The x86 instruction set defines the commands that x86-compatible microprocessors can execute. These instructions are typically part of an executable program, stored as a computer file. Over time, the x86 instruction set has been extended with wider registers, new datatypes, and enhanced functionality, allowing for greater computing power and versatility in modern processors.
x86 integer instructions
Main article: x86 assembly language
Below is the full 8086/8088 instruction set of Intel (81 instructions total).2 These instructions are also available in 32-bit mode, in which they operate on 32-bit registers (eax, ebx, etc.) and values instead of their 16-bit (ax, bx, etc.) counterparts. The updated instruction set is grouped according to architecture (i186, i286, i386, i486, i586/i686) and is referred to as (32-bit) x86 and (64-bit) x86-64 (also known as AMD64).
Original 8086/8088 instructions
This is the original instruction set. In the 'Notes' column, r means register, m means memory address and imm means immediate (i.e. a value).
Original 8086/8088 instruction set| In-struc-tion | Meaning | Notes | Opcode |
|---|---|---|---|
| AAA | ASCII adjust AL after addition | used with unpacked binary-coded decimal | 0x37 |
| AAD | ASCII adjust AX before division | 8086/8088 datasheet documents only base 10 version of the AAD instruction (opcode 0xD5 0x0A), but any other base will work. Later Intel's documentation has the generic form too. NEC V20 and V30 (and possibly other NEC V-series CPUs) always use base 10, and ignore the argument, causing a number of incompatibilities | 0xD5 |
| AAM | ASCII adjust AX after multiplication | Only base 10 version (Operand is 0xA) is documented, see notes for AAD | 0xD4 |
| AAS | ASCII adjust AL after subtraction | 0x3F | |
| ADC | Add with carry | (1) r += (r/m/imm+CF); (2) m += (r/imm+CF); | 0x10...0x15, 0x80...0x81/2, 0x83/2 |
| ADD | Add | (1) r += r/m/imm; (2) m += r/imm; | 0x00...0x05, 0x80/0...0x81/0, 0x83/0 |
| AND | Logical AND | (1) r &= r/m/imm; (2) m &= r/imm; | 0x20...0x25, 0x80...0x81/4, 0x83/4 |
| CALL | Call procedure | push eip; eip points to the instruction directly after the call | 0x9A, 0xE8, 0xFF/2, 0xFF/3 |
| CBW | Convert byte to word | AX = AL ; sign extended | 0x98 |
| CLC | Clear carry flag | CF = 0; | 0xF8 |
| CLD | Clear direction flag | DF = 0; | 0xFC |
| CLI | Clear interrupt flag | IF = 0; | 0xFA |
| CMC | Complement carry flag | CF = !CF; | 0xF5 |
| CMP | Compare operands | (1) r - r/m/imm; (2) m - r/imm; | 0x38...0x3D, 0x80...0x81/7, 0x83/7 |
| CMPSB | Compare bytes in memory. May be used with a REPE or REPNE prefix to test and repeat the instruction CX times. | if (DF==0) *(byte*)SI++ - *(byte*)ES:DI++;else *(byte*)SI-- - *(byte*)ES:DI--; | 0xA6 |
| CMPSW | Compare words. May be used with a REPE or REPNE prefix to test and repeat the instruction CX times. | if (DF==0) *(word*)SI++ - *(word*)ES:DI++;else *(word*)SI-- - *(word*)ES:DI--; | 0xA7 |
| CWD | Convert word to doubleword | 0x99 | |
| DAA | Decimal adjust AL after addition | (used with packed binary-coded decimal) | 0x27 |
| DAS | Decimal adjust AL after subtraction | 0x2F | |
| DEC | Decrement by 1 | 0x48...0x4F, 0xFE/1, 0xFF/1 | |
| DIV | Unsigned divide | (1) AX = DX:AX / r/m; resulting DX = remainder (2) AL = AX / r/m; resulting AH = remainder | 0xF7/6, 0xF6/6 |
| ESC | Used with floating-point unit | 0xD8..0xDF | |
| HLT | Enter halt state | 0xF4 | |
| IDIV | Signed divide | (1) AX = DX:AX / r/m; resulting DX = remainder (2) AL = AX / r/m; resulting AH = remainder | 0xF7/7, 0xF6/7 |
| IMUL | Signed multiply in One-operand form | (1) DX:AX = AX * r/m; (2) AX = AL * r/m | 0xF7/5, 0xF6/5 |
| IN | Input from port | (1) AL = port[imm]; (2) AL = port[DX]; (3) AX = port[imm]; (4) AX = port[DX]; | 0xE4, 0xE5, 0xEC, 0xED |
| INC | Increment by 1 | 0x40...0x47, 0xFE/0, 0xFF/0 | |
| INT | Call to interrupt | 0xCC, 0xCD | |
| INTO | Call to interrupt if overflow | 0xCE | |
| IRET | Return from interrupt | 0xCF | |
| Jcc | Jump if condition | JA, JAE, JB, JBE, JC (same as JB), JE, JG, JGE, JL, JLE, JNA (same as JBE), JNAE (same as JB), JNB (same as JAE), JNBE, JNC (same as JAE), JNE, JNG (same as JLE), JNGE (same as JL), JNL (same as JGE), JNLE (same as JG), JNO, JNP, JNS, JNZ (same as JNE), JO, JP, JPE (same as JP), JPO (same as JNP), JS, JZ (same as JE)3 | 0x70...0x7F |
| JCXZ | Jump if CX is zero | JECXZ for ECX instead of CX in 32 bit mode (same opcode). | 0xE3 |
| JMP | Jump | 0xE9...0xEB, 0xFF/4, 0xFF/5 | |
| LAHF | Load FLAGS into AH register | 0x9F | |
| LDS | Load DS:r with far pointer | r = m; DS = 2 + m; | 0xC5 |
| LEA | Load Effective Address | 0x8D | |
| LES | Load ES:r with far pointer | r = m; ES = 2 + m; | 0xC4 |
| LOCK | Assert BUS LOCK# signal | (for multiprocessing) | 0xF0 |
| LODSB | Load string byte. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) AL = *SI++; else AL = *SI--; | 0xAC |
| LODSW | Load string word. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) AX = *SI++; else AX = *SI--; | 0xAD |
| LOOP/LOOPx | Loop control | (LOOPE, LOOPNE, LOOPNZ, LOOPZ) if (x && --CX) goto lbl; | 0xE0...0xE2 |
| MOV | Move | (1) r = r/m/imm; (2) m = r/imm; (3) r/m = sreg; (4) sreg = r/m; | 0xA0...0xA3, 0x8C, 0x8E |
| MOVSB | Move byte from string to string. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) *(byte*)ES:DI++ = *(byte*)SI++;else *(byte*)ES:DI-- = *(byte*)SI--;. | 0xA4 |
| MOVSW | Move word from string to string. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) *(word*)ES:DI++ = *(word*)SI++;else *(word*)ES:DI-- = *(word*)SI--; | 0xA5 |
| MUL | Unsigned multiply | (1) DX:AX = AX * r/m; (2) AX = AL * r/m; | 0xF7/4, 0xF6/4 |
| NEG | Two's complement negation | r/m = 0 – r/m; | 0xF6/3...0xF7/3 |
| NOP | No operation | opcode equivalent to XCHG EAX, EAX | 0x90 |
| NOT | Negate the operand, logical NOT | r/m ^= -1; | 0xF6/2...0xF7/2 |
| OR | Logical OR | (1) r ∣= r/m/imm; (2) m ∣= r/imm; | 0x08...0x0D, 0x80...0x81/1, 0x83/1 |
| OUT | Output to port | (1) port[imm] = AL; (2) port[DX] = AL; (3) port[imm] = AX; (4) port[DX] = AX; | 0xE6, 0xE7, 0xEE, 0xEF |
| POP | Pop data from stack | r/m/sreg = *SP++; | 0x07, 0x17, 0x1F, 0x58...0x5F, 0x8F/0 |
| POPF | Pop FLAGS register from stack | FLAGS = *SP++; | 0x9D |
| PUSH | Push data onto stack | *--SP = r/m/sreg; | 0x06, 0x0E, 0x16, 0x1E, 0x50...0x57, 0xFF/6 |
| PUSHF | Push FLAGS onto stack | *--SP = FLAGS; | 0x9C |
| RCL | Rotate left (with carry) | 0xC0...0xC1/2 (186+), 0xD0...0xD3/2 | |
| RCR | Rotate right (with carry) | 0xC0...0xC1/3 (186+), 0xD0...0xD3/3 | |
| REPxx | Repeat MOVS/STOS/CMPS/LODS/SCAS | (REP, REPE, REPNE, REPNZ, REPZ) | 0xF2, 0xF3 |
| RET | Return from procedure | Not a real instruction. The assembler will translate these to a RETN or a RETF depending on the memory model of the target system. | |
| RETN | Return from near procedure | 0xC2, 0xC3 | |
| RETF | Return from far procedure | 0xCA, 0xCB | |
| ROL | Rotate left | 0xC0...0xC1/0 (186+), 0xD0...0xD3/0 | |
| ROR | Rotate right | 0xC0...0xC1/1 (186+), 0xD0...0xD3/1 | |
| SAHF | Store AH into FLAGS | 0x9E | |
| SAL | Shift Arithmetically left (signed shift left) | (1) r/m <<= 1; (2) r/m <<= CL; | 0xC0...0xC1/4 (186+), 0xD0...0xD3/4 |
| SAR | Shift Arithmetically right (signed shift right) | (1) (signed) r/m >>= 1; (2) (signed) r/m >>= CL; | 0xC0...0xC1/7 (186+), 0xD0...0xD3/7 |
| SBB | Subtraction with borrow | (1) r -= (r/m/imm+CF); (2) m -= (r/imm+CF); alternative 1-byte encoding of SBB AL, AL is available via undocumented SALC instruction | 0x18...0x1D, 0x80...0x81/3, 0x83/3 |
| SCASB | Compare byte string. May be used with a REPE or REPNE prefix to test and repeat the instruction CX times. | if (DF==0) AL - *ES:DI++; else AL - *ES:DI--; | 0xAE |
| SCASW | Compare word string. May be used with a REPE or REPNE prefix to test and repeat the instruction CX times. | if (DF==0) AX - *ES:DI++; else AX - *ES:DI--; | 0xAF |
| SHL | Shift left (unsigned shift left) | Same opcode as SAL, since logical left shifts are equal to arithmetical left shifts. | 0xC0...0xC1/4 (186+), 0xD0...0xD3/4 |
| SHR | Shift right (unsigned shift right) | 0xC0...0xC1/5 (186+), 0xD0...0xD3/5 | |
| STC | Set carry flag | CF = 1; | 0xF9 |
| STD | Set direction flag | DF = 1; | 0xFD |
| STI | Set interrupt flag | IF = 1; | 0xFB |
| STOSB | Store byte in string. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) *ES:DI++ = AL; else *ES:DI-- = AL; | 0xAA |
| STOSW | Store word in string. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) *ES:DI++ = AX; else *ES:DI-- = AX; | 0xAB |
| SUB | Subtraction | (1) r -= r/m/imm; (2) m -= r/imm; | 0x28...0x2D, 0x80...0x81/5, 0x83/5 |
| TEST | Logical compare (AND) | (1) r & r/m/imm; (2) m & r/imm; | 0x84, 0x85, 0xA8, 0xA9, 0xF6/0, 0xF7/0 |
| WAIT | Wait until not busy | Waits until BUSY# pin is inactive (used with floating-point unit) | 0x9B |
| XCHG | Exchange data | r :=: r/m; A spinlock typically uses xchg as an atomic operation. (coma bug). | 0x86, 0x87, 0x91...0x97 |
| XLAT | Table look-up translation | behaves like MOV AL, [BX+AL] | 0xD7 |
| XOR | Exclusive OR | (1) r ^+= r/m/imm; (2) m ^= r/imm; | 0x30...0x35, 0x80...0x81/6, 0x83/6 |
Added in specific processors
Added with 80186/80188
| Instruction | Opcode | Meaning | Notes |
|---|---|---|---|
| BOUND | 62 /r | Check array index against bounds | raises software interrupt 5 if test fails |
| ENTER | C8 iw ib | Enter stack frame | Modifies stack for entry to procedure for high level language. Takes two operands: the amount of storage to be allocated on the stack and the nesting level of the procedure. |
| INSB/INSW | 6C | Input from port to string. May be used with a REP prefix to repeat the instruction CX times. | equivalent to:IN AL, DXMOV ES:[DI], ALINC DI ; adjust DI according to operand size and DF |
| 6D | |||
| LEAVE | C9 | Leave stack frame | Releases the local stack storage created by the previous ENTER instruction. |
| OUTSB/OUTSW | 6E | Output string to port. May be used with a REP prefix to repeat the instruction CX times. | equivalent to:MOV AL, DS:[SI]OUT DX, ALINC SI ; adjust SI according to operand size and DF |
| 6F | |||
| POPA | 61 | Pop all general purpose registers from stack | equivalent to:POP DIPOP SIPOP BPPOP AX ; no POP SP here, all it does is ADD SP, 2 (since AX will be overwritten later)POP BXPOP DXPOP CXPOP AX |
| PUSHA | 60 | Push all general purpose registers onto stack | equivalent to:PUSH AXPUSH CXPUSH DXPUSH BXPUSH SP ; The value stored is the initial SP valuePUSH BPPUSH SIPUSH DI |
| PUSH immediate | 6A ib | Push an immediate byte/word value onto the stack | example:PUSH 12hPUSH 1200h |
| 68 iw | |||
| IMUL immediate | 6B /r ib | Signed and unsigned multiplication of immediate byte/word value | example:IMUL BX,12hIMUL DX,1200hIMUL CX, DX, 12hIMUL BX, SI, 1200hIMUL DI, word ptr [BX+SI], 12hIMUL SI, word ptr [BP-4], 1200h Note that since the lower half is the same for unsigned and signed multiplication, this version of the instruction can be used for unsigned multiplication as well. |
| 69 /r iw | |||
| SHL/SHR/SAL/SAR/ROL/ROR/RCL/RCR immediate | C0 | Rotate/shift bits with an immediate value greater than 1 | example:ROL AX,3SHR BL,3 |
| C1 |
Added with 80286
The new instructions added in 80286 add support for x86 protected mode. Some but not all of the instructions are available in real mode as well.
| Instruction | Opcode | Instruction description | Real mode | Ring |
|---|---|---|---|---|
| LGDT m16&324 | 0F 01 /2 | Load GDTR (Global Descriptor Table Register) from memory.5 | Yes | 0 |
| LIDT m16&326 | 0F 01 /3 | Load IDTR (Interrupt Descriptor Table Register) from memory.7The IDTR controls not just the address/size of the IDT (interrupt Descriptor Table) in protected mode, but the IVT (Interrupt Vector Table) in real mode as well. | ||
| LMSW r/m16 | 0F 01 /6 | Load MSW (Machine Status Word) from 16-bit register or memory.89 | ||
| CLTS | 0F 06 | Clear task-switched flag in the MSW. | ||
| LLDT r/m16 | 0F 00 /2 | Load LDTR (Local Descriptor Table Register) from 16-bit register or memory.10 | #UD | |
| LTR r/m16 | 0F 00 /3 | Load TR (Task Register) from 16-bit register or memory.11 The TSS (Task State Segment) specified by the 16-bit argument is marked busy, but a task switch is not done. | ||
| SGDT m16&3212 | 0F 01 /0 | Store GDTR to memory. | Yes | Usually 313 |
| SIDT m16&3214 | 0F 01 /1 | Store IDTR to memory. | ||
| SMSW r/m16 | 0F 01 /4 | Store MSW to register or 16-bit memory.15 | ||
| SLDT r/m16 | 0F 00 /0 | Store LDTR to register or 16-bit memory.16 | #UD | |
| STR r/m16 | 0F 00 /1 | Store TR to register or 16-bit memory.17 | ||
| ARPL r/m16,r16 | 63 /r18 | Adjust RPL (Requested Privilege Level) field of selector. The operation performed is:if (dst & 3) < (src & 3) then dst = (dst & 0xFFFC) | (src & 3) eflags.zf = 1else eflags.zf = 0 | #UD19 | 3 |
| LAR r,r/m16 | 0F 02 /r | Load access rights byte from the specified segment descriptor.Reads bytes 4-7 of segment descriptor, bitwise-ANDs it with 0x00FxFF00,20 then stores the bottom 16/32 bits of the result in destination register. Sets EFLAGS.ZF=1 if the descriptor could be loaded, ZF=0 otherwise.21 | #UD | |
| LSL r,r/m16 | 0F 03 /r | Load segment limit from the specified segment descriptor. Sets ZF=1 if the descriptor could be loaded, ZF=0 otherwise.22 | ||
| VERR r/m16 | 0F 00 /4 | Verify a segment for reading. Sets ZF=1 if segment can be read, ZF=0 otherwise. | ||
| VERW r/m16 | 0F 00 /5 | Verify a segment for writing. Sets ZF=1 if segment can be written, ZF=0 otherwise.23 | ||
| LOADALL24 | 0F 05 | Load all CPU registers from a 102-byte data structure starting at physical address 800h, including "hidden" part of segment descriptor registers. | Yes | 0 |
| STOREALL25 | F1 0F 04 | Store all CPU registers to a 102-byte data structure starting at physical address 800h, then shut down CPU. | ||
Added with 80386
The 80386 added support for 32-bit operation to the x86 instruction set. This was done by widening the general-purpose registers to 32 bits and introducing the concepts of OperandSize and AddressSize – most instruction forms that would previously take 16-bit data arguments were given the ability to take 32-bit arguments by setting their OperandSize to 32 bits, and instructions that could take 16-bit address arguments were given the ability to take 32-bit address arguments by setting their AddressSize to 32 bits. (Instruction forms that work on 8-bit data continue to be 8-bit regardless of OperandSize. Using a data size of 16 bits will cause only the bottom 16 bits of the 32-bit general-purpose registers to be modified – the top 16 bits are left unchanged.)
The default OperandSize and AddressSize to use for each instruction is given by the D bit of the segment descriptor of the current code segment - D=0 makes both 16-bit, D=1 makes both 32-bit. Additionally, they can be overridden on a per-instruction basis with two new instruction prefixes that were introduced in the 80386:
- 66h: OperandSize override. Will change OperandSize from 16-bit to 32-bit if CS.D=0, or from 32-bit to 16-bit if CS.D=1.
- 67h: AddressSize override. Will change AddressSize from 16-bit to 32-bit if CS.D=0, or from 32-bit to 16-bit if CS.D=1.
The 80386 also introduced the two new segment registers FS and GS as well as the x86 control, debug and test registers.
The new instructions introduced in the 80386 can broadly be subdivided into two classes:
- Pre-existing opcodes that needed new mnemonics for their 32-bit OperandSize variants (e.g. CWDE, LODSD)
- New opcodes that introduced new functionality (e.g. SHLD, SETcc)
For instruction forms where the operand size can be inferred from the instruction's arguments (e.g. ADD EAX,EBX can be inferred to have a 32-bit OperandSize due to its use of EAX as an argument), new instruction mnemonics are not needed and not provided.
80386: new instruction mnemonics for 32-bit variants of older opcodes| Type | Instruction mnemonic | Opcode | Description | Mnemonic for older 16-bit variant | Ring |
|---|---|---|---|---|---|
| String instructions2627 | LODSD | AD | Load string doubleword: EAX := DS:[rSI±±] | LODSW | 3 |
| STOSD | AB | Store string doubleword: ES:[rDI±±] := EAX | STOSW | ||
| MOVSD | A5 | Move string doubleword: ES:[rDI±±] := DS:[rSI±±] | MOVSW | ||
| CMPSD | A7 | Compare string doubleword: temp1 := DS:[rSI±±]temp2 := ES:[rDI±±]CMP temp1, temp2 /* 32-bit compare and set EFLAGS */ | CMPSW | ||
| SCASD | AF | Scan string doubleword: temp1 := ES:[rDI±±]CMP EAX, temp1 /* 32-bit compare and set EFLAGS */ | SCASW | ||
| INSD | 6D | Input string from doubleword I/O port:ES:[rDI±±] := port[DX]28 | INSW | Usually 029 | |
| OUTSD | 6F | Output string to doubleword I/O port:port[DX] := DS:[rSI±±] | OUTSW | ||
| Other | CWDE | 98 | Sign-extend 16-bit value in AX to 32-bit value in EAX30 | CBW | 3 |
| CDQ | 99 | Sign-extend 32-bit value in EAX to 64-bit value in EDX:EAX. Mainly used to prepare a dividend for the 32-bit IDIV (signed divide) instruction. | CWD | ||
| JECXZ rel8 | E3 cb31 | Jump if ECX is zero | JCXZ | ||
| PUSHAD | 60 | Push all 32-bit registers onto stack32 | PUSHA | ||
| POPAD | 61 | Pop all 32-bit general-purpose registers off stack33 | POPA | ||
| PUSHFD | 9C | Push 32-bit EFLAGS register onto stack | PUSHF | Usually 334 | |
| POPFD | 9D | Pop 32-bit EFLAGS register off stack | POPF | ||
| IRETD | CF | 32-bit interrupt return. Differs from the older 16-bit IRET instruction in that it will pop interrupt return items (EIP,CS,EFLAGS; also ESP35 and SS if there is a CPL change; and also ES,DS,FS,GS if returning to virtual 8086 mode) off the stack as 32-bit items instead of 16-bit items. Should be used to return from interrupts when the interrupt handler was entered through a 32-bit IDT interrupt/trap gate. Instruction is serializing. | IRET | ||
| Instruction mnemonics | Opcode | Description | Ring |
|---|---|---|---|
| BT r/m, r | 0F A3 /r | Bit Test.36 Second operand specifies which bit of the first operand to test. The bit to test is copied to EFLAGS.CF. | 3 |
| BT r/m, imm8 | 0F BA /4 ib | ||
| BTS r/m, r | 0F AB /r | Bit Test-and-set.3738 Second operand specifies which bit of the first operand to test and set. | |
| BTS r/m, imm8 | 0F BA /5 ib | ||
| BTR r/m, r | 0F B3 /r | Bit Test and Reset.3940 Second operand specifies which bit of the first operand to test and clear. | |
| BTR r/m, imm8 | 0F BA /6 ib | ||
| BTC r/m, r | 0F BB /r | Bit Test and Complement.4142 Second operand specifies which bit of the first operand to test and toggle. | |
| BTC r/m, imm8 | 0F BA /7 ib | ||
| BSF r, r/m | NFx 0F BC /r43 | Bit scan forward. Returns bit index of lowest set bit in input.44 | 3 |
| BSR r, r/m | NFx 0F BD /r45 | Bit scan reverse. Returns bit index of highest set bit in input.46 | |
| SHLD r/m, r, imm8 | 0F A4 /r ib | Shift Left Double.The operation of SHLD arg1,arg2,shamt is:arg1 := (arg1<<shamt) | (arg2>>(operand_size - shamt))47 | |
| SHLD r/m, r, CL | 0F A5 /r | ||
| SHRD r/m, r, imm8 | 0F AC /r ib | Shift Right Double.The operation of SHRD arg1,arg2,shamt is:arg1 := (arg1>>shamt) | (arg2<<(operand_size - shamt))48 | |
| SHRD r/m, r, CL | 0F AD /r | ||
| MOVZX reg, r/m8 | 0F B6 /r | Move from 8/16-bit source to 16/32-bit register with zero-extension. | 3 |
| MOVZX reg, r/m16 | 0F B7 /r | ||
| MOVSX reg, r/m8 | 0F BE /r | Move from 8/16-bit source to 16/32/64-bit register with sign-extension. | |
| MOVSX reg, r/m16 | 0F BF /r | ||
| SETcc r/m8 | 0F 9x /04950 | Set byte to 1 if condition is satisfied, 0 otherwise. | |
| Jcc rel16Jcc rel32 | 0F 8x cw0F 8x cd51 | Conditional jump near. Differs from older variants of conditional jumps in that they accept a 16/32-bit offset rather than just an 8-bit offset. | |
| IMUL r, r/m | 0F AF /r | Two-operand non-widening integer multiply. | |
| FS: | 64 | Segment-override prefixes for FS and GS segment registers. | 3 |
| GS: | 65 | ||
| PUSH FS | 0F A0 | Push/pop FS and GS segment registers. | |
| POP FS | 0F A1 | ||
| PUSH GS | 0F A8 | ||
| POP GS | 0F A9 | ||
| LFS r16, m16&16LFS r32, m32&16 | 0F B4 /r | Load far pointer from memory. Offset part is stored in destination register argument, segment part in FS/GS/SS segment register as indicated by the instruction mnemonic.52 | |
| LGS r16, m16&16LGS r32, m32&16 | 0F B5 /r | ||
| LSS r16, m16&16LSS r32, m32&16 | 0F B2 /r | ||
| MOV reg,CRx | 0F 20 /r53 | Move from control register to general register.54 | 0 |
| MOV CRx,reg | 0F 22 /r55 | Move from general register to control register.56 Moves to the CR3 control register are serializing and will flush the TLB.57 On Pentium and later processors, moves to the CR0 and CR4 control registers are also serializing.58 | |
| MOV reg,DRx | 0F 21 /r59 | Move from x86 debug register to general register.60 | |
| MOV DRx,reg | 0F 23 /r61 | Move from general register to x86 debug register.62 On Pentium and later processors, moves to the DR0-DR7 debug registers are serializing. | |
| MOV reg,TRx | 0F 24 /r63 | Move from x86 test register to general register.64 | |
| MOV TRx,reg | 0F 26 /r65 | Move from general register to x86 test register.66 | |
| ICEBP, INT01, INT167 | F1 | In-circuit emulation breakpoint. Performs software interrupt #1 if executed when not using in-circuit emulation.68 | 3 |
| UMOV r/m, r8 | 0F 10 /r | User Move – perform data moves that can access user memory while in In-circuit emulation HALT mode. Performs same operation as MOV if executed when not doing in-circuit emulation.69 | |
| UMOV r/m, r16/32 | 0F 11 /r | ||
| UMOV r8, r/m | 0F 12 /r | ||
| UMOV r16/32, r/m | 0F 13 /r | ||
| XBTS reg,r/m | 0F A6 /r | Bitfield extract (early 386 only).7071 | |
| IBTS r/m,reg | 0F A7 /r | Bitfield insert (early 386 only).7273 | |
| LOADALLD, LOADALL38674 | 0F 07 | Load all CPU registers from a 296-byte data structure starting at ES:EDI, including "hidden" part of segment descriptor registers. | 0 |
Added with 80486
| Instruction | Opcode | Description | Ring |
|---|---|---|---|
| BSWAP r32 | 0F C8+r | Byte Order Swap. Usually used to convert between big-endian and little-endian data representations. For 32-bit registers, the operation performed is:r = (r << 24) | ((r << 8) & 0x00FF0000) | ((r >> 8) & 0x0000FF00) | (r >> 24); Using BSWAP with a 16-bit register argument produces an undefined result.75 | 3 |
| CMPXCHG r/m8,r8 | 0F B0 /r76 | Compare and Exchange. If accumulator (AL/AX/EAX/RAX) compares equal to first operand,77 then EFLAGS.ZF is set to 1 and the first operand is overwritten with the second operand. Otherwise, EFLAGS.ZF is set to 0, and first operand is copied into the accumulator. Instruction atomic only if used with LOCK prefix. | |
| CMPXCHG r/m,r16CMPXCHG r/m,r32 | 0F B1 /r78 | ||
| XADD r/m,r8 | 0F C0 /r | eXchange and ADD. Exchanges the first operand with the second operand, then stores the sum of the two values into the destination operand. Instruction atomic only if used with LOCK prefix. | |
| XADD r/m,r16XADD r/m,r32 | 0F C1 /r | ||
| INVLPG m8 | 0F 01 /7 | Invalidate the TLB entries that would be used for the 1-byte memory operand.79 Instruction is serializing. | 0 |
| INVD | 0F 08 | Invalidate Internal Caches.80 Modified data in the cache are not written back to memory, potentially causing data loss.81 | |
| WBINVD | NFx 0F 0982 | Write Back and Invalidate Cache.83 Writes back all modified cache lines in the processor's internal cache to main memory and invalidates the internal caches. |
Added in P5/P6-class processors
Integer/system instructions that were not present in the basic 80486 instruction set, but were added in various x86 processors prior to the introduction of SSE. (Discontinued instructions are not included.)
