMINSW:         this->pminsw_s(inst);       break;
566 1
          case ID_INS_PMINUB:         this->pminub_s(inst);       break;
567 1
          case ID_INS_PMINUD:         this->pminud_s(inst);       break;
568 1
          case ID_INS_PMINUW:         this->pminuw_s(inst);       break;
569 1
          case ID_INS_PMOVMSKB:       this->pmovmskb_s(inst);     break;
570 1
          case ID_INS_PMOVSXBD:       this->pmovsxbd_s(inst);     break;
571 1
          case ID_INS_PMOVSXBQ:       this->pmovsxbq_s(inst);     break;
572 1
          case ID_INS_PMOVSXBW:       this->pmovsxbw_s(inst);     break;
573 1
          case ID_INS_PMOVSXDQ:       this->pmovsxdq_s(inst);     break;
574 1
          case ID_INS_PMOVSXWD:       this->pmovsxwd_s(inst);     break;
575 1
          case ID_INS_PMOVSXWQ:       this->pmovsxwq_s(inst);     break;
576 1
          case ID_INS_PMOVZXBD:       this->pmovzxbd_s(inst);     break;
577 1
          case ID_INS_PMOVZXBQ:       this->pmovzxbq_s(inst);     break;
578 1
          case ID_INS_PMOVZXBW:       this->pmovzxbw_s(inst);     break;
579 1
          case ID_INS_PMOVZXDQ:       this->pmovzxdq_s(inst);     break;
580 1
          case ID_INS_PMOVZXWD:       this->pmovzxwd_s(inst);     break;
581 1
          case ID_INS_PMOVZXWQ:       this->pmovzxwq_s(inst);     break;
582 1
          case ID_INS_POP:            this->pop_s(inst);          break;
583 1
          case ID_INS_POPAL:          this->popal_s(inst);        break;
584 1
          case ID_INS_POPF:           this->popf_s(inst);         break;
585 1
          case ID_INS_POPFD:          this->popfd_s(inst);        break;
586 1
          case ID_INS_POPFQ:          this->popfq_s(inst);        break;
587 1
          case ID_INS_POR:            this->por_s(inst);          break;
588 0
          case ID_INS_PREFETCH:       this->prefetchx_s(inst);    break;
589 1
          case ID_INS_PREFETCHNTA:    this->prefetchx_s(inst);    break;
590 1
          case ID_INS_PREFETCHT0:     this->prefetchx_s(inst);    break;
591 1
          case ID_INS_PREFETCHT1:     this->prefetchx_s(inst);    break;
592 1
          case ID_INS_PREFETCHT2:     this->prefetchx_s(inst);    break;
593 1
          case ID_INS_PREFETCHW:      this->prefetchx_s(inst);    break;
594 1
          case ID_INS_PSHUFD:         this->pshufd_s(inst);       break;
595 1
          case ID_INS_PSHUFHW:        this->pshufhw_s(inst);      break;
596 1
          case ID_INS_PSHUFLW:        this->pshuflw_s(inst);      break;
597 1
          case ID_INS_PSHUFW:         this->pshufw_s(inst);       break;
598 0
          case ID_INS_PSLLD:          this->pslld_s(inst);        break;
599 1
          case ID_INS_PSLLDQ:         this->pslldq_s(inst);       break;
600 0
          case ID_INS_PSLLQ:          this->psllq_s(inst);        break;
601 0
          case ID_INS_PSLLW:          this->psllw_s(inst);        break;
602 1
          case ID_INS_PSRLDQ:         this->psrldq_s(inst);       break;
603 1
          case ID_INS_PSUBB:          this->psubb_s(inst);        break;
604 1
          case ID_INS_PSUBD:          this->psubd_s(inst);        break;
605 1
          case ID_INS_PSUBQ:          this->psubq_s(inst);        break;
606 1
          case ID_INS_PSUBW:          this->psubw_s(inst);        break;
607 1
          case ID_INS_PTEST:          this->ptest_s(inst);        break;
608 1
          case ID_INS_PUNPCKHBW:      this->punpckhbw_s(inst);    break;
609 1
          case ID_INS_PUNPCKHDQ:      this->punpckhdq_s(inst);    break;
610 1
          case ID_INS_PUNPCKHQDQ:     this->punpckhqdq_s(inst);   break;
611 1
          case ID_INS_PUNPCKHWD:      this->punpckhwd_s(inst);    break;
612 1
          case ID_INS_PUNPCKLBW:      this->punpcklbw_s(inst);    break;
613 1
          case ID_INS_PUNPCKLDQ:      this->punpckldq_s(inst);    break;
614 1
          case ID_INS_PUNPCKLQDQ:     this->punpcklqdq_s(inst);   break;
615 1
          case ID_INS_PUNPCKLWD:      this->punpcklwd_s(inst);    break;
616 1
          case ID_INS_PUSH:           this->push_s(inst);         break;
617 1
          case ID_INS_PUSHAL:         this->pushal_s(inst);       break;
618 1
          case ID_INS_PUSHFD:         this->pushfd_s(inst);       break;
619 1
          case ID_INS_PUSHFQ:         this->pushfq_s(inst);       break;
620 1
          case ID_INS_PXOR:           this->pxor_s(inst);         break;
621 1
          case ID_INS_RCL:            this->rcl_s(inst);          break;
622 1
          case ID_INS_RCR:            this->rcr_s(inst);          break;
623 1
          case ID_INS_RDTSC:          this->rdtsc_s(inst);        break;
624 1
          case ID_INS_RET:            this->ret_s(inst);          break;
625 1
          case ID_INS_ROL:            this->rol_s(inst);          break;
626 1
          case ID_INS_ROR:            this->ror_s(inst);          break;
627 1
          case ID_INS_RORX:           this->rorx_s(inst);         break;
628 1
          case ID_INS_SAHF:           this->sahf_s(inst);         break;
629 0
          case ID_INS_SAL:            this->shl_s(inst);          break;
630 1
          case ID_INS_SAR:            this->sar_s(inst);          break;
631 1
          case ID_INS_SARX:           this->sarx_s(inst);         break;
632 1
          case ID_INS_SBB:            this->sbb_s(inst);          break;
633 1
          case ID_INS_SCASB:          this->scasb_s(inst);        break;
634 1
          case ID_INS_SCASD:          this->scasd_s(inst);        break;
635 1
          case ID_INS_SCASQ:          this->scasq_s(inst);        break;
636 1
          case ID_INS_SCASW:          this->scasw_s(inst);        break;
637 1
          case ID_INS_SETA:           this->seta_s(inst);         break;
638 1
          case ID_INS_SETAE:          this->setae_s(inst);        break;
639 1
          case ID_INS_SETB:           this->setb_s(inst);         break;
640 1
          case ID_INS_SETBE:          this->setbe_s(inst);        break;
641 1
          case ID_INS_SETE:           this->sete_s(inst);         break;
642 1
          case ID_INS_SETG:           this->setg_s(inst);         break;
643 1
          case ID_INS_SETGE:          this->setge_s(inst);        break;
644 1
          case ID_INS_SETL:           this->setl_s(inst);         break;
645 1
          case ID_INS_SETLE:          this->setle_s(inst);        break;
646 1
          case ID_INS_SETNE:          this->setne_s(inst);        break;
647 1
          case ID_INS_SETNO:          this->setno_s(inst);        break;
648 1
          case ID_INS_SETNP:          this->setnp_s(inst);        break;
649 1
          case ID_INS_SETNS:          this->setns_s(inst);        break;
650 1
          case ID_INS_SETO:           this->seto_s(inst);         break;
651 1
          case ID_INS_SETP:           this->setp_s(inst);         break;
652 1
          case ID_INS_SETS:           this->sets_s(inst);         break;
653 1
          case ID_INS_SFENCE:         this->sfence_s(inst);       break;
654 1
          case ID_INS_SHL:            this->shl_s(inst);          break;
655 1
          case ID_INS_SHLD:           this->shld_s(inst);         break;
656 1
          case ID_INS_SHLX:           this->shlx_s(inst);         break;
657 1
          case ID_INS_SHR:            this->shr_s(inst);          break;
658 1
          case ID_INS_SHRD:           this->shrd_s(inst);         break;
659 1
          case ID_INS_SHRX:           this->shrx_s(inst);         break;
660 1
          case ID_INS_STC:            this->stc_s(inst);          break;
661 1
          case ID_INS_STD:            this->std_s(inst);          break;
662 1
          case ID_INS_STI:            this->sti_s(inst);          break;
663 1
          case ID_INS_STMXCSR:        this->stmxcsr_s(inst);      break;
664 1
          case ID_INS_STOSB:          this->stosb_s(inst);        break;
665 1
          case ID_INS_STOSD:          this->stosd_s(inst);        break;
666 1
          case ID_INS_STOSQ:          this->stosq_s(inst);        break;
667 1
          case ID_INS_STOSW:          this->stosw_s(inst);        break;
668 1
          case ID_INS_SUB:            this->sub_s(inst);          break;
669 0
          case ID_INS_SYSCALL:        this->syscall_s(inst);      break;
670 0
          case ID_INS_SYSENTER:       this->sysenter_s(inst);     break;
671 1
          case ID_INS_TEST:           this->test_s(inst);         break;
672 1
          case ID_INS_TZCNT:          this->tzcnt_s(inst);        break;
673 1
          case ID_INS_UNPCKHPD:       this->unpckhpd_s(inst);     break;
674 1
          case ID_INS_UNPCKHPS:       this->unpckhps_s(inst);     break;
675 1
          case ID_INS_UNPCKLPD:       this->unpcklpd_s(inst);     break;
676 1
          case ID_INS_UNPCKLPS:       this->unpcklps_s(inst);     break;
677 0
          case ID_INS_VMOVD:          this->vmovd_s(inst);        break;
678 1
          case ID_INS_VMOVDQA:        this->vmovdqa_s(inst);      break;
679 1
          case ID_INS_VMOVDQU:        this->vmovdqu_s(inst);      break;
680 0
          case ID_INS_VMOVQ:          this->vmovq_s(inst);        break;
681 1
          case ID_INS_VPAND:          this->vpand_s(inst);        break;
682 1
          case ID_INS_VPANDN:         this->vpandn_s(inst);       break;
683 1
          case ID_INS_VPEXTRB:        this->vpextrb_s(inst);      break;
684 1
          case ID_INS_VPEXTRD:        this->vpextrd_s(inst);      break;
685 1
          case ID_INS_VPEXTRQ:        this->vpextrq_s(inst);      break;
686 1
          case ID_INS_VPEXTRW:        this->vpextrw_s(inst);      break;
687 0
          case ID_INS_VPBROADCASTB:   this->vpbroadcastb_s(inst); break;
688 0
          case ID_INS_VPCMPEQB:       this->vpcmpeqb_s(inst);     break;
689 0
          case ID_INS_VPCMPEQD:       this->vpcmpeqd_s(inst);     break;
690 0
          case ID_INS_VPCMPEQQ:       this->vpcmpeqq_s(inst);     break;
691 0
          case ID_INS_VPCMPEQW:       this->vpcmpeqw_s(inst);     break;
692 0
          case ID_INS_VPMOVMSKB:      this->vpmovmskb_s(inst);    break;
693 0
          case ID_INS_VPMINUB:        this->vpminub_s(inst);      break;
694 1
          case ID_INS_VPOR:           this->vpor_s(inst);         break;
695 1
          case ID_INS_VPSHUFD:        this->vpshufd_s(inst);      break;
696 1
          case ID_INS_VPTEST:         this->vptest_s(inst);       break;
697 1
          case ID_INS_VPXOR:          this->vpxor_s(inst);        break;
698 1
          case ID_INS_WAIT:           this->wait_s(inst);         break;
699 1
          case ID_INS_WBINVD:         this->wbinvd_s(inst);       break;
700 1
          case ID_INS_XADD:           this->xadd_s(inst);         break;
701 1
          case ID_INS_XCHG:           this->xchg_s(inst);         break;
702 1
          case ID_INS_XOR:            this->xor_s(inst);          break;
703 1
          case ID_INS_XORPD:          this->xorpd_s(inst);        break;
704 1
          case ID_INS_XORPS:          this->xorps_s(inst);        break;
705
          default:
706
            return false;
707
        }
708
        return true;
709
      }
710

