List of undocumented x86 instructions

From HandWiki
Revision as of 01:17, 12 November 2023 by Smart bot editor (talk | contribs) (linkage)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

The x86 CPUs contain undocumented instructions which are implemented on the chips and can execute, but are not listed in some official documents.

Undocumented x86 instructions

Undocumented instructions that are widely available across many x86 CPUs include:

Mnemonics Opcodes Description Status
AAM imm8 D4 imm8 ASCII-Adjust-after-Multiply. On the 8086, documented for imm8=0Ah only, which is used to convert a binary multiplication result to BCD.

The actual operation is AH ← AL/imm8; AL ← AL mod imm8 for any imm8 value (except zero, which produces a divide-by-zero exception).[1]

Available beginning with 8086, documented for imm8 values other than 0Ah since Pentium (earlier documentation lists no arguments).
AAD imm8 D5 imm8 ASCII-Adjust-Before-Division. On the 8086, documented for imm8=0Ah only, which is used to convert a BCD value to binary for a following division instruction.

The actual operation is AL ← (AL+(AH*imm8)) & 0FFh; AH ← 0 for any imm8 value.

SALC,

SETALC

D6 Set AL depending on the value of the Carry Flag (a 1-byte alternative of SBB AL, AL) Available beginning with 8086, but only documented since Pentium Pro.
TEST F6 /1 imm8,

F7 /1 imm16/32

Undocumented variants of the TEST instruction.[2] Performs the same operation as the documented F6 /0 and F7 /0 variants, respectively. Available since the 8086.

Unavailable on some 80486 steppings.[3][4]

SHL,

SAL

(D0..D3) /6,

(C0..C1) /6 imm8

Undocumented variants of the SHL instruction.[2] Performs the same operation as the documented (D0..D3) /4 and (C0..C1) /4 variants, respectively. Available since the 80186 (performs different operation on the 8086)[5]
(multiple) 82 /(0..7) imm8 Alias of opcode 80, which provides variants of 8-bit integer instructions (ADD, OR, ADC, SBB, AND, SUB, XOR, CMP) with an 8-bit immediate argument.[6] Available since the 8086.[6] Explicitly unavailable in 64-bit mode but kept and reserved for compatibility.[7]
OR,AND,XOR 83 /(1,4,6) imm8 16-bit OR/AND/XOR with a sign-extended 8-bit immediate. Available on 8086, but only documented from 80386 onwards.[8][9]
REPNZ MOVS F2 (A4..A5) The behavior of the F2 prefix (REPNZ, REPNE) when used with string instructions other than CMPS/SCAS is officially undefined, but there exists commercial software (e.g. the version of FDISK distributed with MS-DOS versions 3.30 to 6.22[10]) that rely on it to behave in the same way as the documented F3 (REP) prefix. Available since the 8086.
REPNZ STOS F2 (AA..AB)
REP RET F3 C3 The use of the REP prefix with the RET instruction is not listed as supported in either the Intel SDM or the AMD APM. However, AMD's optimization guide for the AMD-K8 describes the F3 C3 encoding as a way to encode a two-byte RET instruction - this is the recommended workaround for an issue in the AMD-K8's branch predictor that can cause branch prediction to fail for some 1-byte RET instructions.[11] At least some versions of gcc are known to use this encoding.[12] Executes as RET on all known x86 CPUs.
NOP 67 90 NOP with address-size override prefix. The use of the 67 prefix for instructions without memory operands is listed by the Intel SDM (vol 2, section 2.1.1) as "reserved", but it is used in Microsoft Windows 95 as a workaround for a bug in the B1 stepping of Intel 80386.[13][14] Executes as NOP on 80386 and later.
ICEBP,

INT1

F1 Single byte single-step exception / Invoke ICE Available beginning with 80386, documented (as INT1) since Pentium Pro. Treated as undocumented instruction prefix on 8086 and 80286.[15]
NOP r/m 0F 1F /0 Official long NOP.

Introduced in the Pentium Pro in 1995, but remained undocumented until March 2006.[16][17][18]

Available on Pentium Pro and AMD K7[19] and later.