| Instruction | Opcode | Description | Ring | Added in |
|---|---|---|---|---|
| RDMSR | 0F 32 | Read Model-specific register. The MSR to read is specified in ECX. The value of the MSR is then returned as a 64-bit value in EDX:EAX.84 | 0 | IBM 386SLC,85Intel Pentium,AMD K5,Cyrix 6x86MX,MediaGXm,IDT WinChip C6,Transmeta Crusoe,DM&P Vortex86DX3 |
| WRMSR | 0F 30 | Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX.86 Instruction is, with some exceptions, serializing.87 | ||
| RSM88 | 0F AA | Resume from System Management Mode. Instruction is serializing. | -2(SMM) | Intel 386SL,8990 486SL,91Intel Pentium,AMD 5x86,Cyrix 486SLC/e,92IDT WinChip C6,Transmeta Crusoe,Rise mP6 |
| CPUID | 0F A2 | CPU Identification and feature information. Takes as input a CPUID leaf index in EAX and, depending on leaf, a sub-index in ECX. Result is returned in EAX,EBX,ECX,EDX.93 Instruction is serializing, and causes a mandatory #VMEXIT under virtualization. Support for CPUID can be checked by toggling bit 21 of EFLAGS (EFLAGS.ID) – if this bit can be toggled, CPUID is present. | Usually 394 | Intel Pentium,95AMD 5x86,96Cyrix 5x86,97IDT WinChip C6,Transmeta Crusoe,Rise mP6,NexGen Nx586,98UMC Green CPU |
| CMPXCHG8B m64 | 0F C7 /1 | Compare and Exchange 8 bytes. Compares EDX:EAX with m64. If equal, set ZF99 and store ECX:EBX into m64. Else, clear ZF and load m64 into EDX:EAX. Instruction atomic only if used with LOCK prefix.100 | 3 | Intel Pentium,AMD K5,Cyrix 6x86L,MediaGXm,IDT WinChip C6,101Transmeta Crusoe,102Rise mP6103 |
| RDTSC | 0F 31 | Read 64-bit Time Stamp Counter (TSC) into EDX:EAX.104105 In early processors, the TSC was a cycle counter, incrementing by 1 for each clock cycle (which could cause its rate to vary on processors that could change clock speed at runtime) – in later processors, it increments at a fixed rate that doesn't necessarily match the CPU clock speed.106 | Usually 3107 | Intel Pentium,AMD K5,Cyrix 6x86MX,MediaGXm,IDT WinChip C6,Transmeta Crusoe,Rise mP6 |
| RDPMC | 0F 33 | Read Performance Monitoring Counter. The counter to read is specified by ECX and its value is returned in EDX:EAX.108109 | Usually 3110 | Intel Pentium MMX,Intel Pentium Pro,AMD K7,Cyrix 6x86MX,IDT WinChip C6,AMD Geode LX,VIA Nano111 |
| CMOVcc reg,r/m | 0F 4x /r112 | Conditional move to register. The source operand may be either register or memory.113 | 3 | Intel Pentium Pro,AMD K7,Cyrix 6x86MX,MediaGXm,Transmeta Crusoe,VIA C3 "Nehemiah",114DM&P Vortex86DX3 |
| NOP r/m,NOPL r/m | NFx 0F 1F /0115 | Official long NOP. Other than AMD K7/K8, broadly unsupported in non-Intel processors released before 2005.116117 | 3 | Intel Pentium Pro,118AMD K7, x86-64,119VIA C7120 |
| UD2,121UD2A122 | 0F 0B | Undefined Instructions – will generate an invalid opcode (#UD) exception in all operating modes.123 These instructions are provided for software testing to explicitly generate invalid opcodes. The opcodes for these instructions are reserved for this purpose. | (3) | (80186),124Intel Pentium125 |
| UD1 reg,r/m,126UD2B reg,r/m127 | 0F B9,0F B9 /r128 | |||
| OIO,UD0,UD0 reg,r/m129 | 0F FF,0F FF /r130 | (80186),131Cyrix 6x86,132AMD K5133 | ||
| SYSCALL | 0F 05 | Fast System call. | 3 | AMD K6,134x86-64135136 |
| SYSRET | 0F 07137 | Fast Return from System Call. Designed to be used together with SYSCALL. | 0138 | |
| SYSENTER | 0F 34 | Fast System call. | 3139 | Intel Pentium II,140AMD K7,141142Transmeta Crusoe,143NatSemi Geode GX2,VIA C3 "Nehemiah",144DM&P Vortex86DX3 |
| SYSEXIT | 0F 35145 | Fast Return from System Call. Designed to be used together with SYSENTER. | 0146 | |
Added as instruction set extensions
Added with x86-64
These instructions can only be encoded in 64 bit mode. They fall in four groups:
- original instructions that reuse existing opcodes for a different purpose (MOVSXD replacing ARPL)
- original instructions with new opcodes (SWAPGS)
- existing instructions extended to a 64 bit address size (JRCXZ)
- existing instructions extended to a 64 bit operand size (remaining instructions)
Most instructions with a 64 bit operand size encode this using a REX.W prefix; in the absence of the REX.W prefix, the corresponding instruction with 32 bit operand size is encoded. This mechanism also applies to most other instructions with 32 bit operand size. These are not listed here as they do not gain a new mnemonic in Intel syntax when used with a 64 bit operand size.
| Instruction | Encoding | Meaning | Ring |
|---|---|---|---|
| CDQE | REX.W 98 | Sign extend EAX into RAX | 3 |
| CQO | REX.W 99 | Sign extend RAX into RDX:RAX | |
| CMPSQ | REX.W A7 | CoMPare String Quadword | |
| CMPXCHG16B m128147148 | REX.W 0F C7 /1 | CoMPare and eXCHanGe 16 Bytes.Atomic only if used with LOCK prefix. | |
| IRETQ | REX.W CF | 64-bit Return from Interrupt | |
| JRCXZ rel8 | E3 cb | Jump if RCX is zero | |
| LODSQ | REX.W AD | LoaD String Quadword | |
| MOVSXD r64,r/m32 | REX.W 63 /r149 | MOV with Sign Extend 32-bit to 64-bit | |
| MOVSQ | REX.W A5 | Move String Quadword | |
| POPFQ | 9D | POP RFLAGS Register | |
| PUSHFQ | 9C | PUSH RFLAGS Register | |
| SCASQ | REX.W AF | SCAn String Quadword | |
| STOSQ | REX.W AB | STOre String Quadword | |
| SWAPGS | 0F 01 F8 | Exchange GS base with KernelGSBase MSR | 0 |
Bit manipulation extensions
Main article: X86 Bit manipulation instruction set
Bit manipulation instructions. For all of the VEX-encoded instructions defined by BMI1 and BMI2, the operand size may be 32 or 64 bits, controlled by the VEX.W bit – none of these instructions are available in 16-bit variants. The VEX-encoded instructions are not available in Real Mode and Virtual-8086 mode - other than that, the bit manipulation instructions are available in all operating modes on supported CPUs.
| Bit Manipulation Extension | Instructionmnemonics | Opcode | Instruction description | Added in |
|---|---|---|---|---|
| ABM (LZCNT)150Advanced Bit Manipulation | POPCNT r16,r/m16POPCNT r32,r/m32 | F3 0F B8 /r | Population Count. Counts the number of bits that are set to 1 in its source argument. | K10,Bobcat,Haswell,ZhangJiang,Gracemont |
| POPCNT r64,r/m64 | F3 REX.W 0F B8 /r | |||
| LZCNT r16,r/m16LZCNT r32,r/m32 | F3 0F BD /r | Count Leading zeroes.151If source operand is all-0s, then LZCNT will return operand size in bits (16/32/64) and set CF=1. | ||
| LZCNT r64,r/m64 | F3 REX.W 0F BD /r | |||
| BMI1Bit Manipulation Instruction Set 1 | TZCNT r16,r/m16TZCNT r32,r/m32 | F3 0F BC /r | Count Trailing zeroes.152If source operand is all-0s, then TZCNT will return operand size in bits (16/32/64) and set CF=1. | Haswell,Piledriver,Jaguar,ZhangJiang,Gracemont |
| TZCNT r64,r/m64 | F3 REX.W 0F BC /r | |||
| ANDN ra,rb,r/m | VEX.LZ.0F38 F2 /r | Bitwise AND-NOT: ra = r/m AND NOT(rb) | ||
| BEXTR ra,r/m,rb | VEX.LZ.0F38 F7 /r | Bitfield extract. Bitfield start position is specified in bits [7:0] of rb, length in bits[15:8] of rb. The bitfield is then extracted from the r/m value with zero-extension, then stored in ra. Equivalent to153mask = (1 << rb[15:8]) - 1ra = (r/m >> rb[7:0]) AND mask | ||
| BLSI reg,r/m | VEX.LZ.0F38 F3 /3 | Extract lowest set bit in source argument. Returns 0 if source argument is 0. Equivalent todst = (-src) AND src | ||
| BLSMSK reg,r/m | VEX.LZ.0F38 F3 /2 | Generate a bitmask of all-1s bits up to the lowest bit position with a 1 in the source argument. Returns all-1s if source argument is 0. Equivalent to dst = (src-1) XOR src | ||
| BLSR reg,r/m | VEX.LZ.0F38 F3 /1 | Copy all bits of the source argument, then clear the lowest set bit. Equivalent todst = (src-1) AND src | ||
| BMI2Bit Manipulation Instruction Set 2 | BZHI ra,r/m,rb | VEX.LZ.0F38 F5 /r | Zero out high-order bits in r/m starting from the bit position specified in rb, then write result to rd. Equivalent tora = r/m AND NOT(-1 << rb[7:0]) | Haswell,Excavator,154ZhangJiang,Gracemont |
| MULX ra,rb,r/m | VEX.LZ.F2.0F38 F6 /r | Widening unsigned integer multiply without setting flags. Multiplies EDX/RDX with r/m, then stores the low half of the multiplication result in ra and the high half in rb. If ra and rb specify the same register, only the high half of the result is stored. | ||
| PDEP ra,rb,r/m | VEX.LZ.F2.0F38 F5 /r | Parallel Bit Deposit. Scatters contiguous bits from rb to the bit positions set in r/m, then stores result to ra. Operation performed is:ra=0; k=0; mask=r/mfor i=0 to opsize-1 do if (mask[i] == 1) then ra[i]=rb[k]; k=k+1 | ||
| PEXT ra,rb,r/m | VEX.LZ.F3.0F38 F5 /r | Parallel Bit Extract. Uses r/m argument as a bit mask to select bits in rb, then compacts the selected bits into a contiguous bit-vector. Operation performed is:ra=0; k=0; mask=r/mfor i=0 to opsize-1 do if (mask[i] == 1) then ra[k]=rb[i]; k=k+1 | ||
| RORX reg,r/m,imm8 | VEX.LZ.F2.0F3A F0 /r ib | Rotate right by immediate without affecting flags. | ||
| SARX ra,r/m,rb | VEX.LZ.F3.0F38 F7 /r | Arithmetic shift right without updating flags.For SARX, SHRX and SHLX, the shift-amount specified in rb is masked to 5 bits for 32-bit operand size and 6 bits for 64-bit operand size. | ||
| SHRX ra,r/m,rb | VEX.LZ.F2.0F38 F7 /r | Logical shift right without updating flags. | ||
| SHLX ra,r/m,rb | VEX.LZ.66.0F38 F7 /r | Shift left without updating flags. | ||
Added with Intel TSX
Main article: Transactional Synchronization Extensions
| TSX Subset | Instruction | Opcode | Description | Added in |
|---|---|---|---|---|
| RTMRestricted Transactional memory | XBEGIN rel16XBEGIN rel32 | C7 F8 cwC7 F8 cd | Start transaction. If transaction fails, perform a branch to the given relative offset. | Haswell(Deprecated on desktop/laptop CPUs from 10th generation (Ice Lake, Comet Lake) onwards, but continues to be available on Xeon-branded server parts (e.g. Ice Lake-SP, Sapphire Rapids)) |
| XABORT imm8 | C6 F8 ib | Abort transaction with 8-bit immediate as error code. | ||
| XEND | NP 0F 01 D5 | End transaction. | ||
| XTEST | NP 0F 01 D6 | Test if in transactional execution. Sets EFLAGS.ZF to 0 if executed inside a transaction (RTM or HLE), 1 otherwise. | ||
| HLEHardware Lock Elision | XACQUIRE | F2 | Instruction prefix to indicate start of hardware lock elision, used with memory atomic instructions only (for other instructions, the F2 prefix may have other meanings). When used with such instructions, may start a transaction instead of performing the memory atomic operation. | Haswell(Discontinued – the last processors to support HLE were Coffee Lake and Cascade Lake) |
| XRELEASE | F3 | Instruction prefix to indicate end of hardware lock elision, used with memory atomic/store instructions only (for other instructions, the F3 prefix may have other meanings). When used with such instructions during hardware lock elision, will end the associated transaction instead of performing the store/atomic. | ||
| TSXLDTRKLoad Address Tracking suspend/resume | XSUSLDTRK | F2 0F 01 E8 | Suspend Tracking Load Addresses | Sapphire Rapids |
| XRESLDTRK | F2 0F 01 E9 | Resume Tracking Load Addresses | ||
Added with Intel CET
Intel CET (Control-Flow Enforcement Technology) adds two distinct features to help protect against security exploits such as return-oriented programming: a shadow stack (CET_SS), and indirect branch tracking (CET_IBT).
| CET Subset | Instruction | Opcode | Description | Ring | Added in |
|---|---|---|---|---|---|
| CET_SSShadow stack.When shadow stacks are enabled, return addresses are pushed on both the regular stack and the shadow stack when a function call is made. They are then both popped on return from the function call – if they do not match, then the stack is assumed to be corrupted, and a #CP exception is issued.The shadow stack is additionally required to be stored in specially marked memory pages which cannot be modified by normal memory store instructions. | INCSSPD r32 | F3 0F AE /5 | Increment shadow stack pointer | 3 | Tiger Lake,Zen 3 |
| INCSSPQ r64 | F3 REX.W 0F AE /5 | ||||
| RDSSPD r32 | F3 0F 1E /1 | Read shadow stack pointer into register (low 32 bits)155 | |||
| RDSSPQ r64 | F3 REX.W 0F 1E /1 | Read shadow stack pointer into register (full 64 bits)156 | |||
| SAVEPREVSSP | F3 0F 01 EA | Save previous shadow stack pointer | |||
| RSTORSSP m64 | F3 0F 01 /5 | Restore saved shadow stack pointer | |||
| WRSSD m32,r32 | NP 0F 38 F6 /r | Write 4 bytes to shadow stack | |||
| WRSSQ m64,r64 | NP REX.W 0F 38 F6 /r | Write 8 bytes to shadow stack | |||
| WRUSSD m32,r32 | 66 0F 38 F5 /r | Write 4 bytes to user shadow stack | 0 | ||
| WRUSSQ m64,r64 | 66 REX.W 0F 38 F5 /r | Write 8 bytes to user shadow stack | |||
| SETSSBSY | F3 0F 01 E8 | Mark shadow stack busy | |||
| CLRSSBSY m64 | F3 0F AE /6 | Clear shadow stack busy flag | |||
| CET_IBTIndirect Branch Tracking.When IBT is enabled, an indirect branch (jump, call, return) to any instruction that is not an ENDBR32/64 instruction will cause a #CP exception. | ENDBR32 | F3 0F 1E FB | Terminate indirect branch in 32-bit mode157 | 3 | Tiger Lake |
| ENDBR64 | F3 0F 1E FA | Terminate indirect branch in 64-bit mode158 | |||
| NOTRACK | 3E159 | Prefix used with indirect CALL/JMP near instructions (opcodes FF /2 and FF /4) to indicate that the branch target is not required to start with an ENDBR32/64 instruction. Prefix only honored when NO_TRACK_EN flag is set. | |||
Added with XSAVE
The XSAVE instruction set extensions are designed to save/restore CPU extended state (typically for the purpose of context switching) in a manner that can be extended to cover new instruction set extensions without the OS context-switching code needing to understand the specifics of the new extensions. This is done by defining a series of state-components, each with a size and offset within a given save area, and each corresponding to a subset of the state needed for one CPU extension or another. The EAX=0Dh CPUID leaf is used to provide information about which state-components the CPU supports and what their sizes/offsets are, so that the OS can reserve the proper amount of space and set the associated enable-bits.