711

712 1
      triton::uint64 x86Semantics::alignAddStack_s(triton::arch::Instruction& inst, triton::uint32 delta) {
713 1
        auto dst = triton::arch::OperandWrapper(this->architecture->getStackPointer());
714

715
        /* Create symbolic operands */
716 1
        auto op1 = this->symbolicEngine->getOperandAst(inst, dst);
717 1
        auto op2 = this->astCtxt->bv(delta, dst.getBitSize());
718

719
        /* Create the semantics */
720 1
        auto node = this->astCtxt->bvadd(op1, op2);
721

722
        /* Create symbolic expression */
723 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "Stack alignment");
724

725
        /* Spread taint */
726 1
        expr->isTainted = this->taintEngine->taintUnion(dst, dst);
727

728
        /* Return the new stack value */
729 1
        return node->evaluate().convert_to<triton::uint64>();
730
      }
731

732

733 1
      triton::uint64 x86Semantics::alignSubStack_s(triton::arch::Instruction& inst, triton::uint32 delta) {
734 1
        auto dst = triton::arch::OperandWrapper(this->architecture->getStackPointer());
735

736
        /* Create symbolic operands */
737 1
        auto op1 = this->symbolicEngine->getOperandAst(inst, dst);
738 1
        auto op2 = this->astCtxt->bv(delta, dst.getBitSize());
739

740
        /* Create the semantics */
741 1
        auto node = this->astCtxt->bvsub(op1, op2);
742

743
        /* Create symbolic expression */
744 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "Stack alignment");
745

746
        /* Spread taint */
747 1
        expr->isTainted = this->taintEngine->taintUnion(dst, dst);
748

749
        /* Return the new stack value */
750 1
        return node->evaluate().convert_to<triton::uint64>();
751
      }
752

753

754 1
      void x86Semantics::clearFlag_s(triton::arch::Instruction& inst, const triton::arch::Register& flag, std::string comment) {
755
        /* Create the semantics */
756 1
        auto node = this->astCtxt->bv(0, 1);
757

758
        /* Create symbolic expression */
759 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, flag, comment);
760

761
        /* Spread taint */
762 1
        expr->isTainted = this->taintEngine->setTaintRegister(flag, triton::engines::taint::UNTAINTED);
763
      }
764

765

766 1
      void x86Semantics::setFlag_s(triton::arch::Instruction& inst, const triton::arch::Register& flag, std::string comment) {
767
        /* Create the semantics */
768 1
        auto node = this->astCtxt->bv(1, 1);
769

770
        /* Create symbolic expression */
771 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, flag, comment);
772

773
        /* Spread taint */
774 1
        expr->isTainted = this->taintEngine->setTaintRegister(flag, triton::engines::taint::UNTAINTED);
775
      }
776

777

778 1
      void x86Semantics::undefined_s(triton::arch::Instruction& inst, const triton::arch::Register& reg) {
779 1
        if (this->modes->isModeEnabled(triton::modes::CONCRETIZE_UNDEFINED_REGISTERS)) {
780 1
          this->symbolicEngine->concretizeRegister(reg);
781
        }
782
        /* Tell that the instruction defines a register as undefined and untaint */
783 1
        inst.setUndefinedRegister(reg);
784 1
        this->taintEngine->setTaintRegister(reg, triton::engines::taint::UNTAINTED);
785
      }
786

787

788 1
      void x86Semantics::controlFlow_s(triton::arch::Instruction& inst) {
789 1
        auto pc      = triton::arch::OperandWrapper(this->architecture->getProgramCounter());
790 1
        auto counter = triton::arch::OperandWrapper(this->architecture->getParentRegister(ID_REG_X86_CX));
791 1
        auto zf      = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_ZF));
792

793 1
        switch (inst.getPrefix()) {
794

795
          case triton::arch::x86::ID_PREFIX_REP: {
796
            /* Create symbolic operands */
797 1
            auto op1 = this->symbolicEngine->getOperandAst(inst, counter);
798

799
            /* Create the semantics for Counter */
800
            auto node1 = this->astCtxt->ite(
801 1
                           this->astCtxt->equal(op1, this->astCtxt->bv(0, counter.getBitSize())),
802
                           op1,
803 1
                           this->astCtxt->bvsub(op1, this->astCtxt->bv(1, counter.getBitSize()))
804 1
                         );
805

806
            /* Create the semantics for PC */
807
            auto node2 = this->astCtxt->ite(
808 1
                           this->astCtxt->equal(node1, this->astCtxt->bv(0, counter.getBitSize())),
809 1
                           this->astCtxt->bv(inst.getNextAddress(), pc.getBitSize()),
810 1
                           this->astCtxt->bv(inst.getAddress(), pc.getBitSize())
811 1
                         );
812

813
            /* Create symbolic expression */
814 1
            auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, counter, "Counter operation");
815 1
            auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, pc, "Program Counter");
816

817
            /* Spread taint for PC */
818 1
            expr1->isTainted = this->taintEngine->taintUnion(counter, counter);
819 1
            expr2->isTainted = this->taintEngine->taintAssignment(pc, counter);
820
            break;
821
          }
822

823
          case triton::arch::x86::ID_PREFIX_REPE: {
824
            /* Create symbolic operands */
825 1
            auto op1 = this->symbolicEngine->getOperandAst(inst, counter);
826 1
            auto op2 = this->symbolicEngine->getOperandAst(inst, zf);
827

828
            /* Create the semantics for Counter */
829
            auto node1 = this->astCtxt->ite(
830 1
                           this->astCtxt->equal(op1, this->astCtxt->bv(0, counter.getBitSize())),
831
                           op1,
832 1
                           this->astCtxt->bvsub(op1, this->astCtxt->bv(1, counter.getBitSize()))
833 1
                         );
834

835
            /* Create the semantics for PC */
836
            auto node2 = this->astCtxt->ite(
837 1
                           this->astCtxt->lor(
838 1
                             this->astCtxt->equal(node1, this->astCtxt->bv(0, counter.getBitSize())),
839 1
                             this->astCtxt->equal(op2, this->astCtxt->bvfalse())
840
                           ),
841 1
                           this->astCtxt->bv(inst.getNextAddress(), pc.getBitSize()),
842 1
                           this->astCtxt->bv(inst.getAddress(), pc.getBitSize())
843 1
                         );
844

845
            /* Create symbolic expression */
846 1
            auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, counter, "Counter operation");
847 1
            auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, pc, "Program Counter");
848

849
            /* Spread taint */
850 1
            expr1->isTainted = this->taintEngine->taintUnion(counter, counter);
851 1
            expr2->isTainted = this->taintEngine->taintAssignment(pc, counter);
852
            break;
853
          }
854

855
          case triton::arch::x86::ID_PREFIX_REPNE: {
856
            /* Create symbolic operands */
857 1
            auto op1 = this->symbolicEngine->getOperandAst(inst, counter);
858 1
            auto op2 = this->symbolicEngine->getOperandAst(inst, zf);
859

860
            /* Create the semantics for Counter */
861
            auto node1 = this->astCtxt->ite(
862 1
                           this->astCtxt->equal(op1, this->astCtxt->bv(0, counter.getBitSize())),
863
                           op1,
864 1
                           this->astCtxt->bvsub(op1, this->astCtxt->bv(1, counter.getBitSize()))
865 1
                         );
866

867
            /* Create the semantics for PC */
868
            auto node2 = this->astCtxt->ite(
869 1
                           this->astCtxt->lor(
870 1
                             this->astCtxt->equal(node1, this->astCtxt->bv(0, counter.getBitSize())),
871 1
                             this->astCtxt->equal(op2, this->astCtxt->bvtrue())
872
                           ),
873 1
                           this->astCtxt->bv(inst.getNextAddress(), pc.getBitSize()),
874 1
                           this->astCtxt->bv(inst.getAddress(), pc.getBitSize())
875 1
                         );
876

877
            /* Create symbolic expression */
878 1
            auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, counter, "Counter operation");
879 1
            auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, pc, "Program Counter");
880

881
            /* Spread taint */
882 1
            expr1->isTainted = this->taintEngine->taintUnion(counter, counter);
883 1
            expr2->isTainted = this->taintEngine->taintAssignment(pc, counter);
884
            break;
885
          }
886

887
          default: {
888
            /* Create the semantics */
889 1
            auto node = this->astCtxt->bv(inst.getNextAddress(), pc.getBitSize());
890

891
            /* Create symbolic expression */
892 1
            auto expr = this->symbolicEngine->createSymbolicRegisterExpression(inst, node, this->architecture->getProgramCounter(), "Program Counter");
893

894
            /* Spread taint */
895 1
            expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getProgramCounter(), triton::engines::taint::UNTAINTED);
896
            break;
897
          }
898
        }
899
      }
900

