The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.
The x86 instruction set has been extended several times, introducing wider registers and datatypes as well as new functionality.[1]
Main article: x86 assembly language |
Below is the full 8086/8088 instruction set of Intel (81 instructions total).[2] These instructions are also available in 32-bit mode, they operate instead on 32-bit registers (eax, ebx, etc.) and values instead of their 16-bit (ax, bx, etc.) counterparts. The updated instruction set is grouped according to architecture (i186, i286, i386, i486, i586/i686) and is referred to as (32-bit) x86 and (64-bit) x86-64 (also known as AMD64).
This is the original instruction set. In the 'Notes' column, r means register, m means memory address and imm means immediate (i.e. a value).
In- struc- tion |
Meaning | Notes | Opcode |
---|---|---|---|
AAA | ASCII adjust AL after addition | used with unpacked binary-coded decimal | 0x37 |
AAD | ASCII adjust AX before division | 8086/8088 datasheet documents only base 10 version of the AAD instruction (opcode 0xD5 0x0A), but any other base will work. Later Intel's documentation has the generic form too. NEC V20 and V30 (and possibly other NEC V-series CPUs) always use base 10, and ignore the argument, causing a number of incompatibilities | 0xD5 |
AAM | ASCII adjust AX after multiplication | Only base 10 version (Operand is 0xA) is documented, see notes for AAD | 0xD4 |
AAS | ASCII adjust AL after subtraction | 0x3F | |
ADC | Add with carry | destination = destination + source + carry_flag |
0x10...0x15, 0x80...0x81/2, 0x82...0x83/2 (186+) |
ADD | Add | (1) r/m += r/imm; (2) r += r/imm; |
0x00...0x05, 0x80/0...0x81/0, 0x82/0...0x83/0 (186+) |
AND | Logical AND | (1) r/m &= r/imm; (2) r &= r/imm; |
0x20...0x25, 0x80...0x81/4, 0x82...0x83/4 (186+) |
CALL | Call procedure | push eip; eip points to the instruction directly after the call |
0x9A, 0xE8, 0xFF/2, 0xFF/3 |
CBW | Convert byte to word | 0x98 | |
CLC | Clear carry flag | CF = 0; |
0xF8 |
CLD | Clear direction flag | DF = 0; |
0xFC |
CLI | Clear interrupt flag | IF = 0; |
0xFA |
CMC | Complement carry flag | 0xF5 | |
CMP | Compare operands | 0x38...0x3D, 0x80...0x81/7, 0x82...0x83/7 (186+) | |
CMPSB | Compare bytes in memory. May be used with a REPE or REPNE prefix to test and repeat the instruction CX times. | 0xA6 | |
CMPSW | Compare words. May be used with a REPE or REPNE prefix to test and repeat the instruction CX times. | 0xA7 | |
CWD | Convert word to doubleword | 0x99 | |
DAA | Decimal adjust AL after addition | (used with packed binary-coded decimal) | 0x27 |
DAS | Decimal adjust AL after subtraction | 0x2F | |
DEC | Decrement by 1 | 0x48...0x4F, 0xFE/1, 0xFF/1 | |
DIV | Unsigned divide | (1) AX = DX:AX / r/m; resulting DX = remainder (2) AL = AX / r/m; resulting AH = remainder |
0xF7/6, 0xF6/6 |
ESC | Used with floating-point unit | 0xD8..0xDF | |
HLT | Enter halt state | 0xF4 | |
IDIV | Signed divide | (1) AX = DX:AX / r/m; resulting DX = remainder (2) AL = AX / r/m; resulting AH = remainder |
0xF7/7, 0xF6/7 |
IMUL | Signed multiply in One-operand form | (1) DX:AX = AX * r/m; (2) AX = AL * r/m |
0x69, 0x6B (both 186+), 0xF7/5, 0xF6/5, 0x0FAF (386+) |
IN | Input from port | (1) AL = port[imm]; (2) AL = port[DX]; (3) AX = port[imm]; (4) AX = port[DX]; |
0xE4, 0xE5, 0xEC, 0xED |
INC | Increment by 1 | 0x40...0x47, 0xFE/0, 0xFF/0 | |
INT | Call to interrupt | 0xCC, 0xCD | |
INTO | Call to interrupt if overflow | 0xCE | |
IRET | Return from interrupt | 0xCF | |
Jcc | Jump if condition | (JA, JAE, JB, JBE, JC, JE, JG, JGE, JL, JLE, JNA, JNAE, JNB, JNBE, JNC, JNE, JNG, JNGE, JNL, JNLE, JNO, JNP, JNS, JNZ, JO, JP, JPE, JPO, JS, JZ) | 0x70...0x7F, 0x0F80...0x0F8F (386+) |
JCXZ | Jump if CX is zero | 0xE3 | |
JMP | Jump | 0xE9...0xEB, 0xFF/4, 0xFF/5 | |
LAHF | Load FLAGS into AH register | 0x9F | |
LDS | Load DS:r with far pointer | 0xC5 | |
LEA | Load Effective Address | 0x8D | |
LES | Load ES:r with far pointer | 0xC4 | |
LOCK | Assert BUS LOCK# signal | (for multiprocessing) | 0xF0 |
LODSB | Load string byte. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) AL = *SI++; else AL = *SI--; |
0xAC |
LODSW | Load string word. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) AX = *SI++; else AX = *SI--; |
0xAD |
LOOP/ LOOPx |
Loop control | (LOOPE, LOOPNE, LOOPNZ, LOOPZ) if (x && --CX) goto lbl; |
0xE0...0xE2 |
MOV | Move | copies data from one location to another, (1) r/m = r; (2) r = r/m; |
0xA0...0xA3 |
MOVSB | Move byte from string to string. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) *(byte*)DI++ = *(byte*)SI++;
else *(byte*)DI-- = *(byte*)SI--;
|
0xA4 |
MOVSW | Move word from string to string. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) *(word*)DI++ = *(word*)SI++;
else *(word*)DI-- = *(word*)SI--;
|
0xA5 |
MUL | Unsigned multiply | (1) DX:AX = AX * r/m; (2) AX = AL * r/m; |
0xF7/4, 0xF6/4 |
NEG | Two's complement negation | r/m = 0 – r/m; |
0xF6/3...0xF7/3 |
NOP | No operation | opcode equivalent to XCHG EAX, EAX |
0x90 |
NOT | Negate the operand, logical NOT | r/m ^= -1; |
0xF6/2...0xF7/2 |
OR | Logical OR | (1) r/m (2) r |
0x08...0x0D, 0x80...0x81/1, 0x82...0x83/1 (186+) |
OUT | Output to port | (1) port[imm] = AL; (2) port[DX] = AL; (3) port[imm] = AX; (4) port[DX] = AX; |
0xE6, 0xE7, 0xEE, 0xEF |
POP | Pop data from stack | r/m = *SP++; POP CS (opcode 0x0F) works only on 8086/8088. Later CPUs use 0x0F as a prefix for newer instructions. |
0x07, 0x0F(8086/8088 only), 0x17, 0x1F, 0x58...0x5F, 0x8F/0 |
POPF | Pop FLAGS register from stack | FLAGS = *SP++; |
0x9D |
PUSH | Push data onto stack | *--SP = r/m; |
0x06, 0x0E, 0x16, 0x1E, 0x50...0x57, 0x68, 0x6A (both 186+), 0xFF/6 |
PUSHF | Push FLAGS onto stack | *--SP = FLAGS; |
0x9C |
RCL | Rotate left (with carry) | 0xC0...0xC1/2 (186+), 0xD0...0xD3/2 | |
RCR | Rotate right (with carry) | 0xC0...0xC1/3 (186+), 0xD0...0xD3/3 | |
REPxx | Repeat MOVS/STOS/CMPS/LODS/SCAS | (REP, REPE, REPNE, REPNZ, REPZ) | 0xF2, 0xF3 |
RET | Return from procedure | Not a real instruction. The assembler will translate these to a RETN or a RETF depending on the memory model of the target system. | |
RETN | Return from near procedure | 0xC2, 0xC3 | |
RETF | Return from far procedure | 0xCA, 0xCB | |
ROL | Rotate left | 0xC0...0xC1/0 (186+), 0xD0...0xD3/0 | |
ROR | Rotate right | 0xC0...0xC1/1 (186+), 0xD0...0xD3/1 | |
SAHF | Store AH into FLAGS | 0x9E | |
SAL | Shift Arithmetically left (signed shift left) | (1) r/m <<= 1; (2) r/m <<= CL; |
0xC0...0xC1/4 (186+), 0xD0...0xD3/4 |
SAR | Shift Arithmetically right (signed shift right) | (1) (signed) r/m >>= 1; (2) (signed) r/m >>= CL; |
0xC0...0xC1/7 (186+), 0xD0...0xD3/7 |
SBB | Subtraction with borrow | alternative 1-byte encoding of SBB AL, AL is available via undocumented SALC instruction |
0x18...0x1D, 0x80...0x81/3, 0x82...0x83/3 (186+) |
SCASB | Compare byte string. May be used with a REPE or REPNE prefix to test and repeat the instruction CX times. | 0xAE | |
SCASW | Compare word string. May be used with a REPE or REPNE prefix to test and repeat the instruction CX times. | 0xAF | |
SHL | Shift left (unsigned shift left) | 0xC0...0xC1/4 (186+), 0xD0...0xD3/4 | |
SHR | Shift right (unsigned shift right) | 0xC0...0xC1/5 (186+), 0xD0...0xD3/5 | |
STC | Set carry flag | CF = 1; |
0xF9 |
STD | Set direction flag | DF = 1; |
0xFD |
STI | Set interrupt flag | IF = 1; |
0xFB |
STOSB | Store byte in string. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) *ES:DI++ = AL; else *ES:DI-- = AL; |
0xAA |
STOSW | Store word in string. May be used with a REP prefix to repeat the instruction CX times. | if (DF==0) *ES:DI++ = AX; else *ES:DI-- = AX; |
0xAB |
SUB | Subtraction | (1) r/m -= r/imm; (2) r -= m/imm; |
0x28...0x2D, 0x80...0x81/5, 0x82...0x83/5 (186+) |
TEST | Logical compare (AND) | (1) r/m & r/imm; (2) r & m/imm; |
0x84, 0x85, 0xA8, 0xA9, 0xF6/0, 0xF7/0 |
WAIT | Wait until not busy | Waits until BUSY# pin is inactive (used with floating-point unit) | 0x9B |
XCHG | Exchange data | r :=: r/m; A spinlock typically uses xchg as an atomic operation. (coma bug). |
0x86, 0x87, 0x91...0x97 |
XLAT | Table look-up translation | behaves like MOV AL, [BX+AL] |
0xD7 |
XOR | Exclusive OR | (1) r/m ^= r/imm; (2) r ^= m/imm; |
0x30...0x35, 0x80...0x81/6, 0x82...0x83/6 (186+) |
Instruction | Opcode | Meaning | Notes |
---|---|---|---|
BOUND | 62 /r | Check array index against bounds | raises software interrupt 5 if test fails |
ENTER | C8 iw ib | Enter stack frame | Modifies stack for entry to procedure for high level language. Takes two operands: the amount of storage to be allocated on the stack and the nesting level of the procedure. |
INSB/INSW | 6C | Input from port to string. May be used with a REP prefix to repeat the instruction CX times. | equivalent to:
IN AL, DX
MOV ES:[DI], AL
INC DI ; adjust DI according to operand size and DF
|
6D | |||
LEAVE | C9 | Leave stack frame | Releases the local stack storage created by the previous ENTER instruction. |
OUTSB/OUTSW | 6E | Output string to port. May be used with a REP prefix to repeat the instruction CX times. | equivalent to:
MOV AL, DS:[SI]
OUT DX, AL
INC SI ; adjust SI according to operand size and DF
|
6F | |||
POPA | 61 | Pop all general purpose registers from stack | equivalent to:
POP DI
POP SI
POP BP
POP AX ; no POP SP here, all it does is ADD SP, 2 (since AX will be overwritten later)
POP BX
POP DX
POP CX
POP AX
|
PUSHA | 60 | Push all general purpose registers onto stack | equivalent to:
PUSH AX
PUSH CX
PUSH DX
PUSH BX
PUSH SP ; The value stored is the initial SP value
PUSH BP
PUSH SI
PUSH DI
|
PUSH immediate | 6A ib | Push an immediate byte/word value onto the stack | example:
PUSH 12h
PUSH 1200h
|
68 iw | |||
IMUL immediate | 6B /r ib | Signed and unsigned multiplication of immediate byte/word value | example:
IMUL BX,12h
IMUL DX,1200h
IMUL CX, DX, 12h
IMUL BX, SI, 1200h
IMUL DI, word ptr [BX+SI], 12h
IMUL SI, word ptr [BP-4], 1200h
Note that since the lower half is the same for unsigned and signed multiplication, this version of the instruction can be used for unsigned multiplication as well. |
69 /r iw | |||
SHL/SHR/SAL/SAR/ROL/ROR/RCL/RCR immediate | C0 | Rotate/shift bits with an immediate value greater than 1 | example:
ROL AX,3
SHR BL,3
|
C1 |
The new instructions added in 80286 add support for x86 protected mode. Some but not all of the instructions are available in real mode as well.
Instruction | Opcode | Instruction description | Real mode | Ring |
---|---|---|---|---|
LGDT m16&32 [a]
|
0F 01 /2
|
Load GDTR (Global Descriptor Table Register) from memory.[b] | Yes | 0 |
LIDT m16&32 [a]
|
0F 01 /3
|
Load IDTR (Interrupt Descriptor Table Register) from memory.[b] The IDTR controls not just the address/size of the IDT (interrupt Descriptor Table) in protected mode, but the IVT (Interrupt Vector Table) in real mode as well. | ||
LMSW r/m16
|
0F 01 /6
|
Load MSW (Machine Status Word) from 16-bit register or memory.[b][c] | ||
CLTS
|
0F 06
|
Clear task-switched flag in the MSW. | ||
LLDT r/m16
|
0F 00 /2
|
Load LDTR (Local Descriptor Table Register) from 16-bit register or memory.[b] | #UD | |
LTR r/m16
|
0F 00 /3
|
Load TR (Task Register) from 16-bit register or memory.[b]
The TSS (Task State Segment) specified by the 16-bit argument is marked busy, but a task switch is not done. | ||
SGDT m16&32 [a]
|
0F 01 /0
|
Store GDTR to memory. | Yes | Usually 3[d] |
SIDT m16&32 [a]
|
0F 01 /1
|
Store IDTR to memory. | ||
SMSW r/m16
|
0F 01 /4
|
Store MSW to register or 16-bit memory.[e] | ||
SLDT r/m16
|
0F 00 /0
|
Store LDTR to register or 16-bit memory.[e] | #UD | |
STR r/m16
|
0F 00 /1
|
Store TR to register or 16-bit memory.[e] | ||
ARPL r/m16,r16
|
63 /r [f]
|
Adjust RPL (Requested Privilege Level) field of selector. The operation performed is:if (dst & 3) < (src & 3) then dst = (dst & 0xFFFC) | (src & 3) eflags.zf = 1 else eflags.zf = 0 |
#UD[g] | 3 |
LAR r,r/m16
|
0F 02 /r
|
Load access rights byte from the specified segment descriptor. Reads bytes 4-7 of segment descriptor, bitwise-ANDs it with 0x00FxFF00 ,[h] then stores the bottom 16/32 bits of the result in destination register. Sets EFLAGS.ZF=1 if the descriptor could be loaded, ZF=0 otherwise.
|
#UD | |
LSL r,r/m16
|
0F 03 /r
|
Load segment limit from the specified segment descriptor. Sets ZF=1 if the descriptor could be loaded, ZF=0 otherwise. | ||
VERR r/m16
|
0F 00 /4
|
Verify a segment for reading. Sets ZF=1 if segment can be read, ZF=0 otherwise. | ||
VERW r/m16
|
0F 00 /5
|
Verify a segment for writing. Sets ZF=1 if segment can be written, ZF=0 otherwise.[i] | ||
LOADALL[j] | 0F 05 | Load all CPU registers from a 102-byte data structure starting at physical address 800h , including "hidden" part of segment descriptor registers.
|
Yes | 0 |
STOREALL[j] | F1 0F 04 | Store all CPU registers to a 102-byte data structure starting at physical address 800h , then shut down CPU.
|
LGDT
, LIDT
, SGDT
and SIDT
instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.LGDT
and LIDT
with a 16-bit operand size, the address is ANDed with 00FFFFFFh.
On Intel (but not AMD) CPUs, the SGDT
and SIDT
instructions with a 16-bit operand size is – as of Intel SDM revision 079, March 2023 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.[3]
LGDT
, LIDT
, LLDT
, LMSW
and LTR
instructions are serializing on Pentium and later processors.
LMSW
instruction can only modify the bottom 4 bits of this register and cannot clear bit 0. The inability to clear bit 0 means that LMSW
can be used to enter but not leave x86 Protected Mode.LMSW
nor with LOADALL
[4]) without a CPU reset – on 80386 and later, it is possible to leave Protected Mode, but this requires the use of the 80386-and-later MOV
to CR0
instruction.
CR4.UMIP=1
is set, then the SGDT
, SIDT
, SLDT
, SMSW
and STR
instructions can only run in Ring 0.SMSW
, SLDT
and STR
instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows:
SMSW
: Stores full CR0 in x86-64 long mode, undefined otherwise.SLDT
: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors.STR
: Zero-extends 16-bit argument.ARPL
instruction is not available – the 63 /r
opcode has been reassigned to the 64-bit-mode-only MOVSXD
instruction.
ARPL
instruction causes #UD in Real mode and Virtual 8086 Mode – Windows 95 and OS/2 2.x are known to make extensive use of this #UD to use the 63
opcode as a one-byte breakpoint to transition from Virtual 8086 Mode to kernel mode.[8][9]
0x00FFFF00
.
VERW
instruction also flushes microarchitectural data buffers. This enables it to be used as part of workarounds for Microarchitectural Data Sampling security vulnerabilities.[11][12]
LOADALL
with a different opcode and memory layout exists on 80386.)
The 80386 added support for 32-bit operation to the x86 instruction set. This was done by widening the general-purpose registers to 32 bits and introducing the concepts of OperandSize and AddressSize – most instruction forms that would previously take 16-bit data arguments were given the ability to take 32-bit arguments by setting their OperandSize to 32 bits, and instructions that could take 16-bit address arguments were given the ability to take 32-bit address arguments by setting their AddressSize to 32 bits. (Instruction forms that work on 8-bit data continue to be 8-bit regardless of OperandSize. Using a data size of 16 bits will cause only the bottom 16 bits of the 32-bit general-purpose registers to be modified – the top 16 bits are left unchanged.)
The default OperandSize and AddressSize to use for each instruction is given by the D bit of the segment descriptor of the current code segment - D=0
makes both 16-bit, D=1
makes both 32-bit. Additionally, they can be overridden on a per-instruction basis with two new instruction prefixes that were introduced in the 80386:
66h
: OperandSize override. Will change OperandSize from 16-bit to 32-bit if CS.D=0
, or from 32-bit to 16-bit if CS.D=1
.67h
: AddressSize override. Will change AddressSize from 16-bit to 32-bit if CS.D=0
, or from 32-bit to 16-bit if CS.D=1
.The 80386 also introduced the two new segment registers FS
and GS
as well as the x86 control, debug and test registers.
The new instructions introduced in the 80386 can broadly be subdivided into two classes:
CWDE
, LODSD
)SHLD
, SETcc
)For instruction forms where the operand size can be inferred from the instruction's arguments (e.g. ADD EAX,EBX
can be inferred to have a 32-bit OperandSize due to its use of EAX as an argument), new instruction mnemonics are not needed and not provided.
Type | Instruction mnemonic | Opcode | Description | Mnemonic for older 16-bit variant | Ring |
---|---|---|---|---|---|
String instructions[a][b] | LODSD |
AD |
Load string doubleword: EAX := DS:[rSI±±] |
LODSW
|
3 |
STOSD |
AB |
Store string doubleword: ES:[rDI±±] := EAX |
STOSW
| ||
MOVSD |
A5 |
Move string doubleword: ES:[rDI±±] := DS:[rSI±±] |
MOVSW
| ||
CMPSD |
A7 |
Compare string doubleword: temp1 := DS:[rSI±±] temp2 := ES:[rDI±±] CMP temp1, temp2 /* 32-bit compare and set EFLAGS */ |
CMPSW
| ||
SCASD |
AF |
Scan string doubleword: temp1 := ES:[rDI±±] CMP EAX, temp1 /* 32-bit compare and set EFLAGS */ |
SCASW
| ||
INSD |
6D |
Input string from doubleword I/O port:ES:[rDI±±] := port[DX] [c] |
INSW |
Usually 0[d] | |
OUTSD |
6F |
Output string to doubleword I/O port:port[DX] := DS:[rSI±±] |
OUTSW
| ||
Other | CWDE |
98 |
Sign-extend 16-bit value in AX to 32-bit value in EAX[e] | CBW
|
3 |
CDQ |
99 |
Sign-extend 32-bit value in EAX to 64-bit value in EDX:EAX.
Mainly used to prepare a dividend for the 32-bit |
CWD
| ||
JECXZ rel8 |
E3 cb [f] |
Jump if ECX is zero | JCXZ
| ||
PUSHAD |
60 |
Push all 32-bit registers onto stack[g] | PUSHA
| ||
POPAD |
61 |
Pop all 32-bit general-purpose registers off stack[h] | POPA
| ||
PUSHFD |
9C |
Push 32-bit EFLAGS register onto stack | PUSHF
|
Usually 3[i] | |
POPFD |
9D |
Pop 32-bit EFLAGS register off stack | POPF
| ||
IRETD |
CF |
32-bit interrupt return. Differs from the older 16-bit IRET instruction in that it will pop interrupt return items (EIP,CS,EFLAGS; also ESP[j] and SS if there is a CPL change) off the stack as 32-bit items instead of 16-bit items. Should be used to return from interrupts when the interrupt handler was entered through a 32-bit IDT interrupt/trap gate.
Instruction is serializing. |
IRET
|
EFLAGS.DF=1
and post-incremented by 4 otherwise.67
prefix.
LODSD
, STOSD
, MOVSD
, INSD
and OUTSD
, the REP
prefix (F3
) will repeat the instruction the number of times specified in rCX (CX or ECX, decided by AddressSize), decrementing rCX for each iteration (with rCX=0 resulting in no-op and proceeding to the next instruction).CMPSD
and SCASD
, the REPE
(F3
) and REPNE
(F2
) prefixes are available, which will repeat the instruction but only as long as the flag condition (ZF=1 for REPE
, ZF=0 for REPNE
) holds true.
INSB/W/D
instructions, the memory access rights for the ES:[rDI]
memory address might not be checked until after the port access has been performed – if this check fails (e.g. page fault or other memory exception), then the data item read from the port is lost. As such, it is not recommended to use this instruction to access an I/O port that performs any kind of side effect upon read.
CWDE
instruction differs from the older CWD
instruction in that CWD
would sign-extend the 16-bit value in AX into a 32-bit value in the DX:AX register pair.
E3
opcode (JCXZ
/JECXZ
), the choice of whether the instruction will use CX
or ECX
for its comparison (and consequently which mnemonic to use) is based on the AddressSize, not OperandSize. (OperandSize instead controls whether the jump destination should be truncated to 16 bits or not).LOOP
,LOOPE
,LOOPNE
(opcodes E0
,E1
,E2
), however, unlike JCXZ
/JECXZ
, these instructions have not been given new mnemonics for their ECX-using variants.
PUSHA(D)
, the value of SP/ESP pushed onto the stack is the value it had just before the PUSHA(D)
instruction started executing.
POPA
/POPAD
, the stack item corresponding to SP/ESP is popped off the stack (performing a memory read), but not placed into SP/ESP.
PUSHFD
and POPFD
instructions will cause a #GP exception if executed in virtual 8086 mode if IOPL is not 3.PUSHF
, POPF
, IRET
and IRETD
instructions will cause a #GP exception if executed in Virtual-8086 mode if IOPL is not 3 and VME is not enabled.
IRETD
is used to return from kernel mode to user mode (which will entail a CPL change) and the user-mode stack segment indicated by SS is a 16-bit segment, then the IRETD
instruction will only restore the low 16 bits of the stack pointer (ESP/RSP), with the remaining bits keeping whatever value they had in kernel code before the IRETD
. This has necessitated complex workarounds on both Linux ("ESPFIX")[15] and Windows.[16] This issue also affects the later 64-bit IRETQ
instruction.
Instruction mnemonics | Opcode | Description | Ring |
---|---|---|---|
BT r/m, r |
0F A3 /r |
Bit Test.[a]
Second operand specifies which bit of the first operand to test. The bit to test is copied to EFLAGS.CF. |
3 |
BT r/m, imm8 |
0F BA /4 ib
| ||
BTS r/m, r |
0F AB /r |
Bit Test-and-set.[a][b]
Second operand specifies which bit of the first operand to test and set. | |
BTS r/m, imm8 |
0F BA /5 ib
| ||
BTR r/m, r |
0F B3 /r |
Bit Test and Reset.[a][b]
Second operand specifies which bit of the first operand to test and clear. | |
BTR r/m, imm8 |
0F BA /6 ib
| ||
BTC r/m, r |
0F BB /r |
Bit Test and Complement.[a][b]
Second operand specifies which bit of the first operand to test and toggle. | |
BTC r/m, imm8 |
0F BA /7 ib
| ||
BSF r, r/m |
NFx 0F BC /r [c] |
Bit scan forward. Returns bit index of lowest set bit in input.[d] | 3 |
BSR r, r/m |
NFx 0F BD /r [e] |
Bit scan reverse. Returns bit index of highest set bit in input.[d] | |
SHLD r/m, r, imm8 |
0F A4 /r ib |
Shift Left Double. The operation of SHLD arg1,arg2,shamt is:arg1 := (arg1<<shamt) | (arg2>>(operand_size - shamt)) [f]
| |
SHLD r/m, r, CL |
0F A5 /r
| ||
SHRD r/m, r, imm8 |
0F AC /r ib |
Shift Right Double. The operation of SHRD arg1,arg2,shamt is:arg1 := (arg1>>shamt) | (arg2<<(operand_size - shamt)) [f]
| |
SHRD r/m, r, CL |
0F AD /r
| ||
MOVZX reg, r/m8 |
0F B6 /r |
Move from 8/16-bit source to 16/32-bit register with zero-extension. | 3 |
MOVZX reg, r/m16 |
0F B7 /r
| ||
MOVSX reg, r/m8 |
0F BE /r |
Move from 8/16-bit source to 16/32/64-bit register with sign-extension. | |
MOVSX reg, r/m16 |
0F BF /r
| ||
SETcc r/m8
|
0F 9x /0 [g][h]
|
Set byte to 1 if condition is satisfied, 0 otherwise. | |
Jcc rel16 Jcc rel32
|
0F 8x cw 0F 8x cd [g]
|
Conditional jump near.