| XSAVE Extension | Instructionmnemonics | Opcode160 | Instruction description | Ring | Added in |
|---|---|---|---|---|---|
| XSAVEProcessor Extended State Save/Restore. | XSAVE memXSAVE64 mem | NP 0F AE /4NP REX.W 0F AE /4 | Save state components specified by bitmap in EDX:EAX to memory. | 3 | Penryn,161Bulldozer,Jaguar,Goldmont,ZhangJiang |
| XRSTOR memXRSTOR64 mem | NP 0F AE /5NP REX.W 0F AE /5 | Restore state components specified by EDX:EAX from memory. | |||
| XGETBV | NP 0F 01 D0 | Get value of Extended Control Register.Reads an XCR specified by ECX into EDX:EAX.162 | |||
| XSETBV | NP 0F 01 D1 | Set Extended Control Register.163Write the value in EDX:EAX to the XCR specified by ECX. | 0 | ||
| XSAVEOPTProcessor Extended State Save/Restore Optimized | XSAVEOPT memXSAVEOPT64 mem | NP 0F AE /6NP REX.W 0F AE /6 | Save state components specified by EDX:EAX to memory.Unlike the older XSAVE instruction, XSAVEOPT may abstain from writing processor state items to memory when the CPU can determine that they haven't been modified since the most recent corresponding XRSTOR. | 3 | Sandy Bridge,Steamroller,Puma,Goldmont,ZhangJiang |
| XSAVECProcessor Extended State save/restore with compaction. | XSAVEC memXSAVEC64 mem | NP 0F C7 /4NP REX.W 0F C7 /4 | Save processor extended state components specified by EDX:EAX to memory with compaction. | 3 | Skylake,Goldmont,Zen 1 |
| XSSProcessor Extended State save/restore, including supervisor state. | XSAVES memXSAVES64 mem | NP 0F C7 /5NP REX.W 0F C7 /5 | Save processor extended state components specified by EDX:EAX to memory with compaction and optimization if possible. | 0 | Skylake,Goldmont,Zen 1 |
| XRSTORS memXRSTORS64 mem | NP 0F C7 /3NP REX.W 0F C7 /3 | Restore state components specified by EDX:EAX from memory. | |||
Added with other cross-vendor extensions
| Instruction Set Extension | Instructionmnemonics | Opcode | Instruction description | Ring | Added in |
|---|---|---|---|---|---|
| SSE164(non-SIMD) | PREFETCHNTA m8 | 0F 18 /0 | Prefetch with Non-Temporal Access.Prefetch data under the assumption that the data will be used only once, and attempt to minimize cache pollution from said data. The methods used to minimize cache pollution are implementation-dependent.165 | 3 | Pentium III,(K7),166(Geode GX2),167Nehemiah,Efficeon |
| PREFETCHT0 m8 | 0F 18 /1 | Prefetch data to all levels of the cache hierarchy.168 | |||
| PREFETCHT1 m8 | 0F 18 /2 | Prefetch data to all levels of the cache hierarchy except L1 cache.169 | |||
| PREFETCHT2 m8 | 0F 18 /3 | Prefetch data to all levels of the cache hierarchy except L1 and L2 caches.170 | |||
| SFENCE | NP 0F AE F8+x171 | Store Fence.172 | |||
| SSE2(non-SIMD) | LFENCE | NP 0F AE E8+x173 | Load Fence and Dispatch Serialization.174 | 3 | Pentium 4,K8,Efficeon,C7 Esther |
| MFENCE | NP 0F AE F0+x175 | Memory Fence.176 | |||
| MOVNTI m32,r32MOVNTI m64,r64 | NP 0F C3 /rNP REX.W 0F C3 /r | Non-Temporal Memory Store. | |||
| PAUSE | F3 90177 | Pauses CPU thread for a short time period.178Intended for use in spinlocks.179 | |||
| CLFSH180Cache Line Flush. | CLFLUSH m8 | NP 0F AE /7 | Flush one cache line to memory.In a system with multiple cache hierarchy levels and/or multiple processors each with their own caches, the line is flushed from all of them. | 3 | (SSE2),Geode LX |
| MONITOR181Monitor a memory location for memory writes. | MONITOR182MONITOR EAX,ECX,EDX | NP 0F 01 C8 | Start monitoring a memory location for memory writes. The memory address to monitor is given by DS:AX/EAX/RAX.183 ECX and EDX are reserved for extra extension and hint flags, respectively.184 | Usually 0185 | Prescott,Yonah,Bonnell,K10,Nano |
| MWAIT186MWAIT EAX,ECX | NP 0F 01 C9 | Wait for a write to a monitored memory location previously specified with MONITOR.187ECX and EAX are used to provide extra extension188 and hint189 flags, respectively. MWAIT hints are commonly used for CPU power management. | |||
| SMXSafer Mode Extensions.Load, authenticate and execute a digitally signed "Authenticated Code Module" as part of Intel Trusted Execution Technology. | GETSEC | NP 0F 37190 | Perform an SMX function. The leaf function to perform is given in EAX.191Depending on leaf function, the instruction may take additional arguments in RBX, ECX and EDX. | Usually 0192 | Conroe/Merom,WuDaoKou,193Tremont |
| RDTSCPRead Time Stamp Counter and Processor ID. | RDTSCP | 0F 01 F9 | Read Time Stamp Counter and processor core ID.194The TSC value is placed in EDX:EAX and the core ID in ECX.195 | Usually 3196 | K8,197Nehalem,Silvermont,Nano |
| POPCNT198Population Count. | POPCNT r16,r/m16POPCNT r32,r/m32 | F3 0F B8 /r | Count the number of bits that are set to 1 in its source argument. | 3 | K10,Nehalem,Nano 3000 |
| POPCNT r64,r/m64 | F3 REX.W 0F B8 /r | ||||
| SSE4.2(non-SIMD) | CRC32 r32,r/m8 | F2 0F 38 F0 /r | Accumulate CRC value using the CRC-32C (Castagnoli) polynomial 0x11EDC6F41 (normal form 0x1EDC6F41). This is the polynomial used in iSCSI. In contrast to the more popular one used in Ethernet, its parity is even, and it can thus detect any error with an odd number of changed bits. | 3 | Nehalem,Bulldozer,ZhangJiang |
| CRC32 r32,r/m16CRC32 r32,r/m32 | F2 0F 38 F1 /r | ||||
| CRC32 r64,r/m64 | F2 REX.W 0F 38 F1 /r | ||||
| FSGSBASERead/write base address of FS and GS segments from user-mode.Available in 64-bit mode only. | RDFSBASE r32RDFSBASE r64 | F3 0F AE /0F3 REX.W 0F AE /0 | Read base address of FS: segment. | 3 | Ivy Bridge,Steamroller,Goldmont,ZhangJiang |
| RDGSBASE r32RDGSBASE r64 | F3 0F AE /1F3 REX.W 0F AE /1 | Read base address of GS: segment. | |||
| WRFSBASE r32WRFSBASE r64 | F3 0F AE /2F3 REX.W 0F AE /2 | Write base address of FS: segment. | |||
| WRGSBASE r32WRGSBASE r64 | F3 0F AE /3F3 REX.W 0F AE /3 | Write base address of GS: segment. | |||
| MOVBEMove to/from memory with byte order swap. | MOVBE r16,m16MOVBE r32,m32 | NFx 0F 38 F0 /r | Load from memory to register with byte-order swap. | 3 | Bonnell,Haswell,Jaguar,Steamroller,ZhangJiang |
| MOVBE r64,m64 | NP REX.W 0F 38 F0 /r199 | ||||
| MOVBE m16,r16MOVBE m32,r32 | NFx 0F 38 F1 /r | Store to memory from register with byte-order swap. | |||
| MOVBE m64,r64 | NP REX.W 0F 38 F1 /r200 | ||||
| INVPCIDInvalidate TLB entries by Process-context identifier. | INVPCID reg,m128 | 66 0F 38 82 /r | Invalidate entries in TLB and paging-structure caches based on invalidation type in register201 and descriptor in m128. The descriptor contains a memory address and a PCID.202 Instruction is serializing on AMD but not Intel CPUs. | 0 | Haswell,ZhangJiang,Zen 3,Gracemont |
| PREFETCHW203Cache-line prefetch with intent to write. | PREFETCHW m8 | 0F 0D /1 | Prefetch cache line with intent to write.204 | 3 | K6-2,(Cedar Mill),205Silvermont,Broadwell,ZhangJiang |
| PREFETCH m8206 | 0F 0D /0 | Prefetch cache line.207 | |||
| ADXEnhanced variants of add-with-carry. | ADCX r32,r/m32ADCX r64,r/m64 | 66 0F 38 F6 /r66 REX.W 0F 38 F6 /r | Add-with-carry. Differs from the older ADC instruction in that it leaves flags other than EFLAGS.CF unchanged. | 3 | Broadwell,Zen 1,ZhangJiang,Gracemont |
| ADOX r32,r/m32ADOX r64,r/m64 | F3 0F 38 F6 /rF3 REX.W 0F 38 F6 /r | Add-with-carry, with the overflow-flag EFLAGS.OF serving as carry input and output, with other flags left unchanged. | |||
| SMAPSupervisor Mode Access Prevention.Repurposes the EFLAGS.AC (alignment check) flag to a flag that prevents access to user-mode memory while in ring 0, 1 or 2. | CLAC | NP 0F 01 CA | Clear EFLAGS.AC. | 0 | Broadwell,Goldmont,Zen 1,LuJiaZui208 |
| STAC | NP 0F 01 CB | Set EFLAGS.AC. | |||
| CLFLUSHOPTOptimized Cache Line Flush. | CLFLUSHOPT m8 | NFx 66 0F AE /7 | Flush cache line.Differs from the older CLFLUSH instruction in that it has more relaxed ordering rules with respect to memory stores and other cache line flushes, enabling improved performance. | 3 | Skylake,Goldmont,Zen 1 |
| PREFETCHWT1Cache-line prefetch into L2 cache with intent to write. | PREFETCHWT1 m8 | 0F 0D /2 | Prefetch data with T1 locality hint (fetch into L2 cache, but not L1 cache) and intent-to-write hint.209 | 3 | Knights Landing,YongFeng |
| PKUProtection Keys for user pages. | RDPKRU | NP 0F 01 EE | Read User Page Key register into EAX. | 3 | Skylake-X,Comet Lake,Gracemont,Zen 3,LuJiaZui210 |
| WRPKRU | NP 0F 01 EF | Write data from EAX into User Page Key Register, and perform a Memory Fence. | |||
| CLWBCache Line Writeback to memory. | CLWB m8 | NFx 66 0F AE /6 | Write one cache line back to memory without invalidating the cache line. | 3 | Skylake-X,Zen 2,Tiger Lake,Tremont |
| RDPIDRead processor core ID. | RDPID r32 | F3 0F C7 /7 | Read processor core ID into register.211 | 3212 | Goldmont Plus,Zen 2,Ice Lake,LuJiaZui213 |
| MOVDIRIMove to memory as Direct Store. | MOVDIRI m32,r32MOVDIRI m64,r64 | NP 0F 38 F9 /rNP REX.W 0F 38 F9 /r | Store to memory using Direct Store (memory store that is not cached or write-combined with other stores). | 3 | Tiger Lake,Tremont,Zen 5 |
| MOVDIR64BMove 64 bytes as Direct Store. | MOVDIR64B reg,m512 | 66 0F 38 F8 /r | Move 64 bytes of data from m512 to address given by ES:reg. The 64-byte write is done atomically with Direct Store.214 | 3 | Tiger Lake,Tremont,Zen 5 |
| WBNOINVDWhole Cache Writeback without invalidate. | WBNOINVD | F3 0F 09 | Write back all dirty cache lines to memory without invalidation.215 Instruction is serializing. | 0 | Zen 2,Ice Lake-SP |
| PREFETCHIInstruction prefetch. | PREFETCHIT0 m8 | 0F 18 /7 | Prefetch code to all levels of the cache hierarchy.216 | 3 | Zen 5,Granite Rapids |
| PREFETCHIT1 m8 | 0F 18 /6 | Prefetch code to all levels of the cache hierarchy except first-level cache.217 | |||
Added with other Intel-specific extensions
| Instruction Set Extension | Instructionmnemonics | Opcode | Instruction description | Ring | Added in |
|---|---|---|---|---|---|
| SSE2 branch hintsInstruction prefixes that can be used with the Jcc instructions to provide branch taken/not-taken hints. | HWNT,hint-not-taken218 | 2E219 | Instruction prefix: branch hint weakly not taken. | 3 | Pentium 4,220Meteor Lake221 |
| HST,hint-taken222 | 3E223 | Instruction prefix: branch hint strongly taken. | |||
| SGXSoftware Guard Extensions.Set up an encrypted enclave in which a guest can execute code that a compromised or malicious host cannot inspect or tamper with. | ENCLS | NP 0F 01 CF | Perform an SGX Supervisor function. The function to perform is given in EAX224 — depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Depending on function, the instruction may return data in RBX and/or an error code in EAX. | 0 | SGX1Skylake,225Goldmont PlusSGX2Goldmont Plus,Ice Lake-SP226OVERSUB227Ice Lake-SP,Tremont |
| ENCLU | NP 0F 01 D7 | Perform an SGX User function. The function to perform is given in EAX228 — depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Depending on function, the instruction may return data/status information in EAX and/or RCX. | 3229 | ||
| ENCLV | NP 0F 01 C0 | Perform an SGX Virtualization function. The function to perform is given in EAX230 — depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Instruction returns status information in EAX. | 0231 | ||
| PTWRITEWrite data to a Processor Trace Packet. | PTWRITE r/m32PTWRITE r/m64 | F3 0F AE /4F3 REX.W 0F AE /4 | Read data from register or memory to encode into a PTW packet.232 | 3 | Kaby Lake,Goldmont Plus |
| PCONFIGPlatform Configuration, including TME-MK ("Total Memory Encryption – Multi-Key") and TSE ("Total Storage Encryption"). | PCONFIG | NP 0F 01 C5 | Perform a platform feature configuration function. The function to perform is specified in EAX233 - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0. | 0 | Ice Lake-SP |
| CLDEMOTECache Line Demotion Hint. | CLDEMOTE m8 | NP 0F 1C /0 | Move cache line containing m8 from CPU L1 cache to a more distant level of the cache hierarchy.234 | 3 | (Tremont),(Alder Lake),Sapphire Rapids235 |
| WAITPKGUser-mode memory monitoring and waiting. | UMONITOR r16/32/64 | F3 0F AE /6 | Start monitoring a memory location for memory writes. The memory address to monitor is given by the register argument.236 | 3 | Tremont,Alder Lake |
| UMWAIT r32UMWAIT r32,EDX,EAX | F2 0F AE /6 | Timed wait for a write to a monitored memory location previously specified with UMONITOR. In the absence of a memory write, the wait will end when either the TSC reaches the value specified by EDX:EAX or the wait has been going on for an OS-controlled maximum amount of time.237 | Usually 3238 | ||
| TPAUSE r32TPAUSE r32,EDX,EAX | 66 0F AE /6 | Wait until the Time Stamp Counter reaches the value specified in EDX:EAX.239 The register argument to the UMWAIT and TPAUSE instructions specifies extra flags to control the operation of the instruction.240 | |||
| SERIALIZEInstruction Execution Serialization. | SERIALIZE | NP 0F 01 E8 | Serialize instruction fetch and execution.241 | 3 | Alder Lake |
| HRESETProcessor History Reset. | HRESET imm8 | F3 0F 3A F0 C0 ib | Request that the processor reset selected components of hardware-maintained prediction history. A bitmap of which components of the CPU's prediction history to reset is given in EAX (the imm8 argument is ignored).242 | 0 | Alder Lake |
| UINTRUser Interprocessor interrupt.Available in 64-bit mode only. | SENDUIPI reg | F3 0F C7 /6 | Send Interprocessor User Interrupt.243 | 3 | Sapphire Rapids |
| UIRET | F3 0F 01 EC | User Interrupt Return. | |||
| TESTUI | F3 0F 01 ED | Test User Interrupt Flag.Copies UIF to EFLAGS.CF . | |||
| CLUI | F3 0F 01 EE | Clear User Interrupt Flag. | |||
| STUI | F3 0F 01 EF | Set User Interrupt Flag. | |||
| ENQCMDEnqueue Store. Part of Intel DSA (Data Streaming Accelerator Architecture).245 | ENQCMD reg,m512 | F2 0F 38 F8 /r | Enqueue Command. Reads a 64-byte "command data" structure from memory (m512 argument) and writes atomically to a memory-mapped Enqueue Store device (register argument provides the memory address of this device, using ES segment and requiring 64-byte alignment.246) Sets ZF=0 to indicate that device accepted the command, or ZF=1 to indicate that command was not accepted (e.g. queue full or the memory location was not an Enqueue Store device.) | 3 | Sapphire Rapids |
| ENQCMDS reg,m512 | F3 0F 38 F8 /r | Enqueue Command Supervisor. Differs from ENQCMD in that it can place an arbitrary PASID (process address-space identifier) and a privilege-bit in the "command data" to enqueue. | 0 | ||
| WRMSRNSNon-serializing Write to Model-specific register. | WRMSRNS | NP 0F 01 C6 | Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX. The instruction differs from the older WRMSR instruction in that it is not serializing. | 0 | Sierra Forest |
| MSRLISTRead/write multiple Model-specific registers.Available in 64-bit mode only. | RDMSRLIST | F2 0F 01 C6 | Read multiple MSRs. RSI points to a table of up to 64 MSR indexes to read (64 bits each), RDI points to a table of up to 64 data items that the MSR read-results will be written to (also 64 bits each), and RCX provides a 64-entry bitmap of which of the table entries to actually perform an MSR read for.247 | 0 | Sierra Forest |
| WRMSRLIST | F3 0F 01 C6 | Write multiple MSRs. RSI points to a table of up to 64 MSR indexes to write (64 bits each), RDI points to a table of up to 64 data items to write into the MSRs (also 64 bits each), and RCX provides a 64-entry bitmap of which of the table entries to actually perform an MSR write for.248 The MSRs are written in table order. The instruction is not serializing. | |||
| CMPCCXADDAtomically perform a compare - and a fetch-and-add if the condition is met.Available in 64-bit mode only. | CMPccXADD m32,r32,r32CMPccXADD m64,r64,r64 | VEX.128.66.0F38.W0 Ex /rVEX.128.66.0F38.W1 Ex /r249250 | Read value from memory, then compare to first register operand. If the comparison passes, then add the second register operand to the memory value. The instruction as a whole is performed atomically.The operation of CMPccXADD [mem],reg1,reg2 is:temp1 := [mem]EFLAGS := CMP temp1, reg1 // sets EFLAGS like regular comparereg1 := temp1if( condition ) [mem] := temp1 + reg2 | 3 | Sierra Forest,Lunar Lake |
| PBNDKBPlatform Bind Key to Binary Large Object. Part of Intel TSE (Total Storage Encryption), and available in 64-bit mode only. | PBNDKB | NP 0F 01 C7 | Bind information to a platform by encrypting it with a platform-specific wrapping key. The instruction takes as input the addresses to two 256-byte-aligned "bind structures" in RBX and RCX, reads the structure pointed to by RBX and writes a modified structure to the address given in RCX. If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0. | 0 | Lunar Lake |
Added with other AMD-specific extensions
| Instruction Set Extension | Instructionmnemonics | Opcode | Instruction description | Ring | Added in |
|---|---|---|---|---|---|
| AltMovCr8Alternative mechanism to access the CR8 control register.251 | MOV reg,CR8 | F0 0F 20 /0252 | Read the CR8 register. | 0 | K8253 |
| MOV CR8,reg | F0 0F 22 /0254 | Write to the CR8 register. | |||
| MONITORXMonitor a memory location for writes in user mode. | MONITORX | NP 0F 01 FA | Start monitoring a memory location for memory writes. Similar to older MONITOR, except available in user mode. | 3 | Excavator |
| MWAITX | NP 0F 01 FB | Wait for a write to a monitored memory location previously specified with MONITORX.MWAITX differs from the older MWAIT instruction mainly in that it runs in user mode and that it can accept an optional timeout argument (given in TSC time units) in EBX (enabled by setting bit[1] of ECX to 1.) | |||
| CLZEROZero out full cache line. | CLZERO rAX | NP 0F 01 FC | Write zeroes to all bytes in a memory region that has the size and alignment of a CPU cache line and contains the byte addressed by DS:rAX.255 | 3 | Zen 1 |
| RDPRURead processor register in user mode. | RDPRU | NP 0F 01 FD | Read selected MSRs (mainly performance counters) in user mode. ECX specifies which register to read.256 The value of the MSR is returned in EDX:EAX. | Usually 3257 | Zen 2 |
| MCOMMITCommit Stores To Memory. | MCOMMIT | F3 0F 01 FA | Ensure that all preceding stores in thread have been committed to memory, and that any errors encountered by these stores have been signalled to any associated error logging resources. The set of errors that can be reported and the logging mechanism are platform-specific.Sets EFLAGS.CF to 0 if any errors occurred, 1 otherwise. | 3 | Zen 2 |
| INVLPGBInvalidate TLB Entries with broadcast. | INVLPGB | NP 0F 01 FE | Invalidate TLB Entries for a range of pages, with broadcast. The invalidation is performed on the processor executing the instruction, and also broadcast to all other processors in the system.rAX takes the virtual address to invalidate and some additional flags, ECX takes the number of pages to invalidate, and EDX specifies ASID and PCID to perform TLB invalidation for. | 0 | Zen 3 |
| TLBSYNC | NP 0F 01 FF | Synchronize TLB invalidations.Wait until all TLB invalidations signalled by preceding invocations of the INVLPGB instruction on the same logical processor have been responded to by all processors in the system. Instruction is serializing. | |||
x87 floating-point instructions
The x87 coprocessor, if present, provides support for floating-point arithmetic. The coprocessor provides eight data registers, each holding one 80-bit floating-point value (1 sign bit, 15 exponent bits, 64 mantissa bits) – these registers are organized as a stack, with the top-of-stack register referred to as "st" or "st(0)", and the other registers referred to as st(1), st(2), ...st(7). It additionally provides a number of control and status registers, including "PC" (precision control, to control whether floating-point operations should be rounded to 24, 53 or 64 mantissa bits) and "RC" (rounding control, to pick rounding-mode: round-to-zero, round-to-positive-infinity, round-to-negative-infinity, round-to-nearest-even) and a 4-bit condition code register "CC", whose four bits are individually referred to as C0, C1, C2 and C3). Not all of the arithmetic instructions provided by x87 obey PC and RC.