901

902 1
      void x86Semantics::af_s(triton::arch::Instruction& inst,
903
                              const triton::engines::symbolic::SharedSymbolicExpression& parent,
904
                              triton::arch::OperandWrapper& dst,
905
                              const triton::ast::SharedAbstractNode& op1,
906
                              const triton::ast::SharedAbstractNode& op2,
907
                              bool vol) {
908

909 1
        auto bvSize = dst.getBitSize();
910 1
        auto low    = vol ? 0 : dst.getLow();
911 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
912

913
        /*
914
         * Create the semantic.
915
         * af = 0x10 == (0x10 & (regDst ^ op1 ^ op2))
916
         */
917
        auto node = this->astCtxt->ite(
918 1
                      this->astCtxt->equal(
919 1
                        this->astCtxt->bv(0x10, bvSize),
920 1
                        this->astCtxt->bvand(
921 1
                          this->astCtxt->bv(0x10, bvSize),
922 1
                          this->astCtxt->bvxor(
923 1
                            this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
924 1
                            this->astCtxt->bvxor(op1, op2)
925
                          )
926
                        )
927
                      ),
928 1
                      this->astCtxt->bv(1, 1),
929 1
                      this->astCtxt->bv(0, 1)
930 1
                    );
931

932
        /* Create the symbolic expression */
933 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_AF), "Adjust flag");
934

935
        /* Spread the taint from the parent to the child */
936 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_AF), parent->isTainted);
937
      }
938

939

940 1
      void x86Semantics::afAaa_s(triton::arch::Instruction& inst,
941
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
942
                                 triton::arch::OperandWrapper& dst,
943
                                 const triton::ast::SharedAbstractNode& op1,
944
                                 const triton::ast::SharedAbstractNode& op3,
945
                                 bool vol) {
946

947 1
        auto bvSize = dst.getBitSize();
948

949
        /*
950
         * Create the semantic.
951
         * af = 1 if ((AL AND 0FH) > 9) or (AF = 1) then 0
952
         */
953
        auto node = this->astCtxt->ite(
954 1
                      this->astCtxt->lor(
955 1
                        this->astCtxt->bvugt(
956 1
                          this->astCtxt->bvand(op1, this->astCtxt->bv(0xf, bvSize)),
957 1
                          this->astCtxt->bv(9, bvSize)
958
                        ),
959 1
                        this->astCtxt->equal(op3, this->astCtxt->bvtrue())
960
                      ),
961 1
                      this->astCtxt->bv(1, 1),
962 1
                      this->astCtxt->bv(0, 1)
963 1
                    );
964

965
        /* Create the symbolic expression */
966 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_AF), "Adjust flag");
967

968
        /* Spread the taint from the parent to the child */
969 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_AF), parent->isTainted);
970
      }
971

972

973 1
      void x86Semantics::afNeg_s(triton::arch::Instruction& inst,
974
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
975
                                 triton::arch::OperandWrapper& dst,
976
                                 const triton::ast::SharedAbstractNode& op1,
977
                                 bool vol) {
978

979 1
        auto bvSize = dst.getBitSize();
980 1
        auto low    = vol ? 0 : dst.getLow();
981 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
982

983
        /*
984
         * Create the semantic.
985
         * af = 0x10 == (0x10 & (op1 ^ regDst))
986
         */
987
        auto node = this->astCtxt->ite(
988 1
                      this->astCtxt->equal(
989 1
                        this->astCtxt->bv(0x10, bvSize),
990 1
                        this->astCtxt->bvand(
991 1
                          this->astCtxt->bv(0x10, bvSize),
992 1
                          this->astCtxt->bvxor(
993
                            op1,
994 1
                            this->astCtxt->extract(high, low, this->astCtxt->reference(parent))
995
                          )
996
                        )
997
                      ),
998 1
                      this->astCtxt->bv(1, 1),
999 1
                      this->astCtxt->bv(0, 1)
1000 1
                    );
1001

1002
        /* Create the symbolic expression */
1003 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_AF), "Adjust flag");
1004

1005
        /* Spread the taint from the parent to the child */
1006 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_AF), parent->isTainted);
1007
      }
1008

1009

1010 1
      void x86Semantics::cfAaa_s(triton::arch::Instruction& inst,
1011
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1012
                                 triton::arch::OperandWrapper& dst,
1013
                                 const triton::ast::SharedAbstractNode& op1,
1014
                                 const triton::ast::SharedAbstractNode& op3,
1015
                                 bool vol) {
1016

1017 1
        auto bvSize = dst.getBitSize();
1018

1019
        /*
1020
         * Create the semantic.
1021
         * cf = 1 if ((AL AND 0FH) > 9) or (AF = 1) then 0
1022
         */
1023
        auto node = this->astCtxt->ite(
1024 1
                      this->astCtxt->lor(
1025 1
                        this->astCtxt->bvugt(
1026 1
                          this->astCtxt->bvand(op1, this->astCtxt->bv(0xf, bvSize)),
1027 1
                          this->astCtxt->bv(9, bvSize)
1028
                        ),
1029 1
                        this->astCtxt->equal(op3, this->astCtxt->bvtrue())
1030
                      ),
1031 1
                      this->astCtxt->bv(1, 1),
1032 1
                      this->astCtxt->bv(0, 1)
1033 1
                    );
1034

1035
        /* Create the symbolic expression */
1036 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1037

1038
        /* Spread the taint from the parent to the child */
1039 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1040
      }
1041

1042

1043 1
      void x86Semantics::cfAdd_s(triton::arch::Instruction& inst,
1044
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1045
                                 triton::arch::OperandWrapper& dst,
1046
                                 const triton::ast::SharedAbstractNode& op1,
1047
                                 const triton::ast::SharedAbstractNode& op2,
1048
                                 bool vol) {
1049

1050 1
        auto bvSize = dst.getBitSize();
1051 1
        auto low    = vol ? 0 : dst.getLow();
1052 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
1053

1054
        /*
1055
         * Create the semantic.
1056
         * cf = MSB((op1 & op2) ^ ((op1 ^ op2 ^ parent) & (op1 ^ op2)));
1057
         */
1058
        auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
1059 1
                      this->astCtxt->bvxor(
1060 1
                        this->astCtxt->bvand(op1, op2),
1061 1
                        this->astCtxt->bvand(
1062 1
                          this->astCtxt->bvxor(
1063 1
                            this->astCtxt->bvxor(op1, op2),
1064 1
                            this->astCtxt->extract(high, low, this->astCtxt->reference(parent))
1065
                          ),
1066 1
                        this->astCtxt->bvxor(op1, op2))
1067
                      )
1068 1
                    );
1069

1070
        /* Create the symbolic expression */
1071 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1072

1073
        /* Spread the taint from the parent to the child */
1074 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1075
      }
1076

1077

1078 1
      void x86Semantics::cfBlsi_s(triton::arch::Instruction& inst,
1079
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
1080
                                  triton::arch::OperandWrapper& dst,
1081
                                  const triton::ast::SharedAbstractNode& op1,
1082
                                  bool vol) {
1083

1084
        /*
1085
         * Create the semantic.
1086
         * cf = 0 if op1 == 0 else 1
1087
         */
1088
        auto node = this->astCtxt->ite(
1089 1
                      this->astCtxt->equal(
1090
                        op1,
1091 1
                        this->astCtxt->bv(0, dst.getBitSize())
1092
                      ),
1093 1
                      this->astCtxt->bv(0, 1),
1094 1
                      this->astCtxt->bv(1, 1)
1095 1
                    );
1096

1097
        /* Create the symbolic expression */
1098 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1099

1100
        /* Spread the taint from the parent to the child */
1101 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1102
      }
1103

1104

1105 1
      void x86Semantics::cfBlsmsk_s(triton::arch::Instruction& inst,
1106
                                    const triton::engines::symbolic::SharedSymbolicExpression& parent,
1107
                                    triton::arch::OperandWrapper& dst,
1108
                                    const triton::ast::SharedAbstractNode& op1,
1109
                                    bool vol) {
1110

1111
        /*
1112
         * Create the semantic.
1113
         * cf = 1 if op1 == 0 else 0
1114
         */
1115
        auto node = this->astCtxt->ite(
1116 1
                      this->astCtxt->equal(
1117
                        op1,
1118 1
                        this->astCtxt->bv(0, dst.getBitSize())
1119
                      ),
1120 1
                      this->astCtxt->bv(1, 1),
1121 1
                      this->astCtxt->bv(0, 1)
1122 1
                    );
1123

1124
        /* Create the symbolic expression */
1125 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1126

1127
        /* Spread the taint from the parent to the child */
1128 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1129
      }
1130

1131

1132 1
      void x86Semantics::cfBlsr_s(triton::arch::Instruction& inst,
1133
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
1134
                                  triton::arch::OperandWrapper& dst,
1135
                                  const triton::ast::SharedAbstractNode& op1,
1136
                                  bool vol) {
1137

1138
        /*
1139
         * Create the semantic.
1140
         * cf = 1 if op1 == 0 else 0
1141
         */
1142
        auto node = this->astCtxt->ite(
1143 1
                      this->astCtxt->equal(
1144
                        op1,
1145 1
                        this->astCtxt->bv(0, dst.getBitSize())
1146
                      ),
1147 1
                      this->astCtxt->bv(1, 1),
1148 1
                      this->astCtxt->bv(0, 1)
1149 1
                    );
1150

1151
        /* Create the symbolic expression */
1152 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1153

1154
        /* Spread the taint from the parent to the child */
1155 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1156
      }
1157

1158

1159 1
      void x86Semantics::cfImul_s(triton::arch::Instruction& inst,
1160
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
1161
                                  triton::arch::OperandWrapper& dst,
1162
                                  const triton::ast::SharedAbstractNode& op1,
1163
                                  const triton::ast::SharedAbstractNode& res,
1164
                                  bool vol) {
1165

1166
        /*
1167
         * Create the semantic.
1168
         * cf = 0 if sx(dst) == node else 1
1169
         */
1170
        auto node = this->astCtxt->ite(
1171 1
                      this->astCtxt->equal(
1172 1
                        this->astCtxt->sx(dst.getBitSize(), op1),
1173
                        res
1174
                      ),
1175 1
                      this->astCtxt->bv(0, 1),
1176 1
                      this->astCtxt->bv(1, 1)
1177 1
                    );
1178

1179
        /* Create the symbolic expression */
1180 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1181

1182
        /* Spread the taint from the parent to the child */
1183 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1184
      }
1185

1186

1187 1
      void x86Semantics::cfLzcnt_s(triton::arch::Instruction& inst,
1188
                                   const triton::engines::symbolic::SharedSymbolicExpression& parent,
1189
                                   triton::arch::OperandWrapper& src,
1190
                                   const triton::ast::SharedAbstractNode& op1,
1191
                                   bool vol) {
1192

