| Part of a series on |
| x86 instruction listings |
|---|
|
Thex86instruction set refers to the set of instructions thatx86-compatiblemicroprocessors support. The instructions are usually part of anexecutable program, often stored as acomputer file and executed on the processor.
The x86 instruction set has been extended several times, introducing widerregisters and datatypes as well as new functionality.[1]
Below is the full8086/8088 instruction set of Intel (81 instructions total).[2] These instructions are also available in 32-bit mode, in which they operate on 32-bit registers (eax,ebx, etc.) and values instead of their 16-bit (ax,bx, etc.) counterparts. The updated instruction set is grouped according to architecture (i186,i286,i386,i486,i586/i686) and is referred to as (32-bit)x86 and (64-bit)x86-64 (also known asAMD64).
This is the original instruction set. In the 'Notes' column,r meansregister,m meansmemory address andimm meansimmediate (i.e. a value).
| In- struc- tion | Meaning | Notes | Opcode |
|---|---|---|---|
| AAA | ASCII adjust AL after addition | used with unpackedbinary-coded decimal | 0x37 |
| AAD | ASCII adjust AX before division | 8086/8088 datasheet documents only base 10 version of the AAD instruction (opcode0xD50x0A), but any other base will work. Later Intel's documentation has the generic form too.NEC V20 and V30 (and possibly other NEC V-series CPUs) always use base 10, and ignore the argument, causing a number of incompatibilities | 0xD5 |
| AAM | ASCII adjust AX after multiplication | Only base 10 version (Operand is 0xA) is documented, see notes for AAD | 0xD4 |
| AAS | ASCII adjust AL after subtraction | 0x3F | |
| ADC | Add with carry | (1) r += (r/m/imm+CF); (2)m += (r/imm+CF); | 0x10...0x15,0x80...0x81/2,0x83/2 |
| ADD | Add | (1) r += r/m/imm; (2)m += r/imm; | 0x00...0x05,0x80/0...0x81/0,0x83/0 |
| AND | Logical AND | (1) r &= r/m/imm; (2)m &= r/imm; | 0x20...0x25,0x80...0x81/4,0x83/4 |
| CALL | Call procedure | pusheip; eip points to the instruction directly after the call | 0x9A,0xE8,0xFF/2,0xFF/3 |
| CBW | Convert byte to word | AX = AL ; sign extended | 0x98 |
| CLC | Clearcarry flag | CF = 0; | 0xF8 |
| CLD | Cleardirection flag | DF = 0; | 0xFC |
| CLI | Clearinterrupt flag | IF = 0; | 0xFA |
| CMC | Complement carry flag | CF = !CF; | 0xF5 |
| CMP | Compare operands | (1) r - r/m/imm; (2)m - r/imm; | 0x38...0x3D,0x80...0x81/7,0x83/7 |
| CMPSB | Compare bytes in memory. May be used with aREPE orREPNE prefix to test and repeat the instructionCX times. | if(DF==0)*(byte*)SI++-*(byte*)ES:DI++;else*(byte*)SI---*(byte*)ES:DI--; | 0xA6 |
| CMPSW | Compare words. May be used with aREPE orREPNE prefix to test and repeat the instructionCX times. | if(DF==0)*(word*)SI++-*(word*)ES:DI++;else*(word*)SI---*(word*)ES:DI--; | 0xA7 |
| CWD | Convert word to doubleword | 0x99 | |
| DAA | Decimal adjust AL after addition | (used with packedbinary-coded decimal) | 0x27 |
| DAS | Decimal adjust AL after subtraction | 0x2F | |
| DEC | Decrement by 1 | 0x48...0x4F,0xFE/1,0xFF/1 | |
| DIV | Unsigned divide | (1)AX = DX:AX / r/m; resultingDX = remainder (2)AL = AX / r/m; resultingAH = remainder | 0xF7/6,0xF6/6 |
| ESC | Used withfloating-point unit | 0xD8..0xDF | |
| HLT | Enter halt state | 0xF4 | |
| IDIV | Signed divide | (1)AX = DX:AX / r/m; resultingDX = remainder (2)AL = AX / r/m; resultingAH = remainder | 0xF7/7,0xF6/7 |
| IMUL | Signed multiply in One-operand form | (1)DX:AX = AX * r/m; (2)AX = AL * r/m | 0xF7/5,0xF6/5 |
| IN | Input from port | (1)AL = port[imm]; (2)AL = port[DX]; (3)AX = port[imm]; (4)AX = port[DX]; | 0xE4,0xE5,0xEC,0xED |
| INC | Increment by 1 | 0x40...0x47,0xFE/0,0xFF/0 | |
| INT | Call tointerrupt | 0xCC,0xCD | |
| INTO | Call to interrupt if overflow | 0xCE | |
| IRET | Return from interrupt | 0xCF | |
| Jcc | Jump if condition | (JA, JAE, JB, JBE, JC, JE, JG, JGE, JL, JLE, JNA, JNAE, JNB, JNBE, JNC, JNE, JNG, JNGE, JNL, JNLE, JNO, JNP, JNS, JNZ, JO, JP, JPE, JPO, JS, JZ) | 0x70...0x7F |
| JCXZ | Jump if CX is zero | 0xE3 | |
| JMP | Jump | 0xE9...0xEB,0xFF/4,0xFF/5 | |
| LAHF | Load FLAGS into AH register | 0x9F | |
| LDS | Load DS:r with far pointer | r = m; DS = 2 + m; | 0xC5 |
| LEA | Load Effective Address | 0x8D | |
| LES | Load ES:r with far pointer | r = m; ES = 2 + m; | 0xC4 |
| LOCK | Assert BUS LOCK# signal | (for multiprocessing) | 0xF0 |
| LODSB | Load string byte. May be used with aREP prefix to repeat the instructionCX times. | if(DF==0)AL=*SI++;elseAL=*SI--; | 0xAC |
| LODSW | Load string word. May be used with aREP prefix to repeat the instructionCX times. | if(DF==0)AX=*SI++;elseAX=*SI--; | 0xAD |
| LOOP/ LOOPx | Loop control | (LOOPE, LOOPNE, LOOPNZ, LOOPZ)if(x&&--CX)gotolbl; | 0xE0...0xE2 |
| MOV | Move | (1) r = r/m/imm; (2)m = r/imm; (3) r/m = sreg; (4) sreg = r/m; | 0xA0...0xA3,0x8C,0x8E |
| MOVSB | Move byte from string to string. May be used with aREP prefix to repeat the instructionCX times. | if(DF==0)*(byte*)ES:DI++=*(byte*)SI++;else*(byte*)ES:DI--=*(byte*)SI--; | 0xA4 |
| MOVSW | Move word from string to string. May be used with aREP prefix to repeat the instructionCX times. | if(DF==0)*(word*)ES:DI++=*(word*)SI++;else*(word*)ES:DI--=*(word*)SI--; | 0xA5 |
| MUL | Unsigned multiply | (1)DX:AX = AX * r/m; (2)AX = AL * r/m; | 0xF7/4,0xF6/4 |
| NEG | Two's complement negation | r/m=0–r/m; | 0xF6/3...0xF7/3 |
| NOP | No operation | opcode equivalent toXCHG EAX, EAX | 0x90 |
| NOT | Negate the operand,logical NOT | r/m^=-1; | 0xF6/2...0xF7/2 |
| OR | Logical OR | (1) r ∣= r/m/imm; (2)m ∣= r/imm; | 0x08...0x0D,0x80...0x81/1,0x83/1 |
| OUT | Output to port | (1)port[imm] = AL; (2)port[DX] = AL; (3)port[imm] = AX; (4)port[DX] = AX; | 0xE6,0xE7,0xEE,0xEF |
| POP | Pop data fromstack | r/m/sreg = *SP++; | 0x07,0x17,0x1F,0x58...0x5F,0x8F/0 |
| POPF | PopFLAGS register from stack | FLAGS = *SP++; | 0x9D |
| PUSH | Push data onto stack | *--SP=r/m/sreg; | 0x06,0x0E,0x16,0x1E,0x50...0x57,0xFF/6 |
| PUSHF | Push FLAGS onto stack | *--SP=FLAGS; | 0x9C |
| RCL | Rotate left (with carry) | 0xC0...0xC1/2 (186+),0xD0...0xD3/2 | |
| RCR | Rotate right (with carry) | 0xC0...0xC1/3 (186+),0xD0...0xD3/3 | |
| REPxx | Repeat MOVS/STOS/CMPS/LODS/SCAS | (REP, REPE, REPNE, REPNZ, REPZ) | 0xF2,0xF3 |
| RET | Return from procedure | Not a real instruction. The assembler will translate these to a RETN or a RETF depending on the memory model of the target system. | |
| RETN | Return from near procedure | 0xC2,0xC3 | |
| RETF | Return from far procedure | 0xCA,0xCB | |
| ROL | Rotate left | 0xC0...0xC1/0 (186+),0xD0...0xD3/0 | |
| ROR | Rotate right | 0xC0...0xC1/1 (186+),0xD0...0xD3/1 | |
| SAHF | Store AH into FLAGS | 0x9E | |
| SAL | Shift Arithmetically left (signed shift left) | (1)r/m <<= 1; (2)r/m <<= CL; | 0xC0...0xC1/4 (186+),0xD0...0xD3/4 |
| SAR | Shift Arithmetically right (signed shift right) | (1)(signed) r/m >>= 1; (2)(signed) r/m >>= CL; | 0xC0...0xC1/7 (186+),0xD0...0xD3/7 |
| SBB | Subtraction with borrow | (1) r -= (r/m/imm+CF); (2)m -= (r/imm+CF); alternative 1-byte encoding ofSBB AL, AL is available viaundocumented SALC instruction | 0x18...0x1D,0x80...0x81/3,0x83/3 |
| SCASB | Compare byte string. May be used with aREPE orREPNE prefix to test and repeat the instructionCX times. | if(DF==0)AL-*ES:DI++;elseAL-*ES:DI--; | 0xAE |
| SCASW | Compare word string. May be used with aREPE orREPNE prefix to test and repeat the instructionCX times. | if(DF==0)AX-*ES:DI++;elseAX-*ES:DI--; | 0xAF |
| SHL | Shift left (unsigned shift left) | 0xC0...0xC1/4 (186+),0xD0...0xD3/4 | |
| SHR | Shift right (unsigned shift right) | 0xC0...0xC1/5 (186+),0xD0...0xD3/5 | |
| STC | Set carry flag | CF = 1; | 0xF9 |
| STD | Set direction flag | DF = 1; | 0xFD |
| STI | Set interrupt flag | IF = 1; | 0xFB |
| STOSB | Store byte in string. May be used with aREP prefix to repeat the instructionCX times. | if(DF==0)*ES:DI++=AL;else*ES:DI--=AL; | 0xAA |
| STOSW | Store word in string. May be used with aREP prefix to repeat the instructionCX times. | if(DF==0)*ES:DI++=AX;else*ES:DI--=AX; | 0xAB |
| SUB | Subtraction | (1) r -= r/m/imm; (2)m -= r/imm; | 0x28...0x2D,0x80...0x81/5,0x83/5 |
| TEST | Logical compare (AND) | (1) r & r/m/imm; (2)m & r/imm; | 0x84,0x85,0xA8,0xA9,0xF6/0,0xF7/0 |
| WAIT | Wait until not busy | Waits until BUSY# pin is inactive (used withfloating-point unit) | 0x9B |
| XCHG | Exchange data | r:=:r/m; Aspinlock typically uses xchg as anatomic operation. (coma bug). | 0x86,0x87,0x91...0x97 |
| XLAT | Table look-up translation | behaves likeMOV AL, [BX+AL] | 0xD7 |
| XOR | Exclusive OR | (1) r ^+= r/m/imm; (2)m ^= r/imm; | 0x30...0x35,0x80...0x81/6,0x83/6 |
| Instruction | Opcode | Meaning | Notes |
|---|---|---|---|
| BOUND | 62/r | Check array index against bounds | raises software interrupt 5 if test fails |
| ENTER | C8iw ib | Enter stack frame | Modifies stack for entry to procedure for high level language. Takes two operands: the amount of storage to be allocated on the stack and the nesting level of the procedure. |
| INSB/INSW | 6C | Input from port to string. May be used with a REP prefix to repeat the instruction CX times. | equivalent to:INAL,DXMOVES:[DI],ALINCDI; adjust DI according to operand size and DF |
| 6D | |||
| LEAVE | C9 | Leave stack frame | Releases the local stack storage created by the previous ENTER instruction. |
| OUTSB/OUTSW | 6E | Output string to port. May be used with a REP prefix to repeat the instruction CX times. | equivalent to:MOVAL,DS:[SI]OUTDX,ALINCSI; adjust SI according to operand size and DF |
| 6F | |||
| POPA | 61 | Pop all general purpose registers from stack | equivalent to:POPDIPOPSIPOPBPPOPAX; no POP SP here, all it does is ADD SP, 2 (since AX will be overwritten later)POPBXPOPDXPOPCXPOPAX |
| PUSHA | 60 | Push all general purpose registers onto stack | equivalent to:PUSHAXPUSHCXPUSHDXPUSHBXPUSHSP; The value stored is the initial SP valuePUSHBPPUSHSIPUSHDI |
| PUSH immediate | 6Aib | Push an immediate byte/word value onto the stack | example:PUSH12hPUSH1200h |
| 68iw | |||
| IMUL immediate | 6B/r ib | Signed and unsigned multiplication of immediate byte/word value | example:IMULBX,12hIMULDX,1200hIMULCX,DX,12hIMULBX,SI,1200hIMULDI,wordptr[BX+SI],12hIMULSI,wordptr[BP-4],1200h Note that since the lower half is the same for unsigned and signed multiplication, this version of the instruction can be used for unsigned multiplication as well. |
| 69/r iw | |||
| SHL/SHR/SAL/SAR/ROL/ROR/RCL/RCR immediate | C0 | Rotate/shift bits with an immediate value greater than 1 | example:ROLAX,3SHRBL,3 |
| C1 |
The new instructions added in 80286 add support for x86protected mode. Some but not all of the instructions are available inreal mode as well.
| Instruction | Opcode | Instruction description | Real mode | Ring |
|---|---|---|---|---|
LGDT m16&32[a] | 0F 01 /2 | Load GDTR (Global Descriptor Table Register) from memory.[b] | Yes | 0 |
LIDT m16&32[a] | 0F 01 /3 | Load IDTR (Interrupt Descriptor Table Register) from memory.[b] The IDTR controls not just the address/size of the IDT (interrupt Descriptor Table) inprotected mode, but the IVT (Interrupt Vector Table) inreal mode as well. | ||
LMSW r/m16 | 0F 01 /6 | Load MSW (Machine Status Word) from 16-bit register or memory.[c][d] | ||
CLTS | 0F 06 | Clear task-switched flag in the MSW. | ||
LLDT r/m16 | 0F 00 /2 | Load LDTR (Local Descriptor Table Register) from 16-bit register or memory.[b] | #UD | |
LTR r/m16 | 0F 00 /3 | Load TR (Task Register) from 16-bit register or memory.[b] The TSS (Task State Segment) specified by the 16-bit argument is marked busy, but a task switch is not done. | ||
SGDT m16&32[a] | 0F 01 /0 | Store GDTR to memory. | Yes | Usually 3[e] |
SIDT m16&32[a] | 0F 01 /1 | Store IDTR to memory. | ||
SMSW r/m16 | 0F 01 /4 | Store MSW to register or 16-bit memory.[f] | ||
SLDT r/m16 | 0F 00 /0 | Store LDTR to register or 16-bit memory.[f] | #UD | |
STR r/m16 | 0F 00 /1 | Store TR to register or 16-bit memory.[f] | ||
ARPL r/m16,r16 | 63 /r[g] | Adjust RPL (RequestedPrivilege Level) field of selector. The operation performed is:if (dst & 3) < (src & 3) then dst = (dst & 0xFFFC) | (src & 3) eflags.zf = 1else eflags.zf = 0 | #UD[h] | 3 |
LAR r,r/m16 | 0F 02 /r | Load access rights byte from the specifiedsegment descriptor. Reads bytes 4-7 of segment descriptor, bitwise-ANDs it with 0x00FxFF00,[i] then stores the bottom 16/32 bits of the result in destination register. SetsEFLAGS.ZF=1 if the descriptor could be loaded, ZF=0 otherwise.[j] | #UD | |
LSL r,r/m16 | 0F 03 /r | Load segment limit from the specified segment descriptor. Sets ZF=1 if the descriptor could be loaded, ZF=0 otherwise.[j] | ||
VERR r/m16 | 0F 00 /4 | Verify a segment for reading. Sets ZF=1 if segment can be read, ZF=0 otherwise. | ||
VERW r/m16 | 0F 00 /5 | Verify a segment for writing. Sets ZF=1 if segment can be written, ZF=0 otherwise.[k] | ||
| LOADALL[l] | 0F 05 | Load all CPU registers from a 102-byte data structure starting at physical address800h, including "hidden" part of segment descriptor registers. | Yes | 0 |
| STOREALL[l] | F1 0F 04 | Store all CPU registers to a 102-byte data structure starting at physical address800h, then shut down CPU. | ||
LGDT,LIDT,SGDT andSIDT instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.LGDT andLIDT with a 16-bit operand size, the address is ANDed with 00FFFFFFh.On Intel (but not AMD) CPUs, theSGDT andSIDT instructions with a 16-bit operand size is – as ofIntel SDM revision 079, March 2023 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.[3]LGDT,LIDT,LLDT andLTR instructions are serializing onPentium and later processors.LMSW instruction is serializing on Intel processors fromPentium onwards, but not on AMD processors.LMSW instruction can only modify the bottom 4 bits of this register and cannot clear bit 0. The inability to clear bit 0 means thatLMSW can be used to enter but not leave x86Protected Mode.LMSW nor withLOADALL[4]) without aCPU reset – on 80386 and later, it is possible to leave Protected Mode, but this requires the use of the 80386-and-laterMOV toCR0 instruction.CR4.UMIP=1 is set, then theSGDT,SIDT,SLDT,SMSW andSTR instructions can only run in Ring 0.SMSW,SLDT andSTR instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows:SMSW: Stores fullCR0 in x86-64long mode, undefined otherwise.SLDT: Zero-extends 16-bit argument onPentium Pro and later processors, undefined on earlier processors.STR: Zero-extends 16-bit argument.ARPL instruction is not available – the63 /r opcode has been reassigned to the 64-bit-mode-onlyMOVSXD instruction.ARPL instruction causes #UD inReal mode andVirtual 8086 Mode – Windows 95 and OS/2 2.x are known to make extensive use of this #UD to use the63 opcode as a one-byte breakpoint to transition from Virtual 8086 Mode to kernel mode.[8][9]0x00FFFF00.LAR andLSL instructions, if the specified segment descriptor could not be loaded, then the instruction's destination register is left unmodified.VERW instruction also flushes microarchitectural data buffers. This enables it to be used as part of workarounds forMicroarchitectural Data Sampling security vulnerabilities.[11][12] Some of the microarchitectural buffer-flushing functions that have been added toVERW may require the instruction to be executed with a memory operand.[13]LOADALL with a different opcode and memory layout exists on 80386.)The 80386 added support for 32-bit operation to the x86 instruction set. This was done by widening the general-purpose registers to 32 bits and introducing the concepts ofOperandSize andAddressSize – most instruction forms that would previously take 16-bit data arguments were given the ability to take 32-bit arguments by setting their OperandSize to 32 bits, and instructions that could take 16-bit address arguments were given the ability to take 32-bit address arguments by setting their AddressSize to 32 bits. (Instruction forms that work on 8-bit data continue to be 8-bit regardless of OperandSize. Using a data size of 16 bits will cause only the bottom 16 bits of the 32-bit general-purpose registers to be modified – the top 16 bits are left unchanged.)