Differs from older variants of conditional jumps in that they accept a 16/32-bit offset rather than just an 8-bit offset. | |
IMUL r, r/m |
0F AF /r |
Two-operand non-widening integer multiply. | |
FS: |
64 |
Segment-override prefixes for FS and GS segment registers. | 3 |
GS: |
65
| ||
PUSH FS |
0F A0 |
Push/pop FS and GS segment registers. | |
POP FS |
0F A1
| ||
PUSH GS |
0F A8
| ||
POP GS |
0F A9
| ||
LFS r16, m16&16 LFS r32, m32&16 |
0F B4 /r |
Load far pointer from memory.
Offset part is stored in destination register argument, segment part in FS/GS/SS segment register as indicated by the instruction mnemonic.[i] | |
LGS r16, m16&16 LGS r32, m32&16 |
0F B5 /r
| ||
LSS r16, m16&16 LSS r32, m32&16 |
0F B2 /r
| ||
MOV reg,CRx |
0F 20 /r [j] |
Move from control register to general register.[k] | 0 |
MOV CRx,reg |
0F 22 /r [j] |
Move from general register to control register.[k]
On Pentium and later processors, moves to the | |
MOV reg,DRx |
0F 21 /r [j] |
Move from x86 debug register to general register.[k] | |
MOV DRx,reg |
0F 23 /r [j] |
Move from general register to x86 debug register.[k]
On Pentium and later processors, moves to the DR0-DR7 debug registers are serializing. | |
MOV reg,TRx |
0F 24 /r [j] |
Move from x86 test register to general register.[m] | |
MOV TRx,reg |
0F 26 /r [j] |
Move from general register to x86 test register.[m] | |
ICEBP, INT01, INT1[n] |
F1 | In-circuit emulation breakpoint.
Performs software interrupt #1 if executed when not using in-circuit emulation.[o] |
3 |
UMOV r/m, r8 | 0F 10 /r | User Move – perform data moves that can access user memory while in In-circuit emulation HALT mode.
Performs same operation as | |
UMOV r/m, r16/32 | 0F 11 /r | ||
UMOV r8, r/m | 0F 12 /r | ||
UMOV r16/32, r/m | 0F 13 /r | ||
XBTS reg,r/m | 0F A6 /r | Bitfield extract.[q][r] | |
IBTS r/m,reg | 0F A7 /r | Bitfield insert.[q][r] | |
LOADALLD, LOADALL386[s] |
0F 07 | Load all CPU registers from a 296-byte data structure starting at ES:EDI, including "hidden" part of segment descriptor registers. | 0 |
BT
, BTS
, BTR
and BTC
instructions:
BTS
, BTC
and BTR
instructions accept the LOCK
(F0
) prefix when used with a memory argument – this results in the instruction executing atomically.
F3
prefix is used with the 0F BC /r
opcode, then the instruction will execute as TZCNT
on systems that support the BMI1 extension. TZCNT
differs from BSF
in that TZCNT
but not BSR
is defined to return operand size if the source operand is zero – for other source operand values, they produce the same result.
BSF
and BSR
set the EFLAGS.ZF flag to 1 if the source argument was all-0s and 0 otherwise.F3
prefix is used with the 0F BD /r
opcode, then the instruction will execute as LZCNT
on systems that support the ABM or LZCNT extensions. LZCNT
produces a different result from BSR
for most input values.
SHLD
and SHRD
, the shift-amount is masked – the bottom 5 bits are used for 16/32-bit operand size and 6 bits for 64-bit operand size.SHLD
and SHRD
with 16-bit arguments and a shift-amount greater than 16 produce undefined results. (Actual results differ between different Intel CPUs, with at least three different behaviors known.[17])
SETcc
and Jcc near
instructions (opcodes 0F 9x /0
and 0F 8x
respectively, with the x nibble specifying the condition) are:
x | cc | Condition (EFLAGS) |
---|---|---|
0 | O | OF=1: "Overflow" |
1 | NO | OF=0: "Not Overflow" |
2 | C,B,NAE | CF=1: "Carry", "Below", "Not Above or Equal" |
3 | NC,NB,AE | CF=0: "Not Carry", "Not Below", "Above or Equal" |
4 | Z,E | ZF=1: "Zero", "Equal" |
5 | NZ,NE | ZF=0: "Not Zero", "Not Equal" |
6 | NA,BE | (CF=1 or ZF=1): "Not Above", "Below or Equal" |
7 | A,NBE | (CF=0 and ZF=0): "Above", "Not Below or Equal" |
8 | S | SF=1: "Sign" |
9 | NS | SF=0: "Not Sign" |
A | P,PE | PF=1: "Parity", "Parity Even" |
B | NP,PO | PF=0: "Not Parity", "Parity Odd" |
C | L,NGE | SF≠OF: "Less", "Not Greater Or Equal" |
D | NL,GE | SF=OF: "Not Less", "Greater Or Equal" |
E | LE,NG | (ZF=1 or SF≠OF): "Less or Equal", "Not Greater" |
F | NLE,G | (ZF=0 and SF=OF): "Not Less or Equal", "Greater" |
SETcc
, while the opcode is commonly specified as /0 – implying that bits 5:3 of the instruction's ModR/M byte should be 000 – modern x86 processors (Pentium and later) ignore bits 5:3 and will execute the instruction as SETcc
regardless of the contents of these bits.
LFS
, LGS
and LSS
, the size of the offset part of the far pointer is given by operand size – the size of the segment part is always 16 bits. In 64-bit mode, using the REX.W
prefix with these instructions will cause them to load a far pointer with a 64-bit offset on Intel but not AMD processors.
MOV
to/from the CRx
, DRx
and TRx
registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx
register and r/m part the general-register.
Uniquely for the MOV CRx/DRx/TRx
opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b
.
CRx
and DRx
registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise.
CR0
would not serialize the instruction stream – in part for this reason, it is usually required to perform a far jump immediately after a MOV
to CR0
if such a MOV
is used to enable/disable protected mode and/or memory paging.MOV
to CR2
is architecturally listed as serializing, but has been reported to be non-serializing on at least some Intel Core-i7 processors.[18]MOV
to CR8
(introduced with x86-64) is not serializing.
MOV TRx
instructions were discontinued from Pentium onwards.
INT1
/ICEBP
(F1
) instruction is present on all known Intel x86 processors from the 80386 onwards,[19] but only fully documented for Intel processors from the May 2018 release of the Intel SDM (rev 067) onwards.[20] Before this release, mention of the instruction in Intel material was sporadic, e.g. AP-526 rev 001.[21]F1
(ICEBP
) opcode differs from the operation of the regular software interrupt opcode CD 01
in several ways:CD 01
will check CPL against the interrupt descriptor's DPL field as an access-rights check, while F1
will not.CD 01
will also check CPL against IOPL as an access-rights check, while F1
will not.CD 01
but not F1
.XBTS
and IBTS
instructions were discontinued with the B1 stepping of 80386.XBTS
instruction as part of its CPU detection if CPUID
is not present, and will refuse to boot if XBTS
is found to be working.[24]
XBTS
and IBTS
, the r/m argument represents the data to extract/insert a bitfield from/to, the reg argument the bitfield to be inserted/extracted, AX/EAX a bit-offset and CL a bitfield length.[25]
Instruction | Opcode | Description | Ring |
---|---|---|---|
BSWAP r32
|
0F C8+r
|
Byte Order Swap. Usually used to convert between big-endian and little-endian data representations. For 32-bit registers, the operation performed is:r = (r << 24) | ((r << 8) & 0x00FF0000) | ((r >> 8) & 0x0000FF00) | (r >> 24); Using |
3 |
CMPXCHG r/m8,r8
|
0F B0 /r [b]
|
Compare and Exchange. If accumulator (AL/AX/EAX/RAX) compares equal to first operand,[c] then EFLAGS.ZF is set to 1 and the first operand is overwritten with the second operand. Otherwise, EFLAGS.ZF is set to 0, and first operand is copied into the accumulator.
Instruction atomic only if used with | |
CMPXCHG r/m,r16 CMPXCHG r/m,r32
|
0F B1 /r [b]
| ||
XADD r/m,r8
|
0F C0 /r
|
eXchange and ADD. Exchanges the first operand with the second operand, then stores the sum of the two values into the destination operand.
Instruction atomic only if used with | |
XADD r/m,r16 XADD r/m,r32
|
0F C1 /r
| ||
INVLPG m8
|
0F 01 /7
|
Invalidate the TLB entries that would be used for the 1-byte memory operand.[d]
Instruction is serializing. |
0 |
INVD
|
0F 08
|
Invalidate Internal Caches.[e] Modified data in the cache are not written back to memory, potentially causing data loss.[f] | |
WBINVD
|
NFx 0F 09 [g]
|
Write Back and Invalidate Cache.[e] Writes back all modified cache lines in the processor's internal cache to main memory and invalidates the internal caches. |
BSWAP
with 16-bit registers is not disallowed per se (it will execute without producing an #UD or other exceptions) but is documented to produce undefined results – it is reported to produce various different results on 486,[27] 586, and Bochs/QEMU.[28]
CMPXCHG
instruction uses a different encoding - 0F A6 /r
for 8-bit variant, 0F A7 /r
for 16/32-bit variant. The 0F B0/B1
encodings are used on 80486 stepping B and later.[30][31]
CMPXCHG
instruction sets EFLAGS
in the same way as a CMP
instruction that uses the accumulator (AL/AX/EAX/RAX) as its first argument would do.
INVLPG
executes as no-operation if the m8 argument is invalid (e.g. unmapped page or non-canonical address).INVLPG
can be used to invalidate TLB entries for individual global pages.
INVD
and WBINVD
instructions will invalidate all cache lines in the CPU's L1 caches. It is implementation-defined whether they will invalidate L2/L3 caches as well.INVD
instruction is not permitted and will cause a #GP(0) exception. (The PRM is needed for Intel SGX.)[32]
F3
prefix is used with the 0F 09
opcode, then the instruction will execute as WBNOINVD
on processors that support the WBNOINVD extension – this will not invalidate the cache.
Integer/system instructions that were not present in the basic 80486 instruction set, but were added in various x86 processors prior to the introduction of SSE. (Discontinued instructions are not included.)
Instruction | Opcode | Description | Ring | Added in |
---|---|---|---|---|
RDMSR
|
0F 32
|
Read Model-specific register. The MSR to read is specified in ECX. The value of the MSR is then returned as a 64-bit value in EDX:EAX. | 0 | IBM 386SLC,[33] Intel Pentium, AMD K5, Cyrix 6x86MX,MediaGXm, IDT WinChip C6, Transmeta Crusoe |
WRMSR
|
0F 30
|
Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX.[a]
Instruction is, with some exceptions, serializing.[b] | ||
RSM [36]
|
0F AA
|
Resume from System Management Mode.
Instruction is serializing. |
-2 (SMM) |
Intel 386SL,[37][38] 486SL,[c] Intel Pentium, AMD 5x86, Cyrix 486SLC/e,[39] IDT WinChip C6, Transmeta Crusoe, Rise mP6 |
CPUID
|
0F A2
|
CPU Identification and feature information. Takes as input a CPUID leaf index in EAX and, depending on leaf, a sub-index in ECX. Result is returned in EAX,EBX,ECX,EDX.[d]
Instruction is serializing, and causes a mandatory #VMEXIT under virtualization. Support for |
Usually 3[e] | Intel Pentium,[f] AMD 5x86,[f] Cyrix 5x86,[g] IDT WinChip C6, Transmeta Crusoe, Rise mP6, NexGen Nx586,[h] UMC Green CPU |
CMPXCHG8B m64
|
0F C7 /1
|
Compare and Exchange 8 bytes. Compares EDX:EAX with m64. If equal, set ZF[i] and store ECX:EBX into m64. Else, clear ZF and load m64 into EDX:EAX. Instruction atomic only if used with LOCK prefix.[j]
|
3 | Intel Pentium, AMD K5, Cyrix 6x86L,MediaGXm, IDT WinChip C6,[k] Transmeta Crusoe,[k] Rise mP6[k] |
RDTSC
|
0F 31
|
Read 64-bit Time Stamp Counter (TSC) into EDX:EAX.[l]
In early processors, the TSC was a cycle counter, incrementing by 1 for each clock cycle (which could cause its rate to vary on processors that could change clock speed at runtime) – in later processors, it increments at a fixed rate that doesn't necessarily match the CPU clock speed.[m] |
Usually 3[n] | Intel Pentium, AMD K5, Cyrix 6x86MX,MediaGXm, IDT WinChip C6, Transmeta Crusoe, Rise mP6 |
RDPMC
|
0F 33
|
Read Performance Monitoring Counter. The counter to read is specified by ECX and its value is returned in EDX:EAX.[l] | Usually 3[o] | Intel Pentium MMX, Intel Pentium Pro, AMD K7, Cyrix 6x86MX, IDT WinChip C6, VIA Nano[p] |
CMOVcc reg,r/m
|
0F 4x /r [q]
|
Conditional move to register. The source operand may be either register or memory.[r] | 3 | Intel Pentium Pro, AMD K7, Cyrix 6x86MX,MediaGXm, Transmeta Crusoe, VIA C3 "Nehemiah" |
NOP r/m ,NOPL r/m
|
NFx 0F 1F /0
|
Official long NOP.
Other than AMD K7/K8, broadly unsupported in non-Intel processors released before 2005.[s][52] |
3 | Intel Pentium Pro,[t] AMD K7, x86-64,[u] VIA C7[56] |
UD2 ,[v]UD2A [w]
|
0F 0B
|
Undefined Instructions – will generate an invalid opcode (#UD) exception in all operating modes.
These instructions are provided for software testing to explicitly generate invalid opcodes. The opcodes for these instructions are reserved for this purpose. |
(3) | (80186),[x] Intel Pentium[60] |
UD1 reg,r/m ,[y]UD2B reg,r/m [w]
|
0F B9 /r [z]
| |||
OIO ,UD0 ,UD0 reg,r/m [aa]
|
0F FF ,0F FF /r [z]
|
(80186),[x] Cyrix 6x86,[65] AMD K5[67] | ||
SYSCALL
|
0F 05
|
Fast System call. | 3 | AMD K6,[ab] x86-64[ac][ad] |
SYSRET
|
0F 07 [ae]
|
Fast Return from System Call. Designed to be used together with SYSCALL .
|
0[af] | |
SYSENTER
|
0F 34
|
Fast System call. | 3[af] | Intel Pentium II,[ag] AMD K7,[72][ah] Transmeta Crusoe,[ai] NatSemi Geode GX2, VIA C3 "Nehemiah"[aj] |
SYSEXIT
|
0F 35 [ae]
|
Fast Return from System Call. Designed to be used together with SYSENTER .
|
0[af] |
WRMSR
instruction is also used to update the CPU microcode. This is done by writing the virtual address of the new microcode to upload to MSR 79h
on Intel CPUs and MSR C001_0020h
[34] on AMD CPUs.
Number | Name |
---|---|
48h |
SPEC_CTRL |
49h |
PRED_CMD |
122h |
TSX_CTRL |
6E0h |
TSC_DEADLINE |
6E1h |
PKRS |
774h |
HWP_REQUEST (non-serializing only if the FAST_IA32_HWP_REQUEST bit it set) |
802h to 83Fh |
(x2APIC MSRs) |
C001_011Bh |
Doorbell Register (AMD) |
RSM
instruction were made available on non-SL variants of the Intel 486 only after the initial release of the Intel Pentium in 1993.
CPUID
with a leaf index (EAX) greater than 0 may leave EBX and ECX unmodified, keeping their old values. For this reason, it is recommended to zero out EBX and ECX before executing CPUID
.CPUID
will set the top 32 bits of RAX, RBX, RCX and RDX to zero.
CPUID
to ring 0. Such MSRs are documented for at least Ivy Bridge[42] and Denverton.[43]CPUID
to ring 0 also exists on AMD processors supporting the "CpuidUserDis" feature (Zen 4 "Raphael" and later).[44]
CPUID
is also available on some Intel and AMD 486 processor variants that were released after the initial release of the Intel Pentium.
CPUID
is not enabled by default and must be enabled through a Cyrix configuration register.
CPUID
is only supported with some system BIOSes. On some NexGen CPUs that do support CPUID
, EFLAGS.ID is not supported but EFLAGS.AC is, complicating CPU detection.[45]
CMPXCHG
instruction, the CMPXCHG8B
instruction does not modify any EFLAGS bits other than ZF.
LOCK CMPXCHG8B
with a register operand (which is an invalid encoding) can cause hangs on some Intel Pentium CPUs (Pentium F00F bug).
CMPXCHG8B
instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.[46]
RDTSC
and RDPMC
instructions are not ordered with respect to other instructions, and may sample their respective counters before earlier instructions are executed or after later instructions have executed. Invocations of RDPMC
(but not RDTSC
) may be reordered relative to each other even for reads of the same counter.LFENCE
or serializing instructions (e.g. CPUID
) are needed.[47]
8000_0007:EDX[8]
).RDTSC
can be run outside Ring 0 only if CR4.TSD=0
.RDTSC
cannot be run in Virtual-8086 mode.[51] Later processors removed this restriction.
RDPMC
can be run outside Ring 0 only if CR4.PCE=1
.
RDPMC
instruction is not present in VIA processors prior to the Nano.
CMOVcc
instruction (opcode 0F 4x /r
, with the x nibble specifying the condition) are:
x | cc | Condition (EFLAGS) |
---|---|---|
0 | O | OF=1: "Overflow" |
1 | NO | OF=0: "Not Overflow" |
2 | C,B,NAE | CF=1: "Carry", "Below", "Not Above or Equal" |
3 | NC,NB,AE | CF=0: "Not Carry", "Not Below", "Above or Equal" |
4 | Z,E | ZF=1: "Zero", "Equal" |
5 | NZ,NE | ZF=0: "Not Zero", "Not Equal" |
6 | NA,BE | (CF=1 or ZF=1): "Not Above", "Below or Equal" |
7 | A,NBE | (CF=0 and ZF=0): "Above", "Not Below or Equal" |
8 | S | SF=1: "Sign" |
9 | NS | SF=0: "Not Sign" |
A | P,PE | PF=1: "Parity", "Parity Even" |
B | NP,PO | PF=0: "Not Parity", "Parity Odd" |
C | L,NGE | SF≠OF: "Less", "Not Greater Or Equal" |
D | NL,GE | SF=OF: "Not Less", "Greater Or Equal" |
E | LE,NG | (ZF=1 or SF≠OF): "Less or Equal", "Not Greater" |
F | NLE,G | (ZF=0 and SF=OF): "Not Less or Equal", "Greater" |
CMOVcc
with a 32-bit operand size will clear the upper 32 bits of the destination register even if the condition is false.CMOVcc
with a memory source operand, the CPU will always read the operand from memory – potentially causing memory exceptions and cache line-fills – even if the condition for the move is not satisfied. (The Intel APX extension defines an EVEX-encoded variant of CMOVcc
that will suppress memory exceptions if the condition is false.)
0F 1F /0
as long-NOP was introduced in the Pentium Pro, but remained undocumented until 2006.[53]
The whole 0F 18..1F
opcode range was NOP
in Pentium Pro. However, except for 0F 1F /0
, Intel does not guarantee that these opcodes will remain NOP
in future processors, and have indeed assigned some of these opcodes to other instructions in at least some processors.[54]
0F 0B
opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned the mnemonic UD2
from Pentium Pro onwards.[57]
UD2A
and UD2B
mnemonics for the 0F 0B
and 0F B9
opcodes since version 2.7.[58]UD2A
nor UD2B
originally took any arguments - UD2B
was later modified to accept a ModR/M byte, in Binutils version 2.30.[59]
0F 0B
, 0F B9
and 0F FF
- will cause an #UD exception on all x86 processors from the 80186 onwards (except NEC V-series processors), but did not get explicitly reserved for this purpose until P5-class processors.
0F B9
opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned its mnemonic UD1
much later – AMD APM started listing UD1
in its opcode maps from rev 3.17 onwards,[61] while Intel SDM started listing it from rev 061 onwards.[62]
0F B9
and 0F FF
opcodes, different x86 implementations are known to differ regarding whether the opcodes accept a ModR/M byte.[63][64]
0F FF
opcode, the OIO
mnemonic was introduced by Cyrix,[65] while the UD0
menmonic (without arguments) was introduced by AMD and Intel at the same time as the UD1
mnemonic for 0F B9
.[61][62] Later Intel (but not AMD) documentation modified its description of UD0
to add a ModR/M byte and take two arguments.[66]
SYSCALL
/SYSRET
instructions were available on Model 7 (250nm "Little Foot") and later, not on the earlier Model 6.[68]
SYSCALL
and SYSRET
were made an integral part of x86-64 – as a result, the instructions are available in 64-bit mode on all x86-64 processors from AMD, Intel, VIA and Zhaoxin.SYSRET
differs slightly between AMD and Intel processors: non-canonical return addresses cause a #GP exception to be thrown in Ring 3 on AMD CPUs but Ring 0 on Intel CPUs. This has been known to cause security issues.[69]
SYSRET
and SYSEXIT
instructions under x86-64, it is necessary to add the REX.W
prefix for variants that will return to 64-bit user-mode code.REX.W
prefix are used to return to 32-bit user-mode code. (Neither of these instructions can be used to return to 16-bit user-mode code.)
SYSRET
, SYSENTER
and SYSEXIT
instructions are unavailable in Real mode. (SYSENTER
is, however, available in Virtual 8086 mode.)
CPUID
flags that indicate support for SYSENTER
/SYSEXIT
are set on the Pentium Pro, even though the processor does not officially support these instructions.[70]SYSENTER
and SYSEXIT
instructions are not available in x86-64 long mode (#UD).
SYSENTER
and SYSEXIT
instructions are only available with version 4.2 or higher of the Transmeta Code Morphing software.[73]
SYSENTER
and SYSEXIT
are available only on stepping 8 and later.[74]
These instructions can only be encoded in 64 bit mode. They fall in four groups:
MOVSXD
replacing ARPL
)SWAPGS
)JRCXZ
)Most instructions with a 64 bit operand size encode this using a REX.W
prefix; in the absence of the REX.W
prefix,
the corresponding instruction with 32 bit operand size is encoded. This mechanism also applies to most other instructions with 32 bit operand
size. These are not listed here as they do not gain a new mnemonic in Intel syntax when used with a 64 bit operand size.
Instruction | Encoding | Meaning | Ring |
---|---|---|---|
CDQE
|
REX.W 98
|
Sign extend EAX into RAX | 3 |
CQO
|
REX.W 99
|
Sign extend RAX into RDX:RAX | |
CMPSQ
|
REX.W A7
|
CoMPare String Quadword | |
CMPXCHG16B m128 [a][b]
|
REX.W 0F C7 /1
|
CoMPare and eXCHanGe 16 Bytes. Atomic only if used with LOCK prefix. | |
IRETQ
|
REX.W CF
|
64-bit Return from Interrupt | |
JRCXZ rel8
|
E3 cb
|
Jump if RCX is zero | |
LODSQ
|
REX.W AD
|
LoaD String Quadword | |
MOVSXD r64,r/m32
|
REX.W 63 /r [c]
|
MOV with Sign Extend 32-bit to 64-bit | |
MOVSQ
|
REX.W A5
|
Move String Quadword | |
POPFQ
|
9D
|
POP RFLAGS Register | |
PUSHFQ
|
9C
|
PUSH RFLAGS Register | |
SCASQ
|
REX.W AF
|
SCAn String Quadword | |
STOSQ
|
REX.W AB
|
STOre String Quadword | |
SWAPGS
|
0F 01 F8
|
Exchange GS base with KernelGSBase MSR | 0 |
CMPXCHG16B
must be 16-byte aligned.
CMPXCHG16B
instruction was absent from a few of the earliest Intel/AMD x86-64 processors. On Intel processors, the instruction was missing from Xeon "Nocona" stepping D,[75] but added in stepping E.[76] On AMD K8 family processors, it was added in stepping F, at the same time as DDR2 support was introduced.[77]CMPXCHG16B
has its own CPUID flag, separate from the rest of x86-64.
MOVSXD
without REX.W prefix are permitted but discouraged[78] – such encodings behave identically to 16/32-bit MOV
(8B /r
).
Main article: X86 Bit manipulation instruction set |
Bit manipulation instructions. For all of the VEX-encoded instructions defined by BMI1 and BMI2, the operand size may be 32 or 64 bits, controlled by the VEX.W bit – none of these instructions are available in 16-bit variants.
Bit Manipulation Extension | Instruction mnemonics |
Opcode | Instruction description | Added in |
---|---|---|---|---|
POPCNT r16,r/m16 POPCNT r32,r/m32
|
F3 0F B8 /r
|
Population Count. Counts the number of bits that are set to 1 in its source argument. | K10, Bobcat, Haswell, ZhangJiang, Gracemont | |
POPCNT r64,r/m64
|
F3 REX.W 0F B8 /r
| |||
LZCNT r16,r/m16 LZCNT r32,r/m32
|
F3 0F BD /r
|
Count Leading zeroes.[b] If source operand is all-0s, then LZCNT will return operand size in bits (16/32/64) and set CF=1.
| ||
LZCNT r64,r/m64
|
F3 REX.W 0F BD /r
| |||
|
TZCNT r16,r/m16 TZCNT r32,r/m32
|
F3 0F BC /r
|
Count Trailing zeroes.[c] If source operand is all-0s, then TZCNT will return operand size in bits (16/32/64) and set CF=1.
|
Haswell, Piledriver, Jaguar, ZhangJiang, Gracemont |
TZCNT r64,r/m64
|
F3 REX.W 0F BC /r
| |||
ANDN ra,rb,r/m
|
VEX.LZ.0F38 F2 /r
|
Bitwise AND-NOT: ra = r/m AND NOT(rb)
| ||
BEXTR ra,r/m,rb
|
VEX.LZ.0F38 F7 /r
|
Bitfield extract. Bitfield start position is specified in bits [7:0] of rb , length in bits[15:8] of rb . The bitfield is then extracted from the r/m value with zero-extension, then stored in ra . Equivalent to[d]mask = (1 << rb[15:8]) - 1 ra = (r/m >> rb[7:0]) AND mask | ||
BLSI reg,r/m
|
VEX.LZ.0F38 F3 /3
|
Extract lowest set bit in source argument. Returns 0 if source argument is 0. Equivalent todst = (-src) AND src
| ||
BLSMSK reg,r/m
|
VEX.LZ.0F38 F3 /2
|
Generate a bitmask of all-1s bits up to the lowest bit position with a 1 in the source argument. Returns all-1s if source argument is 0. Equivalent to dst = (src-1) XOR src
| ||
BLSR reg,r/m
|
VEX.LZ.0F38 F3 /1
|
Copy all bits of the source argument, then clear the lowest set bit. Equivalent todst = (src-1) AND src
| ||
|
BZHI ra,r/m,rb
|
VEX.LZ.0F38 F5 /r
|
Zero out high-order bits in r/m starting from the bit position specified in rb , then write result to rd . Equivalent tora = r/m AND NOT(-1 << rb[7:0])
|
Haswell, Excavator,[e] ZhangJiang, Gracemont |
MULX ra,rb,r/m
|
VEX.LZ.F2.0F38 F6 /r
|
Widening unsigned integer multiply without setting flags. Multiplies EDX/RDX with r/m , then stores the low half of the multiplication result in ra and the high half in rb . If ra and rb specify the same register, only the high half of the result is stored.
| ||
PDEP ra,rb,r/m
|
VEX.LZ.F2.0F38 F5 /r
|
Parallel Bit Deposit. Scatters contiguous bits from rb to the bit positions set in r/m , then stores result to ra . Operation performed is:ra=0; k=0; mask=r/m for i=0 to opsize-1 do if (mask[i] == 1) then ra[i]=rb[k]; k=k+1 | ||
PEXT ra,rb,r/m
|
VEX.LZ.F3.0F38 F5 /r
|
Parallel Bit Extract. Uses r/m argument as a bit mask to select bits in rb , then compacts the selected bits into a contiguous bit-vector. Operation performed is:ra=0; k=0; mask=r/m for i=0 to opsize-1 do if (mask[i] == 1) then ra[k]=rb[i]; k=k+1 | ||
RORX reg,r/m,imm8
|
VEX.LZ.F2.0F3A F0 /r ib
|
Rotate right by immediate without affecting flags. | ||
SARX ra,r/m,rb
|
VEX.LZ.F3.0F38 F7 /r
|
Arithmetic shift right without updating flags. For SARX , SHRX and SHLX , the shift-amount specified in rb is masked to 5 bits for 32-bit operand size and 6 bits for 64-bit operand size.
| ||
SHRX ra,r/m,rb
|
VEX.LZ.F2.0F38 F7 /r
|
Logical shift right without updating flags. | ||
SHLX ra,r/m,rb
|
VEX.LZ.66.0F38 F7 /r
|
Shift left without updating flags. |
POPCNT
and LZCNT
. On Intel CPUs, however, the CPUID bit for "ABM" is only documented to indicate the presence of the LZCNT
instruction and is listed as "LZCNT", while POPCNT
has its own separate CPUID feature bit.POPCNT
and set the CPUID feature bit for POPCNT, so the distinction is theoretical only.POPCNT
but not ABM, such as Intel Nehalem and VIA Nano 3000.)