1193 1
        auto bvSize = src.getBitSize();
1194 1
        auto low    = vol ? 0 : src.getLow();
1195 1
        auto high   = vol ? bvSize-1 : src.getHigh();
1196

1197
        /*
1198
         * Create the semantic.
1199
         * cf = 0 == parent
1200
         */
1201
        auto node = this->astCtxt->ite(
1202 1
                      this->astCtxt->equal(
1203 1
                        this->astCtxt->extract(high, low, op1),
1204 1
                        this->astCtxt->bv(0, bvSize)
1205
                      ),
1206 1
                      this->astCtxt->bv(1, 1),
1207 1
                      this->astCtxt->bv(0, 1)
1208 1
                    );
1209

1210
        /* Create the symbolic expression */
1211 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1212

1213
        /* Spread the taint from the parent to the child */
1214 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1215
      }
1216

1217

1218 1
      void x86Semantics::cfMul_s(triton::arch::Instruction& inst,
1219
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1220
                                 triton::arch::OperandWrapper& dst,
1221
                                 const triton::ast::SharedAbstractNode& op1,
1222
                                 bool vol) {
1223

1224
        /*
1225
         * Create the semantic.
1226
         * cf = 0 if op1 == 0 else 1
1227
         */
1228
        auto node = this->astCtxt->ite(
1229 1
                      this->astCtxt->equal(
1230
                        op1,
1231 1
                        this->astCtxt->bv(0, dst.getBitSize())
1232
                      ),
1233 1
                      this->astCtxt->bv(0, 1),
1234 1
                      this->astCtxt->bv(1, 1)
1235 1
                    );
1236

1237
        /* Create the symbolic expression */
1238 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1239

1240
        /* Spread the taint from the parent to the child */
1241 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1242
      }
1243

1244

1245 1
      void x86Semantics::cfNeg_s(triton::arch::Instruction& inst,
1246
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1247
                                 triton::arch::OperandWrapper& dst,
1248
                                 const triton::ast::SharedAbstractNode& op1,
1249
                                 bool vol) {
1250

1251
        /*
1252
         * Create the semantic.
1253
         * cf = 0 if op1 == 0 else 1
1254
         */
1255
        auto node = this->astCtxt->ite(
1256 1
                      this->astCtxt->equal(
1257
                        op1,
1258 1
                        this->astCtxt->bv(0, dst.getBitSize())
1259
                      ),
1260 1
                      this->astCtxt->bv(0, 1),
1261 1
                      this->astCtxt->bv(1, 1)
1262 1
                    );
1263

1264
        /* Create the symbolic expression */
1265 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1266

1267
        /* Spread the taint from the parent to the child */
1268 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1269
      }
1270

1271

1272 1
      void x86Semantics::cfPtest_s(triton::arch::Instruction& inst,
1273
                                   const triton::engines::symbolic::SharedSymbolicExpression& parent,
1274
                                   triton::arch::OperandWrapper& dst,
1275
                                   bool vol) {
1276

1277 1
        auto bvSize = dst.getBitSize();
1278 1
        auto low    = vol ? 0 : dst.getLow();
1279 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
1280

1281
        /*
1282
         * Create the semantic.
1283
         * cf = 0 == regDst
1284
         */
1285
        auto node = this->astCtxt->ite(
1286 1
                      this->astCtxt->equal(
1287 1
                        this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
1288 1
                        this->astCtxt->bv(0, bvSize)
1289
                      ),
1290 1
                      this->astCtxt->bv(1, 1),
1291 1
                      this->astCtxt->bv(0, 1)
1292 1
                    );
1293

1294
        /* Create the symbolic expression */
1295 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1296

1297
        /* Spread the taint from the parent to the child */
1298 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1299
      }
1300

1301

1302 1
      void x86Semantics::cfRcl_s(triton::arch::Instruction& inst,
1303
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1304
                                 const triton::ast::SharedAbstractNode& result,
1305
                                 const triton::ast::SharedAbstractNode& op2,
1306
                                 bool vol) {
1307

1308 1
        auto bvSize = op2->getBitvectorSize();
1309 1
        auto high   = result->getBitvectorSize() - 1;
1310 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1311

1312
        auto node = this->astCtxt->ite(
1313 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, bvSize)),
1314 1
                      this->symbolicEngine->getOperandAst(cf),
1315 1
                      this->astCtxt->extract(high, high, result)
1316 1
                    );
1317

1318
        /* Create the symbolic expression */
1319 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1320

1321 1
        if (op2->evaluate()) {
1322
          /* Spread the taint from the parent to the child */
1323 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1324
        }
1325
        else {
1326 1
          inst.removeWrittenRegister(cf.getConstRegister());
1327
        }
1328
      }
1329

1330

1331 1
      void x86Semantics::cfRcr_s(triton::arch::Instruction& inst,
1332
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1333
                                 triton::arch::OperandWrapper& dst,
1334
                                 const triton::ast::SharedAbstractNode& result,
1335
                                 const triton::ast::SharedAbstractNode& op2,
1336
                                 bool vol) {
1337

1338 1
        auto bvSize = op2->getBitvectorSize();
1339 1
        auto high   = result->getBitvectorSize() - 1;
1340 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1341

1342
        auto node = this->astCtxt->ite(
1343 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, bvSize)),
1344 1
                      this->symbolicEngine->getOperandAst(cf),
1345 1
                      this->astCtxt->extract(high, high, result) /* yes it's should be LSB, but here it's a trick :-) */
1346 1
                    );
1347

1348
        /* Create the symbolic expression */
1349 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1350

1351 1
        if (op2->evaluate()) {
1352
          /* Spread the taint from the parent to the child */
1353 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1354
        }
1355
        else {
1356 1
          inst.removeWrittenRegister(cf.getConstRegister());
1357
        }
1358
      }
1359

1360

1361 1
      void x86Semantics::cfRol_s(triton::arch::Instruction& inst,
1362
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1363
                                 triton::arch::OperandWrapper& dst,
1364
                                 const triton::ast::SharedAbstractNode& op2,
1365
                                 bool vol) {
1366

1367 1
        auto bvSize = op2->getBitvectorSize();
1368 1
        auto low    = vol ? 0 : dst.getLow();
1369 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1370

1371
        auto node = this->astCtxt->ite(
1372 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, bvSize)),
1373 1
                      this->symbolicEngine->getOperandAst(cf),
1374 1
                      this->astCtxt->extract(low, low, this->astCtxt->reference(parent))
1375 1
                    );
1376

1377
        /* Create the symbolic expression */
1378 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1379

1380 1
        if (op2->evaluate()) {
1381
          /* Spread the taint from the parent to the child */
1382 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1383
        }
1384
        else {
1385 1
          inst.removeWrittenRegister(cf.getConstRegister());
1386
        }
1387
      }
1388

1389

1390 1
      void x86Semantics::cfRor_s(triton::arch::Instruction& inst,
1391
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1392
                                 triton::arch::OperandWrapper& dst,
1393
                                 const triton::ast::SharedAbstractNode& op2,
1394
                                 bool vol) {
1395

1396 1
        auto bvSize = op2->getBitvectorSize();
1397 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
1398 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1399

1400
        auto node = this->astCtxt->ite(
1401 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, bvSize)),
1402 1
                      this->symbolicEngine->getOperandAst(cf),
1403 1
                      this->astCtxt->extract(high, high, this->astCtxt->reference(parent))
1404 1
                    );
1405

1406
        /* Create the symbolic expression */
1407 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1408

1409 1
        if (op2->evaluate()) {
1410
          /* Spread the taint from the parent to the child */
1411 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1412
        }
1413
        else {
1414 1
          inst.removeWrittenRegister(cf.getConstRegister());
1415
        }
1416
      }
1417

1418

1419 1
      void x86Semantics::cfSar_s(triton::arch::Instruction& inst,
1420
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1421
                                 triton::arch::OperandWrapper& dst,
1422
                                 const triton::ast::SharedAbstractNode& op1,
1423
                                 const triton::ast::SharedAbstractNode& op2,
1424
                                 bool vol) {
1425

1426 1
        auto bvSize = dst.getBitSize();
1427 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1428

1429
        /*
1430
         * Create the semantic.
1431
         * if op2 != 0:
1432
         *   if op2 > bvSize:
1433
         *     cf.id = ((op1 >> (bvSize - 1)) & 1)
1434
         *   else:
1435
         *     cf.id = ((op1 >> (op2 - 1)) & 1)
1436
         */
1437
        auto node = this->astCtxt->ite(
1438 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, bvSize)),
1439 1
                      this->symbolicEngine->getOperandAst(cf),
1440 1
                      this->astCtxt->ite(
1441 1
                        this->astCtxt->bvugt(op2, this->astCtxt->bv(bvSize, bvSize)),
1442 1
                        this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, this->astCtxt->bvsub(this->astCtxt->bv(bvSize, bvSize), this->astCtxt->bv(1, bvSize)))),
1443 1
                        this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, this->astCtxt->bvsub(op2, this->astCtxt->bv(1, bvSize))))
1444
                      )
1445 1
                    );
1446

1447
        /* Create the symbolic expression */
1448 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1449

1450 1
        if (op2->evaluate()) {
1451
          /* Spread the taint from the parent to the child */
1452 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1453
        }
1454
        else {
1455 1
          inst.removeWrittenRegister(cf.getConstRegister());
1456
        }
1457
      }
1458

1459

1460 1
      void x86Semantics::cfShl_s(triton::arch::Instruction& inst,
1461
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1462
                                 triton::arch::OperandWrapper& dst,
1463
                                 const triton::ast::SharedAbstractNode& op1,
1464
                                 const triton::ast::SharedAbstractNode& op2,
1465
                                 bool vol) {
1466

1467 1
        auto bvSize = dst.getBitSize();
1468 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1469

1470
        /*
1471
         * Create the semantic.
1472
         * cf = (op1 >> ((bvSize - op2) & 1) if op2 != 0
1473
         */
1474
        auto node = this->astCtxt->ite(
1475 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, bvSize)),
1476 1
                      this->symbolicEngine->getOperandAst(cf),
1477 1
                      this->astCtxt->extract(0, 0,
1478 1
                        this->astCtxt->bvlshr(
1479
                          op1,
1480 1
                          this->astCtxt->bvsub(
1481 1
                            this->astCtxt->bv(bvSize, bvSize),
1482
                            op2
1483
                          )
1484
                        )
1485
                      )
1486 1
                    );
1487