The default OperandSize and AddressSize to use for each instruction is given by the D bit of thesegment descriptor of the current code segment -D=0 makes both 16-bit,D=1 makes both 32-bit. Additionally, they can be overridden on a per-instruction basis with two new instruction prefixes that were introduced in the 80386:
66h: OperandSize override. Will change OperandSize from 16-bit to 32-bit ifCS.D=0, or from 32-bit to 16-bit ifCS.D=1.67h: AddressSize override. Will change AddressSize from 16-bit to 32-bit ifCS.D=0, or from 32-bit to 16-bit ifCS.D=1.The 80386 also introduced the two new segment registersFS andGS as well as the x86control,debug andtest registers.
The new instructions introduced in the 80386 can broadly be subdivided into two classes:
CWDE,LODSD)SHLD,SETcc)For instruction forms where the operand size can be inferred from the instruction's arguments (e.g.ADD EAX,EBX can be inferred to have a 32-bit OperandSize due to its use of EAX as an argument), new instruction mnemonics are not needed and not provided.
| Type | Instruction mnemonic | Opcode | Description | Mnemonic for older 16-bit variant | Ring |
|---|---|---|---|---|---|
| String instructions[a][b] | LODSD | AD | Load string doubleword:EAX := DS:[rSI±±] | LODSW | 3 |
STOSD | AB | Store string doubleword:ES:[rDI±±] := EAX | STOSW | ||
MOVSD | A5 | Move string doubleword:ES:[rDI±±] := DS:[rSI±±] | MOVSW | ||
CMPSD | A7 | Compare string doubleword:temp1 := DS:[rSI±±]temp2 := ES:[rDI±±]CMP temp1, temp2 /* 32-bit compare and set EFLAGS */ | CMPSW | ||
SCASD | AF | Scan string doubleword:temp1 := ES:[rDI±±]CMP EAX, temp1 /* 32-bit compare and set EFLAGS */ | SCASW | ||
INSD | 6D | Input string from doubleword I/O port:ES:[rDI±±] := port[DX][c] | INSW | Usually 0[d] | |
OUTSD | 6F | Output string to doubleword I/O port:port[DX] := DS:[rSI±±] | OUTSW | ||
| Other | CWDE | 98 | Sign-extend 16-bit value in AX to 32-bit value in EAX[e] | CBW | 3 |
CDQ | 99 | Sign-extend 32-bit value in EAX to 64-bit value in EDX:EAX. Mainly used to prepare a dividend for the 32-bit | CWD | ||
JECXZ rel8 | E3cb[f] | Jump if ECX is zero | JCXZ | ||
PUSHAD | 60 | Push all 32-bit registers onto stack[g] | PUSHA | ||
POPAD | 61 | Pop all 32-bit general-purpose registers off stack[h] | POPA | ||
PUSHFD | 9C | Push 32-bit EFLAGS register onto stack | PUSHF | Usually 3[i] | |
POPFD | 9D | Pop 32-bit EFLAGS register off stack | POPF | ||
IRETD | CF | 32-bit interrupt return. Differs from the older 16-bitIRET instruction in that it will pop interrupt return items (EIP,CS,EFLAGS; also ESP[j] and SS if there is aCPL change; and also ES,DS,FS,GS if returning tovirtual 8086 mode) off the stack as 32-bit items instead of 16-bit items. Should be used to return from interrupts when the interrupt handler was entered through a 32-bitIDT interrupt/trap gate.Instruction is serializing. | IRET | ||
EFLAGS.DF=1 and post-incremented by 4 otherwise.67 prefix.LODSD,STOSD,MOVSD,INSD andOUTSD, theREP prefix (F3) will repeat the instruction the number of times specified in rCX (CX or ECX, decided by AddressSize), decrementing rCX for each iteration (with rCX=0 resulting in no-op and proceeding to the next instruction).CMPSD andSCASD, theREPE (F3) andREPNE (F2) prefixes are available, which will repeat the instruction, decrementing rCX for each iteration, but only as long as the flag condition (ZF=1 forREPE, ZF=0 forREPNE) holds true AND rCX ≠ 0.INSB/W/D instructions, the memory access rights for theES:[rDI] memory address might not be checked until after the port access has been performed – if this check fails (e.g. page fault or other memory exception), then the data item read from the port is lost. As such, it is not recommended to use this instruction to access an I/O port that performs any kind of side effect upon read.CWDE instruction differs from the olderCWD instruction in thatCWD would sign-extend the 16-bit value in AX into a 32-bit value in the DX:AX register pair.E3 opcode (JCXZ/JECXZ), the choice of whether the instruction will useCX orECX for its comparison (and consequently which mnemonic to use) is based on the AddressSize, not OperandSize. (OperandSize instead controls whether the jump destination should be truncated to 16 bits or not).LOOP,LOOPE,LOOPNE (opcodesE0,E1,E2), however, unlikeJCXZ/JECXZ, these instructions have not been given new mnemonics for their ECX-using variants.PUSHA(D), the value of SP/ESP pushed onto the stack is the value it had just before thePUSHA(D) instruction started executing.POPA/POPAD, the stack item corresponding to SP/ESP is popped off the stack (performing a memory read), but not placed into SP/ESP.PUSHFD andPOPFD instructions will cause a #GP exception if executed invirtual 8086 mode if IOPL is not 3.PUSHF,POPF,IRET andIRETD instructions will cause a #GP exception if executed in Virtual-8086 mode if IOPL is not 3 and VME is not enabled.IRETD is used to return from kernel mode to user mode (which will entail a CPL change) and the user-mode stacksegment indicated by SS is a 16-bit segment, then theIRETD instruction will only restore the low 16 bits of the stack pointer (ESP/RSP), with the remaining bits keeping whatever value they had in kernel code before theIRETD. This has necessitated complex workarounds on both Linux ("ESPFIX")[16] and Windows.[17] This issue also affects the later 64-bitIRETQ instruction.| Instruction mnemonics | Opcode | Description | Ring |
|---|---|---|---|
BT r/m, r | 0F A3 /r | Bit Test.[a] Second operand specifies which bit of the first operand to test. The bit to test is copied toEFLAGS.CF. | 3 |
BT r/m, imm8 | 0F BA /4ib | ||
BTS r/m, r | 0F AB /r | BitTest-and-set.[a][b] Second operand specifies which bit of the first operand to test and set. | |
BTS r/m, imm8 | 0F BA /5ib | ||
BTR r/m, r | 0F B3 /r | Bit Test and Reset.[a][b] Second operand specifies which bit of the first operand to test and clear. | |
BTR r/m, imm8 | 0F BA /6ib | ||
BTC r/m, r | 0F BB /r | Bit Test and Complement.[a][b] Second operand specifies which bit of the first operand to test and toggle. | |
BTC r/m, imm8 | 0F BA /7ib | ||
BSF r, r/m | NFx 0F BC /r[c] | Bit scan forward. Returns bit index of lowest set bit in input.[d] | 3 |
BSR r, r/m | NFx 0F BD /r[e] | Bit scan reverse. Returns bit index of highest set bit in input.[d] | |
SHLD r/m, r, imm8 | 0F A4 /rib | Shift Left Double. The operation of SHLD arg1,arg2,shamt is:arg1 := (arg1<<shamt) | (arg2>>(operand_size - shamt))[f] | |
SHLD r/m, r, CL | 0F A5 /r | ||
SHRD r/m, r, imm8 | 0F AC /rib | Shift Right Double. The operation of SHRD arg1,arg2,shamt is:arg1 := (arg1>>shamt) | (arg2<<(operand_size - shamt))[f] | |
SHRD r/m, r, CL | 0F AD /r | ||
MOVZX reg, r/m8 | 0F B6 /r | Move from 8/16-bit source to 16/32-bit register with zero-extension. | 3 |
MOVZX reg, r/m16 | 0F B7 /r | ||
MOVSX reg, r/m8 | 0F BE /r | Move from 8/16-bit source to 16/32/64-bit register withsign-extension. | |
MOVSX reg, r/m16 | 0F BF /r | ||
SETcc r/m8 | 0F 9x /0[g][h] | Set byte to 1 if condition is satisfied, 0 otherwise. | |
Jccrel16Jccrel32 | 0F 8xcw0F 8xcd[g] | Conditional jump near. Differs from older variants of conditional jumps in that they accept a 16/32-bit offset rather than just an 8-bit offset. | |
IMUL r, r/m | 0F AF /r | Two-operand non-widening integer multiply. | |
FS: | 64 | Segment-override prefixes for FS and GS segment registers. | 3 |
GS: | 65 | ||
PUSH FS | 0F A0 | Push/pop FS and GS segment registers. | |
POP FS | 0F A1 | ||
PUSH GS | 0F A8 | ||
POP GS | 0F A9 | ||
LFS r16, m16&16LFS r32, m32&16 | 0F B4 /r | Loadfar pointer from memory. Offset part is stored in destination register argument, segment part in FS/GS/SS segment register as indicated by the instruction mnemonic.[i] | |
LGS r16, m16&16LGS r32, m32&16 | 0F B5 /r | ||
LSS r16, m16&16LSS r32, m32&16 | 0F B2 /r | ||
MOV reg,CRx | 0F 20 /r[j] | Move fromcontrol register to general register.[k] | 0 |
MOV CRx,reg | 0F 22 /r[j] | Move from general register to control register.[k] Moves to the On Pentium and later processors, moves to the | |
MOV reg,DRx | 0F 21 /r[j] | Move fromx86 debug register to general register.[k] | |
MOV DRx,reg | 0F 23 /r[j] | Move from general register to x86 debug register.[k] On Pentium and later processors, moves to the DR0-DR7 debug registers are serializing. | |
MOV reg,TRx | 0F 24 /r[j] | Move from x86test register to general register.[n] | |
MOV TRx,reg | 0F 26 /r[j] | Move from general register to x86 test register.[n] | |
| ICEBP, INT01, INT1[o] | F1 | In-circuit emulation breakpoint. Performs software interrupt #1 if executed when not using in-circuit emulation.[p] | 3 |
| UMOV r/m, r8 | 0F 10 /r | User Move – perform data moves that can access user memory while in In-circuit emulation HALT mode. Performs same operation as | |
| UMOV r/m, r16/32 | 0F 11 /r | ||
| UMOV r8, r/m | 0F 12 /r | ||
| UMOV r16/32, r/m | 0F 13 /r | ||
| XBTS reg,r/m | 0F A6 /r | Bitfield extract (early 386 only).[r][s] | |
| IBTS r/m,reg | 0F A7 /r | Bitfield insert (early 386 only).[r][s] | |
| LOADALLD, LOADALL386[t] | 0F 07 | Load all CPU registers from a 296-byte data structure starting at ES:EDI, including "hidden" part of segment descriptor registers. | 0 |
BT,BTS,BTR andBTC instructions:BTS,BTC andBTR instructions accept theLOCK (F0) prefix when used with a memory argument – this results in the instruction executing atomically.F3 prefix is used with the0F BC /r opcode, then the instruction will execute asTZCNT on systems that support the BMI1 extension.TZCNT differs fromBSF in thatTZCNT but notBSR is defined to return operand size if the source operand is zero – for other source operand values, they produce the same result (except for flags).BSF andBSR set the EFLAGS.ZF flag to 1 if the source argument was all-0s and 0 otherwise.F3 prefix is used with the0F BD /r opcode, then the instruction will execute asLZCNT on systems that support the ABM or LZCNT extensions.LZCNT produces a different result fromBSR for most input values.SHLD andSHRD, the shift-amount is masked – the bottom 5 bits are used for 16/32-bit operand size and 6 bits for 64-bit operand size.SHLD andSHRD with 16-bit arguments and a shift-amount greater than 16 produce undefined results. (Actual results differ between different Intel CPUs, with at least three different behaviors known.[18])SETcc andJcc near instructions (opcodes0F 9x /0 and0F 8x respectively, with thex nibble specifying the condition) are:| x | cc | Condition (EFLAGS) |
|---|---|---|
| 0 | O | OF=1: "Overflow" |
| 1 | NO | OF=0:"Not Overflow" |
| 2 | C,B,NAE | CF=1: "Carry", "Below","Not Above or Equal" |
| 3 | NC,NB,AE | CF=0:"Not Carry","Not Below","Above or Equal" |
| 4 | Z,E | ZF=1: "Zero", "Equal" |
| 5 | NZ,NE | ZF=0:"Not Zero","Not Equal" |
| 6 | NA,BE | (CF=1 or ZF=1):"Not Above","Below or Equal" |
| 7 | A,NBE | (CF=0 and ZF=0): "Above","Not Below or Equal" |
| 8 | S | SF=1: "Sign" |
| 9 | NS | SF=0:"Not Sign" |
| A | P,PE | PF=1: "Parity","Parity Even" |
| B | NP,PO | PF=0:"Not Parity","Parity Odd" |
| C | L,NGE | SF≠OF: "Less","Not Greater Or Equal" |
| D | NL,GE | SF=OF:"Not Less","Greater Or Equal" |
| E | LE,NG | (ZF=1 or SF≠OF):"Less or Equal","Not Greater" |
| F | NLE,G | (ZF=0 and SF=OF):"Not Less or Equal","Greater" |
SETcc, while the opcode is commonly specified as /0 – implying that bits 5:3 of the instruction'sModR/M byte should be 000 – modern x86 processors (Pentium and later) ignore bits 5:3 and will execute the instruction asSETcc regardless of the contents of these bits.LFS,LGS andLSS, the size of the offset part of the far pointer is given by operand size – the size of the segment part is always 16 bits. In 64-bit mode, using theREX.W prefix with these instructions will cause them to load afar pointer with a 64-bit offset on Intel but not AMD processors.MOV to/from theCRx,DRx andTRx registers, the reg part of theModR/M byte is used to indicateCRx/DRx/TRx register and r/m part the general-register.Uniquely for theMOV CRx/DRx/TRx opcodes, the top two bits of theModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are11b.CRx andDRx registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise.MOV toCR3 − instead, these entries can be flushed by toggling the CR4.PGE bit.INVPCID instruction.CR0 would not serialize the instruction stream – in part for this reason, it is usually required to perform a far jump[19] immediately after aMOV toCR0 if such aMOV is used to enable/disableprotected mode and/ormemory paging.MOV toCR2 is architecturally listed as serializing, but has been reported to benon-serializing on at least some Intel Core-i7 processors.[20]MOV toCR8 (introduced with x86-64) is serializing on AMD but not Intel processors.MOV TRx instructions were discontinued from Pentium onwards.INT1/ICEBP (F1) instruction is present on all known Intel x86 processors from the 80386 onwards,[21] but only fully documented for Intel processors from the May 2018 release of the Intel SDM (rev 067) onwards.[22] Before this release, mention of the instruction in Intel material was sporadic, e.g. AP-526 rev 001.[23]F1(ICEBP) opcode differs from the operation of the regular software interrupt opcodeCD 01 in several ways:CD 01 will check CPL against the interrupt descriptor's DPL field as an access-rights check, whileF1 will not.CD 01 will also check CPL against IOPL as an access-rights check, whileF1 will not.CD 01 but notF1.XBTS andIBTS instructions were discontinued with the B1 stepping of 80386.XBTS instruction as part of its CPU detection ifCPUID is not present, and will refuse to boot ifXBTS is found to be working.[26]XBTS andIBTS, the r/m argument represents the data to extract/insert a bitfield from/to, the reg argument the bitfield to be inserted/extracted, AX/EAX a bit-offset and CL a bitfield length.[27]| Instruction | Opcode | Description | Ring |
|---|---|---|---|
BSWAP r32 | 0F C8+r | Byte Order Swap. Usually used to convert between big-endian and little-endian data representations. For 32-bit registers, the operation performed is:r = (r << 24) | ((r << 8) & 0x00FF0000) | ((r >> 8) & 0x0000FF00) | (r >> 24); Using | 3 |
CMPXCHG r/m8,r8 | 0F B0 /r[b] | Compare and Exchange. If accumulator (AL/AX/EAX/RAX) compares equal to first operand,[c] thenEFLAGS.ZF is set to 1 and the first operand is overwritten with the second operand. Otherwise,EFLAGS.ZF is set to 0, and first operand is copied into the accumulator.Instruction atomic only if used with | |
CMPXCHG r/m,r16CMPXCHG r/m,r32 | 0F B1 /r[b] | ||
XADD r/m,r8 | 0F C0 /r | eXchange and ADD. Exchanges the first operand with the second operand, then stores the sum of the two values into the destination operand. Instruction atomic only if used with | |
XADD r/m,r16XADD r/m,r32 | 0F C1 /r | ||
INVLPG m8 | 0F 01 /7 | Invalidate theTLB entries that would be used for the 1-byte memory operand.[d] Instruction is serializing. | 0 |
INVD | 0F 08 | Invalidate Internal Caches.[e] Modified data in the cache are not written back to memory, potentially causing data loss.[f] | |
WBINVD | NFx 0F 09[g] | Write Back and Invalidate Cache.[e] Writes back all modified cache lines in the processor's internal cache to main memory and invalidates the internal caches. |
BSWAP with 16-bit registers is not disallowed per se (it will execute without producing an #UD or other exceptions) but is documented to produce undefined results – it is reported to produce various different results on 486,[29] 586, andBochs/QEMU.[30]CMPXCHG instruction uses a different encoding -0F A6 /r for 8-bit variant,0F A7 /r for 16/32-bit variant. The0F B0/B1 encodings are used on 80486 stepping B and later.[32][33]CMPXCHG instruction setsEFLAGS in the same way as aCMP instruction that uses the accumulator (AL/AX/EAX/RAX) as its first argument would do.INVLPG executes as no-operation if the m8 argument is invalid (e.g. unmapped page or non-canonical address).INVLPG can be used to invalidate TLB entries for individual global pages.INVD andWBINVD instructions will invalidate all cache lines in the CPU's L1 caches. It is implementation-defined whether they will invalidate L2/L3 caches as well.INVD instruction will cause a mandatory #VMEXIT. Also, on processors that supportIntel SGX, if the PRM (Processor Reserved Memory) has been set up by using the PRMRRs (PRM range registers), then theINVD instruction is not permitted and will cause a #GP(0) exception.[34]F3 prefix is used with the0F 09 opcode, then the instruction will execute asWBNOINVD on processors that support the WBNOINVD extension – this will not invalidate the cache.Integer/system instructions that were not present in the basic 80486 instruction set, but were added in various x86 processors prior to the introduction of SSE. (Discontinued instructions are not included.)