Unavailable on AMD K6, AMD Geode LX, VIA Nehemiah.[20]

NOP r/m 0F 0D /r Reserved-NOP. Introduced in 65 nm Pentium 4. Intel documentation lists this opcode as NOP in opcode tables but not instruction listings since June 2005.[21][22] From Broadwell onwards, 0F 0D /1 has been documented as PREFETCHW.

On AMD CPUs, 0F 0D with a memory argument is documented as PREFETCH/PREFETCHW since K6-2 - originally as part of 3dnow!, but has been kept in later AMD CPUs even after the rest of 3dnow! was dropped.

Available on Intel CPUs since 65 nm Pentium 4.

UD1 0F B9 /r Intentionally undefined instructions, but unlike UD2 (0F 0B) these instructions were left unpublished until December 2016.[23][24]

Microsoft Windows 95 Setup is known to depend on 0F FF being invalid[25][26] - it is used as a self check to test that its #UD exception handler is working properly.

Other invalid opcodes that are being relied on by commercial software to produce #UD exceptions include FF FF (DIF-2,[27] LaserLok[28]) and C4 C4 ("BOP"[29][30]), however as of January 2022 they are not published as intentionally invalid opcodes.

All of these opcodes produce #UD exceptions on 80186 and later (except on NEC V20/V30, which assign at least 0F FF to the BRKEM instruction.)
UD0 0F FF

Undocumented instructions that appear only in a limited subset of x86 CPUs include:

Mnemonics Opcodes Description Status
SAVEALL,

STOREALL

0F 04 Exact purpose unknown, causes CPU hang (HCF). The only way out is CPU reset.[31]

In some implementations, emulated through BIOS as a halting sequence.[32]

In a forum post at the Vintage Computing Federation, this instruction is explained as SAVEALL. It interacts with ICE mode.

Only available on 80286
LOADALL 0F 05 Loads All Registers from Memory Address 0x000800H Only available on 80286.

Opcode reused for SYSCALL in AMD K6-2 and later CPUs.

LOADALLD 0F 07 Loads All Registers from Memory Address ES:EDI Only available on 80386.

Opcode reused for SYSRET in AMD K6-2 and later CPUs.

CL1INVMB 0F 0A[33] On the Intel SCC (Single-chip Cloud Computer), invalidate all message buffers. The menmonic and operation of the instruction, but not its opcode, are described in Intel's SCC architecture specification.[34] Available on the SCC only.
PATCH2 0F 0E On AMD K6 and later maps to FEMMS operation (fast clear of MMX state) but on Intel identified as uarch data read on Intel[35] Only available in Red unlock state (0F 0F too)
PATCH3 0F 0F Write uarch Can change RAM part of microcode on Intel
UMOV r,r/m

UMOV r/m,r

0F (10..13) /r Moves data to/from user memory when operating in ICE HALT mode.[36] Acts as regular MOV otherwise. Available on some 386 and 486 processors only.

Opcodes reused for SSE instructions in later CPUs.

NXOP 0F 55 NexGen hypercode interface.[37] Available on NexGen Nx586 only.
(multiple) 0F (E0..FB)[38] NexGen Nx586 "hyper mode" instructions.

The NexGen Nx586 CPU uses "hyper code"[39] (x86 code sequences unpacked at boot time and only accessible in a special "hyper mode" operation mode, similar to DEC Alpha's PALcode) for many complicated operations that are implemented with microcode in most other x86 CPUs. The Nx586 provides a large number of undocumented instructions to assist hyper mode operation.

Available in Nx586 hyper mode only.
PSWAPW mm,mm/m64 0F 0F /r BB Undocumented AMD 3DNow! instruction on K6-2 and K6-3. Swaps 16-bit words within 64-bit MMX register.[40][41]

Instruction known to be recognized by MASM 6.13 and 6.14.

Available on K6-2 and K6-3 only.

Opcode reused for documented PSWAPD instruction from AMD K7 onwards.

