X86 instruction listings

Today, X86 instruction listings is a topic that arouses great interest in society. With the advancement of technology and globalization, X86 instruction listings has become a fundamental element in people's lives. Its impact ranges from the economy, politics, culture, to the daily life of each individual. In this article we will explore the various facets of X86 instruction listings and how it has changed over time. From its origins to its relevance in today's world, X86 instruction listings is a topic that will continue to generate debate and controversy in the near future.

The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.

The x86 instruction set has been extended several times, introducing wider registers and datatypes as well as new functionality.

x86 integer instructions

Below is the full 8086/8088 instruction set of Intel (81 instructions total). Most if not all of these instructions are available in 32-bit mode; they just operate on 32-bit registers (eax, ebx, etc.) and values instead of their 16-bit (ax, bx, etc.) counterparts. The updated instruction set is also grouped according to architecture (i386, i486, i686) and more generally is referred to as (32-bit) x86 and (64-bit) x86-64 (also known as AMD64).

Original 8086/8088 instructions

Original 8086/8088 instruction set
Instruction Meaning Notes Opcode
AAA ASCII adjust AL after addition used with unpacked binary-coded decimal 0x37
AAD ASCII adjust AX before division 8086/8088 datasheet documents only base 10 version of the AAD instruction (opcode 0xD5 0x0A), but any other base will work. Later Intel's documentation has the generic form too. NEC V20 and V30 (and possibly other NEC V-series CPUs) always use base 10, and ignore the argument, causing a number of incompatibilities 0xD5
AAM ASCII adjust AX after multiplication Only base 10 version (Operand is 0xA) is documented, see notes for AAD 0xD4
AAS ASCII adjust AL after subtraction 0x3F
ADC Add with carry destination = destination + source + carry_flag 0x10...0x15, 0x80...0x81/2, 0x82...0x83/2 (since 80186)
ADD Add (1) r/m += r/imm; (2) r += r/imm; 0x00...0x05, 0x80/0...0x81/0, 0x82/0...0x83/0 (since 80186)
AND Logical AND (1) r/m &= r/imm; (2) r &= r/imm; 0x20...0x25, 0x80...0x81/4, 0x82...0x83/4 (since 80186)
CALL Call procedure push eip; eip points to the instruction directly after the call 0x9A, 0xE8, 0xFF/2, 0xFF/3
CBW Convert byte to word 0x98
CLC Clear carry flag CF = 0; 0xF8
CLD Clear direction flag DF = 0; 0xFC
CLI Clear interrupt flag IF = 0; 0xFA
CMC Complement carry flag 0xF5
CMP Compare operands 0x38...0x3D, 0x80...0x81/7, 0x82...0x83/7 (since 80186)
CMPSB Compare bytes in memory. May be used with a REP prefix to repeat the instruction CX times. 0xA6
CMPSW Compare words. May be used with a REP prefix to repeat the instruction CX times. 0xA7
CWD Convert word to doubleword 0x99
DAA Decimal adjust AL after addition (used with packed binary-coded decimal) 0x27
DAS Decimal adjust AL after subtraction 0x2F
DEC Decrement by 1 0x48...0x4F, 0xFE/1, 0xFF/1
DIV Unsigned divide (1) AX = DX:AX / r/m; resulting DX = remainder (2) AL = AX / r/m; resulting AH = remainder 0xF7/6, 0xF6/6
ESC Used with floating-point unit 0xD8..0xDF
HLT Enter halt state 0xF4
IDIV Signed divide (1) AX = DX:AX / r/m; resulting DX = remainder (2) AL = AX / r/m; resulting AH = remainder 0xF7/7, 0xF6/7
IMUL Signed multiply in One-operand form (1) DX:AX = AX * r/m; (2) AX = AL * r/m 0x69, 0x6B (both since 80186), 0xF7/5, 0xF6/5, 0x0FAF (since 80386)
IN Input from port (1) AL = port; (2) AL = port; (3) AX = port; (4) AX = port; 0xE4, 0xE5, 0xEC, 0xED
INC Increment by 1 0x40...0x47, 0xFE/0, 0xFF/0
INT Call to interrupt 0xCC, 0xCD
INTO Call to interrupt if overflow 0xCE
IRET Return from interrupt 0xCF
Jcc Jump if condition (JA, JAE, JB, JBE, JC, JE, JG, JGE, JL, JLE, JNA, JNAE, JNB, JNBE, JNC, JNE, JNG, JNGE, JNL, JNLE, JNO, JNP, JNS, JNZ, JO, JP, JPE, JPO, JS, JZ) 0x70...0x7F, 0x0F80...0x0F8F (since 80386)
JCXZ Jump if CX is zero 0xE3
JMP Jump 0xE9...0xEB, 0xFF/4, 0xFF/5
LAHF Load FLAGS into AH register 0x9F
LDS Load DS:r with far pointer 0xC5
LEA Load Effective Address 0x8D
LES Load ES:r with far pointer 0xC4
LOCK Assert BUS LOCK# signal (for multiprocessing) 0xF0
LODSB Load string byte. May be used with a REP prefix to repeat the instruction CX times. if (DF==0) AL = *SI++; else AL = *SI--; 0xAC
LODSW Load string word. May be used with a REP prefix to repeat the instruction CX times. if (DF==0) AX = *SI++; else AX = *SI--; 0xAD
LOOP/LOOPx Loop control (LOOPE, LOOPNE, LOOPNZ, LOOPZ) if (x && --CX) goto lbl; 0xE0...0xE2
MOV Move copies data from one location to another, (1) r/m = r; (2) r = r/m; 0xA0...0xA3
MOVSB Move byte from string to string. May be used with a REP prefix to repeat the instruction CX times.
if (DF==0)
  *(byte*)DI++ = *(byte*)SI++;
else
  *(byte*)DI-- = *(byte*)SI--;
.
0xA4
MOVSW Move word from string to string. May be used with a REP prefix to repeat the instruction CX times.
if (DF==0)
  *(word*)DI++ = *(word*)SI++;
else
  *(word*)DI-- = *(word*)SI--;
0xA5
MUL Unsigned multiply (1) DX:AX = AX * r/m; (2) AX = AL * r/m; 0xF7/4, 0xF6/4
NEG Two's complement negation r/m = 0 r/m; 0xF6/3...0xF7/3
NOP No operation opcode equivalent to XCHG EAX, EAX 0x90
NOT Negate the operand, logical NOT r/m ^= -1; 0xF6/2...0xF7/2
OR Logical OR (1) r/m (2) r 0x08...0x0D, 0x80...0x81/1, 0x82...0x83/1 (since 80186)
OUT Output to port (1) port = AL; (2) port = AL; (3) port = AX; (4) port = AX; 0xE6, 0xE7, 0xEE, 0xEF
POP Pop data from stack r/m = *SP++; POP CS (opcode 0x0F) works only on 8086/8088. Later CPUs use 0x0F as a prefix for newer instructions. 0x07, 0x0F(8086/8088 only), 0x17, 0x1F, 0x58...0x5F, 0x8F/0
POPF Pop FLAGS register from stack FLAGS = *SP++; 0x9D
PUSH Push data onto stack *--SP = r/m; 0x06, 0x0E, 0x16, 0x1E, 0x50...0x57, 0x68, 0x6A (both since 80186), 0xFF/6
PUSHF Push FLAGS onto stack *--SP = FLAGS; 0x9C
RCL Rotate left (with carry) 0xC0...0xC1/2 (since 80186), 0xD0...0xD3/2
RCR Rotate right (with carry) 0xC0...0xC1/3 (since 80186), 0xD0...0xD3/3
REPxx Repeat MOVS/STOS/CMPS/LODS/SCAS (REP, REPE, REPNE, REPNZ, REPZ) 0xF2, 0xF3
RET Return from procedure Not a real instruction. The assembler will translate these to a RETN or a RETF depending on the memory model of the target system.
RETN Return from near procedure 0xC2, 0xC3
RETF Return from far procedure 0xCA, 0xCB
ROL Rotate left 0xC0...0xC1/0 (since 80186), 0xD0...0xD3/0
ROR Rotate right 0xC0...0xC1/1 (since 80186), 0xD0...0xD3/1
SAHF Store AH into FLAGS 0x9E
SAL Shift Arithmetically left (signed shift left) (1) r/m <<= 1; (2) r/m <<= CL; 0xC0...0xC1/4 (since 80186), 0xD0...0xD3/4
SAR Shift Arithmetically right (signed shift right) (1) (signed) r/m >>= 1; (2) (signed) r/m >>= CL; 0xC0...0xC1/7 (since 80186), 0xD0...0xD3/7
SBB Subtraction with borrow alternative 1-byte encoding of SBB AL, AL is available via undocumented SALC instruction 0x18...0x1D, 0x80...0x81/3, 0x82...0x83/3 (since 80186)
SCASB Compare byte string. May be used with a REP prefix to repeat the instruction CX times. 0xAE
SCASW Compare word string. May be used with a REP prefix to repeat the instruction CX times. 0xAF
SHL Shift left (unsigned shift left) 0xC0...0xC1/4 (since 80186), 0xD0...0xD3/4
SHR Shift right (unsigned shift right) 0xC0...0xC1/5 (since 80186), 0xD0...0xD3/5
STC Set carry flag CF = 1; 0xF9
STD Set direction flag DF = 1; 0xFD
STI Set interrupt flag IF = 1; 0xFB
STOSB Store byte in string. May be used with a REP prefix to repeat the instruction CX times. if (DF==0) *ES:DI++ = AL; else *ES:DI-- = AL; 0xAA
STOSW Store word in string. May be used with a REP prefix to repeat the instruction CX times. if (DF==0) *ES:DI++ = AX; else *ES:DI-- = AX; 0xAB
SUB Subtraction (1) r/m -= r/imm; (2) r -= m/imm; 0x28...0x2D, 0x80...0x81/5, 0x82...0x83/5 (since 80186)
TEST Logical compare (AND) (1) r/m & r/imm; (2) r & m/imm; 0x84, 0x85, 0xA8, 0xA9, 0xF6/0, 0xF7/0
WAIT Wait until not busy Waits until BUSY# pin is inactive (used with floating-point unit) 0x9B
XCHG Exchange data r :=: r/m; A spinlock typically uses xchg as an atomic operation. (coma bug). 0x86, 0x87, 0x91...0x97
XLAT Table look-up translation behaves like MOV AL, 0xD7
XOR Exclusive OR (1) r/m ^= r/imm; (2) r ^= m/imm; 0x30...0x35, 0x80...0x81/6, 0x82...0x83/6 (since 80186)

Added in specific processors

Added with 80186/80188

Instruction Opcode Meaning Notes
BOUND 62 /r Check array index against bounds raises software interrupt 5 if test fails
ENTER C8 iw ib Enter stack frame Modifies stack for entry to procedure for high level language. Takes two operands: the amount of storage to be allocated on the stack and the nesting level of the procedure.
INSB/INSW 6C Input from port to string equivalent to:
IN AX, DX
MOV ES:, AX
; adjust DI according to operand size and DF
6D
LEAVE C9 Leave stack frame Releases the local stack storage created by the previous ENTER instruction.
OUTSB/OUTSW 6E Output string to port equivalent to:
MOV AX, DS:
OUT DX, AX
; adjust SI according to operand size and DF
6F
POPA 61 Pop all general purpose registers from stack equivalent to:
POP DI
POP SI
POP BP
POP AX ; no POP SP here, all it does is ADD SP, 2 (since AX will be overwritten later)
POP BX
POP DX
POP CX
POP AX
PUSHA 60 Push all general purpose registers onto stack equivalent to:
PUSH AX
PUSH CX
PUSH DX
PUSH BX
PUSH SP ; The value stored is the initial SP value
PUSH BP
PUSH SI
PUSH DI
PUSH immediate 6A ib Push an immediate byte/word value onto the stack example:
PUSH 12h
PUSH 1200h
68 iw
IMUL immediate 6B /r ib Signed and unsigned multiplication of immediate byte/word value example:
IMUL BX,12h
IMUL DX,1200h
IMUL CX, DX, 12h
IMUL BX, SI, 1200h
IMUL DI, word ptr , 12h
IMUL SI, word ptr , 1200h

Note that since the lower half is the same for unsigned and signed multiplication, this version of the instruction can be used for unsigned multiplication as well.

69 /r iw
SHL/SHR/SAL/SAR/ROL/ROR/RCL/RCR immediate C0 Rotate/shift bits with an immediate value greater than 1 example:
ROL AX,3
SHR BL,3
C1

Added with 80286

The new instructions added in 80286 add support for x86 protected mode. Some but not all of the instructions are available in real mode as well.

Instruction Opcode Instruction description Real mode Ring
LGDT m16&32 0F 01 /2 Load GDTR (Global Descriptor Table Register) from memory. Yes 0
LIDT m16&32 0F 01 /3 Load IDTR (Interrupt Descriptor Table Register) from memory.
The IDTR controls not just the address/size of the IDT (interrupt Descriptor Table) in protected mode, but the IVT (Interrupt Vector Table) in real mode as well.
LMSW r/m16 0F 01 /6 Load MSW (Machine Status Word) from 16-bit register or memory.
CLTS 0F 06 Clear task-switched flag in the MSW.
LLDT r/m16 0F 00 /2 Load LDTR (Local Descriptor Table Register) from 16-bit register or memory. #UD
LTR r/m16 0F 00 /3 Load TR (Task Register) from 16-bit register or memory.

The TSS (Task State Segment) specified by the 16-bit argument is marked busy, but a task switch is not done.

SGDT m16&32 0F 01 /0 Store GDTR to memory. Yes Usually 3
SIDT m16&32 0F 01 /1 Store IDTR to memory.
SMSW r/m16 0F 01 /4 Store MSW to register or 16-bit memory.
SLDT r/m16 0F 00 /0 Store LDTR to register or 16-bit memory. #UD
STR r/m16 0F 00 /1 Store TR to register or 16-bit memory.
ARPL r/m16,r16 63 /r Adjust RPL (Requested Privilege Level) field of selector. The operation performed is:
if (dst & 3) < (src & 3) then
   dst = (dst & 0xFFFC) | (src & 3)
   eflags.zf = 1
else
   eflags.zf = 0
#UD 3
LAR r,r/m16 0F 02 /r Load access rights byte from the specified segment descriptor.
Reads bytes 4-7 of segment descriptor, bitwise-ANDs it with 0x00FxFF00, then stores the bottom 16/32 bits of the result in destination register. Sets EFLAGS.ZF=1 if the descriptor could be loaded, ZF=0 otherwise.
#UD
LSL r,r/m16 0F 03 /r Load segment limit from the specified segment descriptor. Sets ZF=1 if the descriptor could be loaded, ZF=0 otherwise.
VERR r/m16 0F 00 /4 Verify a segment for reading. Sets ZF=1 if segment can be read, ZF=0 otherwise.
VERW r/m16 0F 00 /5 Verify a segment for writing. Sets ZF=1 if segment can be written, ZF=0 otherwise.
 LOADALL  0F 05 Load all CPU registers from a 102-byte data structure starting at physical address 800h, including "hidden" part of segment descriptor registers. Yes 0
 STOREALL  F1 0F 04 Store all CPU registers to a 102-byte data structure starting at physical address 800h, then shut down CPU.
  1. ^ a b c d The descriptors used by the LGDT, LIDT, SGDT and SIDT instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.
    For LGDT and LIDT with a 16-bit operand size, the address is ANDed with 00FFFFFFh. On Intel (but not AMD) CPUs, the SGDT and SIDT instructions with a 16-bit operand size is – as of Intel SDM revision 079, March 2023 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.
  2. ^ a b c d e The LGDT, LIDT, LLDT, LMSW and LTR instructions are serializing on Pentium and later processors.
  3. ^ On 80386 and later, the "Machine Status Word" is the same as the CR0 control register – however, the LMSW instruction can only modify the bottom 4 bits of this register and cannot clear bit 0. The inability to clear bit 0 means that LMSW can be used to enter but not leave x86 Protected Mode.
    On 80286, it is not possible to leave Protected Mode at all (neither with LMSW nor with LOADALL) without a CPU reset – on 80386 and later, it is possible to leave Protected Mode, but this requires the use of the 80386-and-later MOV to CR0 instruction.
  4. ^ If CR4.UMIP=1 is set, then the SGDT, SIDT, SLDT, SMSW and STR instructions can only run in Ring 0.
    These instructions were unprivileged on all x86 CPUs from 80286 onwards until the introduction of UMIP in 2017. This has been a significant security problem for software-based virtualization, since it enables these instructions to be used by a VM guest to detect that it is running inside a VM.
  5. ^ a b c The SMSW, SLDT and STR instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows:
    • SMSW: Stores full CR0 in x86-64 long mode, undefined otherwise.
    • SLDT: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors.
    • STR: Zero-extends 16-bit argument.
  6. ^ In 64-bit long mode, the ARPL instruction is not available – the 63 /r opcode has been reassigned to the 64-bit-mode-only MOVSXD instruction.
  7. ^ The ARPL instruction causes #UD in Real mode and Virtual 8086 Mode – Windows 95 and OS/2 2.x are known to make extensive use of this #UD to use the 63 opcode as a one-byte breakpoint to transition from Virtual 8086 Mode to kernel mode.
  8. ^ Bits 19:16 of this mask are documented as "undefined" on Intel CPUs. On AMD CPUs, the mask is documented as 0x00FFFF00.
  9. ^ On some Intel CPU/microcode combinations from 2019 onwards, the VERW instruction also flushes microarchitectural data buffers. This enables it to be used as part of workarounds for Microarchitectural Data Sampling security vulnerabilities.
  10. ^ a b Undocumented, 80286 only. (A different variant of LOADALL with a different opcode and memory layout exists on 80386.)

Added with 80386

The 80386 added support for 32-bit operation to the x86 instruction set. This was done by widening the general-purpose registers to 32 bits and introducing the concepts of OperandSize and AddressSize – most instruction forms that would previously take 16-bit data arguments were given the ability to take 32-bit arguments by setting their OperandSize to 32 bits, and instructions that could take 16-bit address arguments were given the ability to take 32-bit address arguments by setting their AddressSize to 32 bits. (Instruction forms that work on 8-bit data continue to be 8-bit regardless of OperandSize. Using a data size of 16 bits will cause only the bottom 16 bits of the 32-bit general-purpose registers to be modified – the top 16 bits are left unchanged.)

The default OperandSize and AddressSize to use for each instruction is given by the D bit of the segment descriptor of the current code segment - D=0 makes both 16-bit, D=1 makes both 32-bit. Additionally, they can be overridden on a per-instruction basis with two new instruction prefixes that were introduced in the 80386:

  • 66h: OperandSize override. Will change OperandSize from 16-bit to 32-bit if CS.D=0, or from 32-bit to 16-bit if CS.D=1.
  • 67h: AddressSize override. Will change AddressSize from 16-bit to 32-bit if CS.D=0, or from 32-bit to 16-bit if CS.D=1.

The 80386 also introduced the two new segment registers FS and GS as well as the x86 control, debug and test registers.

The new instructions introduced in the 80386 can broadly be subdivided into two classes:

  • Pre-existing opcodes that needed new mnemonics for their 32-bit OperandSize variants (e.g. CWDE, LODSD)
  • New opcodes that introduced new functionality (e.g. SHLD, SETcc)

For instruction forms where the operand size can be inferred from the instruction's arguments (e.g. ADD EAX,EBX can be inferred to have a 32-bit OperandSize due to its use of EAX as an argument), new instruction mnemonics are not needed and not provided.

80386: new instruction mnemonics for 32-bit variants of older opcodes
Type Instruction mnemonic Opcode Description Mnemonic for older 16-bit variant Ring
String instructions LODSD AD Load string doubleword: EAX := DS: LODSW 3
STOSD AB Store string doubleword: ES: := EAX STOSW
MOVSD A5 Move string doubleword: ES: := DS: MOVSW
CMPSD A7 Compare string doubleword:
temp1 := DS:
temp2 := ES:
CMP temp1, temp2 /* 32-bit compare and set EFLAGS */
CMPSW
SCASD AF Scan string doubleword:
temp1 := ES:
CMP EAX, temp1 /* 32-bit compare and set EFLAGS */
SCASW
INSD 6D Input string from doubleword I/O port:ES: := port INSW Usually 0
OUTSD 6F Output string to doubleword I/O port:port := DS: OUTSW
Other CWDE 98 Sign-extend 16-bit value in AX to 32-bit value in EAX CBW 3
CDQ 99 Sign-extend 32-bit value in EAX to 64-bit value in EDX:EAX.

Mainly used to prepare a dividend for the 32-bit IDIV (signed divide) instruction.

CWD
JECXZ rel8 E3 cb Jump if ECX is zero JCXZ
PUSHAD 60 Push all 32-bit registers onto stack PUSHA
POPAD 61 Pop all 32-bit general-purpose registers off stack POPA
PUSHFD 9C Push 32-bit EFLAGS register onto stack PUSHF Usually 3
POPFD 9D Pop 32-bit EFLAGS register off stack POPF
IRETD CF 32-bit interrupt return. Differs from the older 16-bit IRET instruction in that it will pop interrupt return items (EIP,CS,EFLAGS; also ESP and SS if there is a CPL change) off the stack as 32-bit items instead of 16-bit items. Should be used to return from interrupts when the interrupt handler was entered through a 32-bit IDT interrupt/trap gate.

Instruction is serializing.

IRET
  1. ^ For the 32-bit string instructions, the ±± notation is used to indicate that the indicated register is post-decremented by 4 if EFLAGS.DF=1 and post-incremented by 4 otherwise.
    For the operands where the DS segment is indicated, the DS segment can be overridden by a segment-override prefix – where the ES segment is indicated, the segment is always ES and cannot be overridden.
    The choice of whether to use the 16-bit SI/DI registers or the 32-bit ESI/EDI registers as the address registers to use is made by AddressSize, overridable with the 67 prefix.
  2. ^ The 32-bit string instructions accept repeat-prefixes in the same way as older 8/16-bit string instructions.
    For LODSD, STOSD, MOVSD, INSD and OUTSD, the REP prefix (F3) will repeat the instruction the number of times specified in rCX (CX or ECX, decided by AddressSize), decrementing rCX for each iteration (with rCX=0 resulting in no-op and proceeding to the next instruction).
    For CMPSD and SCASD, the REPE (F3) and REPNE (F2) prefixes are available, which will repeat the instruction but only as long as the flag condition (ZF=1 for REPE, ZF=0 for REPNE) holds true.
  3. ^ For the INSB/W/D instructions, the memory access rights for the ES: memory address might not be checked until after the port access has been performed – if this check fails (e.g. page fault or other memory exception), then the data item read from the port is lost. As such, it is not recommended to use this instruction to access an I/O port that performs any kind of side effect upon read.
  4. ^ I/O port access is only allowed when CPL≤IOPL or the I/O port permission bitmap bits for the port to access are all set to 0.
  5. ^ The CWDE instruction differs from the older CWD instruction in that CWD would sign-extend the 16-bit value in AX into a 32-bit value in the DX:AX register pair.
  6. ^ For the E3 opcode (JCXZ/JECXZ), the choice of whether the instruction will use CX or ECX for its comparison (and consequently which mnemonic to use) is based on the AddressSize, not OperandSize. (OperandSize instead controls whether the jump destination should be truncated to 16 bits or not).
    This also applies to the loop instructions LOOP,LOOPE,LOOPNE (opcodes E0,E1,E2), however, unlike JCXZ/JECXZ, these instructions have not been given new mnemonics for their ECX-using variants.
  7. ^ For PUSHA(D), the value of SP/ESP pushed onto the stack is the value it had just before the PUSHA(D) instruction started executing.
  8. ^ For POPA/POPAD, the stack item corresponding to SP/ESP is popped off the stack (performing a memory read), but not placed into SP/ESP.
  9. ^ The PUSHFD and POPFD instructions will cause a #GP exception if executed in virtual 8086 mode if IOPL is not 3.
    The PUSHF, POPF, IRET and IRETD instructions will cause a #GP exception if executed in Virtual-8086 mode if IOPL is not 3 and VME is not enabled.
  10. ^ If IRETD is used to return from kernel mode to user mode (which will entail a CPL change) and the user-mode stack segment indicated by SS is a 16-bit segment, then the IRETD instruction will only restore the low 16 bits of the stack pointer (ESP/RSP), with the remaining bits keeping whatever value they had in kernel code before the IRETD. This has necessitated complex workarounds on both Linux ("ESPFIX") and Windows. This issue also affects the later 64-bit IRETQ instruction.
80386: new opcodes introduced
Instruction mnemonics Opcode Description Ring
BT r/m, r 0F A3 /r Bit Test.