| Instruction | Opcode | Description | Ring | Added in |
|---|---|---|---|---|
RDMSR | 0F 32 | ReadModel-specific register. The MSR to read is specified in ECX. The value of the MSR is then returned as a 64-bit value in EDX:EAX.[a] | 0 | IBM386SLC,[35] IntelPentium, AMDK5, Cyrix6x86MX,MediaGXm, IDTWinChip C6, TransmetaCrusoe, DM&PVortex86DX3 |
WRMSR | 0F 30 | WriteModel-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX.[b] Instruction is, with some exceptions, serializing.[c] | ||
RSM[42] | 0F AA | Resume fromSystem Management Mode. Instruction is serializing. | -2 (SMM) | Intel 386SL,[43][44]486SL,[d] IntelPentium, AMD5x86, Cyrix486SLC/e,[45] IDTWinChip C6, TransmetaCrusoe, RisemP6 |
CPUID | 0F A2 | CPU Identification and feature information. Takes as input a CPUID leaf index in EAX and, depending on leaf, a sub-index in ECX. Result is returned in EAX,EBX,ECX,EDX.[e] Instruction is serializing, and causes a mandatory #VMEXIT under virtualization. Support for | Usually 3[f] | IntelPentium,[g] AMD5x86,[g] Cyrix5x86,[h] IDTWinChip C6, TransmetaCrusoe, RisemP6, NexGenNx586,[i] UMCGreen CPU |
CMPXCHG8B m64 | 0F C7 /1 | Compare and Exchange 8 bytes. Compares EDX:EAX with m64. If equal, set ZF[j] and store ECX:EBX into m64. Else, clear ZF and load m64 into EDX:EAX. Instruction atomic only if used with | 3 | IntelPentium, AMDK5, Cyrix6x86L,MediaGXm, IDTWinChip C6,[l] TransmetaCrusoe,[l] RisemP6[l] |
RDTSC | 0F 31 | Read 64-bitTime Stamp Counter (TSC) into EDX:EAX.[m][a] In early processors, the TSC was a cycle counter, incrementing by 1 for each clock cycle (which could cause its rate to vary on processors that could change clock speed at runtime) – in later processors, it increments at a fixed rate that doesn't necessarily match the CPU clock speed.[n] | Usually 3[o] | IntelPentium, AMDK5, Cyrix6x86MX,MediaGXm, IDTWinChip C6, TransmetaCrusoe, RisemP6 |
RDPMC | 0F 33 | ReadPerformance Monitoring Counter. The counter to read is specified by ECX and its value is returned in EDX:EAX.[m][a] | Usually 3[p] | IntelPentium MMX, IntelPentium Pro, AMDK7, Cyrix6x86MX, IDTWinChip C6, AMDGeode LX, VIANano[q] |
CMOVcc reg,r/m | 0F 4x /r[r] | Conditional move to register. The source operand may be either register or memory.[s] | 3 | IntelPentium Pro, AMDK7, Cyrix6x86MX,MediaGXm, TransmetaCrusoe, VIAC3 "Nehemiah",[t] DM&PVortex86DX3 |
NOP r/m,NOPL r/m | NFx 0F 1F /0[u] | Official longNOP. Other than AMD K7/K8, broadly unsupported in non-Intel processors released before 2005.[v][60] | 3 | IntelPentium Pro,[w] AMDK7,x86-64,[x] VIAC7[64] |
UD2,[y]UD2A[z] | 0F 0B | Undefined Instructions – will generate aninvalid opcode (#UD) exception in all operating modes.[aa] These instructions are provided for software testing to explicitly generate invalid opcodes. The opcodes for these instructions are reserved for this purpose. | (3) | (80186),[ab] IntelPentium[69] |
UD1 reg,r/m,[ac]UD2B reg,r/m[z] | 0F B9,0F B9 /r[ad] | |||
OIO,UD0,UD0 reg,r/m[ae] | 0F FF,0F FF /r[ad] | (80186),[ab] Cyrix 6x86,[75] AMD K5[77] | ||
SYSCALL | 0F 05 | FastSystem call. | 3 | AMDK6,[af] x86-64[ag][ah] |
SYSRET | 0F 07[ai] | Fast Return from System Call. Designed to be used together withSYSCALL. | 0[aj] | |
SYSENTER | 0F 34 | FastSystem call. | 3[aj] | IntelPentium II,[ak] AMDK7,[82][al] TransmetaCrusoe,[am] NatSemiGeode GX2, VIAC3 "Nehemiah",[an] DM&PVortex86DX3 |
SYSEXIT | 0F 35[ai] | Fast Return from System Call. Designed to be used together withSYSENTER. | 0[aj] | |
RDMSR,RDTSC andRDPMC instructions will set the top 32 bits of RDX and RAX to zero.WRMSR instruction is also used to update theCPU microcode. This is done by writing the virtual address of the new microcode to upload to MSR79h on Intel CPUs and MSRC001_0020h[36] on AMD CPUs.| Number | Name |
|---|---|
48h | SPEC_CTRL |
49h | PRED_CMD |
10Bh | FLUSH_CMD |
122h | TSX_CTRL |
6E0h | TSC_DEADLINE |
6E1h | PKRS |
774h | HWP_REQUEST (non-serializing only if the FAST_IA32_HWP_REQUEST bit it set) |
802h to83Fh | (x2APIC MSRs) |
1B01h | UARCH_MISC_CTL |
C001_0100h | FS_BASE (non-serializing on AMDZen 4 and later)[39] |
C001_0101h | GS_BASE (Zen 4 and later) |
C001_0102h | KernelGSbase (Zen 4 and later) |
C001_011Bh | Doorbell Register (AMD-specific) |
WRMSR to the x2APIC ICR (Interrupt Command Register; MSR830h) is commonly used to produce an IPI (Inter-processor interrupt) - on Intel[40] but not AMD[41] CPUs, such an IPI can be reordered before an older memory store.
RSM instruction were made available on non-SL variants of the Intel 486 only after the initial release of the Intel Pentium in 1993.CPUID with a leaf index (EAX) greater than 0 may leave EBX and ECX unmodified, keeping their old values. For this reason, it is recommended to zero out EBX and ECX before executingCPUID.CPUID will set the top 32 bits of RAX, RBX, RCX and RDX to zero.CPUID to ring 0. Such MSRs are documented for at least Ivy Bridge[48] and Denverton.[49]CPUID to ring 0 also exists on AMD processors supporting the "CpuidUserDis" feature (Zen 4 "Raphael" and later).[50]CPUID is also available on some Intel and AMD 486 processor variants that were released after the initial release of the Intel Pentium.CPUID is not enabled by default and must be enabled through a Cyrix configuration register.CPUID is only supported with some system BIOSes. On some NexGen CPUs that do supportCPUID, EFLAGS.ID is not supported but EFLAGS.AC is, complicating CPU detection.[51]CMPXCHG instruction, theCMPXCHG8B instruction does not modify anyEFLAGS bits other than ZF.LOCK CMPXCHG8B with a register operand (which is an invalid encoding) will, on some IntelPentium CPUs, cause ahang rather than the expected #UD exception - this is known as thePentium F00F bug.CMPXCHG8B instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.[52]RDTSC andRDPMC instructions are not ordered with respect to other instructions, and may sample their respective counters before earlier instructions are executed or after later instructions have executed. Invocations ofRDPMC (but notRDTSC) may be reordered relative to each other even for reads of the same counter.LFENCE or serializing instructions (e.g.CPUID) are needed.[53]8000_0007:EDX[8]).RDTSC can be run outside Ring 0 only ifCR4.TSD=0.RDTSC cannot be run in Virtual-8086 mode.[57] Later processors removed this restriction.RDPMC can be run outside Ring 0 only ifCR4.PCE=1.RDPMC instruction is not present in VIA processors prior to the Nano.CMOVcc instruction (opcode0F 4x /r, with thex nibble specifying the condition) are:| x | cc | Condition (EFLAGS) |
|---|---|---|
| 0 | O | OF=1: "Overflow" |
| 1 | NO | OF=0:"Not Overflow" |
| 2 | C,B,NAE | CF=1: "Carry", "Below","Not Above or Equal" |
| 3 | NC,NB,AE | CF=0:"Not Carry","Not Below","Above or Equal" |
| 4 | Z,E | ZF=1: "Zero", "Equal" |
| 5 | NZ,NE | ZF=0:"Not Zero","Not Equal" |
| 6 | NA,BE | (CF=1 or ZF=1):"Not Above","Below or Equal" |
| 7 | A,NBE | (CF=0 and ZF=0): "Above","Not Below or Equal" |
| 8 | S | SF=1: "Sign" |
| 9 | NS | SF=0:"Not Sign" |
| A | P,PE | PF=1: "Parity","Parity Even" |
| B | NP,PO | PF=0:"Not Parity","Parity Odd" |
| C | L,NGE | SF≠OF: "Less","Not Greater Or Equal" |
| D | NL,GE | SF=OF:"Not Less","Greater Or Equal" |
| E | LE,NG | (ZF=1 or SF≠OF):"Less or Equal","Not Greater" |
| F | NLE,G | (ZF=0 and SF=OF):"Not Less or Equal","Greater" |
CMOVcc with a 32-bit operand size will clear the upper 32 bits of the destination register even if the condition is false.CMOVcc with a memory source operand, the CPU will always read the operand from memory – potentially causing memory exceptions and cache line-fills – even if the condition for the move is not satisfied. (The IntelAPX extension defines a set of newEVEX-encoded variants ofCMOVcc that will suppress memory exceptions if the condition is false.)reg,reg but notreg,[mem] forms of theCMOVcc instructions have been reported to be present as undocumented instructions.[58]| Length | Byte Sequence |
|---|---|
| 2 | 66 90 |
| 3 | 0F 1F 00 |
| 4 | 0F 1F 40 00 |
| 5 | 0F 1F 44 00 00 |
| 6 | 66 0F 1F 44 00 00 |
| 7 | 0F 1F 80 00 00 00 00 |
| 8 | 0F 1F 84 00 00 00 00 00 |
| 9 | 66 0F 1F 84 00 00 00 00 00 |
For cases where there is a need to use more than 9 bytes of NOP padding, it is recommended to use multiple NOPs.
0F 1F /0 as long-NOP was introduced in the Pentium Pro, but remained undocumented until 2006.[61]The whole0F 18..1F opcode range wasNOP in Pentium Pro. However, except for0F 1F /0, Intel does not guarantee that these opcodes will remainNOP in future processors, and have indeed assigned some of these opcodes to other instructions in at least some processors.[62]0F 0B opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned the mnemonicUD2 fromPentium Pro onwards.[65]UD2A andUD2B mnemonics for the0F 0B and0F B9 opcodes since version 2.7.[66]UD2A norUD2B originally took any arguments -UD2B was later modified to accept aModR/M byte, in Binutils version 2.30.[67]UD2 (0F 0B) instruction will additionally stop subsequent bytes from being decoded as instructions, even speculatively. For this reason, if an indirect branch instruction is followed by something that is not code, it is recommended to place anUD2 instruction after the indirect branch.[68]0F 0B,0F B9 and0F FF - will cause an #UD exception on all x86 processors from the80186 onwards (exceptNEC V-series processors), but did not get explicitly reserved for this purpose until P5-class processors.0F B9 opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned its mnemonicUD1 much later – AMD APM started listingUD1 in its opcode maps from rev 3.17 onwards,[70] while Intel SDM started listing it from rev 061 onwards.[71]0F B9 and0F FF opcodes, different x86 implementations are known to differ regarding whether the opcodes accept aModR/M byte.[72][73][74]0F FF opcode, theOIO mnemonic was introduced by Cyrix,[75] while theUD0 menmonic (without arguments) was introduced by AMD and Intel at the same time as theUD1 mnemonic for0F B9.[70][71] Later Intel (but not AMD) documentation modified its description ofUD0 to add aModR/M byte and take two arguments.[76]SYSCALL/SYSRET instructions were available on Model 7 (250nm "Little Foot") and later, not on the earlier Model 6.[78]SYSCALL andSYSRET were made an integral part of x86-64 – as a result, the instructions are available in 64-bit mode on all x86-64 processors from AMD, Intel, VIA and Zhaoxin.SYSRET differs slightly between AMD and Intel processors: non-canonical return addresses cause a #GP exception to be thrown in Ring 3 on AMD CPUs but Ring 0 on Intel CPUs. This has been known to cause security issues.[79]SYSRET andSYSEXIT instructions under x86-64, it is necessary to add theREX.W prefix for variants that will return to 64-bit user-mode code.REX.W prefix are used to return to 32-bit user-mode code. (Neither of these instructions can be used to return to 16-bit user-mode code — for return to 16-bit code,IRET/IRETD/IRETQ should be used.)SYSRET,SYSENTER andSYSEXIT instructions are unavailable inReal mode. (SYSENTER is, however, available inVirtual 8086 mode.)CPUID flags that indicate support forSYSENTER/SYSEXIT are set on the Pentium Pro, even though the processor does not officially support these instructions.[80]SYSENTER andSYSEXIT instructions are not available in x86-64long mode (#UD).SYSENTER andSYSEXIT instructions are only available with version 4.2 or higher of the Transmeta Code Morphing software.[83]SYSENTER andSYSEXIT are available only on stepping 8 and later.[84]These instructions can only be encoded in 64 bit mode. They fall in four groups:
MOVSXD replacingARPL)SWAPGS)JRCXZ)Most instructions with a 64 bit operand size encode this using aREX.W prefix; in the absence of theREX.W prefix,the corresponding instruction with 32 bit operand size is encoded. This mechanism also applies to most other instructions with 32 bit operandsize. These are not listed here as they do not gain a new mnemonic in Intel syntax when used with a 64 bit operand size.