Unknown mnemonic 64 D6 Using the 64h (FS: segment) prefix with the undocumented D6 (SALC/SETALC) instruction will, on UMC CPUs only, cause EAX to be set to 0xAB6B1B07.[42][43] Available on the UMC Green CPU only. Executes as SALC on non-UMC CPUs.
FS: Jcc 64 (70..7F) rel8,

64 0F (80..8F) rel16/32

On Intel "NetBurst" (Pentium 4) CPUs, the 64h (FS: segment) instruction prefix will, when used with conditional branch instructions, act as a branch hint to indicate that the branch will be alternating between taken and not-taken.[44] Unlike other NetBurst branch hints (CS: and DS: segment prefixes), this hint is not documented. Available on NetBurst CPUs only.

Segment prefixes on conditional branches are accepted but ignored by non-NetBurst CPUs.

ALTINST 0F 3F Jump and execute instructions in the undocumented Alternate Instruction Set. Only available on some x86 processors made by VIA Technologies.
(FMA4) VEX.66.0F38 (5C..5F,68..6F,78..7F) /r imm8 On AMD Zen1, FMA4 instructions are present but undocumented (missing CPUID flag). The reason for leaving the feature undocumented may or may not have been due to a buggy implementation.[45] Removed from Zen2 onwards.
REP XSHA512 F3 0F A6 E0 Perform SHA-512 hashing.

Supported by OpenSSL [46] as part of its VIA PadLock support, but not documented by the VIA PadLock Programming Guide.

Only available on some x86 processors made by VIA Technologies and Zhaoxin.
REP XMODEXP F3 0F A6 F8 Instructions to perform modular exponentiation and random number generation, respectively.

Listed in a VIA-supplied patch to add support for VIA Nano-specific PadLock instructions to OpenSSL,[47] but not documented by the VIA PadLock Programming Guide.

XRNG2 F3 0F A7 F8
Unknown mnemonic 0F A7 (C1..C7) Detected by CPU fuzzing tools such as SandSifter[48] and UISFuzz[49] as executing without causing #UD on several different VIA and Zhaoxin CPUs.

Unknown operation, may be related to the documented XSTORE (0F A7 C0) instruction.

(unknown, multiple) 0F 0F /r ?? The whitepapers for SandSifter[48] and UISFuzz[49] report the detection of large numbers of undocumented instructions in the 3DNow! opcode range on several different AMD CPUs (at least Geode NX and C-50). Their operation is not known.

On at least AMD K6-2, all of the unassigned 3DNow! opcodes (other than the undocumented PF2IW, PI2FW and PSWAPW instructions) execute as equivalents of POR (MMX bitwise-OR instruction).[41]

Present on some AMD CPUs with 3DNow!.
MONTMUL2 unknown Zhaoxin RSA/"xmodx" instructions. Mnemonics and CPUID flags are listed in a Linux kernel patch for OpenEuler,[50] but opcodes and instruction descriptions are not available. Unknown. Some Zhaoxin CPUs[51] have the CPUID flags for these instructions set.
MOVDB,

GP2MEM

unknown Microprocessor Report's article "MediaGX Targets Low-Cost PCs" from 1997, covering the introduction of the Cyrix MediaGX processor, lists several new instructions that are said to have been added to this processor in order to support its new "Virtual System Architecture" features, including MOVDB and GP2MEM - and also mentions that Cyrix did not intend to publish specifications for these instructions.[52] Unknown.

No specification known to have been published.

Undocumented x87 instructions

Mnemonics Opcodes Description Status
FFREEP DF C0+i Same operation as FFREE st(i) followed by FSTP st(0). Available on all Intel x87 FPUs from 8087 onwards.

Available on most AMD x87 FPUs. Unavailable on AMD Geode GX/LX, DM&P Vortex86[53] and NexGen 586PF.[54]

Documented for the Intel 80287[55] but then omitted from later manuals until the October 2017 update of the Intel SDM.[56]

FSTPNCE D9 D8+i Same operation as documented FSTP st(i), DD D8+i, except that it won't produce a stack underflow exception.
FCOM DC D0+i Same operation as documented FCOM st(i), D8 D0+i
FCOMP DC D8+i,

DE D0+i

Same operation as documented FCOMP st(i), D8 D8+i
FXCH DD C8+i,

DF C8+i

Same operation as documented FXCH st(i), D9 C8+i
FSTP DF D0+i,

DF D8+i

Same operation as documented FSTP st(i), DD D8+i
FENI,

FENI8087_NOP

DB E0 FPU Enable Interrupts (8087) Documented for the Intel 80287.[55]

Present on all Intel x87 FPUs from 80287 onwards. For FPUs other than the ones where they were introduced on (8087 for FENI/FDISI and 80287 for FSETPM), they act as NOPs.