LZCNT
instruction will execute as BSR
on systems that do not support the LZCNT or ABM extensions. BSR
computes the index of the highest set bit in the source operand, producing a different result from LZCNT
for most input values.
TZCNT
instruction will execute as BSF
on systems that do not support the BMI1 extension. BSF
produces the same result as TZCNT
for all input operand values except zero – for which TZCNT
returns input operand size, but BSF
produces undefined behavior (leaves destination unmodified on most modern CPUs).
BEXTR
, the start position and length are not masked and can take values from 0 to 255. If the selected bits extend beyond the end of the r/m
argument (which has the usual 32/64-bit operand size), then the excess bits are read out as 0.
PEXT
and PDEP
instructions are quite slow[79] and exhibit data-dependent timing due to the use of a microcoded implementation (about 18 to 300 cycles, depending on the number of bits set in the mask argument). As a result, it is often faster to use other instruction sequences on these processors.[80][81]
Main article: Transactional Synchronization Extensions |
TSX Subset | Instruction | Opcode | Description | Added in |
---|---|---|---|---|
|
XBEGIN rel16 XBEGIN rel32
|
C7 F8 cw C7 F8 cd
|
Start transaction. If transaction fails, perform a branch to the given relative offset. | Haswell (Deprecated on desktop/laptop CPUs from 10th generation (Ice Lake, Comet Lake) onwards, but continues to be available on Xeon-branded server parts (e.g. Ice Lake-SP, Sapphire Rapids)) |
XABORT imm8
|
C6 F8 ib
|
Abort transaction with 8-bit immediate as error code. | ||
XEND
|
NP 0F 01 D5
|
End transaction. | ||
XTEST
|
NP 0F 01 D6
|
Test if in transactional execution. Sets EFLAGS.ZF to 0 if executed inside a transaction (RTM or HLE), 1 otherwise.
| ||
|
XACQUIRE
|
F2
|
Instruction prefix to indicate start of hardware lock elision, used with memory atomic instructions only (for other instructions, the F2 prefix may have other meanings). When used with such instructions, may start a transaction instead of performing the memory atomic operation.
|
Haswell (Discontinued – the last processors to support HLE were Coffee Lake and Cascade Lake) |
XRELEASE
|
F3
|
Instruction prefix to indicate end of hardware lock elision, used with memory atomic/store instructions only (for other instructions, the F3 prefix may have other meanings). When used with such instructions during hardware lock elision, will end the associated transaction instead of performing the store/atomic.
| ||
|
XSUSLDTRK
|
F2 0F 01 E8
|
Suspend Tracking Load Addresses | Sapphire Rapids |
XRESLDTRK
|
F2 0F 01 E9
|
Resume Tracking Load Addresses |
Intel CET (Control-Flow Enforcement Technology) adds two distinct features to help protect against security exploits such as return-oriented programming: a shadow stack (CET_SS), and indirect branch tracking (CET_IBT).
CET Subset | Instruction | Opcode | Description | Ring | Added in |
---|---|---|---|---|---|
|
INCSSPD r32
|
F3 0F AE /5
|
Increment shadow stack pointer | 3 | Tiger Lake, Zen 3 |
INCSSPQ r64
|
F3 REX.W 0F AE /5
| ||||
RDSSPD r32
|
F3 0F 1E /1
|
Read shadow stack pointer into register (low 32 bits)[a] | |||
RDSSPQ r64
|
F3 REX.W 0F 1E /1
|
Read shadow stack pointer into register (full 64 bits)[a] | |||
SAVEPREVSSP
|
F3 0F 01 EA
|
Save previous shadow stack pointer | |||
RSTORSSP m64
|
F3 0F 01 /5
|
Restore saved shadow stack pointer | |||
WRSSD m32,r32
|
NP 0F 38 F6 /r
|
Write 4 bytes to shadow stack | |||
WRSSQ m64,r64
|
NP REX.W 0F 38 F6 /r
|
Write 8 bytes to shadow stack | |||
WRUSSD m32,r32
|
66 0F 38 F5 /r
|
Write 4 bytes to user shadow stack | 0 | ||
WRUSSQ m64,r64
|
66 REX.W 0F 38 F5 /r
|
Write 8 bytes to user shadow stack | |||
SETSSBSY
|
F3 0F 01 E8
|
Mark shadow stack busy | |||
CLRSSBSY m64
|
F3 0F AE /6
|
Clear shadow stack busy flag | |||
|
ENDBR32
|
F3 0F 1E FB
|
Terminate indirect branch in 32-bit mode[b] | 3 | Tiger Lake |
ENDBR64
|
F3 0F 1E FA
|
Terminate indirect branch in 64-bit mode[b] | |||
NOTRACK
|
3E [c]
|
Prefix used with indirect CALL /JMP near instructions (opcodes FF /2 and FF /4 ) to indicate that the branch target is not required to start with an ENDBR32/64 instruction. Prefix only honored when NO_TRACK_EN flag is set.
|
RDSSPD
and RDSSPQ
instructions act as NOPs on processors where shadow stacks are disabled or CET is not supported.
ENDBR32
and ENDBR64
act as NOPs on processors that don't support CET_IBT or where IBT is disabled.
Instruction Set Extension | Instruction mnemonics |
Opcode | Instruction description | Ring | Added in |
---|---|---|---|---|---|
PREFETCHNTA m8
|
0F 18 /0
|
Prefetch with Non-Temporal Access. Prefetch data under the assumption that the data will be used only once, and attempt to minimize cache pollution from said data. The methods used to minimize cache pollution are implementation-dependent.[b] |
3 | Pentium III, (K7),[a] (Geode GX2),[a] Nehemiah, Efficeon | |
PREFETCHT0 m8
|
0F 18 /1
|
Prefetch data to all levels of the cache hierarchy.[b] | |||
PREFETCHT1 m8
|
0F 18 /2
|
Prefetch data to all levels of the cache hierarchy except L1 cache.[b] | |||
PREFETCHT2 m8
|
0F 18 /3
|
Prefetch data to all levels of the cache hierarchy except L1 and L2 caches.[b] | |||
SFENCE
|
NP 0F AE F8+x[c]
|
Store Fence.[d] | |||
|
LFENCE
|
NP 0F AE E8+x[c]
|
Load Fence and Dispatch Serialization.[e] | 3 | Pentium 4, K8, Efficeon, C7 Esther |
MFENCE
|
NP 0F AE F0+x[c]
|
Memory Fence.[f] | |||
MOVNTI m32,r32 MOVNTI m64,r64
|
NP 0F C3 /r NP REX.W 0F C3 /r
|
Non-Temporal Memory Store. | |||
PAUSE
|
F3 90 [g]
|
Pauses CPU thread for a short time period.[h] Intended for use in spinlocks.[i] | |||
|
CLFLUSH m8
|
NP 0F AE /7
|
Flush one cache line to memory. In a system with multiple cache hierarchy levels and/or multiple processors each with their own caches, the line is flushed from all of them. |
3 | (SSE2), Geode LX |
|
MONITOR [l]MONITOR EAX,ECX,EDX
|
NP 0F 01 C8
|
Start monitoring a memory location for memory writes. The memory address to monitor is given by DS:AX/EAX/RAX.[m] ECX and EDX are reserved for extra extension and hint flags, respectively.[n] |
Usually 0[o] | Prescott, Yonah, Bonnell, K10, Nano |
MWAIT [l]MWAIT EAX,ECX
|
NP 0F 01 C9
|
Wait for a write to a monitored memory location previously specified with MONITOR .[p]ECX and EAX are used to provide extra extension[q] and hint[r] flags, respectively. MWAIT hints are commonly used for CPU power management.
| |||
|
GETSEC
|
NP 0F 37 [s]
|
Perform an SMX function. The leaf function to perform is given in EAX.[t] Depending on leaf function, the instruction may take additional arguments in RBX, ECX and EDX. |
Usually 0[u] | Conroe/Merom, WuDaoKou,[96] Tremont |
|
XSAVE mem XSAVE64 mem
|
NP 0F AE /4 NP REX.W 0F AE /4
|
Save state components specified by EDX:EAX to memory. | 3 | Penryn,[v] Bulldozer, Jaguar, Goldmont, ZhangJiang |
XRSTOR mem XRSTOR64 mem
|
NP 0F AE /5 NP REX.W 0F AE /5
|
Restore state components specified by EDX:EAX from memory. | |||
XGETBV
|
NP 0F 01 D0
|
Get value of Extended Control Register. Reads an XCR specified by ECX into EDX:EAX.[w] | |||
XSETBV
|
NP 0F 01 D1
|
Set Extended Control Register. Write the value in EDX:EAX to the XCR specified by ECX. |
0 | ||
|
RDTSCP
|
0F 01 F9
|
Read Time Stamp Counter and processor core ID.[x] The TSC value is placed in EDX:EAX and the core ID in ECX.[y] |
Usually 3[z] | K8,[aa] Nehalem, Silvermont, Nano |
|
POPCNT r16,r/m16 POPCNT r32,r/m32
|
F3 0F B8 /r
|
Count the number of bits that are set to 1 in its source argument. | 3 | K10, Nehalem, Nano 3000 |
POPCNT r64,r/m64
|
F3 REX.W 0F B8 /r
| ||||
|
CRC32 r32,r/m8
|
F2 0F 38 F0 /r
|
Accumulate CRC value using the CRC-32C (Castagnoli) polynomial 0x11EDC6F41 (normal form 0x1EDC6F41). This is the polynomial used in iSCSI. In contrast to the more popular one used in Ethernet, its parity is even, and it can thus detect any error with an odd number of changed bits. | 3 | Nehalem, Bulldozer, ZhangJiang |
CRC32 r32,r/m16 CRC32 r32,r/m32
|
F2 0F 38 F1 /r
| ||||
CRC32 r64,r/m64
|
F2 REX.W 0F 38 F1 /r
| ||||
|
XSAVEOPT mem XSAVEOPT64 mem
|
NP 0F AE /6 NP REX.W 0F AE /6
|
Save state components specified by EDX:EAX to memory. Unlike the older XSAVE instruction, XSAVEOPT may abstain from writing processor state items to memory when the CPU can determine that they haven't been modified since the most recent corresponding XRSTOR .
|
3 | Sandy Bridge, Steamroller, Puma, Goldmont, ZhangJiang |
|
RDFSBASE r32 RDFSBASE r64
|
F3 0F AE /0 F3 REX.W 0F AE /0
|
Read base address of FS: segment. | 3 | Ivy Bridge, Steamroller, Goldmont, ZhangJiang |
RDGSBASE r32 RDGSBASE r64
|
F3 0F AE /1 F3 REX.W 0F AE /1
|
Read base address of GS: segment. | |||
WRFSBASE r32 WRFSBASE r64
|
F3 0F AE /2 F3 REX.W 0F AE /2
|
Write base address of FS: segment. | |||
WRGSBASE r32 WRGSBASE r64
|
F3 0F AE /3 F3 REX.W 0F AE /3
|
Write base address of GS: segment. | |||
|
MOVBE r16,m16 MOVBE r32,m32
|
NFx 0F 38 F0 /r
|
Load from memory to register with byte-order swap. | 3 | Bonnell, Haswell, Jaguar, Steamroller, ZhangJiang |
MOVBE r64,m64
|
NFx REX.W 0F 38 F0 /r
| ||||
MOVBE m16,r16 MOVBE m32,r32
|
NFx 0F 38 F1 /r
|
Store to memory from register with byte-order swap. | |||
MOVBE m64,r64
|
NFx REX.W 0F 38 F1 /r
| ||||
|
INVPCID reg,m128
|
66 0F 38 82 /r
|
Invalidate entries in TLB and paging-structure caches based on invalidation type in register[ac] and descriptor in m128. The descriptor contains a memory address and a PCID.[ad]
Instruction is serializing on AMD but not Intel CPUs. |
0 | Haswell, ZhangJiang, Zen 3, Gracemont |
|
PREFETCHW m8
|
0F 0D /1
|
Prefetch cache line with intent to write.[b] | 3 | K6-2, (Cedar Mill),[af] Silvermont, Broadwell, ZhangJiang |
PREFETCH m8 [ag]
|
0F 0D /0
|
Prefetch cache line.[b] | |||
|
ADCX r32,r/m32 ADCX r64,r/m64
|
66 0F 38 F6 /r 66 REX.W 0F 38 F6 /r
|
Add-with-carry. Differs from the older ADC instruction in that it leaves flags other than EFLAGS.CF unchanged.
|
3 | Broadwell, Zen 1, ZhangJiang, Gracemont |
ADOX r32,r/m32 ADOX r64,r/m64
|
F3 0F 38 F6 /r F3 REX.W 0F 38 F6 /r
|
Add-with-carry, with the overflow-flag EFLAGS.OF serving as carry input and output, with other flags left unchanged.
| |||
|
CLAC
|
NP 0F 01 CA
|
Clear EFLAGS.AC .
|
0 | Broadwell, Goldmont, Zen 1, LuJiaZui[ah] |
STAC
|
NP 0F 01 CB
|
Set EFLAGS.AC .
| |||
|
CLFLUSHOPT m8
|
NFx 66 0F AE /7
|
Flush cache line. Differs from the older CLFLUSH instruction in that it has more relaxed ordering rules with respect to memory stores and other cache line flushes, enabling improved performance.
|
3 | Skylake, Goldmont, Zen 1 |
|
XSAVEC mem XSAVEC64 mem
|
NP 0F C7 /4 NP REX.W 0F C7 /4
|
Save processor extended state components specified by EDX:EAX to memory with compaction. | 3 | Skylake, Goldmont, Zen 1 |
|
XSAVES mem XSAVES64 mem
|
NP 0F C7 /5 NP REX.W 0F C7 /5
|
Save processor extended state components specified by EDX:EAX to memory with compaction and optimization if possible. | 0 | Skylake, Goldmont, Zen 1 |
XRSTORS mem XRSTORS64 mem
|
NP 0F C7 /3 NP REX.W 0F C7 /3
|
Restore state components specified by EDX:EAX from memory. | |||
|
PREFETCHWT1 m8
|
0F 0D /2
|
Prefetch data with T1 locality hint (fetch into L2 cache, but not L1 cache) and intent-to-write hint.[b] | 3 | Knights Landing, YongFeng |
|
RDPKRU
|
NP 0F 01 EE
|
Read User Page Key register into EAX. | 3 | Skylake-X, Comet Lake, Gracemont, Zen 3, LuJiaZui[ah] |
WRPKRU
|
NP 0F 01 EF
|
Write data from EAX into User Page Key Register, and perform a Memory Fence. | |||
|
CLWB m8
|
NFx 66 0F AE /6
|
Write one cache line back to memory without invalidating the cache line. | 3 | Skylake-X, Zen 2, Tiger Lake, Tremont |
|
RDPID r32
|
F3 0F C7 /7
|
Read processor core ID into register.[x] | 3[ai] | Goldmont Plus, Zen 2, Ice Lake, LuJiaZui[ah] |
|
WBNOINVD
|
F3 0F 09
|
Write back all dirty cache lines to memory without invalidation.[aj] Instruction is serializing. | 0 | Zen 2, Ice Lake-SP |
PREFETCH*
instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated.
SFENCE
, LFENCE
and MFENCE
instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction.
SFENCE
instruction ensures that all memory stores after the SFENCE
instruction are made globally observable after all memory stores before the SFENCE
. This imposes ordering on stores that can otherwise be reordered, such as non-temporal stores and stores to WC (Write-Combining) memory regions.[86]SFENCE
also acts as a reordering barrier on cache flushes/writebacks performed with the CLFLUSH
, CLFLUSHOPT
and CLWB
instructions. (Older AMD CPUs require MFENCE
to order CLFLUSH
.)SFENCE
is not ordered with respect to LFENCE
, and an SFENCE+LFENCE
sequence is not sufficient to prevent a load from being reordered past a previous store.[87] To prevent such reordering, it is necessary to execute an MFENCE
, LOCK
or a serializing instruction.
LFENCE
instruction ensures that all memory loads after the LFENCE
instruction are made globally observable after all memory loads before the LFENCE
.LFENCE
instruction provides a stronger ordering guarantee:[88] it is dispatch-serializing, meaning that instructions after the LFENCE
instruction are allowed to start executing only after all instructions before it have retired (which will ensure that all preceding loads but not necessarily stores have completed). The effect of dispatch-serialization is that LFENCE
also acts as a speculation barrier and a reordering barrier for accesses to non-memory resources such as performance counters (accessed through e.g. RDTSC
or RDPMC
) and x2apic MSRs.LFENCE
is not necessarily dispatch-serializing by default – however, on all AMD CPUs that support any form of non-dispatch-serializing LFENCE
, it can be made dispatch-serializing by setting bit 1 of MSR C001_1029
.[89]
MFENCE
instruction ensures that all memory loads, stores and cacheline-flushes after the MFENCE
instruction are made globally observable after all memory loads, stores and cacheline-flushes before the MFENCE
.MFENCE
is not dispatch-serializing, and therefore cannot be used to enforce ordering on accesses to non-memory resources such as performance counters and x2apic MSRs. MFENCE
is still ordered with respect to LFENCE
, so if a memory barrier with dispatch serialization is needed, then it can be obtained by issuing an MFENCE
followed by an LFENCE
.[47]MFENCE
is serializing.
PAUSE
instruction in 64-bit mode is, unlike NOP
, unaffected by the presence of the REX.R
prefix. Neither NOP
nor PAUSE
are affected by the other bits of the REX
prefix. A few examples of opcode 90
with various prefixes in 64-bit mode are:90
is NOP
41 90
is XCHG R8D,EAX
4E 90
is NOP
49 90
is XCHG R8,RAX
F3 90
is PAUSE
F3 41 90
is PAUSE
F3 4F 90
is PAUSE
PAUSE
instruction is implementation-dependent.PAUSE
will execute as NOP.
PAUSE
many times in a short time interval may cause a #VMEXIT. The number of PAUSE
executions and interval length that can trigger #VMEXIT are platform-specific.
CLFLUSH
instruction was introduced together with SSE2, it has its own CPUID flag and may be present on processors not otherwise implementing SSE2 and/or absent from processors that otherwise implement SSE2. (E.g. AMD Geode LX supports CLFLUSH
but not SSE2.)
MONITOR
and MWAIT
instructions were introduced at the same time as SSE3, they have their own CPUID flag that needs to be checked separately from the SSE3 CPUID flag (e.g. Athlon 64 X2 and VIA C7 supported SSE3 but not MONITOR.)
MONITOR
and MWAIT
instructions, older Intel documentation[90] lists instruction mnemonics with explicit operands (MONITOR EAX,ECX,EDX
and MWAIT EAX,ECX
), while newer documentation omits these operands. Assemblers/disassemblers may support one or both of these variants.[91]
MONITOR
, the DS: segment can be overridden with a segment prefix.MONITOR
instruction. As such, the instruction requires ECX=0 and ignores EDX.
MONITOR
and MWAIT
to run in Ring 3.
MWAIT
may be ended by system events other than a memory write (e.g. cacheline evictions, interrupts) – the exact set of events that can cause the wait to end is implementation-specific.MONITOR
before using MWAIT
to wait for memory writes again.
MWAIT
in the ECX register are:
Bits | MWAIT Extension |
---|---|
0 | Treat interrupts as break events, even when masked (EFLAGS.IF=0). (Available on all non-NetBurst implementations of MWAIT .)
|
1 | Timed MWAIT: end the wait when the TSC reaches or exceeds the value in EDX:EBX. (Undocumented, reportedly present in Intel Skylake and later Intel processors)[94] |
2 | Monitorless MWAIT[95] |
31:3 | Not used, must be set to zero. |
MWAIT
in the EAX register are:
Bits | MWAIT Hint |
---|---|
3:0 | Sub-state within a C-state (see bits 7:4) (Intel processors only) |
7:4 | Target CPU power C-state during wait, minus 1. (E.g. 0000b for C1, 0001b for C2, 1111b for C0) |
31:8 | Not used. |
The C-states are processor-specific power states, which do not necessarily correspond 1:1 to ACPI C-states.
GETSEC
instruction, the REX.W
prefix enables 64-bit addresses for the EXITAC leaf function only - REX prefixes are otherwise permitted but ignored for the instruction.
GETSEC
(selected by EAX) are:
EAX | Function |
---|---|
0 (CAPABILITIES) | Report SMX capabilities |
2 (ENTERACCES) | Enter execution of authenticated code module |
3 (EXITAC) | Exit execution of authenticated code module |
4 (SENTER) | Enter measured environment |
5 (SEXIT) | Exit measured environment |
6 (PARAMETERS) | Report SMX parameters |
7 (SMCTRL) | SMX Mode Control |
8 (WAKEUP) | Wake up sleeping processors in measured environment |
Any unsupported value in EAX causes an #UD exception.
GETSEC
, most leaf functions are restricted to Ring 0, but the CAPABILITIES (EAX=0) and PARAMETERS (EAX=6) leaf functions are available in Ring 3.
XGETBV
with ECX=1 is permitted – this will not return XCR1
(no such register exists) but instead return XCR0
bitwise-ANDed with the current value of the "XINUSE" state-component bitmap (a bitmap of XSAVE state-components that are not known to be in their initial state).XGETBV
is indicated by CPUID.(EAX=0Dh,ECX=1):EAX[bit 2].
RDTSCP
and RDPID
is actually the TSC_AUX
MSR (MSR C000_0103h
). Whether this value actually corresponds to a processor ID is a matter of operating system convention.
RDTSC
instruction, RDTSCP
will delay the TSC read until all previous instructions have retired, guaranteeing ordering with respect to preceding memory loads (but not stores). RDTSCP
is not ordered with respect to subsequent instructions, though.
RDTSCP
can be run outside Ring 0 only if CR4.TSD=0
.
RDTSCP
was added in stepping F of the AMD K8, and is not available on earlier steppings.
POPCNT
instruction was introduced at the same time as SSE4.2, it is not considered to be a part of SSE4.2, but instead a separate extension with its own CPUID flag.INVPCID
(selected by register argument) are:
Value | Function |
---|---|
0 | Invalidate TLB entries matching PCID and virtual memory address in descriptor, excluding global entries |
1 | Invalidate TLB entries matching PCID in descriptor, excluding global entries |
2 | Invalidate all TLB entries, including global entries |
3 | Invalidate all TLB entries, excluding global entries |
Any unsupported value in the register argument causes a #GP exception.
INVLPG
instruction, INVPCID
will cause a #GP exception if the provided memory address is non-canonical. This discrepancy has been known to cause security issues.[97]
PREFETCH
and PREFETCHW
instructions are mandatory parts of the 3DNow! instruction set extension, but are also available as a standalone extension on systems that do not support 3DNow!
PREFETCH
and PREFETCHW
(0F 0D /r
) execute as NOPs on Intel CPUs from Cedar Mill (65nm Pentium 4) onwards, with PREFETCHW
gaining prefetch functionality from Broadwell onwards.
PREFETCH
(0F 0D /0
) instruction is a 3DNow! instruction, present on all processors with 3DNow! but not necessarily on processors with the PREFETCHW extension.0F 0D /0
as well as opcodes 0F 0D /2../7
are all documented to be performing prefetch.0F 0D /2
being PREFETCHWT1 m8
on Xeon Phi only) – third party testing[99] indicates that some or all of these opcodes may be performing prefetch on at least some Intel Core CPUs.
RDTSCP
instruction which can also be used to read the processor ID, user-mode RDPID
is not disabled by CR4.TSD=1
.
WBNOINVD
instruction will execute as WBINVD
if run on a system that doesn't support the WBNOINVD extension.WBINVD
differs from WBNOINVD
in that WBINVD
will invalidate all cache lines after writeback.
Instruction Set Extension | Instruction mnemonics |
Opcode | Instruction description | Ring | Added in |
---|---|---|---|---|---|
|
(HWNT )[a]
|
2E [b]
|
Instruction prefix: branch hint weakly not taken. | 3 | Pentium 4,[c] Meteor Lake[103] |
(HST )[a]
|
3E [b]
|
Instruction prefix: branch hint strongly taken. | |||
|
ENCLS
|
NP 0F 01 CF
|
Perform an SGX Supervisor function. The function to perform is given in EAX[d] - depending on function, the instruction may take additional input operands in RBX, RCX and RDX.
Depending on function, the instruction may return data in RBX and/or an error code in EAX. |
0 | |
ENCLU
|
NP 0F 01 D7
|
Perform an SGX User function. The function to perform is given in EAX[f] - depending on function, the instruction may take additional input operands in RBX, RCX and RDX.
Depending on function, the instruction may return data/status information in EAX and/or RCX. |
3[g] | ||
ENCLV
|
NP 0F 01 C0
|
Perform an SGX Virtualization function. The function to perform is given in EAX[h] - depending on function, the instruction may take additional input operands in RBX, RCX and RDX.