| Instruction | Encoding | Meaning | Ring |
|---|---|---|---|
CDQE | REX.W 98 | Sign extend EAX into RAX | 3 |
CQO | REX.W 99 | Sign extend RAX into RDX:RAX | |
CMPSQ | REX.W A7 | CoMPare String Quadword | |
CMPXCHG16B m128[a][b] | REX.W 0F C7 /1 | CoMPare and eXCHanGe 16 Bytes. Atomic only if used with LOCK prefix. | |
IRETQ | REX.W CF | 64-bit Return from Interrupt | |
JRCXZ rel8 | E3cb | Jump if RCX is zero | |
LODSQ | REX.W AD | LoaD String Quadword | |
MOVSXD r64,r/m32 | REX.W 63 /r[c] | MOV with Sign Extend 32-bit to 64-bit | |
MOVSQ | REX.W A5 | Move String Quadword | |
POPFQ | 9D | POP RFLAGS Register | |
PUSHFQ | 9C | PUSH RFLAGS Register | |
SCASQ | REX.W AF | SCAn String Quadword | |
STOSQ | REX.W AB | STOre String Quadword | |
SWAPGS | 0F 01 F8 | Exchange GS base with KernelGSBase MSR | 0 |
CMPXCHG16B must be 16-byte aligned.CMPXCHG16B instruction was absent from a few of the earliest Intel/AMD x86-64 processors. On Intel processors, the instruction was missing fromXeon "Nocona" stepping D,[85] but added in stepping E.[86] OnAMD K8 family processors, it was added in stepping F, at the same time as DDR2 support was introduced.[87]CMPXCHG16B has its own CPUID flag, separate from the rest of x86-64.MOVSXD without REX.W prefix are permitted but discouraged[88] – such encodings behave identically to 16/32-bitMOV (8B /r).Bit manipulation instructions. For all of theVEX-encoded instructions defined by BMI1 and BMI2, the operand size may be 32 or 64 bits, controlled by the VEX.W bit – none of these instructions are available in 16-bit variants. The VEX-encoded instructions are not available in Real Mode and Virtual-8086 mode - other than that, the bit manipulation instructions are available in all operating modes on supported CPUs.
| Bit Manipulation Extension | Instruction mnemonics | Opcode | Instruction description | Added in |
|---|---|---|---|---|
POPCNT r16,r/m16POPCNT r32,r/m32 | F3 0F B8 /r | Population Count. Counts the number of bits that are set to 1 in its source argument. | K10, Bobcat, Haswell, ZhangJiang, Gracemont | |
POPCNT r64,r/m64 | F3 REX.W 0F B8 /r | |||
LZCNT r16,r/m16LZCNT r32,r/m32 | F3 0F BD /r | Count Leading zeroes.[b] If source operand is all-0s, then LZCNT will return operand size in bits (16/32/64) and set CF=1. | ||
LZCNT r64,r/m64 | F3 REX.W 0F BD /r | |||
| TZCNT r16,r/m16TZCNT r32,r/m32 | F3 0F BC /r | Count Trailing zeroes.[c] If source operand is all-0s, then TZCNT will return operand size in bits (16/32/64) and set CF=1. | Haswell, Piledriver, Jaguar, ZhangJiang, Gracemont |
TZCNT r64,r/m64 | F3 REX.W 0F BC /r | |||
ANDN ra,rb,r/m | VEX.LZ.0F38 F2 /r | Bitwise AND-NOT:ra = r/m AND NOT(rb) | ||
BEXTR ra,r/m,rb | VEX.LZ.0F38 F7 /r | Bitfield extract. Bitfield start position is specified in bits [7:0] ofrb, length in bits[15:8] ofrb. The bitfield is then extracted from ther/m value with zero-extension, then stored inra. Equivalent to[d]mask = (1 << rb[15:8]) - 1ra = (r/m >> rb[7:0]) AND mask | ||
BLSI reg,r/m | VEX.LZ.0F38 F3 /3 | Extract lowest set bit in source argument. Returns 0 if source argument is 0. Equivalent todst = (-src) AND src | ||
BLSMSK reg,r/m | VEX.LZ.0F38 F3 /2 | Generate a bitmask of all-1s bits up to the lowest bit position with a 1 in the source argument. Returns all-1s if source argument is 0. Equivalent todst = (src-1) XOR src | ||
BLSR reg,r/m | VEX.LZ.0F38 F3 /1 | Copy all bits of the source argument, then clear the lowest set bit. Equivalent todst = (src-1) AND src | ||
| BZHI ra,r/m,rb | VEX.LZ.0F38 F5 /r | Zero out high-order bits inr/m starting from the bit position specified inrb, then write result tord. Equivalent tora = r/m AND NOT(-1 << rb[7:0]) | Haswell, Excavator,[e] ZhangJiang, Gracemont |
MULX ra,rb,r/m | VEX.LZ.F2.0F38 F6 /r | Widening unsigned integer multiply without setting flags. Multiplies EDX/RDX withr/m, then stores the low half of the multiplication result inra and the high half inrb. Ifra andrb specify the same register, only the high half of the result is stored. | ||
PDEP ra,rb,r/m | VEX.LZ.F2.0F38 F5 /r | Parallel Bit Deposit. Scatters contiguous bits fromrb to the bit positions set inr/m, then stores result tora. Operation performed is:ra=0; k=0; mask=r/mfor i=0 to opsize-1 do if (mask[i] == 1) then ra[i]=rb[k]; k=k+1 | ||
PEXT ra,rb,r/m | VEX.LZ.F3.0F38 F5 /r | Parallel Bit Extract. Usesr/m argument as a bit mask to select bits inrb, then compacts the selected bits into a contiguous bit-vector. Operation performed is:ra=0; k=0; mask=r/mfor i=0 to opsize-1 do if (mask[i] == 1) then ra[k]=rb[i]; k=k+1 | ||
RORX reg,r/m,imm8 | VEX.LZ.F2.0F3A F0 /rib | Rotate right by immediate without affecting flags. | ||
SARX ra,r/m,rb | VEX.LZ.F3.0F38 F7 /r | Arithmetic shift right without updating flags. For SARX,SHRX andSHLX, the shift-amount specified inrb is masked to 5 bits for 32-bit operand size and 6 bits for 64-bit operand size. | ||
SHRX ra,r/m,rb | VEX.LZ.F2.0F38 F7 /r | Logical shift right without updating flags. | ||
SHLX ra,r/m,rb | VEX.LZ.66.0F38 F7 /r | Shift left without updating flags. | ||
POPCNT andLZCNT. On Intel CPUs, however, the CPUID bit for "ABM" is only documented to indicate the presence of theLZCNT instruction and is listed as "LZCNT", whilePOPCNT has its own separate CPUID feature bit.POPCNT and set the CPUID feature bit for POPCNT, so the distinction is theoretical only.POPCNT but not ABM, such as IntelNehalem andVIA Nano 3000.)LZCNT instruction will execute asBSR on systems that do not support the LZCNT or ABM extensions.BSR computes the index of the highest set bit in the source operand, producing a different result fromLZCNT for most input values.TZCNT instruction will execute asBSF on systems that do not support the BMI1 extension.BSF produces the same result asTZCNT for all input operand values except zero – for whichTZCNT returns input operand size, butBSF produces undefined behavior (leaves destination unmodified on most modern CPUs).BEXTR, the start position and length are not masked and can take values from 0 to 255. If the selected bits extend beyond the end of ther/m argument (which has the usual 32/64-bit operand size), then the out-of-bounds bits are read out as 0.PEXT andPDEP instructions are quite slow[89] and exhibit data-dependent timing due to the use of a microcoded implementation (about 18 to 300 cycles, depending on the number of bits set in the mask argument). As a result, it is often faster to use other instruction sequences on these processors.[90][91]| TSX Subset | Instruction | Opcode | Description | Added in |
|---|---|---|---|---|
| XBEGIN rel16XBEGIN rel32 | C7 F8cwC7 F8cd | Start transaction. If transaction fails, perform a branch to the given relative offset. | Haswell (Deprecated on desktop/laptop CPUs from 10th generation (Ice Lake,Comet Lake) onwards, but continues to be available onXeon-branded server parts (e.g.Ice Lake-SP,Sapphire Rapids)) |
XABORT imm8 | C6 F8ib | Abort transaction with 8-bit immediate as error code. | ||
XEND | NP 0F 01 D5 | End transaction. | ||
XTEST | NP 0F 01 D6 | Test if in transactional execution. SetsEFLAGS.ZF to 0 if executed inside a transaction (RTM or HLE), 1 otherwise. | ||
| XACQUIRE | F2 | Instruction prefix to indicate start of hardware lock elision, used with memory atomic instructions only (for other instructions, theF2 prefix may have other meanings). When used with such instructions, may start a transaction instead of performing the memory atomic operation. | Haswell (Discontinued – the last processors to support HLE wereCoffee Lake andCascade Lake) |
XRELEASE | F3 | Instruction prefix to indicate end of hardware lock elision, used with memory atomic/store instructions only (for other instructions, theF3 prefix may have other meanings). When used with such instructions during hardware lock elision, will end the associated transaction instead of performing the store/atomic. | ||
| XSUSLDTRK | F2 0F 01 E8 | Suspend Tracking Load Addresses | Sapphire Rapids |
XRESLDTRK | F2 0F 01 E9 | Resume Tracking Load Addresses | ||
Intel CET (Control-Flow Enforcement Technology) adds two distinct features to help protect against security exploits such asreturn-oriented programming: ashadow stack (CET_SS), andindirect branch tracking (CET_IBT).
| CET Subset | Instruction | Opcode | Description | Ring | Added in |
|---|---|---|---|---|---|
| INCSSPD r32 | F3 0F AE /5 | Increment shadow stack pointer | 3 | Tiger Lake, Zen 3 |
INCSSPQ r64 | F3 REX.W 0F AE /5 | ||||
RDSSPD r32 | F3 0F 1E /1 | Read shadow stack pointer into register (low 32 bits)[a] | |||
RDSSPQ r64 | F3 REX.W 0F 1E /1 | Read shadow stack pointer into register (full 64 bits)[a] | |||
SAVEPREVSSP | F3 0F 01 EA | Save previous shadow stack pointer | |||
RSTORSSP m64 | F3 0F 01 /5 | Restore saved shadow stack pointer | |||
WRSSD m32,r32 | NP 0F 38 F6 /r | Write 4 bytes to shadow stack | |||
WRSSQ m64,r64 | NP REX.W 0F 38 F6 /r | Write 8 bytes to shadow stack | |||
WRUSSD m32,r32 | 66 0F 38 F5 /r | Write 4 bytes to user shadow stack | 0 | ||
WRUSSQ m64,r64 | 66 REX.W 0F 38 F5 /r | Write 8 bytes to user shadow stack | |||
SETSSBSY | F3 0F 01 E8 | Mark shadow stack busy | |||
CLRSSBSY m64 | F3 0F AE /6 | Clear shadow stack busy flag | |||
| ENDBR32 | F3 0F 1E FB | Terminate indirect branch in 32-bit mode[b] | 3 | Tiger Lake |
ENDBR64 | F3 0F 1E FA | Terminate indirect branch in 64-bit mode[b] | |||
NOTRACK | 3E[c] | Prefix used with indirectCALL/JMP near instructions (opcodesFF /2 andFF /4) to indicate that the branch target is not required to start with anENDBR32/64 instruction. Prefix only honored when NO_TRACK_EN flag is set. | |||
RDSSPD andRDSSPQ instructions act as NOPs on processors where shadow stacks are disabled or CET is not supported.ENDBR32 andENDBR64 act as NOPs on processors that don't support CET_IBT or where IBT is disabled.The XSAVE instruction set extensions are designed to save/restore CPU extended state (typically for the purpose ofcontext switching) in a manner that can be extended to cover new instruction set extensions without the OS context-switching code needing to understand the specifics of the new extensions. This is done by defining a series ofstate-components, each with a size and offset within a given save area, and each corresponding to a subset of the state needed for one CPU extension or another. TheEAX=0DhCPUID leaf is used to provide information about which state-components the CPU supports and what their sizes/offsets are, so that the OS can reserve the proper amount of space and set the associated enable-bits.