Original 8087 instructions
| Instruction description | Mnemonic | Opcode | Additional items | |
|---|---|---|---|---|
| x87 Non-Waiting258 FPU Control Instructions | Waitingmnemonic259 | |||
| Initialize x87 FPU | FNINIT | DB E3 | FINIT | |
| Load x87 Control Word | FLDCW m16 | D9 /5 | (none) | |
| Store x87 Control Word | FNSTCW m16 | D9 /7 | FSTCW | |
| Store x87 Status Word | FNSTSW m16260 | DD /7 | FSTSW | |
| Clear x87 Exception Flags | FNCLEX | DB E2 | FCLEX | |
| Load x87 FPU Environment | FLDENV m112/m224261 | D9 /4 | (none) | |
| Store x87 FPU Environment | FNSTENV m112/m224262 | D9 /6 | FSTENV | |
| Save x87 FPU State, then initialize x87 FPU | FNSAVE m752/m864263 | DD /6 | FSAVE | |
| Restore x87 FPU State | FRSTOR m752/m864264 | DD /4 | (none) | |
| Enable Interrupts (8087 only)265 | FNENI | DB E0 | FENI | |
| Disable Interrupts (8087 only)266 | FNDISI | DB E1 | FDISI | |
| x87 Floating-point Load/Store/Move Instructions | precisioncontrol | roundingcontrol | ||
| Load floating-point value onto stack | FLD m32 | D9 /0 | No | — |
| FLD m64 | DD /0 | |||
| FLD m80 | DB /5 | |||
| FLD st(i) | D9 C0+i | |||
| Store top-of-stack floating-point value to memory or stack register | FST m32 | D9 /2 | No | Yes |
| FST m64 | DD /2 | |||
| FST st(i)267 | DD D0+i | No | — | |
| Store top-of-stack floating-point value to memory or stack register, then pop | FSTP m32 | D9 /3 | No | Yes |
| FSTP m64 | DD /3 | |||
| FSTP m80268 | DB /7 | No | — | |
| FSTP st(i)269270 | DD D8+i | |||
| DF D0+i271 | ||||
| DF D8+i272 | ||||
| Push +0.0 onto stack | FLDZ | D9 EE | No | — |
| Push +1.0 onto stack | FLD1 | D9 E8 | ||
| Push π (approximately 3.14159) onto stack | FLDPI | D9 EB | No | 387273 |
| Push log 2 ( 10 ) {\displaystyle \log _{2}\left(10\right)} (approximately 3.32193) onto stack | FLDL2T | D9 E9 | ||
| Push log 2 ( e ) {\displaystyle \log _{2}\left(e\right)} (approximately 1.44269) onto stack | FLDL2E | D9 EA | ||
| Push log 10 ( 2 ) {\displaystyle \log _{10}\left(2\right)} (approximately 0.30103) onto stack | FLDLG2 | D9 EC | ||
| Push ln ( 2 ) {\displaystyle \ln \left(2\right)} (approximately 0.69315) onto stack | FLDLN2 | D9 ED | ||
| Exchange top-of-stack register with other stack register | FXCH st(i)274275 | D9 C8+i | No | — |
| DD C8+i276 | ||||
| DF C8+i277 | ||||
| x87 Integer Load/Store Instructions | precisioncontrol | roundingcontrol | ||
| Load signed integer value onto stack from memory, with conversion to floating-point | FILD m16 | DF /0 | No | — |
| FILD m32 | DB /0 | |||
| FILD m64 | DF /5 | |||
| Store top-of-stack value to memory, with conversion to signed integer | FIST m16 | DF /2 | No | Yes |
| FIST m32 | DB /2 | |||
| Store top-of-stack value to memory, with conversion to signed integer, then pop stack | FISTP m16 | DF /3 | No | Yes |
| FISTP m32 | DB /3 | |||
| FISTP m64 | DF /7 | |||
| Load 18-digit Binary-Coded-Decimal integer value onto stack from memory, with conversion to floating-point278 | FBLD m80 | DF /4 | No | — |
| Store top-of-stack value to memory, with conversion to 18-digit Binary-Coded-Decimal integer, then pop stack | FBSTP m80 | DF /6 | No | 387279 |
| x87 Basic Arithmetic Instructions | precisioncontrol | roundingcontrol | ||
| Floating-point adddst <- dst + src | FADD m32 | D8 /0 | Yes | Yes |
| FADD m64 | DC /0 | |||
| FADD st,st(i) | D8 C0+i | |||
| FADD st(i),st | DC C0+i | |||
| Floating-point multiplydst <- dst * src | FMUL m32 | D8 /1 | Yes | Yes |
| FMUL m64 | DC /1 | |||
| FMUL st,st(i) | D8 C8+i | |||
| FMUL st(i),st | DC C8+i | |||
| Floating-point subtractdst <- dst – src | FSUB m32 | D8 /4 | Yes | Yes |
| FSUB m64 | DC /4 | |||
| FSUB st,st(i) | D8 E0+i | |||
| FSUB st(i),st | DC E8+i | |||
| Floating-point reverse subtractdst <- src – dst | FSUBR m32 | D8 /5 | Yes | Yes |
| FSUBR m64 | DC /5 | |||
| FSUBR st,st(i) | D8 E8+i | |||
| FSUBR st(i),st | DC E0+i | |||
| Floating-point divide280dst <- dst / src | FDIV m32 | D8 /6 | Yes | Yes |
| FDIV m64 | DC /6 | |||
| FDIV st,st(i) | D8 F0+i | |||
| FDIV st(i),st | DC F8+i | |||
| Floating-point reverse dividedst <- src / dst | FDIVR m32 | D8 /7 | Yes | Yes |
| FDIVR m64 | DC /7 | |||
| FDIVR st,st(i) | D8 F8+i | |||
| FDIVR st(i),st | DC F0+i | |||
| Floating-point compareCC <- result_of( st(0) – src )Same operation as subtract, except that it updates the x87 CC status register instead of any of the FPU stack registers | FCOM m32 | D8 /2 | No | — |
| FCOM m64 | DC /2 | |||
| FCOM st(i)281 | D8 D0+i | |||
| DC D0+i282 | ||||
| x87 Basic Arithmetic Instructions with Stack Pop | precisioncontrol | roundingcontrol | ||
| Floating-point add and pop | FADDP st(i),st283 | DE C0+i | Yes | Yes |
| Floating-point multiply and pop | FMULP st(i),st284 | DE C8+i | Yes | Yes |
| Floating-point subtract and pop | FSUBP st(i),st285 | DE E8+i | Yes | Yes |
| Floating-point reverse-subtract and pop | FSUBRP st(i),st286 | DE E0+i | Yes | Yes |
| Floating-point divide and pop | FDIVP st(i),st287 | DE F8+i | Yes | Yes |
| Floating-point reverse-divide and pop | FDIVRP st(i),st288 | DE F0+i | Yes | Yes |
| Floating-point compare and pop | FCOMP m32 | D8 /3 | No | — |
| FCOMP m64 | DC /3 | |||
| FCOMP st(i)289 | D8 D8+i | |||
| DC D8+i290 | ||||
| DE D0+i291 | ||||
| Floating-point compare to st(1), then pop twice | FCOMPP | DE D9 | No | — |
| x87 Basic Arithmetic Instructions with Integer Source Argument | precisioncontrol | roundingcontrol | ||
| Floating-point add by integer | FIADD m16 | DA /0 | Yes | Yes |
| FIADD m32 | DE /0 | |||
| Floating-point multiply by integer | FIMUL m16 | DA /1 | Yes | Yes |
| FIMUL m32 | DE /1 | |||
| Floating-point subtract by integer | FISUB m16 | DA /4 | Yes | Yes |
| FISUB m32 | DE /4 | |||
| Floating-point reverse-subtract by integer | FISUBR m16 | DA /5 | Yes | Yes |
| FISUBR m32 | DE /5 | |||
| Floating-point divide by integer | FIDIV m16 | DA /6 | Yes | Yes |
| FIDIV m32 | DE /6 | |||
| Floating-point reverse-divide by integer | FIDIVR m16 | DA /7 | Yes | Yes |
| FIDIVR m32 | DE /7 | |||
| Floating-point compare to integer | FICOM m16 | DA /2 | No | — |
| FICOM m32 | DE /2 | |||
| Floating-point compare to integer, and stack pop | FICOMP m16 | DA /3 | No | — |
| FICOMP m32 | DE /3 | |||
| x87 Additional Arithmetic Instructions | precisioncontrol | roundingcontrol | ||
| Floating-point change sign | FCHS | D9 E0 | No | — |
| Floating-point absolute value | FABS | D9 E1 | No | — |
| Floating-point compare top-of-stack value to 0 | FTST | D9 E4 | No | — |
| Classify top-of-stack st(0) register value.The classification result is stored in the x87 CC register.292 | FXAM | D9 E5 | No | — |
| Split the st(0) value into two values E and M representing the exponent and mantissa of st(0).The split is done such that M ∗ 2 E = s t ( 0 ) {\displaystyle M*2^{E}=st(0)} , where E is an integer and M is a number whose absolute value is within the range 1 ≤ | M | < 2 {\displaystyle 1\leq \left|M\right|<2} . 293st(0) is then replaced with E, after which M is pushed onto the stack. | FXTRACT | D9 F4 | No | — |
| Floating-point partial294 remainder (not IEEE 754 compliant): Q ← I n t e g e r R o u n d T o Z e r o ( s t ( 0 ) s t ( 1 ) ) {\displaystyle Q\leftarrow {\mathtt {IntegerRoundToZero}}\left({\frac {st(0)}{st(1)}}\right)} s t ( 0 ) ← s t ( 0 ) − s t ( 1 ) ∗ Q {\displaystyle st(0)\leftarrow st(0)-st(1)*Q} | FPREM | D9 F8 | No | —295 |
| Floating-point square root | FSQRT | D9 FA | Yes | Yes |
| Floating-point round to integer | FRNDINT | D9 FC | No | Yes |
| Floating-point power-of-2 scaling. Rounds the value of st(1) to integer with round-to-zero, then uses it as a scale factor for st(0):296 s t ( 0 ) ← s t ( 0 ) ∗ 2 I n t e g e r R o u n d T o Z e r o ( s t ( 1 ) ) {\displaystyle st(0)\leftarrow st(0)*2^{{\mathtt {IntegerRoundToZero}}\left(st(1)\right)}} | FSCALE | D9 FD | No | Yes297 |
| x87 Transcendental Instructions298 | Source operandrange restriction | |||
| Base-2 exponential minus 1, with extra precision for st(0) close to 0: s t ( 0 ) ← 2 s t ( 0 ) − 1 {\displaystyle st(0)\leftarrow 2^{st(0)}-1} | F2XM1 | D9 F0 | 8087: 0 ≤ s t ( 0 ) ≤ 1 2 {\displaystyle 0\leq st(0)\leq {\frac {1}{2}}} 80387: − 1 ≤ s t ( 0 ) ≤ 1 {\displaystyle -1\leq st(0)\leq 1} | |
| Base-2 Logarithm and multiply:299 s t ( 1 ) ← s t ( 1 ) ∗ log 2 ( s t ( 0 ) ) {\displaystyle st(1)\leftarrow st(1)*\log _{2}\left(st(0)\right)} followed by stack pop | FYL2X | D9 F1 | no restrictions | |
| Partial Tangent: Computes from st(0) a pair of values X and Y, such that tan ( s t ( 0 ) ) = Y X {\displaystyle \tan \left(st(0)\right)={\frac {Y}{X}}} The Y value replaces the top-of-stack value, and then X is pushed onto the stack.On 80387 and later x87, but not original 8087, X is always 1.0 | FPTAN | D9 F2 | 8087: 0 ≤ | s t ( 0 ) | ≤ π 4 {\displaystyle 0\leq \left|st(0)\right|\leq {\frac {\pi }{4}}} 80387: 0 ≤ | s t ( 0 ) | < 2 63 {\displaystyle 0\leq \left|st(0)\right|<2^{63}} | |
| Two-argument arctangent with quadrant adjustment:300 s t ( 1 ) ← arctan ( s t ( 1 ) s t ( 0 ) ) {\displaystyle st(1)\leftarrow \arctan \left({\frac {st(1)}{st(0)}}\right)} followed by stack pop | FPATAN | D9 F3 | 8087: | s t ( 1 ) | ≤ | s t ( 0 ) | < ∞ {\displaystyle \left|st(1)\right|\leq \left|st(0)\right|<\infty } 80387: no restrictions | |
| Base-2 Logarithm plus 1 with extra precision for st(0) close to 0, followed by multiply:301 s t ( 1 ) ← s t ( 1 ) ∗ log 2 ( s t ( 0 ) + 1 ) {\displaystyle st(1)\leftarrow st(1)*\log _{2}\left(st(0)+1\right)} followed by stack pop | FYL2XP1 | D9 F9 | Intel: | s t ( 0 ) | < ( 1 − 1 2 ) {\displaystyle \left|st(0)\right|<\left(1-{\sqrt {\frac {1}{2}}}\right)} AMD: ( 1 2 − 1 ) < s t ( 0 ) < ( 2 − 1 ) {\displaystyle \left({\sqrt {\frac {1}{2}}}-1\right)<st(0)<\left({\sqrt {2}}-1\right)} | |
| Other x87 Instructions | ||||
| No operation302 | FNOP | D9 D0 | ||
| Decrement x87 FPU Register Stack Pointer | FDECSTP | D9 F6 | ||
| Increment x87 FPU Register Stack Pointer | FINCSTP | D9 F7 | ||
| Free x87 FPU Register | FFREE st(i) | DD C0+i | ||
| Check and handle pending unmasked x87 FPU exceptions | WAIT,FWAIT | 9B | ||
| Floating-point store and pop, without stack underflow exception303 | FSTPNCE st(i) | D9 D8+i304 | ||
| Free x87 register, then stack pop | FFREEP st(i) | DF C0+i305 | ||
x87 instructions added in later processors
| Instruction description | Mnemonic | Opcode | Additional items |
|---|---|---|---|
| x87 Non-Waiting Control Instructions added in 80287 | Waitingmnemonic | ||
| Notify FPU of entry into Protected Mode306 | FNSETPM | DB E4 | FSETPM |
| Store x87 Status Word to AX | FNSTSW AX | DF E0 | FSTSW AX |
| x87 Instructions added in 80387307 | Source operandrange restriction | ||
| Floating-point unordered compare.Similar to the regular floating-point compare instruction FCOM, except will not produce an exception in response to any qNaN operands. | FUCOM st(i)308 | DD E0+i | no restrictions |
| Floating-point unordered compare and pop | FUCOMP st(i)309 | DD E8+i | |
| Floating-point unordered compare to st(1), then pop twice | FUCOMPP | DA E9 | |
| IEEE 754 compliant floating-point partial remainder.310 | FPREM1 | D9 F5 | |
| Floating-point sine and cosine.Computes two values S = sin ( k ∗ s t ( 0 ) ) {\displaystyle S=\sin \left(k*st(0)\right)} and C = cos ( k ∗ s t ( 0 ) ) {\displaystyle C=\cos \left(k*st(0)\right)} 311Top-of-stack st(0) is replaced with S, after which C is pushed onto the stack. | FSINCOS | D9 FB | | s t ( 0 ) | < 2 63 {\displaystyle \left|st(0)\right|<2^{63}} 312 |
| Floating-point sine.313 s t ( 0 ) ← sin ( k ∗ s t ( 0 ) ) {\displaystyle st(0)\leftarrow \sin \left(k*st(0)\right)} | FSIN | D9 FE | |
| Floating-point cosine.314 s t ( 0 ) ← cos ( k ∗ s t ( 0 ) ) {\displaystyle st(0)\leftarrow \cos \left(k*st(0)\right)} | FCOS | D9 FF | |
| x87 Instructions added in Pentium Pro | Condition forconditional moves | ||
| Floating-point conditional move to st(0) based on EFLAGS | FCMOVB st(0),st(i) | DA C0+i | below (CF=1) |
| FCMOVE st(0),st(i) | DA C8+i | equal (ZF=1) | |
| FCMOVBE st(0),st(i) | DA D0+i | below or equal(CF=1 or ZF=1) | |
| FCMOVU st(0),st(i) | DA D8+i | unordered (PF=1) | |
| FCMOVNB st(0),st(i) | DB C0+i | not below (CF=0) | |
| FCMOVNE st(0),st(i) | DB C8+i | not equal (ZF=0) | |
| FCMOVNBE st(0),st(i) | DB D0+i | not below or equal(CF=0 and ZF=0) | |
| FCMOVNU st(0),st(i) | DB D8+i | not unordered (PF=0) | |
| Floating-point compare and set EFLAGS.Differs from the older FCOM floating-point compare instruction in that it puts its result in the integer EFLAGS register rather than the x87 CC register.315 | FCOMI st(0),st(i) | DB F0+i | |
| Floating-point compare and set EFLAGS, then pop | FCOMIP st(0),st(i) | DF F0+i | |
| Floating-point unordered compare and set EFLAGS | FUCOMI st(0),st(i) | DB E8+i | |
| Floating-point unordered compare and set EFLAGS, then pop | FUCOMIP st(0),st(i) | DF E8+i | |
| x87 Non-Waiting Instructions added in Pentium II, AMD K7 and SSE316 | 64-bit mnemonic(REX.W prefix) | ||
| Save x87, MMX and SSE state to a 464-byte data structure317318319 | FXSAVE m464byte | NP 0F AE /0 | FXSAVE64 m464byte320 |
| Restore x87, MMX and SSE state from 464-byte data structure321322 | FXRSTOR m464byte | NP 0F AE /1 | FXRSTOR64 m464byte323 |
| x87 Instructions added as part of SSE3 | |||
| Floating-point store integer and pop, with round-to-zero | FISTTP m16 | DF /1 | |
| FISTTP m32 | DB /1 | ||
| FISTTP m64 | DD /1 | ||
SIMD instructions
Main article: x86 SIMD instruction listings
Cryptographic instructions
Main article: List of x86 cryptographic instructions
Virtualization instructions
Main article: List of x86 virtualization instructions
Other instructions
See also: List of discontinued x86 instructions
x86 also includes discontinued instruction sets which are no longer supported by Intel and AMD, and undocumented instructions which execute but are not officially documented.
Undocumented x86 instructions
The x86 CPUs contain undocumented instructions which are implemented on the chips but not listed in some official documents. They can be found in various sources across the Internet, such as Ralf Brown's Interrupt List and at sandpile.org
Some of these instructions are widely available across many/most x86 CPUs, while others are specific to a narrow range of CPUs.
Undocumented instructions that are widely available across many x86 CPUs include
| Mnemonics | Opcodes | Description | Status |
|---|---|---|---|
| AAM imm8 | D4 ib | ASCII-Adjust-after-Multiply. On the 8086, documented for imm8=0Ah only, which is used to convert a binary multiplication result to BCD. The actual operation is AH ← AL/imm8; AL ← AL mod imm8 for any imm8 value (except zero, which produces a divide-by-zero exception).324 | Available beginning with 8086, documented for imm8 values other than 0Ah since Pentium (earlier documentation lists no arguments). |
| AAD imm8 | D5 ib | ASCII-Adjust-Before-Division. On the 8086, documented for imm8=0Ah only, which is used to convert a BCD value to binary for a following division instruction. The actual operation is AL ← (AL+(AH*imm8)) & 0FFh; AH ← 0 for any imm8 value. | |
| SALC,SETALC | D6 | Set AL depending on the value of the Carry Flag (a 1-byte alternative of SBB AL, AL) | Available beginning with 8086, but only documented since Pentium Pro. |
| ICEBP,INT1 | F1 | Single byte single-step exception / Invoke ICE | Available beginning with 80386, documented (as INT1) since Pentium Pro. Executes as undocumented instruction prefix on 8086 and 80286.325 |
| TEST r/m8,imm8 | F6 /1 ib | Undocumented variants of the TEST instruction.326 Performs the same operation as the documented F6 /0 and F7 /0 variants, respectively. | Available since the 8086. |
| TEST r/m16,imm16,TEST r/m32,imm32 | F7 /1 iw,F7 /1 id | ||
| SHL, SAL | (D0..D3) /6,(C0..C1) /6 ib | Undocumented variants of the SHL instruction.329 Performs the same operation as the documented (D0..D3) /4 and (C0..C1) /4 ib variants, respectively. | Available since the 80186 (performs different operation on the 8086)330 |
| (multiple) | 82 /(0..7) ib | Alias of opcode 80h, which provides variants of 8-bit integer instructions (ADD, OR, ADC, SBB, AND, SUB, XOR, CMP) with an 8-bit immediate argument.331 | Available since the 8086.332 Explicitly unavailable in 64-bit mode but kept and reserved for compatibility.333 |
| OR/AND/XOR r/m16,imm8 | 83 /(1,4,6) ib | 16-bit OR/AND/XOR with a sign-extended 8-bit immediate. | Available on 8086, but only documented from 80386 onwards.334335 |
| REPNZ MOVS | F2 (A4..A5) | The behavior of the F2 prefix (REPNZ, REPNE) when used with string instructions other than CMPS/SCAS is officially undefined, but there exists commercial software (e.g. the version of FDISK distributed with MS-DOS versions 3.30 to 6.22336) that rely on it to behave in the same way as the documented F3 (REP) prefix. | Available since the 8086. |
| REPNZ STOS | F2 (AA..AB) | ||
| REP RET | F3 C3 | The use of the REP prefix with the RET instruction is not listed as supported in either the Intel SDM or the AMD APM. However, AMD's optimization guide for the AMD-K8 describes the F3 C3 encoding as a way to encode a two-byte RET instruction – this is the recommended workaround for an issue in the AMD-K8's branch predictor that can cause branch prediction to fail for some 1-byte RET instructions.337 At least some versions of gcc are known to use this encoding.338 | Executes as RET on all known x86 CPUs. |
| NOP | 67 90 | NOP with address-size override prefix. The use of the 67h prefix for instructions without memory operands is listed by the Intel SDM (vol 2, section 2.1.1) as "reserved", but it is used in Microsoft Windows 95 as a workaround for a bug in the B1 stepping of Intel 80386.339340 | Executes as NOP on 80386 and later. |
| NOP r/m | 0F 1F /0 | Official long NOP. Introduced in the Pentium Pro in 1995, but remained undocumented until March 2006.341342343 | Available on Pentium Pro and AMD K7344 and later. Unavailable on AMD K6, AMD Geode LX, VIA Nehemiah.345 |
| NOP r/m | 0F 0D /r | Reserved-NOP. Introduced in 65 nm Pentium 4. Intel documentation lists this opcode as NOP in opcode tables but not instruction listings since June 2005.346347 From Broadwell onwards, 0F 0D /1 has been documented as PREFETCHW, while 0F 0D /0 and /2../7 have been reported to exhibit undocumented prefetch functionality.348 On AMD CPUs, 0F 0D /r with a memory argument is documented as PREFETCH/PREFETCHW since K6-2 – originally as part of 3Dnow!, but has been kept in later AMD CPUs even after the rest of 3Dnow! was dropped. | Available on Intel CPUs since 65 nm Pentium 4. |
| UD1 | 0F B9 /r | Intentionally undefined instructions, but unlike UD2 (0F 0B) these instructions were left unpublished until December 2016.349350 Microsoft Windows 95 Setup is known to depend on 0F FF being invalid351352 – it is used as a self check to test that its #UD exception handler is working properly. Other invalid opcodes that are being relied on by commercial software to produce #UD exceptions include FF FF (DIF-2,353 LaserLok354) and C4 C4 ("BOP"355356), however as of January 2022 they are not published as intentionally invalid opcodes. | All of these opcodes produce #UD exceptions on 80186 and later (except on NEC V20/V30, which assign at least 0F FF to the NEC-specific BRKEM instruction.) |
| UD0 | 0F FF | ||
Undocumented instructions that appear only in a limited subset of x86 CPUs include
| Mnemonics | Opcodes | Description | Status | |
|---|---|---|---|---|
| REP MUL | F3 F6 /4, F3 F7 /4 | On 8086/8088, a REP or REPNZ prefix on a MUL or IMUL instruction causes the result to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the result. | 8086/8088 only.357 | |
| REP IMUL | F3 F6 /5, F3 F7 /5 | |||
| REP IDIV | F3 F6 /7, F3 F7 /7 | On 8086/8088, a REP or REPNZ prefix on an IDIV (but not DIV) instruction causes the quotient to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the quotient. | 8086/8088 only.358 | |
| SAVEALL, STOREALL | (F1) 0F 04 | Exact purpose unknown, causes CPU hang (HCF). The only way out is CPU reset.359 In some implementations, emulated through BIOS as a halting sequence.360 In a forum post at the Vintage Computing Federation, this instruction (with F1 prefix) is explained as SAVEALL. It interacts with ICE mode. | Only available on 80286. | |
| LOADALL | 0F 05 | Loads All Registers from Memory Address 0x000800H | Only available on 80286. Opcode reused for SYSCALL in AMD K6 and later CPUs. | |
| LOADALLD | 0F 07 | Loads All Registers from Memory Address ES:EDI | Only available on 80386. Opcode reused for SYSRET in AMD K6 and later CPUs. | |
| CL1INVMB | 0F 0A361 | On the Intel SCC (Single-chip Cloud Computer), invalidate all message buffers. The mnemonic and operation of the instruction, but not its opcode, are described in Intel's SCC architecture specification.362 | Available on the SCC only. | |
| PATCH2 | 0F 0E | On AMD K6 and later maps to FEMMS operation (fast clear of MMX state) but on Intel identified as uarch data read on Intel363 | Only available in Red unlock state (0F 0F too) | |
| PATCH3 | 0F 0F | Write uarch | Can change RAM part of microcode on Intel | |
| UMOV r,r/m,UMOV r/m,r | 0F (10..13) /r | Moves data to/from user memory when operating in ICE HALT mode.364 Acts as regular MOV otherwise. | Available on some 386 and 486 processors only. Opcodes reused for SSE instructions in later CPUs. | |
| NXOP | 0F 55 | NexGen hypercode interface.365 | Available on NexGen Nx586 only. | |
| (multiple) | 0F (E0..FB)366 | NexGen Nx586 "hyper mode" instructions. The NexGen Nx586 CPU uses "hyper code"367 (x86 code sequences unpacked at boot time and only accessible in a special "hyper mode" operation mode, similar to DEC Alpha's PALcode and Intel's XuCode368) for many complicated operations that are implemented with microcode in most other x86 CPUs. The Nx586 provides a large number of undocumented instructions to assist hyper mode operation. | Available in Nx586 hyper mode only. | |
| PSWAPW mm,mm/m64 | 0F 0F /r BB | Undocumented AMD 3DNow! instruction on K6-2 and K6-3. Swaps 16-bit words within 64-bit MMX register.369370 Instruction known to be recognized by MASM 6.13 and 6.14. | Available on K6-2 and K6-3 only. Opcode reused for documented PSWAPD instruction from AMD K7 onwards. | |
| Unknown mnemonic | 64 D6 | Using the 64 (FS: segment) prefix with the undocumented D6 (SALC/SETALC) instruction will, on UMC CPUs only, cause EAX to be set to 0xAB6B1B07.371372 | Available on the UMC Green CPU only. Executes as SALC on non-UMC CPUs. | |
| FS: Jcc | 64 (70..7F) rel8, 64 0F (80..8F) rel16/32 | On Intel NetBurst (Pentium 4) CPUs, the 64h (FS: segment) instruction prefix will, when used with conditional branch instructions, act as a branch hint to indicate that the branch will be alternating between taken and not-taken.373 Unlike other NetBurst branch hints (CS: and DS: segment prefixes), this hint is not documented. | Available on NetBurst CPUs only. Segment prefixes on conditional branches are accepted but ignored by non-NetBurst CPUs. | |
| JMPAI | 0F 3F | Jump and execute instructions in the undocumented Alternate Instruction Set. | Only available on some x86 processors made by VIA Technologies. | |
| (FMA4) | VEX.66.0F38 (5C..5F,68..6F,78..7F) /r imm8 | On AMD Zen1, FMA4 instructions are present but undocumented (missing CPUID flag). The reason for leaving the feature undocumented may or may not have been due to a buggy implementation.374 | Removed from Zen2 onwards. | |
| (unknown, multiple) | 0F 0F /r ?? | The whitepapers for SandSifter375 and UISFuzz376 report the detection of large numbers of undocumented instructions in the 3DNow! opcode range on several different AMD CPUs (at least Geode NX and C-50). Their operation is not known. On at least AMD K6-2, all of the unassigned 3DNow! opcodes (other than the undocumented PF2IW, PI2FW and PSWAPW instructions) are reported to execute as equivalents of POR (MMX bitwise-OR instruction).377 | Present on some AMD CPUs with 3DNow!. | |
| MOVDB, GP2MEM | Unknown | Microprocessor Report's article "MediaGX Targets Low-Cost PCs" from 1997, covering the introduction of the Cyrix MediaGX processor, lists several new instructions that are said to have been added to this processor in order to support its new "Virtual System Architecture" features, including MOVDB and GP2MEM – and also mentions that Cyrix did not intend to publish specifications for these instructions.378 | Unknown. No specification known to have been published. | |
| REP XSHA512 | F3 0F A6 E0 | Perform SHA-512 hashing. Supported by OpenSSL379 as part of its VIA PadLock support, and listed in a Zhaoxin-supplied Linux kernel patch,380 but not documented by the VIA PadLock Programming Guide. | Only available on some x86 processors made by VIA Technologies and Zhaoxin. | |
| REP XMODEXP | F3 0F A6 F8 | Instructions to perform modular exponentiation and random number generation, respectively. Listed in a VIA-supplied patch to add support for VIA Nano-specific PadLock instructions to OpenSSL,381 but not documented by the VIA PadLock Programming Guide. | ||
| XRNG2 | F3 0F A7 F8 | |||
| Unknown mnemonic | 0F A7 (C1..C7) | Detected by CPU fuzzing tools such as SandSifter382 and UISFuzz383 as executing without causing #UD on several different VIA and Zhaoxin CPUs. Unknown operation, may be related to the documented XSTORE (0F A7 C0) instruction. | ||
| Unknown mnemonic | F2 0F A6 C0 | Zhaoxin SM2 instruction. CPUID flags listed in a Linux kernel patch for OpenEuler,384 description and opcode (but no instruction mnemonic) provided in a Zhaoxin patent application385 and a Zhaoxin-provided Linux kernel patch.386 | Present in Zhaoxin KX-6000G.387 | |
| ZXPAUSE | F2 0F A6 D0 | Pause the processor until the Time Stamp Counter reaches or exceeds the value specified in EDX:EAX. Low-power processor C-state can be requested in ECX. Listed in OpenEuler kernel patch.388 | Present in Zhaoxin KX-7000. | |
| MONTMUL2 | Unknown | Zhaoxin RSA/"xmodx" instructions. Mnemonics and CPUID flags are listed in a Linux kernel patch for OpenEuler,389 but opcodes and instruction descriptions are not available. | Unknown. Some Zhaoxin CPUs390 have the CPUID flags for these instructions set. | |
Undocumented x87 instructions
| Mnemonics | Opcodes | Description | Status |
|---|---|---|---|
| FENI, FENI8087_NOP | DB E0 | FPU Enable Interrupts (8087) | Documented for the Intel 80287.391 Present on all Intel x87 FPUs from 80287 onwards. For FPUs other than the ones where they were introduced on (8087 for FENI/FDISI and 80287 for FSETPM), they act as NOPs. These instructions and their operation on modern CPUs are commonly mentioned in later Intel documentation, but with opcodes omitted and opcode table entries left blank (e.g. Intel SDM 325462-077, April 2022 mentions them twice without opcodes). The opcodes are, however, recognized by Intel XED.392 |
| FDISI, FDISI8087_NOP | DB E1 | FPU Disable Interrupts (8087) | |
| FSETPM, FSETPM287_NOP | DB E4 | FPU Set Protected Mode (80287) | |
| (no mnemonic) | D9 D7, D9 E2,D9 E7, DD FC,DE D8, DE DA,DE DC, DE DD,DE DE, DF FC | "Reserved by Cyrix" opcodes | These opcodes are listed as reserved opcodes that will produce "unpredictable results" without generating exceptions on at least Cyrix 6x86,393 6x86MX, MII, MediaGX, and AMD Geode GX/LX.394 (The documentation for these CPUs all list the same ten opcodes.) Their actual operation is not known, nor is it known whether their operation is the same on all of these CPUs. |
See also
- CLMUL
- RDRAND
- Advanced Vector Extensions 2
- AVX-512
- x86 Bit manipulation instruction set
- CPUID
- List of discontinued x86 instructions
- Intel Corporation (April 2022). "Intel 64 and IA-32 Architectures Software Developer's Manual, Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D and 4". Intel. Retrieved 21 June 2022.