Instruction returns status information in EAX. |
0[i] | ||
|
PTWRITE r/m32 PTWRITE r/m64
|
F3 0F AE /4 F3 REX.W 0F AE /4
|
Read data from register or memory to encode into a PTW packet.[j] | 3 | Kaby Lake, Goldmont Plus |
|
MOVDIRI m32,r32 MOVDIRI m64,r64
|
NP 0F 38 F9 /r NP REX.W 0F 38 F9 /r
|
Store to memory using Direct Store (memory store that is not cached or write-combined with other stores). | 3 | Tiger Lake, Tremont |
|
MOVDIR64B reg,m512
|
66 0F 38 F8 /r
|
Move 64 bytes of data from m512 to address given by ES:reg. The 64-byte write is done atomically with Direct Store.[k] | 3 | Tiger Lake, Tremont |
|
PCONFIG
|
NP 0F 01 C5
|
Perform a platform feature configuration function. The function to perform is specified in EAX[l] - depending on function, the instruction may take additional input operands in RBX, RCX and RDX.
If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0. |
0 | Ice Lake-SP |
|
CLDEMOTE m8
|
NP 0F 1C /0
|
Move cache line containing m8 from CPU L1 cache to a more distant level of the cache hierarchy.[m] | 3 | (Tremont), (Alder Lake), Sapphire Rapids[n] |
|
UMONITOR r16/32/64
|
F3 0F AE /6
|
Start monitoring a memory location for memory writes. The memory address to monitor is given by the register argument.[o] | 3 | Tremont, Alder Lake |
UMWAIT r32 UMWAIT r32,EDX,EAX
|
F2 0F AE /6
|
Timed wait for a write to a monitored memory location previously specified with UMONITOR . In the absence of a memory write, the wait will end when either the TSC reaches the value specified by EDX:EAX or the wait has been going on for an OS-controlled maximum amount of time.[p]
|
Usually 3[q] | ||
TPAUSE r32 TPAUSE r32,EDX,EAX
|
66 0F AE /6
|
Wait until the Time Stamp Counter reaches the value specified in EDX:EAX.[p]
The register argument to the | |||
|
SERIALIZE
|
NP 0F 01 E8
|
Serialize instruction fetch and execution.[s] | 3 | Alder Lake |
|
HRESET imm8
|
F3 0F 3A F0 C0 ib
|
Request that the processor reset selected components of hardware-maintained prediction history. A bitmap of which components of the CPU's prediction history to reset is given in EAX (the imm8 argument is ignored).[t] | 0 | Alder Lake |
|
SENDUIPI reg
|
F3 0F C7 /6
|
Send Interprocessor User Interrupt.[u] | 3 | Sapphire Rapids |
UIRET
|
F3 0F 01 EC
|
User Interrupt Return. | |||
TESTUI
|
F3 0F 01 ED
|
Test User Interrupt Flag. Copies UIF to EFLAGS.CF . | |||
CLUI
|
F3 0F 01 EE
|
Clear User Interrupt Flag. | |||
STUI
|
F3 0F 01 EF
|
Set User Interrupt Flag. | |||
|
ENQCMD r32/64,m512
|
F2 0F 38 F8 /r
|
Enqueue Command. Reads a 64-byte "command data" structure from memory (m512 argument) and writes atomically to a memory-mapped Enqueue Store device (register argument provides the memory address of this device, using ES segment and requiring 64-byte alignment.) Sets ZF=0 to indicate that device accepted the command, or ZF=1 to indicate that command was not accepted (e.g. queue full or the memory location was not an Enqueue Store device.) | 3 | Sapphire Rapids |
ENQCMDS r32/64,m512
|
F3 0F 38 F8 /r
|
Enqueue Command Supervisor. Differs from ENQCMD in that it can place an arbitrary PASID (process address-space identifier) and a privilege-bit in the "command data" to enqueue.
|
0 |
HWNT
and HST
are listed in early Willamette documentation only[101] - later Intel documentation lists the branch hint prefixes without assigning them a mnemonic.[102]
2E
and 3E
prefixes are interpreted as branch hints only when used with the Jcc
conditional branch instructions (opcodes 70..7F
and 0F 80..8F
) - when used with other opcodes, they may take other meanings (e.g. for instructions with memory operands outside 64-bit mode, they will work as segment-override prefixes CS:
and DS:
, respectively). On processors that don't support branch hints, these prefixes are accepted but ignored when used with Jcc
.
ENCLS
(selected by EAX) are:
EAX | Function |
---|---|
0 (ECREATE) | Create an enclave |
1 (EADD) | Add a page |
2 (EINIT) | Initialize an enclave |
3 (EREMOVE) | Remove a page from EPC (Enclave Page Cache) |
4 (EDBGRD) | Read data by debugger |
5 (EDBGWR) | Write data by debugger |
6 (EEXTEND) | Extend EPC page measurement |
7 (ELDB) | Load an EPC page as blocked |
8 (ELDU) | Load an EPC page as unblocked |
9 (EBLOCK) | Block an EPC page |
A (EPA) | Add version array |
B (EWB) | Writeback/invalidate EPC page |
C (ETRACK) | Activate EBLOCK checks |
Added with SGX2 | |
D (EAUG) | Add page to initialized enclave |
E (EMODPTR) | Restrict permissions of EPC page |
F (EMODT) | Change type of EPC page |
Added with OVERSUB[104] | |
10 (ERDINFO) | Read EPC page type/status info |
11 (ETRACKC) | Activate EBLOCK checks |
12 (ELDBC) | Load EPC page as blocked with enhanced error reporting |
13 (ELDUC) | Load EPC page as unblocked with enhanced error reporting |
Other | |
18 (EUPDATESVN) | Update SVN (Security Version Number) after live microcode update[105] |
Any unsupported value in EAX causes a #GP exception.
ENCLU
(selected by EAX) are:
EAX | Function |
---|---|
0 (EREPORT) | Create a cryptographic report |
1 (EGETKEY) | Create a cryptographic key |
2 (EENTER) | Enter an Enclave |
3 (ERESUME) | Re-enter an Enclave |
4 (EEXIT) | Exit an Enclave |
Added with SGX2 | |
5 (EACCEPT) | Accept changes to EPC page |
6 (EMODPE) | Extend EPC page permissions |
7 (EACCEPTCOPY) | Initialize pending page |
Added with TDX[108] | |
8 (EVERIFYREPORT2) | Verify a cryptographic report of a trust domain |
Added with AEX-Notify | |
9 (EDECCSSA) | Decrement TCS.CSSA |
Any unsupported value in EAX causes a #GP exception.
The EENTER and ERESUME functions cannot be executed inside an SGX enclave – the other functions can only be executed inside an enclave.
ENCLU
can only be executed in ring 3, not rings 0/1/2.
ENCLV
(selected by EAX) are:
EAX | Function |
---|---|
Added with OVERSUB[104] | |
0 (EDECVIRTCHILD) | Decrement VIRTCHILDCNT in SECS |
1 (EINCVIRTCHILD) | Increment VIRTCHILDCNT in SECS |
2 (ESETCONTEXT) | Set ENCLAVECONTEXT field in SECS |
Any unsupported value in EAX causes a #GP exception.
The ENCLV
instruction is only present on systems that support the EPC Oversubscription Extensions to SGX ("OVERSUB").
ENCLV
is only available if Intel VMX operation is enabled with VMXON
, and will produce #UD otherwise.
PTWRITE
, the write to the Processor Trace Packet will only happen if a set of enable-bits (the "TriggerEn", "ContextEn", "FilterEn" bits of the RTIT_STATUS
MSR and the "PTWEn" bit of the RTIT_CTL
MSR) are all set to 1.PTWRITE
instruction is indicated in the SDM to cause an #UD exception if the 66h instruction prefix is used, regardless of other prefixes.
MOVDIR64
, the destination address given by ES:reg must be 64-byte aligned.67h
prefix.PCONFIG
(selected by EAX) are:
EAX | Function |
---|---|
0 | MKTME_KEY_PROGRAM: Program key and encryption mode to use with an TME-MK Key ID. |
Added with TSE | |
1 | TSE_KEY_PROGRAM: Direct key programming for TSE. |
2 | TSE_KEY_PROGRAM_WRAPPED: Wrapped key programming for TSE. |
Any unsupported value in EAX causes a #GP(0) exception.
CLDEMOTE
, the cache level that it will demote a cache line to is implementation-dependent.UMONITOR
, the operand size of the address argument is given by the address size, which may be overridden by the 67h
prefix. The default segment used is DS:, which can be overridden with a segment prefix.
UMWAIT
and TPAUSE
instructions, the operating system can use the IA32_UMWAIT_CONTROL
MSR to limit the maximum amount of time that a single UMWAIT
/TPAUSE
invocation is permitted to wait. The UMWAIT
and TPAUSE
instructions will set RFLAGS.CF
to 1 if they reached the IA32_UMWAIT_CONTROL
-defined time limit and 0 otherwise.
TPAUSE
and UMWAIT
can be run outside Ring 0 only if CR4.TSD=0
.
UMWAIT
and TPAUSE
instructions, the following flag bits are supported:
Bits | Usage |
---|---|
0 | Preferred optimization state.
|
31:1 | (Reserved) |
CPUID
and IRET
, these instructions perform additional functions, causing side-effects and reduced performance when stand-alone instruction serialization is needed. (CPUID
additionally has the issue that it causes a mandatory #VMEXIT when executed under virtualization, which causes a very large overhead.) The SERIALIZE
instruction performs serialization only, avoiding these added costs.
HRESET
is provided by CPUID.(EAX=20h,ECX=0):EBX.Bit | Usage |
---|---|
0 | Intel Thread Director history |
31:1 | (Reserved) |
SENDUIPI
is an index to pick an entry from the UITT (User-Interrupt Target Table, a table specified by the new UINTR_TT
and UINT_MISC
MSRs.)
UIRET
instruction always sets UIF (User Interrupt Flag) to 1. On Emerald Rapids and later processors, UIRET
will set UIF to the value of bit 1 of the value popped off the stack for RFLAGS - this functionality is indicated by CPUID.(EAX=7,ECX=1):EDX[17]
.
Instruction Set Extension | Instruction mnemonics |
Opcode | Instruction description | Ring | Added in |
---|---|---|---|---|---|
|
MOV reg,CR8
|
F0 0F 20 /0 [b]
|
Read the CR8 register. | 0 | K8[c] |
MOV CR8,reg
|
F0 0F 22 /0 [b]
|
Write to the CR8 register. | |||
|
MONITORX
|
NP 0F 01 FA
|
Start monitoring a memory location for memory writes. Similar to older MONITOR , except available in user mode.
|
3 | Excavator |
MWAITX
|
NP 0F 01 FB
|
Wait for a write to a monitored memory location previously specified with MONITORX .MWAITX differs from the older MWAIT instruction mainly in that it runs in user mode and that it can accept an optional timeout argument (given in TSC time units) in EBX (enabled by setting bit[1] of ECX to 1.)
| |||
|
CLZERO rAX
|
NP 0F 01 FC
|
Write zeroes to all bytes in a memory region that has the size and alignment of a CPU cache line and contains the byte addressed by DS:rAX.[d] | 3 | Zen 1 |
|
RDPRU
|
NP 0F 01 FD
|
Read selected MSRs (mainly performance counters) in user mode. ECX specifies which register to read.[e]
The value of the MSR is returned in EDX:EAX. |
Usually 3[f] | Zen 2 |
|
MCOMMIT
|
F3 0F 01 FA
|
Ensure that all preceding stores in thread have been committed to memory, and that any errors encountered by these stores have been signalled to any associated error logging resources. The set of errors that can be reported and the logging mechanism are platform-specific. Sets EFLAGS.CF to 0 if any errors occurred, 1 otherwise.
|
3 | Zen 2 |
|
INVLPGB
|
NP 0F 01 FE
|
Invalidate TLB Entries for a range of pages, with broadcast. The invalidation is performed on the processor executing the instruction, and also broadcast to all other processors in the system. rAX takes the virtual address to invalidate and some additional flags, ECX takes the number of pages to invalidate, and EDX specifies ASID and PCID to perform TLB invalidation for. |
0 | Zen 3 |
TLBSYNC
|
NP 0F 01 FF
|
Synchronize TLB invalidations. Wait until all TLB invalidations signalled by preceding invocations of the INVLPGB instruction on the same logical processor have been responded to by all processors in the system. Instruction is serializing.
|
REX.R
prefix, e.g. 44 0F 20 07
(MOV RDI,CR8
). However, the REX.R
prefix is only available in 64-bit mode.F0
(LOCK
) prefix instead of REX.R
– this provides access to CR8 outside 64-bit mode.
11b
.LOCK
prefix with the REX.R
prefix is not permitted and will cause an #UD exception.
CLZERO
, the address size and 67h prefix control whether to use AX, EAX or RAX as address. The default segment DS: can be overridden by a segment-override prefix. The provided address does not need to be aligned – hardware will align it as necessary.CLZERO
instruction is intended for recovery from otherwise-fatal Machine Check errors. It is non-cacheable, cannot be used to allocate a cache line without a memory access, and should not be used for fast memory clears.[111]
RDPRU
does not necessarily match that of RDMSR
/WRMSR
.RDPRU
as of December 2022 are:
ECX | Register |
---|---|
0 | MPERF (MSR 0E7h: Maximum Performance Frequency Clock Count) |
1 | APERF (MSR 0E8h: Actual Performance Frequency Clock Count) |
Unsupported values in ECX return 0.
CR4.TSD=1
, then the RDPRU
instruction can only run in ring 0.
The x87 coprocessor, if present, provides support for floating-point arithmetic. The coprocessor provides eight data registers, each holding one 80-bit floating-point value (1 sign bit, 15 exponent bits, 64 mantissa bits) – these registers are organized as a stack, with the top-of-stack register referred to as "st" or "st(0)", and the other registers referred to as st(1),st(2),...st(7). It additionally provides a number of control and status registers, including "PC" (precision control, to control whether floating-point operations should be rounded to 24, 53 or 64 mantissa bits) and "RC" (rounding control, to pick rounding-mode: round-to-zero, round-to-positive-infinity, round-to-negative-infinity, round-to-nearest-even) and a 4-bit condition code register "CC", whose four bits are individually referred to as C0,C1,C2 and C3). Not all of the arithmetic instructions provided by x87 obey PC and RC.
Instruction description | Mnemonic | Opcode | Additional items | |
---|---|---|---|---|
x87 Non-Waiting[a] FPU Control Instructions | Waiting mnemonic[b] | |||
Initialize x87 FPU | FNINIT
|
DB E3 |
FINIT
| |
Load x87 Control Word | FLDCW m16 |
D9 /5 |
(none) | |
Store x87 Control Word | FNSTCW m16 |
D9 /7 |
FSTCW
| |
Store x87 Status Word | FNSTSW m16
|
DD /7 |
FSTSW
| |
Clear x87 Exception Flags | FNCLEX
|
DB E2 |
FCLEX
| |
Load x87 FPU Environment | FLDENV m112/m224 [c]
|
D9 /4 |
(none) | |
Store x87 FPU Environment | FNSTENV m112/m224 [c]
|
D9 /6 |
FSTENV
| |
Save x87 FPU State, then initialize x87 FPU | FNSAVE m752/m864 [c]
|
DD /6 |
FSAVE
| |
Restore x87 FPU State | FRSTOR m752/m864 [c]
|
DD /4 |
(none) | |
Enable Interrupts (8087 only)[d] | FNENI |
DB E0 |
FENI
| |
Disable Interrupts (8087 only)[d] | FNDISI |
DB E1 |
FDISI
| |
x87 Floating-point Load/Store/Move Instructions | precision control |
rounding control | ||
Load floating-point value onto stack | FLD m32 |
D9 /0 |
No | — |
FLD m64 |
DD /0
| |||
FLD m80 |
DB /5
| |||
FLD st(i) |
D9 C0+i
| |||
Store top-of-stack floating-point value to memory or stack register | FST m32 |
D9 /2 |
No | Yes |
FST m64 |
DD /2
| |||
FST st(i) [e]
|
DD D0+i |
No | — | |
Store top-of-stack floating-point value to memory or stack register, then pop | FSTP m32 |
D9 /3 |
No | Yes |
FSTP m64 |
DD /3
| |||
FSTP m80 [e]
|
DB /7 |
No | — | |
FSTP st(i) [e][f]
|
DD D8+i
| |||
DF D0+i[g] | ||||
DF D8+i[g] | ||||
Push +0.0 onto stack | FLDZ |
D9 EE |
No | — |
Push +1.0 onto stack | FLD1 |
D9 E8
| ||
Push π (approximately 3.14159) onto stack | FLDPI |
D9 EB |
No | 387[h] |
Push (approximately 3.32193) onto stack | FLDL2T |
D9 E9
| ||
Push (approximately 1.44269) onto stack | FLDL2E |
D9 EA
| ||
Push (approximately 0.30103) onto stack | FLDLG2 |
D9 EC
| ||
Push (approximately 0.69315) onto stack | FLDLN2 |
D9 ED
| ||
Exchange top-of-stack register with other stack register | FXCH st(i) [i][j]
|
D9 C8+i
|
No | — |
DD C8+i[g] | ||||
DF C8+i[g] | ||||
x87 Integer Load/Store Instructions | precision control |
rounding control | ||
Load signed integer value onto stack from memory, with conversion to floating-point | FILD m16 |
DF /0 |
No | — |
FILD m32 |
DB /0
| |||
FILD m64 |
DF /5
| |||
Store top-of-stack value to memory, with conversion to signed integer | FIST m16 |
DF /2 |
No | Yes |
FIST m32 |
DB /2
| |||
Store top-of-stack value to memory, with conversion to signed integer, then pop stack | FISTP m16 |
DF /3 |
No | Yes |
FISTP m32 |
DB /3
| |||
FISTP m64 |
DF /7
| |||
Load 18-digit Binary-Coded-Decimal integer value onto stack from memory, with conversion to floating-point | FBLD m80 [k]
|
DF /4 |
No | — |
Store top-of-stack value to memory, with conversion to 18-digit Binary-Coded-Decimal integer, then pop stack | FBSTP m80 |
DF /6 |
No | 387[h] |
x87 Basic Arithmetic Instructions | precision control |
rounding control | ||
Floating-point add
|
FADD m32 |
D8 /0 |
Yes | Yes |
FADD m64 |
DC /0
| |||
FADD st,st(i) |
D8 C0+i
| |||
FADD st(i),st |
DC C0+i
| |||
Floating-point multiply
|
FMUL m32 |
D8 /1 |
Yes | Yes |
FMUL m64 |
DC /1
| |||
FMUL st,st(i) |
D8 C8+i
| |||
FMUL st(i),st |
DC C8+i
| |||
Floating-point subtract
|
FSUB m32 |
D8 /4 |
Yes | Yes |
FSUB m64 |
DC /4
| |||
FSUB st,st(i) |
D8 E0+i
| |||
FSUB st(i),st |
DC E8+i
| |||
Floating-point reverse subtract
|
FSUBR m32 |
D8 /5 |
Yes | Yes |
FSUBR m64 |
DC /5
| |||
FSUBR st,st(i) |
D8 E8+i
| |||
FSUBR st(i),st |
DC E0+i
| |||
Floating-point divide[l]
|
FDIV m32 |
D8 /6 |
Yes | Yes |
FDIV m64 |
DC /6
| |||
FDIV st,st(i) |
D8 F0+i
| |||
FDIV st(i),st |
DC F8+i
| |||
Floating-point reverse divide
|
FDIVR m32 |
D8 /7 |
Yes | Yes |
FDIVR m64 |
DC /7
| |||
FDIVR st,st(i) |
D8 F8+i
| |||
FDIVR st(i),st |
DC F0+i
| |||
Floating-point compare
|
FCOM m32 |
D8 /2 |
No | — |
FCOM m64 |
DC /2
| |||
FCOM st(i) [i]
|
D8 D0+i
| |||
DC D0+i[g] | ||||
x87 Basic Arithmetic Instructions with Stack Pop | precision control |
rounding control | ||
Floating-point add and pop | FADDP st(i),st [i] |
DE C0+i |
Yes | Yes |
Floating-point multiply and pop | FMULP st(i),st [i] |
DE C8+i |
Yes | Yes |
Floating-point subtract and pop | FSUBP st(i),st [i] |
DE E8+i |
Yes | Yes |
Floating-point reverse-subtract and pop | FSUBRP st(i),st [i] |
DE E0+i |
Yes | Yes |
Floating-point divide and pop | FDIVP st(i),st [i] |
DE F8+i |
Yes | Yes |
Floating-point reverse-divide and pop | FDIVRP st(i),st [i] |
DE F0+i |
Yes | Yes |
Floating-point compare and pop | FCOMP m32 |
D8 /3 |
No | — |
FCOMP m64 |
DC /3
| |||
FCOMP st(i) [i]
|
D8 D8+i
| |||
DC D8+i[g] | ||||
DE D0+i[g] | ||||
Floating-point compare to st(1), then pop twice | FCOMPP |
DE D9 |
No | — |
x87 Basic Arithmetic Instructions with Integer Source Argument | precision control |
rounding control | ||
Floating-point add by integer | FIADD m16 |
DA /0 |
Yes | Yes |
FIADD m32 |
DE /0
| |||
Floating-point multiply by integer | FIMUL m16 |
DA /1 |
Yes | Yes |
FIMUL m32 |
DE /1
| |||
Floating-point subtract by integer | FISUB m16 |
DA /4 |
Yes | Yes |
FISUB m32 |
DE /4
| |||
Floating-point reverse-subtract by integer | FISUBR m16 |
DA /5 |
Yes | Yes |
FISUBR m32 |
DE /5
| |||
Floating-point divide by integer | FIDIV m16 |
DA /6 |
Yes | Yes |
FIDIV m32 |
DE /6
| |||
Floating-point reverse-divide by integer | FIDIVR m16 |
DA /7 |
Yes | Yes |
FIDIVR m32 |
DE /7
| |||
Floating-point compare to integer | FICOM m16 |
DA /2 |
No | — |
FICOM m32 |
DE /2
| |||
Floating-point compare to integer, and stack pop | FICOMP m16
|
DA /3 |
No | — |
FICOMP m32
|
DE /3
| |||
x87 Additional Arithmetic Instructions | precision control |
rounding control | ||
Floating-point change sign | FCHS |
D9 E0 |
No | — |
Floating-point absolute value | FABS |
D9 E1 |
No | — |
Floating-point compare top-of-stack value to 0 | FTST |
D9 E4 |
No | — |
Classify top-of-stack st(0) register value. The classification result is stored in the x87 CC register.[m] |
FXAM |
D9 E5 |
No | — |
Split the st(0) value into two values E and M representing the exponent and mantissa of st(0). The split is done such that , where E is an integer and M is a number whose absolute value is within the range . [n] st(0) is then replaced with E, after which M is pushed onto the stack. |
FXTRACT |
D9 F4 |
No | — |
Floating-point partial[o] remainder (not IEEE 754 compliant): | FPREM |
D9 F8 |
No | —[p] |
Floating-point square root | FSQRT |
D9 FA |
Yes | Yes |
Floating-point round to integer | FRNDINT |
D9 FC |
No | Yes |
Floating-point power-of-2 scaling. Rounds the value of st(1) to integer with round-to-zero, then uses it as a scale factor for st(0):[q] | FSCALE |
D9 FD |
No | Yes[r] |
x87 Transcendental Instructions[s] | Source operand range restriction | |||
Base-2 exponential minus 1, with extra precision for st(0) close to 0: | F2XM1 |
D9 F0
|
8087: 80387: | |
Base-2 Logarithm:followed by stack pop | FYL2X [t]
|
D9 F1 |
no restrictions | |
Partial Tangent: Computes from st(0) a pair of values X and Y, such thatThe Y value replaces the top-of-stack value, and then X is pushed onto the stack. On 80387 and later x87, but not original 8087, X is always 1.0 |
FPTAN |
D9 F2
|
8087: 80387: | |
Two-argument arctangent with quadrant adjustment:[u] followed by stack pop | FPATAN |
D9 F3
|
8087: 80387: no restrictions | |
Base-2 Logarithm plus 1, with extra precision for st(0) close to 0:followed by stack pop | FYL2XP1 [t] |
D9 F9
|
Intel: AMD: | |
Other x87 Instructions | ||||
No operation[v] | FNOP |
D9 D0
| ||
Decrement x87 FPU Register Stack Pointer | FDECSTP |
D9 F6
| ||
Increment x87 FPU Register Stack Pointer | FINCSTP |
D9 F7
| ||
Free x87 FPU Register | FFREE st(i)
|
DD C0+i
| ||
Check and handle pending unmasked x87 FPU exceptions | WAIT ,FWAIT |
9B
| ||
Floating-point store and pop, without stack underflow exception | FSTPNCE st(i) | D9 D8+i[g] | ||
Free x87 register, then stack pop | FFREEP st(i) | DF C0+i[g] |
WAIT
instruction is executed.FN
, there exists a pseudo-instruction that has the same mnemonic except without the N. These pseudo-instructions consist of a WAIT
instruction (opcode 9B
) followed by the corresponding non-waiting x87 instruction. For example:FNCLEX
is an instruction with the opcode DB E2
. The corresponding pseudo-instruction FCLEX
is then encoded as 9B DB E2
.FNSAVE ES:[BX+6]
is an instruction with the opcode 26 DD 77 06
. The corresponding pseudo-instruction FSAVE ES:[BX+6]
is then encoded as 9B 26 DD 77 06
FLDENV
, F(N)STENV
, FRSTOR
and F(N)SAVE
exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE
/FRSTOR
will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D
bit and the presence of the 66h
instruction prefix. On 8087 and 80287, only the 16-bit variants are available.REX.W
under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64
/FXRSTOR64
instead if 64-bit operation is desired.
F(N)DISI
and F(N)ENI
instructions to set/clear the Interrupt Mask bit (bit 7) of the x87 Control Word,[114] to control the interrupt.F(N)ENI
and F(N)DISI
instructions were kept for backwards compatibility, executing as NOPs that do not modify any x87 state.
FST
/FSTP
with an 80-bit destination (m80 or st(i)) and an sNaN source value will produce exceptions on AMD but not Intel FPUs.
FSTP ST(0)
is a commonly used idiom for popping a single register off the x87 register stack.
FBSTP
and the load-constant instructions always use the round-to-nearest rounding mode. On the 80387 and later x87 FPUs, these instructions will use the rounding mode specified in the x87 RC register.
FADDP
, FSUBP
, FSUBRP
, FMULP
, FDIVP
, FDIVRP
, FCOM
, FCOMP
and FXCH
instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.
FXCH
is implemented as a register renaming rather than a true data move. This has no semantic effect, but enables zero-cycle-latency operation. It also allows the instruction to break data dependencies for the x87 top-of-stack value, improving attainable performance for code optimized for these processors.
FBLD
instruction on non-BCD data is undefined.
FPREM
and FPATAN
.[121]
FXAM
instruction will set C0, C2 and C3 based on value type in st(0) as follows:
C3 | C2 | C0 | Classification |
---|---|---|---|
0 | 0 | 0 | Unsupported (unnormal or pseudo-NaN) |
0 | 0 | 1 | NaN |
0 | 1 | 0 | Normal finite number |
0 | 1 | 1 | Infinity |
1 | 0 | 0 | Zero |
1 | 0 | 1 | Empty |
1 | 1 | 0 | Denormal number |
1 | 1 | 1 | Empty (may occur on 8087/80287 only) |
C1 is set to the sign-bit of st(0), regardless of whether st(0) is Empty or not.