| XSAVE Extension | Instruction mnemonics | Opcode[a] | Instruction description | Ring | Added in |
|---|---|---|---|---|---|
| XSAVE memXSAVE64 mem | NP 0F AE /4NP REX.W 0F AE /4 | Save state components specified by bitmap in EDX:EAX to memory. | 3 | Penryn,[b] Bulldozer, Jaguar, Goldmont, ZhangJiang |
XRSTOR memXRSTOR64 mem | NP 0F AE /5NP REX.W 0F AE /5 | Restore state components specified by EDX:EAX from memory. | |||
XGETBV | NP 0F 01 D0 | Get value of Extended Control Register. Reads an XCR specified by ECX into EDX:EAX.[c] | |||
XSETBV | NP 0F 01 D1 | Set Extended Control Register.[d] Write the value in EDX:EAX to the XCR specified by ECX. | 0 | ||
| XSAVEOPT memXSAVEOPT64 mem | NP 0F AE /6NP REX.W 0F AE /6 | Save state components specified by EDX:EAX to memory. Unlike the older XSAVE instruction,XSAVEOPT may abstain from writing processor state items to memory when the CPU can determine that they haven't been modified since the most recent correspondingXRSTOR. | 3 | Sandy Bridge, Steamroller, Puma, Goldmont, ZhangJiang |
| XSAVEC memXSAVEC64 mem | NP 0F C7 /4NP REX.W 0F C7 /4 | Save processor extended state components specified by EDX:EAX to memory with compaction. | 3 | Skylake, Goldmont, Zen 1 |
| XSAVES memXSAVES64 mem | NP 0F C7 /5NP REX.W 0F C7 /5 | Save processor extended state components specified by EDX:EAX to memory with compaction and optimization if possible. | 0 | Skylake, Goldmont, Zen 1 |
XRSTORS memXRSTORS64 mem | NP 0F C7 /3NP REX.W 0F C7 /3 | Restore state components specified by EDX:EAX from memory. | |||
XSAVE* andXRSTOR* instructions cannot be encoded with the REX2 prefix.XGETBV with ECX=1 is permitted – this will not returnXCR1 (no such register exists) but instead returnXCR0 bitwise-ANDed with the current value of the "XINUSE" state-component bitmap (a bitmap of XSAVE state-components that are not known to be in their initial state).XGETBV is indicated byCPUID.(EAX=0Dh,ECX=1):EAX[bit 2].XSETBV instruction will cause a mandatory #VMEXIT if executed underIntel VT-x virtualization.| Instruction Set Extension | Instruction mnemonics | Opcode | Instruction description | Ring | Added in |
|---|---|---|---|---|---|
PREFETCHNTA m8 | 0F 18 /0 | Prefetch with Non-Temporal Access. Prefetch data under the assumption that the data will be used only once, and attempt to minimize cache pollution from said data. The methods used to minimize cache pollution are implementation-dependent.[b] | 3 | Pentium III, (K7),[a] (Geode GX2),[a] Nehemiah, Efficeon | |
PREFETCHT0 m8 | 0F 18 /1 | Prefetch data to all levels of the cache hierarchy.[b] | |||
PREFETCHT1 m8 | 0F 18 /2 | Prefetch data to all levels of the cache hierarchy except L1 cache.[b] | |||
PREFETCHT2 m8 | 0F 18 /3 | Prefetch data to all levels of the cache hierarchy except L1 and L2 caches.[b] | |||
SFENCE | NP 0F AE F8+x[c] | Store Fence.[d] | |||
| LFENCE | NP 0F AE E8+x[c] | Load Fence and Dispatch Serialization.[e] | 3 | Pentium 4, K8, Efficeon, C7 Esther |
MFENCE | NP 0F AE F0+x[c] | Memory Fence.[f] | |||
MOVNTI m32,r32MOVNTI m64,r64 | NP 0F C3 /rNP REX.W 0F C3 /r | Non-Temporal Memory Store. | |||
PAUSE | F3 90[g] | Pauses CPU thread for a short time period.[h] Intended for use in spinlocks.[i] | |||
| CLFLUSH m8 | NP 0F AE /7 | Flush one cache line to memory. In a system with multiplecache hierarchy levels and/or multiple processors each with their own caches, the line is flushed from all of them. | 3 | (SSE2), Geode LX |
| MONITOR[l]MONITOR EAX,ECX,EDX | NP 0F 01 C8 | Start monitoring a memory location for memory writes. The memory address to monitor is given by DS:AX/EAX/RAX.[m] ECX and EDX are reserved for extra extension and hint flags, respectively.[n] | Usually 0[o] | Prescott, Yonah, Bonnell, K10, Nano |
MWAIT[l]MWAIT EAX,ECX | NP 0F 01 C9 | Wait for a write to a monitored memory location previously specified withMONITOR.[p]ECX and EAX are used to provide extra extension[q] and hint[r] flags, respectively. MWAIT hints are commonly used for CPU power management. | |||
| GETSEC | NP 0F 37[s] | Perform an SMX function. The leaf function to perform is given in EAX.[t] Depending on leaf function, the instruction may take additional arguments in RBX, ECX and EDX. | Usually 0[u] | Conroe/Merom, WuDaoKou,[107] Tremont |
| RDTSCP | 0F 01 F9 | Read Time Stamp Counter and processor core ID.[v] The TSC value is placed in EDX:EAX and the core ID in ECX.[w] | Usually 3[x] | K8,[y] Nehalem, Silvermont, Nano |
| POPCNT r16,r/m16POPCNT r32,r/m32 | F3 0F B8 /r | Count the number of bits that are set to 1 in its source argument. | 3 | K10, Nehalem, Nano 3000 |
POPCNT r64,r/m64 | F3 REX.W 0F B8 /r | ||||
| CRC32 r32,r/m8 | F2 0F 38 F0 /r | AccumulateCRC value using the CRC-32C (Castagnoli) polynomial 0x11EDC6F41 (normal form 0x1EDC6F41). This is the polynomial used in iSCSI. In contrast to the more popular one used in Ethernet, its parity is even, and it can thus detect any error with an odd number of changed bits. | 3 | Nehalem, Bulldozer, ZhangJiang |
CRC32 r32,r/m16CRC32 r32,r/m32 | F2 0F 38 F1 /r | ||||
CRC32 r64,r/m64 | F2 REX.W 0F 38 F1 /r | ||||
| RDFSBASE r32RDFSBASE r64 | F3 0F AE /0F3 REX.W 0F AE /0 | Read base address of FS: segment. | 3 | Ivy Bridge, Steamroller, Goldmont, ZhangJiang |
RDGSBASE r32RDGSBASE r64 | F3 0F AE /1F3 REX.W 0F AE /1 | Read base address of GS: segment. | |||
WRFSBASE r32WRFSBASE r64 | F3 0F AE /2F3 REX.W 0F AE /2 | Write base address of FS: segment. | |||
WRGSBASE r32WRGSBASE r64 | F3 0F AE /3F3 REX.W 0F AE /3 | Write base address of GS: segment. | |||
| MOVBE r16,m16MOVBE r32,m32 | NFx 0F 38 F0 /r | Load from memory to register with byte-order swap. | 3 | Bonnell, Haswell, Jaguar, Steamroller, ZhangJiang |
MOVBE r64,m64 | NP REX.W 0F 38 F0 /r[aa] | ||||
MOVBE m16,r16MOVBE m32,r32 | NFx 0F 38 F1 /r | Store to memory from register with byte-order swap. | |||
MOVBE m64,r64 | NP REX.W 0F 38 F1 /r[aa] | ||||
| INVPCID reg,m128 | 66 0F 38 82 /r | Invalidate entries in TLB and paging-structure caches based on invalidation type in register[ab] and descriptor in m128. The descriptor contains a memory address and a PCID.[ac] Instruction is serializing on AMD but not Intel CPUs. | 0 | Haswell, ZhangJiang, Zen 3, Gracemont |
| PREFETCHW m8 | 0F 0D /1 | Prefetch cache line with intent to write.[b] | 3 | K6-2, (Cedar Mill),[ae] Silvermont, Broadwell, ZhangJiang |
PREFETCH m8[af] | 0F 0D /0 | Prefetch cache line.[b] | |||
| ADCX r32,r/m32ADCX r64,r/m64 | 66 0F 38 F6 /r66 REX.W 0F 38 F6 /r | Add-with-carry. Differs from the olderADC instruction in that it leaves flags other thanEFLAGS.CF unchanged. | 3 | Broadwell, Zen 1, ZhangJiang, Gracemont |
ADOX r32,r/m32ADOX r64,r/m64 | F3 0F 38 F6 /rF3 REX.W 0F 38 F6 /r | Add-with-carry, with the overflow-flagEFLAGS.OF serving as carry input and output, with other flags left unchanged. | |||
| CLAC | NP 0F 01 CA | ClearEFLAGS.AC. | 0 | Broadwell, Goldmont, Zen 1, LuJiaZui[ag] |
STAC | NP 0F 01 CB | SetEFLAGS.AC. | |||
| CLFLUSHOPT m8 | NFx 66 0F AE /7 | Flush cache line. Differs from the older CLFLUSH instruction in that it has more relaxed ordering rules with respect to memory stores and other cache line flushes, enabling improved performance. | 3 | Skylake, Goldmont, Zen 1 |
| PREFETCHWT1 m8 | 0F 0D /2 | Prefetch data with T1 locality hint (fetch into L2 cache, but not L1 cache) and intent-to-write hint.[b] | 3 | Knights Landing, YongFeng |
| RDPKRU | NP 0F 01 EE | Read User Page Key register into EAX. | 3 | Skylake-X, Comet Lake, Gracemont, Zen 3, LuJiaZui[ag] |
WRPKRU | NP 0F 01 EF | Write data from EAX into User Page Key Register, and perform a Memory Fence. | |||
| CLWB m8 | NFx 66 0F AE /6 | Write one cache line back to memory without invalidating the cache line. | 3 | Skylake-X, Zen 2, Tiger Lake, Tremont |
| RDPID r32 | F3 0F C7 /7 | Read processor core ID into register.[v] | 3[ah] | Goldmont Plus, Zen 2, Ice Lake, LuJiaZui[ag] |
| MOVDIRI m32,r32MOVDIRI m64,r64 | NP 0F 38 F9 /rNP REX.W 0F 38 F9 /r | Store to memory using Direct Store (memory store that is not cached or write-combined with other stores). | 3 | Tiger Lake, Tremont, Zen 5 |
| MOVDIR64B reg,m512 | 66 0F 38 F8 /r | Move 64 bytes of data from m512 to address given by ES:reg. The 64-byte write is done atomically with Direct Store.[ai] | 3 | Tiger Lake, Tremont, Zen 5 |
| WBNOINVD | F3 0F 09 | Write back all dirty cache lines to memory without invalidation.[aj] Instruction is serializing. | 0 | Zen 2, Ice Lake-SP |
| PREFETCHIT0 m8 | 0F 18 /7 | Prefetch code to all levels of the cache hierarchy.[ak] | 3 | Zen 5, Granite Rapids |
PREFETCHIT1 m8 | 0F 18 /6 | Prefetch code to all levels of the cache hierarchy except first-level cache.[ak] | |||
PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated.SFENCE,LFENCE andMFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction.SFENCE instruction ensures that all memory stores after theSFENCE instruction are made globally observable after all memory stores before theSFENCE. This imposes ordering on stores that can otherwise be reordered, such as non-temporal stores and stores to WC (Write-Combining) memory regions.[96]SFENCE also acts as a reordering barrier on cache flushes/writebacks performed with theCLFLUSH,CLFLUSHOPT andCLWB instructions. (Older AMD CPUs requireMFENCE to orderCLFLUSH.)SFENCE is not ordered with respect toLFENCE, and anSFENCE+LFENCE sequence is not sufficient to prevent a load from being reordered past a previous store.[97] To prevent such reordering, it is necessary to execute anMFENCE,LOCK or a serializing instruction.LFENCE instruction ensures that all memory loads after theLFENCE instruction are made globally observable after all memory loads before theLFENCE.LFENCE instruction provides a stronger ordering guarantee:[98] it isdispatch-serializing, meaning that instructions after theLFENCE instruction are allowed to start executing only after all instructions before it have retired (which will ensure that all preceding loads but not necessarily stores have completed). The effect of dispatch-serialization is thatLFENCE also acts as aspeculation barrier and a reordering barrier for accesses to non-memory resources such as performance counters (accessed through e.g.RDTSC orRDPMC) andx2apic MSRs.LFENCE is not necessarily dispatch-serializing by default – however, on all AMD CPUs that support any form of non-dispatch-serializingLFENCE, it can be made dispatch-serializing by setting bit 1 of MSRC001_1029.[99]MFENCE instruction ensures that all memory loads, stores and cacheline-flushes after theMFENCE instruction are made globally observable after all memory loads, stores and cacheline-flushes before theMFENCE.MFENCE isnot dispatch-serializing, and therefore cannot be used on its own to enforce ordering on accesses to non-memory resources such as performance counters and x2apic MSRs.MFENCE is still ordered with respect toLFENCE, so if there is a need to enforce ordering between memory stores and subsequent non-memory accesses, then such an ordering can be obtained by issuing anMFENCE followed by anLFENCE.[53][100]MFENCE is serializing.PAUSE instruction in 64-bit mode is, unlikeNOP, unaffected by the presence of theREX.R prefix. NeitherNOP norPAUSE are affected by the other bits of theREX prefix. A few examples of how opcode90 interacts with various prefixes in 64-bit mode are:90 isNOP41 90 isXCHG R8D,EAX4E 90 isNOP49 90 isXCHG R8,RAXF3 90 isPAUSEF3 41 90 isPAUSEF3 4F 90 isPAUSEPAUSE instruction is implementation-dependent.PAUSE will execute as NOP.PAUSE many times in a short time interval may cause a #VMEXIT. The number ofPAUSE executions and interval length that can trigger #VMEXIT are platform-specific.CLFLUSH instruction was introduced together with SSE2, it has its own CPUID flag and may be present on processors not otherwise implementing SSE2 and/or absent from processors that otherwise implement SSE2. (E.g. AMDGeode LX supportsCLFLUSH but not SSE2.)MONITOR andMWAIT instructions were introduced at the same time as SSE3, they have their own CPUID flag that needs to be checked separately from the SSE3 CPUID flag (e.g.Athlon 64 X2 andVIA C7 supported SSE3 but not MONITOR.)MONITOR andMWAIT instructions, older Intel documentation[101] lists instruction mnemonics with explicit operands (MONITOR EAX,ECX,EDX andMWAIT EAX,ECX), while newer documentation omits these operands. Assemblers/disassemblers may support one or both of these variants.[102]MONITOR, the DS: segment can be overridden with a segment prefix.MONITOR instruction. As such, the instruction requires ECX=0 and ignores EDX.MONITOR andMWAIT to run in Ring 3.MWAITmay be ended by system events other than a memory write (e.g. cacheline evictions, interrupts) – the exact set of events that can cause the wait to end is implementation-specific.MONITOR before usingMWAIT to wait for memory writes again.MWAIT in the ECX register are:| Bits | MWAIT Extension |
|---|---|
| 0 | Treat interrupts as break events, even when masked (EFLAGS.IF=0). (Available on all non-NetBurst implementations ofMWAIT.) |
| 1 | Timed MWAIT: end the wait when theTSC reaches or exceeds the value in EDX:EBX. (Undocumented, reportedly present in IntelSkylake and later Intel processors)[105] |
| 2 | Monitorless MWAIT[106] |
| 31:3 | Not used, must be set to zero. |
MWAIT in the EAX register are:| Bits | MWAIT Hint |
|---|---|
| 3:0 | Sub-state within a C-state (see bits 7:4) (Intel processors only) |
| 7:4 | TargetCPU power C-state during wait, minus 1. (E.g. 0000b for C1, 0001b for C2, 1111b for C0) |
| 31:8 | Not used. |
The C-states are processor-specific power states, which do not necessarily correspond 1:1 toACPI C-states.
GETSEC instruction, theREX.W prefix enables 64-bit addresses for the EXITAC leaf function only - REX prefixes are otherwise permitted but ignored for the instruction.GETSEC (selected by EAX) are:| EAX | Function |
|---|---|
| 0 (CAPABILITIES) | Report SMX capabilities |
| 2 (ENTERACCES) | Enter execution of authenticated code module |
| 3 (EXITAC) | Exit execution of authenticated code module |
| 4 (SENTER) | Enter measured environment |
| 5 (SEXIT) | Exit measured environment |
| 6 (PARAMETERS) | Report SMX parameters |
| 7 (SMCTRL) | SMX Mode Control |
| 8 (WAKEUP) | Wake up sleeping processors in measured environment |
Any unsupported value in EAX causes an #UD exception.
GETSEC, most leaf functions are restricted to Ring 0, but the CAPABILITIES (EAX=0) and PARAMETERS (EAX=6) leaf functions are available in Ring 3.RDTSCP andRDPID is actually theTSC_AUX MSR (MSRC000_0103h). Whether this value actually corresponds to a processor ID is a matter of operating system convention.RDTSC instruction,RDTSCP will delay the TSC read until all previous instructions have retired, guaranteeing ordering with respect to preceding memory loads (but not stores).RDTSCP is not ordered with respect to subsequent instructions, though.RDTSCP can be run outside Ring 0 only ifCR4.TSD=0.RDTSCP was added in stepping F of the AMD K8, and is not available on earlier steppings.POPCNT instruction was introduced at the same time as SSE4.2, it is not considered to be a part of SSE4.2, but instead a separate extension with its own CPUID flag.MOVBE instruction, encodings that use both the66h prefix and theREX.W prefix will cause #UD on some processors (e.g. Haswell[108]) and should therefore be avoided.INVPCID (selected by register argument) are:| Value | Function |
|---|---|
| 0 | Invalidate TLB entries matching PCID and virtual memory address in descriptor, excluding global entries |
| 1 | Invalidate TLB entries matching PCID in descriptor, excluding global entries |
| 2 | Invalidate all TLB entries, including global entries |
| 3 | Invalidate all TLB entries, excluding global entries |
Any unsupported value in the register argument causes a #GP exception.
