STOS/STOSB/STOSW/STOSD/STOSQ

Store String

Opcodes

Hex Mnemonic Encoding Long Mode Legacy Mode Description
REX.W + AB STOSQ A Valid N.E. Store RAX at address RDI or EDI.
AB STOSD A Valid Valid For legacy mode, store EAX at address ES:(E)DI; For 64-bit mode store EAX at address RDI or EDI.
AB STOSW A Valid Valid For legacy mode, store AX at address ES:(E)DI; For 64-bit mode store AX at address RDI or EDI.
AA STOSB A Valid Valid For legacy mode, store AL at address ES:(E)DI; For 64-bit mode store AL at address RDI or EDI.
REX.W + AB STOS m64 A Valid N.E. Store RAX at address RDI or EDI.
AB STOS m32 A Valid Valid For legacy mode, store EAX at address ES:(E)DI; For 64-bit mode store EAX at address RDI or EDI.
AB STOS m16 A Valid Valid For legacy mode, store AX at address ES:(E)DI; For 64-bit mode store AX at address RDI or EDI.
AA STOS m8 A Valid Valid For legacy mode, store AL at address ES:(E)DI; For 64-bit mode store AL at address RDI or EDI.

Instruction Operand Encoding

Op/En Operand 0 Operand 1 Operand 2 Operand 3
A NA NA NA NA

Description

In non-64-bit and default 64-bit mode, stores a byte, word, or doubleword from the AL, AX, or EAX register (respectively) into the destination operand. The destination operand is a memory location, the address of which is read from either the ES:EDI or ES:DI register (depending on the address-size attribute of the instruction and the mode of operation). The ES segment cannot be overridden with a segment override prefix.

At the assembly-code level, two forms of the instruction are allowed: the "explicit-operands" form and the "no-operands" form. The explicit-operands form (specified with the STOS mnemonic) allows the destination operand to be specified explicitly. Here, the destination operand should be a symbol that indicates the size and location of the destination value. The source operand is then automatically selected to match the size of the destination operand (the AL register for byte operands, AX for word operands, EAX for doubleword operands). The explicit-operands form is provided to allow documentation; however, note that the documentation provided by this form can be misleading. That is, the destination operand symbol must specify the correct type (size) of the operand (byte, word, or doubleword), but it does not have to specify the correct location. The location is always specified by the ES:(E)DI register. These must be loaded correctly before the store string instruction is executed.

The no-operands form provides "short forms" of the byte, word, doubleword, and quadword versions of the STOS instructions. Here also ES:(E)DI is assumed to be the destination operand and AL, AX, or EAX is assumed to be the source operand. The size of the destination and source operands is selected by the mnemonic: STOSB (byte read from register AL), STOSW (word from AX), STOSD (doubleword from EAX).

After the byte, word, or doubleword is transferred from the register to the memory location, the (E)DI register is incremented or decremented according to the setting of the DF flag in the EFLAGS register. If the DF flag is 0, the register is incremented; if the DF flag is 1, the register is decremented (the register is incremented or decremented by 1 for byte operations, by 2 for word operations, by 4 for doubleword operations).

In 64-bit mode, the default address size is 64 bits; 32-bit address size is supported using the prefix 67H. Using a REX prefix in the form of REX.W promotes operation on doubleword operand to 64 bits. The promoted no-operand mnemonic is STOSQ. STOSQ (and its explicit-operands variant) store a quadword from the RAX register into the destination addressed by RDI or EDI. See the summary chart at the beginning of this section for encoding data and limits.

The STOS, STOSB, STOSW, STOSD, STOSQ instructions can be preceded by the REP prefix for block loads of ECX bytes, words, or doublewords. More often, however, these instructions are used within a LOOP construct because data needs to be moved into the AL, AX, or EAX register before it can be stored. See "REP/REPE/REPZ/REPNE/REPNZ—Repeat String Operation Prefix" in this chapter for a description of the REP prefix.

Pseudo Code

(* Non-64-bit Mode: *)
IF (Byte store)
	DEST = AL;
	IF DF = 0
		(E)DI = (E)DI + 1;
	ELSE
		(E)DI = (E)DI - 1;
	FI;
ELSE IF (Word store)
	DEST = AX;
	IF DF = 0
		(E)DI = (E)DI + 2;
	ELSE
		(E)DI = (E)DI - 2;
	FI;
ELSE IF (Doubleword store)
	DEST = EAX;
	IF DF = 0
		(E)DI = (E)DI + 4;
	ELSE
		(E)DI = (E)DI - 4;
	FI;
FI;
(* 64-bit Mode: *)
IF (Byte store)
	DEST = AL;
	IF DF = 0
		(R|E)DI = (R|E)DI + 1;
	ELSE
		(R|E)DI = (R|E)DI - 1;
	FI;
ELSE IF (Word store)
	DEST = AX;
	IF DF = 0
		(R|E)DI = (R|E)DI + 2;
	ELSE
		(R|E)DI = (R|E)DI - 2;
	FI;
ELSE IF (Doubleword store)
	DEST = EAX;
	IF DF = 0
		(R|E)DI = (R|E)DI + 4;
	ELSE
		(R|E)DI = (R|E)DI - 4;
	FI;
ELSE IF (Quadword store using REX.W)
	DEST = RAX;
	IF DF = 0
		(R|E)DI = (R|E)DI + 8;
	ELSE
		(R|E)DI = (R|E)DI - 8;
	FI;
FI;
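
The operation above, extended with the REP count described earlier, modelled in portable C. This is an added example, not part of the original reference; the struct, function names, 16-byte buffer and register values are constructed for illustration. It runs the same REP STOSD with DF clear and with DF set, showing that a set DF makes the fill move toward lower addresses and leave the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: only the state STOS reads or writes. */
struct cpu { uint64_t rax, rdi, rcx; int df; };

static uint8_t demo_mem[16];   /* constructed 16-byte destination buffer */

/* One STOS of size 1, 2, 4 or 8 bytes. Returns -1 when the store would fall
   outside mem[]; the model stops there, whereas real hardware completes the
   store whenever the address is mapped and writable. */
static int stos(struct cpu *c, uint8_t *mem, uint64_t len, unsigned size)
{
    if (c->rdi > len || len - c->rdi < size)
        return -1;
    for (unsigned i = 0; i < size; i++)              /* little-endian store */
        mem[c->rdi + i] = (uint8_t)(c->rax >> (8 * i));
    c->rdi = c->df ? c->rdi - size : c->rdi + size;  /* DF selects direction */
    return 0;
}

/* REP STOS: store one element, decrement the count, stop at zero. */
static void rep_stos(struct cpu *c, uint8_t *mem, uint64_t len, unsigned size)
{
    while (c->rcx != 0 && stos(c, mem, len, size) == 0)
        c->rcx--;
}

/* Constructed scenario: REP STOSD of 4 doublewords starting at offset start. */
static struct cpu demo_run(int df, uint64_t start)
{
    struct cpu c = { 0x11223344u, start, 4, df };
    memset(demo_mem, 0xCC, sizeof demo_mem);
    rep_stos(&c, demo_mem, sizeof demo_mem, 4);
    return c;
}

int main(void)
{
    struct cpu r[3] = { demo_run(0, 0), demo_run(1, 12), demo_run(1, 0) };
    for (int i = 0; i < 3; i++)
        printf("run %d: elements left=%llu final rdi=0x%llx\n", i,
               (unsigned long long)r[i].rcx, (unsigned long long)r[i].rdi);
    return 0;
}
```

The third run is the case to look for when reviewing hand-written assembly: with DF left set and the pointer at the start of the buffer, only the first doubleword lands inside it and the remaining three would be written below it.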

Flags Affected

None.

Exceptions

64-Bit Mode Exceptions

Exception Description
#UD If the LOCK prefix is used.
#AC(0) If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.
#PF(fault-code) If a page fault occurs.
#GP(0) If the memory address is in a non-canonical form.

Compatibility Mode Exceptions

Same exceptions as in protected mode.

Virtual-8086 Mode Exceptions

Exception Description
#UD If the LOCK prefix is used.
#AC(0) If alignment checking is enabled and an unaligned memory reference is made.
#PF(fault-code) If a page fault occurs.
#GP(0) If a memory operand effective address is outside the ES segment limit.

Real-Address Mode Exceptions

Exception Description
#UD If the LOCK prefix is used.
#GP If a memory operand effective address is outside the ES segment limit.

Protected Mode Exceptions

Exception Description
#UD If the LOCK prefix is used.
#AC(0) If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.
#PF(fault-code) If a page fault occurs.
#GP(0) If the destination is located in a non-writable segment. If a memory operand effective address is outside the limit of the ES segment. If the ES register contains a NULL segment selector.