Second operand specifies which bit of the first operand to test. The bit to test is copied to EFLAGS.CF.

3
BT r/m, imm8 0F BA /4 ib
BTS r/m, r 0F AB /r Bit Test-and-set.

Second operand specifies which bit of the first operand to test and set.

BTS r/m, imm8 0F BA /5 ib
BTR r/m, r 0F B3 /r Bit Test and Reset.

Second operand specifies which bit of the first operand to test and clear.

BTR r/m, imm8 0F BA /6 ib
BTC r/m, r 0F BB /r Bit Test and Complement.

Second operand specifies which bit of the first operand to test and toggle.

BTC r/m, imm8 0F BA /7 ib
BSF r, r/m NFx 0F BC /r Bit scan forward. Returns bit index of lowest set bit in input. 3
BSR r, r/m NFx 0F BD /r Bit scan reverse. Returns bit index of highest set bit in input.
SHLD r/m, r, imm8 0F A4 /r ib Shift Left Double.
The operation of SHLD arg1,arg2,shamt is:
arg1 := (arg1<<shamt) | (arg2>>(operand_size - shamt))
SHLD r/m, r, CL 0F A5 /r
SHRD r/m, r, imm8 0F AC /r ib Shift Right Double.
The operation of SHRD arg1,arg2,shamt is:
arg1 := (arg1>>shamt) | (arg2<<(operand_size - shamt))
SHRD r/m, r, CL 0F AD /r
MOVZX reg, r/m8 0F B6 /r Move from 8/16-bit source to 16/32-bit register with zero-extension. 3
MOVZX reg, r/m16 0F B7 /r
MOVSX reg, r/m8 0F BE /r Move from 8/16-bit source to 16/32/64-bit register with sign-extension.
MOVSX reg, r/m16 0F BF /r
SETcc r/m8 0F 9x /0 Set byte to 1 if condition is satisfied, 0 otherwise.
Jcc rel16
Jcc rel32
0F 8x cw
0F 8x cd
Conditional jump near.

Differs from older variants of conditional jumps in that they accept a 16/32-bit offset rather than just an 8-bit offset.

IMUL r, r/m 0F AF /r Two-operand non-widening integer multiply.
FS: 64 Segment-override prefixes for FS and GS segment registers. 3
GS: 65
PUSH FS 0F A0 Push/pop FS and GS segment registers.
POP FS 0F A1
PUSH GS 0F A8
POP GS 0F A9
LFS r16, m16&16
LFS r32, m32&16
0F B4 /r Load far pointer from memory.

Offset part is stored in destination register argument, segment part in FS/GS/SS segment register as indicated by the instruction mnemonic.

LGS r16, m16&16
LGS r32, m32&16
0F B5 /r
LSS r16, m16&16
LSS r32, m32&16
0F B2 /r
MOV reg,CRx 0F 20 /r Move from control register to general register. 0
MOV CRx,reg 0F 22 /r Move from general register to control register.

On Pentium and later processors, moves to the CR0, CR3 and CR4 control registers are serializing.

MOV reg,DRx 0F 21 /r Move from x86 debug register to general register.
MOV DRx,reg 0F 23 /r Move from general register to x86 debug register.

On Pentium and later processors, moves to the DR0-DR7 debug registers are serializing.

MOV reg,TRx 0F 24 /r Move from x86 test register to general register.
MOV TRx,reg 0F 26 /r Move from general register to x86 test register.
 ICEBP,
 INT01,
 INT1
 F1 In-circuit emulation breakpoint.

Performs software interrupt #1 if executed when not using in-circuit emulation.

3
 UMOV r/m, r8  0F 10 /r User Move – perform data moves that can access user memory while in In-circuit emulation HALT mode.

Performs same operation as MOV if executed when not doing in-circuit emulation.

 UMOV r/m, r16/32  0F 11 /r
 UMOV r8, r/m  0F 12 /r
 UMOV r16/32, r/m  0F 13 /r
 XBTS reg,r/m  0F A6 /r Bitfield extract.
 IBTS r/m,reg  0F A7 /r Bitfield insert.
 LOADALLD,
 LOADALL386
 0F 07 Load all CPU registers from a 296-byte data structure starting at ES:EDI, including "hidden" part of segment descriptor registers. 0
  1. ^ a b c d For the BT, BTS, BTR and BTC instructions:
    • If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.)
    • If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test.
  2. ^ a b c The BTS, BTC and BTR instructions accept the LOCK (F0) prefix when used with a memory argument – this results in the instruction executing atomically.
  3. ^ If the F3 prefix is used with the 0F BC /r opcode, then the instruction will execute as TZCNT on systems that support the BMI1 extension. TZCNT differs from BSF in that TZCNT but not BSR is defined to return operand size if the source operand is zero – for other source operand values, they produce the same result.
  4. ^ a b BSF and BSR set the EFLAGS.ZF flag to 1 if the source argument was all-0s and 0 otherwise.
    If the source argument was all-0s, then the destination register is documented as being left unchanged on AMD processors, but set to an undefined value on Intel processors.
  5. ^ If the F3 prefix is used with the 0F BD /r opcode, then the instruction will execute as LZCNT on systems that support the ABM or LZCNT extensions. LZCNT produces a different result from BSR for most input values.
  6. ^ a b For SHLD and SHRD, the shift-amount is masked – the bottom 5 bits are used for 16/32-bit operand size and 6 bits for 64-bit operand size.
    SHLD and SHRD with 16-bit arguments and a shift-amount greater than 16 produce undefined results. (Actual results differ between different Intel CPUs, with at least three different behaviors known.)
  7. ^ a b The condition codes supported for the SETcc and Jcc near instructions (opcodes 0F 9x /0 and 0F 8x respectively, with the x nibble specifying the condition) are:
    x cc Condition (EFLAGS)
    0 O OF=1: "Overflow"
    1 NO OF=0: "Not Overflow"
    2 C,B,NAE CF=1: "Carry", "Below", "Not Above or Equal"
    3 NC,NB,AE CF=0: "Not Carry", "Not Below", "Above or Equal"
    4 Z,E ZF=1: "Zero", "Equal"
    5 NZ,NE ZF=0: "Not Zero", "Not Equal"
    6 NA,BE (CF=1 or ZF=1): "Not Above", "Below or Equal"
    7 A,NBE (CF=0 and ZF=0): "Above", "Not Below or Equal"
    8 S SF=1: "Sign"
    9 NS SF=0: "Not Sign"
    A P,PE PF=1: "Parity", "Parity Even"
    B NP,PO PF=0: "Not Parity", "Parity Odd"
    C L,NGE SF≠OF: "Less", "Not Greater Or Equal"
    D NL,GE SF=OF: "Not Less", "Greater Or Equal"
    E LE,NG (ZF=1 or SF≠OF): "Less or Equal", "Not Greater"
    F NLE,G (ZF=0 and SF=OF): "Not Less or Equal", "Greater"
  8. ^ For SETcc, while the opcode is commonly specified as /0 – implying that bits 5:3 of the instruction's ModR/M byte should be 000 – modern x86 processors (Pentium and later) ignore bits 5:3 and will execute the instruction as SETcc regardless of the contents of these bits.
  9. ^ For LFS, LGS and LSS, the size of the offset part of the far pointer is given by operand size – the size of the segment part is always 16 bits. In 64-bit mode, using the REX.W prefix with these instructions will cause them to load a far pointer with a 64-bit offset on Intel but not AMD processors.
  10. ^ a b c d e f For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b.
  11. ^ a b c d For moves to/from the CRx and DRx registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise.
  12. ^ On processors prior to Pentium, moves to CR0 would not serialize the instruction stream – in part for this reason, it is usually required to perform a far jump immediately after a MOV to CR0 if such a MOV is used to enable/disable protected mode and/or memory paging.
    MOV to CR2 is architecturally listed as serializing, but has been reported to be non-serializing on at least some Intel Core-i7 processors.
    MOV to CR8 (introduced with x86-64) is not serializing.
  13. ^ a b The MOV TRx instructions were discontinued from Pentium onwards.
  14. ^ The INT1/ICEBP (F1) instruction is present on all known Intel x86 processors from the 80386 onwards, but only fully documented for Intel processors from the May 2018 release of the Intel SDM (rev 067) onwards. Before this release, mention of the instruction in Intel material was sporadic, e.g. AP-526 rev 001.
    For AMD processors, the instruction has been documented since 2002.
  15. ^ The operation of the F1(ICEBP) opcode differs from the operation of the regular software interrupt opcode CD 01 in several ways:
      In protected mode, CD 01 will check CPL against the interrupt descriptor's DPL field as an access-rights check, while F1 will not.
    • In virtual-8086 mode, CD 01 will also check CPL against IOPL as an access-rights check, while F1 will not.
    • In virtual-8086 mode with VME enabled, interrupt redirection is supported for CD 01 but not F1.
  16. ^ The UMOV instruction is present on 386 and 486 processors only.
  17. ^ a b The XBTS and IBTS instructions were discontinued with the B1 stepping of 80386.
    They have been used by software mainly for detection of the buggy B0 stepping of the 80386. Microsoft Windows (v2.01 and later) will attempt to run the XBTS instruction as part of its CPU detection if CPUID is not present, and will refuse to boot if XBTS is found to be working.
  18. ^ a b For XBTS and IBTS, the r/m argument represents the data to extract/insert a bitfield from/to, the reg argument the bitfield to be inserted/extracted, AX/EAX a bit-offset and CL a bitfield length.
  19. ^ Undocumented, 80386 only.

Added with 80486

Instruction Opcode Description Ring
BSWAP r32 0F C8+r Byte Order Swap. Usually used to convert between big-endian and little-endian data representations. For 32-bit registers, the operation performed is:
r =   (r << 24)
    | ((r << 8) & 0x00FF0000)
    | ((r >> 8) & 0x0000FF00)
    | (r >> 24);

Using BSWAP with a 16-bit register argument produces an undefined result.

3
CMPXCHG r/m8,r8 0F B0 /r Compare and Exchange. If accumulator (AL/AX/EAX/RAX) compares equal to first operand, then EFLAGS.ZF is set to 1 and the first operand is overwritten with the second operand. Otherwise, EFLAGS.ZF is set to 0, and first operand is copied into the accumulator.

Instruction atomic only if used with LOCK prefix.

CMPXCHG r/m,r16
CMPXCHG r/m,r32
0F B1 /r
XADD r/m,r8 0F C0 /r eXchange and ADD. Exchanges the first operand with the second operand, then stores the sum of the two values into the destination operand.

Instruction atomic only if used with LOCK prefix.

XADD r/m,r16
XADD r/m,r32
0F C1 /r
INVLPG m8 0F 01 /7 Invalidate the TLB entries that would be used for the 1-byte memory operand.

Instruction is serializing.

0
INVD 0F 08 Invalidate Internal Caches. Modified data in the cache are not written back to memory, potentially causing data loss.
WBINVD NFx 0F 09 Write Back and Invalidate Cache. Writes back all modified cache lines in the processor's internal cache to main memory and invalidates the internal caches.
  1. ^ Using BSWAP with 16-bit registers isn't disallowed per se (it will execute without producing an #UD or other exceptions) but is documented to produce undefined results – it is reported to produce various different results on 486, 586, and Bochs/QEMU.
  2. ^ a b On Intel 80486 stepping A, the CMPXCHG instruction uses a different encoding - 0F A6 /r for 8-bit variant, 0F A7 /r for 16/32-bit variant. The 0F B0/B1 encodings are used on 80486 stepping B and later.
  3. ^ The CMPXCHG instruction sets EFLAGS in the same way as a CMP instruction that uses the accumulator (AL/AX/EAX/RAX) as its first argument would do.
  4. ^ INVLPG executes as no-operation if the m8 argument is invalid (e.g. unmapped page or non-canonical address).
    INVLPG can be used to invalidate TLB entries for individual global pages.
  5. ^ a b The INVD and WBINVD instructions will invalidate all cache lines in the CPU's L1 caches. It is implementation-defined whether they will invalidate L2/L3 caches as well.
    These instructions are serializing – on some processors, they may block interrupts until completion as well.
  6. ^ If the PRM (Processor Reserved Memory) has been set up by using the PRMRRs (PRM range registers), then the INVD instruction is not permitted and will cause a #GP(0) exception. (The PRM is needed for Intel SGX.)
  7. ^ If the F3 prefix is used with the 0F 09 opcode, then the instruction will execute as WBNOINVD on processors that support the WBNOINVD extension – this will not invalidate the cache.

Added in P5/P6-class processors

Integer/system instructions that were not present in the basic 80486 instruction set, but were added in various x86 processors prior to the introduction of SSE. (Discontinued instructions are not included.)

Instruction Opcode Description Ring Added in
RDMSR 0F 32 Read Model-specific register. The MSR to read is specified in ECX. The value of the MSR is then returned as a 64-bit value in EDX:EAX. 0 IBM 386SLC,
Intel Pentium,
AMD K5,
Cyrix 6x86MX,MediaGXm,
IDT WinChip C6,
Transmeta Crusoe
WRMSR 0F 30 Write Model-specific register. The MSR to write is specified in ECX, and the data to write is given in EDX:EAX.

Instruction is, with some exceptions, serializing.

RSM 0F AA Resume from System Management Mode.

Instruction is serializing.

-2
(SMM)
Intel 386SL, 486SL,
Intel Pentium,
AMD 5x86,
Cyrix 486SLC/e,
IDT WinChip C6,
Transmeta Crusoe,
Rise mP6
CPUID 0F A2 CPU Identification and feature information. Takes as input a CPUID leaf index in EAX and, depending on leaf, a sub-index in ECX. Result is returned in EAX,EBX,ECX,EDX.

Instruction is serializing, and causes a mandatory #VMEXIT under virtualization.

Support for CPUID can be checked by toggling bit 21 of EFLAGS (EFLAGS.ID) – if this bit can be toggled, CPUID is present.

Usually 3 Intel Pentium,
AMD 5x86,
Cyrix 5x86,
IDT WinChip C6,
Transmeta Crusoe,
Rise mP6,
NexGen Nx586,
UMC Green CPU
CMPXCHG8B m64 0F C7 /1 Compare and Exchange 8 bytes. Compares EDX:EAX with m64. If equal, set ZF and store ECX:EBX into m64. Else, clear ZF and load m64 into EDX:EAX.
Instruction atomic only if used with LOCK prefix.
3 Intel Pentium,
AMD K5,
Cyrix 6x86L,MediaGXm,
IDT WinChip C6,
Transmeta Crusoe,
Rise mP6
RDTSC 0F 31 Read 64-bit Time Stamp Counter (TSC) into EDX:EAX.

In early processors, the TSC was a cycle counter, incrementing by 1 for each clock cycle (which could cause its rate to vary on processors that could change clock speed at runtime) – in later processors, it increments at a fixed rate that doesn't necessarily match the CPU clock speed.

Usually 3 Intel Pentium,
AMD K5,
Cyrix 6x86MX,MediaGXm,
IDT WinChip C6,
Transmeta Crusoe,
Rise mP6
RDPMC 0F 33 Read Performance Monitoring Counter. The counter to read is specified by ECX and its value is returned in EDX:EAX. Usually 3 Intel Pentium MMX,
Intel Pentium Pro,
AMD K7,
Cyrix 6x86MX,
IDT WinChip C6,
VIA Nano
CMOVcc reg,r/m 0F 4x /r Conditional move to register. The source operand may be either register or memory. 3 Intel Pentium Pro,
AMD K7,
Cyrix 6x86MX,MediaGXm,
Transmeta Crusoe,
VIA C3 "Nehemiah"
NOP r/m,
NOPL r/m
NFx 0F 1F /0 Official long NOP.

Other than AMD K7/K8, broadly unsupported in non-Intel processors released before 2006.

3 Intel Pentium Pro,
AMD K7, x86-64
UD2,
UD2A
0F 0B Undefined Instructions – will generate an invalid opcode (#UD) exception in all operating modes.

These instructions are provided for software testing to explicitly generate invalid opcodes. The opcodes for these instructions are reserved for this purpose.

(3) (80186),
Intel Pentium
UD1 reg,r/m,
UD2B reg,r/m
0F B9 /r
OIO,
UD0,
UD0 reg,r/m
0F FF,
0F FF /r
(80186),
Cyrix 6x86,
AMD K5
SYSCALL 0F 05 Fast System call. 3 AMD K6,
x86-64
SYSRET 0F 07 Fast Return from System Call. Designed to be used together with SYSCALL. 0
SYSENTER 0F 34 Fast System call. 3 Intel Pentium II,
AMD K7,
Transmeta Crusoe,
NatSemi Geode GX2,
VIA C3 "Nehemiah"
SYSEXIT 0F 35 Fast Return from System Call. Designed to be used together with SYSENTER. 0
  1. ^ On Intel and AMD CPUs, the WRMSR instruction is also used to update the CPU microcode. This is done by writing the virtual address of the new microcode to upload to MSR 79h on Intel CPUs and MSR C001_0020h on AMD CPUs.
  2. ^ Writes to the following MSRs are not serializing:
    Number Name
    48h SPEC_CTRL
    49h PRED_CMD
    122h TSX_CTRL
    6E0h TSC_DEADLINE
    6E1h PKRS
    774h HWP_REQUEST
    (non-serializing only if the FAST_IA32_­HWP_REQUEST bit it set)
    802h to 83Fh (x2APIC MSRs)
    C001_011Bh Doorbell Register (AMD)
  3. ^ System Management Mode and the RSM instruction were made available on non-SL variants of the Intel 486 only after the initial release of the Intel Pentium in 1993.
  4. ^ On some older 32-bit processors, executing CPUID with a leaf index (EAX) greater than 0 may leave EBX and ECX unmodified, keeping their old values. For this reason, it is recommended to zero out EBX and ECX before executing CPUID.
    Processors noted to exhibit this behavior include Cyrix MII and IDT WinChip 2.

    In 64-bit mode, CPUID will set the top 32 bits of RAX, RBX, RCX and RDX to zero.
  5. ^ On some Intel processors starting from Ivy Bridge, there exists MSRs that can be used to restrict CPUID to ring 0. Such MSRs are documented for at least Ivy Bridge and Denverton.
    The ability to restrict CPUID to ring 0 also exists on AMD processors supporting the "CpuidUserDis" feature (Zen 4 "Raphael" and later).
  6. ^ a b CPUID is also available on some Intel and AMD 486 processor variants that were released after the initial release of the Intel Pentium.
  7. ^ On the Cyrix 5x86 and 6x86 CPUs, CPUID is not enabled by default and must be enabled through a Cyrix configuration register.
  8. ^ On NexGen CPUs, CPUID is only supported with some system BIOSes. On some NexGen CPUs that do support CPUID, EFLAGS.ID is not supported but EFLAGS.AC is, complicating CPU detection.
  9. ^ Unlike the older CMPXCHG instruction, the CMPXCHG8B instruction does not modify any EFLAGS bits other than ZF.
  10. ^ LOCK CMPXCHG8B with a register operand (which is an invalid encoding) can cause hangs on some Intel Pentium CPUs (Pentium F00F bug).
  11. ^ a b c On IDT WinChip, Transmeta Crusoe and Rise mP6 processors, the CMPXCHG8B instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.
  12. ^ a b The RDTSC and RDPMC instructions are not ordered with respect to other instructions, and may sample their respective counters before earlier instructions are executed or after later instructions have executed. Invocations of RDPMC (but not RDTSC) may be reordered relative to each other even for reads of the same counter.
    In order to impose ordering with respect to other instructions, LFENCE or serializing instructions (e.g. CPUID) are needed.
  13. ^ Fixed-rate TSC was introduced in two stages:
    Constant TSC
    TSC running at a fixed rate as long as the processor core is not in a deep-sleep (C2 or deeper) mode, but not synchronized between CPU cores. Introduced in Intel Prescott, Yonah and Bonnell. Also present in all Transmeta and VIA Nano CPUs. Does not have a CPUID bit.
    Invariant TSC
    TSC running at a fixed rate, and remaining synchronized between CPU cores in all P-,C- and T-states (but not necessarily S-states).
    Present in AMD K10 and later; Intel Nehalem/Saltwell and later; Zhaoxin LuJiaZui and later. Indicated with a CPUID bit (leaf 8000_0007:EDX).
  14. ^ RDTSC can be run outside Ring 0 only if CR4.TSD=0.
    On Intel Pentium and AMD K5, RDTSC cannot be run in Virtual-8086 mode. Later processors removed this restriction.
  15. ^ RDPMC can be run outside Ring 0 only if CR4.PCE=1.
  16. ^ The RDPMC instruction is not present in VIA processors prior to the Nano.
  17. ^ The condition codes supported for CMOVcc instruction (opcode 0F 4x /r, with the x nibble specifying the condition) are:
    x cc Condition (EFLAGS)
    0 O OF=1: "Overflow"
    1 NO OF=0: "Not Overflow"
    2 C,B,NAE CF=1: "Carry", "Below", "Not Above or Equal"
    3 NC,NB,AE CF=0: "Not Carry", "Not Below", "Above or Equal"
    4 Z,E ZF=1: "Zero", "Equal"
    5 NZ,NE ZF=0: "Not Zero", "Not Equal"
    6 NA,BE (CF=1 or ZF=1): "Not Above", "Below or Equal"
    7 A,NBE (CF=0 and ZF=0): "Above", "Not Below or Equal"
    8 S SF=1: "Sign"
    9 NS SF=0: "Not Sign"
    A P,PE PF=1: "Parity", "Parity Even"
    B NP,PO PF=0: "Not Parity", "Parity Odd"
    C L,NGE SF≠OF: "Less", "Not Greater Or Equal"
    D NL,GE SF=OF: "Not Less", "Greater Or Equal"
    E LE,NG (ZF=1 or SF≠OF): "Less or Equal", "Not Greater"
    F NLE,G (ZF=0 and SF=OF): "Not Less or Equal", "Greater"
  18. ^ In 64-bit mode, CMOVcc with a 32-bit operand size will clear the upper 32 bits of the destination register even if the condition is false.
    For CMOVcc with a memory source operand, the CPU will always read the operand from memory – potentially causing memory exceptions and cache line-fills – even if the condition for the move is not satisfied. (The Intel APX extension defines an EVEX-encoded variant of CMOVcc that will suppress memory exceptions if the condition is false.)
  19. ^ Unlike other instructions added in Pentium Pro, long NOP does not have a CPUID feature bit.
  20. ^ 0F 1F /0 as long-NOP was introduced in the Pentium Pro, but remained undocumented until 2006. The whole 0F 18..1F opcode range was NOP in Pentium Pro. However, except for 0F 1F /0, Intel does not guarantee that these opcodes will remain NOP in future processors, and have indeed assigned some of these opcodes to other instructions in at least some processors.
  21. ^ Documented for AMD x86-64 since 2002.
  22. ^ While the 0F 0B opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned the mnemonic UD2 from Pentium Pro onwards.
  23. ^ a b GNU Binutils have used the UD2A and UD2B mnemonics for the 0F 0B and 0F B9 opcodes since version 2.7.
    Neither UD2A nor UD2B originally took any arguments - UD2B was later modified to accept a ModR/M byte, in Binutils version 2.30.
  24. ^ a b The UD0/1/2 opcodes - 0F 0B, 0F B9 and 0F FF - will cause an #UD exception on all x86 processors from the 80186 onwards (except NEC V-series processors), but did not get explicitly reserved for this purpose until P5-class processors.
  25. ^ While the 0F B9 opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned its mnemonic UD1 much later – AMD APM started listing UD1 in its opcode maps from rev 3.17 onwards, while Intel SDM started listing it from rev 061 onwards.
  26. ^ a b For both the 0F B9 and 0F FF opcodes, different x86 implementations are known to differ regarding whether the opcodes accept a ModR/M byte.
  27. ^ For the 0F FF opcode, the OIO mnemonic was introduced by Cyrix, while the UD0 menmonic (without arguments) was introduced by AMD and Intel at the same time as the UD1 mnemonic for 0F B9. Later Intel (but not AMD) documentation modified its description of UD0 to add a ModR/M byte and take two arguments.
  28. ^ On K6, the SYSCALL/SYSRET instructions were available on Model 7 (250nm "Little Foot") and later, not on the earlier Model 6.
  29. ^ SYSCALL and SYSRET were made an integral part of x86-64 – as a result, the instructions are available in 64-bit mode on all x86-64 processors from AMD, Intel, VIA and Zhaoxin.
    Outside 64-bit mode, the instructions are available on AMD processors only.
  30. ^ The exact semantics of SYSRET differs slightly between AMD and Intel processors: non-canonical return addresses cause a #GP exception to be thrown in Ring 3 on AMD CPUs but Ring 0 on Intel CPUs. This has been known to cause security issues.
  31. ^ a b For the SYSRET and SYSEXIT instructions under x86-64, it is necessary to add the REX.W prefix for variants that will return to 64-bit user-mode code.
    Encodings of these instructions without the REX.W prefix are used to return to 32-bit user-mode code. (Neither of these instructions can be used to return to 16-bit user-mode code.)
  32. ^ a b c The SYSRET, SYSENTER and SYSEXIT instructions are unavailable in Real mode. (SYSENTER is, however, available in Virtual 8086 mode.)
  33. ^ The CPUID flags that indicate support for SYSENTER/SYSEXIT are set on the Pentium Pro, even though the processor does not officially support these instructions.
    Third party testing indicates that the opcodes are present on the Pentium Pro but too buggy to be usable.
  34. ^ On AMD CPUs, the SYSENTER and SYSEXIT instructions are not available in x86-64 long mode (#UD).
  35. ^ On Transmeta CPUs, the SYSENTER and SYSEXIT instructions are only available with version 4.2 or higher of the Transmeta Code Morphing software.
  36. ^ On Nehemiah, SYSENTER and SYSEXIT are available only on stepping 8 and later.