INVLPG instruction,INVPCID will cause a #GP exception if the provided memory address is non-canonical. This discrepancy has been known to cause security issues.[109]PREFETCH andPREFETCHW instructions are mandatory parts of the3DNow! instruction set extension, but are also available as a standalone extension on systems that do not support 3DNow!PREFETCH andPREFETCHW (0F 0D /r) execute as NOPs on Intel CPUs from Cedar Mill (65nmPentium 4) onwards, withPREFETCHW gaining prefetch functionality from Broadwell onwards.PREFETCH (0F 0D /0) instruction is a3DNow! instruction, present on all processors with 3DNow! but not necessarily on processors with the PREFETCHW extension.0F 0D /0 as well as opcodes0F 0D /2../7 are all documented to be performing prefetch.0F 0D /2 beingPREFETCHWT1 m8 onXeon Phi only) – third party testing[111] indicates that some or all of these opcodes may be performing prefetch on at least some Intel Core CPUs.RDTSCP instruction which can also be used to read the processor ID, user-modeRDPID is not disabled byCR4.TSD=1.MOVDIR64, the destination address given by ES:reg must be 64-byte aligned.67h prefix.WBNOINVD instruction will execute asWBINVD if run on a system that doesn't support the WBNOINVD extension.WBINVD differs fromWBNOINVD in thatWBINVD will invalidate all cache lines after writeback.PREFETCHIT0 andPREFETCHIT1 instructions will perform code prefetch only when using the RIP-relative addressing mode and act as NOPs otherwise.| Instruction Set Extension | Instruction mnemonics | Opcode | Instruction description | Ring | Added in |
|---|---|---|---|---|---|
| HWNT,hint-not-taken[a] | 2E[b] | Instruction prefix: branch hint weakly not taken. | 3 | Pentium 4,[c] Meteor Lake[116] |
HST,hint-taken[a] | 3E[b] | Instruction prefix: branch hint strongly taken. | |||
| ENCLS | NP 0F 01 CF | Perform an SGX Supervisor function. The function to perform is given in EAX[d] - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Depending on function, the instruction may return data in RBX and/or an error code in EAX. | 0 | |
ENCLU | NP 0F 01 D7 | Perform an SGX User function. The function to perform is given in EAX[f] - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Depending on function, the instruction may return data/status information in EAX and/or RCX. | 3[g] | ||
ENCLV | NP 0F 01 C0 | Perform an SGX Virtualization function. The function to perform is given in EAX[h] - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. Instruction returns status information in EAX. | 0[i] | ||
| PTWRITE r/m32PTWRITE r/m64 | F3 0F AE /4F3 REX.W 0F AE /4 | Read data from register or memory to encode into a PTW packet.[j] | 3 | Kaby Lake, Goldmont Plus |
| PCONFIG | NP 0F 01 C5 | Perform a platform feature configuration function. The function to perform is specified in EAX[k] - depending on function, the instruction may take additional input operands in RBX, RCX and RDX. If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0. | 0 | Ice Lake-SP |
| CLDEMOTE m8 | NP 0F 1C /0 | Move cache line containing m8 from CPU L1 cache to a more distant level of the cache hierarchy.[l] | 3 | (Tremont), (Alder Lake), Sapphire Rapids[m] |
| UMONITOR r16/32/64 | F3 0F AE /6 | Start monitoring a memory location for memory writes. The memory address to monitor is given by the register argument.[n] | 3 | Tremont, Alder Lake |
UMWAIT r32UMWAIT r32,EDX,EAX | F2 0F AE /6 | Timed wait for a write to a monitored memory location previously specified withUMONITOR. In the absence of a memory write, the wait will end when either the TSC reaches the value specified by EDX:EAX or the wait has been going on for an OS-controlled maximum amount of time.[o] | Usually 3[p] | ||
TPAUSE r32TPAUSE r32,EDX,EAX | 66 0F AE /6 | Wait until theTime Stamp Counter reaches the value specified in EDX:EAX.[o] The register argument to the | |||
| SERIALIZE | NP 0F 01 E8 | Serialize instruction fetch and execution.[r] | 3 | Alder Lake |
| HRESET imm8 | F3 0F 3A F0 C0ib | Request that the processor reset selected components of hardware-maintained prediction history. A bitmap of which components of the CPU's prediction history to reset is given in EAX (the imm8 argument is ignored).[s] | 0 | Alder Lake |
| SENDUIPI reg | F3 0F C7 /6 | Send Interprocessor User Interrupt.[t] | 3 | Sapphire Rapids |
UIRET | F3 0F 01 EC | User Interrupt Return. | |||
TESTUI | F3 0F 01 ED | Test User Interrupt Flag. Copies UIF toEFLAGS.CF . | |||
CLUI | F3 0F 01 EE | Clear User Interrupt Flag. | |||
STUI | F3 0F 01 EF | Set User Interrupt Flag. | |||
| ENQCMD reg,m512 | F2 0F 38 F8 /r | Enqueue Command. Reads a 64-byte "command data" structure from memory (m512 argument) and writes atomically to a memory-mapped Enqueue Store device (register argument provides the memory address of this device, using ES segment and requiring 64-byte alignment.[v]) Sets ZF=0 to indicate that device accepted the command, or ZF=1 to indicate that command was not accepted (e.g. queue full or the memory location was not an Enqueue Store device.) | 3 | Sapphire Rapids |
ENQCMDS reg,m512 | F3 0F 38 F8 /r | Enqueue Command Supervisor. Differs fromENQCMD in that it can place an arbitrary PASID (process address-space identifier) and a privilege-bit in the "command data" to enqueue. | 0 | ||
| WRMSRNS | NP 0F 01 C6 | Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX. The instruction differs from the older | 0 | Sierra Forest |
| RDMSRLIST | F2 0F 01 C6 | Read multiple MSRs. RSI points to a table of up to 64 MSR indexes to read (64 bits each), RDI points to a table of up to 64 data items that the MSR read-results will be written to (also 64 bits each), and RCX provides a 64-entry bitmap of which of the table entries to actually perform an MSR read for.[w] | 0 | Sierra Forest |
WRMSRLIST | F3 0F 01 C6 | Write multiple MSRs. RSI points to a table of up to 64 MSR indexes to write (64 bits each), RDI points to a table of up to 64 data items to write into the MSRs (also 64 bits each), and RCX provides a 64-entry bitmap of which of the table entries to actually perform an MSR write for.[w] The MSRs are written in table order. The instruction is not serializing. | |||
| CMPccXADD m32,r32,r32CMPccXADD m64,r64,r64 | VEX.128.66.0F38.W0 Ex /rVEX.128.66.0F38.W1 Ex /r[x][y] | Read value from memory, then compare to first register operand. If the comparison passes, then add the second register operand to the memory value. The instruction as a whole is performed atomically. The operation of CMPccXADD [mem],reg1,reg2 is:temp1 := [mem]EFLAGS := CMP temp1, reg1 // sets EFLAGS like regular comparereg1 := temp1if( condition ) [mem] := temp1 + reg2 | 3 | Sierra Forest, Lunar Lake |
| PBNDKB | NP 0F 01 C7 | Bind information to a platform by encrypting it with a platform-specific wrapping key. The instruction takes as input the addresses to two 256-byte-aligned "bind structures" in RBX and RCX, reads the structure pointed to by RBX and writes a modified structure to the address given in RCX. If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0. | 0 | Lunar Lake |
HWNT andHST are listed in earlyWillamette documentation only[113] - later Intel documentation lists the branch hint prefixes without assigning them a mnemonic.[114]Intel XED uses the mnemonicshint-taken andhint-not-taken for these branch hints.[115]
2E and3E prefixes are interpreted as branch hints only when used with theJcc conditional branch instructions (opcodes70..7F and0F 80..8F) - when used with other opcodes, they may take other meanings (e.g. for instructions with memory operands outside 64-bit mode, they will work as segment-override prefixesCS: andDS:, respectively). On processors that don't support branch hints, these prefixes are accepted but ignored when used withJcc.ENCLS (selected by EAX) are:| EAX | Function |
|---|---|
| 0 (ECREATE) | Create an enclave |
| 1 (EADD) | Add a page |
| 2 (EINIT) | Initialize an enclave |
| 3 (EREMOVE) | Remove a page from EPC (Enclave Page Cache) |
| 4 (EDBGRD) | Read data by debugger |
| 5 (EDBGWR) | Write data by debugger |
| 6 (EEXTEND) | Extend EPC page measurement |
| 7 (ELDB) | Load an EPC page as blocked |
| 8 (ELDU) | Load an EPC page as unblocked |
| 9 (EBLOCK) | Block an EPC page |
| A (EPA) | Add version array |
| B (EWB) | Writeback/invalidate EPC page |
| C (ETRACK) | Activate EBLOCK checks |
| Added with SGX2 | |
| D (EAUG) | Add page to initialized enclave |
| E (EMODPTR) | Restrict permissions of EPC page |
| F (EMODT) | Change type of EPC page |
| Added with OVERSUB[117] | |
| 10 (ERDINFO) | Read EPC page type/status info |
| 11 (ETRACKC) | Activate EBLOCK checks |
| 12 (ELDBC) | Load EPC page as blocked with enhanced error reporting |
| 13 (ELDUC) | Load EPC page as unblocked with enhanced error reporting |
| Other | |
| 18 (EUPDATESVN) | Update SVN (Security Version Number) after live microcode update[118] |
Any unsupported value in EAX causes a #GP exception.
ENCLU (selected by EAX) are:| EAX | Function |
|---|---|
| 0 (EREPORT) | Create a cryptographic report |
| 1 (EGETKEY) | Create a cryptographic key |
| 2 (EENTER) | Enter an Enclave |
| 3 (ERESUME) | Re-enter an Enclave |
| 4 (EEXIT) | Exit an Enclave |
| Added with SGX2 | |
| 5 (EACCEPT) | Accept changes to EPC page |
| 6 (EMODPE) | Extend EPC page permissions |
| 7 (EACCEPTCOPY) | Initialize pending page |
| Added with TDX[121] | |
| 8 (EVERIFYREPORT2) | Verify a cryptographic report of a trust domain |
| Added with AEX-Notify | |
| 9 (EDECCSSA) | Decrement TCS.CSSA |
Any unsupported value in EAX causes a #GP exception.
The EENTER and ERESUME functions cannot be executed inside an SGX enclave – the other functions can only be executed inside an enclave.
ENCLU can only be executed in ring 3, not rings 0/1/2.ENCLV (selected by EAX) are:| EAX | Function |
|---|---|
| Added with OVERSUB[117] | |
| 0 (EDECVIRTCHILD) | Decrement VIRTCHILDCNT in SECS |
| 1 (EINCVIRTCHILD) | Increment VIRTCHILDCNT in SECS |
| 2 (ESETCONTEXT) | Set ENCLAVECONTEXT field in SECS |
Any unsupported value in EAX causes a #GP exception.
TheENCLV instruction is only present on systems that support the EPC Oversubscription Extensions to SGX ("OVERSUB").
ENCLV is only available if Intel VMX operation is enabled withVMXON, and will produce #UD otherwise.PTWRITE, the write to the Processor Trace Packet will only happen if a set of enable-bits (the "TriggerEn", "ContextEn", "FilterEn" bits of theRTIT_STATUS MSR and the "PTWEn" bit of theRTIT_CTL MSR) are all set to 1.PTWRITE instruction is indicated in the SDM to cause an #UD exception if the 66h instruction prefix is used, regardless of other prefixes.PCONFIG (selected by EAX) are:| EAX | Function |
|---|---|
| 0 | MKTME_KEY_PROGRAM: Program key and encryption mode to use with an TME-MK Key ID. |
| Added with TSE | |
| 1 | TSE_KEY_PROGRAM: Direct key programming for TSE. |
| 2 | TSE_KEY_PROGRAM_WRAPPED: Wrapped key programming for TSE. |
Any unsupported value in EAX causes a #GP(0) exception.
CLDEMOTE, the cache level that it will demote a cache line to is implementation-dependent.UMONITOR, the operand size of the address argument is given by the address size, which may be overridden by the67h prefix. The default segment used is DS:, which can be overridden with a segment prefix.UMWAIT andTPAUSE instructions, the operating system can use theIA32_UMWAIT_CONTROL MSR to limit the maximum amount of time that a singleUMWAIT/TPAUSE invocation is permitted to wait. TheUMWAIT andTPAUSE instructions will setRFLAGS.CF to 1 if they reached theIA32_UMWAIT_CONTROL-defined time limit and 0 otherwise.TPAUSE andUMWAIT can be run outside Ring 0 only ifCR4.TSD=0.UMWAIT andTPAUSE instructions, the following flag bits are supported:| Bits | Usage |
|---|---|
| 0 | Preferred optimization state.
|
| 31:1 | (Reserved) |
CPUID andIRET, these instructions perform additional functions, causing side-effects and reduced performance when stand-alone instruction serialization is needed. (CPUID additionally has the issue that it causes a mandatory #VMEXIT when executed under virtualization, which causes a very large overhead.) TheSERIALIZE instruction performs serialization only, avoiding these added costs.HRESET is provided byCPUID.(EAX=20h,ECX=0):EBX.| Bit | Usage |
|---|---|
| 0 | Intel Thread Director history |
| 31:1 | (Reserved) |
SENDUIPI is an index to pick an entry from the UITT (User-Interrupt Target Table, a table specified by the newUINTR_TT andUINT_MISCMSRs.)UIRET instruction always sets UIF (User Interrupt Flag) to 1. OnSierra Forest and later processors,UIRET will set UIF to the value of bit 1 of the value popped off the stack for RFLAGS - this functionality is indicated byCPUID.(EAX=7,ECX=1):EDX[17].ENQCMD andEMQCMDS, the operand-size of the register argument is given by the current address-size, which can be overridden with the67h prefix.RDMSRLIST andWRMSRLIST instructions, the addresses specified in the RSI and RDI registers must be 8-byte aligned.CMPccXADD instructions (opcodeVEX.128.66.0F38 Ex /r with thex nibble specifying the condition) are:| x | cc | Condition (EFLAGS) |
|---|---|---|
| 0 | O | OF=1: "Overflow" |
| 1 | NO | OF=0:"Not Overflow" |
| 2 | B | CF=1: "Below" |
| 3 | NB | CF=0:"Not Below" |
| 4 | Z | ZF=1: "Zero" |
| 5 | NZ | ZF=0:"Not Zero" |
| 6 | BE | (CF=1 or ZF=1):"Below or Equal" |
| 7 | NBE | (CF=0 and ZF=0):"Not Below or Equal" |
| 8 | S | SF=1: "Sign" |
| 9 | NS | SF=0:"Not Sign" |
| A | P | PF=1: "Parity" |
| B | NP | PF=0:"Not Parity" |
| C | L | SF≠OF: "Less" |
| D | NL | SF=OF:"Not Less" |
| E | LE | (ZF=1 or SF≠OF):"Less or Equal" |
| F | NLE | (ZF=0 and SF=OF):"Not Less or Equal" |
CMPccXADD instructions perform a locked memory operation, they do not require or accept theLOCK (F0h) prefix - attempting to use this prefix results in #UD.| Instruction Set Extension | Instruction mnemonics | Opcode | Instruction description | Ring | Added in |
|---|---|---|---|---|---|
| MOV reg,CR8 | F0 0F 20 /0[b] | Read the CR8 register. | 0 | K8[c] |
MOV CR8,reg | F0 0F 22 /0[b] | Write to the CR8 register. | |||
| MONITORX | NP 0F 01 FA | Start monitoring a memory location for memory writes. Similar to olderMONITOR, except available in user mode. | 3 | Excavator |
MWAITX | NP 0F 01 FB | Wait for a write to a monitored memory location previously specified withMONITORX.MWAITX differs from the olderMWAIT instruction mainly in that it runs in user mode and that it can accept an optional timeout argument (given in TSC time units) in EBX (enabled by setting bit[1] of ECX to 1.) | |||
| CLZERO rAX | NP 0F 01 FC | Write zeroes to all bytes in a memory region that has the size and alignment of a CPU cache line and contains the byte addressed by DS:rAX.[d] | 3 | Zen 1 |
| RDPRU | NP 0F 01 FD | Read selectedMSRs (mainly performance counters) in user mode. ECX specifies which register to read.[e] The value of the MSR is returned in EDX:EAX. | Usually 3[f] | Zen 2 |
| MCOMMIT | F3 0F 01 FA | Ensure that all preceding stores in thread have been committed to memory, and that any errors encountered by these stores have been signalled to any associated error logging resources. The set of errors that can be reported and the logging mechanism are platform-specific. Sets EFLAGS.CF to 0 if any errors occurred, 1 otherwise. | 3 | Zen 2 |
| INVLPGB | NP 0F 01 FE | Invalidate TLB Entries for a range of pages, with broadcast. The invalidation is performed on the processor executing the instruction, and also broadcast to all other processors in the system. rAX takes the virtual address to invalidate and some additional flags, ECX takes the number of pages to invalidate, and EDX specifies ASID and PCID to perform TLB invalidation for. | 0 | Zen 3 |
TLBSYNC | NP 0F 01 FF | Synchronize TLB invalidations. Wait until all TLB invalidations signalled by preceding invocations of the INVLPGB instruction on the same logical processor have been responded to by all processors in the system. Instruction is serializing. | |||
REX.R prefix, e.g.44 0F 20 07 (MOV RDI,CR8). However, theREX.R prefix is only available in 64-bit mode.F0 (LOCK) prefix instead ofREX.R – this provides access to CR8 outside 64-bit mode.11b.LOCK prefix with theREX.R prefix is not permitted and will cause an #UD exception.CLZERO, the address size and 67h prefix control whether to use AX, EAX or RAX as address. The default segment DS: can be overridden by a segment-override prefix. The provided address does not need to be aligned – hardware will align it as necessary.CLZERO instruction is intended for recovery from otherwise-fatal Machine Check errors. It is non-cacheable, cannot be used to allocate a cache line without a memory access, and should not be used for fast memory clears.[125]RDPRU does not necessarily match that ofRDMSR/WRMSR.RDPRU as of December 2022 are:| ECX | Register |
|---|---|
| 0 | MPERF (MSR 0E7h: Maximum Performance Frequency Clock Count) |
| 1 | APERF (MSR 0E8h: Actual Performance Frequency Clock Count) |
Unsupported values in ECX return 0.
CR4.TSD=1, then theRDPRU instruction can only run in ring 0.Thex87 coprocessor, if present, provides support for floating-point arithmetic. The coprocessor provides eight data registers, each holding one 80-bit floating-point value (1 sign bit, 15 exponent bits, 64 mantissa bits) – these registers are organized as a stack, with the top-of-stack register referred to as "st" or "st(0)", and the other registers referred to as st(1), st(2), ...st(7). It additionally provides a number of control and status registers, including "PC" (precision control, to control whether floating-point operations should be rounded to 24, 53 or 64 mantissa bits) and "RC" (rounding control, to pick rounding-mode: round-to-zero, round-to-positive-infinity, round-to-negative-infinity, round-to-nearest-even) and a 4-bit condition code register "CC", whose four bits are individually referred to as C0, C1, C2 and C3). Not all of the arithmetic instructions provided by x87 obey PC and RC.