These instructions and their operation on modern CPUs are commonly mentioned in later Intel documentation, but with opcodes omitted and opcode table entries left blank (e.g. Intel SDM 325462-076, december 2021 mentions them twice without opcodes).

The opcodes are, however, recognized by Intel XED.[57]

FDISI,

FDISI8087_NOP

DB E1 FPU Disable Interrupts (8087)
FSETPM,

FSETPM287_NOP

DB E4 FPU Set Protected Mode (80287)
(no mnemonic) D9 D7,  D9 E2,
D9 E7,  DD FC,
DE D8,  DE DA,
DE DC,  DE DD,
DE DE,  DF FC
"Reserved by Cyrix" opcodes These opcodes are listed as reserved opcodes that will produce "unpredictable results" without generating exceptions on at least Cyrix 6x86,[58] 6x86MX, MII, MediaGX, and AMD Geode GX/LX.[59] (The documentation for these CPUs all list the same ten opcodes.)

Their actual operation is not known, nor is it known whether their operation is the same on all of these CPUs.

See also

References

  1. Robert Collins, Undocumented OpCodes: AAM
  2. 2.0 2.1 Frank van Gilluwe, "The Undocumented PC - Second Edition", p. 93-95
  3. Michal Necasek, Intel 486 Errata?
  4. Robert Hummel, "PC Magazine Programmer's Technical Reference" (ISBN 1-56276-016-5) p.728
  5. Raúl Gutiérrez Sanz, Undocumented 8086 Opcodes, Part I
  6. 6.0 6.1 "Asm, opcode 82h". http://computer-programming-forum.com/46-asm/143edbd28ae1a091.htm. 
  7. Intel Corporation 2022, p. 3698.
  8. Intel, The 8086 Family User's Manual, october 1979, opcodes omitted on pages 4-25 and 4-31
  9. Retrocomputing StackExchange, Undocumented instructions in x86 CPU prior to 80386?
  10. Daniel B. Sedory, An Examination of the Standard MBR
  11. AMD, Software Optimization Guide for AMD64 Processors (publication 25112, revision 3.06, sep 2005), section 6.2, p.128
  12. Bug 48227 - "rep ret" generated for -march=core2
  13. Raymond Chen, My, what strange NOPs you have!
  14. Jeff Parsons, Intel 80386 CPU information (B1 errata section, item #7)
  15. Retrocomputing StackExchange, 0F1h opcode-prefix on i80286
  16. Intel Community: Multibyte NOP Made Official. Archived on 7 Apr 2022.
  17. Intel Software Developers Manual, volume 2B (jan 2006, order no 235667-018, does not have long NOP)
  18. Intel Software Developers Manual, volume 2B (march 2006, order no 235667-019, has long NOP)
  19. Agner Fog, Instruction Tables, AMD K7 section.
  20. "579838 – glibc not compatible with AMD Geode LX". https://bugzilla.redhat.com/show_bug.cgi?id=579838#c46. 
  21. Intel Software Developers Manual, volume 2B (april 2005, order no 235667-015, does not list 0F0D-nop)
  22. Intel Software Developers Manual, volume 2B (june 2005, order no 235667-016, lists 0F0D-nop in opcode table but not under NOP instruction description.)
  23. Intel Software Developers Manual, volume 2B (order no. 253667-060, september 2016) does not list UD0 and UD1.
  24. Intel Software Developers Manual, volume 2B (order no. 253667-061, december 2016) lists UD0 and UD1.
  25. "PCJS : pcjs/x86op0F.js (two-byte x86 opcode handlers), lines 1647-1651". 17 April 2022. https://github.com/jeffpar/pcjs/blob/e565ffa65d8ee5d600ec04e62c6651dabb4894cb/machines/pcx86/lib/x86op0f.js#L1647. 