External links
The Wikibook x86 Assembly has a page on the topic of: X86 Instructions- Free IA-32 and x86-64 documentation, provided by Intel
- AMD64 Architecture Programmer's Manual, Volumes 1-5, provided by AMD
- x86 Opcode and Instruction Reference
- x86 and amd64 instruction reference
- Instruction tables: Lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs
- Netwide Assembler Instruction List (from Netwide Assembler)
References
"Re: Intel Processor Identification and the CPUID Instruction". Retrieved 2013-04-21. http://www.intel.com/content/www/us/en/processors/processor-identification-cpuid-instruction-note.html?wapkw=processor-identification-cpuid-instruction ↩
"Intel 80x86 Instruction Set Summary" (PDF). eecs.wsu.edu. https://eecs.wsu.edu/~ee314/handouts/x86ref.pdf ↩
"Intel x85 JUMP quick reference". Retrieved 2025-04-01.. http://unixwiz.net/techtips/x86-jumps.html ↩
The descriptors used by the LGDT, LIDT, SGDT and SIDT instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.For LGDT and LIDT with a 16-bit operand size, the address is ANDed with 00FFFFFFh. On Intel (but not AMD) CPUs, the SGDT and SIDT instructions with a 16-bit operand size is – as of Intel SDM revision 079 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.[4] ↩
The LGDT, LIDT, LLDT and LTR instructions are serializing on Pentium and later processors. /wiki/Pentium_(original) ↩
The descriptors used by the LGDT, LIDT, SGDT and SIDT instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.For LGDT and LIDT with a 16-bit operand size, the address is ANDed with 00FFFFFFh. On Intel (but not AMD) CPUs, the SGDT and SIDT instructions with a 16-bit operand size is – as of Intel SDM revision 079 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.[4] ↩
The LGDT, LIDT, LLDT and LTR instructions are serializing on Pentium and later processors. /wiki/Pentium_(original) ↩
The LMSW instruction is serializing on Intel processors from Pentium onwards, but not on AMD processors. /wiki/Pentium_(original) ↩
On 80386 and later, the "Machine Status Word" is the same as the CR0 control register – however, the LMSW instruction can only modify the bottom 4 bits of this register and cannot clear bit 0. The inability to clear bit 0 means that LMSW can be used to enter but not leave x86 Protected Mode.On 80286, it is not possible to leave Protected Mode at all (neither with LMSW nor with LOADALL[5]) without a CPU reset – on 80386 and later, it is possible to leave Protected Mode, but this requires the use of the 80386-and-later MOV to CR0 instruction. /wiki/Control_register#CR0 ↩
The LGDT, LIDT, LLDT and LTR instructions are serializing on Pentium and later processors. /wiki/Pentium_(original) ↩
The LGDT, LIDT, LLDT and LTR instructions are serializing on Pentium and later processors. /wiki/Pentium_(original) ↩
The descriptors used by the LGDT, LIDT, SGDT and SIDT instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.For LGDT and LIDT with a 16-bit operand size, the address is ANDed with 00FFFFFFh. On Intel (but not AMD) CPUs, the SGDT and SIDT instructions with a 16-bit operand size is – as of Intel SDM revision 079 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.[4] ↩
If CR4.UMIP=1 is set, then the SGDT, SIDT, SLDT, SMSW and STR instructions can only run in Ring 0.These instructions were unprivileged on all x86 CPUs from 80286 onwards until the introduction of UMIP in 2017.[6] This has been a significant security problem for software-based virtualization, since it enables these instructions to be used by a VM guest to detect that it is running inside a VM.[7] /wiki/Control_register#CR4 ↩
The descriptors used by the LGDT, LIDT, SGDT and SIDT instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.For LGDT and LIDT with a 16-bit operand size, the address is ANDed with 00FFFFFFh. On Intel (but not AMD) CPUs, the SGDT and SIDT instructions with a 16-bit operand size is – as of Intel SDM revision 079 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.[4] ↩
The SMSW, SLDT and STR instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows: SMSW: Stores full CR0 in x86-64 long mode, undefined otherwise. SLDT: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors. STR: Zero-extends 16-bit argument. /wiki/Control_register#CR0 ↩
The SMSW, SLDT and STR instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows: SMSW: Stores full CR0 in x86-64 long mode, undefined otherwise. SLDT: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors. STR: Zero-extends 16-bit argument. /wiki/Control_register#CR0 ↩
The SMSW, SLDT and STR instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows: SMSW: Stores full CR0 in x86-64 long mode, undefined otherwise. SLDT: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors. STR: Zero-extends 16-bit argument. /wiki/Control_register#CR0 ↩
In 64-bit long mode, the ARPL instruction is not available – the 63 /r opcode has been reassigned to the 64-bit-mode-only MOVSXD instruction. /wiki/Long_mode ↩
The ARPL instruction causes #UD in Real mode and Virtual 8086 Mode – Windows 95 and OS/2 2.x are known to make extensive use of this #UD to use the 63 opcode as a one-byte breakpoint to transition from Virtual 8086 Mode to kernel mode.[8][9] /wiki/Real_mode ↩
Bits 19:16 of this mask are documented as "undefined" on Intel CPUs.[10] On AMD CPUs, the mask is documented as 0x00FFFF00. ↩
For the LAR and LSL instructions, if the specified segment descriptor could not be loaded, then the instruction's destination register is left unmodified. ↩
For the LAR and LSL instructions, if the specified segment descriptor could not be loaded, then the instruction's destination register is left unmodified. ↩
On some Intel CPU/microcode combinations from 2019 onwards, the VERW instruction also flushes microarchitectural data buffers. This enables it to be used as part of workarounds for Microarchitectural Data Sampling security vulnerabilities.[11][12] Some of the microarchitectural buffer-flushing functions that have been added to VERW may require the instruction to be executed with a memory operand.[13] /wiki/Microarchitectural_Data_Sampling ↩
Undocumented, 80286 only.[5][14][15] (A different variant of LOADALL with a different opcode and memory layout exists on 80386.) ↩
Undocumented, 80286 only.[5][14][15] (A different variant of LOADALL with a different opcode and memory layout exists on 80386.) ↩
For the 32-bit string instructions, the ±± notation is used to indicate that the indicated register is post-decremented by 4 if EFLAGS.DF=1 and post-incremented by 4 otherwise.For the operands where the DS segment is indicated, the DS segment can be overridden by a segment-override prefix – where the ES segment is indicated, the segment is always ES and cannot be overridden.The choice of whether to use the 16-bit SI/DI registers or the 32-bit ESI/EDI registers as the address registers to use is made by AddressSize, overridable with the 67 prefix. ↩
The 32-bit string instructions accept repeat-prefixes in the same way as older 8/16-bit string instructions.For LODSD, STOSD, MOVSD, INSD and OUTSD, the REP prefix (F3) will repeat the instruction the number of times specified in rCX (CX or ECX, decided by AddressSize), decrementing rCX for each iteration (with rCX=0 resulting in no-op and proceeding to the next instruction).For CMPSD and SCASD, the REPE (F3) and REPNE (F2) prefixes are available, which will repeat the instruction, decrementing rCX for each iteration, but only as long as the flag condition (ZF=1 for REPE, ZF=0 for REPNE) holds true AND rCX ≠ 0. ↩
For the INSB/W/D instructions, the memory access rights for the ES:[rDI] memory address might not be checked until after the port access has been performed – if this check fails (e.g. page fault or other memory exception), then the data item read from the port is lost. As such, it is not recommended to use this instruction to access an I/O port that performs any kind of side effect upon read. ↩
I/O port access is only allowed when CPL≤IOPL or the I/O port permission bitmap bits for the port to access are all set to 0. /wiki/Protection_ring#Privilege_level ↩
The CWDE instruction differs from the older CWD instruction in that CWD would sign-extend the 16-bit value in AX into a 32-bit value in the DX:AX register pair. ↩
For the E3 opcode (JCXZ/JECXZ), the choice of whether the instruction will use CX or ECX for its comparison (and consequently which mnemonic to use) is based on the AddressSize, not OperandSize. (OperandSize instead controls whether the jump destination should be truncated to 16 bits or not).This also applies to the loop instructions LOOP,LOOPE,LOOPNE (opcodes E0,E1,E2), however, unlike JCXZ/JECXZ, these instructions have not been given new mnemonics for their ECX-using variants. ↩
For PUSHA(D), the value of SP/ESP pushed onto the stack is the value it had just before the PUSHA(D) instruction started executing. ↩
For POPA/POPAD, the stack item corresponding to SP/ESP is popped off the stack (performing a memory read), but not placed into SP/ESP. ↩
The PUSHFD and POPFD instructions will cause a #GP exception if executed in virtual 8086 mode if IOPL is not 3.The PUSHF, POPF, IRET and IRETD instructions will cause a #GP exception if executed in Virtual-8086 mode if IOPL is not 3 and VME is not enabled. /wiki/Virtual_8086_mode ↩
If IRETD is used to return from kernel mode to user mode (which will entail a CPL change) and the user-mode stack segment indicated by SS is a 16-bit segment, then the IRETD instruction will only restore the low 16 bits of the stack pointer (ESP/RSP), with the remaining bits keeping whatever value they had in kernel code before the IRETD. This has necessitated complex workarounds on both Linux ("ESPFIX")[16] and Windows.[17] This issue also affects the later 64-bit IRETQ instruction. /wiki/X86_memory_segmentation ↩
For the BT, BTS, BTR and BTC instructions: If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.) If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test. ↩
For the BT, BTS, BTR and BTC instructions: If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.) If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test. ↩
The BTS, BTC and BTR instructions accept the LOCK (F0) prefix when used with a memory argument – this results in the instruction executing atomically. ↩
For the BT, BTS, BTR and BTC instructions: If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.) If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test. ↩
The BTS, BTC and BTR instructions accept the LOCK (F0) prefix when used with a memory argument – this results in the instruction executing atomically. ↩
For the BT, BTS, BTR and BTC instructions: If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.) If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test. ↩
The BTS, BTC and BTR instructions accept the LOCK (F0) prefix when used with a memory argument – this results in the instruction executing atomically. ↩
If the F3 prefix is used with the 0F BC /r opcode, then the instruction will execute as TZCNT on systems that support the BMI1 extension. TZCNT differs from BSF in that TZCNT but not BSR is defined to return operand size if the source operand is zero – for other source operand values, they produce the same result (except for flags). ↩
BSF and BSR set the EFLAGS.ZF flag to 1 if the source argument was all-0s and 0 otherwise.If the source argument was all-0s, then the destination register is documented as being left unchanged on AMD processors, but set to an undefined value on Intel processors. ↩
If the F3 prefix is used with the 0F BD /r opcode, then the instruction will execute as LZCNT on systems that support the ABM or LZCNT extensions. LZCNT produces a different result from BSR for most input values. ↩
BSF and BSR set the EFLAGS.ZF flag to 1 if the source argument was all-0s and 0 otherwise.If the source argument was all-0s, then the destination register is documented as being left unchanged on AMD processors, but set to an undefined value on Intel processors. ↩
For SHLD and SHRD, the shift-amount is masked – the bottom 5 bits are used for 16/32-bit operand size and 6 bits for 64-bit operand size.SHLD and SHRD with 16-bit arguments and a shift-amount greater than 16 produce undefined results. (Actual results differ between different Intel CPUs, with at least three different behaviors known.[18]) ↩
For SHLD and SHRD, the shift-amount is masked – the bottom 5 bits are used for 16/32-bit operand size and 6 bits for 64-bit operand size.SHLD and SHRD with 16-bit arguments and a shift-amount greater than 16 produce undefined results. (Actual results differ between different Intel CPUs, with at least three different behaviors known.[18]) ↩
The condition codes supported for the SETcc and Jcc near instructions (opcodes 0F 9x /0 and 0F 8x respectively, with the x nibble specifying the condition) are: xccCondition (EFLAGS)0OOF=1: "Overflow"1NOOF=0: "Not Overflow"2C,B,NAECF=1: "Carry", "Below", "Not Above or Equal"3NC,NB,AECF=0: "Not Carry", "Not Below", "Above or Equal"4Z,EZF=1: "Zero", "Equal"5NZ,NEZF=0: "Not Zero", "Not Equal"6NA,BE(CF=1 or ZF=1): "Not Above", "Below or Equal"7A,NBE(CF=0 and ZF=0): "Above", "Not Below or Equal"8SSF=1: "Sign"9NSSF=0: "Not Sign"AP,PEPF=1: "Parity", "Parity Even"BNP,POPF=0: "Not Parity", "Parity Odd"CL,NGESF≠OF: "Less", "Not Greater Or Equal"DNL,GESF=OF: "Not Less", "Greater Or Equal"ELE,NG(ZF=1 or SF≠OF): "Less or Equal", "Not Greater"FNLE,G(ZF=0 and SF=OF): "Not Less or Equal", "Greater" /wiki/FLAGS_register ↩
For SETcc, while the opcode is commonly specified as /0 – implying that bits 5:3 of the instruction's ModR/M byte should be 000 – modern x86 processors (Pentium and later) ignore bits 5:3 and will execute the instruction as SETcc regardless of the contents of these bits. /wiki/ModR/M ↩
The condition codes supported for the SETcc and Jcc near instructions (opcodes 0F 9x /0 and 0F 8x respectively, with the x nibble specifying the condition) are: xccCondition (EFLAGS)0OOF=1: "Overflow"1NOOF=0: "Not Overflow"2C,B,NAECF=1: "Carry", "Below", "Not Above or Equal"3NC,NB,AECF=0: "Not Carry", "Not Below", "Above or Equal"4Z,EZF=1: "Zero", "Equal"5NZ,NEZF=0: "Not Zero", "Not Equal"6NA,BE(CF=1 or ZF=1): "Not Above", "Below or Equal"7A,NBE(CF=0 and ZF=0): "Above", "Not Below or Equal"8SSF=1: "Sign"9NSSF=0: "Not Sign"AP,PEPF=1: "Parity", "Parity Even"BNP,POPF=0: "Not Parity", "Parity Odd"CL,NGESF≠OF: "Less", "Not Greater Or Equal"DNL,GESF=OF: "Not Less", "Greater Or Equal"ELE,NG(ZF=1 or SF≠OF): "Less or Equal", "Not Greater"FNLE,G(ZF=0 and SF=OF): "Not Less or Equal", "Greater" /wiki/FLAGS_register ↩
For LFS, LGS and LSS, the size of the offset part of the far pointer is given by operand size – the size of the segment part is always 16 bits. In 64-bit mode, using the REX.W prefix with these instructions will cause them to load a far pointer with a 64-bit offset on Intel but not AMD processors. /wiki/Far_pointer ↩
For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b. /wiki/ModR/M ↩
For moves to/from the CRx and DRx registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise. ↩
For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b. /wiki/ModR/M ↩
For moves to/from the CRx and DRx registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise. ↩
On processors that support global pages (Pentium and later), global page table entries will not be flushed by a MOV to CR3 − instead, these entries can be flushed by toggling the CR4.PGE bit.On processors that support PCIDs, writing to CR3 while PCIDs are enabled will only flush TLB entries belonging to the PCID specified in bits 11:0 of the value written to CR3 (this flush can be suppressed by setting bit 63 of the written value to 1). Flushing pages belonging to other PCIDs can instead be done by toggling the CR4.PGE bit, clearing the CR4.PCIDE bit, or using the INVPCID instruction. /wiki/Process-context_identifier ↩
On processors prior to Pentium, moves to CR0 would not serialize the instruction stream – in part for this reason, it is usually required to perform a far jump[19] immediately after a MOV to CR0 if such a MOV is used to enable/disable protected mode and/or memory paging.MOV to CR2 is architecturally listed as serializing, but has been reported to be non-serializing on at least some Intel Core-i7 processors.[20]MOV to CR8 (introduced with x86-64) is serializing on AMD but not Intel processors. /wiki/Pentium_(original) ↩
For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b. /wiki/ModR/M ↩
For moves to/from the CRx and DRx registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise. ↩
For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b. /wiki/ModR/M ↩
For moves to/from the CRx and DRx registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise. ↩
For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b. /wiki/ModR/M ↩
The MOV TRx instructions were discontinued from Pentium onwards. ↩
For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b. /wiki/ModR/M ↩
The MOV TRx instructions were discontinued from Pentium onwards. ↩
The INT1/ICEBP (F1) instruction is present on all known Intel x86 processors from the 80386 onwards,[21] but only fully documented for Intel processors from the May 2018 release of the Intel SDM (rev 067) onwards.[22] Before this release, mention of the instruction in Intel material was sporadic, e.g. AP-526 rev 001.[23]For AMD processors, the instruction has been documented since 2002.[24] ↩
The operation of the F1(ICEBP) opcode differs from the operation of the regular software interrupt opcode CD 01 in several ways:In protected mode, CD 01 will check CPL against the interrupt descriptor's DPL field as an access-rights check, while F1 will not.In virtual-8086 mode, CD 01 will also check CPL against IOPL as an access-rights check, while F1 will not.In virtual-8086 mode with VME enabled, interrupt redirection is supported for CD 01 but not F1. ↩
The UMOV instruction is present on 386 and 486 processors only.[21] ↩
The XBTS and IBTS instructions were discontinued with the B1 stepping of 80386. They have been used by software mainly for detection of the buggy[25] B0 stepping of the 80386. Microsoft Windows (v2.01 and later) will attempt to run the XBTS instruction as part of its CPU detection if CPUID is not present, and will refuse to boot if XBTS is found to be working.[26] ↩
For XBTS and IBTS, the r/m argument represents the data to extract/insert a bitfield from/to, the reg argument the bitfield to be inserted/extracted, AX/EAX a bit-offset and CL a bitfield length.[27] ↩
The XBTS and IBTS instructions were discontinued with the B1 stepping of 80386. They have been used by software mainly for detection of the buggy[25] B0 stepping of the 80386. Microsoft Windows (v2.01 and later) will attempt to run the XBTS instruction as part of its CPU detection if CPUID is not present, and will refuse to boot if XBTS is found to be working.[26] ↩
For XBTS and IBTS, the r/m argument represents the data to extract/insert a bitfield from/to, the reg argument the bitfield to be inserted/extracted, AX/EAX a bit-offset and CL a bitfield length.[27] ↩
Undocumented, 80386 only.[28] ↩
Using BSWAP with 16-bit registers is not disallowed per se (it will execute without producing an #UD or other exceptions) but is documented to produce undefined results – it is reported to produce various different results on 486,[29] 586, and Bochs/QEMU.[30] ↩
On Intel 80486 stepping A,[31] the CMPXCHG instruction uses a different encoding - 0F A6 /r for 8-bit variant, 0F A7 /r for 16/32-bit variant. The 0F B0/B1 encodings are used on 80486 stepping B and later.[32][33] ↩
The CMPXCHG instruction sets EFLAGS in the same way as a CMP instruction that uses the accumulator (AL/AX/EAX/RAX) as its first argument would do. ↩
On Intel 80486 stepping A,[31] the CMPXCHG instruction uses a different encoding - 0F A6 /r for 8-bit variant, 0F A7 /r for 16/32-bit variant. The 0F B0/B1 encodings are used on 80486 stepping B and later.[32][33] ↩
INVLPG executes as no-operation if the m8 argument is invalid (e.g. unmapped page or non-canonical address).INVLPG can be used to invalidate TLB entries for individual global pages. ↩
The INVD and WBINVD instructions will invalidate all cache lines in the CPU's L1 caches. It is implementation-defined whether they will invalidate L2/L3 caches as well.These instructions are serializing – on some processors, they may block interrupts until completion as well. ↩
Under Intel VT-x virtualization, the INVD instruction will cause a mandatory #VMEXIT. Also, on processors that support Intel SGX, if the PRM (Processor Reserved Memory) has been set up by using the PRMRRs (PRM range registers), then the INVD instruction is not permitted and will cause a #GP(0) exception.[34] /wiki/Intel_VT-x ↩
If the F3 prefix is used with the 0F 09 opcode, then the instruction will execute as WBNOINVD on processors that support the WBNOINVD extension – this will not invalidate the cache. ↩
The INVD and WBINVD instructions will invalidate all cache lines in the CPU's L1 caches. It is implementation-defined whether they will invalidate L2/L3 caches as well.These instructions are serializing – on some processors, they may block interrupts until completion as well. ↩
In 64-bit mode, the RDMSR, RDTSC and RDPMC instructions will set the top 32 bits of RDX and RAX to zero. ↩
Frank van Gilluwe, "The Undocumented PC, second edition", 1997, ISBN 0-201-47950-8, page 55 /wiki/ISBN_(identifier) ↩
On Intel and AMD CPUs, the WRMSR instruction is also used to update the CPU microcode. This is done by writing the virtual address of the new microcode to upload to MSR 79h on Intel CPUs and MSR C001_0020h[36] on AMD CPUs. /wiki/Intel_Microcode#Update_facility ↩
Writes to the following MSRs are not serializing:[37][38] NumberName48hSPEC_CTRL49hPRED_CMD10BhFLUSH_CMD122hTSX_CTRL6E0hTSC_DEADLINE6E1hPKRS774hHWP_REQUEST(non-serializing only if the FAST_IA32_HWP_REQUEST bit it set)802h to 83Fh(x2APIC MSRs)1B01hUARCH_MISC_CTLC001_0100hFS_BASE (non-serializing on AMD Zen 4 and later)[39]C001_0101hGS_BASE (Zen 4 and later)C001_0102hKernelGSbase (Zen 4 and later)C001_011BhDoorbell Register (AMD-specific) WRMSR to the x2APIC ICR (Interrupt Command Register; MSR 830h) is commonly used to produce an IPI (Inter-processor interrupt) - on Intel[40] but not AMD[41] CPUs, such an IPI can be reordered before an older memory store. ↩
"RSM—Resume from System Management Mode". Archived from the original on 2012-03-12. https://web.archive.org/web/20120312224625/http://www.softeng.rl.ac.uk/st/archive/SoftEng/SESP/html/SoftwareTools/vtune/users_guide/mergedProjects/analyzer_ec/mergedProjects/reference_olh/mergedProjects/instructions/instruct32_hh/vc279.htm ↩
Microprocessor Report, System Management Mode Explained (vol 6, no. 8, june 17, 1992). Archived on Jun 29, 2022. http://www.cecs.uci.edu/~papers/mpr/MPR/ARTICLES/060805.PDF ↩
Ellis, Simson C., "The 386 SL Microprocessor in Notebook PCs", Intel Corporation, Microcomputer Solutions, March/April 1991, page 20 ↩
System Management Mode and the RSM instruction were made available on non-SL variants of the Intel 486 only after the initial release of the Intel Pentium in 1993. /wiki/System_Management_Mode ↩
Cyrix 486SLC/e Data Sheet (1992), section 2.6.4 http://www.bitsavers.org/components/cyrix/Cyrix_Cx486SLCe_Data_Sheet_1992.pdf ↩
On some older 32-bit processors, executing CPUID with a leaf index (EAX) greater than 0 may leave EBX and ECX unmodified, keeping their old values. For this reason, it is recommended to zero out EBX and ECX before executing CPUID.Processors noted to exhibit this behavior include Cyrix MII[46] and IDT WinChip 2.[47]In 64-bit mode, CPUID will set the top 32 bits of RAX, RBX, RCX and RDX to zero. ↩
On some Intel processors starting from Ivy Bridge, there exists MSRs that can be used to restrict CPUID to ring 0. Such MSRs are documented for at least Ivy Bridge[48] and Denverton.[49]The ability to restrict CPUID to ring 0 also exists on AMD processors supporting the "CpuidUserDis" feature (Zen 4 "Raphael" and later).[50] /wiki/Ivy_Bridge_(microarchitecture) ↩
CPUID is also available on some Intel and AMD 486 processor variants that were released after the initial release of the Intel Pentium. ↩