FXTRACT
, if st(0) is zero or ±∞, then M is set equal to st(0). If st(0) is zero, E is set to 0 on 8087/80287 but -∞ on 80387 and later. If st(0) is ±∞, then E is set to +∞.
FPREM
, if the quotient Q is larger than , then the remainder calculation may have been done only partially – in this case, the FPREM
instruction will need to be run again in order to complete the remainder calculation. This is indicated by the instruction setting C2
to 1.C2
to 0 and set the three bits {C0,C3,C1}
to the bottom three bits of the quotient Q.FPREM
instruction is always exact with no roundoff errors.
FSCALE
instruction on 8087 and 80287, st(1) is required to be in the range . Also, its absolute value must be either 0 or at least 1. If these requirements are not satisfied, the result is undefined.FSCALE
, rounding is only applied in the case of overflow, underflow or subnormal result.
FYL2X
and FYL2XP1
instructions, the maximum error bound of ±1 ulp only holds for st(1)=1.0 – for other values of st(1), the error bound is increased to ±1.35 ulps.
FPATAN
, the following adjustments are done as compared to just computing a one-argument arctangent of the ratio :FNOP
is a no-op in the sense that will leave the x87 FPU register stack unmodified, it may still modify FIP and CC, and it may fault if a pending x87 FPU exception is present.
Instruction description | Mnemonic | Opcode | Additional items |
---|---|---|---|
x87 Non-Waiting Control Instructions added in 80287 | Waiting mnemonic | ||
Notify FPU of entry into Protected Mode[a] | FNSETPM |
DB E4 |
FSETPM
|
Store x87 Status Word to AX | FNSTSW AX |
DF E0 |
FSTSW AX
|
x87 Instructions added in 80387[b] | Source operand range restriction | ||
Floating-point unordered compare. Similar to the regular floating-point compare instruction FCOM , except will not produce an exception in response to any qNaN operands. |
FUCOM st(i) [c] |
DD E0+i |
no restrictions |
Floating-point unordered compare and pop | FUCOMP st(i) [c] |
DD E8+i
| |
Floating-point unordered compare to st(1), then pop twice | FUCOMPP |
DA E9
| |
IEEE 754 compliant floating-point partial remainder.[d] | FPREM1 |
D9 F5
| |
Floating-point sine and cosine. Computes two values and [e] Top-of-stack st(0) is replaced with S, after which C is pushed onto the stack. |
FSINCOS |
D9 FB |
|
Floating-point sine.[e] | FSIN |
D9 FE
| |
Floating-point cosine.[e] | FCOS |
D9 FF
| |
x87 Instructions added in Pentium Pro | Condition for conditional moves | ||
Floating-point conditional move to st(0) based on EFLAGS | FCMOVB st(0),st(i) |
DA C0+i |
below (CF=1) |
FCMOVE st(0),st(i) |
DA C8+i |
equal (ZF=1) | |
FCMOVBE st(0),st(i) |
DA D0+i |
below or equal (CF=1 or ZF=1) | |
FCMOVU st(0),st(i) |
DA D8+i |
unordered (PF=1) | |
FCMOVNB st(0),st(i) |
DB C0+i |
not below (CF=0) | |
FCMOVNE st(0),st(i) |
DB C8+i |
not equal (ZF=0) | |
FCMOVNBE st(0),st(i) |
DB D0+i |
not below or equal (CF=0 and ZF=0) | |
FCMOVNU st(0),st(i) |
DB D8+i |
not unordered (PF=0) | |
Floating-point compare and set EFLAGS .Differs from the older FCOM floating-point compare instruction in that it puts its result in the integer EFLAGS register rather than the x87 CC register.[f] |
FCOMI st(0),st(i) |
DB F0+i
| |
Floating-point compare and set EFLAGS , then pop |
FCOMIP st(0),st(i) |
DF F0+i
| |
Floating-point unordered compare and set EFLAGS |
FUCOMI st(0),st(i) |
DB E8+i
| |
Floating-point unordered compare and set EFLAGS , then pop |
FUCOMIP st(0),st(i) |
DF E8+i
| |
x87 Non-Waiting Instructions added in Pentium II, AMD K7 and SSE[g] | 64-bit mnemonic ( REX.W prefix)
| ||
Save x87, MMX and SSE state to 512-byte data structure[h][i][j] | FXSAVE m512byte |
NP 0F AE /0 |
FXSAVE64 m512byte
|
Restore x87, MMX and SSE state from 512-byte data structure[h][i] | FXRSTOR m512byte |
NP 0F AE /1 |
FXRSTOR64 m512byte
|
x87 Instructions added as part of SSE3 | |||
Floating-point store integer and pop, with round-to-zero | FISTTP m16 |
DF /1
| |
FISTTP m32 |
DB /1
| ||
FISTTP m64 |
DD /1
|
F(N)SAVE
, FRSTOR
, FLDENV
and F(N)STENV
instructions has different formats in Real Mode and Protected Mode. On 80287, the F(N)SETPM
instruction is required to communicate the real-to-protected mode transition to the FPU. On 80387 and later x87 FPUs, real↔protected mode transitions are communicated automatically to the FPU without the need for any dedicated instructions – therefore, on these FPUs, FNSETPM
executes as a NOP that does not modify any FPU state.
FUCOM
and FUCOMP
instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.
FPREM1
instruction differs from the older FPREM
(D9 F8
) instruction in that the quotient Q is rounded to integer with round-to-nearest-even rounding rather than the round-to-zero rounding used by FPREM
. Like FPREM
, FPREM1
always computes an exact result with no roundoff errors. Like FPREM
, it may also perform a partial computation if the quotient is too large, in which case it must be run again.
FSIN
, FCOS
and FSINCOS
is not precisely 1.0, but instead given by[122][123]This argument reduction inaccuracy also affects the FPTAN
instruction.
FCOMI
, FCOMIP
, FUCOMI
and FUCOMIP
instructions write their results to the ZF
, CF
and PF
bits of the EFLAGS
register. On Intel but not AMD processors, the SF
, AF
and OF
bits of EFLAGS
are also zeroed out by these instructions.
FXSAVE
and FXRSTOR
instructions were added in the "Deschutes" revision of Pentium II, and are not present in earlier "Klamath" revision.FXSAVE
and FXRSTOR
instructions will save/restore SSE state only on processors that support SSE. Otherwise, they will only save/restore x87 and MMX state.FXSAVE
/FXRSTOR
has a completely different layout than the data structure of the older F(N)SAVE
/FRSTOR
instructions, enabling faster save/restore by avoiding misaligned loads and stores.
CR0.EM=1
, FXSAVE(64)
and FXRSTOR(64)
are considered to be x87 instructions and will accordingly produce an #NM (device-not-available) exception. Other than WAIT
, these are the only opcodes outside the D8..DF
ESC opcode space that exhibit this behavior. (All opcodes in D8..DF
will produce #NM if CR0.EM=1
, even for undefined opcodes that would produce #UD otherwise.)
F(N)SAVE
instruction, FXSAVE
will not initialize the FPU after saving its state to memory, but instead leave the x87 coprocessor state unmodified.
MMX instructions operate on the mm registers, which are 64 bits wide. They are shared with the FPU registers.
Added with Pentium MMX
Instruction | Opcode | Meaning | Notes |
---|---|---|---|
EMMS | 0F 77 | Empty MMX Technology State | Marks all x87 FPU registers for use by FPU |
MOVD mm, r/m32 | 0F 6E /r | Move doubleword | |
MOVD r/m32, mm | 0F 7E /r | Move doubleword | |
MOVQ mm/m64, mm | 0F 7F /r | Move quadword | |
MOVQ mm, mm/m64 | 0F 6F /r | Move quadword | |
MOVQ mm, r/m64 | REX.W + 0F 6E /r | Move quadword | |
MOVQ r/m64, mm | REX.W + 0F 7E /r | Move quadword | |
PACKSSDW mm1, mm2/m64 | 0F 6B /r | Pack doublewords to words (signed with saturation) | |
PACKSSWB mm1, mm2/m64 | 0F 63 /r | Pack words to bytes (signed with saturation) | |
PACKUSWB mm, mm/m64 | 0F 67 /r | Pack words to bytes (unsigned with saturation) | |
PADDB mm, mm/m64 | 0F FC /r | Add packed byte integers | |
PADDW mm, mm/m64 | 0F FD /r | Add packed word integers | |
PADDD mm, mm/m64 | 0F FE /r | Add packed doubleword integers | |
PADDSB mm, mm/m64 | 0F EC /r | Add packed signed byte integers and saturate | |
PADDSW mm, mm/m64 | 0F ED /r | Add packed signed word integers and saturate | |
PADDUSB mm, mm/m64 | 0F DC /r | Add packed unsigned byte integers and saturate | |
PADDUSW mm, mm/m64 | 0F DD /r | Add packed unsigned word integers and saturate | |
PAND mm, mm/m64 | 0F DB /r | Bitwise AND | |
PANDN mm, mm/m64 | 0F DF /r | Bitwise AND NOT | |
POR mm, mm/m64 | 0F EB /r | Bitwise OR | |
PXOR mm, mm/m64 | 0F EF /r | Bitwise XOR | |
PCMPEQB mm, mm/m64 | 0F 74 /r | Compare packed bytes for equality | |
PCMPEQW mm, mm/m64 | 0F 75 /r | Compare packed words for equality | |
PCMPEQD mm, mm/m64 | 0F 76 /r | Compare packed doublewords for equality | |
PCMPGTB mm, mm/m64 | 0F 64 /r | Compare packed signed byte integers for greater than | |
PCMPGTW mm, mm/m64 | 0F 65 /r | Compare packed signed word integers for greater than | |
PCMPGTD mm, mm/m64 | 0F 66 /r | Compare packed signed doubleword integers for greater than | |
PMADDWD mm, mm/m64 | 0F F5 /r | Multiply packed words, add adjacent doubleword results | |
PMULHW mm, mm/m64 | 0F E5 /r | Multiply packed signed word integers, store high 16 bits of results | |
PMULLW mm, mm/m64 | 0F D5 /r | Multiply packed signed word integers, store low 16 bits of results | |
PSLLW mm1, imm8 | 0F 71 /6 ib | Shift left words, shift in zeros | |
PSLLW mm, mm/m64 | 0F F1 /r | Shift left words, shift in zeros | |
PSLLD mm, imm8 | 0F 72 /6 ib | Shift left doublewords, shift in zeros | |
PSLLD mm, mm/m64 | 0F F2 /r | Shift left doublewords, shift in zeros | |
PSLLQ mm, imm8 | 0F 73 /6 ib | Shift left quadword, shift in zeros | |
PSLLQ mm, mm/m64 | 0F F3 /r | Shift left quadword, shift in zeros | |
PSRAD mm, imm8 | 0F 72 /4 ib | Shift right doublewords, shift in sign bits | |
PSRAD mm, mm/m64 | 0F E2 /r | Shift right doublewords, shift in sign bits | |
PSRAW mm, imm8 | 0F 71 /4 ib | Shift right words, shift in sign bits | |
PSRAW mm, mm/m64 | 0F E1 /r | Shift right words, shift in sign bits | |
PSRLW mm, imm8 | 0F 71 /2 ib | Shift right words, shift in zeros | |
PSRLW mm, mm/m64 | 0F D1 /r | Shift right words, shift in zeros | |
PSRLD mm, imm8 | 0F 72 /2 ib | Shift right doublewords, shift in zeros | |
PSRLD mm, mm/m64 | 0F D2 /r | Shift right doublewords, shift in zeros | |
PSRLQ mm, imm8 | 0F 73 /2 ib | Shift right quadword, shift in zeros | |
PSRLQ mm, mm/m64 | 0F D3 /r | Shift right quadword, shift in zeros | |
PSUBB mm, mm/m64 | 0F F8 /r | Subtract packed byte integers | |
PSUBW mm, mm/m64 | 0F F9 /r | Subtract packed word integers | |
PSUBD mm, mm/m64 | 0F FA /r | Subtract packed doubleword integers | |
PSUBSB mm, mm/m64 | 0F E8 /r | Subtract signed packed bytes with saturation | |
PSUBSW mm, mm/m64 | 0F E9 /r | Subtract signed packed words with saturation | |
PSUBUSB mm, mm/m64 | 0F D8 /r | Subtract unsigned packed bytes with saturation | |
PSUBUSW mm, mm/m64 | 0F D9 /r | Subtract unsigned packed words with saturation | |
PUNPCKHBW mm, mm/m64 | 0F 68 /r | Unpack and interleave high-order bytes | |
PUNPCKHWD mm, mm/m64 | 0F 69 /r | Unpack and interleave high-order words | |
PUNPCKHDQ mm, mm/m64 | 0F 6A /r | Unpack and interleave high-order doublewords | |
PUNPCKLBW mm, mm/m32 | 0F 60 /r | Unpack and interleave low-order bytes | |
PUNPCKLWD mm, mm/m32 | 0F 61 /r | Unpack and interleave low-order words | |
PUNPCKLDQ mm, mm/m32 | 0F 62 /r | Unpack and interleave low-order doublewords |
The following MMX instruction were added with SSE. They are also available on the Athlon under the name MMX+.
Instruction | Opcode | Meaning |
---|---|---|
MASKMOVQ mm1, mm2 | 0F F7 /r | Masked Move of Quadword |
MOVNTQ m64, mm | 0F E7 /r | Move Quadword Using Non-Temporal Hint |
PSHUFW mm1, mm2/m64, imm8 | 0F 70 /r ib | Shuffle Packed Words |
PINSRW mm, r32/m16, imm8 | 0F C4 /r | Insert Word |
PEXTRW reg, mm, imm8 | 0F C5 /r | Extract Word |
PMOVMSKB reg, mm | 0F D7 /r | Move Byte Mask |
PMINUB mm1, mm2/m64 | 0F DA /r | Minimum of Packed Unsigned Byte Integers |
PMAXUB mm1, mm2/m64 | 0F DE /r | Maximum of Packed Unsigned Byte Integers |
PAVGB mm1, mm2/m64 | 0F E0 /r | Average Packed Integers |
PAVGW mm1, mm2/m64 | 0F E3 /r | Average Packed Integers |
PMULHUW mm1, mm2/m64 | 0F E4 /r | Multiply Packed Unsigned Integers and Store High Result |
PMINSW mm1, mm2/m64 | 0F EA /r | Minimum of Packed Signed Word Integers |
PMAXSW mm1, mm2/m64 | 0F EE /r | Maximum of Packed Signed Word Integers |
PSADBW mm1, mm2/m64 | 0F F6 /r | Compute Sum of Absolute Differences |
The following MMX instructions were added with SSE2:
Instruction | Opcode | Meaning |
---|---|---|
PADDQ mm, mm/m64 | 0F D4 /r | Add packed quadword integers |
PSUBQ mm1, mm2/m64 | 0F FB /r | Subtract packed quadword integers |
PMULUDQ mm1, mm2/m64 | 0F F4 /r | Multiply unsigned doubleword integer |
Instruction | Opcode | Meaning |
---|---|---|
PSIGNB mm1, mm2/m64 | 0F 38 08 /r | Negate/zero/preserve packed byte integers depending on corresponding sign |
PSIGNW mm1, mm2/m64 | 0F 38 09 /r | Negate/zero/preserve packed word integers depending on corresponding sign |
PSIGND mm1, mm2/m64 | 0F 38 0A /r | Negate/zero/preserve packed doubleword integers depending on corresponding sign |
PSHUFB mm1, mm2/m64 | 0F 38 00 /r | Shuffle bytes |
PMULHRSW mm1, mm2/m64 | 0F 38 0B /r | Multiply 16-bit signed words, scale and round signed doublewords, pack high 16 bits |
PMADDUBSW mm1, mm2/m64 | 0F 38 04 /r | Multiply signed and unsigned bytes, add horizontal pair of signed words, pack saturated signed-words |
PHSUBW mm1, mm2/m64 | 0F 38 05 /r | Subtract and pack 16-bit signed integers horizontally |
PHSUBSW mm1, mm2/m64 | 0F 38 07 /r | Subtract and pack 16-bit signed integer horizontally with saturation |
PHSUBD mm1, mm2/m64 | 0F 38 06 /r | Subtract and pack 32-bit signed integers horizontally |
PHADDSW mm1, mm2/m64 | 0F 38 03 /r | Add and pack 16-bit signed integers horizontally, pack saturated integers to mm1. |
PHADDW mm1, mm2/m64 | 0F 38 01 /r | Add and pack 16-bit integers horizontally |
PHADDD mm1, mm2/m64 | 0F 38 02 /r | Add and pack 32-bit integers horizontally |
PALIGNR mm1, mm2/m64, imm8 | 0F 3A 0F /r ib | Concatenate destination and source operands, extract byte-aligned result shifted to the right |
PABSB mm1, mm2/m64 | 0F 38 1C /r | Compute the absolute value of bytes and store unsigned result |
PABSW mm1, mm2/m64 | 0F 38 1D /r | Compute the absolute value of 16-bit integers and store unsigned result |
PABSD mm1, mm2/m64 | 0F 38 1E /r | Compute the absolute value of 32-bit integers and store unsigned result |
Added with Pentium III
SSE instructions operate on xmm registers, which are 128 bit wide.
SSE consists of the following SSE SIMD floating-point instructions:
Instruction | Opcode | Meaning |
---|---|---|
ANDPS* xmm1, xmm2/m128 | 0F 54 /r | Bitwise Logical AND of Packed Single-Precision Floating-Point Values |
ANDNPS* xmm1, xmm2/m128 | 0F 55 /r | Bitwise Logical AND NOT of Packed Single-Precision Floating-Point Values |
ORPS* xmm1, xmm2/m128 | 0F 56 /r | Bitwise Logical OR of Single-Precision Floating-Point Values |
XORPS* xmm1, xmm2/m128 | 0F 57 /r | Bitwise Logical XOR for Single-Precision Floating-Point Values |
MOVUPS xmm1, xmm2/m128 | 0F 10 /r | Move Unaligned Packed Single-Precision Floating-Point Values |
MOVSS xmm1, xmm2/m32 | F3 0F 10 /r | Move Scalar Single-Precision Floating-Point Values |
MOVUPS xmm2/m128, xmm1 | 0F 11 /r | Move Unaligned Packed Single-Precision Floating-Point Values |
MOVSS xmm2/m32, xmm1 | F3 0F 11 /r | Move Scalar Single-Precision Floating-Point Values |
MOVLPS xmm, m64 | 0F 12 /r | Move Low Packed Single-Precision Floating-Point Values |
MOVHLPS xmm1, xmm2 | 0F 12 /r | Move Packed Single-Precision Floating-Point Values High to Low |
MOVLPS m64, xmm | 0F 13 /r | Move Low Packed Single-Precision Floating-Point Values |
UNPCKLPS xmm1, xmm2/m128 | 0F 14 /r | Unpack and Interleave Low Packed Single-Precision Floating-Point Values |
UNPCKHPS xmm1, xmm2/m128 | 0F 15 /r | Unpack and Interleave High Packed Single-Precision Floating-Point Values |
MOVHPS xmm, m64 | 0F 16 /r | Move High Packed Single-Precision Floating-Point Values |
MOVLHPS xmm1, xmm2 | 0F 16 /r | Move Packed Single-Precision Floating-Point Values Low to High |
MOVHPS m64, xmm | 0F 17 /r | Move High Packed Single-Precision Floating-Point Values |
MOVAPS xmm1, xmm2/m128 | 0F 28 /r | Move Aligned Packed Single-Precision Floating-Point Values |
MOVAPS xmm2/m128, xmm1 | 0F 29 /r | Move Aligned Packed Single-Precision Floating-Point Values |
MOVNTPS m128, xmm1 | 0F 2B /r | Move Aligned Four Packed Single-FP Non Temporal |
MOVMSKPS reg, xmm | 0F 50 /r | Extract Packed Single-Precision Floating-Point 4-bit Sign Mask. The upper bits of the register are filled with zeros. |
CVTPI2PS xmm, mm/m64 | 0F 2A /r | Convert Packed Dword Integers to Packed Single-Precision FP Values |
CVTSI2SS xmm, r/m32 | F3 0F 2A /r | Convert Dword Integer to Scalar Single-Precision FP Value |
CVTSI2SS xmm, r/m64 | F3 REX.W 0F 2A /r | Convert Qword Integer to Scalar Single-Precision FP Value |
CVTTPS2PI mm, xmm/m64 | 0F 2C /r | Convert with Truncation Packed Single-Precision FP Values to Packed Dword Integers |
CVTTSS2SI r32, xmm/m32 | F3 0F 2C /r | Convert with Truncation Scalar Single-Precision FP Value to Dword Integer |
CVTTSS2SI r64, xmm1/m32 | F3 REX.W 0F 2C /r | Convert with Truncation Scalar Single-Precision FP Value to Qword Integer |
CVTPS2PI mm, xmm/m64 | 0F 2D /r | Convert Packed Single-Precision FP Values to Packed Dword Integers |
CVTSS2SI r32, xmm/m32 | F3 0F 2D /r | Convert Scalar Single-Precision FP Value to Dword Integer |
CVTSS2SI r64, xmm1/m32 | F3 REX.W 0F 2D /r | Convert Scalar Single-Precision FP Value to Qword Integer |
UCOMISS xmm1, xmm2/m32 | 0F 2E /r | Unordered Compare Scalar Single-Precision Floating-Point Values and Set EFLAGS |
COMISS xmm1, xmm2/m32 | 0F 2F /r | Compare Scalar Ordered Single-Precision Floating-Point Values and Set EFLAGS |
SQRTPS xmm1, xmm2/m128 | 0F 51 /r | Compute Square Roots of Packed Single-Precision Floating-Point Values |
SQRTSS xmm1, xmm2/m32 | F3 0F 51 /r | Compute Square Root of Scalar Single-Precision Floating-Point Value |
RSQRTPS xmm1, xmm2/m128 | 0F 52 /r | Compute Reciprocal of Square Root of Packed Single-Precision Floating-Point Value |
RSQRTSS xmm1, xmm2/m32 | F3 0F 52 /r | Compute Reciprocal of Square Root of Scalar Single-Precision Floating-Point Value |
RCPPS xmm1, xmm2/m128 | 0F 53 /r | Compute Reciprocal of Packed Single-Precision Floating-Point Values |
RCPSS xmm1, xmm2/m32 | F3 0F 53 /r | Compute Reciprocal of Scalar Single-Precision Floating-Point Values |
ADDPS xmm1, xmm2/m128 | 0F 58 /r | Add Packed Single-Precision Floating-Point Values |
ADDSS xmm1, xmm2/m32 | F3 0F 58 /r | Add Scalar Single-Precision Floating-Point Values |
MULPS xmm1, xmm2/m128 | 0F 59 /r | Multiply Packed Single-Precision Floating-Point Values |
MULSS xmm1, xmm2/m32 | F3 0F 59 /r | Multiply Scalar Single-Precision Floating-Point Values |
SUBPS xmm1, xmm2/m128 | 0F 5C /r | Subtract Packed Single-Precision Floating-Point Values |
SUBSS xmm1, xmm2/m32 | F3 0F 5C /r | Subtract Scalar Single-Precision Floating-Point Values |
MINPS xmm1, xmm2/m128 | 0F 5D /r | Return Minimum Packed Single-Precision Floating-Point Values |
MINSS xmm1, xmm2/m32 | F3 0F 5D /r | Return Minimum Scalar Single-Precision Floating-Point Values |
DIVPS xmm1, xmm2/m128 | 0F 5E /r | Divide Packed Single-Precision Floating-Point Values |
DIVSS xmm1, xmm2/m32 | F3 0F 5E /r | Divide Scalar Single-Precision Floating-Point Values |
MAXPS xmm1, xmm2/m128 | 0F 5F /r | Return Maximum Packed Single-Precision Floating-Point Values |
MAXSS xmm1, xmm2/m32 | F3 0F 5F /r | Return Maximum Scalar Single-Precision Floating-Point Values |
LDMXCSR m32 | 0F AE /2 | Load MXCSR Register State |
STMXCSR m32 | 0F AE /3 | Store MXCSR Register State |
CMPPS xmm1, xmm2/m128, imm8 | 0F C2 /r ib | Compare Packed Single-Precision Floating-Point Values |
CMPSS xmm1, xmm2/m32, imm8 | F3 0F C2 /r ib | Compare Scalar Single-Precision Floating-Point Values |
SHUFPS xmm1, xmm2/m128, imm8 | 0F C6 /r ib | Shuffle Packed Single-Precision Floating-Point Values |
* The floating point single bitwise operations ANDPS, ANDNPS, ORPS and XORPS produce the same result as the SSE2 integer (PAND, PANDN, POR, PXOR) and double ones (ANDPD, ANDNPD, ORPD, XORPD), but can introduce extra latency for domain changes when applied values of the wrong type.[124]
Added with Pentium 4
Instruction | Opcode | Meaning |
---|---|---|
MOVAPD xmm1, xmm2/m128 | 66 0F 28 /r | Move Aligned Packed Double-Precision Floating-Point Values |
MOVAPD xmm2/m128, xmm1 | 66 0F 29 /r | Move Aligned Packed Double-Precision Floating-Point Values |
MOVNTPD m128, xmm1 | 66 0F 2B /r | Store Packed Double-Precision Floating-Point Values Using Non-Temporal Hint |
MOVHPD xmm1, m64 | 66 0F 16 /r | Move High Packed Double-Precision Floating-Point Value |
MOVHPD m64, xmm1 | 66 0F 17 /r | Move High Packed Double-Precision Floating-Point Value |
MOVLPD xmm1, m64 | 66 0F 12 /r | Move Low Packed Double-Precision Floating-Point Value |
MOVLPD m64, xmm1 | 66 0F 13/r | Move Low Packed Double-Precision Floating-Point Value |
MOVUPD xmm1, xmm2/m128 | 66 0F 10 /r | Move Unaligned Packed Double-Precision Floating-Point Values |
MOVUPD xmm2/m128, xmm1 | 66 0F 11 /r | Move Unaligned Packed Double-Precision Floating-Point Values |
MOVMSKPD reg, xmm | 66 0F 50 /r | Extract Packed Double-Precision Floating-Point Sign Mask |
MOVSD* xmm1, xmm2/m64 | F2 0F 10 /r | Move or Merge Scalar Double-Precision Floating-Point Value |
MOVSD xmm1/m64, xmm2 | F2 0F 11 /r | Move or Merge Scalar Double-Precision Floating-Point Value |
Instruction | Opcode | Meaning |
---|---|---|
ADDPD xmm1, xmm2/m128 | 66 0F 58 /r | Add Packed Double-Precision Floating-Point Values |
ADDSD xmm1, xmm2/m64 | F2 0F 58 /r | Add Low Double-Precision Floating-Point Value |
DIVPD xmm1, xmm2/m128 | 66 0F 5E /r | Divide Packed Double-Precision Floating-Point Values |
DIVSD xmm1, xmm2/m64 | F2 0F 5E /r | Divide Scalar Double-Precision Floating-Point Value |
MAXPD xmm1, xmm2/m128 | 66 0F 5F /r | Maximum of Packed Double-Precision Floating-Point Values |
MAXSD xmm1, xmm2/m64 | F2 0F 5F /r | Return Maximum Scalar Double-Precision Floating-Point Value |
MINPD xmm1, xmm2/m128 | 66 0F 5D /r | Minimum of Packed Double-Precision Floating-Point Values |
MINSD xmm1, xmm2/m64 | F2 0F 5D /r | Return Minimum Scalar Double-Precision Floating-Point Value |
MULPD xmm1, xmm2/m128 | 66 0F 59 /r | Multiply Packed Double-Precision Floating-Point Values |
MULSD xmm1,xmm2/m64 | F2 0F 59 /r | Multiply Scalar Double-Precision Floating-Point Value |
SQRTPD xmm1, xmm2/m128 | 66 0F 51 /r | Square Root of Double-Precision Floating-Point Values |
SQRTSD xmm1,xmm2/m64 | F2 0F 51/r | Compute Square Root of Scalar Double-Precision Floating-Point Value |
SUBPD xmm1, xmm2/m128 | 66 0F 5C /r | Subtract Packed Double-Precision Floating-Point Values |
SUBSD xmm1, xmm2/m64 | F2 0F 5C /r | Subtract Scalar Double-Precision Floating-Point Value |
Instruction | Opcode | Meaning |
---|---|---|
ANDPD xmm1, xmm2/m128 | 66 0F 54 /r | Bitwise Logical AND of Packed Double Precision Floating-Point Values |
ANDNPD xmm1, xmm2/m128 | 66 0F 55 /r | Bitwise Logical AND NOT of Packed Double Precision Floating-Point Values |
ORPD xmm1, xmm2/m128 | 66 0F 56/r | Bitwise Logical OR of Packed Double Precision Floating-Point Values |
XORPD xmm1, xmm2/m128 | 66 0F 57/r | Bitwise Logical XOR of Packed Double Precision Floating-Point Values |
Instruction | Opcode | Meaning |
---|---|---|
CMPPD xmm1, xmm2/m128, imm8 | 66 0F C2 /r ib | Compare Packed Double-Precision Floating-Point Values |
CMPSD* xmm1, xmm2/m64, imm8 | F2 0F C2 /r ib | Compare Low Double-Precision Floating-Point Values |
COMISD xmm1, xmm2/m64 | 66 0F 2F /r | Compare Scalar Ordered Double-Precision Floating-Point Values and Set EFLAGS |
UCOMISD xmm1, xmm2/m64 | 66 0F 2E /r | Unordered Compare Scalar Double-Precision Floating-Point Values and Set EFLAGS |
Instruction | Opcode | Meaning |
---|---|---|
SHUFPD xmm1, xmm2/m128, imm8 | 66 0F C6 /r ib | Packed Interleave Shuffle of Pairs of Double-Precision Floating-Point Values |
UNPCKHPD xmm1, xmm2/m128 | 66 0F 15 /r | Unpack and Interleave High Packed Double-Precision Floating-Point Values |
UNPCKLPD xmm1, xmm2/m128 | 66 0F 14 /r | Unpack and Interleave Low Packed Double-Precision Floating-Point Values |
Instruction | Opcode | Meaning |
---|---|---|
CVTDQ2PD xmm1, xmm2/m64 | F3 0F E6 /r | Convert Packed Doubleword Integers to Packed Double-Precision Floating-Point Values |
CVTDQ2PS xmm1, xmm2/m128 | 0F 5B /r | Convert Packed Doubleword Integers to Packed Single-Precision Floating-Point Values |
CVTPD2DQ xmm1, xmm2/m128 | F2 0F E6 /r | Convert Packed Double-Precision Floating-Point Values to Packed Doubleword Integers |
CVTPD2PI mm, xmm/m128 | 66 0F 2D /r | Convert Packed Double-Precision FP Values to Packed Dword Integers |
CVTPD2PS xmm1, xmm2/m128 | 66 0F 5A /r | Convert Packed Double-Precision Floating-Point Values to Packed Single-Precision Floating-Point Values |
CVTPI2PD xmm, mm/m64 | 66 0F 2A /r | Convert Packed Dword Integers to Packed Double-Precision FP Values |
CVTPS2DQ xmm1, xmm2/m128 | 66 0F 5B /r | Convert Packed Single-Precision Floating-Point Values to Packed Signed Doubleword Integer Values |
CVTPS2PD xmm1, xmm2/m64 | 0F 5A /r | Convert Packed Single-Precision Floating-Point Values to Packed Double-Precision Floating-Point Values |
CVTSD2SI r32, xmm1/m64 | F2 0F 2D /r | Convert Scalar Double-Precision Floating-Point Value to Doubleword Integer |
CVTSD2SI r64, xmm1/m64 | F2 REX.W 0F 2D /r | Convert Scalar Double-Precision Floating-Point Value to Quadword Integer With Sign Extension |
CVTSD2SS xmm1, xmm2/m64 | F2 0F 5A /r | Convert Scalar Double-Precision Floating-Point Value to Scalar Single-Precision Floating-Point Value |
CVTSI2SD xmm1, r32/m32 | F2 0F 2A /r | Convert Doubleword Integer to Scalar Double-Precision Floating-Point Value |
CVTSI2SD xmm1, r/m64 | F2 REX.W 0F 2A /r | Convert Quadword Integer to Scalar Double-Precision Floating-Point value |
CVTSS2SD xmm1, xmm2/m32 | F3 0F 5A /r | Convert Scalar Single-Precision Floating-Point Value to Scalar Double-Precision Floating-Point Value |
CVTTPD2DQ xmm1, xmm2/m128 | 66 0F E6 /r | Convert with Truncation Packed Double-Precision Floating-Point Values to Packed Doubleword Integers |
CVTTPD2PI mm, xmm/m128 | 66 0F 2C /r | Convert with Truncation Packed Double-Precision FP Values to Packed Dword Integers |
CVTTPS2DQ xmm1, xmm2/m128 | F3 0F 5B /r | Convert with Truncation Packed Single-Precision Floating-Point Values to Packed Signed Doubleword Integer Values |
CVTTSD2SI r32, xmm1/m64 | F2 0F 2C /r | Convert with Truncation Scalar Double-Precision Floating-Point Value to Signed Dword Integer |
CVTTSD2SI r64, xmm1/m64 | F2 REX.W 0F 2C /r | Convert with Truncation Scalar Double-Precision Floating-Point Value To Signed Qword Integer |
SSE2 allows execution of MMX instructions on SSE registers, processing twice the amount of data at once.