Added as instruction set extensions

Added with x86-64

These instructions can only be encoded in 64 bit mode. They fall in four groups:

  • original instructions that reuse existing opcodes for a different purpose (MOVSXD replacing ARPL)
  • original instructions with new opcodes (SWAPGS)
  • existing instructions extended to a 64 bit address size (JRCXZ)
  • existing instructions extended to a 64 bit operand size (remaining instructions)

Most instructions with a 64 bit operand size encode this using a REX.W prefix; in the absence of the REX.W prefix, the corresponding instruction with 32 bit operand size is encoded. This mechanism also applies to most other instructions with 32 bit operand size. These are not listed here as they do not gain a new mnemonic in Intel syntax when used with a 64 bit operand size.

Instruction Encoding Meaning Ring
CDQE REX.W 98 Sign extend EAX into RAX 3
CQO REX.W 99 Sign extend RAX into RDX:RAX
CMPSQ REX.W A7 CoMPare String Quadword
CMPXCHG16B m128 REX.W 0F C7 /1 CoMPare and eXCHanGe 16 Bytes.
Atomic only if used with LOCK prefix.
IRETQ REX.W CF 64-bit Return from Interrupt
JRCXZ rel8 E3 cb Jump if RCX is zero
LODSQ REX.W AD LoaD String Quadword
MOVSXD r64,r/m32 REX.W 63 /r MOV with Sign Extend 32-bit to 64-bit
MOVSQ REX.W A5 Move String Quadword
POPFQ 9D POP RFLAGS Register
PUSHFQ 9C PUSH RFLAGS Register
SCASQ REX.W AF SCAn String Quadword
STOSQ REX.W AB STOre String Quadword
SWAPGS 0F 01 F8 Exchange GS base with KernelGSBase MSR 0
  1. ^ The memory operand to CMPXCHG16B must be 16-byte aligned.
  2. ^ The CMPXCHG16B instruction was absent from a few of the earliest Intel/AMD x86-64 processors. On Intel processors, the instruction was missing from Xeon "Nocona" stepping D, but added in stepping E. On AMD K8 family processors, it was added in stepping F, at the same time as DDR2 support was introduced.
    For this reason, CMPXCHG16B has its own CPUID flag, separate from the rest of x86-64.
  3. ^ Encodings of MOVSXD without REX.W prefix are permitted but discouraged – such encodings behave identically to 16/32-bit MOV (8B /r).

Bit manipulation extensions

Bit manipulation instructions. For all of the VEX-encoded instructions defined by BMI1 and BMI2, the operand size may be 32 or 64 bits, controlled by the VEX.W bit – none of these instructions are available in 16-bit variants.

Bit Manipulation Extension Instruction
mnemonics
Opcode Instruction description Added in
ABM (LZCNT)
Advanced Bit Manipulation
POPCNT r16,r/m16
POPCNT r32,r/m32
F3 0F B8 /r Population Count. Counts the number of bits that are set to 1 in its source argument. K10,
Bobcat,
Haswell,
ZhangJiang,
Gracemont
POPCNT r64,r/m64 F3 REX.W 0F B8 /r
LZCNT r16,r/m16
LZCNT r32,r/m32
F3 0F BD /r Count Leading zeroes.
If source operand is all-0s, then LZCNT will return operand size in bits (16/32/64) and set CF=1.
LZCNT r64,r/m64 F3 REX.W 0F BD /r
BMI1
Bit Manipulation Instruction Set 1
TZCNT r16,r/m16
TZCNT r32,r/m32
F3 0F BC /r Count Trailing zeroes.
If source operand is all-0s, then TZCNT will return operand size in bits (16/32/64) and set CF=1.
Haswell,
Piledriver,
Jaguar,
ZhangJiang,
Gracemont
TZCNT r64,r/m64 F3 REX.W 0F BC /r
ANDN ra,rb,r/m VEX.LZ.0F38 F2 /r Bitwise AND-NOT: ra = r/m AND NOT(rb)
BEXTR ra,r/m,rb VEX.LZ.0F38 F7 /r Bitfield extract. Bitfield start position is specified in bits of rb, length in bits of rb. The bitfield is then extracted from the r/m value with zero-extension, then stored in ra. Equivalent to
mask = (1 << rb) - 1
ra = (r/m >> rb) AND mask
BLSI reg,r/m VEX.LZ.0F38 F3 /3 Extract lowest set bit in source argument. Returns 0 if source argument is 0. Equivalent to
dst = (-src) AND src
BLSMSK reg,r/m VEX.LZ.0F38 F3 /2 Generate a bitmask of all-1s bits up to the lowest bit position with a 1 in the source argument. Returns all-1s if source argument is 0. Equivalent to
dst = (src-1) XOR src
BLSR reg,r/m VEX.LZ.0F38 F3 /1 Copy all bits of the source argument, then clear the lowest set bit. Equivalent to
dst = (src-1) AND src
BMI2
Bit Manipulation Instruction Set 2
BZHI ra,r/m,rb VEX.LZ.0F38 F5 /r Zero out high-order bits in r/m starting from the bit position specified in rb, then write result to rd. Equivalent to
ra = r/m AND NOT(-1 << rb)
Haswell,
Excavator,
ZhangJiang,
Gracemont
MULX ra,rb,r/m VEX.LZ.F2.0F38 F6 /r Widening unsigned integer multiply without setting flags. Multiplies EDX/RDX with r/m, then stores the low half of the multiplication result in ra and the high half in rb. If ra and rb specify the same register, only the high half of the result is stored.
PDEP ra,rb,r/m VEX.LZ.F2.0F38 F5 /r Parallel Bit Deposit. Scatters contiguous bits from rb to the bit positions set in r/m, then stores result to ra. Operation performed is:
ra=0; k=0; mask=r/m
for i=0 to opsize-1 do
   if (mask == 1) then
       ra=rb; k=k+1
PEXT ra,rb,r/m VEX.LZ.F3.0F38 F5 /r Parallel Bit Extract. Uses r/m argument as a bit mask to select bits in rb, then compacts the selected bits into a contiguous bit-vector. Operation performed is:
ra=0; k=0; mask=r/m
for i=0 to opsize-1 do
   if (mask == 1) then
       ra=rb; k=k+1
RORX reg,r/m,imm8 VEX.LZ.F2.0F3A F0 /r ib Rotate right by immediate without affecting flags.
SARX ra,r/m,rb VEX.LZ.F3.0F38 F7 /r Arithmetic shift right without updating flags.
For SARX, SHRX and SHLX, the shift-amount specified in rb is masked to 5 bits for 32-bit operand size and 6 bits for 64-bit operand size.
SHRX ra,r/m,rb VEX.LZ.F2.0F38 F7 /r Logical shift right without updating flags.
SHLX ra,r/m,rb VEX.LZ.66.0F38 F7 /r Shift left without updating flags.
  1. ^ On AMD CPUs, the "ABM" extension provides both POPCNT and LZCNT. On Intel CPUs, however, the CPUID bit for "ABM" is only documented to indicate the presence of the LZCNT instruction and is listed as "LZCNT", while POPCNT has its own separate CPUID feature bit.
    However, all known processors that implement the "ABM"/"LZCNT" extensions also implement POPCNT and set the CPUID feature bit for POPCNT, so the distinction is theoretical only.
    (The converse is not true – there exist processors that support POPCNT but not ABM, such as Intel Nehalem and VIA Nano 3000.)
  2. ^ The LZCNT instruction will execute as BSR on systems that do not support the LZCNT or ABM extensions. BSR computes the index of the highest set bit in the source operand, producing a different result from LZCNT for most input values.
  3. ^ The TZCNT instruction will execute as BSF on systems that do not support the BMI1 extension. BSF produces the same result as TZCNT for all input operand values except zero – for which TZCNT returns input operand size, but BSF produces undefined behavior (leaves destination unmodified on most modern CPUs).
  4. ^ For BEXTR, the start position and length are not masked and can take values from 0 to 255. If the selected bits extend beyond the end of the r/m argument (which has the usual 32/64-bit operand size), then the excess bits are read out as 0.
  5. ^ On AMD processors before Zen 3, the PEXT and PDEP instructions are quite slow and exhibit data-dependent timing due to the use of a microcoded implementation (about 18 to 300 cycles, depending on the number of bits set in the mask argument). As a result, it is often faster to use other instruction sequences on these processors.

Added with Intel TSX

TSX Subset Instruction Opcode Description Added in
RTM
Restricted Transactional memory
XBEGIN rel16
XBEGIN rel32
C7 F8 cw
C7 F8 cd
Start transaction. If transaction fails, perform a branch to the given relative offset. Haswell
(Deprecated on desktop/laptop CPUs from 10th generation (Ice Lake, Comet Lake) onwards, but continues to be available on Xeon-branded server parts (e.g. Ice Lake-SP, Sapphire Rapids))
XABORT imm8 C6 F8 ib Abort transaction with 8-bit immediate as error code.
XEND NP 0F 01 D5 End transaction.
XTEST NP 0F 01 D6 Test if in transactional execution. Sets EFLAGS.ZF to 0 if executed inside a transaction (RTM or HLE), 1 otherwise.
HLE
Hardware Lock Elision
XACQUIRE F2 Instruction prefix to indicate start of hardware lock elision, used with memory atomic instructions only (for other instructions, the F2 prefix may have other meanings). When used with such instructions, may start a transaction instead of performing the memory atomic operation. Haswell
(Discontinued – the last processors to support HLE were Coffee Lake and Cascade Lake)
XRELEASE F3 Instruction prefix to indicate end of hardware lock elision, used with memory atomic/store instructions only (for other instructions, the F3 prefix may have other meanings). When used with such instructions during hardware lock elision, will end the associated transaction instead of performing the store/atomic.
TSXLDTRK
Load Address Tracking suspend/resume
XSUSLDTRK F2 0F 01 E8 Suspend Tracking Load Addresses Sapphire Rapids
XRESLDTRK F2 0F 01 E9 Resume Tracking Load Addresses

Added with Intel CET

Intel CET (Control-Flow Enforcement Technology) adds two distinct features to help protect against security exploits such as return-oriented programming: a shadow stack (CET_SS), and indirect branch tracking (CET_IBT).

CET Subset Instruction Opcode Description Ring Added in
CET_SS
Shadow stack.
When shadow stacks are enabled, return addresses are pushed on both the regular stack and the shadow stack when a function call is made. They are then both popped on return from the function call – if they do not match, then the stack is assumed to be corrupted, and a #CP exception is issued.
The shadow stack is additionally required to be stored in specially marked memory pages which cannot be modified by normal memory store instructions.
INCSSPD r32 F3 0F AE /5 Increment shadow stack pointer 3 Tiger Lake,
Zen 3
INCSSPQ r64 F3 REX.W 0F AE /5
RDSSPD r32 F3 0F 1E /1 Read shadow stack pointer into register (low 32 bits)
RDSSPQ r64 F3 REX.W 0F 1E /1 Read shadow stack pointer into register (full 64 bits)
SAVEPREVSSP F3 0F 01 EA Save previous shadow stack pointer
RSTORSSP m64 F3 0F 01 /5 Restore saved shadow stack pointer
WRSSD m32,r32 NP 0F 38 F6 /r Write 4 bytes to shadow stack
WRSSQ m64,r64 NP REX.W 0F 38 F6 /r Write 8 bytes to shadow stack
WRUSSD m32,r32 66 0F 38 F5 /r Write 4 bytes to user shadow stack 0
WRUSSQ m64,r64 66 REX.W 0F 38 F5 /r Write 8 bytes to user shadow stack
SETSSBSY F3 0F 01 E8 Mark shadow stack busy
CLRSSBSY m64 F3 0F AE /6 Clear shadow stack busy flag
CET_IBT
Indirect Branch Tracking.
When IBT is enabled, an indirect branch (jump, call, return) to any instruction that is not an ENDBR32/64 instruction will cause a #CP exception.
ENDBR32 F3 0F 1E FB Terminate indirect branch in 32-bit mode 3 Tiger Lake
ENDBR64 F3 0F 1E FA Terminate indirect branch in 64-bit mode
NOTRACK 3E Prefix used with indirect CALL/JMP near instructions (opcodes FF /2 and FF /4) to indicate that the branch target is not required to start with an ENDBR32/64 instruction. Prefix only honored when NO_TRACK_EN flag is set.
  1. ^ a b The RDSSPD and RDSSPQ instructions act as NOPs on processors where shadow stacks are disabled or CET is not supported.
  2. ^ a b ENDBR32 and ENDBR64 act as NOPs on processors that don't support CET_IBT or where IBT is disabled.
  3. ^ This prefix has the same encoding as the DS: segment override prefix – as of April 2022, Intel documentation does not appear to specify whether this prefix also retains its old segment-override function when used as a no-track prefix, nor does it provide an official mnemonic for this prefix. (GNU binutils use "notrack")

Added with other cross-vendor extensions

Instruction Set Extension Instruction
mnemonics
Opcode Instruction description Ring Added in
SSE
(non-SIMD)
PREFETCHNTA m8 0F 18 /0 Prefetch with Non-Temporal Access.
Prefetch data under the assumption that the data will be used only once, and attempt to minimize cache pollution from said data. The methods used to minimize cache pollution are implementation-dependent.
3 Pentium III,
(K7),
(Geode GX2),
Nehemiah,
Efficeon
PREFETCHT0 m8 0F 18 /1 Prefetch data to all levels of the cache hierarchy.
PREFETCHT1 m8 0F 18 /2 Prefetch data to all levels of the cache hierarchy except L1 cache.
PREFETCHT2 m8 0F 18 /3 Prefetch data to all levels of the cache hierarchy except L1 and L2 caches.
SFENCE NP 0F AE F8+x Store Fence.
SSE2
(non-SIMD)
LFENCE NP 0F AE E8+x Load Fence and Dispatch Serialization. 3 Pentium 4,
K8,
Efficeon,
C7 Esther
MFENCE NP 0F AE F0+x Memory Fence.
MOVNTI m32,r32
MOVNTI m64,r64
NP 0F C3 /r
NP REX.W 0F C3 /r
Non-Temporal Memory Store.
PAUSE F3 90 Pauses CPU thread for a short time period.
Intended for use in spinlocks.
CLFSH
Cache Line Flush.
CLFLUSH m8 NP 0F AE /7 Flush one cache line to memory.
In a system with multiple cache hierarchy levels and/or multiple processors each with their own caches, the line is flushed from all of them.
3 (SSE2),
Geode LX
MONITOR
Monitor a memory location for memory writes.
MONITOR
MONITOR EAX,ECX,EDX
NP 0F 01 C8 Start monitoring a memory location for memory writes. The memory address to monitor is given by DS:AX/EAX/RAX.
ECX and EDX are reserved for extra extension and hint flags, respectively.
Usually 0 Prescott,
Yonah,
Bonnell,
K10,
Nano
MWAIT
MWAIT EAX,ECX
NP 0F 01 C9 Wait for a write to a monitored memory location previously specified with MONITOR.
ECX and EAX are used to provide extra extension and hint flags, respectively. MWAIT hints are commonly used for CPU power management.
SMX
Safer Mode Extensions.
Load, authenticate and execute a digitally signed "Authenticated Code Module" as part of Intel Trusted Execution Technology.
GETSEC NP 0F 37 Perform an SMX function. The leaf function to perform is given in EAX.
Depending on leaf function, the instruction may take additional arguments in RBX, ECX and EDX.
Usually 0 Conroe/Merom,
WuDaoKou,
Tremont
XSAVE
Processor Extended State Save/Restore.
XSAVE mem
XSAVE64 mem
NP 0F AE /4
NP REX.W 0F AE /4
Save state components specified by EDX:EAX to memory. 3 Penryn,
Bulldozer,
Jaguar,
Goldmont,
ZhangJiang
XRSTOR mem
XRSTOR64 mem
NP 0F AE /5
NP REX.W 0F AE /5
Restore state components specified by EDX:EAX from memory.
XGETBV NP 0F 01 D0 Get value of Extended Control Register.
Reads an XCR specified by ECX into EDX:EAX.
XSETBV NP 0F 01 D1 Set Extended Control Register.
Write the value in EDX:EAX to the XCR specified by ECX.
0
RDTSCP
Read Time Stamp Counter and Processor ID.
RDTSCP 0F 01 F9 Read Time Stamp Counter and processor core ID.
The TSC value is placed in EDX:EAX and the core ID in ECX.
Usually 3 K8,
Nehalem,
Silvermont,
Nano
POPCNT
Population Count.
POPCNT r16,r/m16
POPCNT r32,r/m32
F3 0F B8 /r Count the number of bits that are set to 1 in its source argument. 3 K10,
Nehalem,
Nano 3000
POPCNT r64,r/m64 F3 REX.W 0F B8 /r
SSE4.2
(non-SIMD)
CRC32 r32,r/m8 F2 0F 38 F0 /r Accumulate CRC value using the CRC-32C (Castagnoli) polynomial 0x11EDC6F41 (normal form 0x1EDC6F41). This is the polynomial used in iSCSI. In contrast to the more popular one used in Ethernet, its parity is even, and it can thus detect any error with an odd number of changed bits. 3 Nehalem,
Bulldozer,
ZhangJiang
CRC32 r32,r/m16
CRC32 r32,r/m32
F2 0F 38 F1 /r
CRC32 r64,r/m64 F2 REX.W 0F 38 F1 /r
XSAVEOPT
Processor Extended State Save/Restore Optimized
XSAVEOPT mem
XSAVEOPT64 mem
NP 0F AE /6
NP REX.W 0F AE /6
Save state components specified by EDX:EAX to memory.
Unlike the older XSAVE instruction, XSAVEOPT may abstain from writing processor state items to memory when the CPU can determine that they haven't been modified since the most recent corresponding XRSTOR.
3 Sandy Bridge,
Steamroller,
Puma,
Goldmont,
ZhangJiang
FSGSBASE
Read/write base address of FS and GS segments from user-mode.
Available in 64-bit mode only.
RDFSBASE r32
RDFSBASE r64
F3 0F AE /0
F3 REX.W 0F AE /0
Read base address of FS: segment. 3 Ivy Bridge,
Steamroller,
Goldmont,
ZhangJiang
RDGSBASE r32
RDGSBASE r64
F3 0F AE /1
F3 REX.W 0F AE /1
Read base address of GS: segment.
WRFSBASE r32
WRFSBASE r64
F3 0F AE /2
F3 REX.W 0F AE /2
Write base address of FS: segment.
WRGSBASE r32
WRGSBASE r64
F3 0F AE /3
F3 REX.W 0F AE /3
Write base address of GS: segment.
MOVBE
Move to/from memory with byte order swap.
MOVBE r16,m16
MOVBE r32,m32
NFx 0F 38 F0 /r Load from memory to register with byte-order swap. 3 Bonnell,
Haswell,
Jaguar,
Steamroller,
ZhangJiang
MOVBE r64,m64 NFx REX.W 0F 38 F0 /r
MOVBE m16,r16
MOVBE m32,r32
NFx 0F 38 F1 /r Store to memory from register with byte-order swap.
MOVBE m64,r64 NFx REX.W 0F 38 F1 /r
INVPCID
Invalidate TLB entries by Process-context identifier.
INVPCID reg,m128 66 0F 38 82 /r Invalidate entries in TLB and paging-structure caches based on invalidation type in register and descriptor in m128. The descriptor contains a memory address and a PCID.

Instruction is serializing on AMD but not Intel CPUs.