| Instruction description | Mnemonic | Opcode | Additional items | |
|---|---|---|---|---|
| x87 Non-Waiting[a] FPU Control Instructions | Waiting mnemonic[b] | |||
| Initialize x87 FPU | FNINIT | DB E3 | FINIT | |
| Load x87 Control Word | FLDCW m16 | D9 /5 | (none) | |
| Store x87 Control Word | FNSTCW m16 | D9 /7 | FSTCW | |
| Store x87 Status Word | FNSTSW m16[c] | DD /7 | FSTSW | |
| Clear x87 Exception Flags | FNCLEX | DB E2 | FCLEX | |
| Load x87 FPU Environment | FLDENV m112/m224[d] | D9 /4 | (none) | |
| Store x87 FPU Environment | FNSTENV m112/m224[d] | D9 /6 | FSTENV | |
| Save x87 FPU State, then initialize x87 FPU | FNSAVE m752/m864[d] | DD /6 | FSAVE | |
| Restore x87 FPU State | FRSTOR m752/m864[d] | DD /4 | (none) | |
| Enable Interrupts (8087 only)[e] | FNENI | DB E0 | FENI | |
| Disable Interrupts (8087 only)[e] | FNDISI | DB E1 | FDISI | |
| x87 Floating-point Load/Store/Move Instructions | precision control | rounding control | ||
| Load floating-point value onto stack | FLD m32 | D9 /0 | No | — |
FLD m64 | DD /0 | |||
FLD m80 | DB /5 | |||
FLD st(i) | D9 C0+i | |||
| Store top-of-stack floating-point value to memory or stack register | FST m32 | D9 /2 | No | Yes |
FST m64 | DD /2 | |||
FST st(i)[f] | DD D0+i | No | — | |
| Store top-of-stack floating-point value to memory or stack register, then pop | FSTP m32 | D9 /3 | No | Yes |
FSTP m64 | DD /3 | |||
FSTP m80[f] | DB /7 | No | — | |
FSTP st(i)[f][g] | DD D8+i | |||
| DF D0+i[h] | ||||
| DF D8+i[h] | ||||
| Push +0.0 onto stack | FLDZ | D9 EE | No | — |
| Push +1.0 onto stack | FLD1 | D9 E8 | ||
| Pushπ (approximately 3.14159) onto stack | FLDPI | D9 EB | No | 387[i] |
| Push (approximately 3.32193) onto stack | FLDL2T | D9 E9 | ||
| Push (approximately 1.44269) onto stack | FLDL2E | D9 EA | ||
| Push (approximately 0.30103) onto stack | FLDLG2 | D9 EC | ||
| Push (approximately 0.69315) onto stack | FLDLN2 | D9 ED | ||
| Exchange top-of-stack register with other stack register | FXCH st(i)[j][k] | D9 C8+i | No | — |
| DD C8+i[h] | ||||
| DF C8+i[h] | ||||
| x87 Integer Load/Store Instructions | precision control | rounding control | ||
| Load signed integer value onto stack from memory, with conversion to floating-point | FILD m16 | DF /0 | No | — |
FILD m32 | DB /0 | |||
FILD m64 | DF /5 | |||
| Store top-of-stack value to memory, with conversion to signed integer | FIST m16 | DF /2 | No | Yes |
FIST m32 | DB /2 | |||
| Store top-of-stack value to memory, with conversion to signed integer, then pop stack | FISTP m16 | DF /3 | No | Yes |
FISTP m32 | DB /3 | |||
FISTP m64 | DF /7 | |||
| Load 18-digit Binary-Coded-Decimal integer value onto stack from memory, with conversion to floating-point[l] | FBLD m80 | DF /4 | No | — |
| Store top-of-stack value to memory, with conversion to 18-digit Binary-Coded-Decimal integer, then pop stack | FBSTP m80 | DF /6 | No | 387[i] |
| x87 Basic Arithmetic Instructions | precision control | rounding control | ||
Floating-point add
| FADD m32 | D8 /0 | Yes | Yes |
FADD m64 | DC /0 | |||
FADD st,st(i) | D8 C0+i | |||
FADD st(i),st | DC C0+i | |||
Floating-point multiply
| FMUL m32 | D8 /1 | Yes | Yes |
FMUL m64 | DC /1 | |||
FMUL st,st(i) | D8 C8+i | |||
FMUL st(i),st | DC C8+i | |||
Floating-point subtract
| FSUB m32 | D8 /4 | Yes | Yes |
FSUB m64 | DC /4 | |||
FSUB st,st(i) | D8 E0+i | |||
FSUB st(i),st | DC E8+i | |||
Floating-point reverse subtract
| FSUBR m32 | D8 /5 | Yes | Yes |
FSUBR m64 | DC /5 | |||
FSUBR st,st(i) | D8 E8+i | |||
FSUBR st(i),st | DC E0+i | |||
Floating-point divide[m]
| FDIV m32 | D8 /6 | Yes | Yes |
FDIV m64 | DC /6 | |||
FDIV st,st(i) | D8 F0+i | |||
FDIV st(i),st | DC F8+i | |||
Floating-point reverse divide
| FDIVR m32 | D8 /7 | Yes | Yes |
FDIVR m64 | DC /7 | |||
FDIVR st,st(i) | D8 F8+i | |||
FDIVR st(i),st | DC F0+i | |||
Floating-point compare
| FCOM m32 | D8 /2 | No | — |
FCOM m64 | DC /2 | |||
FCOM st(i)[j] | D8 D0+i | |||
| DC D0+i[h] | ||||
| x87 Basic Arithmetic Instructions with Stack Pop | precision control | rounding control | ||
| Floating-point add and pop | FADDP st(i),st[j] | DE C0+i | Yes | Yes |
| Floating-point multiply and pop | FMULP st(i),st[j] | DE C8+i | Yes | Yes |
| Floating-point subtract and pop | FSUBP st(i),st[j] | DE E8+i | Yes | Yes |
| Floating-point reverse-subtract and pop | FSUBRP st(i),st[j] | DE E0+i | Yes | Yes |
| Floating-point divide and pop | FDIVP st(i),st[j] | DE F8+i | Yes | Yes |
| Floating-point reverse-divide and pop | FDIVRP st(i),st[j] | DE F0+i | Yes | Yes |
| Floating-point compare and pop | FCOMP m32 | D8 /3 | No | — |
FCOMP m64 | DC /3 | |||
FCOMP st(i)[j] | D8 D8+i | |||
| DC D8+i[h] | ||||
| DE D0+i[h] | ||||
| Floating-point compare to st(1), then pop twice | FCOMPP | DE D9 | No | — |
| x87 Basic Arithmetic Instructions with Integer Source Argument | precision control | rounding control | ||
| Floating-point add by integer | FIADD m16 | DA /0 | Yes | Yes |
FIADD m32 | DE /0 | |||
| Floating-point multiply by integer | FIMUL m16 | DA /1 | Yes | Yes |
FIMUL m32 | DE /1 | |||
| Floating-point subtract by integer | FISUB m16 | DA /4 | Yes | Yes |
FISUB m32 | DE /4 | |||
| Floating-point reverse-subtract by integer | FISUBR m16 | DA /5 | Yes | Yes |
FISUBR m32 | DE /5 | |||
| Floating-point divide by integer | FIDIV m16 | DA /6 | Yes | Yes |
FIDIV m32 | DE /6 | |||
| Floating-point reverse-divide by integer | FIDIVR m16 | DA /7 | Yes | Yes |
FIDIVR m32 | DE /7 | |||
| Floating-point compare to integer | FICOM m16 | DA /2 | No | — |
FICOM m32 | DE /2 | |||
| Floating-point compare to integer, and stack pop | FICOMP m16 | DA /3 | No | — |
FICOMP m32 | DE /3 | |||
| x87 Additional Arithmetic Instructions | precision control | rounding control | ||
| Floating-point change sign | FCHS | D9 E0 | No | — |
| Floating-point absolute value | FABS | D9 E1 | No | — |
| Floating-point compare top-of-stack value to 0 | FTST | D9 E4 | No | — |
| Classify top-of-stack st(0) register value. The classification result is stored in the x87 CC register.[n] | FXAM | D9 E5 | No | — |
| Split the st(0) value into two valuesE andM representing the exponent and mantissa of st(0). The split is done such that, whereE is an integer andM is a number whose absolute value is within the range. [o] st(0) is then replaced withE, after whichM is pushed onto the stack. | FXTRACT | D9 F4 | No | — |
| Floating-point partial[p] remainder (notIEEE 754 compliant): | FPREM | D9 F8 | No | —[q] |
| Floating-pointsquare root | FSQRT | D9 FA | Yes | Yes |
| Floating-point round to integer | FRNDINT | D9 FC | No | Yes |
| Floating-point power-of-2 scaling. Rounds the value of st(1) to integer with round-to-zero, then uses it as a scale factor for st(0):[r] | FSCALE | D9 FD | No | Yes[s] |
| x87 Transcendental Instructions[t] | Source operand range restriction | |||
| Base-2 exponential minus 1, with extra precision for st(0) close to 0: | F2XM1 | D9 F0 | 8087: 80387: | |
| Base-2Logarithm and multiply:[u] followed by stack pop | FYL2X | D9 F1 | no restrictions | |
| Partial Tangent: Computes from st(0) a pair of valuesX andY, such thatTheY value replaces the top-of-stack value, and thenX is pushed onto the stack. On 80387 and later x87, but not original 8087,X is always 1.0 | FPTAN | D9 F2 | 8087: 80387: | |
| Two-argument arctangent with quadrant adjustment:[v] followed by stack pop | FPATAN | D9 F3 | 8087: 80387: no restrictions | |
| Base-2 Logarithm plus 1 with extra precision for st(0) close to 0, followed by multiply:[u] followed by stack pop | FYL2XP1 | D9 F9 | Intel: AMD: | |
| Other x87 Instructions | ||||
| No operation[w] | FNOP | D9 D0 | ||
| Decrement x87 FPU Register Stack Pointer | FDECSTP | D9 F6 | ||
| Increment x87 FPU Register Stack Pointer | FINCSTP | D9 F7 | ||
| Free x87 FPU Register | FFREE st(i) | DD C0+i | ||
| Check and handle pending unmasked x87 FPU exceptions | WAIT,FWAIT | 9B | ||
| Floating-point store and pop, without stack underflow exception[x] | FSTPNCE st(i) | D9 D8+i[h] | ||
| Free x87 register, then stack pop | FFREEP st(i) | DF C0+i[h] | ||
WAIT instruction is executed.FN, there exists a pseudo-instruction that has the same mnemonic except without the N. These pseudo-instructions consist of aWAIT instruction (opcode9B) followed by the corresponding non-waiting x87 instruction. For example:FNCLEX is an instruction with the opcodeDB E2. The corresponding pseudo-instructionFCLEX is then encoded as9B DB E2.FNSAVE ES:[BX+6] is an instruction with the opcode26 DD 77 06. The corresponding pseudo-instructionFSAVE ES:[BX+6] is then encoded as9B 26 DD 77 06F(N)STSW with the AX register as a destination is available on 80287 and later, but not on the 8087.FLDENV,F(N)STENV,FRSTOR andF(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on theCS.D bit and the presence of the66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to useFXSAVE64/FXRSTOR64 instead if 64-bit operation is desired.F(N)DISI andF(N)ENI instructions to set/clear the Interrupt Mask bit (bit 7) of the x87 Control Word,[128] to control the interrupt.F(N)ENI andF(N)DISI instructions were kept for backwards compatibility, executing as NOPs that do not modify any x87 state.FST/FSTP with an 80-bit destination (m80 or st(i)) and an sNaN source value is documented to produce exceptions on AMD but not Intel FPUs.FSTP ST(0) is a commonly used idiom for popping a single register off the x87 register stack.FBSTP and the load-constant instructions always use the round-to-nearest rounding mode. On the 80387 and later x87 FPUs, these instructions will use the rounding mode specified in the x87 RC register.FADDP,FSUBP,FSUBRP,FMULP,FDIVP,FDIVRP,FCOM,FCOMP andFXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.FXCH is implemented as a register renaming rather than a true data move. This has no semantic effect, but enables zero-cycle-latency operation. It also allows the instruction to break data dependencies for the x87 top-of-stack value, improving attainable performance for code optimized for these processors.FBLD instruction on non-BCD data is undefined.FPREM andFPATAN.[135]FXAM instruction will set C0, C2 and C3 based on value type in st(0) as follows:| C3 | C2 | C0 | Classification |
|---|---|---|---|
| 0 | 0 | 0 | Unsupported (unnormal or pseudo-NaN) |
| 0 | 0 | 1 | NaN |
| 0 | 1 | 0 | Normal finite number |
| 0 | 1 | 1 | Infinity |
| 1 | 0 | 0 | Zero |
| 1 | 0 | 1 | Empty |
| 1 | 1 | 0 | Denormal number |
| 1 | 1 | 1 | Empty (may occur on 8087/80287 only) |
C1 is set to the sign-bit of st(0), regardless of whether st(0) is Empty or not.
FXTRACT, the behavior that results from st(0) being zero or ±∞, differs between 8087 and 80387:FPREM, if the quotientQ is larger than, then the remainder calculation may have been done only partially – in this case, theFPREM instruction will need to be run again in order to complete the remainder calculation. This is indicated by the instruction settingC2 to 1.C2 to 0 and set the three bits{C0,C3,C1} to the bottom three bits of the quotientQ.FPREM instruction is always exact with no roundoff errors.FSCALE instruction on 8087 and 80287, st(1) is required to be in the range. Also, its absolute value must be either 0 or at least 1. If these requirements are not satisfied, the result is undefined.FSCALE, rounding is only applied in the case of overflow, underflow or subnormal result.FYL2X andFYL2XP1 instructions, the maximum error bound of ±1 ulp only holds for st(1)=1.0 – for other values of st(1), the error bound is increased to ±1.35 ulps.FYL2X can produce a #Z (divide-by-zero exception) if st(0)=0 and st(1) is a finite nonzero value.FYL2XP1, however, cannot produce #Z.FPATAN, the following adjustments are done as compared to just computing a one-argument arctangent of the ratio:FNOP is a no-op in the sense that will leave the x87 FPU register stack unmodified, it may still modify FIP and CC, and it may fault if a pending x87 FPU exception is present.FSTPNCE instruction will behave likeFINCSTP, incrementing the stack pointer with no data movement and no exceptions reported.| Instruction description | Mnemonic | Opcode | Additional items |
|---|---|---|---|
| x87 Non-Waiting Control Instructions added in80287 | Waiting mnemonic | ||
| Notify FPU of entry intoProtected Mode[a] | FNSETPM | DB E4 | FSETPM |
| Store x87 Status Word to AX | FNSTSW AX | DF E0 | FSTSW AX |
| x87 Instructions added in80387[b] | Source operand range restriction | ||
| Floating-point unordered compare. Similar to the regular floating-point compare instruction FCOM, except will not produce an exception in response to anyqNaN operands. | FUCOM st(i)[c] | DD E0+i | no restrictions |
| Floating-point unordered compare and pop | FUCOMP st(i)[c] | DD E8+i | |
| Floating-point unordered compare to st(1), then pop twice | FUCOMPP | DA E9 | |
| IEEE 754 compliant floating-point partial remainder.[d] | FPREM1 | D9 F5 | |
| Floating-point sine and cosine. Computes two values and [e] Top-of-stack st(0) is replaced withS, after whichC is pushed onto the stack. | FSINCOS | D9 FB | [f] |
| Floating-point sine.[e] | FSIN | D9 FE | |
| Floating-point cosine.[e] | FCOS | D9 FF | |
| x87 Instructions added inPentium Pro | Condition for conditional moves | ||
| Floating-point conditional move to st(0) based onEFLAGS | FCMOVB st(0),st(i) | DA C0+i | below (CF=1) |
FCMOVE st(0),st(i) | DA C8+i | equal (ZF=1) | |
FCMOVBE st(0),st(i) | DA D0+i | below or equal (CF=1 or ZF=1) | |
FCMOVU st(0),st(i) | DA D8+i | unordered (PF=1) | |
FCMOVNB st(0),st(i) | DB C0+i | not below (CF=0) | |
FCMOVNE st(0),st(i) | DB C8+i | not equal (ZF=0) | |
FCMOVNBE st(0),st(i) | DB D0+i | not below or equal (CF=0 and ZF=0) | |
FCMOVNU st(0),st(i) | DB D8+i | not unordered (PF=0) | |
Floating-point compare and setEFLAGS.Differs from the older FCOM floating-point compare instruction in that it puts its result in the integerEFLAGS register rather than the x87 CC register.[g] | FCOMI st(0),st(i) | DB F0+i | |
Floating-point compare and setEFLAGS, then pop | FCOMIP st(0),st(i) | DF F0+i | |
Floating-point unordered compare and setEFLAGS | FUCOMI st(0),st(i) | DB E8+i | |
Floating-point unordered compare and setEFLAGS, then pop | FUCOMIP st(0),st(i) | DF E8+i | |
| x87 Non-Waiting Instructions added inPentium II,AMD K7 andSSE[h] | 64-bit mnemonic ( REX.W prefix) | ||
| Save x87, MMX and SSE state to a 464-byte data structure[i][j][k] | FXSAVE m464byte | NP 0F AE /0 | FXSAVE64 m464byte[l] |
| Restore x87, MMX and SSE state from 464-byte data structure[i][j] | FXRSTOR m464byte | NP 0F AE /1 | FXRSTOR64 m464byte[l] |
| x87 Instructions added as part ofSSE3 | |||
| Floating-point store integer and pop, with round-to-zero | FISTTP m16 | DF /1 | |
FISTTP m32 | DB /1 | ||
FISTTP m64 | DD /1 | ||
F(N)SAVE,FRSTOR,FLDENV andF(N)STENV instructions has different formats in Real Mode and Protected Mode. On 80287, theF(N)SETPM instruction is required to communicate the real-to-protected mode transition to the FPU. On 80387 and later x87 FPUs, real↔protected mode transitions are handled automatically between the CPU and the FPU without the need for any dedicated instructions – therefore, on these FPUs,FNSETPM executes as a NOP that does not modify any FPU state.FUCOM andFUCOMP instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.FPREM1 instruction differs from the olderFPREM (D9 F8) instruction in that the quotientQ is rounded to integer with round-to-nearest-even rounding rather than the round-to-zero rounding used byFPREM. LikeFPREM,FPREM1 always computes an exact result with no roundoff errors. LikeFPREM, it may also perform a partial computation if the quotient is too large, in which case it must be run again.FSIN,FCOS andFSINCOS is not precisely 1.0, but instead given by[137][138][136]This argument reduction inaccuracy also affects theFPTAN instruction.FSIN,FCOS andFSINCOS instructions, as well asFPTAN on 80387 and later.FSINCOS andFPTAN instructions will also abstain from pushing a value onto the x87 register-stack.FCOMI,FCOMIP,FUCOMI andFUCOMIP instructions write their results to theZF,CF andPF bits of theEFLAGS register. On Intel but not AMD processors, theSF,AF andOF bits ofEFLAGS are also zeroed out by these instructions.FXSAVE andFXRSTOR instructions were added in the "Deschutes" revision of Pentium II, and are not present in earlier "Klamath" revision.FXSAVE andFXRSTOR instructions will save/restore SSE state only on processors that support SSE. Otherwise, they will only save/restore x87 and MMX state.FXSAVE(64)/FXRSTOR(64) has a completely different layout than the data structure of the olderF(N)SAVE/FRSTOR instructions, enabling faster save/restore by avoiding misaligned loads and stores.FXSAVE andFXRSTOR require their memory argument to be 16-byte aligned.CR0.EM=1,FXSAVE(64) andFXRSTOR(64) are considered to be x87 instructions and will accordingly produce an#NM (device-not-available) exception. Other thanWAIT, these are the only opcodes outside theD8..DF ESC opcode space that exhibit this behavior.D8..DF will produce#NM ifCR0.EM=1, even for undefined opcodes that would produce#UD otherwise.F(N)SAVE instruction,FXSAVE will not initialize the FPU after saving its state to memory, but instead leave the x87 coprocessor state unmodified.FXSAVE64/FXRSTOR64 instruction differ from theFXSAVE/FXRSTOR instructions in that:FXSAVE/FXRSTOR will save/restore FIP and FDP as 32-bit items, and will also save/restore FCS and FDS as 16-bit items.FXSAVE64/FXRSTOR64 will save/restore FIP and FDP as 64-bit items while not saving/restoring FCS and FDS.XSAVE/XRSTOR vsXSAVE64/XRSTOR64 instructions.(F)XSAVE and(F)XSAVE64. This has been known to cause problems, especially for 64-bit hypervisors running 16/32-bit guests.[139][140]x86 also includes discontinued instruction sets which are no longer supported by Intel and AMD, and undocumented instructions which execute but are not officially documented.