Instruction | Opcode | Meaning |
---|---|---|
MOVD xmm, r/m32 | 66 0F 6E /r | Move doubleword |
MOVD r/m32, xmm | 66 0F 7E /r | Move doubleword |
MOVQ xmm1, xmm2/m64 | F3 0F 7E /r | Move quadword |
MOVQ xmm2/m64, xmm1 | 66 0F D6 /r | Move quadword |
MOVQ r/m64, xmm | 66 REX.W 0F 7E /r | Move quadword |
MOVQ xmm, r/m64 | 66 REX.W 0F 6E /r | Move quadword |
PMOVMSKB reg, xmm | 66 0F D7 /r | Move a byte mask, zeroing the upper bits of the register |
PEXTRW reg, xmm, imm8 | 66 0F C5 /r ib | Extract specified word and move it to reg, setting bits 15-0 and zeroing the rest |
PINSRW xmm, r32/m16, imm8 | 66 0F C4 /r ib | Move low word at the specified word position |
PACKSSDW xmm1, xmm2/m128 | 66 0F 6B /r | Converts 4 packed signed doubleword integers into 8 packed signed word integers with saturation |
PACKSSWB xmm1, xmm2/m128 | 66 0F 63 /r | Converts 8 packed signed word integers into 16 packed signed byte integers with saturation |
PACKUSWB xmm1, xmm2/m128 | 66 0F 67 /r | Converts 8 signed word integers into 16 unsigned byte integers with saturation |
PADDB xmm1, xmm2/m128 | 66 0F FC /r | Add packed byte integers |
PADDW xmm1, xmm2/m128 | 66 0F FD /r | Add packed word integers |
PADDD xmm1, xmm2/m128 | 66 0F FE /r | Add packed doubleword integers |
PADDQ xmm1, xmm2/m128 | 66 0F D4 /r | Add packed quadword integers. |
PADDSB xmm1, xmm2/m128 | 66 0F EC /r | Add packed signed byte integers with saturation |
PADDSW xmm1, xmm2/m128 | 66 0F ED /r | Add packed signed word integers with saturation |
PADDUSB xmm1, xmm2/m128 | 66 0F DC /r | Add packed unsigned byte integers with saturation |
PADDUSW xmm1, xmm2/m128 | 66 0F DD /r | Add packed unsigned word integers with saturation |
PAND xmm1, xmm2/m128 | 66 0F DB /r | Bitwise AND |
PANDN xmm1, xmm2/m128 | 66 0F DF /r | Bitwise AND NOT |
POR xmm1, xmm2/m128 | 66 0F EB /r | Bitwise OR |
PXOR xmm1, xmm2/m128 | 66 0F EF /r | Bitwise XOR |
PCMPEQB xmm1, xmm2/m128 | 66 0F 74 /r | Compare packed bytes for equality. |
PCMPEQW xmm1, xmm2/m128 | 66 0F 75 /r | Compare packed words for equality. |
PCMPEQD xmm1, xmm2/m128 | 66 0F 76 /r | Compare packed doublewords for equality. |
PCMPGTB xmm1, xmm2/m128 | 66 0F 64 /r | Compare packed signed byte integers for greater than |
PCMPGTW xmm1, xmm2/m128 | 66 0F 65 /r | Compare packed signed word integers for greater than |
PCMPGTD xmm1, xmm2/m128 | 66 0F 66 /r | Compare packed signed doubleword integers for greater than |
PMULLW xmm1, xmm2/m128 | 66 0F D5 /r | Multiply packed signed word integers with saturation |
PMULHW xmm1, xmm2/m128 | 66 0F E5 /r | Multiply the packed signed word integers, store the high 16 bits of the results |
PMULHUW xmm1, xmm2/m128 | 66 0F E4 /r | Multiply packed unsigned word integers, store the high 16 bits of the results |
PMULUDQ xmm1, xmm2/m128 | 66 0F F4 /r | Multiply packed unsigned doubleword integers |
PSLLW xmm1, xmm2/m128 | 66 0F F1 /r | Shift words left while shifting in 0s |
PSLLW xmm1, imm8 | 66 0F 71 /6 ib | Shift words left while shifting in 0s |
PSLLD xmm1, xmm2/m128 | 66 0F F2 /r | Shift doublewords left while shifting in 0s |
PSLLD xmm1, imm8 | 66 0F 72 /6 ib | Shift doublewords left while shifting in 0s |
PSLLQ xmm1, xmm2/m128 | 66 0F F3 /r | Shift quadwords left while shifting in 0s |
PSLLQ xmm1, imm8 | 66 0F 73 /6 ib | Shift quadwords left while shifting in 0s |
PSRAD xmm1, xmm2/m128 | 66 0F E2 /r | Shift doubleword right while shifting in sign bits |
PSRAD xmm1, imm8 | 66 0F 72 /4 ib | Shift doublewords right while shifting in sign bits |
PSRAW xmm1, xmm2/m128 | 66 0F E1 /r | Shift words right while shifting in sign bits |
PSRAW xmm1, imm8 | 66 0F 71 /4 ib | Shift words right while shifting in sign bits |
PSRLW xmm1, xmm2/m128 | 66 0F D1 /r | Shift words right while shifting in 0s |
PSRLW xmm1, imm8 | 66 0F 71 /2 ib | Shift words right while shifting in 0s |
PSRLD xmm1, xmm2/m128 | 66 0F D2 /r | Shift doublewords right while shifting in 0s |
PSRLD xmm1, imm8 | 66 0F 72 /2 ib | Shift doublewords right while shifting in 0s |
PSRLQ xmm1, xmm2/m128 | 66 0F D3 /r | Shift quadwords right while shifting in 0s |
PSRLQ xmm1, imm8 | 66 0F 73 /2 ib | Shift quadwords right while shifting in 0s |
PSUBB xmm1, xmm2/m128 | 66 0F F8 /r | Subtract packed byte integers |
PSUBW xmm1, xmm2/m128 | 66 0F F9 /r | Subtract packed word integers |
PSUBD xmm1, xmm2/m128 | 66 0F FA /r | Subtract packed doubleword integers |
PSUBQ xmm1, xmm2/m128 | 66 0F FB /r | Subtract packed quadword integers. |
PSUBSB xmm1, xmm2/m128 | 66 0F E8 /r | Subtract packed signed byte integers with saturation |
PSUBSW xmm1, xmm2/m128 | 66 0F E9 /r | Subtract packed signed word integers with saturation |
PMADDWD xmm1, xmm2/m128 | 66 0F F5 /r | Multiply the packed word integers, add adjacent doubleword results |
PSUBUSB xmm1, xmm2/m128 | 66 0F D8 /r | Subtract packed unsigned byte integers with saturation |
PSUBUSW xmm1, xmm2/m128 | 66 0F D9 /r | Subtract packed unsigned word integers with saturation |
PUNPCKHBW xmm1, xmm2/m128 | 66 0F 68 /r | Unpack and interleave high-order bytes |
PUNPCKHWD xmm1, xmm2/m128 | 66 0F 69 /r | Unpack and interleave high-order words |
PUNPCKHDQ xmm1, xmm2/m128 | 66 0F 6A /r | Unpack and interleave high-order doublewords |
PUNPCKLBW xmm1, xmm2/m128 | 66 0F 60 /r | Interleave low-order bytes |
PUNPCKLWD xmm1, xmm2/m128 | 66 0F 61 /r | Interleave low-order words |
PUNPCKLDQ xmm1, xmm2/m128 | 66 0F 62 /r | Interleave low-order doublewords |
PAVGB xmm1, xmm2/m128 | 66 0F E0, /r | Average packed unsigned byte integers with rounding |
PAVGW xmm1, xmm2/m128 | 66 0F E3 /r | Average packed unsigned word integers with rounding |
PMINUB xmm1, xmm2/m128 | 66 0F DA /r | Compare packed unsigned byte integers and store packed minimum values |
PMINSW xmm1, xmm2/m128 | 66 0F EA /r | Compare packed signed word integers and store packed minimum values |
PMAXSW xmm1, xmm2/m128 | 66 0F EE /r | Compare packed signed word integers and store maximum packed values |
PMAXUB xmm1, xmm2/m128 | 66 0F DE /r | Compare packed unsigned byte integers and store packed maximum values |
PSADBW xmm1, xmm2/m128 | 66 0F F6 /r | Computes the absolute differences of the packed unsigned byte integers; the 8 low differences and 8 high differences are then summed separately to produce two unsigned word integer results |
The following instructions can be used only on SSE registers, since by their nature they do not work on MMX registers
Instruction | Opcode | Meaning |
---|---|---|
MASKMOVDQU xmm1, xmm2 | 66 0F F7 /r | Non-Temporal Store of Selected Bytes from an XMM Register into Memory |
MOVDQ2Q mm, xmm | F2 0F D6 /r | Move low quadword from XMM to MMX register. |
MOVDQA xmm1, xmm2/m128 | 66 0F 6F /r | Move aligned double quadword |
MOVDQA xmm2/m128, xmm1 | 66 0F 7F /r | Move aligned double quadword |
MOVDQU xmm1, xmm2/m128 | F3 0F 6F /r | Move unaligned double quadword |
MOVDQU xmm2/m128, xmm1 | F3 0F 7F /r | Move unaligned double quadword |
MOVQ2DQ xmm, mm | F3 0F D6 /r | Move quadword from MMX register to low quadword of XMM register |
MOVNTDQ m128, xmm1 | 66 0F E7 /r | Store Packed Integers Using Non-Temporal Hint |
PSHUFHW xmm1, xmm2/m128, imm8 | F3 0F 70 /r ib | Shuffle packed high words. |
PSHUFLW xmm1, xmm2/m128, imm8 | F2 0F 70 /r ib | Shuffle packed low words. |
PSHUFD xmm1, xmm2/m128, imm8 | 66 0F 70 /r ib | Shuffle packed doublewords. |
PSLLDQ xmm1, imm8 | 66 0F 73 /7 ib | Packed shift left logical double quadwords. |
PSRLDQ xmm1, imm8 | 66 0F 73 /3 ib | Packed shift right logical double quadwords. |
PUNPCKHQDQ xmm1, xmm2/m128 | 66 0F 6D /r | Unpack and interleave high-order quadwords, |
PUNPCKLQDQ xmm1, xmm2/m128 | 66 0F 6C /r | Interleave low quadwords, |
Added with Pentium 4 supporting SSE3
Instruction | Opcode | Meaning | Notes |
---|---|---|---|
ADDSUBPS xmm1, xmm2/m128 | F2 0F D0 /r | Add/subtract single-precision floating-point values | for Complex Arithmetic |
ADDSUBPD xmm1, xmm2/m128 | 66 0F D0 /r | Add/subtract double-precision floating-point values | |
MOVDDUP xmm1, xmm2/m64 | F2 0F 12 /r | Move double-precision floating-point value and duplicate | |
MOVSLDUP xmm1, xmm2/m128 | F3 0F 12 /r | Move and duplicate even index single-precision floating-point values | |
MOVSHDUP xmm1, xmm2/m128 | F3 0F 16 /r | Move and duplicate odd index single-precision floating-point values | |
HADDPS xmm1, xmm2/m128 | F2 0F 7C /r | Horizontal add packed single-precision floating-point values | for Graphics |
HADDPD xmm1, xmm2/m128 | 66 0F 7C /r | Horizontal add packed double-precision floating-point values | |
HSUBPS xmm1, xmm2/m128 | F2 0F 7D /r | Horizontal subtract packed single-precision floating-point values | |
HSUBPD xmm1, xmm2/m128 | 66 0F 7D /r | Horizontal subtract packed double-precision floating-point values |
Instruction | Opcode | Meaning | Notes |
---|---|---|---|
LDDQU xmm1, mem | F2 0F F0 /r | Load unaligned data and return double quadword | Instructionally equivalent to MOVDQU. For video encoding |
Added with Xeon 5100 series and initial Core 2
The following MMX-like instructions extended to SSE registers were added with SSSE3
Instruction | Opcode | Meaning |
---|---|---|
PSIGNB xmm1, xmm2/m128 | 66 0F 38 08 /r | Negate/zero/preserve packed byte integers depending on corresponding sign |
PSIGNW xmm1, xmm2/m128 | 66 0F 38 09 /r | Negate/zero/preserve packed word integers depending on corresponding sign |
PSIGND xmm1, xmm2/m128 | 66 0F 38 0A /r | Negate/zero/preserve packed doubleword integers depending on corresponding |
PSHUFB xmm1, xmm2/m128 | 66 0F 38 00 /r | Shuffle bytes |
PMULHRSW xmm1, xmm2/m128 | 66 0F 38 0B /r | Multiply 16-bit signed words, scale and round signed doublewords, pack high 16 bits |
PMADDUBSW xmm1, xmm2/m128 | 66 0F 38 04 /r | Multiply signed and unsigned bytes, add horizontal pair of signed words, pack saturated signed-words |
PHSUBW xmm1, xmm2/m128 | 66 0F 38 05 /r | Subtract and pack 16-bit signed integers horizontally |
PHSUBSW xmm1, xmm2/m128 | 66 0F 38 07 /r | Subtract and pack 16-bit signed integer horizontally with saturation |
PHSUBD xmm1, xmm2/m128 | 66 0F 38 06 /r | Subtract and pack 32-bit signed integers horizontally |
PHADDSW xmm1, xmm2/m128 | 66 0F 38 03 /r | Add and pack 16-bit signed integers horizontally with saturation |
PHADDW xmm1, xmm2/m128 | 66 0F 38 01 /r | Add and pack 16-bit integers horizontally |
PHADDD xmm1, xmm2/m128 | 66 0F 38 02 /r | Add and pack 32-bit integers horizontally |
PALIGNR xmm1, xmm2/m128, imm8 | 66 0F 3A 0F /r ib | Concatenate destination and source operands, extract byte-aligned result shifted to the right |
PABSB xmm1, xmm2/m128 | 66 0F 38 1C /r | Compute the absolute value of bytes and store unsigned result |
PABSW xmm1, xmm2/m128 | 66 0F 38 1D /r | Compute the absolute value of 16-bit integers and store unsigned result |
PABSD xmm1, xmm2/m128 | 66 0F 38 1E /r | Compute the absolute value of 32-bit integers and store unsigned result |
Added with Core 2 manufactured in 45nm
Instruction | Opcode | Meaning |
---|---|---|
DPPS xmm1, xmm2/m128, imm8 | 66 0F 3A 40 /r ib | Selectively multiply packed SP floating-point values, add and selectively store |
DPPD xmm1, xmm2/m128, imm8 | 66 0F 3A 41 /r ib | Selectively multiply packed DP floating-point values, add and selectively store |
BLENDPS xmm1, xmm2/m128, imm8 | 66 0F 3A 0C /r ib | Select packed single precision floating-point values from specified mask |
BLENDVPS xmm1, xmm2/m128, <XMM0> | 66 0F 38 14 /r | Select packed single precision floating-point values from specified mask |
BLENDPD xmm1, xmm2/m128, imm8 | 66 0F 3A 0D /r ib | Select packed DP-FP values from specified mask |
BLENDVPD xmm1, xmm2/m128, <XMM0> | 66 0F 38 15 /r | Select packed DP FP values from specified mask |
ROUNDPS xmm1, xmm2/m128, imm8 | 66 0F 3A 08 /r ib | Round packed single precision floating-point values |
ROUNDSS xmm1, xmm2/m32, imm8 | 66 0F 3A 0A /r ib | Round the low packed single precision floating-point value |
ROUNDPD xmm1, xmm2/m128, imm8 | 66 0F 3A 09 /r ib | Round packed double precision floating-point values |
ROUNDSD xmm1, xmm2/m64, imm8 | 66 0F 3A 0B /r ib | Round the low packed double precision floating-point value |
INSERTPS xmm1, xmm2/m32, imm8 | 66 0F 3A 21 /r ib | Insert a selected single-precision floating-point value at the specified destination element and zero out destination elements |
EXTRACTPS reg/m32, xmm1, imm8 | 66 0F 3A 17 /r ib | Extract one single-precision floating-point value at specified offset and store the result (zero-extended, if applicable) |
Instruction | Opcode | Meaning |
---|---|---|
MPSADBW xmm1, xmm2/m128, imm8 | 66 0F 3A 42 /r ib | Sums absolute 8-bit integer difference of adjacent groups of 4 byte integers with starting offset |
PHMINPOSUW xmm1, xmm2/m128 | 66 0F 38 41 /r | Find the minimum unsigned word |
PMULLD xmm1, xmm2/m128 | 66 0F 38 40 /r | Multiply the packed dword signed integers and store the low 32 bits |
PMULDQ xmm1, xmm2/m128 | 66 0F 38 28 /r | Multiply packed signed doubleword integers and store quadword result |
PBLENDVB xmm1, xmm2/m128, <XMM0> | 66 0F 38 10 /r | Select byte values from specified mask |
PBLENDW xmm1, xmm2/m128, imm8 | 66 0F 3A 0E /r ib | Select words from specified mask |
PMINSB xmm1, xmm2/m128 | 66 0F 38 38 /r | Compare packed signed byte integers |
PMINUW xmm1, xmm2/m128 | 66 0F 38 3A/r | Compare packed unsigned word integers |
PMINSD xmm1, xmm2/m128 | 66 0F 38 39 /r | Compare packed signed dword integers |
PMINUD xmm1, xmm2/m128 | 66 0F 38 3B /r | Compare packed unsigned dword integers |
PMAXSB xmm1, xmm2/m128 | 66 0F 38 3C /r | Compare packed signed byte integers |
PMAXUW xmm1, xmm2/m128 | 66 0F 38 3E/r | Compare packed unsigned word integers |
PMAXSD xmm1, xmm2/m128 | 66 0F 38 3D /r | Compare packed signed dword integers |
PMAXUD xmm1, xmm2/m128 | 66 0F 38 3F /r | Compare packed unsigned dword integers |
PINSRB xmm1, r32/m8, imm8 | 66 0F 3A 20 /r ib | Insert a byte integer value at specified destination element |
PINSRD xmm1, r/m32, imm8 | 66 0F 3A 22 /r ib | Insert a dword integer value at specified destination element |
PINSRQ xmm1, r/m64, imm8 | 66 REX.W 0F 3A 22 /r ib | Insert a qword integer value at specified destination element |
PEXTRB reg/m8, xmm2, imm8 | 66 0F 3A 14 /r ib | Extract a byte integer value at source byte offset, upper bits are zeroed. |
PEXTRW reg/m16, xmm, imm8 | 66 0F 3A 15 /r ib | Extract word and copy to lowest 16 bits, zero-extended |
PEXTRD r/m32, xmm2, imm8 | 66 0F 3A 16 /r ib | Extract a dword integer value at source dword offset |
PEXTRQ r/m64, xmm2, imm8 | 66 REX.W 0F 3A 16 /r ib | Extract a qword integer value at source qword offset |
PMOVSXBW xmm1, xmm2/m64 | 66 0f 38 20 /r | Sign extend 8 packed 8-bit integers to 8 packed 16-bit integers |
PMOVZXBW xmm1, xmm2/m64 | 66 0f 38 30 /r | Zero extend 8 packed 8-bit integers to 8 packed 16-bit integers |
PMOVSXBD xmm1, xmm2/m32 | 66 0f 38 21 /r | Sign extend 4 packed 8-bit integers to 4 packed 32-bit integers |
PMOVZXBD xmm1, xmm2/m32 | 66 0f 38 31 /r | Zero extend 4 packed 8-bit integers to 4 packed 32-bit integers |
PMOVSXBQ xmm1, xmm2/m16 | 66 0f 38 22 /r | Sign extend 2 packed 8-bit integers to 2 packed 64-bit integers |
PMOVZXBQ xmm1, xmm2/m16 | 66 0f 38 32 /r | Zero extend 2 packed 8-bit integers to 2 packed 64-bit integers |
PMOVSXWD xmm1, xmm2/m64 | 66 0f 38 23/r | Sign extend 4 packed 16-bit integers to 4 packed 32-bit integers |
PMOVZXWD xmm1, xmm2/m64 | 66 0f 38 33 /r | Zero extend 4 packed 16-bit integers to 4 packed 32-bit integers |
PMOVSXWQ xmm1, xmm2/m32 | 66 0f 38 24 /r | Sign extend 2 packed 16-bit integers to 2 packed 64-bit integers |
PMOVZXWQ xmm1, xmm2/m32 | 66 0f 38 34 /r | Zero extend 2 packed 16-bit integers to 2 packed 64-bit integers |
PMOVSXDQ xmm1, xmm2/m64 | 66 0f 38 25 /r | Sign extend 2 packed 32-bit integers to 2 packed 64-bit integers |
PMOVZXDQ xmm1, xmm2/m64 | 66 0f 38 35 /r | Zero extend 2 packed 32-bit integers to 2 packed 64-bit integers |
PTEST xmm1, xmm2/m128 | 66 0F 38 17 /r | Set ZF if AND result is all 0s, set CF if AND NOT result is all 0s |
PCMPEQQ xmm1, xmm2/m128 | 66 0F 38 29 /r | Compare packed qwords for equality |
PACKUSDW xmm1, xmm2/m128 | 66 0F 38 2B /r | Convert 2 × 4 packed signed doubleword integers into 8 packed unsigned word integers with saturation |
MOVNTDQA xmm1, m128 | 66 0F 38 2A /r | Move double quadword using non-temporal hint if WC memory type |
Added with Phenom processors
Instruction | Opcode | Meaning |
---|---|---|
EXTRQ | 66 0F 78 /0 ib ib | Extract Field From Register |
66 0F 79 /r | ||
INSERTQ | F2 0F 78 /r ib ib | Insert Field |
F2 0F 79 /r | ||
MOVNTSD | F2 0F 2B /r | Move Non-Temporal Scalar Double-Precision Floating-Point |
MOVNTSS | F3 0F 2B /r | Move Non-Temporal Scalar Single-Precision Floating-Point |
Added with Nehalem processors
Instruction | Opcode | Meaning |
---|---|---|
PCMPESTRI xmm1, xmm2/m128, imm8 | 66 0F 3A 61 /r imm8 | Packed comparison of string data with explicit lengths, generating an index |
PCMPESTRM xmm1, xmm2/m128, imm8 | 66 0F 3A 60 /r imm8 | Packed comparison of string data with explicit lengths, generating a mask |
PCMPISTRI xmm1, xmm2/m128, imm8 | 66 0F 3A 63 /r imm8 | Packed comparison of string data with implicit lengths, generating an index |
PCMPISTRM xmm1, xmm2/m128, imm8 | 66 0F 3A 62 /r imm8 | Packed comparison of string data with implicit lengths, generating a mask |
PCMPGTQ xmm1,xmm2/m128 | 66 0F 38 37 /r | Compare packed signed qwords for greater than. |
Half-precision floating-point conversion.