0 Haswell,
ZhangJiang,
Zen 3,
Gracemont
PREFETCHW
Cache-line prefetch with intent to write.
PREFETCHW m8 0F 0D /1 Prefetch cache line with intent to write. 3 K6-2,
(Cedar Mill),
Silvermont,
Broadwell,
ZhangJiang
PREFETCH m8 0F 0D /0 Prefetch cache line.
ADX
Enhanced variants of add-with-carry.
ADCX r32,r/m32
ADCX r64,r/m64
66 0F 38 F6 /r
66 REX.W 0F 38 F6 /r
Add-with-carry. Differs from the older ADC instruction in that it leaves flags other than EFLAGS.CF unchanged. 3 Broadwell,
Zen 1,
ZhangJiang,
Gracemont
ADOX r32,r/m32
ADOX r64,r/m64
F3 0F 38 F6 /r
F3 REX.W 0F 38 F6 /r
Add-with-carry, with the overflow-flag EFLAGS.OF serving as carry input and output, with other flags left unchanged.
SMAP
Supervisor Mode Access Prevention.
Repurposes the EFLAGS.AC (alignment check) flag to a flag that prevents access to user-mode memory while in ring 0, 1 or 2.
CLAC NP 0F 01 CA Clear EFLAGS.AC. 0 Broadwell,
Goldmont,
Zen 1,
LuJiaZui
STAC NP 0F 01 CB Set EFLAGS.AC.
CLFLUSHOPT
Optimized Cache Line Flush.
CLFLUSHOPT m8 NFx 66 0F AE /7 Flush cache line.
Differs from the older CLFLUSH instruction in that it has more relaxed ordering rules with respect to memory stores and other cache line flushes, enabling improved performance.
3 Skylake,
Goldmont,
Zen 1
XSAVEC
Processor Extended State save/restore with compaction.
XSAVEC mem
XSAVEC64 mem
NP 0F C7 /4
NP REX.W 0F C7 /4
Save processor extended state components specified by EDX:EAX to memory with compaction. 3 Skylake,
Goldmont,
Zen 1
XSS
Processor Extended State save/restore, including supervisor state.
XSAVES mem
XSAVES64 mem
NP 0F C7 /5
NP REX.W 0F C7 /5
Save processor extended state components specified by EDX:EAX to memory with compaction and optimization if possible. 0 Skylake,
Goldmont,
Zen 1
XRSTORS mem
XRSTORS64 mem
NP 0F C7 /3
NP REX.W 0F C7 /3
Restore state components specified by EDX:EAX from memory.
PREFETCHWT1
Cache-line prefetch into L2 cache with intent to write.
PREFETCHWT1 m8 0F 0D /2 Prefetch data with T1 locality hint (fetch into L2 cache, but not L1 cache) and intent-to-write hint. 3 Knights Landing,
YongFeng
PKU
Protection Keys for user pages.
RDPKRU NP 0F 01 EE Read User Page Key register into EAX. 3 Skylake-X,
Comet Lake,
Gracemont,
Zen 3,
LuJiaZui
WRPKRU NP 0F 01 EF Write data from EAX into User Page Key Register, and perform a Memory Fence.
CLWB
Cache Line Writeback to memory.
CLWB m8 NFx 66 0F AE /6 Write one cache line back to memory without invalidating the cache line. 3 Skylake-X,
Zen 2,
Tiger Lake,
Tremont
RDPID
Read processor core ID.
RDPID r32 F3 0F C7 /7 Read processor core ID into register. 3 Goldmont Plus,
Zen 2,
Ice Lake,
LuJiaZui
WBNOINVD
Whole Cache Writeback without invalidate.
WBNOINVD F3 0F 09 Write back all dirty cache lines to memory without invalidation. Instruction is serializing. 0 Zen 2,
Ice Lake-SP
  1. ^ a b c AMD Athlon processors prior to the Athlon XP did not support full SSE, but did introduce the non-SIMD instructions of SSE as part of "MMX Extensions". These extensions (without full SSE) are also present on Geode GX2 and later Geode processors.
  2. ^ a b c d e f g All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated.
  3. ^ a b c For the SFENCE, LFENCE and MFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction.
  4. ^ The SFENCE instruction ensures that all memory stores after the SFENCE instruction are made globally observable after all memory stores before the SFENCE. This imposes ordering on stores that can otherwise be reordered, such as non-temporal stores and stores to WC (Write-Combining) memory regions.
    On Intel CPUs, as well as AMD CPUs from Zen1 onwards (but not older AMD CPUs), SFENCE also acts as a reordering barrier on cache flushes/writebacks performed with the CLFLUSH, CLFLUSHOPT and CLWB instructions. (Older AMD CPUs require MFENCE to order CLFLUSH.)
    SFENCE is not ordered with respect to LFENCE, and an SFENCE+LFENCE sequence is not sufficient to prevent a load from being reordered past a previous store. To prevent such reordering, it is necessary to execute an MFENCE, LOCK or a serializing instruction.
  5. ^ The LFENCE instruction ensures that all memory loads after the LFENCE instruction are made globally observable after all memory loads before the LFENCE.
    On all Intel CPUs that support SSE2, the LFENCE instruction provides a stronger ordering guarantee: it is dispatch-serializing, meaning that instructions after the LFENCE instruction are allowed to start executing only after all instructions before it have retired (which will ensure that all preceding loads but not necessarily stores have completed). The effect of dispatch-serialization is that LFENCE also acts as a speculation barrier and a reordering barrier for accesses to non-memory resources such as performance counters (accessed through e.g. RDTSC or RDPMC) and x2apic MSRs.
    On AMD CPUs, LFENCE is not necessarily dispatch-serializing by default – however, on all AMD CPUs that support any form of non-dispatch-serializing LFENCE, it can be made dispatch-serializing by setting bit 1 of MSR C001_1029.
  6. ^ The MFENCE instruction ensures that all memory loads, stores and cacheline-flushes after the MFENCE instruction are made globally observable after all memory loads, stores and cacheline-flushes before the MFENCE.
    On Intel CPUs, MFENCE is not dispatch-serializing, and therefore cannot be used to enforce ordering on accesses to non-memory resources such as performance counters and x2apic MSRs. MFENCE is still ordered with respect to LFENCE, so if a memory barrier with dispatch serialization is needed, then it can be obtained by issuing an MFENCE followed by an LFENCE.
    On AMD CPUs, MFENCE is serializing.
  7. ^ The operation of the PAUSE instruction in 64-bit mode is, unlike NOP, unaffected by the presence of the REX.R prefix. Neither NOP nor PAUSE are affected by the other bits of the REX prefix. A few examples of opcode 90 with various prefixes in 64-bit mode are:
    • 90 is NOP
    • 41 90 is XCHG R8D,EAX
    • 4E 90 is NOP
    • 49 90 is XCHG R8,RAX
    • F3 90 is PAUSE
    • F3 41 90 is PAUSE
    • F3 4F 90 is PAUSE
  8. ^ The actual length of the pause performed by the PAUSE instruction is implementation-dependent.
    On systems without SSE2, PAUSE will execute as NOP.
  9. ^ Under VT-x or AMD-V virtualization, executing PAUSE many times in a short time interval may cause a #VMEXIT. The number of PAUSE executions and interval length that can trigger #VMEXIT are platform-specific.
  10. ^ While the CLFLUSH instruction was introduced together with SSE2, it has its own CPUID flag and may be present on processors not otherwise implementing SSE2 and/or absent from processors that otherwise implement SSE2. (E.g. AMD Geode LX supports CLFLUSH but not SSE2.)
  11. ^ While the MONITOR and MWAIT instructions were introduced at the same time as SSE3, they have their own CPUID flag that needs to be checked separately from the SSE3 CPUID flag (e.g. Athlon64 X2 and VIA C7 supported SSE3 but not MONITOR.)
  12. ^ a b For the MONITOR and MWAIT instructions, older Intel documentation lists instruction mnemonics with explicit operands (MONITOR EAX,ECX,EDX and MWAIT EAX,ECX), while newer documentation omits these operands. Assemblers/disassemblers may support one or both of these variants.
  13. ^ For MONITOR, the DS: segment can be overridden with a segment prefix.
    The memory area that will be monitored will be not just the single byte specified by DS:rAX, but a linear memory region containing the byte – the size and alignment of this memory region is implementation-dependent and can be queried through CPUID.
    The memory location to monitor should have memory type WB (write-back cacheable), or else monitoring may fail.
  14. ^ As of March 2023, no extensions or hints have been defined for the MONITOR instruction. As such, the instruction requires ECX=0 and ignores EDX.
  15. ^ On some processors, such as Intel Xeon Phi x200 and AMD K10 and later, there exist documented MSRs that can be used to enable MONITOR and MWAIT to run in Ring 3.
  16. ^ The wait performed by MWAITmay be ended by system events other than a memory write (e.g. cacheline evictions, interrupts) – the exact set of events that can cause the wait to end is implementation-specific.
    Regardless of whether the wait was ended by a memory write or some other event, monitoring will have ended and it will be necessary to set up monitoring again with MONITOR before performing any further MWAITs.
  17. ^ The extension flags available for MWAIT in the ECX register are:
    Bits MWAIT Extension
    0 Treat interrupts as break events, even when masked (EFLAGS.IF=0). (Available on all non-NetBurst implementations of MWAIT.)
    1 Timed MWAIT: end the wait when the TSC reaches or exceeds the value in EDX:EBX. (Undocumented, reportedly present in Intel Skylake and later Intel processors)
    31:2 Not used, must be set to zero.
  18. ^ The hint flags available for MWAIT in the EAX register are:
    Bits MWAIT Hint
    3:0 Sub-state within a C-state (see bits 7:4) (Intel processors only)
    7:4 Target CPU power C-state during wait, minus 1. (E.g. 0000b for C1, 0001b for C2, 1111b for C0)
    31:8 Not used.

    The C-states are processor-specific power states, which do not necessarily correspond 1:1 to ACPI C-states.

  19. ^ For the GETSEC instruction, the REX.W prefix enables 64-bit addresses for the EXITAC leaf function only - REX prefixes are otherwise permitted but ignored for the instruction.
  20. ^ The leaf functions defined for GETSEC (selected by EAX) are:
    EAX Function
    0 (CAPABILITIES) Report SMX capabilities
    2 (ENTERACCES) Enter execution of authenticated code module
    3 (EXITAC) Exit execution of authenticated code module
    4 (SENTER) Enter measured environment
    5 (SEXIT) Exit measured environment
    6 (PARAMETERS) Report SMX parameters
    7 (SMCTRL) SMX Mode Control
    8 (WAKEUP) Wake up sleeping processors in measured environment

    Any unsupported value in EAX causes an #UD exception.

  21. ^ For GETSEC, most leaf functions are restricted to Ring 0, but the CAPABILITIES (EAX=0) and PARAMETERS (EAX=6) leaf functions are available in Ring 3.
  22. ^ XSAVE was added in steppings E0/R0 of Penryn and is not available in earlier steppings.
  23. ^ On some processors (starting with Skylake, Goldmont and Zen 1), executing XGETBV with ECX=1 is permitted – this will not return XCR1 (no such register exists) but instead return XCR0 bitwise-ANDed with the current value of the "XINUSE" state-component bitmap (a bitmap of XSAVE state-components that are not known to be in their initial state).
    The presence of this functionality of XGETBV is indicated by CPUID.(EAX=0Dh,ECX=1):EAX.
  24. ^ a b The "core ID" value read by RDTSCP and RDPID is actually the TSC_AUX MSR (MSR C000_0103h). Whether this value actually corresponds to a processor ID is a matter of operating system convention.
  25. ^ Unlike the older RDTSC instruction, RDTSCP will delay the TSC read until all previous instructions have retired, guaranteeing ordering with respect to preceding memory loads (but not stores). RDTSCP is not ordered with respect to subsequent instructions, though.
  26. ^ RDTSCP can be run outside Ring 0 only if CR4.TSD=0.
  27. ^ Support for RDTSCP was added in stepping F of the AMD K8, and is not available on earlier steppings.
  28. ^ While the POPCNT instruction was introduced at the same time as SSE4.2, it is not considered to be a part of SSE4.2, but instead a separate extension with its own CPUID flag.
    On AMD processors, it is considered to be a part of the ABM extension, but still has its own CPUID flag.
  29. ^ The invalidation types defined for INVPCID (selected by register argument) are:
    Value Function
    0 Invalidate TLB entries matching PCID and virtual memory address in descriptor, excluding global entries
    1 Invalidate TLB entries matching PCID in descriptor, excluding global entries
    2 Invalidate all TLB entries, including global entries
    3 Invalidate all TLB entries, excluding global entries

    Any unsupported value in the register argument causes a #GP exception.

  30. ^ Unlike the older INVLPG instruction, INVPCID will cause a #GP exception if the provided memory address is non-canonical. This discrepancy has been known to cause security issues.
  31. ^ The PREFETCH and PREFETCHW instructions are mandatory parts of the 3DNow! instruction set extension, but are also available as a standalone extension on systems that do not support 3DNow!
  32. ^ The opcodes for PREFETCH and PREFETCHW (0F 0D /r) execute as NOPs on Intel CPUs from Cedar Mill (65nm Pentium 4) onwards, with PREFETCHW gaining prefetch functionality from Broadwell onwards.
  33. ^ The PREFETCH (0F 0D /0) instruction is a 3DNow! instruction, present on all processors with 3DNow! but not necessarily on processors with the PREFETCHW extension.
    On AMD CPUs with PREFETCHW, opcode 0F 0D /0 as well as opcodes 0F 0D /2../7 are all documented to be performing prefetch.
    On Intel processors with PREFETCHW, these opcodes are documented as performing reserved-NOPs (except 0F 0D /2 being PREFETCHWT1 m8 on Xeon Phi only) – third party testing indicates that some or all of these opcodes may be performing prefetch on at least some Intel Core CPUs.
  34. ^ a b c The SMAP, PKU and RDPID instruction set extensions are supported on stepping 2 and later of Zhaoxin LuJiaZui, but not on earlier steppings.
  35. ^ Unlike the older RDTSCP instruction which can also be used to read the processor ID, user-mode RDPID is not disabled by CR4.TSD=1.
  36. ^ The WBNOINVD instruction will execute as WBINVD if run on a system that doesn't support the WBNOINVD extension.
    WBINVD differs from WBNOINVD in that WBINVD will invalidate all cache lines after writeback.

Added with other Intel-specific extensions

Instruction Set Extension Instruction
mnemonics
Opcode Instruction description Ring Added in
SGX
Software Guard Extensions.
Set up an encrypted enclave in which a guest can execute code that a compromised or malicious host cannot inspect or tamper with.
ENCLS NP 0F 01 CF Perform an SGX Supervisor function. The function to perform is given in EAX. 0
SGX1
Skylake,
Goldmont Plus
SGX2
Goldmont Plus,
Ice Lake-SP
OVERSUB
Ice Lake-SP,
Tremont
ENCLU NP 0F 01 D7 Perform an SGX User function. The function to perform is given in EAX. 3
ENCLV NP 0F 01 C0 Perform an SGX Virtualization function. The function to perform is given in EAX. 0
PTWRITE
Write data to a Processor Trace Packet.
PTWRITE r/m32
PTWRITE r/m64
F3 0F AE /4
F3 REX.W 0F AE /4
Read data from register or memory to encode into a PTW packet. 3 Kaby Lake,
Goldmont Plus
MOVDIRI
Move to memory as Direct Store.
MOVDIRI m32,r32
MOVDIRI m64,r64
NP 0F 38 F9 /r
NP REX.W 0F 38 F9 /r
Store to memory using Direct Store (memory store that is not cached or write-combined with other stores). 3 Tiger Lake,
Tremont
MOVDIR64B
Move 64 bytes as Direct Store.
MOVDIR64B reg,m512 66 0F 38 F8 /r Move 64 bytes of data from m512 to address given by ES:reg. The 64-byte write is done atomically with Direct Store. 3 Tiger Lake,
Tremont
PCONFIG
Platform Configuration, including TME-MK ("Total Memory Encryption – Multi-Key") and TSE ("Total Storage Encryption").
PCONFIG NP 0F 01 C5 Perform a platform feature configuration function. The function to perform is specified in EAX - depending on function, RBX, RCX and RDX may provide additional input information.

If the instruction fails, it will set EFLAGS.ZF=1 and return an error code in EAX. If it is successful, it sets EFLAGS.ZF=0 and EAX=0.

0 Ice Lake-SP
CLDEMOTE
Cache Line Demotion Hint.
CLDEMOTE m8 NP 0F 1C /0 Move cache line containing m8 from CPU L1 cache to a more distant level of the cache hierarchy. 3 (Tremont),
(Alder Lake),
Sapphire Rapids
WAITPKG
User-mode memory monitoring and waiting.
UMONITOR r16/32/64 F3 0F AE /6 Start monitoring a memory location for memory writes. The memory address to monitor is given by the register argument. 3 Tremont,
Alder Lake
UMWAIT r32
UMWAIT r32,EDX,EAX
F2 0F AE /6 Timed wait for a write to a monitored memory location previously specified with UMONITOR. In the absence of a memory write, the wait will end when either the TSC reaches the value specified by EDX:EAX or the wait has been going on for an OS-controlled maximum amount of time. Usually 3
TPAUSE r32
TPAUSE r32,EDX,EAX
66 0F AE /6 Wait until the Time Stamp Counter reaches the value specified in EDX:EAX.
The register argument to the instruction specifies extra flags to control the operation of the instruction.
SERIALIZE
Instruction Execution Serialization.
SERIALIZE NP 0F 01 E8 Serialize instruction fetch and execution. 3 Alder Lake
HRESET
Processor History Reset.
HRESET imm8 F3 0F 3A F0 C0 ib Request that the processor reset selected components of hardware-maintained prediction history. A bitmap of which components of the CPU's prediction history to reset is given in EAX (the imm8 argument is ignored). 0 Alder Lake
UINTR
User Interprocessor interrupt.
Available in 64-bit mode only.
SENDUIPI reg F3 0F C7 /6 Send Interprocessor User Interrupt. 3 Sapphire Rapids
UIRET F3 0F 01 EC User Interrupt Return.
TESTUI F3 0F 01 ED Test User Interrupt Flag.
Copies UIF to EFLAGS.CF .
CLUI F3 0F 01 EE Clear User Interrupt Flag.
STUI F3 0F 01 EF Set User Interrupt Flag.
ENQCMD
Enqueue Store.
ENQCMD r32/64,m512 F2 0F 38 F8 /r Enqueue Command. Reads a 64-byte "command data" structure from memory (m512 argument) and writes atomically to a memory-mapped Enqueue Store device (register argument provides the memory address of this device, using ES segment and requiring 64-byte alignment.) Sets ZF=0 to indicate that device accepted the command, or ZF=1 to indicate that command was not accepted (e.g. queue full or the memory location was not an Enqueue Store device.) 3 Sapphire Rapids
ENQCMDS r32/64,m512 F3 0F 38 F8 /r Enqueue Command Supervisor. Differs from ENQCMD in that it can place an arbitrary PASID (process address-space identifier) and a privilege-bit in the "command data" to enqueue. 0
  1. ^ The leaf functions defined for ENCLS (selected by EAX) are:
    EAX Function
    0 (ECREATE) Create an enclave
    1 (EADD) Add a page
    2 (EINIT) Initialize an enclave
    3 (EREMOVE) Remove a page from EPC (Enclave Page Cache)
    4 (EDBGRD) Read data by debugger
    5 (EDBGWR) Write data by debugger
    6 (EEXTEND) Extend EPC page measurement
    7 (ELDB) Load an EPC page as blocked
    8 (ELDU) Load an EPC page as unblocked
    9 (EBLOCK) Block an EPC page
    A (EPA) Add version array
    B (EWB) Writeback/invalidate EPC page
    C (ETRACK) Activate EBLOCK checks
    Added with SGX2
    D (EAUG) Add page to initialized enclave
    E (EMODPTR) Restrict permissions of EPC page
    F (EMODT) Change type of EPC page
    Added with OVERSUB
    10 (ERDINFO) Read EPC page type/status info
    11 (ETRACKC) Activate EBLOCK checks
    12 (ELDBC) Load EPC page as blocked with enhanced error reporting
    13 (ELDUC) Load EPC page as unblocked with enhanced error reporting
    Other
    18 (EUPDATESVN) Update SVN (Security Version Number) after live microcode update

    Any unsupported value in EAX causes a #GP exception.

  2. ^ SGX is deprecated on desktop/laptop processors from 11th generation (Rocket Lake, Tiger Lake) onwards, but continues to be available on Xeon-branded server parts.
  3. ^ The leaf functions defined for ENCLU (selected by EAX) are:
    EAX Function
    0 (EREPORT) Create a cryptographic report
    1 (EGETKEY) Create a cryptographic key
    2 (EENTER) Enter an Enclave
    3 (ERESUME) Re-enter an Enclave
    4 (EEXIT) Exit an Enclave
    Added with SGX2
    5 (EACCEPT) Accept changes to EPC page
    6 (EMODPE) Extend EPC page permissions
    7 (EACCEPTCOPY) Initialize pending page
    Added with TDX
    8 (EVERIFYREPORT2) Verify a cryptographic report of a trust domain
    Added with AEX-Notify
    9 (EDECCSSA) Decrement TCS.CSSA

    Any unsupported value in EAX causes a #GP exception.
    The EENTER and ERESUME functions cannot be executed inside an SGX enclave – the other functions can only be executed inside an enclave.

  4. ^ ENCLU can only be executed in ring 3, not rings 0/1/2.
  5. ^ The leaf functions defined for ENCLV (selected by EAX) are:
    EAX Function
    Added with OVERSUB
    0 (EDECVIRTCHILD) Decrement VIRTCHILDCNT in SECS
    1 (EINCVIRTCHILD) Increment VIRTCHILDCNT in SECS
    2 (ESETCONTEXT) Set ENCLAVECONTEXT field in SECS

    Any unsupported value in EAX causes a #GP exception.
    The ENCLV instruction is only present on systems that support the EPC Oversubscription Extensions to SGX ("OVERSUB").

  6. ^ ENCLV is only available if Intel VMX operation is enabled with VMXON, and will produce #UD otherwise.
  7. ^ For PTWRITE, the write to the Processor Trace Packet will only happen if a set of enable-bits (the "TriggerEn", "ContextEn", "FilterEn" bits of the RTIT_STATUS MSR and the "PTWEn" bit of the RTIT_CTL MSR) are all set to 1.
    The PTWRITE instruction is indicated in the SDM to cause an #UD exception if the 66h instruction prefix is used, regardless of other prefixes.
  8. ^ For MOVDIR64, the destination address given by ES:reg must be 64-byte aligned.
    The operand size for the register argument is given by the address size, which may be overridden by the 67h prefix.
    The 64-byte memory source argument does not need to be 64-byte aligned, and is not guaranteed to be read atomically.
  9. ^ The leaf functions defined for PCONFIG (selected by EAX) are:
    EAX Function
    0 MKTME_KEY_PROGRAM:
    Program key and encryption mode to use with an TME-MK Key ID.
    Added with TSE
    1 TSE_KEY_PROGRAM:
    Direct key programming for TSE.
    2 TSE_KEY_PROGRAM_WRAPPED:
    Wrapped key programming for TSE.

    Any unsupported value in EAX causes a #GP(0) exception.