  26. "80486 paging protection faults? \ VOGONS". https://www.vogons.org/viewtopic.php?t=62949. 
  27. "Invalid opcode handling \ VOGONS". https://www.vogons.org/viewtopic.php?t=13379. 
  28. "Invalid instructions cause exit even if Int 6 is hooked \ VOGONS". https://www.vogons.org/viewtopic.php?t=21418. 
  29. "Tutorial - Calling Win32 from DOS". 17 Sep 2005. https://www.ragestorm.net/tutorial?id=27. 
  30. "Accessing Windows device drivers from DOS programs". https://sta.c64.org/blog/dosvddaccess.html. 
  31. "Re: Undocumented opcodes (HINT_NOP)". http://www.sandpile.org/post/msgs/20004129.htm. 
  32. "Re: Also some undocumented 0Fh opcodes". http://www.sandpile.org/post/msgs/20003986.htm. 
  33. Intel's RCCE library for the SCC uses opcode 0F 0A for SCC's message invalidation instruction.
  34. Intel Labs, SCC External Architecture Specification (EAS), Revision 0.94, p.29
  35. "Undocumented x86 instructions to control the CPU at the microarchitecture level in modern Intel processors". 9 July 2021. https://raw.githubusercontent.com/chip-red-pill/udbgInstr/main/paper/undocumented_x86_insts_for_uarch_control.pdf. 
  36. Robert R. Collins, Undocumented OpCodes: UMOV
  37. Herbert Oppmann, NXOP (Opcode 0Fh 55h)
  38. Herbert Oppmann, NexGen Nx586 Hypercode Source, see COMMON.INC
  39. Herbert Oppmann, Inside the NexGen Nx586 System BIOS
  40. Grzegorz Mazur, AMD 3DNow! undocumented instructions
  41. 41.0 41.1 "Archived copy". http://grafi.ii.pw.edu.pl/gbm/x86/3dundoc.html. 
  42. Potemkin's Hacker Group's OPCODE.LST, v4.51
  43. "[UCA CPU Analysis] Prototype UMC Green CPU U5S-SUPER33". 25 May 2020. https://x86.fr/uca-cpu-analysis-prototype-umc-green-cpu-u5s-super33. 
  44. Agner Fog, The Microarchitecture of Intel, AMD and VIA CPUs, section 3.4 "Branch Prediction in P4 and P4E".
  45. Reddit /r/Amd discussion thread: Ryzen has undocumented support for FMA4
  46. "Welcome to the OpenSSL Project". 21 April 2022. https://github.com/openssl/openssl/blob/1aa89a7a3afb053d0c0b7fad8d3ea1b0a5447289/engines/asm/e_padlock-x86.pl#L597. 
  47. PATCH: Update PadLock engine for VIA C7 and Nano CPUs
  48. 48.0 48.1 Christopher Domas, Breaking the x86 ISA
  49. 49.0 49.1 Xixing Li et al, UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching
  50. OpenEuler mailing list, PATCH kernel-4.19 v2 5/6 : x86/cpufeatures: Add Zhaoxin feature bits. Archived on 9 Apr 2022.
  51. CPUID dump for Zhaoxin KaiXian-U6870, see C0000001 line. Archived on 9 Apr 2022.
  52. Microprocessor Report, MediaGX Targets Low-Cost PCs (vol 11, no. 3, mar 10, 1997)
  53. "GCC Bugzilla – 37179 – GCC emits bad opcode 'ffreep'". https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37179. 
  54. Michael Steil, FFREEP – the assembly instruction that never existed
  55. 55.0 55.1 Intel 80286 and 80287 Programmers Reference Manual, 1987 (order no. 210498-005), p. 485
  56. Intel Software Developer's Manual, revision 064, volume 3B, section 22.18.9 [1]
  57. ISA datafile for Intel XED (apr 17, 2022), lines 916-944
  58. Cyrix 6x86 processor data book, page 6-34
  59. AMD Geode LX Processors Data Book, publication 33234H, p.670

External links