X86 Assembly/Shift and Rotate
Logical Shift Instructions[edit]
In a logical shift instruction (also referred to as unsigned shift), the bits that slide off the end disappear (except for the last, which goes into the carry flag), and the spaces are always filled with zeros. Logical shifts are best used with unsigned numbers.
shr src, dest | GAS Syntax |
shr dest, src | Intel Syntax |
Logical shift dest
to the right by src
bits.
shl src, dest | GAS Syntax |
shl dest, src | Intel Syntax |
Logical shift dest
to the left by src
bits.
Examples (GAS Syntax):
movw $ff00,%ax # ax=1111.1111.0000.0000 (0xff00, unsigned 65280, signed -256) shrw $3,%ax # ax=0001.1111.1110.0000 (0x1fe0, signed and unsigned 8160) # (logical shifting unsigned numbers right by 3 # is like integer division by 8) shlw $1,%ax # ax=0011.1111.1100.0000 (0x3fc0, signed and unsigned 16320) # (logical shifting unsigned numbers left by 1 # is like multiplication by 2)
Arithmetic Shift Instructions[edit]
In an arithmetic shift (also referred to as signed shift), like a logical shift, the bits that slide off the end disappear (except for the last, which goes into the carry flag). But in an arithmetic shift, the spaces are filled in such a way to preserve the sign of the number being slid. For this reason, arithmetic shifts are better suited for signed numbers in two's complement format.
sar src, dest | GAS Syntax |
sar dest, src | Intel Syntax |
Arithmetic shift dest
to the right by src
bits. Spaces are filled with sign bit (to maintain sign of original value), which is the original highest bit.
sal src, dest | GAS Syntax |
sal dest, src | Intel Syntax |
Arithmetic shift dest
to the left by src
bits. The bottom bits do not affect the sign, so the bottom bits are filled with zeros. This instruction is synonymous with SHL.
Examples (GAS Syntax):
movw $ff00,%ax # ax=1111.1111.0000.0000 (0xff00, unsigned 65280, signed -256) salw $2,%ax # ax=1111.1100.0000.0000 (0xfc00, unsigned 64512, signed -1024) # (arithmetic shifting left by 2 is like multiplication by 4 for # negative numbers, but has an impact on positives with most # significant bit set (i.e. set bits shifted out)) sarw $5,%ax # ax=1111.1111.1110.0000 (0xffe0, unsigned 65504, signed -32) # (arithmetic shifting right by 5 is like integer division by 32 # for negative numbers)
Extended Shift Instructions[edit]
The names of the double precision shift operations are somewhat misleading, hence they are listed as extended shift instructions on this page.
They are available for use with 16- and 32-bit data entities (registers/memory locations). The src
operand is always a register, the dest
operand can be a register or memory location, the cnt
operand is an immediate byte value or the CL register. In 64-bit mode it is possible to address 64-bit data as well.
shld cnt, src, dest | GAS Syntax |
shld dest, src, cnt | Intel Syntax |
The operation performed by shld
is to shift the most significant cnt
bits out of dest
, but instead of filling up the least significant bits with zeros, they are filled with the most significant cnt
bits of src
.
shrd cnt, src, dest | GAS Syntax |
shrd dest, src, cnt | Intel Syntax |
Likewise, the shrd
operation shifts the least significant cnt
bits out of dest
, and fills up the most significant cnt
bits with the least significant bits of the src
operand.
Intel's nomenclature is misleading, in that the shift does not operate on double the basic operand size (i.e. specifying 32-bit operands doesn't make it a 64-bit shift): the src
operand always remains unchanged.
Also, Intel's manual^{[1]} states that the results are undefined when cnt
is greater than the operand size, but at least for 32- and 64-bit data sizes it has been observed that shift operations are performed by (cnt mod n
), with n being the data size.
Examples (GAS Syntax):
xorw %ax,%ax # ax=0000.0000.0000.0000 (0x0000) notw %ax # ax=1111.1111.1111.1111 (0xffff) movw $0x5500,%bx # bx=0101.0101.0000.0000 shrdw $4,%ax,%bx # bx=1111.0101.0101.0000 (0xf550), ax is still 0xffff shldw $8,%bx,%ax # ax=1111.1111.1111.0101 (0xfff5), bx is still 0xf550
Other examples (decimal numbers are used instead of binary number to explain the concept)
# ax = 1234 5678 # bx = 8765 4321 shrd $3, %ax, %bx # ax = 1234 5678 bx = 6788 7654
# ax = 1234 5678 # bx = 8765 4321 shld $3, %ax, %bx # bx = 5432 1123 ax = 1234 5678
Rotate Instructions[edit]
Rotate Right[edit]
In a rotate instruction, the bits that slide off the end of the register are fed back into the spaces.
ror offset, variable | GAS Syntax |
ror variable, offset | Intel Syntax |
Rotate variable
to the right by offset
bits.
Here is a graphical representation how this looks like:
╭─────────╮ %al old │ 0 1 1 1 │ │ │ │ │ ╰─╯ │ │ │ ╰─╮ ror 1, %al │ │ ╰─╮ │ │ ╰─╮ │ │ ╰─╮ │ │ │ %al new 1 0 1 1
The number of bits to rotate offset
is masked to the lower 5 bits (or 6 bits in 64-bit mode).
This is equivalent to a operation, i. e. the remainder of integer division (note: ).
Operands[edit]
Variable
has to be a register or memory location.Offset
can be either- an immediate value (where the value
1
has a dedicated opcode), - or the
cl
register (that is the lower byte ofecx
).
- an immediate value (where the value
Modified Flags[edit]
ror
only alters flags if the masked offset
is non-zero.
The CF becomes the result’s MSB, so the “sign”.
Furthermore, if the masked offset
= 1, OF ≔ result[MSB] ⊻ result[MSB−1], so the OF tells us, whether “the sign” has changed.
Rotate Left[edit]
rol src, dest | GAS Syntax |
rol dest, src | Intel Syntax |
Rotate dest
to the left by src
bits.
Rotate With Carry Instructions[edit]
Like with shifts, the rotate can use the carry bit as the "extra" bit that it shifts through.
rcr src, dest | GAS Syntax |
rcr dest, src | Intel Syntax |
Rotate dest
to the right by src
bits with carry.
rcl src, dest | GAS Syntax |
rcl dest, src | Intel Syntax |
Rotate dest
to the left by src
bits with carry.
Number of arguments[edit]
Unless stated, these instructions can take either one or two arguments. If only one is supplied, it is assumed to be a register or memory location and the number of bits to shift/rotate is one (this may be dependent on the assembler in use, however).
shrl $1, %eax
is equivalent to shrl %eax
(GAS syntax).