  10. ^ For CLDEMOTE, the cache level that it will demote a cache line to is implementation-dependent.
    Since the instruction is considered a hint, it will execute as a NOP without any exceptions if the provided memory address is invalid or not in the L1 cache. It may also execute as a NOP under other implementation-dependent circumstances as well.
    On systems that do not support the CLDEMOTE extension, it executes as a NOP.
  11. ^ Intel documentation lists Tremont and Alder Lake as the processors in which CLDEMOTE was introduced. However, as of May 2022, no Tremont or Alder Lake models have been observed to have the CPUID feature bit for CLDEMOTE set, while several of them have the CPUID bit cleared.
    As of April 2023, the CPUID feature bit for CLDEMOTE has been observed to be set for Sapphire Rapids.
  12. ^ For UMONITOR, the operand size of the address argument is given by the address size, which may be overridden by the 67h prefix. The default segment used is DS:, which can be overridden with a segment prefix.
  13. ^ For UMWAIT, the operating system can use the IA32_UMWAIT_CONTROL MSR to limit the maximum amount of time that a single UMWAIT invocation is permitted to wait. The UMWAIT instruction will set RFLAGS.CF to 1 if it reached the IA32_UMWAIT_CONTROL-defined time limit and 0 otherwise.
  14. ^ TPAUSE and UMWAIT can be run outside Ring 0 only if CR4.TSD=0.
  15. ^ While serialization can be performed with older instructions such as e.g. CPUID and IRET, these instructions perform additional functions, causing side-effects and reduced performance when stand-alone instruction serialization is needed. (CPUID additionally has the issue that it causes a mandatory #VMEXIT when executed under virtualization, which causes a very large overhead.) The SERIALIZE instruction performs serialization only, avoiding these added costs.
  16. ^ A bitmap of CPU history components that can be reset through HRESET is provided by CPUID.(EAX=20h,ECX=0):EBX.
    As of July 2023, the following bits are defined:
    Bit Usage
    0 Intel Thread Director history
    31:1 (Reserved)
  17. ^ The register argument to SENDUIPI is an index to pick an entry from the UITT (User-Interrupt Target Table, a table specified by the new UINTR_TT and UINT_MISC MSRs.)

Added with other AMD-specific extensions

Instruction Set Extension Instruction
mnemonics
Opcode Instruction description Ring Added in
AltMovCr8
Alternative mechanism to access the CR8 control register.
MOV reg,CR8 F0 0F 20 /0 Read the CR8 register. 0 K8
MOV CR8,reg F0 0F 22 /0 Write to the CR8 register.
MONITORX
Monitor a memory location for writes in user mode.
MONITORX NP 0F 01 FA Start monitoring a memory location for memory writes. Similar to older MONITOR, except available in user mode. 3 Excavator
MWAITX NP 0F 01 FB Wait for a write to a monitored memory location previously specified with MONITORX.
MWAITX differs from the older MWAIT instruction mainly in that it runs in user mode and that it can accept an optional timeout argument (given in TSC time units) in EBX (enabled by setting bit of ECX to 1.)
CLZERO
Zero out full cache line.
CLZERO rAX NP 0F 01 FC Write zeroes to all bytes in a memory region that has the size and alignment of a CPU cache line and contains the byte addressed by DS:rAX. 3 Zen 1
RDPRU
Read processor register in user mode.
RDPRU NP 0F 01 FD Read selected MSRs (mainly performance counters) in user mode. ECX specifies which register to read.

The value of the MSR is returned in EDX:EAX.

Usually 3 Zen 2
MCOMMIT
Commit Stores To Memory.
MCOMMIT F3 0F 01 FA Ensure that all preceding stores in thread have been committed to memory, and that any errors encountered by these stores have been signalled to any associated error logging resources. The set of errors that can be reported and the logging mechanism are platform-specific.
Sets EFLAGS.CF to 0 if any errors occurred, 1 otherwise.
3 Zen 2
INVLPGB
Invalidate TLB Entries with broadcast.
INVLPGB NP 0F 01 FE Invalidate TLB Entries for a range of pages, with broadcast. The invalidation is performed on the processor executing the instruction, and also broadcast to all other processors in the system.
rAX takes the virtual address to invalidate and some additional flags, ECX takes the number of pages to invalidate, and EDX specifies ASID and PCID to perform TLB invalidation for.
0 Zen 3
TLBSYNC NP 0F 01 FF Synchronize TLB invalidations.
Wait until all TLB invalidations signalled by preceding invocations of the INVLPGB instruction on the same logical processor have been responded to by all processors in the system. Instruction is serializing.
  1. ^ The standard way to access the CR8 register is to use an encoding that makes use of the REX.R prefix, e.g. 44 0F 20 07 (MOV RDI,CR8). However, the REX.R prefix is only available in 64-bit mode.
    The AltMovCr8 extension adds an additional method to access CR8, using the F0 (LOCK) prefix instead of REX.R – this provides access to CR8 outside 64-bit mode.
  2. ^ a b Like other variants of MOV to/from the CRx registers, the AltMovCr8 encodings ignore the top 2 bits of the instruction's ModR/M byte, and always execute as if these two bits are set to 11b.
    The AltMovCr8 encodings are available in 64-bit mode. However, combining the LOCK prefix with the REX.R prefix is not permitted and will cause an #UD exception.
  3. ^ Support for AltMovCR8 was added in stepping F of the AMD K8, and is not available on earlier steppings.
  4. ^ For CLZERO, the address size and 67h prefix control whether to use AX, EAX or RAX as address. The default segment DS: can be overridden by a segment-override prefix. The provided address does not need to be aligned – hardware will align it as necessary.
    The CLZERO instruction is intended for recovery from otherwise-fatal Machine Check errors. It is non-cacheable, cannot be used to allocate a cache line without a memory access, and should not be used for fast memory clears.
  5. ^ The register numbering used by RDPRU does not necessarily match that of RDMSR/WRMSR.
    The registers supported by RDPRU as of December 2022 are:
    ECX Register
    0 MPERF (MSR 0E7h: Maximum Performance Frequency Clock Count)
    1 APERF (MSR 0E8h: Actual Performance Frequency Clock Count)

    Unsupported values in ECX return 0.

  6. ^ If CR4.TSD=1, then the RDPRU instruction can only run in ring 0.

x87 floating-point instructions

The x87 coprocessor, if present, provides support for floating-point arithmetic. The coprocessor provides eight data registers, each holding one 80-bit floating-point value (1 sign bit, 15 exponent bits, 64 mantissa bits) – these registers are organized as a stack, with the top-of-stack register referred to as "st" or "st(0)", and the other registers referred to as st(1),st(2),...st(7). It additionally provides a number of control and status registers, including "PC" (precision control, to control whether floating-point operations should be rounded to 24, 53 or 64 mantissa bits) and "RC" (rounding control, to pick rounding-mode: round-to-zero, round-to-positive-infinity, round-to-negative-infinity, round-to-nearest-even) and a 4-bit condition code register "CC", whose four bits are individually referred to as C0,C1,C2 and C3). Not all of the arithmetic instructions provided by x87 obey PC and RC.

Original 8087 instructions

Instruction description Mnemonic Opcode Additional items
x87 Non-Waiting FPU Control Instructions Waiting
mnemonic
Initialize x87 FPU FNINIT DB E3 FINIT
Load x87 Control Word FLDCW m16 D9 /5 (none)
Store x87 Control Word FNSTCW m16 D9 /7 FSTCW
Store x87 Status Word FNSTSW m16 DD /7 FSTSW
Clear x87 Exception Flags FNCLEX DB E2 FCLEX
Load x87 FPU Environment FLDENV m112/m224 D9 /4 (none)
Store x87 FPU Environment FNSTENV m112/m224 D9 /6 FSTENV
Save x87 FPU State, then initialize x87 FPU FNSAVE m752/m864 DD /6 FSAVE
Restore x87 FPU State FRSTOR m752/m864 DD /4 (none)
Enable Interrupts (8087 only) FNENI DB E0 FENI
Disable Interrupts (8087 only) FNDISI DB E1 FDISI
x87 Floating-point Load/Store/Move Instructions precision
control
rounding
control
Load floating-point value onto stack FLD m32 D9 /0 No
FLD m64 DD /0
FLD m80 DB /5
FLD st(i) D9 C0+i
Store top-of-stack floating-point value to memory or stack register FST m32 D9 /2 No Yes
FST m64 DD /2
FST st(i) DD D0+i No
Store top-of-stack floating-point value to memory or stack register, then pop FSTP m32 D9 /3 No Yes
FSTP m64 DD /3
FSTP m80 DB /7 No
FSTP st(i) DD D8+i
DF D0+i
DF D8+i
Push +0.0 onto stack FLDZ D9 EE No
Push +1.0 onto stack FLD1 D9 E8
Push π (approximately 3.14159) onto stack FLDPI D9 EB No 387
Push (approximately 3.32193) onto stack FLDL2T D9 E9
Push (approximately 1.44269) onto stack FLDL2E D9 EA
Push (approximately 0.30103) onto stack FLDLG2 D9 EC
Push (approximately 0.69315) onto stack FLDLN2 D9 ED
Exchange top-of-stack register with other stack register FXCH st(i) D9 C8+i No
DD C8+i
DF C8+i
x87 Integer Load/Store Instructions precision
control
rounding
control
Load signed integer value onto stack from memory, with conversion to floating-point FILD m16 DF /0 No
FILD m32 DB /0
FILD m64 DF /5
Store top-of-stack value to memory, with conversion to signed integer FIST m16 DF /2 No Yes
FIST m32 DB /2
Store top-of-stack value to memory, with conversion to signed integer, then pop stack FISTP m16 DF /3 No Yes
FISTP m32 DB /3
FISTP m64 DF /7
Load 18-digit Binary-Coded-Decimal integer value onto stack from memory, with conversion to floating-point FBLD m80 DF /4 No
Store top-of-stack value to memory, with conversion to 18-digit Binary-Coded-Decimal integer, then pop stack FBSTP m80 DF /6 No 387
x87 Basic Arithmetic Instructions precision
control
rounding
control
Floating-point add
dst <- dst + src
FADD m32 D8 /0 Yes Yes
FADD m64 DC /0
FADD st,st(i) D8 C0+i
FADD st(i),st DC C0+i
Floating-point multiply
dst <- dst * src
FMUL m32 D8 /1 Yes Yes
FMUL m64 DC /1
FMUL st,st(i) D8 C8+i
FMUL st(i),st DC C8+i
Floating-point subtract
dst <- dst – src
FSUB m32 D8 /4 Yes Yes
FSUB m64 DC /4
FSUB st,st(i) D8 E0+i
FSUB st(i),st DC E8+i
Floating-point reverse subtract
dst <- src – dst
FSUBR m32 D8 /5 Yes Yes
FSUBR m64 DC /5
FSUBR st,st(i) D8 E8+i
FSUBR st(i),st DC E0+i
Floating-point divide
dst <- dst / src
FDIV m32 D8 /6 Yes Yes
FDIV m64 DC /6
FDIV st,st(i) D8 F0+i
FDIV st(i),st DC F8+i
Floating-point reverse divide
dst <- src / dst
FDIVR m32 D8 /7 Yes Yes
FDIVR m64 DC /7
FDIVR st,st(i) D8 F8+i
FDIVR st(i),st DC F0+i
Floating-point compare
CC <- result_of( st(0) – src )
Same operation as subtract, except that it updates the x87 CC status register instead of any of the FPU stack registers
FCOM m32 D8 /2 No
FCOM m64 DC /2
FCOM st(i) D8 D0+i
DC D0+i
x87 Basic Arithmetic Instructions with Stack Pop precision
control
rounding
control
Floating-point add and pop FADDP st(i),st DE C0+i Yes Yes
Floating-point multiply and pop FMULP st(i),st DE C8+i Yes Yes
Floating-point subtract and pop FSUBP st(i),st DE E8+i Yes Yes
Floating-point reverse-subtract and pop FSUBRP st(i),st DE E0+i Yes Yes
Floating-point divide and pop FDIVP st(i),st DE F8+i Yes Yes
Floating-point reverse-divide and pop FDIVRP st(i),st DE F0+i Yes Yes
Floating-point compare and pop FCOMP m32 D8 /3 No
FCOMP m64 DC /3
FCOMP st(i) D8 D8+i
DC D8+i
DE D0+i
Floating-point compare to st(1), then pop twice FCOMPP DE D9 No
x87 Basic Arithmetic Instructions with Integer Source Argument precision
control
rounding
control
Floating-point add by integer FIADD m16 DA /0 Yes Yes
FIADD m32 DE /0
Floating-point multiply by integer FIMUL m16 DA /1 Yes Yes
FIMUL m32 DE /1
Floating-point subtract by integer FISUB m16 DA /4 Yes Yes
FISUB m32 DE /4
Floating-point reverse-subtract by integer FISUBR m16 DA /5 Yes Yes
FISUBR m32 DE /5
Floating-point divide by integer FIDIV m16 DA /6 Yes Yes
FIDIV m32 DE /6
Floating-point reverse-divide by integer FIDIVR m16 DA /7 Yes Yes
FIDIVR m32 DE /7
Floating-point compare to integer FICOM m16 DA /2 No
FICOM m32 DE /2
Floating-point compare to integer, and stack pop FICOMP m16 DA /3 No
FICOMP m32 DE /3
x87 Additional Arithmetic Instructions precision
control
rounding
control
Floating-point change sign FCHS D9 E0 No
Floating-point absolute value FABS D9 E1 No
Floating-point compare top-of-stack value to 0 FTST D9 E4 No
Classify top-of-stack st(0) register value.
The classification result is stored in the x87 CC register.
FXAM D9 E5 No
Split the st(0) value into two values E and M representing the exponent and mantissa of st(0).
The split is done such that , where E is an integer and M is a number whose absolute value is within the range .  
st(0) is then replaced with E, after which M is pushed onto the stack.
FXTRACT D9 F4 No
Floating-point partial remainder (not IEEE 754 compliant):
FPREM D9 F8 No
Floating-point square root FSQRT D9 FA Yes Yes
Floating-point round to integer FRNDINT D9 FC No Yes
Floating-point power-of-2 scaling. Rounds the value of st(1) to integer with round-to-zero, then uses it as a scale factor for st(0):
FSCALE D9 FD No Yes
x87 Transcendental Instructions Source operand
range restriction
Base-2 exponential minus 1, with extra precision for st(0) close to 0:
F2XM1 D9 F0 8087: 
80387: 
Base-2 Logarithm:
followed by stack pop
FYL2X D9 F1 no restrictions
Partial Tangent: Computes from st(0) a pair of values X and Y, such that
The Y value replaces the top-of-stack value, and then X is pushed onto the stack.
On 80387 and later x87, but not original 8087, X is always 1.0
FPTAN D9 F2 8087: 
80387: 
Two-argument arctangent with quadrant adjustment:
followed by stack pop
FPATAN D9 F3 8087: 
80387: no restrictions
Base-2 Logarithm plus 1, with extra precision for st(0) close to 0:
followed by stack pop
FYL2XP1 D9 F9 Intel: 
AMD: 
Other x87 Instructions
No operation FNOP D9 D0
Decrement x87 FPU Register Stack Pointer FDECSTP D9 F6
Increment x87 FPU Register Stack Pointer FINCSTP D9 F7
Free x87 FPU Register FFREE st(i) DD C0+i
Check and handle pending unmasked x87 FPU exceptions WAIT,
FWAIT
9B
Floating-point store and pop, without stack underflow exception FSTPNCE st(i) D9 D8+i
Free x87 register, then stack pop FFREEP st(i) DF C0+i
  1. ^ x87 coprocessors (other than the 8087) handle exceptions in a fairly unusual way. When an x87 instruction generates an unmasked arithmetic exception, it will still complete without causing a CPU fault – instead of causing a fault, it will record within the coprocessor information needed to handle the exception (instruction pointer, opcode, data pointer if the instruction had a memory operand) and set FPU status-word flag to indicate that a pending exception is present. This pending exception will then cause a CPU fault when the next x87, MMX or WAIT instruction is executed.
    The exception to this is x87's "Non-Waiting" instructions, which will execute without causing such a fault even if a pending exception is present (with some caveats, see application note AP-578). These instructions are mostly control instructions that can inspect and/or modify the pending-exception state of the x87 FPU.
  2. ^ For each non-waiting x87 instruction whose mnemonic begins with FN, there exists a pseudo-instruction that has the same mnemonic except without the N. These pseudo-instructions consist of a WAIT instruction (opcode 9B) followed by the corresponding non-waiting x87 instruction. For example:
    • FNCLEX is an instruction with the opcode DB E2. The corresponding pseudo-instruction FCLEX is then encoded as 9B DB E2.
    • FNSAVE ES: is an instruction with the opcode 26 DD 77 06. The corresponding pseudo-instruction FSAVE ES: is then encoded as 9B 26 DD 77 06
    These pseudo-instructions are commonly recognized by x86 assemblers and disassemblers and treated as single instructions, even though all x86 CPUs with x87 coprocessors execute them as a sequence of two instructions.
  3. ^ a b c d On 80387 and later x87 FPUs, FLDENV, F(N)STENV, FRSTOR and F(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D bit and the presence of the 66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.
    64-bit variants of these instructions do not exist – using REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64/FXRSTOR64 instead if 64-bit operation is desired.
  4. ^ a b In the case of an x87 instruction producing an unmasked FPU exception, the 8087 FPU will signal an IRQ some indeterminate time after the instruction was issued. This may not always be possible to handle, and so the FPU offers the F(N)DISI and F(N)ENI instructions to set/clear the Interrupt Mask bit (bit 7) of the x87 Control Word, to control the interrupt.
    Later x87 FPUs, from 80287 onwards, changed the FPU exception mechanism to instead produce a CPU exception on the next x87 instruction. This made the Interrupt Mask bit unnecessary, so it was removed. In later Intel x87 FPUs, the F(N)ENI and F(N)DISI instructions were kept for backwards compatibility, executing as NOPs that do not modify any x87 state.
  5. ^ a b c FST/FSTP with an 80-bit destination (m80 or st(i)) and an sNaN source value will produce exceptions on AMD but not Intel FPUs.
  6. ^ FSTP ST(0) is a commonly used idiom for popping a single register off the x87 register stack.
  7. ^ a b c d e f g h i Intel x87 alias opcode. Use of this opcode is not recommended.
    On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087 and 80287, but then omitted from later manuals until the October 2017 update of the Intel SDM.
    They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86 and NexGen 586PF.
  8. ^ a b On the 8087 and 80287, FBSTP and the load-constant instructions always use the round-to-nearest rounding mode. On the 80387 and later x87 FPUs, these instructions will use the rounding mode specified in the x87 RC register.
  9. ^ a b c d e f g h i For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.
  10. ^ On Intel Pentium and later processors, FXCH is implemented as a register renaming rather than a true data move. This has no semantic effect, but enables zero-cycle-latency operation. It also allows the instruction to break data dependencies for the x87 top-of-stack value, improving attainable performance for code optimized for these processors.
  11. ^ The result of executing the FBLD instruction on non-BCD data is undefined.
  12. ^ On early Intel Pentium processors, floating-point divide was subject to the Pentium FDIV bug. This also affected instructions that perform divide as part of their operations, such as FPREM and FPATAN.
  13. ^ The FXAM instruction will set C0, C2 and C3 based on value type in st(0) as follows:
    C3 C2 C0 Classification
    0 0 0 Unsupported (unnormal or pseudo-NaN)
    0 0 1 NaN
    0 1 0 Normal finite number
    0 1 1 Infinity
    1 0 0 Zero
    1 0 1 Empty
    1 1 0 Denormal number
    1 1 1 Empty (may occur on 8087/80287 only)

    C1 is set to the sign-bit of st(0), regardless of whether st(0) is Empty or not.

  14. ^ For FXTRACT, if st(0) is zero or ±∞, then M is set equal to st(0). If st(0) is zero, E is set to 0 on 8087/80287 but -∞ on 80387 and later. If st(0) is ±∞, then E is set to +∞.
  15. ^ For FPREM, if the quotient Q is larger than , then the remainder calculation may have been done only partially – in this case, the FPREM instruction will need to be run again in order to complete the remainder calculation. This is indicated by the instruction setting C2 to 1.
    If the instruction did complete the remainder calculation, it will set C2 to 0 and set the three bits {C0,C3,C1} to the bottom three bits of the quotient Q.
    On 80387 and later, if the instruction didn't complete the remainder calculation, then the computed remainder Q used for argument reduction will have been rounded to a multiple of 8 (or larger power-of-2), so that the bottom 3 bits of the quotient can still be correctly retrieved in a later pass that does complete the remainder calculation.
  16. ^ The remainder computation done by the FPREM instruction is always exact with no roundoff errors.
  17. ^ For the FSCALE instruction on 8087 and 80287, st(1) is required to be in the range . Also, its absolute value must be either 0 or at least 1. If these requirements are not satisfied, the result is undefined.
    These restrictions were removed in the 80387.
  18. ^ For FSCALE, rounding is only applied in the case of overflow, underflow or subnormal result.
  19. ^ The x87 transcendental instructions do not obey PC or RC, but instead compute full 80-bit results. These results are not necessarily correctly rounded (see Table-maker's dilemma) – they may have an error of up to ±1 ulp on Pentium or later, or up to ±1.5 ulps on earlier x87 coprocessors.
  20. ^ a b For the FYL2X and FYL2XP1 instructions, the maximum error bound of ±1 ulp only holds for st(1)=1.0 – for other values of st(1), the error bound is increased to ±1.35 ulps.
  21. ^ For FPATAN, the following adjustments are done as compared to just computing a one-argument arctangent of the ratio :
    • If both st(0) and st(1) are ±∞, then the arctangent is computed as if each of st(0) and st(1) had been replaced with ±1 of the same sign. This produces a result that is an odd multiple of .
    • If both st(0) and st(1) are ±0, then the arctangent is computed as if st(0) but not st(1) had been replaced with ±1 of the same sign, producing a result of ±0 or .
    • If st(0) is negative (has sign bit set), then an addend of with the same sign as st(1) is added to the result.
  22. ^ While FNOP is a no-op in the sense that will leave the x87 FPU register stack unmodified, it may still modify FIP and CC, and it may fault if a pending x87 FPU exception is present.

x87 instructions added in later processors

Instruction description Mnemonic Opcode Additional items
x87 Non-Waiting Control Instructions added in 80287 Waiting
mnemonic
Notify FPU of entry into Protected Mode FNSETPM DB E4 FSETPM
Store x87 Status Word to AX FNSTSW AX DF E0 FSTSW AX
x87 Instructions added in 80387 Source operand
range restriction
Floating-point unordered compare.
Similar to the regular floating-point compare instruction FCOM, except will not produce an exception in response to any qNaN operands.
FUCOM st(i) DD E0+i no restrictions
Floating-point unordered compare and pop FUCOMP st(i) DD E8+i
Floating-point unordered compare to st(1), then pop twice FUCOMPP DA E9
IEEE 754 compliant floating-point partial remainder. FPREM1 D9 F5
Floating-point sine and cosine.
Computes two values and  
Top-of-stack st(0) is replaced with S, after which C is pushed onto the stack.
FSINCOS D9 FB
Floating-point sine.
FSIN D9 FE
Floating-point cosine.
FCOS D9 FF
x87 Instructions added in Pentium Pro Condition for
conditional moves
Floating-point conditional move to st(0) based on EFLAGS FCMOVB st(0),st(i) DA C0+i below (CF=1)
FCMOVE st(0),st(i) DA C8+i equal (ZF=1)
FCMOVBE st(0),st(i) DA D0+i below or equal
(CF=1 or ZF=1)
FCMOVU st(0),st(i) DA D8+i unordered (PF=1)
FCMOVNB st(0),st(i) DB C0+i not below (CF=0)
FCMOVNE st(0),st(i) DB C8+i not equal (ZF=0)
FCMOVNBE st(0),st(i) DB D0+i not below or equal
(CF=0 and ZF=0)
FCMOVNU st(0),st(i) DB D8+i not unordered (PF=0)
Floating-point compare and set EFLAGS.
Differs from the older FCOM floating-point compare instruction in that it puts its result in the integer EFLAGS register rather than the x87 CC register.
FCOMI st(0),st(i) DB F0+i
Floating-point compare and set EFLAGS, then pop FCOMIP st(0),st(i) DF F0+i
Floating-point unordered compare and set EFLAGS FUCOMI st(0),st(i) DB E8+i
Floating-point unordered compare and set EFLAGS, then pop FUCOMIP st(0),st(i) DF E8+i
x87 Non-Waiting Instructions added in Pentium II, AMD K7 and SSE 64-bit mnemonic
(REX.W prefix)
Save x87, MMX and SSE state to 512-byte data structure FXSAVE m512byte NP 0F AE /0 FXSAVE64 m512byte
Restore x87, MMX and SSE state from 512-byte data structure FXRSTOR m512byte NP 0F AE /1 FXRSTOR64 m512byte
x87 Instructions added as part of SSE3
Floating-point store integer and pop, with round-to-zero FISTTP m16 DF /1
FISTTP m32 DB /1
FISTTP m64 DD /1
  1. ^ The x87 FPU needs to know whether it is operating in Real Mode or Protected Mode because the floating-point environment accessed by the F(N)SAVE, FRSTOR, FLDENV and F(N)STENV instructions has different formats in Real Mode and Protected Mode. On 80287, the F(N)SETPM instruction is required to communicate the real-to-protected mode transition to the FPU. On 80387 and later x87 FPUs, real↔protected mode transitions are communicated automatically to the FPU without the need for any dedicated instructions – therefore, on these FPUs, FNSETPM executes as a NOP that does not modify any FPU state.
  2. ^ Not including discontinued instructions specific to particular 80387-compatible FPU models.
  3. ^ a b For the FUCOM and FUCOMP instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.
  4. ^ The 80387 FPREM1 instruction differs from the older FPREM (D9 F8) instruction in that the quotient Q is rounded to integer with round-to-nearest-even rounding rather than the round-to-zero rounding used by FPREM. Like FPREM, FPREM1 always computes an exact result with no roundoff errors. Like FPREM, it may also perform a partial computation if the quotient is too large, in which case it must be run again.
  5. ^ a b c Due to the x87 FPU performing argument reduction for sin/cos with only about 68 bits of precision, the value of k used in the calculation of FSIN, FCOS and FSINCOS is not precisely 1.0, but instead given by
    This argument reduction inaccuracy also affects the FPTAN instruction.
  6. ^ The FCOMI, FCOMIP, FUCOMI and FUCOMIP instructions write their results to the ZF, CF and PF bits of the EFLAGS register. On Intel but not AMD processors, the SF, AF and OF bits of EFLAGS are also zeroed out by these instructions.
  7. ^ The FXSAVE and FXRSTOR instructions were added in the "Deschutes" revision of Pentium II, and are not present in earlier "Klamath" revision.
    They are also present in AMD K7.
    They are also considered an integral part of SSE and are therefore present in all processors with SSE.
  8. ^ a b The FXSAVE and FXRSTOR instructions will save/restore SSE state only on processors that support SSE. Otherwise, they will only save/restore x87 and MMX state.
    The x87 section of the state saved/restored by FXSAVE/FXRSTOR has a completely different layout than the data structure of the older F(N)SAVE/FRSTOR instructions, enabling faster save/restore by avoiding misaligned loads and stores.
  9. ^ a b When floating-point emulation is enabled with CR0.EM=1, FXSAVE(64) and FXRSTOR(64) are considered to be x87 instructions and will accordingly produce an #NM (device-not-available) exception. Other than WAIT, these are the only opcodes outside the D8..DF ESC opcode space that exhibit this behavior. (All opcodes in D8..DF will produce #NM if CR0.EM=1, even for undefined opcodes that would produce #UD otherwise.)
  10. ^ Unlike the older F(N)SAVE instruction, FXSAVE will not initialize the FPU after saving its state to memory, but instead leave the x87 coprocessor state unmodified.

