List of undocumented x86 instructions
x86 CPUs contain undocumented instructions: they are implemented on the chips and can execute, but are not listed in some official documents.
Undocumented x86 instructions
Undocumented instructions that are widely available across many x86 CPUs include:
Mnemonics | Opcodes | Description | Status |
---|---|---|---|
AAM imm8 | D4 imm8 | ASCII-Adjust-after-Multiply. On the 8086, documented for imm8=0Ah only, which is used to convert a binary multiplication result to BCD. The actual operation is | Available beginning with 8086, documented for imm8 values other than 0Ah since Pentium (earlier documentation lists no arguments). |
AAD imm8 | D5 imm8 | ASCII-Adjust-Before-Division. On the 8086, documented for imm8=0Ah only, which is used to convert a BCD value to binary for a following division instruction. The actual operation is | |
SALC, SETALC | D6 | Set AL depending on the value of the Carry Flag (a 1-byte alternative of SBB AL, AL) | Available beginning with 8086, but only documented since Pentium Pro. |
TEST | F6 /1 imm8, F7 /1 imm16/32 | Undocumented variants of the TEST instruction.[2] Performs the same operation as the documented F6 /0 and F7 /0 variants, respectively. | Available since the 8086. |
SHL, SAL | (D0..D3) /6, (C0..C1) /6 imm8 | Undocumented variants of the SHL instruction.[2] Performs the same operation as the documented (D0..D3) /4 and (C0..C1) /4 variants, respectively. | Available since the 80186 (performs different operation on the 8086)[5] |
(multiple) | 82 /(0..7) imm8 | Alias of opcode 80, which provides variants of 8-bit integer instructions (ADD, OR, ADC, SBB, AND, SUB, XOR, CMP) with an 8-bit immediate argument.[6] | Available since the 8086.[6] Explicitly unavailable in 64-bit mode but kept and reserved for compatibility.[7] |
OR,AND,XOR | 83 /(1,4,6) imm8 | 16-bit OR/AND/XOR with a sign-extended 8-bit immediate. | Available on 8086, but only documented from 80386 onwards.[8][9] |
REPNZ MOVS | F2 (A4..A5) | The behavior of the F2 prefix (REPNZ, REPNE) when used with string instructions other than CMPS/SCAS is officially undefined, but there exists commercial software (e.g. the version of FDISK distributed with MS-DOS versions 3.30 to 6.22[10]) that relies on it to behave in the same way as the documented F3 (REP) prefix. | Available since the 8086. |
REPNZ STOS | F2 (AA..AB) | ||
REP RET | F3 C3 | The use of the REP prefix with the RET instruction is not listed as supported in either the Intel SDM or the AMD APM. However, AMD's optimization guide for the AMD-K8 describes the F3 C3 encoding as a way to encode a two-byte RET instruction - this is the recommended workaround for an issue in the AMD-K8's branch predictor that can cause branch prediction to fail for some 1-byte RET instructions.[11] At least some versions of gcc are known to use this encoding.[12] | Executes as RET on all known x86 CPUs. |
NOP | 67 90 | NOP with address-size override prefix. The use of the 67 prefix for instructions without memory operands is listed by the Intel SDM (vol 2, section 2.1.1) as "reserved", but it is used in Microsoft Windows 95 as a workaround for a bug in the B1 stepping of Intel 80386.[13][14] | Executes as NOP on 80386 and later. |
ICEBP, INT1 | F1 | Single byte single-step exception / Invoke ICE | Available beginning with 80386, documented (as INT1) since Pentium Pro. Treated as undocumented instruction prefix on 8086 and 80286.[15] |
NOP r/m | 0F 1F /0 | Official long NOP. Introduced in the Pentium Pro in 1995, but remained undocumented until March 2006.[16][17][18] | Available on Pentium Pro and AMD K7[19] and later. Unavailable on AMD K6, AMD Geode LX, VIA Nehemiah.[20] |
NOP r/m | 0F 0D /r | Reserved-NOP. Introduced in 65 nm Pentium 4. Intel documentation lists this opcode as NOP in opcode tables but not instruction listings since June 2005.[21][22] From Broadwell onwards, 0F 0D /1 has been documented as PREFETCHW. On AMD CPUs, 0F 0D with a memory argument is documented as PREFETCH/PREFETCHW since K6-2, originally as part of 3DNow!, but has been kept in later AMD CPUs even after the rest of 3DNow! was dropped. | Available on Intel CPUs since 65 nm Pentium 4. |
UD1 | 0F B9 /r | Intentionally undefined instructions, but unlike UD2 (0F 0B) these instructions were left unpublished until December 2016.[23][24] Microsoft Windows 95 Setup is known to depend on 0F FF being invalid[25][26] - it is used as a self check to test that its #UD exception handler is working properly. Other invalid opcodes that are being relied on by commercial software to produce #UD exceptions include FF FF (DIF-2,[27] LaserLok[28]) and C4 C4 ("BOP"[29][30]), however as of January 2022 they are not published as intentionally invalid opcodes. | All of these opcodes produce #UD exceptions on 80186 and later (except on NEC V20/V30, which assign at least 0F FF to the BRKEM instruction.) |
UD0 | 0F FF |
Undocumented instructions that appear only in a limited subset of x86 CPUs include:
Mnemonics | Opcodes | Description | Status |
---|---|---|---|
SAVEALL, STOREALL | 0F 04 | Exact purpose unknown, causes CPU hang (HCF). The only way out is CPU reset.[31] In some implementations, emulated through BIOS as a halting sequence.[32] In a forum post at the Vintage Computing Federation, this instruction is explained as SAVEALL. It interacts with ICE mode. | Only available on 80286 |
LOADALL | 0F 05 | Loads All Registers from Memory Address 0x000800H | Only available on 80286. Opcode reused for SYSCALL in AMD K6-2 and later CPUs. |
LOADALLD | 0F 07 | Loads All Registers from Memory Address ES:EDI | Only available on 80386. Opcode reused for SYSRET in AMD K6-2 and later CPUs. |
CL1INVMB | 0F 0A[33] | On the Intel SCC (Single-chip Cloud Computer), invalidate all message buffers. The mnemonic and operation of the instruction, but not its opcode, are described in Intel's SCC architecture specification.[34] | Available on the SCC only. |
PATCH2 | 0F 0E | On AMD K6 and later, maps to the FEMMS operation (fast clear of MMX state); on Intel, identified as a uarch data read.[35] | Only available in Red unlock state (0F 0F too) |
PATCH3 | 0F 0F | Write uarch | Can change RAM part of microcode on Intel |
UMOV r,r/m, UMOV r/m,r | 0F (10..13) /r | Moves data to/from user memory when operating in ICE HALT mode.[36] Acts as regular MOV otherwise. | Available on some 386 and 486 processors only. Opcodes reused for SSE instructions in later CPUs. |
NXOP | 0F 55 | NexGen hypercode interface.[37] | Available on NexGen Nx586 only. |
(multiple) | 0F (E0..FB)[38] | NexGen Nx586 "hyper mode" instructions. The NexGen Nx586 CPU uses "hyper code"[39] (x86 code sequences unpacked at boot time and only accessible in a special "hyper mode" operation mode, similar to DEC Alpha's PALcode) for many complicated operations that are implemented with microcode in most other x86 CPUs. The Nx586 provides a large number of undocumented instructions to assist hyper mode operation. | Available in Nx586 hyper mode only. |
PSWAPW mm,mm/m64 | 0F 0F /r BB | Undocumented AMD 3DNow! instruction on K6-2 and K6-3. Swaps 16-bit words within 64-bit MMX register.[40][41] Instruction known to be recognized by MASM 6.13 and 6.14. | Available on K6-2 and K6-3 only. Opcode reused for documented PSWAPD instruction from AMD K7 onwards. |
Unknown mnemonic | 64 D6 | Using the 64h (FS: segment) prefix with the undocumented D6 (SALC/SETALC) instruction will, on UMC CPUs only, cause EAX to be set to 0xAB6B1B07.[42][43] | Available on the UMC Green CPU only. Executes as SALC on non-UMC CPUs. |
FS: Jcc | 64 (70..7F) rel8, 64 0F (80..8F) rel16/32 | On Intel "NetBurst" (Pentium 4) CPUs, the 64h (FS: segment) instruction prefix will, when used with conditional branch instructions, act as a branch hint to indicate that the branch will be alternating between taken and not-taken.[44] Unlike other NetBurst branch hints (CS: and DS: segment prefixes), this hint is not documented. | Available on NetBurst CPUs only. Segment prefixes on conditional branches are accepted but ignored by non-NetBurst CPUs. |
ALTINST | 0F 3F | Jump and execute instructions in the undocumented Alternate Instruction Set. | Only available on some x86 processors made by VIA Technologies. |
(FMA4) | VEX.66.0F38 (5C..5F,68..6F,78..7F) /r imm8 | On AMD Zen1, FMA4 instructions are present but undocumented (missing CPUID flag). The reason for leaving the feature undocumented may or may not have been due to a buggy implementation.[45] | Removed from Zen2 onwards. |
REP XSHA512 | F3 0F A6 E0 | Perform SHA-512 hashing. Supported by OpenSSL[46] as part of its VIA PadLock support, but not documented by the VIA PadLock Programming Guide. | Only available on some x86 processors made by VIA Technologies and Zhaoxin. |
REP XMODEXP | F3 0F A6 F8 | Instructions to perform modular exponentiation and random number generation, respectively. Listed in a VIA-supplied patch to add support for VIA Nano-specific PadLock instructions to OpenSSL,[47] but not documented by the VIA PadLock Programming Guide. | |
XRNG2 | F3 0F A7 F8 | ||
Unknown mnemonic | 0F A7 (C1..C7) | Detected by CPU fuzzing tools such as SandSifter[48] and UISFuzz[49] as executing without causing #UD on several different VIA and Zhaoxin CPUs. Unknown operation, may be related to the documented XSTORE (0F A7 C0) instruction. | |
(unknown, multiple) | 0F 0F /r ?? | The whitepapers for SandSifter[48] and UISFuzz[49] report the detection of large numbers of undocumented instructions in the 3DNow! opcode range on several different AMD CPUs (at least Geode NX and C-50). Their operation is not known. On at least AMD K6-2, all of the unassigned 3DNow! opcodes (other than the undocumented PF2IW, PI2FW and PSWAPW instructions) execute as equivalents of POR (MMX bitwise-OR instruction).[41] | Present on some AMD CPUs with 3DNow!. |
MONTMUL2 | unknown | Zhaoxin RSA/"xmodx" instructions. Mnemonics and CPUID flags are listed in a Linux kernel patch for OpenEuler,[50] but opcodes and instruction descriptions are not available. | Unknown. Some Zhaoxin CPUs[51] have the CPUID flags for these instructions set. |
MOVDB, GP2MEM | unknown | Microprocessor Report's article "MediaGX Targets Low-Cost PCs" from 1997, covering the introduction of the Cyrix MediaGX processor, lists several new instructions that are said to have been added to this processor in order to support its new "Virtual System Architecture" features, including MOVDB and GP2MEM - and also mentions that Cyrix did not intend to publish specifications for these instructions.[52] | Unknown. No specification known to have been published. |
Undocumented x87 instructions
Mnemonics | Opcodes | Description | Status |
---|---|---|---|
FFREEP | DF C0+i | Same operation as FFREE st(i) followed by FSTP st(0). | Available on all Intel x87 FPUs from 8087 onwards. Available on most AMD x87 FPUs. Unavailable on AMD Geode GX/LX, DM&P Vortex86[53] and NexGen 586PF.[54] Documented for the Intel 80287[55] but then omitted from later manuals until the October 2017 update of the Intel SDM.[56] |
FSTPNCE | D9 D8+i | Same operation as documented FSTP st(i), DD D8+i, except that it won't produce a stack underflow exception. | |
FCOM | DC D0+i | Same operation as documented FCOM st(i), D8 D0+i | |
FCOMP | DC D8+i, DE D0+i | Same operation as documented FCOMP st(i), D8 D8+i | |
FXCH | DD C8+i, DF C8+i | Same operation as documented FXCH st(i), D9 C8+i | |
FSTP | DF D0+i, DF D8+i | Same operation as documented FSTP st(i), DD D8+i | |
FENI, FENI8087_NOP | DB E0 | FPU Enable Interrupts (8087) | Documented for the Intel 80287.[55] Present on all Intel x87 FPUs from 80287 onwards. For FPUs other than the ones on which they were introduced (8087 for FENI/FDISI and 80287 for FSETPM), they act as NOPs. These instructions and their operation on modern CPUs are commonly mentioned in later Intel documentation, but with opcodes omitted and opcode table entries left blank (e.g. Intel SDM 325462-076, December 2021, mentions them twice without opcodes). The opcodes are, however, recognized by Intel XED.[57] |
FDISI, FDISI8087_NOP | DB E1 | FPU Disable Interrupts (8087) | |
FSETPM, FSETPM287_NOP | DB E4 | FPU Set Protected Mode (80287) | |
(no mnemonic) | D9 D7, D9 E2, D9 E7, DD FC, DE D8, DE DA, DE DC, DE DD, DE DE, DF FC | "Reserved by Cyrix" opcodes | These opcodes are listed as reserved opcodes that will produce "unpredictable results" without generating exceptions on at least Cyrix 6x86,[58] 6x86MX, MII, MediaGX, and AMD Geode GX/LX.[59] (The documentation for these CPUs all list the same ten opcodes.) Their actual operation is not known, nor is it known whether their operation is the same on all of these CPUs. |
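
Several rows in the tables above are pure aliases of documented encodings, so a disassembler or byte-signature matcher can fold them into the documented form before comparing. The following Python code is an added example, not part of the original page: it covers only the ModRM `/digit` aliases (TEST, SHL/SAL, opcode 82) and the x87 register-form aliases listed above. The name `canonicalize`, the prefix-free input, and the assumption of an 80186-or-later CPU are choices made for this example.

```python
# Alias encodings taken from the tables on this page (added example).
# (opcode byte, ModRM reg field) -> (documented opcode, documented reg field)
MODRM_ALIASES = {}
for op in (0xF6, 0xF7):                            # TEST: /1 behaves as /0
    MODRM_ALIASES[(op, 1)] = (op, 0)
for op in (0xD0, 0xD1, 0xD2, 0xD3, 0xC0, 0xC1):    # SHL/SAL: /6 behaves as /4
    MODRM_ALIASES[(op, 6)] = (op, 4)               # (80186 and later only)
for reg in range(8):                               # 82 /r is an alias of 80 /r
    MODRM_ALIASES[(0x82, reg)] = (0x80, reg)

# x87 register forms: (escape byte, second byte with i cleared) -> documented pair
X87_ALIASES = {
    (0xDC, 0xD0): (0xD8, 0xD0),  # FCOM st(i)
    (0xDC, 0xD8): (0xD8, 0xD8),  # FCOMP st(i)
    (0xDE, 0xD0): (0xD8, 0xD8),  # FCOMP st(i)
    (0xDD, 0xC8): (0xD9, 0xC8),  # FXCH st(i)
    (0xDF, 0xC8): (0xD9, 0xC8),  # FXCH st(i)
    (0xDF, 0xD0): (0xDD, 0xD8),  # FSTP st(i)
    (0xDF, 0xD8): (0xDD, 0xD8),  # FSTP st(i)
}

def canonicalize(insn: bytes, mode64: bool = False):
    """Return the documented encoding of an alias, or None if `insn` is not
    one of the aliases above. Assumption: `insn` starts at the opcode byte
    (prefixes already stripped) and holds one whole instruction."""
    if len(insn) < 2:
        return None
    op, second = insn[0], insn[1]
    if 0xD8 <= op <= 0xDF and second >= 0xC0:      # x87 register form
        hit = X87_ALIASES.get((op, second & 0xF8))
        if hit is None:
            return None
        # Keep the stack index i (low three bits), swap escape and base byte.
        return bytes([hit[0], hit[1] | (second & 0x07)]) + insn[2:]
    if op == 0x82 and mode64:                      # 82 is unavailable in 64-bit mode
        return None
    reg = (second >> 3) & 0x07                     # ModRM.reg carries the /digit
    hit = MODRM_ALIASES.get((op, reg))
    if hit is None:
        return None
    new_modrm = (second & 0xC7) | (hit[1] << 3)    # keep mod and r/m, replace reg
    # SIB, displacement and immediate bytes are unchanged by the rewrite.
    return bytes([hit[0], new_modrm]) + insn[2:]
```

FSTPNCE (D9 D8+i) is deliberately left out of the x87 map because the table describes it as differing from FSTP in its exception behavior.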
References
1. Robert Collins, Undocumented OpCodes: AAM
2. Frank van Gilluwe, "The Undocumented PC - Second Edition", p. 93-95
3. Michal Necasek, Intel 486 Errata?
4. Robert Hummel, "PC Magazine Programmer's Technical Reference" (ISBN 1-56276-016-5) p.728
5. Raúl Gutiérrez Sanz, Undocumented 8086 Opcodes, Part I
6. "Asm, opcode 82h". http://computer-programming-forum.com/46-asm/143edbd28ae1a091.htm.
7. Intel Corporation 2022, p. 3698.
8. Intel, The 8086 Family User's Manual, October 1979, opcodes omitted on pages 4-25 and 4-31
9. Retrocomputing StackExchange, Undocumented instructions in x86 CPU prior to 80386?
10. Daniel B. Sedory, An Examination of the Standard MBR
11. AMD, Software Optimization Guide for AMD64 Processors (publication 25112, revision 3.06, Sep 2005), section 6.2, p.128
12. Bug 48227 - "rep ret" generated for -march=core2
13. Raymond Chen, My, what strange NOPs you have!
14. Jeff Parsons, Intel 80386 CPU information (B1 errata section, item #7)
15. Retrocomputing StackExchange, 0F1h opcode-prefix on i80286
16. Intel Community: Multibyte NOP Made Official. Archived on 7 Apr 2022.
17. Intel Software Developers Manual, volume 2B (Jan 2006, order no 235667-018, does not have long NOP)
18. Intel Software Developers Manual, volume 2B (March 2006, order no 235667-019, has long NOP)
19. Agner Fog, Instruction Tables, AMD K7 section.
20. "579838 – glibc not compatible with AMD Geode LX". https://bugzilla.redhat.com/show_bug.cgi?id=579838#c46.
21. Intel Software Developers Manual, volume 2B (April 2005, order no 235667-015, does not list 0F0D-nop)
22. Intel Software Developers Manual, volume 2B (June 2005, order no 235667-016, lists 0F0D-nop in opcode table but not under NOP instruction description.)
23. Intel Software Developers Manual, volume 2B (order no. 253667-060, September 2016) does not list UD0 and UD1.
24. Intel Software Developers Manual, volume 2B (order no. 253667-061, December 2016) lists UD0 and UD1.
25. "PCJS : pcjs/x86op0F.js (two-byte x86 opcode handlers), lines 1647-1651". 17 April 2022. https://github.com/jeffpar/pcjs/blob/e565ffa65d8ee5d600ec04e62c6651dabb4894cb/machines/pcx86/lib/x86op0f.js#L1647.
26. "80486 paging protection faults? \ VOGONS". https://www.vogons.org/viewtopic.php?t=62949.
27. "Invalid opcode handling \ VOGONS". https://www.vogons.org/viewtopic.php?t=13379.
28. "Invalid instructions cause exit even if Int 6 is hooked \ VOGONS". https://www.vogons.org/viewtopic.php?t=21418.
29. "Tutorial - Calling Win32 from DOS". 17 Sep 2005. https://www.ragestorm.net/tutorial?id=27.
30. "Accessing Windows device drivers from DOS programs". https://sta.c64.org/blog/dosvddaccess.html.
31. "Re: Undocumented opcodes (HINT_NOP)". http://www.sandpile.org/post/msgs/20004129.htm.
32. "Re: Also some undocumented 0Fh opcodes". http://www.sandpile.org/post/msgs/20003986.htm.
33. Intel's RCCE library for the SCC uses opcode 0F 0A for SCC's message invalidation instruction.
34. Intel Labs, SCC External Architecture Specification (EAS), Revision 0.94, p.29
35. "Undocumented x86 instructions to control the CPU at the microarchitecture level in modern Intel processors". 9 July 2021. https://raw.githubusercontent.com/chip-red-pill/udbgInstr/main/paper/undocumented_x86_insts_for_uarch_control.pdf.
36. Robert R. Collins, Undocumented OpCodes: UMOV
37. Herbert Oppmann, NXOP (Opcode 0Fh 55h)
38. Herbert Oppmann, NexGen Nx586 Hypercode Source, see COMMON.INC
39. Herbert Oppmann, Inside the NexGen Nx586 System BIOS
40. Grzegorz Mazur, AMD 3DNow! undocumented instructions
41. "Archived copy". http://grafi.ii.pw.edu.pl/gbm/x86/3dundoc.html.
42. Potemkin's Hacker Group's OPCODE.LST, v4.51
43. "[UCA CPU Analysis] Prototype UMC Green CPU U5S-SUPER33". 25 May 2020. https://x86.fr/uca-cpu-analysis-prototype-umc-green-cpu-u5s-super33.
44. Agner Fog, The Microarchitecture of Intel, AMD and VIA CPUs, section 3.4 "Branch Prediction in P4 and P4E".
45. Reddit /r/Amd discussion thread: Ryzen has undocumented support for FMA4
46. "Welcome to the OpenSSL Project". 21 April 2022. https://github.com/openssl/openssl/blob/1aa89a7a3afb053d0c0b7fad8d3ea1b0a5447289/engines/asm/e_padlock-x86.pl#L597.
47. PATCH: Update PadLock engine for VIA C7 and Nano CPUs
48. Christopher Domas, Breaking the x86 ISA
49. Xixing Li et al, UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching
50. OpenEuler mailing list, PATCH kernel-4.19 v2 5/6 : x86/cpufeatures: Add Zhaoxin feature bits. Archived on 9 Apr 2022.
51. CPUID dump for Zhaoxin KaiXian-U6870, see C0000001 line. Archived on 9 Apr 2022.
52. Microprocessor Report, MediaGX Targets Low-Cost PCs (vol 11, no. 3, Mar 10, 1997)
53. "GCC Bugzilla – 37179 – GCC emits bad opcode 'ffreep'". https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37179.
54. Michael Steil, FFREEP – the assembly instruction that never existed
55. Intel 80286 and 80287 Programmers Reference Manual, 1987 (order no. 210498-005), p. 485
56. Intel Software Developer's Manual, revision 064, volume 3B, section 22.18.9
57. ISA datafile for Intel XED (Apr 17, 2022), lines 916-944
58. Cyrix 6x86 processor data book, page 6-34
59. AMD Geode LX Processors Data Book, publication 33234H, p.670
External links
- sandpile.org – x86 processor information