Instruction | Meaning |
---|---|
VCVTPH2PS xmmreg,xmmrm64 | Convert four half-precision floating point values in memory or the bottom half of an XMM register to four single-precision floating-point values in an XMM register |
VCVTPH2PS ymmreg,xmmrm128 | Convert eight half-precision floating point values in memory or an XMM register (the bottom half of a YMM register) to eight single-precision floating-point values in a YMM register |
VCVTPS2PH xmmrm64,xmmreg,imm8 | Convert four single-precision floating point values in an XMM register to half-precision floating-point values in memory or the bottom half an XMM register |
VCVTPS2PH xmmrm128,ymmreg,imm8 | Convert eight single-precision floating point values in a YMM register to half-precision floating-point values in memory or an XMM register |
AVX were first supported by Intel with Sandy Bridge and by AMD with Bulldozer.
Vector operations on 256 bit registers.
Instruction | Description |
---|---|
VBROADCASTSS | Copy a 32-bit, 64-bit or 128-bit memory operand to all elements of a XMM or YMM vector register. |
VBROADCASTSD | |
VBROADCASTF128 | |
VINSERTF128 | Replaces either the lower half or the upper half of a 256-bit YMM register with the value of a 128-bit source operand. The other half of the destination is unchanged. |
VEXTRACTF128 | Extracts either the lower half or the upper half of a 256-bit YMM register and copies the value to a 128-bit destination operand. |
VMASKMOVPS | Conditionally reads any number of elements from a SIMD vector memory operand into a destination register, leaving the remaining vector elements unread and setting the corresponding elements in the destination register to zero. Alternatively, conditionally writes any number of elements from a SIMD vector register operand to a vector memory operand, leaving the remaining elements of the memory operand unchanged. On the AMD Jaguar processor architecture, this instruction with a memory source operand takes more than 300 clock cycles when the mask is zero, in which case the instruction should do nothing. This appears to be a design flaw.[125] |
VMASKMOVPD | |
VPERMILPS | Permute In-Lane. Shuffle the 32-bit or 64-bit vector elements of one input operand. These are in-lane 256-bit instructions, meaning that they operate on all 256 bits with two separate 128-bit shuffles, so they can not shuffle across the 128-bit lanes.[126] |
VPERMILPD | |
VPERM2F128 | Shuffle the four 128-bit vector elements of two 256-bit source operands into a 256-bit destination operand, with an immediate constant as selector. |
VZEROALL | Set all YMM registers to zero and tag them as unused. Used when switching between 128-bit use and 256-bit use. |
VZEROUPPER | Set the upper half of all YMM registers to zero. Used when switching between 128-bit use and 256-bit use. |
Introduced in Intel's Haswell microarchitecture and AMD's Excavator.
Expansion of most vector integer SSE and AVX instructions to 256 bits
Instruction | Description |
---|---|
VBROADCASTSS | Copy a 32-bit or 64-bit register operand to all elements of a XMM or YMM vector register. These are register versions of the same instructions in AVX1. There is no 128-bit version however, but the same effect can be simply achieved using VINSERTF128. |
VBROADCASTSD | |
VPBROADCASTB | Copy an 8, 16, 32 or 64-bit integer register or memory operand to all elements of a XMM or YMM vector register. |
VPBROADCASTW | |
VPBROADCASTD | |
VPBROADCASTQ | |
VBROADCASTI128 | Copy a 128-bit memory operand to all elements of a YMM vector register. |
VINSERTI128 | Replaces either the lower half or the upper half of a 256-bit YMM register with the value of a 128-bit source operand. The other half of the destination is unchanged. |
VEXTRACTI128 | Extracts either the lower half or the upper half of a 256-bit YMM register and copies the value to a 128-bit destination operand. |
VGATHERDPD | Gathers single or double precision floating point values using either 32 or 64-bit indices and scale. |
VGATHERQPD | |
VGATHERDPS | |
VGATHERQPS | |
VPGATHERDD | Gathers 32 or 64-bit integer values using either 32 or 64-bit indices and scale. |
VPGATHERDQ | |
VPGATHERQD | |
VPGATHERQQ | |
VPMASKMOVD | Conditionally reads any number of elements from a SIMD vector memory operand into a destination register, leaving the remaining vector elements unread and setting the corresponding elements in the destination register to zero. Alternatively, conditionally writes any number of elements from a SIMD vector register operand to a vector memory operand, leaving the remaining elements of the memory operand unchanged. |
VPMASKMOVQ | |
VPERMPS | Shuffle the eight 32-bit vector elements of one 256-bit source operand into a 256-bit destination operand, with a register or memory operand as selector. |
VPERMD | |
VPERMPD | Shuffle the four 64-bit vector elements of one 256-bit source operand into a 256-bit destination operand, with a register or memory operand as selector. |
VPERMQ | |
VPERM2I128 | Shuffle (two of) the four 128-bit vector elements of two 256-bit source operands into a 256-bit destination operand, with an immediate constant as selector. |
VPBLENDD | Doubleword immediate version of the PBLEND instructions from SSE4. |
VPSLLVD | Shift left logical. Allows variable shifts where each element is shifted according to the packed input. |
VPSLLVQ | |
VPSRLVD | Shift right logical. Allows variable shifts where each element is shifted according to the packed input. |
VPSRLVQ | |
VPSRAVD | Shift right arithmetically. Allows variable shifts where each element is shifted according to the packed input. |
Main article: FMA instruction set |
Floating-point fused multiply-add instructions are introduced in x86 as two instruction set extensions, "FMA3" and "FMA4", both of which build on top of AVX to provide a set of scalar/vector instructions using the xmm/ymm/zmm vector registers. FMA3 defines a set of 3-operand fused-multiply-add instructions that take three input operands and writes its result back to the first of them. FMA4 defines a set of 4-operand fused-multiply-add instructions that take four input operands – a destination operand and three source operands.
FMA3 is supported on Intel CPUs starting with Haswell, on AMD CPUs starting with Piledriver, and on Zhaoxin CPUs starting with YongFeng. FMA4 was only supported on AMD Family 15h (Bulldozer) CPUs and has been abandoned from AMD Zen onwards. The FMA3/FMA4 extensions are not considered to be an intrinsic part of AVX or AVX2, although all Intel and AMD (but not Zhaoxin) processors that support AVX2 also support FMA3. FMA3 instructions (in EVEX-encoded form) are, however, AVX-512 foundation instructions.
The FMA3 and FMA4 instruction sets both define a set of 10 fused-multiply-add operations, all available in FP32 and FP64 variants. For each of these variants, FMA3 defines three operand orderings while FMA4 defines two.
FMA3 encoding
FMA3 instructions are encoded with the VEX or EVEX prefixes – on the form VEX.66.0F38 xy /r
or EVEX.66.0F38 xy /r
. The VEX.W/EVEX.W bit selects floating-point format (W=0 means FP32, W=1 means FP64). The opcode byte xy
consists of two nibbles, where the top nibble x
selects operand ordering (9
='132', A
='213', B
='231') and the bottom nibble y
(values 6..F) selects which one of the 10 fused-multiply-add operations to perform. (x
and y
outside the given ranges will result in something that is not an FMA3 instruction.)
At the assembly language level, the operand ordering is specified in the mnemonic of the instruction:
vfmadd132sd xmm1,xmm2,xmm3
will perform xmm1 ← (xmm1*xmm3)+xmm2
vfmadd213sd xmm1,xmm2,xmm3
will perform xmm1 ← (xmm2*xmm1)+xmm3
vfmadd231sd xmm1,xmm2,xmm3
will perform xmm1 ← (xmm2*xmm3)+xmm1
For all FMA3 variants, the first two arguments must be xmm/ymm/zmm vector register arguments, while the last argument may be either a vector register or memory argument. Under AVX-512, the EVEX-encoded variants support EVEX-prefix-encoded broadcast, opmasks and rounding-controls.
The AVX512-FP16 extension, introduced in Sapphire Rapids, adds FP16 variants of the FMA3 instructions – these all take the form EVEX.66.MAP6.W0 xy /r
with the opcode byte working in the same way as for the FP32/FP64 variants. (For the FMA4 instructions, no FP16 variants are defined.)
FMA4 encoding
FMA4 instructions are encoded with the VEX prefix, on the form VEX.66.0F3A xx /r ib
(no EVEX encodings are defined). The opcode byte xx
uses its bottom bit to select floating-point format (0=FP32, 1=FP64) and the remaining bits to select one of the 10 fused-multiply-add operations to perform.
For FMA4, operand ordering is controlled by the VEX.W bit. If VEX.W=0, then the third operand is the r/m operand specified by the instruction's ModR/M byte and the fourth operand is a register operand, specified by bits 7:4 of the ib (8-bit immediate) part of the instruction. If VEX.W=1, then these two operands are swapped. For example:
vfmaddsd xmm1,xmm2,[mem],xmm3
will perform xmm1 ← (xmm2*[mem])+xmm3
and require a W=0 encoding.vfmaddsd xmm1,xmm2,xmm3,[mem]
will perform xmm1 ← (xmm2*xmm3)+[mem]
and require a W=1 encoding.vfmaddsd xmm1,xmm2,xmm3,xmm4
will perform xmm1 ← (xmm2*xmm3)+xmm4
and can be encoded with either W=0 or W=1.
Opcode table
The 10 fused-multiply-add operations and the 110 instruction variants they give rise to are given by the following table – with FMA4 instructions highlighted with * and yellow cell coloring, and FMA3 instructions not highlighted:
Basic operation | Opcode byte | FP32 instructions | FP64 instructions | FP16 instructions |
---|---|---|---|---|
Packed alternating multiply-add/subtract
|
96 |
VFMADDSUB132PS |
VFMADDSUB132PD |
VFMADDSUB132PH
|
A6 |
VFMADDSUB213PS |
VFMADDSUB213PD |
VFMADDSUB213PH
| |
B6 |
VFMADDSUB231PS |
VFMADDSUB231PD |
VFMADDSUB231PH
| |
5C/5D * |
VFMADDSUBPS * |
VFMADDSUBPD * |
— | |
Packed alternating multiply-subtract/add
|
97 |
VFMSUBADD132PS |
VFMSUBADD132PD |
VFMSUBADD132PH
|
A7 |
VFMSUBADD213PS |
VFMSUBADD213PD |
VFMSUBADD213PH
| |
B7 |
VFMSUBADD231PS |
VFMSUBADD231PD |
VFMSUBADD231PH
| |
5E/5F * |
VFMSUBADDPS * |
VFMSUBADDPD * |
— | |
Packed multiply-add (A*B)+C |
98 |
VFMADD132PS |
VFMADD132PD |
VFMADD132PH
|
A8 |
VFMADD213PS |
VFMADD213PD |
VFMADD213PH
| |
B8 |
VFMADD231PS |
VFMADD231PD |
VFMADD231PH
| |
68/69 * |
VFMADDPS * |
VFMADDPD * |
— | |
Scalar multiply-add (A*B)+C |
99 |
VFMADD132SS |
VFMADD132SD |
VFMADD132SH
|
A9 |
VFMADD213SS |
VFMADD213SD |
VFMADD213SH
| |
B9 |
VFMADD231SS |
VFMADD231SD |
VFMADD231SH
| |
6A/6B * |
VFMADDSS * |
VFMADDSD * |
— | |
Packed multiply-subtract (A*B)-C |
9A |
VFMSUB132PS |
VFMSUB132PD |
VFMSUB132PH
|
AA |
VFMSUB213PS |
VFMSUB213PD |
VFMSUB213PH
| |
BA |
VFMSUB231PS |
VFMSUB231PD |
VFMSUB231PH
| |
6C/6D * |
VFMSUBPS * |
VFMSUBPD * |
— | |
Scalar multiply-subtract (A*B)-C |
9B |
VFMSUB132SS |
VFMSUB132SD |
VFMSUB132SH
|
AB |
VFMSUB213SS |
VFMSUB213SD |
VFMSUB213SH
| |
BB |
VFMSUB231SS |
VFMSUB231SD |
VFMSUB231SH
| |
6E/6F * |
VFMSUBSS * |
VFMSUBSD * |
— | |
Packed negative-multiply-add (-A*B)+C |
9C |
VFNMADD132PS |
VFNMADD132PD |
VFNMADD132PH
|
AC |
VFNMADD213PS |
VFNMADD213PD |
VFNMADD213PH
| |
BC |
VFNMADD231PS |
VFNMADD231PD |
VFNMADD231PH
| |
78/79 * |
VFMADDPS * |
VFMADDPD * |
— | |
Scalar negative-multiply-add (-A*B)+C |
9D |
VFMADD132SS |
VFMADD132SD |
VFMADD132SH
|
AD |
VFMADD213SS |
VFMADD213SD |
VFMADD213SH
| |
BD |
VFMADD231SS |
VFMADD231SD |
VFMADD231SH
| |
7A/7B * |
VFMADDSS * |
VFMADDSD * |
— | |
Packed negative-multiply-subtract (-A*B)-C |
9E |
VFNMSUB132PS |
VFNMSUB132PD |
VFNMSUB132PH
|
AE |
VFNMSUB213PS |
VFNMSUB213PD |
VFNMSUB213PH
| |
BE |
VFNMSUB231PS |
VFNMSUB231PD |
VFNMSUB231PH
| |
7C/7D * |
VFNMSUBPS * |
VFNMSUBPD * |
— | |
Scalar negative-multiply-subtract (-A*B)-C |
9F |
VFNMSUB132SS |
VFNMSUB132SD |
VFNMSUB132SH
|
AF |
VFNMSUB213SS |
VFNMSUB213SD |
VFNMSUB213SH
| |
BF |
VFNMSUB231SS |
VFNMSUB231SD |
VFNMSUB231SH
| |
7E/7F * |
VFNMSUBSS * |
VFNMSUBSD * |
— |
Main article: AVX-512 § New instructions by sets |
AVX-512, introduced in 2014, adds 512-bit wide vector registers (extending the 256-bit registers, which become the new registers' lower halves) and doubles their count to 32; the new registers are thus named zmm0 through zmm31. It adds eight mask registers, named k0 through k7, which may be used to restrict operations to specific parts of a vector register. Unlike previous instruction set extensions, AVX-512 is implemented in several groups; only the foundation ("AVX-512F") extension is mandatory.[127] Most of the added instructions may also be used with the 256- and 128-bit registers.
Main article: Advanced Matrix Extensions |
Intel AMX adds eight new tile-registers, tmm0
-tmm7
, each holding a matrix, with a maximum capacity of 16 rows of 64 bytes per tile-register. It also adds a TILECFG
register to configure the sizes of the actual matrices held in each of the eight tile-registers, and a set of instructions to perform matrix multiplications on these registers.
AMX subset | Instruction mnemonics | Opcode | Instruction description | Added in |
---|---|---|---|---|
|
LDTILECFG m512 |
VEX.128.NP.0F38.W0 49 /0 |
Load AMX tile configuration data structure from memory as a 64-byte data structure. | Sapphire Rapids |
STTILECFG m512 |
VEX.128.66.0F38 W0 49 /0 |
Store AMX tile configuration data structure to memory. | ||
TILERELEASE |
VEX.128.NP.0F38.W0 49 C0 |
Initialize TILECFG and tile data registers (tmm0 to tmm7 ) to the INIT state (all-zeroes).
| ||
TILEZERO tmm |
VEX.128.F2.0F38.W0 49 /r [a] |
Zero out contents of one tile register. | ||
TILELOADD tmm, sibmem |
VEX.128.F2.0F38.W0 4B /r [b] |
Load a data tile from memory into AMX tile register. | ||
TILELOADDT1 tmm, sibmem |
VEX.128.66.0F38.W0 4B /r [b] |
Load a data tile from memory into AMX tile register, with a hint that data should not be kept in the nearest cache levels. | ||
TILESTORED mem, sibtmm |
VEX.128.F3.0F38.W0 4B /r [b] |
Store a data tile to memory from AMX tile register. | ||
|
TDPBSSD tmm1,tmm2,tmm3 [c] |
VEX.128.F2.0F38.W0 5E /r |
Matrix multiply signed bytes from tmm2 with signed bytes from tmm3, accumulating result in tmm1. | |
TDPBSUD tmm1,tmm2,tmm3 [c] |
VEX.128.F3.0F38.W0 5E /r |
Matrix multiply signed bytes from tmm2 with unsigned bytes from tmm3, accumulating result in tmm1. | ||
TDPBUSD tmm1,tmm2,tmm3 [c] |
VEX.128.66.0F38.W0 5E /r |
Matrix multiply unsigned bytes from tmm2 with signed bytes from tmm3, accumulating result in tmm1. | ||
TDPBUUD tmm1,tmm2,tmm3 [c] |
VEX.128.NP.0F38.W0 5E /r |
Matrix multiply unsigned bytes from tmm2 with unsigned bytes from tmm3, accumulating result in tmm1. | ||
TDPBF16PS tmm1,tmm2,tmm3 [c] |
VEX.128.F3.0F38.W0 5C /r |
Matrix multiply BF16 values from tmm2 with BF16 values from tmm3, accumulating result in tmm1. | ||
TDPFP16PS tmm1,tmm2,tmm3 [c] |
VEX.128.F2.0F38.W0 5C /r |
Matrix multiply FP16 values from tmm2 with FP16 values from tmm3, accumulating result in tmm1. | (Granite Rapids) | |
|
TCMMRLFP16PS tmm1,tmm2,tmm3 [c] |
VEX.128.NP.0F38.W0 6C /r |
Matrix multiply complex numbers from tmm2 with complex numbers from tmm3, accumulating real part of result in tmm1. | (Granite Rapids D) |
TCMMILFP16PS tmm1,tmm2,tmm3 [c] |
VEX.128.66.0F38.W0 6C /r |
Matrix multiply complex numbers from tmm2 with complex numbers from tmm3, accumulating imaginary part of result in tmm1. |
TILEZERO
, the tile-register to clear is specified by bits 5:3 of the instruction's ModR/M byte. Bits 7:6 must be set to 11b, and bits 2:0 must be set to 000b.
TILELOADD
, TILELOADDT1
and TILESTORED
instructions, the memory argument must use a memory addressing mode with the SIB-byte. Under this addressing mode, the base register and displacement are used to specify the starting address for the first row of the tile to load/store from/to memory – the scale and index are used to specify a per-row stride.TILECFG.start_row
, so that the instruction may continue on a partially-loaded/stored tile after the interruption.
Main article: AES instruction set |
6 new instructions.
Instruction | Encoding | Description |
---|---|---|
AESENC xmm1,xmm2/m128
|
66 0F 38 DC /r
|
Perform one round of an AES encryption flow |
AESENCLAST xmm1,xmm2/m128
|
66 0F 38 DD /r
|
Perform the last round of an AES encryption flow |
AESDEC xmm1,xmm2/m128
|
66 0F 38 DE /r
|
Perform one round of an AES decryption flow |
AESDECLAST xmm1,xmm2/m128
|
66 0F 38 DF /r
|
Perform the last round of an AES decryption flow |
AESKEYGENASSIST xmm1,xmm2/m128,imm8
|
66 0F 3A DF /r ib
|
Assist in AES round key generation |
AESIMC xmm1,xmm2/m128
|
66 0F 38 DB /r
|
Assist in AES Inverse Mix Columns |
Main article: CLMUL instruction set |
Instruction | Opcode | Description |
---|---|---|
PCLMULQDQ xmm1,xmm2,imm8 |
66 0F 3A 44 /r ib
|
Perform a carry-less multiplication of two 64-bit polynomials over the finite field GF(2k). |
PCLMULLQLQDQ xmm1,xmm2/m128 |
66 0F 3A 44 /r 00
|
Multiply the low halves of the two 128-bit operands. |
PCLMULHQLQDQ xmm1,xmm2/m128 |
66 0F 3A 44 /r 01
|
Multiply the high half of the destination register by the low half of the source operand. |
PCLMULLQHQDQ xmm1,xmm2/m128 |
66 0F 3A 44 /r 10
|
Multiply the low half of the destination register by the high half of the source operand. |
PCLMULHQHQDQ xmm1,xmm2/m128 |
66 0F 3A 44 /r 11
|
Multiply the high halves of the two 128-bit operands. |
Main article: RDRAND |
Instruction | Encoding | Description | Added in |
---|---|---|---|
RDRAND r16 RDRAND r32
|
NFx 0F C7 /6
|
Return a random number that has been generated with a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) compliant with NIST SP 800-90A.[a] | Ivy Bridge, Excavator, Puma, ZhangJiang, Knights Landing, Gracemont |
RDRAND r64
|
NFx REX.W 0F C7 /6
| ||
RDSEED r16 RDSEED r32
|
NFx 0F C7 /7
|
Return a random number that has been generated with a HRNG/TRNG (Hardware/"True" Random Number Generator) compliant with NIST SP 800-90B and C.[a] | Broadwell, ZhangJiang, Knights Landing, Zen 1, Gracemont |
RDSEED r64
|
NFx REX.W 0F C7 /7
|
RDRAND
and RDSEED
instructions may fail to obtain and return a random number if the CPU's random number generators cannot keep up with the issuing of these instructions – if this happens, then software may retry the instructions (although the number of retries should be limited, in order to ensure forward progress[128]). The instructions set EFLAGS.CF
to 1 if a random number was successfully obtained and 0 otherwise. Failure to obtain a random number will also set the instruction's destination register to 0.
Main article: Intel SHA extensions |
7 new instructions.
Instruction | Encoding | Description |
---|---|---|
SHA1RNDS4 xmm1,xmm2/m128,imm8
|
NP 0F 3A CC /r ib
|
Perform Four Rounds of SHA1 Operation |
SHA1NEXTE xmm1,xmm2/m128
|
NP 0F 38 C8 /r
|
Calculate SHA1 State Variable E after Four Rounds |
SHA1MSG1 xmm1,xmm2/m128
|
NP 0F 38 C9 /r
|
Perform an Intermediate Calculation for the Next Four SHA1 Message Dwords |
SHA1MSG2 xmm1,xmm2/m128
|
NP 0F 38 CA /r
|
Perform a Final Calculation for the Next Four SHA1 Message Dwords |
SHA256RNDS2 xmm1,xmm2/m128,<XMM0>
|
NP 0F 38 CB /r
|
Perform Two Rounds of SHA256 Operation |
SHA256MSG1 xmm1,xmm2/m128
|
NP 0F 38 CC /r
|
Perform an Intermediate Calculation for the Next Four SHA256 Message Dwords |
SHA256MSG2 xmm1,xmm2/m128
|
NP 0F 38 CD /r
|
Perform a Final Calculation for the Next Four SHA256 Message Dwords |
These instructions, available in Tiger Lake and later Intel processors, are designed to enable encryption/decryption with an AES key without having access to any unencrypted copies of the key during the actual encryption/decryption process.
Instruction | Encoding | Description | Notes |
---|---|---|---|
LOADIWKEY xmm1,xmm2
|
F3 0F 38 DC /r
|
Load internal wrapping key ("IWKey") from xmm1, xmm2 and XMM0. | The two explicit operands (which must be register operands) specify a 256-bit encryption key. The implicit operand in XMM0 specifies a 128-bit integrity key. EAX contains flags controlling operation of instruction.
After being loaded, the IWKey cannot be directly read from software, but is used for the key wrapping done by
|
ENCODEKEY128 r32,r32
|
F3 0F 38 FA /r
|
Wrap a 128-bit AES key from XMM0 into a 384-bit key handle and output handle in XMM0-2. | Source operand specifies handle restrictions to build into the handle.
Destination operand is initialized with information about the source and attributes of the key. These instruction may also modify XMM4-6 (zeroed out in existing implementations, but this should not be relied on). |
ENCODEKEY256 r32,r32
|
F3 0F 3A FB /r
|
Wrap a 256-bit AES key from XMM1:XMM0 into a 512-bit key handle and output handle in XMM0-3. | |
AESENC128KL xmm,m384
|
F3 0F 38 DC /r
|
Encrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. | All of the Key Locker encode/decode instructions will check whether the handle is valid for the current IWKey and encode/decode data only if the handle is valid.
These instructions will set the ZF flag to indicate whether the provided handle was valid (ZF=0) or not (ZF=1). |
AESDEC128KL xmm,m384
|
F3 0F 38 DD /r
|
Decrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. | |
AESENC256KL xmm,m512
|
F3 0F 38 DE /r
|
Encrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm. | |
AESDEC256KL xmm,m512
|
F3 0F 38 DF /r
|
Decrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm. | |
AESENCWIDE128KL m384
|
F3 0F 38 D8 /0
|
Encrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register. | |
AESDECWIDE128KL m384
|
F3 0F 38 D8 /1
|
Decrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register. | |
AESENCWIDE256KL m512
|
F3 0F 38 D8 /2
|
Encrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register. | |
AESDECWIDE256KL m512
|
F3 0F 38 D8 /3
|
Decrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register. |
Main article: VIA PadLock |
The VIA/Zhaoxin PadLock instructions are instructions designed to apply cryptographic primitives in bulk, similar to the 8086 repeated string instructions. As such, unless otherwise specified, they take, as applicable, pointers to source data in ES:rSI and destination data in ES:rDI, and a data-size or count in rCX. Like the old string instructions, they are all designed to be interruptible.