SIMD instructions

MMX instructions

MMX instructions operate on the mm registers, which are 64 bits wide. They are shared with the FPU registers.

Original MMX instructions

Added with Pentium MMX

Instruction Opcode Meaning Notes
EMMS 0F 77 Empty MMX Technology State Marks all x87 FPU registers for use by FPU
MOVD mm, r/m32 0F 6E /r Move doubleword
MOVD r/m32, mm 0F 7E /r Move doubleword
MOVQ mm/m64, mm 0F 7F /r Move quadword
MOVQ mm, mm/m64 0F 6F /r Move quadword
MOVQ mm, r/m64 REX.W + 0F 6E /r Move quadword
MOVQ r/m64, mm REX.W + 0F 7E /r Move quadword
PACKSSDW mm1, mm2/m64 0F 6B /r Pack doublewords to words (signed with saturation)
PACKSSWB mm1, mm2/m64 0F 63 /r Pack words to bytes (signed with saturation)
PACKUSWB mm, mm/m64 0F 67 /r Pack words to bytes (unsigned with saturation)
PADDB mm, mm/m64 0F FC /r Add packed byte integers
PADDW mm, mm/m64 0F FD /r Add packed word integers
PADDD mm, mm/m64 0F FE /r Add packed doubleword integers
PADDSB mm, mm/m64 0F EC /r Add packed signed byte integers and saturate
PADDSW mm, mm/m64 0F ED /r Add packed signed word integers and saturate
PADDUSB mm, mm/m64 0F DC /r Add packed unsigned byte integers and saturate
PADDUSW mm, mm/m64 0F DD /r Add packed unsigned word integers and saturate
PAND mm, mm/m64 0F DB /r Bitwise AND
PANDN mm, mm/m64 0F DF /r Bitwise AND NOT
POR mm, mm/m64 0F EB /r Bitwise OR
PXOR mm, mm/m64 0F EF /r Bitwise XOR
PCMPEQB mm, mm/m64 0F 74 /r Compare packed bytes for equality
PCMPEQW mm, mm/m64 0F 75 /r Compare packed words for equality
PCMPEQD mm, mm/m64 0F 76 /r Compare packed doublewords for equality
PCMPGTB mm, mm/m64 0F 64 /r Compare packed signed byte integers for greater than
PCMPGTW mm, mm/m64 0F 65 /r Compare packed signed word integers for greater than
PCMPGTD mm, mm/m64 0F 66 /r Compare packed signed doubleword integers for greater than
PMADDWD mm, mm/m64 0F F5 /r Multiply packed words, add adjacent doubleword results
PMULHW mm, mm/m64 0F E5 /r Multiply packed signed word integers, store high 16 bits of results
PMULLW mm, mm/m64 0F D5 /r Multiply packed signed word integers, store low 16 bits of results
PSLLW mm1, imm8 0F 71 /6 ib Shift left words, shift in zeros
PSLLW mm, mm/m64 0F F1 /r Shift left words, shift in zeros
PSLLD mm, imm8 0F 72 /6 ib Shift left doublewords, shift in zeros
PSLLD mm, mm/m64 0F F2 /r Shift left doublewords, shift in zeros
PSLLQ mm, imm8 0F 73 /6 ib Shift left quadword, shift in zeros
PSLLQ mm, mm/m64 0F F3 /r Shift left quadword, shift in zeros
PSRAD mm, imm8 0F 72 /4 ib Shift right doublewords, shift in sign bits
PSRAD mm, mm/m64 0F E2 /r Shift right doublewords, shift in sign bits
PSRAW mm, imm8 0F 71 /4 ib Shift right words, shift in sign bits
PSRAW mm, mm/m64 0F E1 /r Shift right words, shift in sign bits
PSRLW mm, imm8 0F 71 /2 ib Shift right words, shift in zeros
PSRLW mm, mm/m64 0F D1 /r Shift right words, shift in zeros
PSRLD mm, imm8 0F 72 /2 ib Shift right doublewords, shift in zeros
PSRLD mm, mm/m64 0F D2 /r Shift right doublewords, shift in zeros
PSRLQ mm, imm8 0F 73 /2 ib Shift right quadword, shift in zeros
PSRLQ mm, mm/m64 0F D3 /r Shift right quadword, shift in zeros
PSUBB mm, mm/m64 0F F8 /r Subtract packed byte integers
PSUBW mm, mm/m64 0F F9 /r Subtract packed word integers
PSUBD mm, mm/m64 0F FA /r Subtract packed doubleword integers
PSUBSB mm, mm/m64 0F E8 /r Subtract signed packed bytes with saturation
PSUBSW mm, mm/m64 0F E9 /r Subtract signed packed words with saturation
PSUBUSB mm, mm/m64 0F D8 /r Subtract unsigned packed bytes with saturation
PSUBUSW mm, mm/m64 0F D9 /r Subtract unsigned packed words with saturation
PUNPCKHBW mm, mm/m64 0F 68 /r Unpack and interleave high-order bytes
PUNPCKHWD mm, mm/m64 0F 69 /r Unpack and interleave high-order words
PUNPCKHDQ mm, mm/m64 0F 6A /r Unpack and interleave high-order doublewords
PUNPCKLBW mm, mm/m32 0F 60 /r Unpack and interleave low-order bytes
PUNPCKLWD mm, mm/m32 0F 61 /r Unpack and interleave low-order words
PUNPCKLDQ mm, mm/m32 0F 62 /r Unpack and interleave low-order doublewords

MMX instructions added in specific processors

MMX instructions added with MMX+ and SSE

The following MMX instruction were added with SSE. They are also available on the Athlon under the name MMX+.

Instruction Opcode Meaning
MASKMOVQ mm1, mm2 0F F7 /r Masked Move of Quadword
MOVNTQ m64, mm 0F E7 /r Move Quadword Using Non-Temporal Hint
PSHUFW mm1, mm2/m64, imm8 0F 70 /r ib Shuffle Packed Words
PINSRW mm, r32/m16, imm8 0F C4 /r Insert Word
PEXTRW reg, mm, imm8 0F C5 /r Extract Word
PMOVMSKB reg, mm 0F D7 /r Move Byte Mask
PMINUB mm1, mm2/m64 0F DA /r Minimum of Packed Unsigned Byte Integers
PMAXUB mm1, mm2/m64 0F DE /r Maximum of Packed Unsigned Byte Integers
PAVGB mm1, mm2/m64 0F E0 /r Average Packed Integers
PAVGW mm1, mm2/m64 0F E3 /r Average Packed Integers
PMULHUW mm1, mm2/m64 0F E4 /r Multiply Packed Unsigned Integers and Store High Result
PMINSW mm1, mm2/m64 0F EA /r Minimum of Packed Signed Word Integers
PMAXSW mm1, mm2/m64 0F EE /r Maximum of Packed Signed Word Integers
PSADBW mm1, mm2/m64 0F F6 /r Compute Sum of Absolute Differences
MMX instructions added with SSE2

The following MMX instructions were added with SSE2:

Instruction Opcode Meaning
PADDQ mm, mm/m64 0F D4 /r Add packed quadword integers
PSUBQ mm1, mm2/m64 0F FB /r Subtract packed quadword integers
PMULUDQ mm1, mm2/m64 0F F4 /r Multiply unsigned doubleword integer
MMX instructions added with SSSE3
Instruction Opcode Meaning
PSIGNB mm1, mm2/m64 0F 38 08 /r Negate/zero/preserve packed byte integers depending on corresponding sign
PSIGNW mm1, mm2/m64 0F 38 09 /r Negate/zero/preserve packed word integers depending on corresponding sign
PSIGND mm1, mm2/m64 0F 38 0A /r Negate/zero/preserve packed doubleword integers depending on corresponding sign
PSHUFB mm1, mm2/m64 0F 38 00 /r Shuffle bytes
PMULHRSW mm1, mm2/m64 0F 38 0B /r Multiply 16-bit signed words, scale and round signed doublewords, pack high 16 bits
PMADDUBSW mm1, mm2/m64 0F 38 04 /r Multiply signed and unsigned bytes, add horizontal pair of signed words, pack saturated signed-words
PHSUBW mm1, mm2/m64 0F 38 05 /r Subtract and pack 16-bit signed integers horizontally
PHSUBSW mm1, mm2/m64 0F 38 07 /r Subtract and pack 16-bit signed integer horizontally with saturation
PHSUBD mm1, mm2/m64 0F 38 06 /r Subtract and pack 32-bit signed integers horizontally
PHADDSW mm1, mm2/m64 0F 38 03 /r Add and pack 16-bit signed integers horizontally, pack saturated integers to mm1.
PHADDW mm1, mm2/m64 0F 38 01 /r Add and pack 16-bit integers horizontally
PHADDD mm1, mm2/m64 0F 38 02 /r Add and pack 32-bit integers horizontally
PALIGNR mm1, mm2/m64, imm8 0F 3A 0F /r ib Concatenate destination and source operands, extract byte-aligned result shifted to the right
PABSB mm1, mm2/m64 0F 38 1C /r Compute the absolute value of bytes and store unsigned result
PABSW mm1, mm2/m64 0F 38 1D /r Compute the absolute value of 16-bit integers and store unsigned result
PABSD mm1, mm2/m64 0F 38 1E /r Compute the absolute value of 32-bit integers and store unsigned result

SSE instructions

Added with Pentium III

SSE instructions operate on xmm registers, which are 128 bit wide.

SSE consists of the following SSE SIMD floating-point instructions:

Instruction Opcode Meaning
ANDPS* xmm1, xmm2/m128 0F 54 /r Bitwise Logical AND of Packed Single-Precision Floating-Point Values
ANDNPS* xmm1, xmm2/m128 0F 55 /r Bitwise Logical AND NOT of Packed Single-Precision Floating-Point Values
ORPS* xmm1, xmm2/m128 0F 56 /r Bitwise Logical OR of Single-Precision Floating-Point Values
XORPS* xmm1, xmm2/m128 0F 57 /r Bitwise Logical XOR for Single-Precision Floating-Point Values
MOVUPS xmm1, xmm2/m128 0F 10 /r Move Unaligned Packed Single-Precision Floating-Point Values
MOVSS xmm1, xmm2/m32 F3 0F 10 /r Move Scalar Single-Precision Floating-Point Values
MOVUPS xmm2/m128, xmm1 0F 11 /r Move Unaligned Packed Single-Precision Floating-Point Values
MOVSS xmm2/m32, xmm1 F3 0F 11 /r Move Scalar Single-Precision Floating-Point Values
MOVLPS xmm, m64 0F 12 /r Move Low Packed Single-Precision Floating-Point Values
MOVHLPS xmm1, xmm2 0F 12 /r Move Packed Single-Precision Floating-Point Values High to Low
MOVLPS m64, xmm 0F 13 /r Move Low Packed Single-Precision Floating-Point Values
UNPCKLPS xmm1, xmm2/m128 0F 14 /r Unpack and Interleave Low Packed Single-Precision Floating-Point Values
UNPCKHPS xmm1, xmm2/m128 0F 15 /r Unpack and Interleave High Packed Single-Precision Floating-Point Values
MOVHPS xmm, m64 0F 16 /r Move High Packed Single-Precision Floating-Point Values
MOVLHPS xmm1, xmm2 0F 16 /r Move Packed Single-Precision Floating-Point Values Low to High
MOVHPS m64, xmm 0F 17 /r Move High Packed Single-Precision Floating-Point Values
MOVAPS xmm1, xmm2/m128 0F 28 /r Move Aligned Packed Single-Precision Floating-Point Values
MOVAPS xmm2/m128, xmm1 0F 29 /r Move Aligned Packed Single-Precision Floating-Point Values
MOVNTPS m128, xmm1 0F 2B /r Move Aligned Four Packed Single-FP Non Temporal
MOVMSKPS reg, xmm 0F 50 /r Extract Packed Single-Precision Floating-Point 4-bit Sign Mask. The upper bits of the register are filled with zeros.
CVTPI2PS xmm, mm/m64 0F 2A /r Convert Packed Dword Integers to Packed Single-Precision FP Values
CVTSI2SS xmm, r/m32 F3 0F 2A /r Convert Dword Integer to Scalar Single-Precision FP Value
CVTSI2SS xmm, r/m64 F3 REX.W 0F 2A /r Convert Qword Integer to Scalar Single-Precision FP Value
CVTTPS2PI mm, xmm/m64 0F 2C /r Convert with Truncation Packed Single-Precision FP Values to Packed Dword Integers
CVTTSS2SI r32, xmm/m32 F3 0F 2C /r Convert with Truncation Scalar Single-Precision FP Value to Dword Integer
CVTTSS2SI r64, xmm1/m32 F3 REX.W 0F 2C /r Convert with Truncation Scalar Single-Precision FP Value to Qword Integer
CVTPS2PI mm, xmm/m64 0F 2D /r Convert Packed Single-Precision FP Values to Packed Dword Integers
CVTSS2SI r32, xmm/m32 F3 0F 2D /r Convert Scalar Single-Precision FP Value to Dword Integer
CVTSS2SI r64, xmm1/m32 F3 REX.W 0F 2D /r Convert Scalar Single-Precision FP Value to Qword Integer
UCOMISS xmm1, xmm2/m32 0F 2E /r Unordered Compare Scalar Single-Precision Floating-Point Values and Set EFLAGS
COMISS xmm1, xmm2/m32 0F 2F /r Compare Scalar Ordered Single-Precision Floating-Point Values and Set EFLAGS
SQRTPS xmm1, xmm2/m128 0F 51 /r Compute Square Roots of Packed Single-Precision Floating-Point Values
SQRTSS xmm1, xmm2/m32 F3 0F 51 /r Compute Square Root of Scalar Single-Precision Floating-Point Value
RSQRTPS xmm1, xmm2/m128 0F 52 /r Compute Reciprocal of Square Root of Packed Single-Precision Floating-Point Value
RSQRTSS xmm1, xmm2/m32 F3 0F 52 /r Compute Reciprocal of Square Root of Scalar Single-Precision Floating-Point Value
RCPPS xmm1, xmm2/m128 0F 53 /r Compute Reciprocal of Packed Single-Precision Floating-Point Values
RCPSS xmm1, xmm2/m32 F3 0F 53 /r Compute Reciprocal of Scalar Single-Precision Floating-Point Values
ADDPS xmm1, xmm2/m128 0F 58 /r Add Packed Single-Precision Floating-Point Values
ADDSS xmm1, xmm2/m32 F3 0F 58 /r Add Scalar Single-Precision Floating-Point Values
MULPS xmm1, xmm2/m128 0F 59 /r Multiply Packed Single-Precision Floating-Point Values
MULSS xmm1, xmm2/m32 F3 0F 59 /r Multiply Scalar Single-Precision Floating-Point Values
SUBPS xmm1, xmm2/m128 0F 5C /r Subtract Packed Single-Precision Floating-Point Values
SUBSS xmm1, xmm2/m32 F3 0F 5C /r Subtract Scalar Single-Precision Floating-Point Values
MINPS xmm1, xmm2/m128 0F 5D /r Return Minimum Packed Single-Precision Floating-Point Values
MINSS xmm1, xmm2/m32 F3 0F 5D /r Return Minimum Scalar Single-Precision Floating-Point Values
DIVPS xmm1, xmm2/m128 0F 5E /r Divide Packed Single-Precision Floating-Point Values
DIVSS xmm1, xmm2/m32 F3 0F 5E /r Divide Scalar Single-Precision Floating-Point Values
MAXPS xmm1, xmm2/m128 0F 5F /r Return Maximum Packed Single-Precision Floating-Point Values
MAXSS xmm1, xmm2/m32 F3 0F 5F /r Return Maximum Scalar Single-Precision Floating-Point Values
LDMXCSR m32 0F AE /2 Load MXCSR Register State
STMXCSR m32 0F AE /3 Store MXCSR Register State
CMPPS xmm1, xmm2/m128, imm8 0F C2 /r ib Compare Packed Single-Precision Floating-Point Values
CMPSS xmm1, xmm2/m32, imm8 F3 0F C2 /r ib Compare Scalar Single-Precision Floating-Point Values
SHUFPS xmm1, xmm2/m128, imm8 0F C6 /r ib Shuffle Packed Single-Precision Floating-Point Values
  • The floating point single bitwise operations ANDPS, ANDNPS, ORPS and XORPS produce the same result as the SSE2 integer (PAND, PANDN, POR, PXOR) and double ones (ANDPD, ANDNPD, ORPD, XORPD), but can introduce extra latency for domain changes when applied values of the wrong type.