CPUID is also available on some Intel and AMD 486 processor variants that were released after the initial release of the Intel Pentium. ↩
On the Cyrix 5x86 and 6x86 CPUs, CPUID is not enabled by default and must be enabled through a Cyrix configuration register. ↩
On NexGen CPUs, CPUID is only supported with some system BIOSes. On some NexGen CPUs that do support CPUID, EFLAGS.ID is not supported but EFLAGS.AC is, complicating CPU detection.[51] ↩
Unlike the older CMPXCHG instruction, the CMPXCHG8B instruction does not modify any EFLAGS bits other than ZF. /wiki/FLAGS_register ↩
LOCK CMPXCHG8B with a register operand (which is an invalid encoding) will, on some Intel Pentium CPUs, cause a hang rather than the expected #UD exception - this is known as the Pentium F00F bug. /wiki/Pentium_(original) ↩
On IDT WinChip, Transmeta Crusoe and Rise mP6 processors, the CMPXCHG8B instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.[52] ↩
On IDT WinChip, Transmeta Crusoe and Rise mP6 processors, the CMPXCHG8B instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.[52] ↩
On IDT WinChip, Transmeta Crusoe and Rise mP6 processors, the CMPXCHG8B instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.[52] ↩
The RDTSC and RDPMC instructions are not ordered with respect to other instructions, and may sample their respective counters before earlier instructions are executed or after later instructions have executed. Invocations of RDPMC (but not RDTSC) may be reordered relative to each other even for reads of the same counter.In order to impose ordering with respect to other instructions, LFENCE or serializing instructions (e.g. CPUID) are needed.[53] ↩
In 64-bit mode, the RDMSR, RDTSC and RDPMC instructions will set the top 32 bits of RDX and RAX to zero. ↩
Fixed-rate TSC was introduced in two stages: Constant TSCTSC running at a fixed rate as long as the processor core is not in a deep-sleep (C2 or deeper) mode, but not synchronized between CPU cores. Introduced in Intel Prescott, Yonah and Bonnell. Also present in all Transmeta and VIA Nano[54] CPUs. Does not have a CPUID bit.Invariant TSCTSC running at a fixed rate, and remaining synchronized between CPU cores in all P-,C- and T-states (but not necessarily S-states).Present in AMD K10 and later; Intel Nehalem/Saltwell[55] and later; Zhaoxin WuDaoKou[56] and later. Indicated with a CPUID bit (leaf 8000_0007:EDX[8]). /wiki/ACPI#Power_states ↩
RDTSC can be run outside Ring 0 only if CR4.TSD=0.On Intel Pentium and AMD K5, RDTSC cannot be run in Virtual-8086 mode.[57] Later processors removed this restriction. /wiki/Control_register#CR4 ↩
The RDTSC and RDPMC instructions are not ordered with respect to other instructions, and may sample their respective counters before earlier instructions are executed or after later instructions have executed. Invocations of RDPMC (but not RDTSC) may be reordered relative to each other even for reads of the same counter.In order to impose ordering with respect to other instructions, LFENCE or serializing instructions (e.g. CPUID) are needed.[53] ↩
In 64-bit mode, the RDMSR, RDTSC and RDPMC instructions will set the top 32 bits of RDX and RAX to zero. ↩
RDPMC can be run outside Ring 0 only if CR4.PCE=1. /wiki/Control_register#CR4 ↩
The RDPMC instruction is not present in VIA processors prior to the Nano. ↩
The condition codes supported for CMOVcc instruction (opcode 0F 4x /r, with the x nibble specifying the condition) are: xccCondition (EFLAGS)0OOF=1: "Overflow"1NOOF=0: "Not Overflow"2C,B,NAECF=1: "Carry", "Below", "Not Above or Equal"3NC,NB,AECF=0: "Not Carry", "Not Below", "Above or Equal"4Z,EZF=1: "Zero", "Equal"5NZ,NEZF=0: "Not Zero", "Not Equal"6NA,BE(CF=1 or ZF=1): "Not Above", "Below or Equal"7A,NBE(CF=0 and ZF=0): "Above", "Not Below or Equal"8SSF=1: "Sign"9NSSF=0: "Not Sign"AP,PEPF=1: "Parity", "Parity Even"BNP,POPF=0: "Not Parity", "Parity Odd"CL,NGESF≠OF: "Less", "Not Greater Or Equal"DNL,GESF=OF: "Not Less", "Greater Or Equal"ELE,NG(ZF=1 or SF≠OF): "Less or Equal", "Not Greater"FNLE,G(ZF=0 and SF=OF): "Not Less or Equal", "Greater" /wiki/FLAGS_register ↩
In 64-bit mode, CMOVcc with a 32-bit operand size will clear the upper 32 bits of the destination register even if the condition is false.For CMOVcc with a memory source operand, the CPU will always read the operand from memory – potentially causing memory exceptions and cache line-fills – even if the condition for the move is not satisfied. (The Intel APX extension defines a set of new EVEX-encoded variants of CMOVcc that will suppress memory exceptions if the condition is false.) /wiki/X86#APX_(Advanced_Performance_Extensions) ↩
On pre-Nehemiah VIA C3 variants ("Samuel"/"Ezra"), the reg,reg but not reg,[mem] forms of the CMOVcc instructions have been reported to be present as undocumented instructions.[58] ↩
Intel's recommended byte encodings for multi-byte NOPs of lengths 2 to 9 bytes in 32/64-bit mode are (in hex):[59] LengthByte Sequence266 9030F 1F 0040F 1F 40 0050F 1F 44 00 00666 0F 1F 44 00 0070F 1F 80 00 00 00 0080F 1F 84 00 00 00 00 00966 0F 1F 84 00 00 00 00 00 For cases where there is a need to use more than 9 bytes of NOP padding, it is recommended to use multiple NOPs. ↩
Unlike other instructions added in Pentium Pro, long NOP does not have a CPUID feature bit. /wiki/Pentium_Pro ↩
JookWiki, "nopl", sep 24, 2022 – provides a lengthy account of the history of the long NOP and the issues around it. Archived on oct 28, 2022. https://www.jookia.org/wiki/Nopl ↩
0F 1F /0 as long-NOP was introduced in the Pentium Pro, but remained undocumented until 2006.[61] The whole 0F 18..1F opcode range was NOP in Pentium Pro. However, except for 0F 1F /0, Intel does not guarantee that these opcodes will remain NOP in future processors, and have indeed assigned some of these opcodes to other instructions in at least some processors.[62] ↩
Documented for AMD x86-64 since 2002.[63] ↩
Debian bug report logs, -686 build uses long noops, that are unsupported by Transmeta Crusoe, immediate crash on boot, see messages 148 and 158 for NOPL on VIA C7. Archived on 1 Aug 2019 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464962#148 ↩
While the 0F 0B opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned the mnemonic UD2 from Pentium Pro onwards.[65] /wiki/Pentium_Pro ↩
GNU Binutils have used the UD2A and UD2B mnemonics for the 0F 0B and 0F B9 opcodes since version 2.7.[66]Neither UD2A nor UD2B originally took any arguments - UD2B was later modified to accept a ModR/M byte, in Binutils version 2.30.[67] /wiki/GNU_Binutils ↩
The UD2 (0F 0B) instruction will additionally stop subsequent bytes from being decoded as instructions, even speculatively. For this reason, if an indirect branch instruction is followed by something that is not code, it is recommended to place an UD2 instruction after the indirect branch.[68] ↩
The UD0/1/2 opcodes - 0F 0B, 0F B9 and 0F FF - will cause an #UD exception on all x86 processors from the 80186 onwards (except NEC V-series processors), but did not get explicitly reserved for this purpose until P5-class processors. /wiki/Intel_80186 ↩
Intel, Pentium® Processor Family Developer's Manual Volume 3, 1995. order no. 241430-004, appendix A, page 943 – reserves the opcodes 0F 0B and 0F B9. https://www.ardent-tool.com/CPU/docs/Intel/Pentium/241430-004.pdf ↩
While the 0F B9 opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned its mnemonic UD1 much later – AMD APM started listing UD1 in its opcode maps from rev 3.17 onwards,[70] while Intel SDM started listing it from rev 061 onwards.[71] ↩
GNU Binutils have used the UD2A and UD2B mnemonics for the 0F 0B and 0F B9 opcodes since version 2.7.[66]Neither UD2A nor UD2B originally took any arguments - UD2B was later modified to accept a ModR/M byte, in Binutils version 2.30.[67] /wiki/GNU_Binutils ↩
For both the 0F B9 and 0F FF opcodes, different x86 implementations are known to differ regarding whether the opcodes accept a ModR/M byte.[72][73][74] /wiki/ModR/M ↩
For the 0F FF opcode, the OIO mnemonic was introduced by Cyrix,[75] while the UD0 menmonic (without arguments) was introduced by AMD and Intel at the same time as the UD1 mnemonic for 0F B9.[70][71] Later Intel (but not AMD) documentation modified its description of UD0 to add a ModR/M byte and take two arguments.[76] ↩
For both the 0F B9 and 0F FF opcodes, different x86 implementations are known to differ regarding whether the opcodes accept a ModR/M byte.[72][73][74] /wiki/ModR/M ↩
The UD0/1/2 opcodes - 0F 0B, 0F B9 and 0F FF - will cause an #UD exception on all x86 processors from the 80186 onwards (except NEC V-series processors), but did not get explicitly reserved for this purpose until P5-class processors. /wiki/Intel_80186 ↩
Cyrix, 6x86 processor data book, 1996, order no. 94175-01, table 6-20, page 209 – uses the mnemonic OIO ("Official invalid opcode") for the 0F FF opcode. https://ardent-tool.com/CPU/docs/Cyrix/6x86/94175.pdf ↩
AMD, AMD-K5 Processor Technical Reference Manual, Nov 1996, order no. 18524C/0, section 3.3.7, page 90 – reserves the 0F FF opcode without assigning it a mnemonic. https://www.ardent-tool.com/CPU/docs/AMD/K5/18524c.pdf ↩
On K6, the SYSCALL/SYSRET instructions were available on Model 7 (250nm "Little Foot") and later, not on the earlier Model 6.[78] ↩
SYSCALL and SYSRET were made an integral part of x86-64 – as a result, the instructions are available in 64-bit mode on all x86-64 processors from AMD, Intel, VIA and Zhaoxin.Outside 64-bit mode, the instructions are available on AMD processors only. ↩
The exact semantics of SYSRET differs slightly between AMD and Intel processors: non-canonical return addresses cause a #GP exception to be thrown in Ring 3 on AMD CPUs but Ring 0 on Intel CPUs. This has been known to cause security issues.[79] ↩
For the SYSRET and SYSEXIT instructions under x86-64, it is necessary to add the REX.W prefix for variants that will return to 64-bit user-mode code.Encodings of these instructions without the REX.W prefix are used to return to 32-bit user-mode code. (Neither of these instructions can be used to return to 16-bit user-mode code — for return to 16-bit code, IRET/IRETD/IRETQ should be used.) ↩
The SYSRET, SYSENTER and SYSEXIT instructions are unavailable in Real mode. (SYSENTER is, however, available in Virtual 8086 mode.) /wiki/Real_mode ↩
The SYSRET, SYSENTER and SYSEXIT instructions are unavailable in Real mode. (SYSENTER is, however, available in Virtual 8086 mode.) /wiki/Real_mode ↩
The CPUID flags that indicate support for SYSENTER/SYSEXIT are set on the Pentium Pro, even though the processor does not officially support these instructions.[80]Third party testing indicates that the opcodes are present on the Pentium Pro but too buggy to be usable.[81] ↩
AMD, Athlon Processor x86 Code Optimization Guide, publication no. 22007, rev K, feb 2002, appendix F, page 284. Archived on 13 Apr 2017. https://pdf.datasheetcatalog.com/datasheet/AdvancedMicroDevices/mXvyvs.pdf ↩
On AMD CPUs, the SYSENTER and SYSEXIT instructions are not available in x86-64 long mode (#UD). /wiki/Long_mode ↩
On Transmeta CPUs, the SYSENTER and SYSEXIT instructions are only available with version 4.2 or higher of the Transmeta Code Morphing software.[83] ↩
On Nehemiah, SYSENTER and SYSEXIT are available only on stepping 8 and later.[84] ↩
For the SYSRET and SYSEXIT instructions under x86-64, it is necessary to add the REX.W prefix for variants that will return to 64-bit user-mode code.Encodings of these instructions without the REX.W prefix are used to return to 32-bit user-mode code. (Neither of these instructions can be used to return to 16-bit user-mode code — for return to 16-bit code, IRET/IRETD/IRETQ should be used.) ↩
The SYSRET, SYSENTER and SYSEXIT instructions are unavailable in Real mode. (SYSENTER is, however, available in Virtual 8086 mode.) /wiki/Real_mode ↩
The memory operand to CMPXCHG16B must be 16-byte aligned. ↩
The CMPXCHG16B instruction was absent from a few of the earliest Intel/AMD x86-64 processors. On Intel processors, the instruction was missing from Xeon "Nocona" stepping D,[85] but added in stepping E.[86] On AMD K8 family processors, it was added in stepping F, at the same time as DDR2 support was introduced.[87]For this reason, CMPXCHG16B has its own CPUID flag, separate from the rest of x86-64. /wiki/List_of_Intel_Xeon_processors_(NetBurst-based)#"Nocona"_(90_nm) ↩
Encodings of MOVSXD without REX.W prefix are permitted but discouraged[88] – such encodings behave identically to 16/32-bit MOV (8B /r). ↩
On AMD CPUs, the "ABM" extension provides both POPCNT and LZCNT. On Intel CPUs, however, the CPUID bit for "ABM" is only documented to indicate the presence of the LZCNT instruction and is listed as "LZCNT", while POPCNT has its own separate CPUID feature bit.However, all known processors that implement the "ABM"/"LZCNT" extensions also implement POPCNT and set the CPUID feature bit for POPCNT, so the distinction is theoretical only.(The converse is not true – there exist processors that support POPCNT but not ABM, such as Intel Nehalem and VIA Nano 3000.) /wiki/Nehalem_(microarchitecture) ↩
The LZCNT instruction will execute as BSR on systems that do not support the LZCNT or ABM extensions. BSR computes the index of the highest set bit in the source operand, producing a different result from LZCNT for most input values. ↩
The TZCNT instruction will execute as BSF on systems that do not support the BMI1 extension. BSF produces the same result as TZCNT for all input operand values except zero – for which TZCNT returns input operand size, but BSF produces undefined behavior (leaves destination unmodified on most modern CPUs). ↩
For BEXTR, the start position and length are not masked and can take values from 0 to 255. If the selected bits extend beyond the end of the r/m argument (which has the usual 32/64-bit operand size), then the out-of-bounds bits are read out as 0. ↩
On AMD processors before Zen 3, the PEXT and PDEP instructions are quite slow[89] and exhibit data-dependent timing due to the use of a microcoded implementation (about 18 to 300 cycles, depending on the number of bits set in the mask argument). As a result, it is often faster to use other instruction sequences on these processors.[90][91] ↩
The RDSSPD and RDSSPQ instructions act as NOPs on processors where shadow stacks are disabled or CET is not supported. ↩
The RDSSPD and RDSSPQ instructions act as NOPs on processors where shadow stacks are disabled or CET is not supported. ↩
ENDBR32 and ENDBR64 act as NOPs on processors that don't support CET_IBT or where IBT is disabled. ↩
ENDBR32 and ENDBR64 act as NOPs on processors that don't support CET_IBT or where IBT is disabled. ↩
This prefix has the same encoding as the DS: segment override prefix – as of April 2022, Intel documentation does not appear to specify whether this prefix also retains its old segment-override function when used as a no-track prefix, nor does it provide an official mnemonic for this prefix.[92][93] (GNU binutils use "notrack"[94]) ↩
Under Intel APX, the XSAVE* and XRSTOR* instructions cannot be encoded with the REX2 prefix. ↩
XSAVE was added in steppings E0/R0 of Penryn and is not available in earlier steppings. ↩
On some processors (starting with Skylake, Goldmont and Zen 1), executing XGETBV with ECX=1 is permitted – this will not return XCR1 (no such register exists) but instead return XCR0 bitwise-ANDed with the current value of the "XINUSE" state-component bitmap (a bitmap of XSAVE state-components that are not known to be in their initial state).The presence of this functionality of XGETBV is indicated by CPUID.(EAX=0Dh,ECX=1):EAX[bit 2]. /wiki/Skylake_(microarchitecture) ↩
The XSETBV instruction will cause a mandatory #VMEXIT if executed under Intel VT-x virtualization. /wiki/Intel_VT-x ↩
AMD Athlon processors prior to the Athlon XP did not support full SSE, but did introduce the non-SIMD instructions of SSE as part of "MMX Extensions".[95] These extensions (without full SSE) are also present on Geode GX2 and later Geode processors. /wiki/Athlon ↩
All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated. ↩
AMD Athlon processors prior to the Athlon XP did not support full SSE, but did introduce the non-SIMD instructions of SSE as part of "MMX Extensions".[95] These extensions (without full SSE) are also present on Geode GX2 and later Geode processors. /wiki/Athlon ↩
AMD Athlon processors prior to the Athlon XP did not support full SSE, but did introduce the non-SIMD instructions of SSE as part of "MMX Extensions".[95] These extensions (without full SSE) are also present on Geode GX2 and later Geode processors. /wiki/Athlon ↩
All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated. ↩
All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated. ↩
All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated. ↩
For the SFENCE, LFENCE and MFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction. ↩
The SFENCE instruction ensures that all memory stores after the SFENCE instruction are made globally observable after all memory stores before the SFENCE. This imposes ordering on stores that can otherwise be reordered, such as non-temporal stores and stores to WC (Write-Combining) memory regions.[96]On Intel CPUs, as well as AMD CPUs from Zen1 onwards (but not older AMD CPUs), SFENCE also acts as a reordering barrier on cache flushes/writebacks performed with the CLFLUSH, CLFLUSHOPT and CLWB instructions. (Older AMD CPUs require MFENCE to order CLFLUSH.)SFENCE is not ordered with respect to LFENCE, and an SFENCE+LFENCE sequence is not sufficient to prevent a load from being reordered past a previous store.[97] To prevent such reordering, it is necessary to execute an MFENCE, LOCK or a serializing instruction. ↩
For the SFENCE, LFENCE and MFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction. ↩
The LFENCE instruction ensures that all memory loads after the LFENCE instruction are made globally observable after all memory loads before the LFENCE.On all Intel CPUs that support SSE2, the LFENCE instruction provides a stronger ordering guarantee:[98] it is dispatch-serializing, meaning that instructions after the LFENCE instruction are allowed to start executing only after all instructions before it have retired (which will ensure that all preceding loads but not necessarily stores have completed). The effect of dispatch-serialization is that LFENCE also acts as a speculation barrier and a reordering barrier for accesses to non-memory resources such as performance counters (accessed through e.g. RDTSC or RDPMC) and x2apic MSRs.On AMD CPUs, LFENCE is not necessarily dispatch-serializing by default – however, on all AMD CPUs that support any form of non-dispatch-serializing LFENCE, it can be made dispatch-serializing by setting bit 1 of MSR C001_1029.[99] ↩
For the SFENCE, LFENCE and MFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction. ↩
The MFENCE instruction ensures that all memory loads, stores and cacheline-flushes after the MFENCE instruction are made globally observable after all memory loads, stores and cacheline-flushes before the MFENCE.On Intel CPUs, MFENCE is not dispatch-serializing, and therefore cannot be used on its own to enforce ordering on accesses to non-memory resources such as performance counters and x2apic MSRs. MFENCE is still ordered with respect to LFENCE, so if there is a need to enforce ordering between memory stores and subsequent non-memory accesses, then such an ordering can be obtained by issuing an MFENCE followed by an LFENCE.[53][100]On AMD CPUs, MFENCE is serializing. ↩
The operation of the PAUSE instruction in 64-bit mode is, unlike NOP, unaffected by the presence of the REX.R prefix. Neither NOP nor PAUSE are affected by the other bits of the REX prefix. A few examples of how opcode 90 interacts with various prefixes in 64-bit mode are:90 is NOP41 90 is XCHG R8D,EAX4E 90 is NOP49 90 is XCHG R8,RAXF3 90 is PAUSEF3 41 90 is PAUSEF3 4F 90 is PAUSE ↩
The actual length of the pause performed by the PAUSE instruction is implementation-dependent.On systems without SSE2, PAUSE will execute as NOP. ↩
Under VT-x or AMD-V virtualization, executing PAUSE many times in a short time interval may cause a #VMEXIT. The number of PAUSE executions and interval length that can trigger #VMEXIT are platform-specific. ↩
While the CLFLUSH instruction was introduced together with SSE2, it has its own CPUID flag and may be present on processors not otherwise implementing SSE2 and/or absent from processors that otherwise implement SSE2. (E.g. AMD Geode LX supports CLFLUSH but not SSE2.) /wiki/Geode_(processor) ↩
While the MONITOR and MWAIT instructions were introduced at the same time as SSE3, they have their own CPUID flag that needs to be checked separately from the SSE3 CPUID flag (e.g. Athlon 64 X2 and VIA C7 supported SSE3 but not MONITOR.) /wiki/Athlon_64_X2 ↩
For the MONITOR and MWAIT instructions, older Intel documentation[101] lists instruction mnemonics with explicit operands (MONITOR EAX,ECX,EDX and MWAIT EAX,ECX), while newer documentation omits these operands. Assemblers/disassemblers may support one or both of these variants.[102] ↩
For MONITOR, the DS: segment can be overridden with a segment prefix.The memory area that will be monitored will be not just the single byte specified by DS:rAX, but a linear memory region containing the byte – the size and alignment of this memory region is implementation-dependent and can be queried through CPUID.The memory location to monitor should have memory type WB (write-back cacheable), or else monitoring may fail. ↩
As of April 2024, no extensions or hints have been defined for the MONITOR instruction. As such, the instruction requires ECX=0 and ignores EDX. ↩
On some processors, such as Intel Xeon Phi x200[103] and AMD K10[104] and later, there exist documented MSRs that can be used to enable MONITOR and MWAIT to run in Ring 3. /wiki/Xeon_Phi ↩
For the MONITOR and MWAIT instructions, older Intel documentation[101] lists instruction mnemonics with explicit operands (MONITOR EAX,ECX,EDX and MWAIT EAX,ECX), while newer documentation omits these operands. Assemblers/disassemblers may support one or both of these variants.[102] ↩
The wait performed by MWAITmay be ended by system events other than a memory write (e.g. cacheline evictions, interrupts) – the exact set of events that can cause the wait to end is implementation-specific.Regardless of whether the wait was ended by a memory write or some other event, monitoring will have ended and it will be necessary to set up monitoring again with MONITOR before using MWAIT to wait for memory writes again. ↩
The extension flags available for MWAIT in the ECX register are: BitsMWAIT Extension0Treat interrupts as break events, even when masked (EFLAGS.IF=0). (Available on all non-NetBurst implementations of MWAIT.)1Timed MWAIT: end the wait when the TSC reaches or exceeds the value in EDX:EBX. (Undocumented, reportedly present in Intel Skylake and later Intel processors)[105]2Monitorless MWAIT[106]31:3Not used, must be set to zero. /wiki/FLAGS_register ↩
The hint flags available for MWAIT in the EAX register are: BitsMWAIT Hint3:0Sub-state within a C-state (see bits 7:4) (Intel processors only)7:4Target CPU power C-state during wait, minus 1. (E.g. 0000b for C1, 0001b for C2, 1111b for C0)31:8Not used. The C-states are processor-specific power states, which do not necessarily correspond 1:1 to ACPI C-states. /wiki/ACPI#Processor_states ↩
For the GETSEC instruction, the REX.W prefix enables 64-bit addresses for the EXITAC leaf function only - REX prefixes are otherwise permitted but ignored for the instruction. ↩
The leaf functions defined for GETSEC (selected by EAX) are: EAXFunction0 (CAPABILITIES)Report SMX capabilities2 (ENTERACCES)Enter execution of authenticated code module3 (EXITAC)Exit execution of authenticated code module4 (SENTER)Enter measured environment5 (SEXIT)Exit measured environment6 (PARAMETERS)Report SMX parameters7 (SMCTRL)SMX Mode Control8 (WAKEUP)Wake up sleeping processors in measured environment Any unsupported value in EAX causes an #UD exception. ↩