1488
        /* Create the symbolic expression */
1489 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1490

1491 1
        if (op2->evaluate()) {
1492
          /* Spread the taint from the parent to the child */
1493 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1494
        }
1495
        else {
1496 1
          inst.removeWrittenRegister(cf.getConstRegister());
1497
        }
1498
      }
1499

1500

1501 1
      void x86Semantics::cfShld_s(triton::arch::Instruction& inst,
1502
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
1503
                                  triton::arch::OperandWrapper& dst,
1504
                                  const triton::ast::SharedAbstractNode& op1,
1505
                                  const triton::ast::SharedAbstractNode& op2,
1506
                                  const triton::ast::SharedAbstractNode& op3,
1507
                                  bool vol) {
1508

1509 1
        auto bv1Size = op1->getBitvectorSize();
1510 1
        auto bv2Size = op2->getBitvectorSize();
1511 1
        auto bv3Size = op3->getBitvectorSize();
1512 1
        auto cf      = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1513

1514
        /*
1515
         * Create the semantic.
1516
         * cf = MSB(rol(op3, concat(op2,op1))) if op3 != 0
1517
         */
1518
        auto node = this->astCtxt->ite(
1519 1
                      this->astCtxt->equal(op3, this->astCtxt->bv(0, bv3Size)),
1520 1
                      this->symbolicEngine->getOperandAst(cf),
1521 1
                      this->astCtxt->extract(
1522
                        dst.getBitSize(), dst.getBitSize(),
1523 1
                        this->astCtxt->bvrol(
1524 1
                          this->astCtxt->concat(op2, op1),
1525 1
                          this->astCtxt->zx(((bv1Size + bv2Size) - bv3Size), op3)
1526
                        )
1527
                      )
1528 1
                    );
1529

1530
        /* Create the symbolic expression */
1531 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1532

1533 1
        if (op3->evaluate()) {
1534
          /* Spread the taint from the parent to the child */
1535 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1536
        }
1537
        else {
1538 1
          inst.removeWrittenRegister(cf.getConstRegister());
1539
        }
1540
      }
1541

1542

1543 1
      void x86Semantics::cfShr_s(triton::arch::Instruction& inst,
1544
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1545
                                 triton::arch::OperandWrapper& dst,
1546
                                 const triton::ast::SharedAbstractNode& op1,
1547
                                 const triton::ast::SharedAbstractNode& op2,
1548
                                 bool vol) {
1549

1550 1
        auto bvSize = dst.getBitSize();
1551 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1552

1553
        /*
1554
         * Create the semantic.
1555
         * cf = ((op1 >> (op2 - 1)) & 1) if op2 != 0
1556
         */
1557
        auto node = this->astCtxt->ite(
1558 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, bvSize)),
1559 1
                      this->symbolicEngine->getOperandAst(cf),
1560 1
                      this->astCtxt->extract(0, 0,
1561 1
                        this->astCtxt->bvlshr(
1562
                          op1,
1563 1
                          this->astCtxt->bvsub(
1564
                            op2,
1565 1
                            this->astCtxt->bv(1, bvSize))
1566
                        )
1567
                      )
1568 1
                    );
1569

1570
        /* Create the symbolic expression */
1571 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1572

1573 1
        if (op2->evaluate()) {
1574
          /* Spread the taint from the parent to the child */
1575 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1576
        }
1577
        else {
1578 1
          inst.removeWrittenRegister(cf.getConstRegister());
1579
        }
1580
      }
1581

1582

1583 1
      void x86Semantics::cfShrd_s(triton::arch::Instruction& inst,
1584
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
1585
                                  triton::arch::OperandWrapper& dst,
1586
                                  const triton::ast::SharedAbstractNode& op1,
1587
                                  const triton::ast::SharedAbstractNode& op2,
1588
                                  const triton::ast::SharedAbstractNode& op3,
1589
                                  bool vol) {
1590

1591 1
        auto bvSize  = dst.getBitSize();
1592 1
        auto bv1Size = op1->getBitvectorSize();
1593 1
        auto bv2Size = op2->getBitvectorSize();
1594 1
        auto bv3Size = op3->getBitvectorSize();
1595 1
        auto cf      = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1596

1597
        /*
1598
         * Create the semantic.
1599
         * cf = MSB(ror(op3, concat(op2,op1))) if op3 != 0
1600
         */
1601
        auto node = this->astCtxt->ite(
1602 1
                      this->astCtxt->equal(op3, this->astCtxt->bv(0, bv3Size)),
1603 1
                      this->symbolicEngine->getOperandAst(cf),
1604 1
                      this->astCtxt->extract(
1605 1
                        (bvSize * 2) - 1, (bvSize * 2) - 1,
1606 1
                        this->astCtxt->bvror(
1607 1
                          this->astCtxt->concat(op2, op1),
1608 1
                          this->astCtxt->zx(((bv1Size + bv2Size) - bv3Size), op3)
1609
                        )
1610
                      )
1611 1
                    );
1612

1613
        /* Create the symbolic expression */
1614 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf.getConstRegister(), "Carry flag");
1615

1616 1
        if (op3->evaluate()) {
1617
          /* Spread the taint from the parent to the child */
1618 1
          expr->isTainted = this->taintEngine->setTaintRegister(cf.getConstRegister(), parent->isTainted);
1619
        }
1620
        else {
1621 1
          inst.removeWrittenRegister(cf.getConstRegister());
1622
        }
1623
      }
1624

1625

1626 1
      void x86Semantics::cfSub_s(triton::arch::Instruction& inst,
1627
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1628
                                 triton::arch::OperandWrapper& dst,
1629
                                 const triton::ast::SharedAbstractNode& op1,
1630
                                 const triton::ast::SharedAbstractNode& op2,
1631
                                 bool vol) {
1632

1633 1
        auto bvSize = dst.getBitSize();
1634 1
        auto low    = vol ? 0 : dst.getLow();
1635 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
1636

1637
        /*
1638
         * Create the semantic.
1639
         * cf = extract(bvSize, bvSize (((op1 ^ op2 ^ res) ^ ((op1 ^ res) & (op1 ^ op2)))))
1640
         */
1641
        auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
1642 1
                      this->astCtxt->bvxor(
1643 1
                        this->astCtxt->bvxor(op1, this->astCtxt->bvxor(op2, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))),
1644 1
                        this->astCtxt->bvand(
1645 1
                          this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent))),
1646 1
                          this->astCtxt->bvxor(op1, op2)
1647
                        )
1648
                      )
1649 1
                    );
1650

1651
        /* Create the symbolic expression */
1652 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1653

1654
        /* Spread the taint from the parent to the child */
1655 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1656
      }
1657

1658

1659 1
      void x86Semantics::cfTzcnt_s(triton::arch::Instruction& inst,
1660
                                   const triton::engines::symbolic::SharedSymbolicExpression& parent,
1661
                                   triton::arch::OperandWrapper& src,
1662
                                   const triton::ast::SharedAbstractNode& op1,
1663
                                   bool vol) {
1664

1665 1
        auto bvSize = src.getBitSize();
1666 1
        auto low    = vol ? 0 : src.getLow();
1667 1
        auto high   = vol ? bvSize-1 : src.getHigh();
1668

1669
        /*
1670
         * Create the semantic.
1671
         * cf = 0 == parent
1672
         */
1673
        auto node = this->astCtxt->ite(
1674 1
                      this->astCtxt->equal(
1675 1
                        this->astCtxt->extract(high, low, op1),
1676 1
                        this->astCtxt->bv(0, bvSize)
1677
                      ),
1678 1
                      this->astCtxt->bv(1, 1),
1679 1
                      this->astCtxt->bv(0, 1)
1680 1
                    );
1681

1682
        /* Create the symbolic expression */
1683 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_CF), "Carry flag");
1684

1685
        /* Spread the taint from the parent to the child */
1686 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_CF), parent->isTainted);
1687
      }
1688

1689

1690 1
      void x86Semantics::ofAdd_s(triton::arch::Instruction& inst,
1691
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1692
                                 triton::arch::OperandWrapper& dst,
1693
                                 const triton::ast::SharedAbstractNode& op1,
1694
                                 const triton::ast::SharedAbstractNode& op2,
1695
                                 bool vol) {
1696

1697 1
        auto bvSize = dst.getBitSize();
1698 1
        auto low    = vol ? 0 : dst.getLow();
1699 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
1700

1701
        /*
1702
         * Create the semantic.
1703
         * of = MSB((op1 ^ ~op2) & (op1 ^ regDst))
1704
         */
1705
        auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
1706 1
                      this->astCtxt->bvand(
1707 1
                        this->astCtxt->bvxor(op1, this->astCtxt->bvnot(op2)),
1708 1
                        this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))
1709
                      )
1710 1
                    );
1711

1712
        /* Create the symbolic expression */
1713 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_OF), "Overflow flag");
1714

1715
        /* Spread the taint from the parent to the child */
1716 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_OF), parent->isTainted);
1717
      }
1718

1719

1720 1
      void x86Semantics::ofImul_s(triton::arch::Instruction& inst,
1721
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
1722
                                  triton::arch::OperandWrapper& dst,
1723
                                  const triton::ast::SharedAbstractNode& op1,
1724
                                  const triton::ast::SharedAbstractNode& res,
1725
                                  bool vol) {
1726
        /*
1727
         * Create the semantic.
1728
         * of = 0 if sx(dst) == node else 1
1729
         */
1730
        auto node = this->astCtxt->ite(
1731 1
                      this->astCtxt->equal(
1732 1
                        this->astCtxt->sx(dst.getBitSize(), op1),
1733
                        res
1734
                      ),
1735 1
                      this->astCtxt->bv(0, 1),
1736 1
                      this->astCtxt->bv(1, 1)
1737 1
                    );
1738

1739
        /* Create the symbolic expression */
1740 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_OF), "Overflow flag");
1741

1742
        /* Spread the taint from the parent to the child */
1743 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_OF), parent->isTainted);
1744
      }
1745

1746

1747 1
      void x86Semantics::ofMul_s(triton::arch::Instruction& inst,
1748
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1749
                                 triton::arch::OperandWrapper& dst,
1750
                                 const triton::ast::SharedAbstractNode& op1,
1751
                                 bool vol) {
1752

1753
        /*
1754
         * Create the semantic.
1755
         * of = 0 if up == 0 else 1
1756
         */
1757
        auto node = this->astCtxt->ite(
1758 1
                      this->astCtxt->equal(
1759
                        op1,
1760 1
                        this->astCtxt->bv(0, dst.getBitSize())
1761
                      ),
1762 1
                      this->astCtxt->bv(0, 1),
1763 1
                      this->astCtxt->bv(1, 1)
1764 1
                    );
1765