SSE2 instructions

Added with Pentium 4

SSE2 SIMD floating-point instructions

SSE2 data movement instructions
Instruction Opcode Meaning
MOVAPD xmm1, xmm2/m128 66 0F 28 /r Move Aligned Packed Double-Precision Floating-Point Values
MOVAPD xmm2/m128, xmm1 66 0F 29 /r Move Aligned Packed Double-Precision Floating-Point Values
MOVNTPD m128, xmm1 66 0F 2B /r Store Packed Double-Precision Floating-Point Values Using Non-Temporal Hint
MOVHPD xmm1, m64 66 0F 16 /r Move High Packed Double-Precision Floating-Point Value
MOVHPD m64, xmm1 66 0F 17 /r Move High Packed Double-Precision Floating-Point Value
MOVLPD xmm1, m64 66 0F 12 /r Move Low Packed Double-Precision Floating-Point Value
MOVLPD m64, xmm1 66 0F 13/r Move Low Packed Double-Precision Floating-Point Value
MOVUPD xmm1, xmm2/m128 66 0F 10 /r Move Unaligned Packed Double-Precision Floating-Point Values
MOVUPD xmm2/m128, xmm1 66 0F 11 /r Move Unaligned Packed Double-Precision Floating-Point Values
MOVMSKPD reg, xmm 66 0F 50 /r Extract Packed Double-Precision Floating-Point Sign Mask
MOVSD* xmm1, xmm2/m64 F2 0F 10 /r Move or Merge Scalar Double-Precision Floating-Point Value
MOVSD xmm1/m64, xmm2 F2 0F 11 /r Move or Merge Scalar Double-Precision Floating-Point Value
SSE2 packed arithmetic instructions
Instruction Opcode Meaning
ADDPD xmm1, xmm2/m128 66 0F 58 /r Add Packed Double-Precision Floating-Point Values
ADDSD xmm1, xmm2/m64 F2 0F 58 /r Add Low Double-Precision Floating-Point Value
DIVPD xmm1, xmm2/m128 66 0F 5E /r Divide Packed Double-Precision Floating-Point Values
DIVSD xmm1, xmm2/m64 F2 0F 5E /r Divide Scalar Double-Precision Floating-Point Value
MAXPD xmm1, xmm2/m128 66 0F 5F /r Maximum of Packed Double-Precision Floating-Point Values
MAXSD xmm1, xmm2/m64 F2 0F 5F /r Return Maximum Scalar Double-Precision Floating-Point Value
MINPD xmm1, xmm2/m128 66 0F 5D /r Minimum of Packed Double-Precision Floating-Point Values
MINSD xmm1, xmm2/m64 F2 0F 5D /r Return Minimum Scalar Double-Precision Floating-Point Value
MULPD xmm1, xmm2/m128 66 0F 59 /r Multiply Packed Double-Precision Floating-Point Values
MULSD xmm1,xmm2/m64 F2 0F 59 /r Multiply Scalar Double-Precision Floating-Point Value
SQRTPD xmm1, xmm2/m128 66 0F 51 /r Square Root of Double-Precision Floating-Point Values
SQRTSD xmm1,xmm2/m64 F2 0F 51/r Compute Square Root of Scalar Double-Precision Floating-Point Value
SUBPD xmm1, xmm2/m128 66 0F 5C /r Subtract Packed Double-Precision Floating-Point Values
SUBSD xmm1, xmm2/m64 F2 0F 5C /r Subtract Scalar Double-Precision Floating-Point Value
SSE2 logical instructions
Instruction Opcode Meaning
ANDPD xmm1, xmm2/m128 66 0F 54 /r Bitwise Logical AND of Packed Double Precision Floating-Point Values
ANDNPD xmm1, xmm2/m128 66 0F 55 /r Bitwise Logical AND NOT of Packed Double Precision Floating-Point Values
ORPD xmm1, xmm2/m128 66 0F 56/r Bitwise Logical OR of Packed Double Precision Floating-Point Values
XORPD xmm1, xmm2/m128 66 0F 57/r Bitwise Logical XOR of Packed Double Precision Floating-Point Values
SSE2 compare instructions
Instruction Opcode Meaning
CMPPD xmm1, xmm2/m128, imm8 66 0F C2 /r ib Compare Packed Double-Precision Floating-Point Values
CMPSD* xmm1, xmm2/m64, imm8 F2 0F C2 /r ib Compare Low Double-Precision Floating-Point Values
COMISD xmm1, xmm2/m64 66 0F 2F /r Compare Scalar Ordered Double-Precision Floating-Point Values and Set EFLAGS
UCOMISD xmm1, xmm2/m64 66 0F 2E /r Unordered Compare Scalar Double-Precision Floating-Point Values and Set EFLAGS
SSE2 shuffle and unpack instructions
Instruction Opcode Meaning
SHUFPD xmm1, xmm2/m128, imm8 66 0F C6 /r ib Packed Interleave Shuffle of Pairs of Double-Precision Floating-Point Values
UNPCKHPD xmm1, xmm2/m128 66 0F 15 /r Unpack and Interleave High Packed Double-Precision Floating-Point Values
UNPCKLPD xmm1, xmm2/m128 66 0F 14 /r Unpack and Interleave Low Packed Double-Precision Floating-Point Values
SSE2 conversion instructions
Instruction Opcode Meaning
CVTDQ2PD xmm1, xmm2/m64 F3 0F E6 /r Convert Packed Doubleword Integers to Packed Double-Precision Floating-Point Values
CVTDQ2PS xmm1, xmm2/m128 0F 5B /r Convert Packed Doubleword Integers to Packed Single-Precision Floating-Point Values
CVTPD2DQ xmm1, xmm2/m128 F2 0F E6 /r Convert Packed Double-Precision Floating-Point Values to Packed Doubleword Integers
CVTPD2PI mm, xmm/m128 66 0F 2D /r Convert Packed Double-Precision FP Values to Packed Dword Integers
CVTPD2PS xmm1, xmm2/m128 66 0F 5A /r Convert Packed Double-Precision Floating-Point Values to Packed Single-Precision Floating-Point Values
CVTPI2PD xmm, mm/m64 66 0F 2A /r Convert Packed Dword Integers to Packed Double-Precision FP Values
CVTPS2DQ xmm1, xmm2/m128 66 0F 5B /r Convert Packed Single-Precision Floating-Point Values to Packed Signed Doubleword Integer Values
CVTPS2PD xmm1, xmm2/m64 0F 5A /r Convert Packed Single-Precision Floating-Point Values to Packed Double-Precision Floating-Point Values
CVTSD2SI r32, xmm1/m64 F2 0F 2D /r Convert Scalar Double-Precision Floating-Point Value to Doubleword Integer
CVTSD2SI r64, xmm1/m64 F2 REX.W 0F 2D /r Convert Scalar Double-Precision Floating-Point Value to Quadword Integer With Sign Extension
CVTSD2SS xmm1, xmm2/m64 F2 0F 5A /r Convert Scalar Double-Precision Floating-Point Value to Scalar Single-Precision Floating-Point Value
CVTSI2SD xmm1, r32/m32 F2 0F 2A /r Convert Doubleword Integer to Scalar Double-Precision Floating-Point Value
CVTSI2SD xmm1, r/m64 F2 REX.W 0F 2A /r Convert Quadword Integer to Scalar Double-Precision Floating-Point value
CVTSS2SD xmm1, xmm2/m32 F3 0F 5A /r Convert Scalar Single-Precision Floating-Point Value to Scalar Double-Precision Floating-Point Value
CVTTPD2DQ xmm1, xmm2/m128 66 0F E6 /r Convert with Truncation Packed Double-Precision Floating-Point Values to Packed Doubleword Integers
CVTTPD2PI mm, xmm/m128 66 0F 2C /r Convert with Truncation Packed Double-Precision FP Values to Packed Dword Integers
CVTTPS2DQ xmm1, xmm2/m128 F3 0F 5B /r Convert with Truncation Packed Single-Precision Floating-Point Values to Packed Signed Doubleword Integer Values
CVTTSD2SI r32, xmm1/m64 F2 0F 2C /r Convert with Truncation Scalar Double-Precision Floating-Point Value to Signed Dword Integer
CVTTSD2SI r64, xmm1/m64 F2 REX.W 0F 2C /r Convert with Truncation Scalar Double-Precision Floating-Point Value To Signed Qword Integer
  • CMPSD and MOVSD have the same name as the string instruction mnemonics CMPSD (CMPS) and MOVSD (MOVS); however, the former refer to scalar double-precision floating-points whereas the latter refer to doubleword strings. Assemblers disambiguate them based on the presence or absence of operands.

SSE2 SIMD integer instructions

SSE2 MMX-like instructions extended to SSE registers

SSE2 allows execution of MMX instructions on SSE registers, processing twice the amount of data at once.

Instruction Opcode Meaning
MOVD xmm, r/m32 66 0F 6E /r Move doubleword
MOVD r/m32, xmm 66 0F 7E /r Move doubleword
MOVQ xmm1, xmm2/m64 F3 0F 7E /r Move quadword
MOVQ xmm2/m64, xmm1 66 0F D6 /r Move quadword
MOVQ r/m64, xmm 66 REX.W 0F 7E /r Move quadword
MOVQ xmm, r/m64 66 REX.W 0F 6E /r Move quadword
PMOVMSKB reg, xmm 66 0F D7 /r Move a byte mask, zeroing the upper bits of the register
PEXTRW reg, xmm, imm8 66 0F C5 /r ib Extract specified word and move it to reg, setting bits 15-0 and zeroing the rest
PINSRW xmm, r32/m16, imm8 66 0F C4 /r ib Move low word at the specified word position
PACKSSDW xmm1, xmm2/m128 66 0F 6B /r Converts 4 packed signed doubleword integers into 8 packed signed word integers with saturation
PACKSSWB xmm1, xmm2/m128 66 0F 63 /r Converts 8 packed signed word integers into 16 packed signed byte integers with saturation
PACKUSWB xmm1, xmm2/m128 66 0F 67 /r Converts 8 signed word integers into 16 unsigned byte integers with saturation
PADDB xmm1, xmm2/m128 66 0F FC /r Add packed byte integers
PADDW xmm1, xmm2/m128 66 0F FD /r Add packed word integers
PADDD xmm1, xmm2/m128 66 0F FE /r Add packed doubleword integers
PADDQ xmm1, xmm2/m128 66 0F D4 /r Add packed quadword integers.
PADDSB xmm1, xmm2/m128 66 0F EC /r Add packed signed byte integers with saturation
PADDSW xmm1, xmm2/m128 66 0F ED /r Add packed signed word integers with saturation
PADDUSB xmm1, xmm2/m128 66 0F DC /r Add packed unsigned byte integers with saturation
PADDUSW xmm1, xmm2/m128 66 0F DD /r Add packed unsigned word integers with saturation
PAND xmm1, xmm2/m128 66 0F DB /r Bitwise AND
PANDN xmm1, xmm2/m128 66 0F DF /r Bitwise AND NOT
POR xmm1, xmm2/m128 66 0F EB /r Bitwise OR
PXOR xmm1, xmm2/m128 66 0F EF /r Bitwise XOR
PCMPEQB xmm1, xmm2/m128 66 0F 74 /r Compare packed bytes for equality.
PCMPEQW xmm1, xmm2/m128 66 0F 75 /r Compare packed words for equality.
PCMPEQD xmm1, xmm2/m128 66 0F 76 /r Compare packed doublewords for equality.
PCMPGTB xmm1, xmm2/m128 66 0F 64 /r Compare packed signed byte integers for greater than
PCMPGTW xmm1, xmm2/m128 66 0F 65 /r Compare packed signed word integers for greater than
PCMPGTD xmm1, xmm2/m128 66 0F 66 /r Compare packed signed doubleword integers for greater than
PMULLW xmm1, xmm2/m128 66 0F D5 /r Multiply packed signed word integers with saturation
PMULHW xmm1, xmm2/m128 66 0F E5 /r Multiply the packed signed word integers, store the high 16 bits of the results
PMULHUW xmm1, xmm2/m128 66 0F E4 /r Multiply packed unsigned word integers, store the high 16 bits of the results
PMULUDQ xmm1, xmm2/m128 66 0F F4 /r Multiply packed unsigned doubleword integers
PSLLW xmm1, xmm2/m128 66 0F F1 /r Shift words left while shifting in 0s
PSLLW xmm1, imm8 66 0F 71 /6 ib Shift words left while shifting in 0s
PSLLD xmm1, xmm2/m128 66 0F F2 /r Shift doublewords left while shifting in 0s
PSLLD xmm1, imm8 66 0F 72 /6 ib Shift doublewords left while shifting in 0s
PSLLQ xmm1, xmm2/m128 66 0F F3 /r Shift quadwords left while shifting in 0s
PSLLQ xmm1, imm8 66 0F 73 /6 ib Shift quadwords left while shifting in 0s
PSRAD xmm1, xmm2/m128 66 0F E2 /r Shift doubleword right while shifting in sign bits
PSRAD xmm1, imm8 66 0F 72 /4 ib Shift doublewords right while shifting in sign bits
PSRAW xmm1, xmm2/m128 66 0F E1 /r Shift words right while shifting in sign bits
PSRAW xmm1, imm8 66 0F 71 /4 ib Shift words right while shifting in sign bits
PSRLW xmm1, xmm2/m128 66 0F D1 /r Shift words right while shifting in 0s
PSRLW xmm1, imm8 66 0F 71 /2 ib Shift words right while shifting in 0s
PSRLD xmm1, xmm2/m128 66 0F D2 /r Shift doublewords right while shifting in 0s
PSRLD xmm1, imm8 66 0F 72 /2 ib Shift doublewords right while shifting in 0s
PSRLQ xmm1, xmm2/m128 66 0F D3 /r Shift quadwords right while shifting in 0s
PSRLQ xmm1, imm8 66 0F 73 /2 ib Shift quadwords right while shifting in 0s
PSUBB xmm1, xmm2/m128 66 0F F8 /r Subtract packed byte integers
PSUBW xmm1, xmm2/m128 66 0F F9 /r Subtract packed word integers
PSUBD xmm1, xmm2/m128 66 0F FA /r Subtract packed doubleword integers
PSUBQ xmm1, xmm2/m128 66 0F FB /r Subtract packed quadword integers.
PSUBSB xmm1, xmm2/m128 66 0F E8 /r Subtract packed signed byte integers with saturation
PSUBSW xmm1, xmm2/m128 66 0F E9 /r Subtract packed signed word integers with saturation
PMADDWD xmm1, xmm2/m128 66 0F F5 /r Multiply the packed word integers, add adjacent doubleword results
PSUBUSB xmm1, xmm2/m128 66 0F D8 /r Subtract packed unsigned byte integers with saturation
PSUBUSW xmm1, xmm2/m128 66 0F D9 /r Subtract packed unsigned word integers with saturation
PUNPCKHBW xmm1, xmm2/m128 66 0F 68 /r Unpack and interleave high-order bytes
PUNPCKHWD xmm1, xmm2/m128 66 0F 69 /r Unpack and interleave high-order words
PUNPCKHDQ xmm1, xmm2/m128 66 0F 6A /r Unpack and interleave high-order doublewords
PUNPCKLBW xmm1, xmm2/m128 66 0F 60 /r Interleave low-order bytes
PUNPCKLWD xmm1, xmm2/m128 66 0F 61 /r Interleave low-order words
PUNPCKLDQ xmm1, xmm2/m128 66 0F 62 /r Interleave low-order doublewords
PAVGB xmm1, xmm2/m128 66 0F E0, /r Average packed unsigned byte integers with rounding
PAVGW xmm1, xmm2/m128 66 0F E3 /r Average packed unsigned word integers with rounding
PMINUB xmm1, xmm2/m128 66 0F DA /r Compare packed unsigned byte integers and store packed minimum values
PMINSW xmm1, xmm2/m128 66 0F EA /r Compare packed signed word integers and store packed minimum values
PMAXSW xmm1, xmm2/m128 66 0F EE /r Compare packed signed word integers and store maximum packed values
PMAXUB xmm1, xmm2/m128 66 0F DE /r Compare packed unsigned byte integers and store packed maximum values
PSADBW xmm1, xmm2/m128 66 0F F6 /r Computes the absolute differences of the packed unsigned byte integers; the 8 low differences and 8 high differences are then summed separately to produce two unsigned word integer results
SSE2 integer instructions for SSE registers only

The following instructions can be used only on SSE registers, since by their nature they do not work on MMX registers

Instruction Opcode Meaning
MASKMOVDQU xmm1, xmm2 66 0F F7 /r Non-Temporal Store of Selected Bytes from an XMM Register into Memory
MOVDQ2Q mm, xmm F2 0F D6 /r Move low quadword from XMM to MMX register.
MOVDQA xmm1, xmm2/m128 66 0F 6F /r Move aligned double quadword
MOVDQA xmm2/m128, xmm1 66 0F 7F /r Move aligned double quadword
MOVDQU xmm1, xmm2/m128 F3 0F 6F /r Move unaligned double quadword
MOVDQU xmm2/m128, xmm1 F3 0F 7F /r Move unaligned double quadword
MOVQ2DQ xmm, mm F3 0F D6 /r Move quadword from MMX register to low quadword of XMM register
MOVNTDQ m128, xmm1 66 0F E7 /r Store Packed Integers Using Non-Temporal Hint
PSHUFHW xmm1, xmm2/m128, imm8 F3 0F 70 /r ib Shuffle packed high words.
PSHUFLW xmm1, xmm2/m128, imm8 F2 0F 70 /r ib Shuffle packed low words.
PSHUFD xmm1, xmm2/m128, imm8 66 0F 70 /r ib Shuffle packed doublewords.
PSLLDQ xmm1, imm8 66 0F 73 /7 ib Packed shift left logical double quadwords.
PSRLDQ xmm1, imm8 66 0F 73 /3 ib Packed shift right logical double quadwords.
PUNPCKHQDQ xmm1, xmm2/m128 66 0F 6D /r Unpack and interleave high-order quadwords,
PUNPCKLQDQ xmm1, xmm2/m128 66 0F 6C /r Interleave low quadwords,

SSE3 instructions

Added with Pentium 4 supporting SSE3

SSE3 SIMD floating-point instructions

Instruction Opcode Meaning Notes
ADDSUBPS xmm1, xmm2/m128 F2 0F D0 /r Add/subtract single-precision floating-point values for Complex Arithmetic
ADDSUBPD xmm1, xmm2/m128 66 0F D0 /r Add/subtract double-precision floating-point values
MOVDDUP xmm1, xmm2/m64 F2 0F 12 /r Move double-precision floating-point value and duplicate
MOVSLDUP xmm1, xmm2/m128 F3 0F 12 /r Move and duplicate even index single-precision floating-point values
MOVSHDUP xmm1, xmm2/m128 F3 0F 16 /r Move and duplicate odd index single-precision floating-point values
HADDPS xmm1, xmm2/m128 F2 0F 7C /r Horizontal add packed single-precision floating-point values for Graphics
HADDPD xmm1, xmm2/m128 66 0F 7C /r Horizontal add packed double-precision floating-point values
HSUBPS xmm1, xmm2/m128 F2 0F 7D /r Horizontal subtract packed single-precision floating-point values
HSUBPD xmm1, xmm2/m128 66 0F 7D /r Horizontal subtract packed double-precision floating-point values

SSE3 SIMD integer instructions

Instruction Opcode Meaning Notes
LDDQU xmm1, mem F2 0F F0 /r Load unaligned data and return double quadword Instructionally equivalent to MOVDQU. For video encoding

SSSE3 instructions

Added with Xeon 5100 series and initial Core 2

The following MMX-like instructions extended to SSE registers were added with SSSE3

Instruction Opcode Meaning
PSIGNB xmm1, xmm2/m128 66 0F 38 08 /r Negate/zero/preserve packed byte integers depending on corresponding sign
PSIGNW xmm1, xmm2/m128 66 0F 38 09 /r Negate/zero/preserve packed word integers depending on corresponding sign
PSIGND xmm1, xmm2/m128 66 0F 38 0A /r Negate/zero/preserve packed doubleword integers depending on corresponding
PSHUFB xmm1, xmm2/m128 66 0F 38 00 /r Shuffle bytes
PMULHRSW xmm1, xmm2/m128 66 0F 38 0B /r Multiply 16-bit signed words, scale and round signed doublewords, pack high 16 bits
PMADDUBSW xmm1, xmm2/m128 66 0F 38 04 /r Multiply signed and unsigned bytes, add horizontal pair of signed words, pack saturated signed-words
PHSUBW xmm1, xmm2/m128 66 0F 38 05 /r Subtract and pack 16-bit signed integers horizontally
PHSUBSW xmm1, xmm2/m128 66 0F 38 07 /r Subtract and pack 16-bit signed integer horizontally with saturation
PHSUBD xmm1, xmm2/m128 66 0F 38 06 /r Subtract and pack 32-bit signed integers horizontally
PHADDSW xmm1, xmm2/m128 66 0F 38 03 /r Add and pack 16-bit signed integers horizontally with saturation
PHADDW xmm1, xmm2/m128 66 0F 38 01 /r Add and pack 16-bit integers horizontally
PHADDD xmm1, xmm2/m128 66 0F 38 02 /r Add and pack 32-bit integers horizontally
PALIGNR xmm1, xmm2/m128, imm8 66 0F 3A 0F /r ib Concatenate destination and source operands, extract byte-aligned result shifted to the right
PABSB xmm1, xmm2/m128 66 0F 38 1C /r Compute the absolute value of bytes and store unsigned result
PABSW xmm1, xmm2/m128 66 0F 38 1D /r Compute the absolute value of 16-bit integers and store unsigned result
PABSD xmm1, xmm2/m128 66 0F 38 1E /r Compute the absolute value of 32-bit integers and store unsigned result

SSE4 instructions

SSE4.1

Added with Core 2 manufactured in 45nm

SSE4.1 SIMD floating-point instructions
Instruction Opcode Meaning
DPPS xmm1, xmm2/m128, imm8 66 0F 3A 40 /r ib Selectively multiply packed SP floating-point values, add and selectively store
DPPD xmm1, xmm2/m128, imm8 66 0F 3A 41 /r ib Selectively multiply packed DP floating-point values, add and selectively store
BLENDPS xmm1, xmm2/m128, imm8 66 0F 3A 0C /r ib Select packed single precision floating-point values from specified mask
BLENDVPS xmm1, xmm2/m128, <XMM0> 66 0F 38 14 /r Select packed single precision floating-point values from specified mask
BLENDPD xmm1, xmm2/m128, imm8 66 0F 3A 0D /r ib Select packed DP-FP values from specified mask
BLENDVPD xmm1, xmm2/m128, <XMM0> 66 0F 38 15 /r Select packed DP FP values from specified mask
ROUNDPS xmm1, xmm2/m128, imm8 66 0F 3A 08 /r ib Round packed single precision floating-point values
ROUNDSS xmm1, xmm2/m32, imm8 66 0F 3A 0A /r ib Round the low packed single precision floating-point value
ROUNDPD xmm1, xmm2/m128, imm8 66 0F 3A 09 /r ib Round packed double precision floating-point values
ROUNDSD xmm1, xmm2/m64, imm8 66 0F 3A 0B /r ib Round the low packed double precision floating-point value
INSERTPS xmm1, xmm2/m32, imm8 66 0F 3A 21 /r ib Insert a selected single-precision floating-point value at the specified destination element and zero out destination elements
EXTRACTPS reg/m32, xmm1, imm8 66 0F 3A 17 /r ib Extract one single-precision floating-point value at specified offset and store the result (zero-extended, if applicable)
SSE4.1 SIMD integer instructions
Instruction Opcode Meaning
MPSADBW xmm1, xmm2/m128, imm8 66 0F 3A 42 /r ib Sums absolute 8-bit integer difference of adjacent groups of 4 byte integers with starting offset
PHMINPOSUW xmm1, xmm2/m128 66 0F 38 41 /r Find the minimum unsigned word
PMULLD xmm1, xmm2/m128 66 0F 38 40 /r Multiply the packed dword signed integers and store the low 32 bits
PMULDQ xmm1, xmm2/m128 66 0F 38 28 /r Multiply packed signed doubleword integers and store quadword result
PBLENDVB xmm1, xmm2/m128, <XMM0> 66 0F 38 10 /r Select byte values from specified mask
PBLENDW xmm1, xmm2/m128, imm8 66 0F 3A 0E /r ib Select words from specified mask
PMINSB xmm1, xmm2/m128 66 0F 38 38 /r Compare packed signed byte integers
PMINUW xmm1, xmm2/m128 66 0F 38 3A/r Compare packed unsigned word integers
PMINSD xmm1, xmm2/m128 66 0F 38 39 /r Compare packed signed dword integers
PMINUD xmm1, xmm2/m128 66 0F 38 3B /r Compare packed unsigned dword integers
PMAXSB xmm1, xmm2/m128 66 0F 38 3C /r Compare packed signed byte integers
PMAXUW xmm1, xmm2/m128 66 0F 38 3E/r Compare packed unsigned word integers
PMAXSD xmm1, xmm2/m128 66 0F 38 3D /r Compare packed signed dword integers
PMAXUD xmm1, xmm2/m128 66 0F 38 3F /r Compare packed unsigned dword integers
PINSRB xmm1, r32/m8, imm8 66 0F 3A 20 /r ib Insert a byte integer value at specified destination element
PINSRD xmm1, r/m32, imm8 66 0F 3A 22 /r ib Insert a dword integer value at specified destination element
PINSRQ xmm1, r/m64, imm8 66 REX.W 0F 3A 22 /r ib Insert a qword integer value at specified destination element
PEXTRB reg/m8, xmm2, imm8 66 0F 3A 14 /r ib Extract a byte integer value at source byte offset, upper bits are zeroed.
PEXTRW reg/m16, xmm, imm8 66 0F 3A 15 /r ib Extract word and copy to lowest 16 bits, zero-extended
PEXTRD r/m32, xmm2, imm8 66 0F 3A 16 /r ib Extract a dword integer value at source dword offset
PEXTRQ r/m64, xmm2, imm8 66 REX.W 0F 3A 16 /r ib Extract a qword integer value at source qword offset
PMOVSXBW xmm1, xmm2/m64 66 0f 38 20 /r Sign extend 8 packed 8-bit integers to 8 packed 16-bit integers
PMOVZXBW xmm1, xmm2/m64 66 0f 38 30 /r Zero extend 8 packed 8-bit integers to 8 packed 16-bit integers
PMOVSXBD xmm1, xmm2/m32 66 0f 38 21 /r Sign extend 4 packed 8-bit integers to 4 packed 32-bit integers
PMOVZXBD xmm1, xmm2/m32 66 0f 38 31 /r Zero extend 4 packed 8-bit integers to 4 packed 32-bit integers
PMOVSXBQ xmm1, xmm2/m16 66 0f 38 22 /r Sign extend 2 packed 8-bit integers to 2 packed 64-bit integers
PMOVZXBQ xmm1, xmm2/m16 66 0f 38 32 /r Zero extend 2 packed 8-bit integers to 2 packed 64-bit integers
PMOVSXWD xmm1, xmm2/m64 66 0f 38 23/r Sign extend 4 packed 16-bit integers to 4 packed 32-bit integers
PMOVZXWD xmm1, xmm2/m64 66 0f 38 33 /r Zero extend 4 packed 16-bit integers to 4 packed 32-bit integers
PMOVSXWQ xmm1, xmm2/m32 66 0f 38 24 /r Sign extend 2 packed 16-bit integers to 2 packed 64-bit integers
PMOVZXWQ xmm1, xmm2/m32 66 0f 38 34 /r Zero extend 2 packed 16-bit integers to 2 packed 64-bit integers
PMOVSXDQ xmm1, xmm2/m64 66 0f 38 25 /r Sign extend 2 packed 32-bit integers to 2 packed 64-bit integers
PMOVZXDQ xmm1, xmm2/m64 66 0f 38 35 /r Zero extend 2 packed 32-bit integers to 2 packed 64-bit integers
PTEST xmm1, xmm2/m128 66 0F 38 17 /r Set ZF if AND result is all 0s, set CF if AND NOT result is all 0s
PCMPEQQ xmm1, xmm2/m128 66 0F 38 29 /r Compare packed qwords for equality
PACKUSDW xmm1, xmm2/m128 66 0F 38 2B /r Convert 2 × 4 packed signed doubleword integers into 8 packed unsigned word integers with saturation
MOVNTDQA xmm1, m128 66 0F 38 2A /r Move double quadword using non-temporal hint if WC memory type

SSE4a

Added with Phenom processors

Instruction Opcode Meaning
EXTRQ 66 0F 78 /0 ib ib Extract Field From Register
66 0F 79 /r
INSERTQ F2 0F 78 /r ib ib Insert Field
F2 0F 79 /r
MOVNTSD F2 0F 2B /r Move Non-Temporal Scalar Double-Precision Floating-Point
MOVNTSS F3 0F 2B /r Move Non-Temporal Scalar Single-Precision Floating-Point

SSE4.2

Added with Nehalem processors

Instruction Opcode Meaning
PCMPESTRI xmm1, xmm2/m128, imm8 66 0F 3A 61 /r imm8 Packed comparison of string data with explicit lengths, generating an index
PCMPESTRM xmm1, xmm2/m128, imm8 66 0F 3A 60 /r imm8 Packed comparison of string data with explicit lengths, generating a mask
PCMPISTRI xmm1, xmm2/m128, imm8 66 0F 3A 63 /r imm8 Packed comparison of string data with implicit lengths, generating an index
PCMPISTRM xmm1, xmm2/m128, imm8 66 0F 3A 62 /r imm8 Packed comparison of string data with implicit lengths, generating a mask
PCMPGTQ xmm1,xmm2/m128 66 0F 38 37 /r Compare packed signed qwords for greater than.