The x86 CPUs containundocumented instructions which are implemented on the chips but not listed in some official documents. They can be found in various sources across the Internet, such asRalf Brown's Interrupt List and atsandpile.org
Some of these instructions are widely available across many/most x86 CPUs, while others are specific to a narrow range of CPUs.
| Mnemonics | Opcodes | Description | Status |
|---|---|---|---|
AAM imm8 | D4ib | ASCII-Adjust-after-Multiply. On the 8086, documented for imm8=0Ah only, which is used to convert a binary multiplication result to BCD. The actual operation is | Available beginning with 8086, documented for imm8 values other than0Ah since Pentium (earlier documentation lists no arguments). |
AAD imm8 | D5ib | ASCII-Adjust-Before-Division. On the 8086, documented for imm8=0Ah only, which is used to convert a BCD value to binary for a following division instruction. The actual operation is | |
SALC,SETALC | D6 | Set AL depending on the value of the Carry Flag (a 1-byte alternative ofSBB AL, AL) | Available beginning with 8086, but only documented since Pentium Pro. |
ICEBP,INT1 | F1 | Single byte single-step exception / InvokeICE | Available beginning with 80386, documented (asINT1) since Pentium Pro. Executes as undocumented instruction prefix on 8086 and 80286.[142] |
TEST r/m8,imm8 | F6 /1ib | Undocumented variants of theTEST instruction.[143] Performs the same operation as the documentedF6 /0 andF7 /0 variants, respectively. | Available since the 8086. |
TEST r/m16,imm16,TEST r/m32,imm32 | F7 /1iw,F7 /1id | ||
SHL,SAL | (D0..D3) /6,(C0..C1) /6ib | Undocumented variants of theSHL instruction.[143] Performs the same operation as the documented(D0..D3) /4 and(C0..C1) /4ib variants, respectively. | Available since the 80186 (performs different operation on the 8086)[146] |
| (multiple) | 82 /(0..7)ib | Alias of opcode80h, which provides variants of 8-bit integer instructions (ADD,OR,ADC,SBB,AND,SUB,XOR,CMP) with an 8-bit immediate argument.[147] | Available since the 8086.[147] Explicitly unavailable in 64-bit mode but kept and reserved for compatibility.[148] |
OR/AND/XOR r/m16,imm8 | 83 /(1,4,6)ib | 16-bitOR/AND/XOR with a sign-extended 8-bit immediate. | Available on 8086, but only documented from 80386 onwards.[149][150] |
REPNZ MOVS | F2 (A4..A5) | The behavior of theF2 prefix (REPNZ,REPNE) when used with string instructions other thanCMPS/SCAS is officially undefined, but there exists commercial software (e.g. the version of FDISK distributed with MS-DOS versions 3.30 to 6.22[151]) that rely on it to behave in the same way as the documentedF3 (REP) prefix. | Available since the 8086. |
REPNZ STOS | F2 (AA..AB) | ||
REP RET | F3 C3 | The use of theREP prefix with theRET instruction is not listed as supported in either the Intel SDM or the AMD APM. However, AMD's optimization guide for the AMD-K8 describes theF3 C3 encoding as a way to encode a two-byteRET instruction – this is the recommended workaround for an issue in the AMD-K8's branch predictor that can cause branch prediction to fail for some 1-byteRET instructions.[152] At least some versions of gcc are known to use this encoding.[153] | Executes asRET on all known x86 CPUs. |
NOP | 67 90 | NOP with address-size override prefix. The use of the67h prefix for instructions without memory operands is listed by the Intel SDM (vol 2, section 2.1.1) as "reserved", but it is used in Microsoft Windows 95 as a workaround for a bug in the B1 stepping of Intel 80386.[154][155] | Executes asNOP on 80386 and later. |
NOP r/m | 0F 1F /0 | Official long NOP. Introduced in the Pentium Pro in 1995, but remained undocumented until March 2006.[61][156][157] | Available on Pentium Pro and AMD K7[158] and later. Unavailable on AMD K6, AMD Geode LX, VIA Nehemiah.[159] |
NOP r/m | 0F 0D /r | Reserved-NOP. Introduced in65 nm Pentium 4. Intel documentation lists this opcode asNOP in opcode tables but not instruction listings since June 2005.[160][161] From Broadwell onwards,0F 0D /1 has been documented asPREFETCHW, while0F 0D /0 and/2../7 have been reported to exhibit undocumented prefetch functionality.[111]On AMD CPUs, | Available on Intel CPUs since65 nmPentium 4. |
UD1 | 0F B9 /r | Intentionally undefined instructions, but unlikeUD2 (0F 0B) these instructions were left unpublished until December 2016.[162][71]Microsoft Windows 95 Setup is known to depend on Other invalid opcodes that are being relied on by commercial software to produce #UD exceptions include | All of these opcodes produce #UD exceptions on 80186 and later (except on NEC V20/V30, which assign at least0F FF to the NEC-specificBRKEM instruction.) |
UD0 | 0F FF | ||
| Mnemonics | Opcodes | Description | Status | |
|---|---|---|---|---|
REP MUL | F3 F6 /4,F3 F7 /4 | On 8086/8088, aREP orREPNZ prefix on aMUL orIMUL instruction causes the result to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the result. | 8086/8088 only.[169] | |
REP IMUL | F3 F6 /5,F3 F7 /5 | |||
REP IDIV | F3 F6 /7,F3 F7 /7 | On 8086/8088, aREP orREPNZ prefix on anIDIV (but notDIV) instruction causes the quotient to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the quotient. | 8086/8088 only.[169] | |
SAVEALL,
| (F1) 0F 04 | Exact purpose unknown, causes CPU hang (HCF). The only way out is CPU reset.[170] In some implementations, emulated throughBIOS as ahalting sequence.[171] Ina forum post at the Vintage Computing Federation, this instruction (with | Only available on 80286. | |
LOADALL | 0F 05 | Loads All Registers from Memory Address 0x000800H | Only available on 80286. Opcode reused for | |
LOADALLD | 0F 07 | Loads All Registers from Memory Address ES:EDI | Only available on 80386. Opcode reused for | |
CL1INVMB | 0F 0A[172] | On the Intel SCC (Single-chip Cloud Computer), invalidate all message buffers. The mnemonic and operation of the instruction, but not its opcode, are described in Intel's SCC architecture specification.[173] | Available on the SCC only. | |
PATCH2 | 0F 0E | On AMD K6 and later maps toFEMMS operation (fast clear of MMX state) but on Intel identified asuarch data read on Intel[174] | Only available in Red unlock state (0F 0F too) | |
PATCH3 | 0F 0F | Write uarch | Can change RAM part of microcode on Intel | |
UMOV r,r/m,UMOV r/m,r | 0F (10..13) /r | Moves data to/from user memory when operating inICE HALT mode.[175] Acts as regularMOV otherwise. | Available on some 386 and 486 processors only. Opcodes reused for SSE instructions in later CPUs. | |
NXOP | 0F 55 | NexGen hypercode interface.[176] | Available onNexGen Nx586 only. | |
| (multiple) | 0F (E0..FB)[177] | NexGen Nx586 "hyper mode" instructions. The NexGen Nx586 CPU uses "hyper code"[178] (x86 code sequences unpacked at boot time and only accessible in a special "hyper mode" operation mode, similar to DEC Alpha'sPALcode and Intel's XuCode[179]) for many complicated operations that are implemented with microcode in most other x86 CPUs. The Nx586 provides a large number of undocumented instructions to assist hyper mode operation. | Available in Nx586 hyper mode only. | |
PSWAPW mm,mm/m64 | 0F 0F /r BB | Undocumented AMD 3DNow! instruction on K6-2 and K6-3. Swaps 16-bit words within 64-bit MMX register.[180][181] Instruction known to be recognized byMASM 6.13 and 6.14. | Available on K6-2 and K6-3 only. Opcode reused for documented | |
| Unknown mnemonic | 64 D6 | Using the64 (FS: segment) prefix with the undocumentedD6 (SALC/SETALC) instruction will, on UMC CPUs only, cause EAX to be set to0xAB6B1B07.[182][183] | Available on theUMC Green CPU only. Executes asSALC on non-UMC CPUs. | |
FS: Jcc | 64 (70..7F) rel8,
| On IntelNetBurst (Pentium 4) CPUs, the 64h (FS: segment) instruction prefix will, when used with conditional branch instructions, act as a branch hint to indicate that the branch will be alternating between taken and not-taken.[184] Unlike other NetBurst branch hints (CS: and DS: segment prefixes), this hint is not documented. | Available on NetBurst CPUs only. Segment prefixes on conditional branches are accepted but ignored by non-NetBurst CPUs. | |
JMPAI | 0F 3F | Jump and execute instructions in the undocumentedAlternate Instruction Set. | Only available on some x86 processors made byVIA Technologies. | |
| (FMA4) | VEX.66.0F38 (5C..5F,68..6F,78..7F) /r imm8 | On AMD Zen1, FMA4 instructions are present but undocumented (missing CPUID flag). The reason for leaving the feature undocumented may or may not have been due to a buggy implementation.[185] | Removed from Zen2 onwards. | |
| (unknown, multiple) | 0F 0F /r ?? | The whitepapers for SandSifter[186] and UISFuzz[187] report the detection of large numbers of undocumented instructions in the 3DNow! opcode range on several different AMD CPUs (at leastGeode NX andC-50). Their operation is not known. On at least AMD K6-2, all of the unassigned 3DNow! opcodes (other than the undocumented | Present on some AMD CPUs with 3DNow!. | |
MOVDB,
| Unknown | Microprocessor Report's article "MediaGX Targets Low-Cost PCs" from 1997, covering the introduction of the CyrixMediaGX processor, lists several new instructions that are said to have been added to this processor in order to support its new "Virtual System Architecture" features, includingMOVDB andGP2MEM – and also mentions that Cyrix did not intend to publish specifications for these instructions.[188] | Unknown. No specification known to have been published. | |
REP XSHA512 | F3 0F A6 E0 | PerformSHA-512 hashing. Supported by OpenSSL[189] as part of itsVIA PadLock support, and listed in a Zhaoxin-supplied Linux kernel patch,[190] but not documented by theVIA PadLock Programming Guide. | Only available on some x86 processors made byVIA Technologies andZhaoxin. | |
REP XMODEXP | F3 0F A6 F8 | Instructions to performmodular exponentiation andrandom number generation, respectively. Listed in a VIA-supplied patch to add support for VIA Nano-specific PadLock instructions to OpenSSL,[191] but not documented by the VIA PadLock Programming Guide. | ||
XRNG2 | F3 0F A7 F8 | |||
| Unknown mnemonic | 0F A7 (C1..C7) | Detected by CPU fuzzing tools such as SandSifter[186] and UISFuzz[187] as executing without causing #UD on several different VIA and Zhaoxin CPUs. Unknown operation, may be related to the documentedXSTORE (0F A7 C0) instruction. | ||
| Unknown mnemonic | F2 0F A6 C0 | ZhaoxinSM2 instruction.CPUID flags listed in a Linux kernel patch for OpenEuler,[192] description and opcode (but no instruction mnemonic) provided in a Zhaoxin patent application[193] and a Zhaoxin-provided Linux kernel patch.[194] | Present in Zhaoxin KX-6000G.[195] | |
ZXPAUSE | F2 0F A6 D0 | Pause the processor until theTime Stamp Counter reaches or exceeds the value specified in EDX:EAX. Low-power processor C-state can be requested in ECX. Listed in OpenEuler kernel patch.[196] | Present in Zhaoxin KX-7000. | |
MONTMUL2 | Unknown | Zhaoxin RSA/"xmodx" instructions. Mnemonics and CPUID flags are listed in a Linux kernel patch for OpenEuler,[192] but opcodes and instruction descriptions are not available. | Unknown. Some Zhaoxin CPUs[195] have the CPUID flags for these instructions set. | |
| Mnemonics | Opcodes | Description | Status |
|---|---|---|---|
FENI,
| DB E0 | FPU Enable Interrupts (8087) | Documented for the Intel 80287.[131] Present on all Intel x87 FPUs from 80287 onwards. For FPUs other than the ones where they were introduced on (8087 for These instructions and their operation on modern CPUs are commonly mentioned in later Intel documentation, but with opcodes omitted and opcode table entries left blank (e.g.Intel SDM 325462-077, April 2022 mentions them twice without opcodes). The opcodes are, however, recognized by Intel XED.[197] |
FDISI,
| DB E1 | FPU Disable Interrupts (8087) | |
FSETPM,
| DB E4 | FPU Set Protected Mode (80287) | |
| (no mnemonic) | D9 D7, D9 E2,D9 E7, DD FC,DE D8, DE DA,DE DC, DE DD,DE DE, DF FC | "Reserved by Cyrix" opcodes | These opcodes are listed as reserved opcodes that will produce "unpredictable results" without generating exceptions on at least Cyrix 6x86,[198] 6x86MX, MII, MediaGX, and AMD Geode GX/LX.[199] (The documentation for these CPUs all list the same ten opcodes.) Their actual operation is not known, nor is it known whether their operation is the same on all of these CPUs. |
CR0, it is specifically necessary to do a farJMP (opcodeEA) in order to restore proper real-mode access-rights for the CS segment, and that other far control transfers (e.g.RETF,IRET) will not do this.Archived on 4 Nov 2024.SALC on page 83,INT1 on page 86 andFFREEP on page 114. Archived from theoriginal on 22 Dec 1996.The instruction brings down the upper word of the doubleword register without affecting its upper 16 bits.
internal (zero-)extending the value of a smaller (16-bit) register … applying the bswap to a 32-bit value "00 00 AH AL", … truncated to lower 16-bits, which are "00 00". … Bochs … bswap reg16 acts just like the bswap reg32 … QEMU … ignores the 66h prefix
CMPXCHG with0F A6/A7 encodings.CMPXCHG with0F B0/B1 encodings.CPUID instruction)RDTSC instruction on p.1739 describes the instruction sequences required to order theRDTSC instruction with respect to earlier and later instructions.UD2A andUD2B instruction mnemomics to GNU Binutils.Archived on 25 Jul 2023.UD1/UD2B and addedUD0.Archived on 25 Jul 2023.0F 0B and0F B9.UD0 and page 415 and 419 forUD1.UD1 (withModR/M byte) andUD0 (without ModR/M byte) on page 4-687.UD1 instruction on page 356.Archived on 29 Dec 2024.OIO ("Official invalid opcode") for the0F FF opcode.UD0 (with ModR/M byte) on page 4-683.0F FF opcode without assigning it a mnemonic.MFENCE;LFENCE sequence to enforce ordering between a memory store and a later x2apic MSR write.Archived on 4 Jul 2024MONITOR andMWAIT with explicit operands.Archived on 9 May 2005.MONITOR/MWAIT mnemonics.Archived on 6 Nov 2022.HWNT/HST mnemonics for the branch hint prefixes. Archived from theoriginal on 5 Feb 2005.FXTRACT special-cases and section 4.4.9 on page 87 for information about theFPTAN (and by extensionFSIN/FCOS/FSINCOS) argument reduction inaccuracy.FSIN,FCOS,FSINCOS andFPTAN in volume 1, section 8.3.8NOP instruction description.)UD0 andUD1.Using the REP or REPNE prefix with a MUL or IMUL instruction negates the product. Using the REP or REPNE prefix with an IDIV instruction negates the quotient.
0F 0A for SCC's message invalidation instruction.