For GETSEC, most leaf functions are restricted to Ring 0, but the CAPABILITIES (EAX=0) and PARAMETERS (EAX=6) leaf functions are available in Ring 3. ↩
Guru3D, VIA Zhaoxin x86 4 and 8-core SoC processors launch, Jan 22, 2018 https://www.guru3d.com/news-story/via-zhaoxin-x86-4-and-8-core-processors-launched.html ↩
The "core ID" value read by RDTSCP and RDPID is actually the TSC_AUX MSR (MSR C000_0103h). Whether this value actually corresponds to a processor ID is a matter of operating system convention. ↩
Unlike the older RDTSC instruction, RDTSCP will delay the TSC read until all previous instructions have retired, guaranteeing ordering with respect to preceding memory loads (but not stores). RDTSCP is not ordered with respect to subsequent instructions, though. ↩
RDTSCP can be run outside Ring 0 only if CR4.TSD=0. /wiki/Control_register#CR4 ↩
Support for RDTSCP was added in stepping F of the AMD K8, and is not available on earlier steppings. ↩
While the POPCNT instruction was introduced at the same time as SSE4.2, it is not considered to be a part of SSE4.2, but instead a separate extension with its own CPUID flag.On AMD processors, it is considered to be a part of the ABM extension, but still has its own CPUID flag. ↩
For the MOVBE instruction, encodings that use both the 66h prefix and the REX.W prefix will cause #UD on some processors (e.g. Haswell[108]) and should therefore be avoided. ↩
For the MOVBE instruction, encodings that use both the 66h prefix and the REX.W prefix will cause #UD on some processors (e.g. Haswell[108]) and should therefore be avoided. ↩
The invalidation types defined for INVPCID (selected by register argument) are: ValueFunction0Invalidate TLB entries matching PCID and virtual memory address in descriptor, excluding global entries1Invalidate TLB entries matching PCID in descriptor, excluding global entries2Invalidate all TLB entries, including global entries3Invalidate all TLB entries, excluding global entries Any unsupported value in the register argument causes a #GP exception. ↩
Unlike the older INVLPG instruction, INVPCID will cause a #GP exception if the provided memory address is non-canonical. This discrepancy has been known to cause security issues.[109] ↩
The PREFETCH and PREFETCHW instructions are mandatory parts of the 3DNow! instruction set extension, but are also available as a standalone extension on systems that do not support 3DNow! /wiki/3DNow! ↩
All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated. ↩
The opcodes for PREFETCH and PREFETCHW (0F 0D /r) execute as NOPs on Intel CPUs from Cedar Mill (65nm Pentium 4) onwards, with PREFETCHW gaining prefetch functionality from Broadwell onwards. /wiki/Pentium_4 ↩
The PREFETCH (0F 0D /0) instruction is a 3DNow! instruction, present on all processors with 3DNow! but not necessarily on processors with the PREFETCHW extension.On AMD CPUs with PREFETCHW, opcode 0F 0D /0 as well as opcodes 0F 0D /2../7 are all documented to be performing prefetch.On Intel processors with PREFETCHW, these opcodes are documented as performing reserved-NOPs[110] (except 0F 0D /2 being PREFETCHWT1 m8 on Xeon Phi only) – third party testing[111] indicates that some or all of these opcodes may be performing prefetch on at least some Intel Core CPUs. /wiki/3DNow! ↩
All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated. ↩
The SMAP, PKU and RDPID instruction set extensions are supported on stepping 2[112] and later of Zhaoxin LuJiaZui, but not on earlier steppings. ↩
All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated. ↩
The SMAP, PKU and RDPID instruction set extensions are supported on stepping 2[112] and later of Zhaoxin LuJiaZui, but not on earlier steppings. ↩
The "core ID" value read by RDTSCP and RDPID is actually the TSC_AUX MSR (MSR C000_0103h). Whether this value actually corresponds to a processor ID is a matter of operating system convention. ↩
Unlike the older RDTSCP instruction which can also be used to read the processor ID, user-mode RDPID is not disabled by CR4.TSD=1. /wiki/Control_register#CR4 ↩
The SMAP, PKU and RDPID instruction set extensions are supported on stepping 2[112] and later of Zhaoxin LuJiaZui, but not on earlier steppings. ↩
For MOVDIR64, the destination address given by ES:reg must be 64-byte aligned.The operand size for the register argument is given by the address size, which may be overridden by the 67h prefix.The 64-byte memory source argument does not need to be 64-byte aligned, and is not guaranteed to be read atomically. ↩
The WBNOINVD instruction will execute as WBINVD if run on a system that doesn't support the WBNOINVD extension.WBINVD differs from WBNOINVD in that WBINVD will invalidate all cache lines after writeback. ↩
In initial implementations, the PREFETCHIT0 and PREFETCHIT1 instructions will perform code prefetch only when using the RIP-relative addressing mode and act as NOPs otherwise.The PREFETCHI instructions are hint instructions only - if an attempt is made to prefetch an invalid address, the instructions will act as NOPs with no exceptions generated. On processors that support Long-NOP but do not support the PREFETCHI instructions, these instructions will always act as NOPs. ↩
In initial implementations, the PREFETCHIT0 and PREFETCHIT1 instructions will perform code prefetch only when using the RIP-relative addressing mode and act as NOPs otherwise.The PREFETCHI instructions are hint instructions only - if an attempt is made to prefetch an invalid address, the instructions will act as NOPs with no exceptions generated. On processors that support Long-NOP but do not support the PREFETCHI instructions, these instructions will always act as NOPs. ↩
The branch hint mnemonics HWNT and HST are listed in early Willamette documentation only[113] - later Intel documentation lists the branch hint prefixes without assigning them a mnemonic.[114]Intel XED uses the mnemonics hint-taken and hint-not-taken for these branch hints.[115] /wiki/Pentium_4#Willamette ↩
The 2E and 3E prefixes are interpreted as branch hints only when used with the Jcc conditional branch instructions (opcodes 70..7F and 0F 80..8F) - when used with other opcodes, they may take other meanings (e.g. for instructions with memory operands outside 64-bit mode, they will work as segment-override prefixes CS: and DS:, respectively). On processors that don't support branch hints, these prefixes are accepted but ignored when used with Jcc. ↩
Branch hints are supported on all NetBurst (Pentium 4 family) processors - but not supported on any other known processor prior to their re-introduction in "Redwood Cove" CPUs, starting with "Meteor Lake" in 2023. /wiki/NetBurst ↩
Intel, Intel 64 and IA-32 Architectures Optimization Reference Manual: Volume 1, order no. 248966-050US, April 2024, chapter 2.1.1.1, page 46. Archived on 25 Jan 2025. https://cdrdv2-public.intel.com/814198/248966-Optimization-Reference-Manual-V1-050.pdf ↩
The branch hint mnemonics HWNT and HST are listed in early Willamette documentation only[113] - later Intel documentation lists the branch hint prefixes without assigning them a mnemonic.[114]Intel XED uses the mnemonics hint-taken and hint-not-taken for these branch hints.[115] /wiki/Pentium_4#Willamette ↩
The 2E and 3E prefixes are interpreted as branch hints only when used with the Jcc conditional branch instructions (opcodes 70..7F and 0F 80..8F) - when used with other opcodes, they may take other meanings (e.g. for instructions with memory operands outside 64-bit mode, they will work as segment-override prefixes CS: and DS:, respectively). On processors that don't support branch hints, these prefixes are accepted but ignored when used with Jcc. ↩
The leaf functions defined for ENCLS (selected by EAX) are: EAXFunction0 (ECREATE)Create an enclave1 (EADD)Add a page2 (EINIT)Initialize an enclave3 (EREMOVE)Remove a page from EPC (Enclave Page Cache)4 (EDBGRD)Read data by debugger5 (EDBGWR)Write data by debugger6 (EEXTEND)Extend EPC page measurement7 (ELDB)Load an EPC page as blocked8 (ELDU)Load an EPC page as unblocked9 (EBLOCK)Block an EPC pageA (EPA)Add version arrayB (EWB)Writeback/invalidate EPC pageC (ETRACK)Activate EBLOCK checksAdded with SGX2D (EAUG)Add page to initialized enclaveE (EMODPTR)Restrict permissions of EPC pageF (EMODT)Change type of EPC pageAdded with OVERSUB[117]10 (ERDINFO)Read EPC page type/status info11 (ETRACKC)Activate EBLOCK checks12 (ELDBC)Load EPC page as blocked with enhanced error reporting13 (ELDUC)Load EPC page as unblocked with enhanced error reportingOther18 (EUPDATESVN)Update SVN (Security Version Number) after live microcode update[118] Any unsupported value in EAX causes a #GP exception. ↩
SGX is deprecated on desktop/laptop processors from 11th generation (Rocket Lake, Tiger Lake) onwards,[119] but continues to be available on Xeon-branded server parts. /wiki/Rocket_Lake ↩
Intel, Which Platforms Support Intel® Software Guard Extensions (Intel® SGX) SGX2? Archived on 5 May 2022. https://www.intel.com/content/www/us/en/support/articles/000058764/software/intel-security-products.html ↩
Intel, Intel® Software Guard Extensions (Intel® SGX) Architecture for Oversubscription of Secure Memory in a Virtualized Environment, 25 Jun 2017. Archived on 31 Mar 2023. https://cdrdv2-public.intel.com/671471/sgx-oversubscription.pdf ↩
The leaf functions defined for ENCLU (selected by EAX) are: EAXFunction0 (EREPORT)Create a cryptographic report1 (EGETKEY)Create a cryptographic key2 (EENTER)Enter an Enclave3 (ERESUME)Re-enter an Enclave4 (EEXIT)Exit an EnclaveAdded with SGX25 (EACCEPT)Accept changes to EPC page6 (EMODPE)Extend EPC page permissions7 (EACCEPTCOPY)Initialize pending pageAdded with TDX[121]8 (EVERIFYREPORT2)Verify a cryptographic report of a trust domainAdded with AEX-Notify[122]9 (EDECCSSA)Decrement TCS.CSSAAdded with 256BITSGX[123]A (EREPORT2)Create a cryptographic report that contains SHA384 measurementsB (EGETKEY256)Create a 256-bit cryptographic key Any unsupported value in EAX causes a #GP exception.The EENTER and ERESUME functions cannot be executed inside an SGX enclave – the other functions can only be executed inside an enclave. ↩
ENCLU can only be executed in ring 3, not rings 0/1/2. ↩
The leaf functions defined for ENCLV (selected by EAX) are: EAXFunctionAdded with OVERSUB[117]0 (EDECVIRTCHILD)Decrement VIRTCHILDCNT in SECS1 (EINCVIRTCHILD)Increment VIRTCHILDCNT in SECS2 (ESETCONTEXT)Set ENCLAVECONTEXT field in SECS Any unsupported value in EAX causes a #GP exception.The ENCLV instruction is only present on systems that support the EPC Oversubscription Extensions to SGX ("OVERSUB"). ↩
ENCLV is only available if Intel VMX operation is enabled with VMXON, and will produce #UD otherwise. ↩
For PTWRITE, the write to the Processor Trace Packet will only happen if a set of enable-bits (the "TriggerEn", "ContextEn", "FilterEn" bits of the RTIT_STATUS MSR and the "PTWEn" bit of the RTIT_CTL MSR) are all set to 1.The PTWRITE instruction is indicated in the SDM to cause an #UD exception if the 66h instruction prefix is used, regardless of other prefixes. ↩
The leaf functions defined for PCONFIG (selected by EAX) are: EAXFunction0MKTME_KEY_PROGRAM:Program key and encryption mode to use with an TME-MK Key ID.Added with TSE1TSE_KEY_PROGRAM:Direct key programming for TSE.2TSE_KEY_PROGRAM_WRAPPED:Wrapped key programming for TSE. Any unsupported value in EAX causes a #GP(0) exception. ↩
For CLDEMOTE, the cache level that it will demote a cache line to is implementation-dependent.Since the instruction is considered a hint, it will execute as a NOP without any exceptions if the provided memory address is invalid or not in the L1 cache. It may also execute as a NOP under other implementation-dependent circumstances as well.On systems that do not support the CLDEMOTE extension, it executes as a NOP. ↩
Intel documentation lists Tremont and Alder Lake as the processors in which CLDEMOTE was introduced. However, as of May 2022, no Tremont or Alder Lake models have been observed to have the CPUID feature bit for CLDEMOTE set, while several of them have the CPUID bit cleared.[124]As of April 2023, the CPUID feature bit for CLDEMOTE has been observed to be set for Sapphire Rapids.[125] ↩
For UMONITOR, the operand size of the address argument is given by the address size, which may be overridden by the 67h prefix. The default segment used is DS:, which can be overridden with a segment prefix. ↩
For the UMWAIT and TPAUSE instructions, the operating system can use the IA32_UMWAIT_CONTROL MSR to limit the maximum amount of time that a single UMWAIT/TPAUSE invocation is permitted to wait. The UMWAIT and TPAUSE instructions will set RFLAGS.CF to 1 if they reached the IA32_UMWAIT_CONTROL-defined time limit and 0 otherwise. ↩
TPAUSE and UMWAIT can be run outside Ring 0 only if CR4.TSD=0. /wiki/Control_register#CR4 ↩
For the UMWAIT and TPAUSE instructions, the operating system can use the IA32_UMWAIT_CONTROL MSR to limit the maximum amount of time that a single UMWAIT/TPAUSE invocation is permitted to wait. The UMWAIT and TPAUSE instructions will set RFLAGS.CF to 1 if they reached the IA32_UMWAIT_CONTROL-defined time limit and 0 otherwise. ↩
For the register argument to the UMWAIT and TPAUSE instructions, the following flag bits are supported: BitsUsage0Preferred optimization state.0 = C0.2 (slower wakeup, improves performance of other SMT threads on same core)1 = C0.1 (faster wakeup)31:1(Reserved) ↩
While serialization can be performed with older instructions such as e.g. CPUID and IRET, these instructions perform additional functions, causing side-effects and reduced performance when stand-alone instruction serialization is needed. (CPUID additionally has the issue that it causes a mandatory #VMEXIT when executed under virtualization, which causes a very large overhead.) The SERIALIZE instruction performs serialization only, avoiding these added costs. ↩
A bitmap of CPU history components that can be reset through HRESET is provided by CPUID.(EAX=20h,ECX=0):EBX.As of July 2023, the following bits are defined: BitUsage0Intel Thread Director history31:1(Reserved) ↩
The register argument to SENDUIPI is an index to pick an entry from the UITT (User-Interrupt Target Table, a table specified by the new UINTR_TT and UINT_MISC MSRs.) /wiki/Model-specific_register ↩
On Sapphire Rapids processors, the UIRET instruction always sets UIF (User Interrupt Flag) to 1. On Sierra Forest and later processors, UIRET will set UIF to the value of bit 1 of the value popped off the stack for RFLAGS - this functionality is indicated by CPUID.(EAX=7,ECX=1):EDX[17]. /wiki/Sapphire_Rapids_(microprocessor) ↩
Intel, Intel Data Streaming Accelerator Architecture Specification, order no. 341204-004, Sep 2022, pages 13 and 23. Archived on 20 Jul 2023. https://cdrdv2-public.intel.com/671116/341204-intel-data-streaming-accelerator-spec.pdf ↩
For ENQCMD and EMQCMDS, the operand-size of the register argument is given by the current address-size, which can be overridden with the 67h prefix. ↩
For the RDMSRLIST and WRMSRLIST instructions, the addresses specified in the RSI and RDI registers must be 8-byte aligned. ↩
For the RDMSRLIST and WRMSRLIST instructions, the addresses specified in the RSI and RDI registers must be 8-byte aligned. ↩
The condition codes supported for the CMPccXADD instructions (opcode VEX.128.66.0F38 Ex /r with the x nibble specifying the condition) are: xccCondition (EFLAGS)0OOF=1: "Overflow"1NOOF=0: "Not Overflow"2BCF=1: "Below"3NBCF=0: "Not Below"4ZZF=1: "Zero"5NZZF=0: "Not Zero"6BE(CF=1 or ZF=1): "Below or Equal"7NBE(CF=0 and ZF=0): "Not Below or Equal"8SSF=1: "Sign"9NSSF=0: "Not Sign"APPF=1: "Parity"BNPPF=0: "Not Parity"CLSF≠OF: "Less"DNLSF=OF: "Not Less"ELE(ZF=1 or SF≠OF): "Less or Equal"FNLE(ZF=0 and SF=OF): "Not Less or Equal" /wiki/FLAGS_register ↩
Even though the CMPccXADD instructions perform a locked memory operation, they do not require or accept the LOCK (F0h) prefix - attempting to use this prefix results in #UD. ↩
The standard way to access the CR8 register is to use an encoding that makes use of the REX.R prefix, e.g. 44 0F 20 07 (MOV RDI,CR8). However, the REX.R prefix is only available in 64-bit mode.The AltMovCr8 extension adds an additional method to access CR8, using the F0 (LOCK) prefix instead of REX.R – this provides access to CR8 outside 64-bit mode. ↩
Like other variants of MOV to/from the CRx registers, the AltMovCr8 encodings ignore the top 2 bits of the instruction's ModR/M byte, and always execute as if these two bits are set to 11b.The AltMovCr8 encodings are available in 64-bit mode. However, combining the LOCK prefix with the REX.R prefix is not permitted and will cause an #UD exception. ↩
Support for AltMovCR8 was added in stepping F of the AMD K8, and is not available on earlier steppings. ↩
Like other variants of MOV to/from the CRx registers, the AltMovCr8 encodings ignore the top 2 bits of the instruction's ModR/M byte, and always execute as if these two bits are set to 11b.The AltMovCr8 encodings are available in 64-bit mode. However, combining the LOCK prefix with the REX.R prefix is not permitted and will cause an #UD exception. ↩
For CLZERO, the address size and 67h prefix control whether to use AX, EAX or RAX as address. The default segment DS: can be overridden by a segment-override prefix. The provided address does not need to be aligned – hardware will align it as necessary.The CLZERO instruction is intended for recovery from otherwise-fatal Machine Check errors. It is non-cacheable, cannot be used to allocate a cache line without a memory access, and should not be used for fast memory clears.[127] ↩
The register numbering used by RDPRU does not necessarily match that of RDMSR/WRMSR.The registers supported by RDPRU as of December 2022 are: ECXRegister0MPERF (MSR 0E7h: Maximum Performance Frequency Clock Count)1APERF (MSR 0E8h: Actual Performance Frequency Clock Count) Unsupported values in ECX return 0. ↩
If CR4.TSD=1, then the RDPRU instruction can only run in ring 0. /wiki/Control_register#CR4 ↩
x87 coprocessors (other than the 8087) handle exceptions in a fairly unusual way. When an x87 instruction generates an unmasked arithmetic exception, it will still complete without causing a CPU fault – instead of causing a fault, it will record within the coprocessor information needed to handle the exception (instruction pointer, opcode, data pointer if the instruction had a memory operand) and set FPU status-word flag to indicate that a pending exception is present. This pending exception will then cause a CPU fault when the next x87, MMX or WAIT instruction is executed.The exception to this is x87's "Non-Waiting" instructions, which will execute without causing such a fault even if a pending exception is present (with some caveats, see application note AP-578[128]). These instructions are mostly control instructions that can inspect and/or modify the pending-exception state of the x87 FPU. ↩
For each non-waiting x87 instruction whose mnemonic begins with FN, there exists a pseudo-instruction that has the same mnemonic except without the N. These pseudo-instructions consist of a WAIT instruction (opcode 9B) followed by the corresponding non-waiting x87 instruction. For example:FNCLEX is an instruction with the opcode DB E2. The corresponding pseudo-instruction FCLEX is then encoded as 9B DB E2.FNSAVE ES:[BX+6] is an instruction with the opcode 26 DD 77 06. The corresponding pseudo-instruction FSAVE ES:[BX+6] is then encoded as 9B 26 DD 77 06These pseudo-instructions are commonly recognized by x86 assemblers and disassemblers and treated as single instructions, even though all x86 CPUs with x87 coprocessors execute them as a sequence of two instructions. ↩
F(N)STSW with the AX register as a destination is available on 80287 and later, but not on the 8087. ↩
On 80387 and later x87 FPUs, FLDENV, F(N)STENV, FRSTOR and F(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D bit and the presence of the 66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.64-bit variants of these instructions do not exist – using REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64/FXRSTOR64 instead if 64-bit operation is desired. ↩
On 80387 and later x87 FPUs, FLDENV, F(N)STENV, FRSTOR and F(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D bit and the presence of the 66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.64-bit variants of these instructions do not exist – using REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64/FXRSTOR64 instead if 64-bit operation is desired. ↩
On 80387 and later x87 FPUs, FLDENV, F(N)STENV, FRSTOR and F(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D bit and the presence of the 66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.64-bit variants of these instructions do not exist – using REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64/FXRSTOR64 instead if 64-bit operation is desired. ↩
On 80387 and later x87 FPUs, FLDENV, F(N)STENV, FRSTOR and F(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D bit and the presence of the 66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.64-bit variants of these instructions do not exist – using REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64/FXRSTOR64 instead if 64-bit operation is desired. ↩
In the case of an x87 instruction producing an unmasked FPU exception, the 8087 FPU will signal an IRQ some indeterminate time after the instruction was issued. This may not always be possible to handle,[129] and so the FPU offers the F(N)DISI and F(N)ENI instructions to set/clear the Interrupt Mask bit (bit 7) of the x87 Control Word,[130] to control the interrupt.Later x87 FPUs, from 80287 onwards, changed the FPU exception mechanism to instead produce a CPU exception on the next x87 instruction. This made the Interrupt Mask bit unnecessary, so it was removed.[131] In later Intel x87 FPUs, the F(N)ENI and F(N)DISI instructions were kept for backwards compatibility, executing as NOPs that do not modify any x87 state. /wiki/Interrupt_Request ↩
In the case of an x87 instruction producing an unmasked FPU exception, the 8087 FPU will signal an IRQ some indeterminate time after the instruction was issued. This may not always be possible to handle,[129] and so the FPU offers the F(N)DISI and F(N)ENI instructions to set/clear the Interrupt Mask bit (bit 7) of the x87 Control Word,[130] to control the interrupt.Later x87 FPUs, from 80287 onwards, changed the FPU exception mechanism to instead produce a CPU exception on the next x87 instruction. This made the Interrupt Mask bit unnecessary, so it was removed.[131] In later Intel x87 FPUs, the F(N)ENI and F(N)DISI instructions were kept for backwards compatibility, executing as NOPs that do not modify any x87 state. /wiki/Interrupt_Request ↩
FST/FSTP with an 80-bit destination (m80 or st(i)) and an sNaN source value is documented to produce exceptions on AMD but not Intel FPUs. ↩
FST/FSTP with an 80-bit destination (m80 or st(i)) and an sNaN source value is documented to produce exceptions on AMD but not Intel FPUs. ↩
FST/FSTP with an 80-bit destination (m80 or st(i)) and an sNaN source value is documented to produce exceptions on AMD but not Intel FPUs. ↩
FSTP ST(0) is a commonly used idiom for popping a single register off the x87 register stack. ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
On the 8087 and 80287, FBSTP and the load-constant instructions always use the round-to-nearest rounding mode. On the 80387 and later x87 FPUs, these instructions will use the rounding mode specified in the x87 RC register. ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
On Intel Pentium and later processors, FXCH is implemented as a register renaming rather than a true data move. This has no semantic effect, but enables zero-cycle-latency operation. It also allows the instruction to break data dependencies for the x87 top-of-stack value, improving attainable performance for code optimized for these processors. ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
The result of executing the FBLD instruction on non-BCD data is undefined. ↩
On the 8087 and 80287, FBSTP and the load-constant instructions always use the round-to-nearest rounding mode. On the 80387 and later x87 FPUs, these instructions will use the rounding mode specified in the x87 RC register. ↩