1766
        /* Create the symbolic expression */
1767 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_OF), "Overflow flag");
1768

1769
        /* Spread the taint from the parent to the child */
1770 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_OF), parent->isTainted);
1771
      }
1772

1773

1774 1
      void x86Semantics::ofNeg_s(triton::arch::Instruction& inst,
1775
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1776
                                 triton::arch::OperandWrapper& dst,
1777
                                 const triton::ast::SharedAbstractNode& op1,
1778
                                 bool vol) {
1779

1780 1
        auto bvSize = dst.getBitSize();
1781 1
        auto low    = vol ? 0 : dst.getLow();
1782 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
1783

1784
        /*
1785
         * Create the semantic.
1786
         * of = (res & op1) >> (bvSize - 1) & 1
1787
         */
1788
        auto node = this->astCtxt->extract(0, 0,
1789 1
                      this->astCtxt->bvlshr(
1790 1
                        this->astCtxt->bvand(this->astCtxt->extract(high, low, this->astCtxt->reference(parent)), op1),
1791 1
                        this->astCtxt->bvsub(this->astCtxt->bv(bvSize, bvSize), this->astCtxt->bv(1, bvSize))
1792
                      )
1793 1
                    );
1794

1795
        /* Create the symbolic expression */
1796 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_OF), "Overflow flag");
1797

1798
        /* Spread the taint from the parent to the child */
1799 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_OF), parent->isTainted);
1800
      }
1801

1802

1803 1
      void x86Semantics::ofRol_s(triton::arch::Instruction& inst,
1804
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1805
                                 triton::arch::OperandWrapper& dst,
1806
                                 const triton::ast::SharedAbstractNode& op2,
1807
                                 bool vol) {
1808

1809 1
        auto bvSize = dst.getBitSize();
1810 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
1811 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1812 1
        auto of     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_OF));
1813

1814
        auto node = this->astCtxt->ite(
1815 1
                      this->astCtxt->equal(this->astCtxt->zx(bvSize - op2->getBitvectorSize(), op2), this->astCtxt->bv(1, bvSize)),
1816 1
                      this->astCtxt->bvxor(
1817 1
                        this->astCtxt->extract(high, high, this->astCtxt->reference(parent)),
1818 1
                        this->symbolicEngine->getOperandAst(inst, cf)
1819
                      ),
1820 1
                      this->symbolicEngine->getOperandAst(of)
1821 1
                    );
1822

1823
        /* Create the symbolic expression */
1824 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, of.getConstRegister(), "Overflow flag");
1825

1826 1
        if (op2->evaluate()) {
1827
          /* Spread the taint from the parent to the child */
1828 1
          expr->isTainted = this->taintEngine->setTaintRegister(of.getConstRegister(), parent->isTainted);
1829
        }
1830
        else {
1831 1
          inst.removeReadRegister(cf.getConstRegister());
1832 1
          inst.removeWrittenRegister(of.getConstRegister());
1833
        }
1834
      }
1835

1836

1837 1
      void x86Semantics::ofRor_s(triton::arch::Instruction& inst,
1838
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1839
                                 triton::arch::OperandWrapper& dst,
1840
                                 const triton::ast::SharedAbstractNode& op2,
1841
                                 bool vol) {
1842

1843 1
        auto bvSize = op2->getBitvectorSize();
1844 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
1845 1
        auto of     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_OF));
1846

1847
        auto node = this->astCtxt->ite(
1848 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(1, bvSize)),
1849 1
                      this->astCtxt->bvxor(
1850 1
                        this->astCtxt->extract(high, high, this->astCtxt->reference(parent)),
1851 1
                        this->astCtxt->extract(high-1, high-1, this->astCtxt->reference(parent))
1852
                      ),
1853 1
                      this->symbolicEngine->getOperandAst(of)
1854 1
                    );
1855

1856
        /* Create the symbolic expression */
1857 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, of.getConstRegister(), "Overflow flag");
1858

1859 1
        if (op2->evaluate()) {
1860
          /* Spread the taint from the parent to the child */
1861 1
          expr->isTainted = this->taintEngine->setTaintRegister(of.getConstRegister(), parent->isTainted);
1862
        }
1863
        else {
1864 1
          inst.removeWrittenRegister(of.getConstRegister());
1865
        }
1866
      }
1867

1868

1869 1
      void x86Semantics::ofRcr_s(triton::arch::Instruction& inst,
1870
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1871
                                 triton::arch::OperandWrapper& dst,
1872
                                 const triton::ast::SharedAbstractNode& op1,
1873
                                 const triton::ast::SharedAbstractNode& op2,
1874
                                 bool vol) {
1875

1876 1
        auto bvSize = op2->getBitvectorSize();
1877 1
        auto high   = dst.getBitSize()-1;
1878 1
        auto cf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_CF));
1879 1
        auto of     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_OF));
1880

1881
        auto node = this->astCtxt->ite(
1882 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(1, bvSize)),
1883 1
                      this->astCtxt->bvxor(
1884 1
                        this->astCtxt->extract(high, high, op1),
1885 1
                        this->symbolicEngine->getOperandAst(inst, cf)
1886
                      ),
1887 1
                      this->symbolicEngine->getOperandAst(of)
1888 1
                    );
1889

1890
        /* Create the symbolic expression */
1891 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, of.getConstRegister(), "Overflow flag");
1892

1893 1
        if (op2->evaluate()) {
1894
          /* Spread the taint from the parent to the child */
1895 1
          expr->isTainted = this->taintEngine->setTaintRegister(of.getConstRegister(), parent->isTainted);
1896
        }
1897
        else {
1898 1
          inst.removeReadRegister(cf.getConstRegister());
1899 1
          inst.removeWrittenRegister(of.getConstRegister());
1900
        }
1901
      }
1902

1903

1904 1
      void x86Semantics::ofSar_s(triton::arch::Instruction& inst,
1905
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1906
                                 triton::arch::OperandWrapper& dst,
1907
                                 const triton::ast::SharedAbstractNode& op2,
1908
                                 bool vol) {
1909

1910 1
        auto bvSize = dst.getBitSize();
1911 1
        auto of     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_OF));
1912

1913
        /*
1914
         * Create the semantic.
1915
         * of = 0 if op2 == 1
1916
         */
1917
        auto node = this->astCtxt->ite(
1918 1
                      this->astCtxt->land(
1919 1
                        this->astCtxt->equal(
1920
                          /* #672 */
1921 1
                          this->astCtxt->reference(parent),
1922 1
                          this->astCtxt->reference(parent)
1923
                          /* ---- */
1924
                        ),
1925 1
                        this->astCtxt->equal(
1926
                          op2,
1927 1
                          this->astCtxt->bv(1, bvSize)
1928
                        )
1929
                      ),
1930 1
                      this->astCtxt->bv(0, 1),
1931 1
                      this->symbolicEngine->getOperandAst(of)
1932 1
                    );
1933

1934
        /* Create the symbolic expression */
1935 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, of.getConstRegister(), "Overflow flag");
1936

1937 1
        if (op2->evaluate()) {
1938
          /* Spread the taint from the parent to the child */
1939 1
          expr->isTainted = this->taintEngine->setTaintRegister(of.getConstRegister(), parent->isTainted);
1940
        }
1941
        else {
1942 1
          inst.removeWrittenRegister(of.getConstRegister());
1943
        }
1944
      }
1945

1946

1947 1
      void x86Semantics::ofShl_s(triton::arch::Instruction& inst,
1948
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
1949
                                 triton::arch::OperandWrapper& dst,
1950
                                 const triton::ast::SharedAbstractNode& op1,
1951
                                 const triton::ast::SharedAbstractNode& op2,
1952
                                 bool vol) {
1953

1954 1
        auto bvSize = dst.getBitSize();
1955 1
        auto of     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_OF));
1956

1957
        /*
1958
         * Create the semantic.
1959
         * of = ((op1 >> (bvSize - 1)) ^ (op1 >> (bvSize - 2))) & 1; if op2 == 1
1960
         */
1961
        auto node = this->astCtxt->ite(
1962 1
                      this->astCtxt->equal(
1963
                        op2,
1964 1
                        this->astCtxt->bv(1, bvSize)),
1965 1
                      this->astCtxt->extract(0, 0,
1966 1
                        this->astCtxt->bvxor(
1967 1
                          this->astCtxt->bvlshr(op1, this->astCtxt->bvsub(this->astCtxt->bv(bvSize, bvSize), this->astCtxt->bv(1, bvSize))),
1968 1
                          this->astCtxt->bvlshr(op1, this->astCtxt->bvsub(this->astCtxt->bv(bvSize, bvSize), this->astCtxt->bv(2, bvSize)))
1969
                        )
1970
                      ),
1971 1
                      this->symbolicEngine->getOperandAst(of)
1972 1
                    );
1973

1974
        /* Create the symbolic expression */
1975 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, of.getConstRegister(), "Overflow flag");
1976

1977 1
        if (op2->evaluate()) {
1978
          /* Spread the taint from the parent to the child */
1979 1
          expr->isTainted = this->taintEngine->setTaintRegister(of.getConstRegister(), parent->isTainted);
1980
        }
1981
        else {
1982 1
          inst.removeWrittenRegister(of.getConstRegister());
1983
        }
1984
      }
1985

1986

1987 1
      void x86Semantics::ofShld_s(triton::arch::Instruction& inst,
1988
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
1989
                                  triton::arch::OperandWrapper& dst,
1990
                                  const triton::ast::SharedAbstractNode& op1,
1991
                                  const triton::ast::SharedAbstractNode& op2,
1992
                                  const triton::ast::SharedAbstractNode& op3,
1993
                                  bool vol) {
1994

1995 1
        auto bvSize  = dst.getBitSize();
1996 1
        auto bv1Size = op1->getBitvectorSize();
1997 1
        auto bv2Size = op2->getBitvectorSize();
1998 1
        auto bv3Size = op3->getBitvectorSize();
1999 1
        auto of      = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_OF));
2000