Padlock subset | Instruction | Encoding | Description | Added in |
---|---|---|---|---|
|
XSTORE
|
NFx 0F A7 C0
|
Store random bytes to ES:[rDI], and increment ES:rDI accordingly. XSTORE will store currently-available bytes, which may be from 0 to 8 bytes. REP XSTORE will write the number of random bytes specified by rCX, waiting for the random number generator when needed. EDX specifies a "quality factor".
|
Nehemiah (stepping 3) |
REP XSTORE
|
F3 0F A7 C0
| |||
|
REP XCRYPTECB
|
F3 0F A7 C8
|
Encrypt/Decrypt data, using the AES cipher in various block modes (ECB, CBC, CFB, OFB and CTR, respectively). rCX contains the number of 16-byte blocks to encrypt/decrypt, rBX contains a pointer to an encryption key, rAX a pointer to an initialization vector for block modes that need it, and rDX a pointer to a control word.[a] | Nehemiah (stepping 8) |
REP XCRYPTCBC
|
F3 0F A7 D0
| |||
REP XCRYPTCFB
|
F3 0F A7 E0
| |||
REP XCRYPTOFB
|
F3 0F A7 E8
| |||
|
REP XCRYPTCTR
|
F3 0F A7 D8
|
C7 "Esther"[129] | |
|
REP XSHA1
|
F3 0F A6 C8
|
Compute a cryptographic hash (using the SHA-1 and SHA-256 functions, respectively). ES:rSI points to data to compute a hash for, ES:rDI points to a message digest and rCX specifies the number of bytes. rAX should be set to 0 at the start of a calculation.[c] | Esther |
REP XSHA256
|
F3 0F A6 D0
| |||
|
REP MONTMUL
|
F3 0F A6 C0
|
Perform Montgomery Multiplication. Takes an operand width in ECX (given as a number of bits – must be in range 256..32768 and divisble by 128) and pointer to a data structure in ES:ESI.[d] | Esther |
CCS_HASH
|
F3 0F A6 E8
|
Compute SM3 hash, similar to the REP XSHA* instructions. The rBX register is used to specify hash function (20h for SM3 being the only documented value).
|
ZhangJiang | |
CCS_ENCRYPT
|
F3 0F A7 F0
|
Encrypt/Decrypt data, using the SM4 cipher in various block modes. rCX contains the number of 16-byte blocks to encrypt/decrypt, rBX contains a pointer to an encryption key, rDX a pointer to an initialization vector for block modes that need it, and rAX contains a control word.[e] |
REP XCRYPT*
is a 128-bit data structure with the following layout:
Bits | Usage |
---|---|
3:0 | AES round count |
4 | Digest mode enable (ACE2 only) |
5 | 1=allow data that is not 16-byte aligned (ACE2 only) |
6 | Cipher: 0=AES, 1=undefined |
7 | Key schedule: 0=compute (128bit key only), 1=load from memory |
8 | 0=normal, 1=intermediate-result |
9 | 0=encrypt, 1=decrypt |
11:10 | Key size: 00=128bit, 01=192bit, 10=256bit, 11=reserved |
127:12 | Reserved, set to 0 |
REP XCRYPT
instructions: a digest mode for the CBC and CFB instructions, and the ability to use input/output data that are not 16-byte aligned for the non-ECB instructions.
REP XSHA*
instructions will enable an alternate operation mode, where rCX specifies the number of 64-byte blocks, and where the standard FIPS-180-2 length extension procedure at the end of the hash calculation is omitted. This makes for a variant more suitable for data streaming than the original EAX=0 variant.[130] This functionality also exists for CCS_HASH
.REP MONTMUL
contains six 32-bit elements, where the first one is a negated modular inverse of the bottom 32 bits of the modulus and the remaining 5 are pointers to various memory buffers:
Offset | Data item |
---|---|
0 | Negated modular inverse |
4 | Pointer to first multiplicand |
8 | Pointer to second multiplicand |
12 | Pointer to result buffer |
16 | Pointer to modulus |
20 | Pointer to 32-byte scratchpad |
CCS_ENCRYPT
control word in rAX has the following format:
Bits | Usage |
---|---|
0 | 0=Encrypt, 1=Decrypt |
5:1 | Must be 10000b for SM4. |
6 | ECB block mode |
7 | CBC block mode |
8 | CFB block mode |
9 | OFB block mode |
10 | CTR block mode |
11 | Digest enable |
Remaining bits in rAX must be set to all-0s.
Of bits 10:6 in rAX (block mode selection), exactly one bit must be set, or else behavior is undefined.
See also: x86 virtualization |
Instruction | Opcode | Instruction Description | Used by | Added in |
---|---|---|---|---|
Basic SVM (Secure Virtual Machine) instructions[133] | ||||
INVLPGA rAX,ECX [a] |
0F 01 DF |
Invalidate TLB mappings for the virtual page specified in rAX and the ASID (Address Space IDentifier) specified in ECX. | VMM | K8[b] |
VMRUN rAX [a] |
0F 01 D8 |
Run virtual machine managed by the VMCB (Virtual Machine Control Block) specified by physical address in rAX. | ||
VMLOAD rAX [a] |
0F 01 DA |
Load a specific subset of processor state from the VMCB specified by the physical address in the rAX register.[c] | Usually the VMM[d] | |
VMSAVE rAX [a] |
0F 01 DB |
Save a specific subset of processor state to the VMCB specified by the physical address in the rAX register.[c] | ||
STGI |
0F 01 DC |
Set GIF (Global Interrupt Flag). | Usually the VMM[e] | |
CLGI |
0F 01 DD |
Clear GIF. | ||
VMMCALL |
NFx 0F 01 D9 |
Call to VM monitor from guest by causing a VMEXIT. | Guest | |
SKINIT EAX |
0F 01 DE |
Secure Init and Jump with Attestation. Initializes CPU to known state, designates a 64 Kbyte memory area specified by EAX as an SLB ("Secure Loader Block"), submits a copy of the memory area to the system TPM for validation using a digital signature, then jumps into the SLB. |
VMM | Turion "Lion",[134] Opteron "Shanghai", Phenom II |
Secure Encrypted Virtualization (SEV): Encrypted State (SEV-ES) instructions | ||||
VMGEXIT |
F2/F3 0F 01 D9 |
SEV-ES Exit to VMM. Explicit communication with the VMM for SEV-ES VMs.[f] |
Guest | Zen 1 |
Secure Nested Paging (SEV-SNP): Reverse-Map Table (RMP) instructions | ||||
PSMASH |
F3 0F 01 FF |
Page Smash: expands a 2MB-page RMP entry into a corresponding set of contiguous 4KB-page RMP entries. The 2 MB page's system physical address is specified in the RAX register. | VMM | Zen 3 |
RMPUPDATE |
F2 0F 01 FE |
Write a new RMP entry. The system physical address of a page whose RMP entry is modified is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure which contains the new RMP state. | ||
PVALIDATE |
F2 0F 01 FF |
Validate or rescind validation of a guest page's RMP entry. The guest virtual address is specified in the register operand rAX.[a] | Guest | |
RMPADJUST |
F3 0F 01 FE |
Adjust RMP permissions for a guest page. The guest virtual address is specified in the RAX register. The page size is specified in RCX[0]. The target VMPL (Virtual Machine Privilege Level) and its permissions are specified in the RDX register. | ||
RMPQUERY |
F3 0F 01 FD |
Reads an RMP permission mask for a guest page. The guest virtual address is specified in the RAX register. The target VMPL is specified in RDX[7:0]. RMP permissions for the specified VMPL are returned in RDX[63:8] and the RCX register. | Guest | Zen 4 |
RMPREAD |
F2 0F 01 FD |
Read an RMP entry. The system physical address of the page whose RMP entry is to be read is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure that the RMP entry will be written to. | VMM | (Zen 5) |
VMRUN
, VMLOAD
, VMSAVE
, INVLPGA
and PVALIDATE
instructions, the choice of AX/EAX/RAX depends on address-size, which can be overridden with the 67h prefix.
VMRUN
instruction will load only a limited subset of CPU state - VMLOAD
should be run before VMRUN
to load additional state.VMSAVE
is needed to store additional state.VMSAVE
/VMLOAD
, the VMM may improve performance by abstaining from performing VMSAVE
/VMLOAD
before re-entering the virtual machine with VMRUN
.
VMLOAD
and VMSAVE
instructions can be executed in guest mode as well.
STGI
and CLGI
instructions can be executed in guest mode as well.
VMGEXIT
is executed as VMMCALL
if not executed by a SEV-ES guest.
Intel virtualization instructions. VT-x is also supported on some processors from VIA and Zhaoxin.
Instruction | Opcode | Instruction Description | Used by[a] | Added in |
---|---|---|---|---|
Basic VMX (Virtual Machine Extensions) instructions | ||||
VMXON m64 [b] |
F3 0F C7 /6 |
Enter VMX Operation – enters hardware supported virtualisation environment.[c] | VMM | Prescott 2M, Yonah, Centerton, Nano 3000 |
VMXOFF |
NP 0F 01 C4 |
Leave VMX Operation – stops hardware supported virtualisation environment. | ||
VMPTRLD m64 [b] |
NP 0F C7 /6 |
Load pointer to Virtual-Machine Control Structure (VMCS) from memory and mark it valid. | ||
VMPTRST m64 [b] |
NP 0F C7 /7 |
Store pointer to current VMCS to memory. | ||
VMCLEAR m64 [b] |
66 0F C7 /6 |
Flush VMCS data from CPU to VMCS region in memory. If the specified VMCS is the current VMCS, then the current-VMCS is marked as invalid. | ||
VMLAUNCH |
NP 0F 01 C2 |
Launch virtual machine managed by current VMCS. | ||
VMRESUME |
NP 0F 01 C3 |
Resume virtual machine managed by current VMCS. | ||
VMREAD r/m,reg |
NP 0F 78 /r |
Read a specified field from the current-VMCS. The reg argument specifies which field to read – the result is stored to r/m . |
Usually the VMM[d] | |
VMWRITE reg,r/m |
NP 0F 79 /r |
Write to specified field of current-VMCS. The reg argument specifies which field to write, and the r/m argument provides the data item to write to the field.
| ||
VMCALL |
NP 0F 01 C1 |
Call to VM monitor from guest by causing a VMEXIT. | Usually the guest[e] | |
Extended Page Tables (EPT) instructions | ||||
INVEPT reg,m128 |
66 0F 38 80 /r |
Invalidates EPT-derived entries in the TLBs and paging-structure caches. The reg argument specifies an invalidation type, the memory argument specifies a 128-bit descriptor.[f]
|
VMM | Nehalem, Centerton,[135] ZhangJiang |
INVVPID reg,m128 |
66 0F 38 81 /r |
Invalidates entries in the TLBs and paging-structure caches based on VPID (Virtual Processor ID). The reg argument specifies an invalidation type, the memory argument specifies a 128-bit descriptor.[g]
| ||
VMFUNC |
NP 0F 01 D4 |
Invoke VM function specified in EAX.[h] | Guest | Haswell, Silvermont, LuJiaZui |
Trust Domain Extensions (TDX): Secure Arbitration Mode (SEAM) instructions[108] | ||||
SEAMOPS |
66 0F 01 CE |
Invoke SEAM specific operations. Operation to perform is specified in RAX.[i] | SEAM root |
(Sapphire Rapids[137]), Emerald Rapids[138] |
SEAMRET |
66 0F 01 CD |
Return to legacy VMX root operation from SEAM VMX root operation. | ||
SEAMCALL |
66 0F 01 CF |
Call to SEAM VMX root operation from legacy VMX root operation. | VMM | |
TDCALL |
66 0F 01 CC |
Call to VM monitor from TD guest by causing a VMEXIT. | TD Guest |
VMXON
, then all of the VT-x instructions (except VMXON
) will cause #UD.
VMPTRLD
, VMPTRST
, VMCLEAR
and VMXON
is a 64-bit physical address.
VMXON
is the 64-bit physical address to a "VMXON region", which is a 4Kbyte region that must be 4 Kbyte aligned. This region may be used by the processor to support VMX operation in an implementation-dependent manner and should never be accessed by software until the processor has left VMX operation through the VMXOFF
instruction.
VMREAD
and VMWRITE
instructions can be executed by the guest as well.
VMCALL
instruction can be executed by the VMM as well – doing so will cause a special SMM VM exit.
reg
argument of INVEPT
are:
Value | Function |
---|---|
1 | Single-context invalidation: invalidate all mappings associated with EPT-pointer in bits 63:0 of descriptor. |
2 | Global invalidation: invalidate all mappings associated with all EPT-pointers. |
reg
argument of INVVPID
are:
Value | Function |
---|---|
0 | Invalidate mapping for linear address and VPID specified in descriptor. (Unlike INVLPG , INVVPID will fail when used with non-canonical addresses.[136])
|
1 | Invalidate all mappings for VPID specified in descriptor. |
2 | All-contexts invalidation: invalidate all mappings for all VPIDs except VPID 0. |
3 | Invalidate all mappings for VPID specified in descriptor, except global translations. |
VMFUNC
in the EAX register are:
EAX | Function |
---|---|
0 | EPTP switching: switch extended page table pointer to one of up to 512 table pointers prepared in advance by the VM host. ECX specifies which one of the 512 pointers to use. |
1-63 | (Reserved, will cause VMEXIT) |
≥64 | Invalid, will cause #UD. |
SEAMOPS
in the RAX register are:
RAX | Operation |
---|---|
0 (CAPABILITIES) | Return bitmap of supported SEAMOPS leaves in RAX. |
1 (SEAMREPORT) | Generate SEAMREPORT structure. |
Any unsupported value in RAX will cause a #GP(0) exception.
Main article: List of discontinued x86 instructions |
x86 also includes discontinued instruction sets which are no longer supported by Intel and AMD, and undocumented instructions which execute but are not officially documented.
The x86 CPUs contain undocumented instructions which are implemented on the chips but not listed in some official documents. They can be found in various sources across the Internet, such as Ralf Brown's Interrupt List and at sandpile.org
Some of these instructions are widely available across many/most x86 CPUs, while others are specific to a narrow range of CPUs.
Mnemonics | Opcodes | Description | Status |
---|---|---|---|
AAM imm8
|
D4 ib
|
ASCII-Adjust-after-Multiply. On the 8086, documented for imm8=0Ah only, which is used to convert a binary multiplication result to BCD.
The actual operation is |
Available beginning with 8086, documented for imm8 values other than 0Ah since Pentium (earlier documentation lists no arguments).
|
AAD imm8
|
D5 ib
|
ASCII-Adjust-Before-Division. On the 8086, documented for imm8=0Ah only, which is used to convert a BCD value to binary for a following division instruction.
The actual operation is | |
SALC ,SETALC
|
D6
|
Set AL depending on the value of the Carry Flag (a 1-byte alternative of SBB AL, AL )
|
Available beginning with 8086, but only documented since Pentium Pro. |
ICEBP ,INT1
|
F1
|
Single byte single-step exception / Invoke ICE | Available beginning with 80386, documented (as INT1 ) since Pentium Pro. Executes as undocumented instruction prefix on 8086 and 80286.[140]
|
TEST r/m8,imm8
|
F6 /1 ib
|
Undocumented variants of the TEST instruction.[141] Performs the same operation as the documented F6 /0 and F7 /0 variants, respectively.
|
Available since the 8086. |
TEST r/m16,imm16 ,TEST r/m32,imm32
|
F7 /1 iw ,F7 /1 id
| ||
SHL , SAL
|
(D0..D3) /6 ,(C0..C1) /6 ib
|
Undocumented variants of the SHL instruction.[141] Performs the same operation as the documented (D0..D3) /4 and (C0..C1) /4 ib variants, respectively.
|
Available since the 80186 (performs different operation on the 8086)[144] |
(multiple) | 82 /(0..7) ib
|
Alias of opcode 80h , which provides variants of 8-bit integer instructions (ADD , OR , ADC , SBB , AND , SUB , XOR , CMP ) with an 8-bit immediate argument.[145]
|
Available since the 8086.[145] Explicitly unavailable in 64-bit mode but kept and reserved for compatibility.[146] |
OR/AND/XOR r/m16,imm8
|
83 /(1,4,6) ib
|
16-bit OR /AND /XOR with a sign-extended 8-bit immediate.
|
Available on 8086, but only documented from 80386 onwards.[147][148] |
REPNZ MOVS
|
F2 (A4..A5)
|
The behavior of the F2 prefix (REPNZ , REPNE ) when used with string instructions other than CMPS /SCAS is officially undefined, but there exists commercial software (e.g. the version of FDISK distributed with MS-DOS versions 3.30 to 6.22[149]) that rely on it to behave in the same way as the documented F3 (REP ) prefix.
|
Available since the 8086. |
REPNZ STOS
|
F2 (AA..AB)
| ||
REP RET
|
F3 C3
|
The use of the REP prefix with the RET instruction is not listed as supported in either the Intel SDM or the AMD APM. However, AMD's optimization guide for the AMD-K8 describes the F3 C3 encoding as a way to encode a two-byte RET instruction – this is the recommended workaround for an issue in the AMD-K8's branch predictor that can cause branch prediction to fail for some 1-byte RET instructions.[150] At least some versions of gcc are known to use this encoding.[151]
|
Executes as RET on all known x86 CPUs.
|
NOP
|
67 90
|
NOP with address-size override prefix. The use of the 67h prefix for instructions without memory operands is listed by the Intel SDM (vol 2, section 2.1.1) as "reserved", but it is used in Microsoft Windows 95 as a workaround for a bug in the B1 stepping of Intel 80386.[152][153]
|
Executes as NOP on 80386 and later.
|
NOP r/m
|
0F 1F /0
|
Official long NOP.
Introduced in the Pentium Pro in 1995, but remained undocumented until March 2006.[53][154][155] |
Available on Pentium Pro and AMD K7[156] and later.
Unavailable on AMD K6, AMD Geode LX, VIA Nehemiah.[157] |
NOP r/m
|
0F 0D /r
|
Reserved-NOP. Introduced in 65 nm Pentium 4. Intel documentation lists this opcode as NOP in opcode tables but not instruction listings since June 2005.[158][159] From Broadwell onwards, 0F 0D /1 has been documented as PREFETCHW , while 0F 0D /0 and /2../7 have been reported to exhibit undocumented prefetch functionality.[99]
On AMD CPUs, |
Available on Intel CPUs since 65 nm Pentium 4. |
UD1
|
0F B9 /r
|
Intentionally undefined instructions, but unlike UD2 (0F 0B ) these instructions were left unpublished until December 2016.[160][62]
Microsoft Windows 95 Setup is known to depend on Other invalid opcodes that are being relied on by commercial software to produce #UD exceptions include |
All of these opcodes produce #UD exceptions on 80186 and later (except on NEC V20/V30, which assign at least 0F FF to the NEC-specific BRKEM instruction.)
|
UD0
|
0F FF
|
Mnemonics | Opcodes | Description | Status | |
---|---|---|---|---|
REP MUL
|
F3 F6 /4 , F3 F7 /4
|
On 8086/8088, a REP or REPNZ prefix on a MUL or IMUL instruction causes the result to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the result.
|
8086/8088 only.[167] | |
REP IMUL
|
F3 F6 /5 , F3 F7 /5
| |||
REP IDIV
|
F3 F6 /7 , F3 F7 /7
|
On 8086/8088, a REP or REPNZ prefix on an IDIV (but not DIV ) instruction causes the quotient to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the quotient.
|
8086/8088 only.[167] | |
SAVEALL ,
|
(F1) 0F 04
|
Exact purpose unknown, causes CPU hang (HCF). The only way out is CPU reset.[168]
In some implementations, emulated through BIOS as a halting sequence.[169] In a forum post at the Vintage Computing Federation, this instruction (with |
Only available on 80286. | |
LOADALL
|
0F 05
|
Loads All Registers from Memory Address 0x000800H | Only available on 80286.
Opcode reused for | |
LOADALLD
|
0F 07
|
Loads All Registers from Memory Address ES:EDI | Only available on 80386.
Opcode reused for | |
CL1INVMB
|
0F 0A [170]
|
On the Intel SCC (Single-chip Cloud Computer), invalidate all message buffers. The mnemonic and operation of the instruction, but not its opcode, are described in Intel's SCC architecture specification.[171] | Available on the SCC only. | |
PATCH2
|
0F 0E
|
On AMD K6 and later maps to FEMMS operation (fast clear of MMX state) but on Intel identified as uarch data read on Intel[172]
|
Only available in Red unlock state (0F 0F too)
| |
PATCH3
|
0F 0F
|
Write uarch | Can change RAM part of microcode on Intel | |
UMOV r,r/m ,UMOV r/m,r
|
0F (10..13) /r
|
Moves data to/from user memory when operating in ICE HALT mode.[173] Acts as regular MOV otherwise.
|
Available on some 386 and 486 processors only.
Opcodes reused for SSE instructions in later CPUs. | |
NXOP
|
0F 55
|
NexGen hypercode interface.[174] | Available on NexGen Nx586 only. | |
(multiple) | 0F (E0..FB) [175]
|
NexGen Nx586 "hyper mode" instructions.
The NexGen Nx586 CPU uses "hyper code"[176] (x86 code sequences unpacked at boot time and only accessible in a special "hyper mode" operation mode, similar to DEC Alpha's PALcode and Intel's XuCode[177]) for many complicated operations that are implemented with microcode in most other x86 CPUs. The Nx586 provides a large number of undocumented instructions to assist hyper mode operation. |
Available in Nx586 hyper mode only. | |
PSWAPW mm,mm/m64
|
0F 0F /r BB
|
Undocumented AMD 3DNow! instruction on K6-2 and K6-3. Swaps 16-bit words within 64-bit MMX register.[178][179]
Instruction known to be recognized by MASM 6.13 and 6.14. |
Available on K6-2 and K6-3 only.
Opcode reused for documented | |
Unknown mnemonic | 64 D6
|
Using the 64 (FS: segment) prefix with the undocumented D6 (SALC /SETALC ) instruction will, on UMC CPUs only, cause EAX to be set to 0xAB6B1B07 .[180][181]
|
Available on the UMC Green CPU only. Executes as SALC on non-UMC CPUs.
| |
FS: Jcc
|
64 (70..7F) rel8 ,
|
On Intel NetBurst (Pentium 4) CPUs, the 64h (FS: segment) instruction prefix will, when used with conditional branch instructions, act as a branch hint to indicate that the branch will be alternating between taken and not-taken.[182] Unlike other NetBurst branch hints (CS: and DS: segment prefixes), this hint is not documented. | Available on NetBurst CPUs only.
Segment prefixes on conditional branches are accepted but ignored by non-NetBurst CPUs. | |
JMPAI
|
0F 3F
|
Jump and execute instructions in the undocumented Alternate Instruction Set. | Only available on some x86 processors made by VIA Technologies. | |
(FMA4) | VEX.66.0F38 (5C..5F,68..6F,78..7F) /r imm8
|
On AMD Zen1, FMA4 instructions are present but undocumented (missing CPUID flag). The reason for leaving the feature undocumented may or may not have been due to a buggy implementation.[183] | Removed from Zen2 onwards. | |
(unknown, multiple) | 0F 0F /r ??
|
The whitepapers for SandSifter[184] and UISFuzz[185] report the detection of large numbers of undocumented instructions in the 3DNow! opcode range on several different AMD CPUs (at least Geode NX and C-50). Their operation is not known.
On at least AMD K6-2, all of the unassigned 3DNow! opcodes (other than the undocumented |
Present on some AMD CPUs with 3DNow!. | |
MOVDB ,
|
Unknown | Microprocessor Report's article "MediaGX Targets Low-Cost PCs" from 1997, covering the introduction of the Cyrix MediaGX processor, lists several new instructions that are said to have been added to this processor in order to support its new "Virtual System Architecture" features, including MOVDB and GP2MEM – and also mentions that Cyrix did not intend to publish specifications for these instructions.[186]
|
Unknown. No specification known to have been published. | |
REP XSHA512
|
F3 0F A6 E0
|
Perform SHA-512 hashing.
Supported by OpenSSL[187] as part of its VIA PadLock support, and listed in a Zhaoxin-supplied Linux kernel patch,[188] but not documented by the VIA PadLock Programming Guide. |
Only available on some x86 processors made by VIA Technologies and Zhaoxin. | |
REP XMODEXP
|
F3 0F A6 F8
|
Instructions to perform modular exponentiation and random number generation, respectively.
Listed in a VIA-supplied patch to add support for VIA Nano-specific PadLock instructions to OpenSSL,[189] but not documented by the VIA PadLock Programming Guide. | ||
XRNG2
|
F3 0F A7 F8
| |||
Unknown mnemonic | 0F A7 (C1..C7)
|
Detected by CPU fuzzing tools such as SandSifter[184] and UISFuzz[185] as executing without causing #UD on several different VIA and Zhaoxin CPUs. Unknown operation, may be related to the documented XSTORE (0F A7 C0 ) instruction.
| ||
Unknown mnemonic | F2 0F A6 C0
|
Zhaoxin SM2 instruction. CPUID flags listed in a Linux kernel patch for OpenEuler,[190] description and opcode (but no instruction mnemonic) provided in a Zhaoxin patent application[191] and a Zhaoxin-provided Linux kernel patch.[192] | Present in Zhaoxin KX-6000G.[193] | |
ZXPAUSE
|
F2 0F A6 D0
|
Pause the processor until the Time Stamp Counter reaches or exceeds the value specified in EDX:EAX. Low-power processor C-state can be requested in ECX. Listed in OpenEuler kernel patch.[194] | Present in Zhaoxin KX-7000. | |
MONTMUL2
|
Unknown | Zhaoxin RSA/"xmodx" instructions. Mnemonics and CPUID flags are listed in a Linux kernel patch for OpenEuler,[190] but opcodes and instruction descriptions are not available. | Unknown. Some Zhaoxin CPUs[193] have the CPUID flags for these instructions set. |
Mnemonics | Opcodes | Description | Status |
---|---|---|---|
FENI ,
|
DB E0
|
FPU Enable Interrupts (8087) | Documented for the Intel 80287.[117]
Present on all Intel x87 FPUs from 80287 onwards. For FPUs other than the ones where they were introduced on (8087 for These instructions and their operation on modern CPUs are commonly mentioned in later Intel documentation, but with opcodes omitted and opcode table entries left blank (e.g. Intel SDM 325462-077, April 2022 mentions them twice without opcodes). The opcodes are, however, recognized by Intel XED.[195] |
FDISI ,
|
DB E1
|
FPU Disable Interrupts (8087) | |
FSETPM ,
|
DB E4
|
FPU Set Protected Mode (80287) | |
(no mnemonic) | D9 D7 , D9 E2 ,D9 E7 , DD FC ,DE D8 , DE DA ,DE DC , DE DD ,DE DE , DF FC
|
"Reserved by Cyrix" opcodes | These opcodes are listed as reserved opcodes that will produce "unpredictable results" without generating exceptions on at least Cyrix 6x86,[196] 6x86MX, MII, MediaGX, and AMD Geode GX/LX.[197] (The documentation for these CPUs all list the same ten opcodes.)
Their actual operation is not known, nor is it known whether their operation is the same on all of these CPUs. |