On early Intel Pentium processors, floating-point divide was subject to the Pentium FDIV bug. This also affected instructions that perform divide as part of their operations, such as FPREM and FPATAN.[137] /wiki/Pentium_(original) ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
The FXAM instruction will set C0, C2 and C3 based on value type in st(0) as follows: C3C2C0Classification000Unsupported (unnormal or pseudo-NaN)001NaN010Normal finite number011Infinity100Zero101Empty110Denormal number111Empty (may occur on 8087/80287 only) C1 is set to the sign-bit of st(0), regardless of whether st(0) is Empty or not. /wiki/NaN ↩
For FXTRACT, the behavior that results from st(0) being zero or ±∞, differs between 8087 and 80387: If st(0) is ±0, then on 8087/80287, E and M are both set equal to st(0) with no exception reported — on 80387 and later, M is set equal to st(0), E is set to -∞, and a zero-divide exception is raised. If st(0) is ±∞, then on 8087/80287, an invalid-operation exception is raised and both M and E are set to NaN — on 80387 and later, M is set equal to st(0) and E is set to +∞ with no exception reported.[138] ↩
For FPREM, if the quotient Q is larger than 2 63 {\displaystyle 2^{63}} , then the remainder calculation may have been done only partially – in this case, the FPREM instruction will need to be run again in order to complete the remainder calculation. This is indicated by the instruction setting C2 to 1.If the instruction did complete the remainder calculation, it will set C2 to 0 and set the three bits {C0,C3,C1} to the bottom three bits of the quotient Q.On 80387 and later, if the instruction didn't complete the remainder calculation, then the computed remainder Q used for argument reduction will have been rounded to a multiple of 8 (or larger power-of-2), so that the bottom 3 bits of the quotient can still be correctly retrieved in a later pass that does complete the remainder calculation. ↩
The remainder computation done by the FPREM instruction is always exact with no roundoff errors. ↩
For the FSCALE instruction on 8087 and 80287, st(1) is required to be in the range − 2 15 ≤ s t ( 1 ) < 2 15 {\displaystyle -2^{15}\leq st(1)<2^{15}} . Also, its absolute value must be either 0 or at least 1. If these requirements are not satisfied, the result is undefined.These restrictions were removed in the 80387. ↩
For FSCALE, rounding is only applied in the case of overflow, underflow or subnormal result. ↩
The x87 transcendental instructions do not obey PC or RC, but instead compute full 80-bit results. These results are not necessarily correctly rounded (see Table-maker's dilemma) – they may have an error of up to ±1 ulp on Pentium or later, or up to ±1.5 ulps on earlier x87 coprocessors. /wiki/Table-maker%27s_dilemma ↩
For the FYL2X and FYL2XP1 instructions, the maximum error bound of ±1 ulp only holds for st(1)=1.0 – for other values of st(1), the error bound is increased to ±1.35 ulps.FYL2X can produce a #Z (divide-by-zero exception) if st(0)=0 and st(1) is a finite nonzero value. FYL2XP1, however, cannot produce #Z. ↩
For FPATAN, the following adjustments are done as compared to just computing a one-argument arctangent of the ratio s t ( 1 ) s t ( 0 ) {\displaystyle {\frac {st(1)}{st(0)}}} :If both st(0) and st(1) are ±∞, then the arctangent is computed as if each of st(0) and st(1) had been replaced with ±1 of the same sign. This produces a result that is an odd multiple of π 4 {\displaystyle {\frac {\pi }{4}}} .If both st(0) and st(1) are ±0, then the arctangent is computed as if st(0) but not st(1) had been replaced with ±1 of the same sign, producing a result of ±0 or ± π {\displaystyle \pm \pi } .If st(0) is negative (has sign bit set), then an addend of ± π {\displaystyle \pm \pi } with the same sign as st(1) is added to the result. ↩
For the FYL2X and FYL2XP1 instructions, the maximum error bound of ±1 ulp only holds for st(1)=1.0 – for other values of st(1), the error bound is increased to ±1.35 ulps.FYL2X can produce a #Z (divide-by-zero exception) if st(0)=0 and st(1) is a finite nonzero value. FYL2XP1, however, cannot produce #Z. ↩
While FNOP is a no-op in the sense that will leave the x87 FPU register stack unmodified, it may still modify FIP and CC, and it may fault if a pending x87 FPU exception is present. ↩
If the top-of-stack register st(0) is Empty, then the FSTPNCE instruction will behave like FINCSTP, incrementing the stack pointer with no data movement and no exceptions reported. ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
Intel x87 alias opcode. Use of this opcode is not recommended.On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087[132] and 80287,[133] but then omitted from later manuals until the October 2017 update of the Intel SDM.[134]They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86[135] and NexGen 586PF.[136] ↩
The x87 FPU needs to know whether it is operating in Real Mode or Protected Mode because the floating-point environment accessed by the F(N)SAVE, FRSTOR, FLDENV and F(N)STENV instructions has different formats in Real Mode and Protected Mode. On 80287, the F(N)SETPM instruction is required to communicate the real-to-protected mode transition to the FPU. On 80387 and later x87 FPUs, real↔protected mode transitions are handled automatically between the CPU and the FPU without the need for any dedicated instructions – therefore, on these FPUs, FNSETPM executes as a NOP that does not modify any FPU state. /wiki/Real_Mode ↩
Not including discontinued instructions specific to particular 80387-compatible FPU models. /wiki/List_of_discontinued_x86_instructions#Instructions_present_in_specific_80387_clones ↩
For the FUCOM and FUCOMP instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
For the FUCOM and FUCOMP instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument. ↩
The 80387 FPREM1 instruction differs from the older FPREM (D9 F8) instruction in that the quotient Q is rounded to integer with round-to-nearest-even rounding rather than the round-to-zero rounding used by FPREM. Like FPREM, FPREM1 always computes an exact result with no roundoff errors. Like FPREM, it may also perform a partial computation if the quotient is too large, in which case it must be run again. ↩
Due to the x87 FPU performing argument reduction for sin/cos with only about 68 bits of precision, the value of k used in the calculation of FSIN, FCOS and FSINCOS is not precisely 1.0, but instead given by[139][140][138] k = 2 66 ∗ π ⌊ 2 66 ∗ π ⌋ ≈ 1.0000000000000000000012874 {\displaystyle k{=}{\frac {2^{66}*\pi }{\lfloor 2^{66}*\pi \rfloor }}\approx 1.0000000000000000000012874} This argument reduction inaccuracy also affects the FPTAN instruction. ↩
If st(0) is finite and its absolute value is 2 63 {\displaystyle 2^{63}} or greater, then the top-of-stack value st(0) is left unmodified and C2 is set, with no exception raised. This applies to the FSIN, FCOS and FSINCOS instructions, as well as FPTAN on 80387 and later.In this case, the FSINCOS and FPTAN instructions will also abstain from pushing a value onto the x87 register-stack. ↩
Due to the x87 FPU performing argument reduction for sin/cos with only about 68 bits of precision, the value of k used in the calculation of FSIN, FCOS and FSINCOS is not precisely 1.0, but instead given by[139][140][138] k = 2 66 ∗ π ⌊ 2 66 ∗ π ⌋ ≈ 1.0000000000000000000012874 {\displaystyle k{=}{\frac {2^{66}*\pi }{\lfloor 2^{66}*\pi \rfloor }}\approx 1.0000000000000000000012874} This argument reduction inaccuracy also affects the FPTAN instruction. ↩
Due to the x87 FPU performing argument reduction for sin/cos with only about 68 bits of precision, the value of k used in the calculation of FSIN, FCOS and FSINCOS is not precisely 1.0, but instead given by[139][140][138] k = 2 66 ∗ π ⌊ 2 66 ∗ π ⌋ ≈ 1.0000000000000000000012874 {\displaystyle k{=}{\frac {2^{66}*\pi }{\lfloor 2^{66}*\pi \rfloor }}\approx 1.0000000000000000000012874} This argument reduction inaccuracy also affects the FPTAN instruction. ↩
The FCOMI, FCOMIP, FUCOMI and FUCOMIP instructions write their results to the ZF, CF and PF bits of the EFLAGS register. On Intel but not AMD processors, the SF, AF and OF bits of EFLAGS are also zeroed out by these instructions. ↩
The FXSAVE and FXRSTOR instructions were added in the "Deschutes" revision of Pentium II, and are not present in earlier "Klamath" revision.They are also present in AMD K7.They are also considered an integral part of SSE and are therefore present in all processors with SSE. ↩
The FXSAVE and FXRSTOR instructions will save/restore SSE state only on processors that support SSE. Otherwise, they will only save/restore x87 and MMX state.The x87 section of the state saved/restored by FXSAVE(64)/FXRSTOR(64) has a completely different layout than the data structure of the older F(N)SAVE/FRSTOR instructions, enabling faster save/restore by avoiding misaligned loads and stores.FXSAVE and FXRSTOR require their memory argument to be 16-byte aligned. ↩
When floating-point emulation is enabled with CR0.EM=1, FXSAVE(64) and FXRSTOR(64) are considered to be x87 instructions and will accordingly produce an #NM (device-not-available) exception. Other than WAIT, these are the only opcodes outside the D8..DF ESC opcode space that exhibit this behavior.Except on Netburst (Pentium 4 family) CPUs, all opcodes in D8..DF will produce #NM if CR0.EM=1, even for undefined opcodes that would produce #UD otherwise. ↩
Unlike the older F(N)SAVE instruction, FXSAVE will not initialize the FPU after saving its state to memory, but instead leave the x87 coprocessor state unmodified. ↩
The FXSAVE64/FXRSTOR64 instruction differ from the FXSAVE/FXRSTOR instructions in that: FXSAVE/FXRSTOR will save/restore FIP and FDP as 32-bit items, and will also save/restore FCS and FDS as 16-bit items. FXSAVE64/FXRSTOR64 will save/restore FIP and FDP as 64-bit items while not saving/restoring FCS and FDS. This difference also applies to the later XSAVE/XRSTOR vs XSAVE64/XRSTOR64 instructions.As a result, saving both FCS/FDS and the top 32 bits of 64-bit FIP/FDP cannot be accomplished with 1 instruction, but instead requires running both (F)XSAVE and (F)XSAVE64. This has been known to cause problems, especially for 64-bit hypervisors running 16/32-bit guests.[141][142] ↩
The FXSAVE and FXRSTOR instructions will save/restore SSE state only on processors that support SSE. Otherwise, they will only save/restore x87 and MMX state.The x87 section of the state saved/restored by FXSAVE(64)/FXRSTOR(64) has a completely different layout than the data structure of the older F(N)SAVE/FRSTOR instructions, enabling faster save/restore by avoiding misaligned loads and stores.FXSAVE and FXRSTOR require their memory argument to be 16-byte aligned. ↩
When floating-point emulation is enabled with CR0.EM=1, FXSAVE(64) and FXRSTOR(64) are considered to be x87 instructions and will accordingly produce an #NM (device-not-available) exception. Other than WAIT, these are the only opcodes outside the D8..DF ESC opcode space that exhibit this behavior.Except on Netburst (Pentium 4 family) CPUs, all opcodes in D8..DF will produce #NM if CR0.EM=1, even for undefined opcodes that would produce #UD otherwise. ↩
The FXSAVE64/FXRSTOR64 instruction differ from the FXSAVE/FXRSTOR instructions in that: FXSAVE/FXRSTOR will save/restore FIP and FDP as 32-bit items, and will also save/restore FCS and FDS as 16-bit items. FXSAVE64/FXRSTOR64 will save/restore FIP and FDP as 64-bit items while not saving/restoring FCS and FDS. This difference also applies to the later XSAVE/XRSTOR vs XSAVE64/XRSTOR64 instructions.As a result, saving both FCS/FDS and the top 32 bits of 64-bit FIP/FDP cannot be accomplished with 1 instruction, but instead requires running both (F)XSAVE and (F)XSAVE64. This has been known to cause problems, especially for 64-bit hypervisors running 16/32-bit guests.[141][142] ↩
Robert Collins, Undocumented OpCodes: AAM. Archived on 21 Feb 2001 http://www.rcollins.org/secrets/opcodes/AAM.html ↩
Retrocomputing StackExchange, 0F1h opcode-prefix on i80286. Archived on 13 Apr 2023. https://retrocomputing.stackexchange.com/questions/12004/0f1h-opcode-prefix-on-i80286 ↩
Frank van Gilluwe, "The Undocumented PC – Second Edition", p. 93-95 ↩
Michal Necasek, Intel 486 Errata?, 6 Dec 2015. Archived on 29 Nov 2023. http://www.os2museum.com/wp/intel-486-errata/ ↩
Robert Hummel, "PC Magazine Programmer's Technical Reference" (ISBN 1-56276-016-5) p.728 /wiki/ISBN_(identifier) ↩
Frank van Gilluwe, "The Undocumented PC – Second Edition", p. 93-95 ↩
Raúl Gutiérrez Sanz, Undocumented 8086 Opcodes, Part I, 27 Dec 2017. Archived on 29 Nov 2023. http://www.os2museum.com/wp/undocumented-8086-opcodes-part-i/ ↩
"Asm, opcode 82h". 24 Dec 1998. Archived from the original on 14 Apr 2023. http://computer-programming-forum.com/46-asm/143edbd28ae1a091.htm ↩
"Asm, opcode 82h". 24 Dec 1998. Archived from the original on 14 Apr 2023. http://computer-programming-forum.com/46-asm/143edbd28ae1a091.htm ↩
Intel Corporation 2022, p. 3698. - Intel Corporation (April 2022). "Intel 64 and IA-32 Architectures Software Developer's Manual, Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D and 4". Intel. Retrieved 21 June 2022. https://cdrdv2.intel.com/v1/dl/getContent/671200 ↩
Intel, The 8086 Family User's Manual, October 1979, opcodes omitted on pages 4-25 and 4-31 http://bitsavers.org/components/intel/8086/9800722-03_The_8086_Family_Users_Manual_Oct79.pdf ↩
Retrocomputing StackExchange, Undocumented instructions in x86 CPU prior to 80386?, 4 Jun 2021. Archived on 18 Jul 2023. https://retrocomputing.stackexchange.com/questions/20031/undocumented-instructions-in-x86-cpu-prior-to-80386 ↩
Daniel B. Sedory, An Examination of the Standard MBR, 2000. Archived on 6 Oct 2023. https://thestarman.pcministry.com/asm/mbr/STDMBR.htm#REP ↩
AMD, Software Optimization Guide for AMD64 Processors (publication 25112, revision 3.06, sep 2005), section 6.2, p.128 https://www.amd.com/system/files/TechDocs/25112.PDF ↩
GCC bugzilla, Bug 48227 – "rep ret" generated for -march=core2. Archived on 9 Apr 2023. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48227 ↩
Raymond Chen, My, what strange NOPs you have!, 12 Jan 2011. Archived on 20 May 2023. https://devblogs.microsoft.com/oldnewthing/20110112-00/?p=11773 ↩
Jeff Parsons, Intel 80386 CPU information (B1 errata section, item #7). Archived on 13 Nov 2023. https://www.pcjs.org/documents/manuals/intel/80386/#b1-errata ↩
Intel Community: Multibyte NOP Made Official. Archived on 7 Apr 2022. https://community.intel.com/t5/Software-Archive/Multi-byte-NOP-opcode-made-official/td-p/932580 ↩
Intel Software Developers Manual, volume 2B (Jan 2006, order no 235667-018, does not have long NOP) https://kib.kiev.ua/x86docs/Intel/SDMs/253667-018.pdf ↩
Intel Software Developers Manual, volume 2B (March 2006, order no 235667-019, has long NOP) https://kib.kiev.ua/x86docs/Intel/SDMs/253667-019.pdf ↩
Agner Fog, Instruction Tables, AMD K7 section. https://www.agner.org/optimize/instruction_tables.pdf ↩
"579838 – glibc not compatible with AMD Geode LX". Archived from the original on 30 Jul 2023. https://web.archive.org/web/20230730214505/https://bugzilla.redhat.com/show_bug.cgi?id=579838#c46 ↩
Intel Software Developers Manual, volume 2B (April 2005, order no 235667-015, does not list 0F0D-nop) https://kib.kiev.ua/x86docs/Intel/SDMs/253667-015.pdf ↩
Intel Software Developers Manual, volume 2B (June 2005, order no 235667-016, lists 0F0D-nop in opcode table but not under NOP instruction description.) https://kib.kiev.ua/x86docs/Intel/SDMs/253667-016.pdf ↩
Catherine Easdon, Undocumented CPU Behaviour on x86 and RISC-V Microarchitectures: A Security Perspective, 10 May 2019, page 39 https://www.cattius.com/images/thesis-unsigned.pdf ↩
Intel Software Developers Manual, volume 2B (order no. 253667-060, September 2016) does not list UD0 and UD1. https://kib.kiev.ua/x86docs/Intel/SDMs/253667-060.pdf ↩
Intel, Software Developer's Manual, vol 2B, order no. 253667-061, dec 2016 – lists UD1 (with ModR/M byte) and UD0 (without ModR/M byte) on page 4-687. https://kib.kiev.ua/x86docs/Intel/SDMs/253667-061.pdf ↩
"PCJS : pcjs/x86op0F.js (two-byte x86 opcode handlers), lines 1647–1651". GitHub. 17 April 2022. Archived from the original on 13 Apr 2023. https://web.archive.org/web/20230413012542/https://github.com/jeffpar/pcjs/blob/e565ffa65d8ee5d600ec04e62c6651dabb4894cb/machines/pcx86/lib/x86op0f.js#L1647 ↩
"80486 paging protection faults? \ VOGONS". Archived from the original on 9 April 2022. https://www.vogons.org/viewtopic.php?t=62949 ↩
"Invalid opcode handling \ VOGONS". Archived from the original on 9 April 2022. https://www.vogons.org/viewtopic.php?t=13379 ↩
"Invalid instructions cause exit even if Int 6 is hooked \ VOGONS". Archived from the original on 9 April 2022. https://www.vogons.org/viewtopic.php?t=21418 ↩
"Tutorial – Calling Win32 from DOS". Ragestorm. 17 Sep 2005. Archived from the original on 9 April 2022. https://www.ragestorm.net/tutorial?id=27 ↩
"Accessing Windows device drivers from DOS programs". Archived from the original on 8 Nov 2011. https://web.archive.org/web/20111108011230/https://sta.c64.org/blog/dosvddaccess.html ↩
"8086 microcode disassembled". Reenigne blog. 2020-09-03. Archived from the original on 8 Dec 2023. Retrieved 2022-07-26. Using the REP or REPNE prefix with a MUL or IMUL instruction negates the product. Using the REP or REPNE prefix with an IDIV instruction negates the quotient. https://www.reenigne.org/blog/8086-microcode-disassembled/ ↩
"8086 microcode disassembled". Reenigne blog. 2020-09-03. Archived from the original on 8 Dec 2023. Retrieved 2022-07-26. Using the REP or REPNE prefix with a MUL or IMUL instruction negates the product. Using the REP or REPNE prefix with an IDIV instruction negates the quotient. https://www.reenigne.org/blog/8086-microcode-disassembled/ ↩
"Re: Undocumented opcodes (HINT_NOP)". Archived from the original on 2004-11-06. Retrieved 2010-11-07. https://web.archive.org/web/20041106070621/http://www.sandpile.org/post/msgs/20004129.htm ↩
"Re: Also some undocumented 0Fh opcodes". Archived from the original on 2003-06-26. Retrieved 2010-11-07. https://web.archive.org/web/20030626044017/http://www.sandpile.org/post/msgs/20003986.htm ↩
Intel's RCCE library for the SCC used opcode 0F 0A for SCC's message invalidation instruction. https://web.archive.org/web/20220424231054/https://github.com/Intel-SCC/RCCE/blob/master/src/RCCE_admin.c#L87 ↩
Intel Labs, SCC External Architecture Specification (EAS), Revision 0.94, p.29. Archived on May 22, 2022. https://www.intel.com/content/dam/www/public/us/en/documents/technology-briefs/intel-labs-single-chip-cloud-architecture-brief.pdf ↩
"Undocumented x86 instructions to control the CPU at the microarchitecture level in modern Intel processors" (PDF). 9 July 2021. https://raw.githubusercontent.com/chip-red-pill/udbgInstr/main/paper/undocumented_x86_insts_for_uarch_control.pdf ↩
Robert R. Collins, Undocumented OpCodes: UMOV. Archived on Feb 21, 2001. http://www.rcollins.org/secrets/opcodes/UMOV.html ↩
Herbert Oppmann, NXOP (Opcode 0Fh 55h) https://www.memotech.franken.de/NexGen/Opcode0F55.html ↩
Herbert Oppmann, NexGen Nx586 Hypercode Source, see COMMON.INC. Archived on 9 Apr 2023. https://www.memotech.franken.de/NexGen/Source/index.html ↩
Herbert Oppmann, Inside the NexGen Nx586 System BIOS. Archived on 29 Dec 2023. https://www.memotech.franken.de/NexGen/Bios.html ↩
Intel, XuCode: An Innovative Technology for Implementing Complex Instruction Flows, May 6, 2021. Archived on Jul 19, 2022. https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/xucode-implementing-complex-instruction-flows.html ↩
Grzegorz Mazur, AMD 3DNow! undocumented instructions https://web.archive.org/web/20000121143428/http://x86.ddj.com/articles/3dnow/amd_3dnow.htm ↩
"Undocumented 3DNow! Instructions". grafi.ii.pw.edu.pl. Archived from the original on 30 January 2003. Retrieved 22 February 2022. https://web.archive.org/web/20030130030723/http://grafi.ii.pw.edu.pl/gbm/x86/3dundoc.html ↩
Potemkin's Hacker Group's OPCODE.LST, v4.51, 15 Oct 1999. Archived on 21 May 2001. http://phg.chat.ru/opcode.txt ↩
"[UCA CPU Analysis] Prototype UMC Green CPU U5S-SUPER33". 25 May 2020. Archived from the original on 9 Jun 2023. https://x86.fr/uca-cpu-analysis-prototype-umc-green-cpu-u5s-super33 ↩
Agner Fog, The Microarchitecture of Intel, AMD and VIA CPUs, section 3.4 "Branch Prediction in P4 and P4E". Archived on 7 Jan 2024. https://www.agner.org/optimize/microarchitecture.pdf ↩
Reddit /r/Amd discussion thread: Ryzen has undocumented support for FMA4 https://www.reddit.com/r/Amd/comments/68s4bj/ryzen_has_undocumented_support_for_fma4/dh0y353/ ↩
Christopher Domas, Breaking the x86 ISA, 27 July 2017. Archived on 27 Dec 2023. https://raw.githubusercontent.com/xoreaxeaxeax/sandsifter/dff63246fed84d90118441b8ba5b5d3bdd094427/references/domas_breaking_the_x86_isa_wp.pdf ↩
Xixing Li et al, UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching, 9 Oct 2019. Archived on 27 Dec 2023. https://ieeexplore.ieee.org/abstract/document/8863327 ↩
"Undocumented 3DNow! Instructions". grafi.ii.pw.edu.pl. Archived from the original on 30 January 2003. Retrieved 22 February 2022. https://web.archive.org/web/20030130030723/http://grafi.ii.pw.edu.pl/gbm/x86/3dundoc.html ↩
Microprocessor Report, MediaGX Targets Low-Cost PCs (vol 11, no. 3, mar 10, 1997). Archived on 6 Jun 2022. http://www.cecs.uci.edu/~papers/mpr/MPR/ARTICLES/110301.PDF ↩
"Welcome to the OpenSSL Project". GitHub. 21 April 2022. Archived from the original on 4 Jan 2022. https://github.com/openssl/openssl/blob/1aa89a7a3afb053d0c0b7fad8d3ea1b0a5447289/engines/asm/e_padlock-x86.pl#L597 ↩
https://lkml.iu.edu/2308.0/02183.html https://lkml.iu.edu/2308.0/02183.html ↩
Kary Jin, PATCH: Update PadLock engine for VIA C7 and Nano CPUs, openssl-dev mailing list, 10 Jun 2011. Archived on 11 Feb 2022. https://marc.info/?l=openssl-dev&m=130767391615291&w=2 ↩
Christopher Domas, Breaking the x86 ISA, 27 July 2017. Archived on 27 Dec 2023. https://raw.githubusercontent.com/xoreaxeaxeax/sandsifter/dff63246fed84d90118441b8ba5b5d3bdd094427/references/domas_breaking_the_x86_isa_wp.pdf ↩
Xixing Li et al, UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching, 9 Oct 2019. Archived on 27 Dec 2023. https://ieeexplore.ieee.org/abstract/document/8863327 ↩
https://gitee.com/openeuler/kernel/pulls/85 https://gitee.com/openeuler/kernel/pulls/85 ↩
USPTO/Zhaoxin, Patent application US2023/006718: Processor with a hash cryptographic algorithm and data processing thereof, pages 13 and 45, Mar 2, 2023. Archived on Sep 12, 2023. https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20230066718 ↩
https://lwn.net/Articles/950884/ https://lwn.net/Articles/950884/ ↩
InstLatx64, CPUID dump for Zhaoxin KaiXian KX-6000G – has the SM2 and xmodx feature bits set (CPUID leaf C0000001:EDX:bits 0 and 29). Archived on Jul 25, 2023. http://users.atw.hu/instlatx64/CentaurHauls/CentaurHauls00307B2_KX6000_01_CPUID.txt ↩
OpenEuler kernel pull request 2602: x86/delay: add support for Zhaoxin ZXPAUSE instruction. Gitee. 26 Oct 2023. Archived on 22 Jan 2024. https://gitee.com/openeuler/kernel/pulls/2602/files ↩
https://gitee.com/openeuler/kernel/pulls/85 https://gitee.com/openeuler/kernel/pulls/85 ↩
InstLatx64, CPUID dump for Zhaoxin KaiXian KX-6000G – has the SM2 and xmodx feature bits set (CPUID leaf C0000001:EDX:bits 0 and 29). Archived on Jul 25, 2023. http://users.atw.hu/instlatx64/CentaurHauls/CentaurHauls00307B2_KX6000_01_CPUID.txt ↩
Intel 80286 and 80287 Programmers Reference Manual, 1987 (order no. 210498-005), p. 485 http://bitsavers.trailing-edge.com/components/intel/80286/210498-005_80286_and_80287_Programmers_Reference_Manual_1987.pdf ↩
ISA datafile for Intel XED (April 17, 2022), lines 916-944 https://github.com/intelxed/xed/blob/ef19f00de14a9c2c253c1c9b1119e1617280e3f2/datafiles/xed-isa.txt#L916 ↩
Cyrix 6x86 processor data book, page 6-34 https://www.ardent-tool.com/CPU/docs/Cyrix/6x86/94175.pdf ↩
AMD Geode LX Processors Data Book, publication 33234H, p.670 https://www.amd.com/system/files/TechDocs/33234H_LX_databook.pdf ↩