2001
        /*
2002
         * Create the semantic.
2003
         * of = MSB(rol(op3, concat(op2,op1))) ^ MSB(op1); if op3 == 1
2004
         */
2005
        auto node = this->astCtxt->ite(
2006 1
                      this->astCtxt->equal(
2007 1
                        this->astCtxt->zx(bvSize - bv3Size, op3),
2008 1
                        this->astCtxt->bv(1, bvSize)),
2009 1
                      this->astCtxt->bvxor(
2010 1
                        this->astCtxt->extract(
2011
                          bvSize-1, bvSize-1,
2012 1
                          this->astCtxt->bvrol(
2013 1
                            this->astCtxt->concat(op2, op1),
2014 1
                            this->astCtxt->zx(((bv1Size + bv2Size) - bv3Size), op3)
2015
                          )
2016
                        ),
2017 1
                        this->astCtxt->extract(bvSize-1, bvSize-1, op1)
2018
                      ),
2019 1
                      this->symbolicEngine->getOperandAst(of)
2020 1
                    );
2021

2022
        /* Create the symbolic expression */
2023 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, of.getConstRegister(), "Overflow flag");
2024

2025 1
        if (op3->evaluate()) {
2026
          /* Spread the taint from the parent to the child */
2027 1
          expr->isTainted = this->taintEngine->setTaintRegister(of.getConstRegister(), parent->isTainted);
2028
        }
2029
        else {
2030 1
          inst.removeWrittenRegister(of.getConstRegister());
2031
        }
2032
      }
2033

2034

2035 1
      void x86Semantics::ofShr_s(triton::arch::Instruction& inst,
2036
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
2037
                                 triton::arch::OperandWrapper& dst,
2038
                                 const triton::ast::SharedAbstractNode& op1,
2039
                                 const triton::ast::SharedAbstractNode& op2,
2040
                                 bool vol) {
2041

2042 1
        auto bvSize = dst.getBitSize();
2043 1
        auto of     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_OF));
2044

2045
        /*
2046
         * Create the semantic.
2047
         * of = ((op1 >> (bvSize - 1)) & 1) if op2 == 1
2048
         */
2049
        auto node = this->astCtxt->ite(
2050 1
                      this->astCtxt->equal(
2051
                        op2,
2052 1
                        this->astCtxt->bv(1, bvSize)),
2053 1
                      this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, this->astCtxt->bvsub(this->astCtxt->bv(bvSize, bvSize), this->astCtxt->bv(1, bvSize)))),
2054 1
                      this->symbolicEngine->getOperandAst(of)
2055 1
                    );
2056

2057
        /* Create the symbolic expression */
2058 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, of.getConstRegister(), "Overflow flag");
2059

2060 1
        if (op2->evaluate()) {
2061
          /* Spread the taint from the parent to the child */
2062 1
          expr->isTainted = this->taintEngine->setTaintRegister(of.getConstRegister(), parent->isTainted);
2063
        }
2064
        else {
2065 1
          inst.removeWrittenRegister(of.getConstRegister());
2066
        }
2067
      }
2068

2069

2070 1
      void x86Semantics::ofShrd_s(triton::arch::Instruction& inst,
2071
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
2072
                                  triton::arch::OperandWrapper& dst,
2073
                                  const triton::ast::SharedAbstractNode& op1,
2074
                                  const triton::ast::SharedAbstractNode& op2,
2075
                                  const triton::ast::SharedAbstractNode& op3,
2076
                                  bool vol) {
2077

2078 1
        auto bvSize  = dst.getBitSize();
2079 1
        auto bv1Size = op1->getBitvectorSize();
2080 1
        auto bv2Size = op2->getBitvectorSize();
2081 1
        auto bv3Size = op3->getBitvectorSize();
2082 1
        auto of      = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_OF));
2083

2084
        /*
2085
         * Create the semantic.
2086
         * of = MSB(ror(op3, concat(op2,op1))) ^ MSB(op1); if op3 == 1
2087
         */
2088
        auto node = this->astCtxt->ite(
2089 1
                      this->astCtxt->equal(
2090 1
                        this->astCtxt->zx(bvSize - op3->getBitvectorSize(), op3),
2091 1
                        this->astCtxt->bv(1, bvSize)),
2092 1
                      this->astCtxt->bvxor(
2093 1
                        this->astCtxt->extract(
2094
                          bvSize - 1, bvSize - 1,
2095 1
                          this->astCtxt->bvror(
2096 1
                            this->astCtxt->concat(op2, op1),
2097 1
                            this->astCtxt->zx(((bv1Size + bv2Size) - bv3Size), op3)
2098
                          )
2099
                        ),
2100 1
                        this->astCtxt->extract(dst.getBitSize()-1, dst.getBitSize()-1, op1)
2101
                      ),
2102 1
                      this->symbolicEngine->getOperandAst(of)
2103 1
                    );
2104

2105
        /* Create the symbolic expression */
2106 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, of.getConstRegister(), "Overflow flag");
2107

2108 1
        if (op3->evaluate()) {
2109
          /* Spread the taint from the parent to the child */
2110 1
          expr->isTainted = this->taintEngine->setTaintRegister(of.getConstRegister(), parent->isTainted);
2111
        }
2112
        else {
2113 1
          inst.removeWrittenRegister(of.getConstRegister());
2114
        }
2115
      }
2116

2117

2118 1
      void x86Semantics::ofSub_s(triton::arch::Instruction& inst,
2119
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
2120
                                 triton::arch::OperandWrapper& dst,
2121
                                 const triton::ast::SharedAbstractNode& op1,
2122
                                 const triton::ast::SharedAbstractNode& op2,
2123
                                 bool vol) {
2124

2125 1
        auto bvSize = dst.getBitSize();
2126 1
        auto low    = vol ? 0 : dst.getLow();
2127 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
2128

2129
        /*
2130
         * Create the semantic.
2131
         * of = high:bool((op1 ^ op2) & (op1 ^ regDst))
2132
         */
2133
        auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
2134 1
                      this->astCtxt->bvand(
2135 1
                        this->astCtxt->bvxor(op1, op2),
2136 1
                        this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))
2137
                      )
2138 1
                    );
2139

2140
        /* Create the symbolic expression */
2141 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_OF), "Overflow flag");
2142

2143
        /* Spread the taint from the parent to the child */
2144 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_OF), parent->isTainted);
2145
      }
2146

2147

2148 1
      void x86Semantics::pf_s(triton::arch::Instruction& inst,
2149
                              const triton::engines::symbolic::SharedSymbolicExpression& parent,
2150
                              triton::arch::OperandWrapper& dst,
2151
                              bool vol) {
2152

2153 1
        auto low    = vol ? 0 : dst.getLow();
2154 1
        auto high   = vol ? triton::bitsize::byte-1 : !low ? triton::bitsize::byte-1 : triton::bitsize::word-1;
2155

2156
        /*
2157
         * Create the semantics.
2158
         *
2159
         * pf is set to one if there is an even number of bit set to 1 in the least
2160
         * significant byte of the result.
2161
         */
2162 1
        auto node = this->astCtxt->bv(1, 1);
2163 1
        for (triton::uint32 counter = 0; counter <= triton::bitsize::byte-1; counter++) {
2164 1
          node = this->astCtxt->bvxor(
2165
                   node,
2166 1
                   this->astCtxt->extract(0, 0,
2167 1
                     this->astCtxt->bvlshr(
2168 1
                       this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
2169 1
                       this->astCtxt->bv(counter, triton::bitsize::byte)
2170
                     )
2171
                  )
2172 1
                );
2173
        }
2174

2175
        /* Create the symbolic expression */
2176 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_PF), "Parity flag");
2177

2178
        /* Spread the taint from the parent to the child */
2179 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_PF), parent->isTainted);
2180
      }
2181

2182

2183 1
      void x86Semantics::pfShl_s(triton::arch::Instruction& inst,
2184
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
2185
                                 triton::arch::OperandWrapper& dst,
2186
                                 const triton::ast::SharedAbstractNode& op2,
2187
                                 bool vol) {
2188

2189 1
        auto bvSize = dst.getBitSize();
2190 1
        auto low    = vol ? 0 : dst.getLow();
2191 1
        auto high   = vol ? triton::bitsize::byte-1 : !low ? triton::bitsize::byte-1 : triton::bitsize::word-1;
2192 1
        auto pf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_PF));
2193

2194
        /*
2195
         * Create the semantics.
2196
         * pf if op2 != 0
2197
         */
2198 1
        auto node1 = this->astCtxt->bv(1, 1);
2199 1
        for (triton::uint32 counter = 0; counter <= triton::bitsize::byte-1; counter++) {
2200 1
          node1 = this->astCtxt->bvxor(
2201
                   node1,
2202 1
                   this->astCtxt->extract(0, 0,
2203 1
                     this->astCtxt->bvlshr(
2204 1
                       this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
2205 1
                       this->astCtxt->bv(counter, triton::bitsize::byte)
2206
                     )
2207
                  )
2208 1
                );
2209
        }
2210

2211
        auto node2 = this->astCtxt->ite(
2212 1
                       this->astCtxt->equal(this->astCtxt->zx(bvSize - op2->getBitvectorSize(), op2), this->astCtxt->bv(0, bvSize)),
2213 1
                       this->symbolicEngine->getOperandAst(pf),
2214
                       node1
2215 1
                     );
2216

2217
        /* Create the symbolic expression */
2218 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node2, pf.getConstRegister(), "Parity flag");
2219

2220 1
        if (op2->evaluate()) {
2221
          /* Spread the taint from the parent to the child */
2222 1
          expr->isTainted = this->taintEngine->setTaintRegister(pf.getConstRegister(), parent->isTainted);
2223
        }
2224
        else {
2225 1
          inst.removeWrittenRegister(pf.getConstRegister());
2226
        }
2227
      }
2228

2229

2230 1
      void x86Semantics::sf_s(triton::arch::Instruction& inst,
2231
                              const triton::engines::symbolic::SharedSymbolicExpression& parent,
2232
                              triton::arch::OperandWrapper& dst,
2233
                              bool vol) {
2234

2235 1
        auto bvSize = dst.getBitSize();
2236 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
2237

2238
        /*
2239
         * Create the semantic.
2240
         * sf = high:bool(regDst)
2241
         */
2242 1
        auto node = this->astCtxt->extract(high, high, this->astCtxt->reference(parent));
2243

2244
        /* Create the symbolic expression */
2245 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_SF), "Sign flag");
2246

2247
        /* Spread the taint from the parent to the child */
2248 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_SF), parent->isTainted);
2249
      }
2250

2251

2252 1
      void x86Semantics::sfShl_s(triton::arch::Instruction& inst,
2253
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
2254
                                 triton::arch::OperandWrapper& dst,
2255
                                 const triton::ast::SharedAbstractNode& op2,
2256
                                 bool vol) {
2257

2258 1
        auto bvSize = dst.getBitSize();
2259 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
2260 1
        auto sf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_SF));
2261

2262
        /*
2263
         * Create the semantic.
2264
         * sf if op2 != 0
2265
         */
2266
        auto node = this->astCtxt->ite(
2267 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, bvSize)),
2268 1
                      this->symbolicEngine->getOperandAst(sf),
2269 1
                      this->astCtxt->extract(high, high, this->astCtxt->reference(parent))
2270 1
                    );
2271

2272
        /* Create the symbolic expression */
2273 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, sf.getConstRegister(), "Sign flag");
2274

2275 1
        if (op2->evaluate()) {
2276
          /* Spread the taint from the parent to the child */
2277 1
          expr->isTainted = this->taintEngine->setTaintRegister(sf.getConstRegister(), parent->isTainted);
2278
        }
2279
        else {
2280 1
          inst.removeWrittenRegister(sf.getConstRegister());
2281
        }
2282
      }
2283

2284

2285 1
      void x86Semantics::sfShld_s(triton::arch::Instruction& inst,
2286
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
2287
                                  triton::arch::OperandWrapper& dst,
2288
                                  const triton::ast::SharedAbstractNode& op1,
2289
                                  const triton::ast::SharedAbstractNode& op2,
2290
                                  const triton::ast::SharedAbstractNode& op3,
2291
                                  bool vol) {
2292

2293 1
        auto bvSize  = dst.getBitSize();
2294 1
        auto bv1Size = op1->getBitvectorSize();
2295 1
        auto bv2Size = op2->getBitvectorSize();
2296 1
        auto bv3Size = op3->getBitvectorSize();
2297 1
        auto sf      = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_SF));
2298

2299
        /*
2300
         * Create the semantic.
2301
         * MSB(rol(op3, concat(op2,op1))) if op3 != 0
2302
         */
2303
        auto node = this->astCtxt->ite(
2304 1
                      this->astCtxt->equal(op3, this->astCtxt->bv(0, bv3Size)),
2305 1
                      this->symbolicEngine->getOperandAst(sf),
2306 1
                      this->astCtxt->extract(
2307
                        bvSize-1, bvSize-1,
2308 1
                        this->astCtxt->bvrol(
2309 1
                          this->astCtxt->concat(op2, op1),
2310 1
                          this->astCtxt->zx(((bv1Size + bv2Size) - bv3Size), op3)
2311
                        )
2312
                      )
2313 1
                    );
2314

2315
        /* Create the symbolic expression */
2316 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, sf.getConstRegister(), "Sign flag");
2317

2318 1
        if (op3->evaluate()) {
2319
          /* Spread the taint from the parent to the child */
2320 1
          expr->isTainted = this->taintEngine->setTaintRegister(sf.getConstRegister(), parent->isTainted);
2321
        }
2322
        else {
2323 1
          inst.removeWrittenRegister(sf.getConstRegister());
2324
        }
2325
      }
2326

2327

2328 1
      void x86Semantics::sfShrd_s(triton::arch::Instruction& inst,
2329
                                  const triton::engines::symbolic::SharedSymbolicExpression& parent,
2330
                                  triton::arch::OperandWrapper& dst,
2331
                                  const triton::ast::SharedAbstractNode& op1,
2332
                                  const triton::ast::SharedAbstractNode& op2,
2333
                                  const triton::ast::SharedAbstractNode& op3,
2334
                                  bool vol) {
2335

2336 1
        auto bvSize  = dst.getBitSize();
2337 1
        auto bv1Size = op1->getBitvectorSize();
2338 1
        auto bv2Size = op2->getBitvectorSize();
2339 1
        auto bv3Size = op3->getBitvectorSize();
2340 1
        auto sf      = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_SF));
2341

2342
        /*
2343
         * Create the semantic.
2344
         * MSB(ror(op3, concat(op2,op1))) if op3 != 0
2345
         */
2346
        auto node = this->astCtxt->ite(
2347 1
                      this->astCtxt->equal(op3, this->astCtxt->bv(0, bv3Size)),
2348 1
                      this->symbolicEngine->getOperandAst(sf),
2349 1
                      this->astCtxt->extract(
2350
                        bvSize - 1, bvSize - 1,
2351 1
                        this->astCtxt->bvror(
2352 1
                          this->astCtxt->concat(op2, op1),
2353 1
                          this->astCtxt->zx(((bv1Size + bv2Size) - bv3Size), op3)
2354
                        )
2355
                      )
2356 1
                    );
2357

2358
        /* Create the symbolic expression */
2359 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, sf.getConstRegister(), "Sign flag");
2360

2361 1
        if (op3->evaluate()) {
2362
          /* Spread the taint from the parent to the child */
2363 1
          expr->isTainted = this->taintEngine->setTaintRegister(sf.getConstRegister(), parent->isTainted);
2364
        }
2365
        else {
2366 1
          inst.removeWrittenRegister(sf.getConstRegister());
2367
        }
2368
      }
2369

2370

2371 1
      void x86Semantics::zf_s(triton::arch::Instruction& inst,
2372
                              const triton::engines::symbolic::SharedSymbolicExpression& parent,
2373
                              triton::arch::OperandWrapper& dst,
2374
                              bool vol) {
2375

2376 1
        auto bvSize = dst.getBitSize();
2377 1
        auto low    = vol ? 0 : dst.getLow();
2378 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
2379

2380
        /*
2381
         * Create the semantic.
2382
         * zf = 0 == regDst
2383
         */
2384
        auto node = this->astCtxt->ite(
2385 1
                      this->astCtxt->equal(
2386 1
                        this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
2387 1
                        this->astCtxt->bv(0, bvSize)
2388
                      ),
2389 1
                      this->astCtxt->bv(1, 1),
2390 1
                      this->astCtxt->bv(0, 1)
2391 1
                    );
2392

2393
        /* Create the symbolic expression */
2394 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_ZF), "Zero flag");
2395

2396
        /* Spread the taint from the parent to the child */
2397 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_ZF), parent->isTainted);
2398
      }
2399

2400

2401 1
      void x86Semantics::zfBsf_s(triton::arch::Instruction& inst,
2402
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
2403
                                 triton::arch::OperandWrapper& src,
2404
                                 const triton::ast::SharedAbstractNode& op2,
2405
                                 bool vol) {
2406

2407
        /*
2408
         * Create the semantic.
2409
         * zf = 1 if op2 == 0 else 0
2410
         */
2411
        auto node = this->astCtxt->ite(
2412 1
                      this->astCtxt->equal(op2, this->astCtxt->bv(0, src.getBitSize())),
2413 1
                      this->astCtxt->bvtrue(),
2414 1
                      this->astCtxt->bvfalse()
2415 1
                    );
2416

2417
        /* Create the symbolic expression */
2418 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, this->architecture->getRegister(ID_REG_X86_ZF), "Zero flag");
2419

2420
        /* Spread the taint from the parent to the child */
2421 1
        expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getRegister(ID_REG_X86_ZF), parent->isTainted);
2422
      }
2423

2424

2425 1
      void x86Semantics::zfShl_s(triton::arch::Instruction& inst,
2426
                                 const triton::engines::symbolic::SharedSymbolicExpression& parent,
2427
                                 triton::arch::OperandWrapper& dst,
2428
                                 const triton::ast::SharedAbstractNode& op2,
2429
                                 bool vol) {
2430

2431 1
        auto bvSize = dst.getBitSize();
2432 1
        auto low    = vol ? 0 : dst.getLow();
2433 1
        auto high   = vol ? bvSize-1 : dst.getHigh();
2434 1
        auto zf     = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_ZF));
2435

2436
        /*
2437
         * Create the semantic.
2438
         * zf if op2 != 0
2439
         */
2440
        auto node = this->astCtxt->ite(
2441 1
                      this->astCtxt->equal(this->astCtxt->zx(bvSize - op2->getBitvectorSize(), op2), this->astCtxt->bv(0, bvSize)),
2442 1
                      this->symbolicEngine->getOperandAst(zf),
2443 1
                      this->astCtxt->ite(
2444 1
                        this->astCtxt->equal(
2445 1
                          this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
2446 1
                          this->astCtxt->bv(0, bvSize)
2447
                        ),
2448 1
                        this->astCtxt->bv(1, 1),
2449 1
                        this->astCtxt->bv(0, 1)
2450
                      )
2451 1
                    );
2452

2453
        /* Create the symbolic expression */
2454 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, zf.getConstRegister(), "Zero flag");
2455

2456 1
        if (op2->evaluate()) {
2457
          /* Spread the taint from the parent to the child */
2458 1
          expr->isTainted = this->taintEngine->setTaintRegister(zf.getConstRegister(), parent->isTainted);
2459
        }
2460
        else {
2461 1
          inst.removeWrittenRegister(zf.getConstRegister());
2462
        }
2463
      }
2464

2465

2466 1
      void x86Semantics::aaa_s(triton::arch::Instruction& inst) {
2467 1
        auto  src1   = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_AL));
2468 1
        auto  src2   = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_AH));
2469 1
        auto  src3   = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_AF));
2470 1
        auto  dst    = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_AX));
2471 1
        auto  dsttmp = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_X86_AL));
2472

2473
        /* Create symbolic operands */
2474 1
        auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
2475 1
        auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
2476 1
        auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
2477

2478
        /* Create the semantics */
2479
        auto node = this->astCtxt->ite(
2480
                      // if
2481 1
                      this->astCtxt->lor(
2482 1
                        this->astCtxt->bvugt(
2483 1
                          this->astCtxt->bvand(op1, this->astCtxt->bv(0xf, src1.getBitSize())),
2484 1
                          this->astCtxt->bv(9, src1.getBitSize())
2485
                        ),
2486 1
                        this->astCtxt->equal(op3, this->astCtxt->bvtrue())
2487
                      ),
2488
                      // then
2489 1
                      this->astCtxt->concat(
2490 1
                        this->astCtxt->bvadd(op2, this->astCtxt->bv(1, src2.getBitSize())),
2491 1
                        this->astCtxt->bvand(
2492 1
                          this->astCtxt->bvadd(op1, this->astCtxt->bv(6, src1.getBitSize())),
2493 1
                          this->astCtxt->bv(0xf, src1.getBitSize())
2494
                        )
2495
                      ),
2496
                      // else
2497 1
                      this->astCtxt->concat(
2498
                        op2,
2499 1
                        this->astCtxt->bvand(op1, this->astCtxt->bv(0xf, src1.getBitSize()))
2500
                      )
2501 1
                    );
2502

2503
        /* Create symbolic expression */
2504 1
        auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "AAA operation");
2505

2506
        /* Spread taint */
2507 1
        expr->isTainted = this->taintEngine->taintUnion(dst, dst);
2508

2509
        /* Update symbolic flags */