F16C

Half-precision floating-point conversion.

Instruction Meaning
VCVTPH2PS xmmreg,xmmrm64 Convert four half-precision floating point values in memory or the bottom half of an XMM register to four single-precision floating-point values in an XMM register
VCVTPH2PS ymmreg,xmmrm128 Convert eight half-precision floating point values in memory or an XMM register (the bottom half of a YMM register) to eight single-precision floating-point values in a YMM register
VCVTPS2PH xmmrm64,xmmreg,imm8 Convert four single-precision floating point values in an XMM register to half-precision floating-point values in memory or the bottom half an XMM register
VCVTPS2PH xmmrm128,ymmreg,imm8 Convert eight single-precision floating point values in a YMM register to half-precision floating-point values in memory or an XMM register

AVX

AVX were first supported by Intel with Sandy Bridge and by AMD with Bulldozer.

Vector operations on 256 bit registers.

Instruction Description
VBROADCASTSS Copy a 32-bit, 64-bit or 128-bit memory operand to all elements of a XMM or YMM vector register.
VBROADCASTSD
VBROADCASTF128
VINSERTF128 Replaces either the lower half or the upper half of a 256-bit YMM register with the value of a 128-bit source operand. The other half of the destination is unchanged.
VEXTRACTF128 Extracts either the lower half or the upper half of a 256-bit YMM register and copies the value to a 128-bit destination operand.
VMASKMOVPS Conditionally reads any number of elements from a SIMD vector memory operand into a destination register, leaving the remaining vector elements unread and setting the corresponding elements in the destination register to zero. Alternatively, conditionally writes any number of elements from a SIMD vector register operand to a vector memory operand, leaving the remaining elements of the memory operand unchanged. On the AMD Jaguar processor architecture, this instruction with a memory source operand takes more than 300 clock cycles when the mask is zero, in which case the instruction should do nothing. This appears to be a design flaw.
VMASKMOVPD
VPERMILPS Permute In-Lane. Shuffle the 32-bit or 64-bit vector elements of one input operand. These are in-lane 256-bit instructions, meaning that they operate on all 256 bits with two separate 128-bit shuffles, so they can not shuffle across the 128-bit lanes.
VPERMILPD
VPERM2F128 Shuffle the four 128-bit vector elements of two 256-bit source operands into a 256-bit destination operand, with an immediate constant as selector.
VZEROALL Set all YMM registers to zero and tag them as unused. Used when switching between 128-bit use and 256-bit use.
VZEROUPPER Set the upper half of all YMM registers to zero. Used when switching between 128-bit use and 256-bit use.

AVX2

Introduced in Intel's Haswell microarchitecture and AMD's Excavator.

Expansion of most vector integer SSE and AVX instructions to 256 bits

Instruction Description
VBROADCASTSS Copy a 32-bit or 64-bit register operand to all elements of a XMM or YMM vector register. These are register versions of the same instructions in AVX1. There is no 128-bit version however, but the same effect can be simply achieved using VINSERTF128.
VBROADCASTSD
VPBROADCASTB Copy an 8, 16, 32 or 64-bit integer register or memory operand to all elements of a XMM or YMM vector register.
VPBROADCASTW
VPBROADCASTD
VPBROADCASTQ
VBROADCASTI128 Copy a 128-bit memory operand to all elements of a YMM vector register.
VINSERTI128 Replaces either the lower half or the upper half of a 256-bit YMM register with the value of a 128-bit source operand. The other half of the destination is unchanged.
VEXTRACTI128 Extracts either the lower half or the upper half of a 256-bit YMM register and copies the value to a 128-bit destination operand.
VGATHERDPD Gathers single or double precision floating point values using either 32 or 64-bit indices and scale.
VGATHERQPD
VGATHERDPS
VGATHERQPS
VPGATHERDD Gathers 32 or 64-bit integer values using either 32 or 64-bit indices and scale.
VPGATHERDQ
VPGATHERQD
VPGATHERQQ
VPMASKMOVD Conditionally reads any number of elements from a SIMD vector memory operand into a destination register, leaving the remaining vector elements unread and setting the corresponding elements in the destination register to zero. Alternatively, conditionally writes any number of elements from a SIMD vector register operand to a vector memory operand, leaving the remaining elements of the memory operand unchanged.
VPMASKMOVQ
VPERMPS Shuffle the eight 32-bit vector elements of one 256-bit source operand into a 256-bit destination operand, with a register or memory operand as selector.
VPERMD
VPERMPD Shuffle the four 64-bit vector elements of one 256-bit source operand into a 256-bit destination operand, with a register or memory operand as selector.
VPERMQ
VPERM2I128 Shuffle (two of) the four 128-bit vector elements of two 256-bit source operands into a 256-bit destination operand, with an immediate constant as selector.
VPBLENDD Doubleword immediate version of the PBLEND instructions from SSE4.
VPSLLVD Shift left logical. Allows variable shifts where each element is shifted according to the packed input.
VPSLLVQ
VPSRLVD Shift right logical. Allows variable shifts where each element is shifted according to the packed input.
VPSRLVQ
VPSRAVD Shift right arithmetically. Allows variable shifts where each element is shifted according to the packed input.

FMA3 and FMA4 instructions

Floating-point fused multiply-add instructions are introduced in x86 as two instruction set extensions, "FMA3" and "FMA4", both of which build on top of AVX to provide a set of scalar/vector instructions using the xmm/ymm/zmm vector registers. FMA3 defines a set of 3-operand fused-multiply-add instructions that take three input operands and writes its result back to the first of them. FMA4 defines a set of 4-operand fused-multiply-add instructions that take four input operands – a destination operand and three source operands.

FMA3 is supported on Intel CPUs starting with Haswell, on AMD CPUs starting with Piledriver, and on Zhaoxin CPUs starting with YongFeng. FMA4 was only supported on AMD Family 15h (Bulldozer) CPUs and has been abandoned from AMD Zen onwards. The FMA3/FMA4 extensions are not considered to be an intrinsic part of AVX or AVX2, although all Intel and AMD (but not Zhaoxin) processors that support AVX2 also support FMA3. FMA3 instructions (in EVEX-encoded form) are, however, AVX-512 foundation instructions.
The FMA3 and FMA4 instruction sets both define a set of 10 fused-multiply-add operations, all available in FP32 and FP64 variants. For each of these variants, FMA3 defines three operand orderings while FMA4 defines two.
FMA3 encoding
FMA3 instructions are encoded with the VEX or EVEX prefixes – on the form VEX.66.0F38 xy /r or EVEX.66.0F38 xy /r. The VEX.W/EVEX.W bit selects floating-point format (W=0 means FP32, W=1 means FP64). The opcode byte xy consists of two nibbles, where the top nibble x selects operand ordering (9='132', A='213', B='231') and the bottom nibble y (values 6..F) selects which one of the 10 fused-multiply-add operations to perform. (x and y outside the given ranges will result in something that is not an FMA3 instruction.)
At the assembly language level, the operand ordering is specified in the mnemonic of the instruction:

  • vfmadd132sd xmm1,xmm2,xmm3 will perform xmm1 ← (xmm1*xmm3)+xmm2
  • vfmadd213sd xmm1,xmm2,xmm3 will perform xmm1 ← (xmm2*xmm1)+xmm3
  • vfmadd231sd xmm1,xmm2,xmm3 will perform xmm1 ← (xmm2*xmm3)+xmm1

For all FMA3 variants, the first two arguments must be xmm/ymm/zmm vector register arguments, while the last argument may be either a vector register or memory argument. Under AVX-512, the EVEX-encoded variants support EVEX-prefix-encoded broadcast, opmasks and rounding-controls.
The AVX512-FP16 extension, introduced in Sapphire Rapids, adds FP16 variants of the FMA3 instructions – these all take the form EVEX.66.MAP6.W0 xy /r with the opcode byte working in the same way as for the FP32/FP64 variants. (For the FMA4 instructions, no FP16 variants are defined.)
FMA4 encoding
FMA4 instructions are encoded with the VEX prefix, on the form VEX.66.0F3A xx /r ib (no EVEX encodings are defined). The opcode byte xx uses its bottom bit to select floating-point format (0=FP32, 1=FP64) and the remaining bits to select one of the 10 fused-multiply-add operations to perform.

For FMA4, operand ordering is controlled by the VEX.W bit. If VEX.W=0, then the third operand is the r/m operand specified by the instruction's ModR/M byte and the fourth operand is a register operand, specified by bits 7:4 of the ib (8-bit immediate) part of the instruction. If VEX.W=1, then these two operands are swapped. For example:

  • vfmaddsd xmm1,xmm2,,xmm3 will perform xmm1 ← (xmm2*)+xmm3 and require a W=0 encoding.
  • vfmaddsd xmm1,xmm2,xmm3, will perform xmm1 ← (xmm2*xmm3)+ and require a W=1 encoding.
  • vfmaddsd xmm1,xmm2,xmm3,xmm4 will perform xmm1 ← (xmm2*xmm3)+xmm4 and can be encoded with either W=0 or W=1.


Opcode table
The 10 fused-multiply-add operations and the 110 instruction variants they give rise to are given by the following table – with FMA4 instructions highlighted with * and yellow cell coloring, and FMA3 instructions not highlighted:

Basic operation Opcode byte FP32 instructions FP64 instructions FP16 instructions
Packed alternating multiply-add/subtract
  • (A*B)-C in even-numbered lanes
  • (A*B)+C in odd-numbered lanes
96 VFMADDSUB132PS VFMADDSUB132PD VFMADDSUB132PH
A6 VFMADDSUB213PS VFMADDSUB213PD VFMADDSUB213PH
B6 VFMADDSUB231PS VFMADDSUB231PD VFMADDSUB231PH
5C/5D* VFMADDSUBPS* VFMADDSUBPD*
Packed alternating multiply-subtract/add
  • (A*B)+C in even-numbered lanes
  • (A*B)-C in odd-numbered lanes
97 VFMSUBADD132PS VFMSUBADD132PD VFMSUBADD132PH
A7 VFMSUBADD213PS VFMSUBADD213PD VFMSUBADD213PH
B7 VFMSUBADD231PS VFMSUBADD231PD VFMSUBADD231PH
5E/5F* VFMSUBADDPS* VFMSUBADDPD*
Packed multiply-add
(A*B)+C
98 VFMADD132PS VFMADD132PD VFMADD132PH
A8 VFMADD213PS VFMADD213PD VFMADD213PH
B8 VFMADD231PS VFMADD231PD VFMADD231PH
68/69* VFMADDPS* VFMADDPD*
Scalar multiply-add
(A*B)+C
99 VFMADD132SS VFMADD132SD VFMADD132SH
A9 VFMADD213SS VFMADD213SD VFMADD213SH
B9 VFMADD231SS VFMADD231SD VFMADD231SH
6A/6B* VFMADDSS* VFMADDSD*
Packed multiply-subtract
(A*B)-C
9A VFMSUB132PS VFMSUB132PD VFMSUB132PH
AA VFMSUB213PS VFMSUB213PD VFMSUB213PH
BA VFMSUB231PS VFMSUB231PD VFMSUB231PH
6C/6D* VFMSUBPS* VFMSUBPD*
Scalar multiply-subtract
(A*B)-C
9B VFMSUB132SS VFMSUB132SD VFMSUB132SH
AB VFMSUB213SS VFMSUB213SD VFMSUB213SH
BB VFMSUB231SS VFMSUB231SD VFMSUB231SH
6E/6F* VFMSUBSS* VFMSUBSD*
Packed negative-multiply-add
(-A*B)+C
9C VFNMADD132PS VFNMADD132PD VFNMADD132PH
AC VFNMADD213PS VFNMADD213PD VFNMADD213PH
BC VFNMADD231PS VFNMADD231PD VFNMADD231PH
78/79* VFMADDPS* VFMADDPD*
Scalar negative-multiply-add
(-A*B)+C
9D VFMADD132SS VFMADD132SD VFMADD132SH
AD VFMADD213SS VFMADD213SD VFMADD213SH
BD VFMADD231SS VFMADD231SD VFMADD231SH
7A/7B* VFMADDSS* VFMADDSD*
Packed negative-multiply-subtract
(-A*B)-C
9E VFNMSUB132PS VFNMSUB132PD VFNMSUB132PH
AE VFNMSUB213PS VFNMSUB213PD VFNMSUB213PH
BE VFNMSUB231PS VFNMSUB231PD VFNMSUB231PH
7C/7D* VFNMSUBPS* VFNMSUBPD*
Scalar negative-multiply-subtract
(-A*B)-C
9F VFNMSUB132SS VFNMSUB132SD VFNMSUB132SH
AF VFNMSUB213SS VFNMSUB213SD VFNMSUB213SH
BF VFNMSUB231SS VFNMSUB231SD VFNMSUB231SH
7E/7F* VFNMSUBSS* VFNMSUBSD*
  1. ^ Vector register lanes are counted from 0 upwards in a little-endian manner – the lane that contains the first byte of the vector is considered to be even-numbered.

AVX-512

AVX-512, introduced in 2014, adds 512-bit wide vector registers (extending the 256-bit registers, which become the new registers' lower halves) and doubles their count to 32; the new registers are thus named zmm0 through zmm31. It adds eight mask registers, named k0 through k7, which may be used to restrict operations to specific parts of a vector register. Unlike previous instruction set extensions, AVX-512 is implemented in several groups; only the foundation ("AVX-512F") extension is mandatory. Most of the added instructions may also be used with the 256- and 128-bit registers.

AMX

Intel AMX adds eight new tile-registers, tmm0-tmm7, each holding a matrix, with a maximum capacity of 16 rows of 64 bytes per tile-register. It also adds a TILECFG register to configure the sizes of the actual matrices held in each of the eight tile-registers, and a set of instructions to perform matrix multiplications on these registers.

AMX subset Instruction mnemonics Opcode Instruction description Added in
AMX-TILE
AMX control and tile management.
LDTILECFG m512 VEX.128.NP.0F38.W0 49 /0 Load AMX tile configuration data structure from memory as a 64-byte data structure. Sapphire Rapids
STTILECFG m512 VEX.128.66.0F38 W0 49 /0 Store AMX tile configuration data structure to memory.
TILERELEASE VEX.128.NP.0F38.W0 49 C0 Initialize TILECFG and tile data registers (tmm0 to tmm7) to the INIT state (all-zeroes).
TILEZERO tmm VEX.128.F2.0F38.W0 49 /r Zero out contents of one tile register.
TILELOADD tmm, sibmem VEX.128.F2.0F38.W0 4B /r Load a data tile from memory into AMX tile register.
TILELOADDT1 tmm, sibmem VEX.128.66.0F38.W0 4B /r Load a data tile from memory into AMX tile register, with a hint that data should not be kept in the nearest cache levels.
TILESTORED mem, sibtmm VEX.128.F3.0F38.W0 4B /r Store a data tile to memory from AMX tile register.
AMX-INT8
Matrix multiplication of tiles, with source data interpreted as 8-bit integers and destination data accumulated as 32-bit integers.
TDPBSSD tmm1,tmm2,tmm3 VEX.128.F2.0F38.W0 5E /r Matrix multiply signed bytes from tmm2 with signed bytes from tmm3, accumulating result in tmm1.
TDPBSUD tmm1,tmm2,tmm3 VEX.128.F3.0F38.W0 5E /r Matrix multiply signed bytes from tmm2 with unsigned bytes from tmm3, accumulating result in tmm1.
TDPBUSD tmm1,tmm2,tmm3 VEX.128.66.0F38.W0 5E /r Matrix multiply unsigned bytes from tmm2 with signed bytes from tmm3, accumulating result in tmm1.
TDPBUUD tmm1,tmm2,tmm3 VEX.128.NP.0F38.W0 5E /r Matrix multiply unsigned bytes from tmm2 with unsigned bytes from tmm3, accumulating result in tmm1.
AMX-BF16
Matrix multiplication of tiles, with source data interpreted as bfloat16 values, and destination data accumulated as FP32 floating-point values.
TDPBF16PS tmm1,tmm2,tmm3 VEX.128.F3.0F38.W0 5C /r Matrix multiply BF16 values from tmm2 with BF16 values from tmm3, accumulating result in tmm1.
AMX-FP16
Matrix multiplication of tiles, with source data interpreted as FP16 values, and destination data accumulated as FP32 floating-point values.
TDPFP16PS tmm1,tmm2,tmm3 VEX.128.F2.0F38.W0 5C /r Matrix multiply FP16 values from tmm2 with FP16 values from tmm3, accumulating result in tmm1. (Granite Rapids)
AMX-COMPLEX
Matrix multiplication of tiles, with source data interpreted as complex numbers represented as pairs of FP16 values, and destination data accumulated as FP32 floating-point values.
TCMMRLFP16PS tmm1,tmm2,tmm3 VEX.128.NP.0F38.W0 6C /r Matrix multiply complex numbers from tmm2 with complex numbers from tmm3, accumulating real part of result in tmm1. (Granite Rapids D)
TCMMILFP16PS tmm1,tmm2,tmm3 VEX.128.66.0F38.W0 6C /r Matrix multiply complex numbers from tmm2 with complex numbers from tmm3, accumulating imaginary part of result in tmm1.
  1. ^ For TILEZERO, the tile-register to clear is specified by bits 5:3 of the instruction's ModR/M byte. Bits 7:6 must be set to 11b, and bits 2:0 must be set to 000b.
  2. ^ a b c For the TILELOADD, TILELOADDT1 and TILESTORED instructions, the memory argument must use a memory addressing mode with the SIB-byte. Under this addressing mode, the base register and displacement are used to specify the starting address for the first row of the tile to load/store from/to memory – the scale and index are used to specify a per-row stride.
    These instructions are all interruptible – an interrupt or memory exception taken in the middle of these instructions will cause progress tracking information to be written to TILECFG.start_row, so that the instruction may continue on a partially-loaded/stored tile after the interruption.
  3. ^ a b c d e f g h For all of the AMX matrix multiply instructions, the three arguments are required to be three different tile registers, or else the instruction will #UD.

Cryptographic instructions

Intel AES instructions

6 new instructions.

Instruction Encoding Description
AESENC xmm1,xmm2/m128 66 0F 38 DC /r Perform one round of an AES encryption flow
AESENCLAST xmm1,xmm2/m128 66 0F 38 DD /r Perform the last round of an AES encryption flow
AESDEC xmm1,xmm2/m128 66 0F 38 DE /r Perform one round of an AES decryption flow
AESDECLAST xmm1,xmm2/m128 66 0F 38 DF /r Perform the last round of an AES decryption flow
AESKEYGENASSIST xmm1,xmm2/m128,imm8 66 0F 3A DF /r ib Assist in AES round key generation
AESIMC xmm1,xmm2/m128 66 0F 38 DB /r Assist in AES Inverse Mix Columns

CLMUL instructions

Instruction Opcode Description
PCLMULQDQ xmm1,xmm2,imm8 66 0F 3A 44 /r ib Perform a carry-less multiplication of two 64-bit polynomials over the finite field GF(2k).
PCLMULLQLQDQ xmm1,xmm2/m128 66 0F 3A 44 /r 00 Multiply the low halves of the two 128-bit operands.
PCLMULHQLQDQ xmm1,xmm2/m128 66 0F 3A 44 /r 01 Multiply the high half of the destination register by the low half of the source operand.
PCLMULLQHQDQ xmm1,xmm2/m128 66 0F 3A 44 /r 10 Multiply the low half of the destination register by the high half of the source operand.
PCLMULHQHQDQ xmm1,xmm2/m128 66 0F 3A 44 /r 11 Multiply the high halves of the two 128-bit operands.

RDRAND and RDSEED

Instruction Encoding Description Added in
RDRAND r16
RDRAND r32
NFx 0F C7 /6 Return a random number that has been generated with a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) compliant with NIST SP 800-90A. Ivy Bridge,
Excavator,
Puma,
ZhangJiang,
Knights Landing,
Gracemont
RDRAND r64 NFx REX.W 0F C7 /6
RDSEED r16
RDSEED r32
NFx 0F C7 /7 Return a random number that has been generated with a HRNG/TRNG (Hardware/"True" Random Number Generator) compliant with NIST SP 800-90B and C. Broadwell,
ZhangJiang,
Knights Landing,
Zen 1,
Gracemont
RDSEED r64 NFx REX.W 0F C7 /7
  1. ^ a b The RDRAND and RDSEED instructions may fail to obtain and return a random number if the CPU's random number generators cannot keep up with the issuing of these instructions – if this happens, then software may retry the instructions (although the number of retries should be limited, in order to ensure forward progress). The instructions set EFLAGS.CF to 1 if a random number was successfully obtained and 0 otherwise. Failure to obtain a random number will also set the instruction's destination register to 0.

Intel SHA instructions

7 new instructions.

Instruction Encoding Description
SHA1RNDS4 xmm1,xmm2/m128,imm8 NP 0F 3A CC /r ib Perform Four Rounds of SHA1 Operation
SHA1NEXTE xmm1,xmm2/m128 NP 0F 38 C8 /r Calculate SHA1 State Variable E after Four Rounds
SHA1MSG1 xmm1,xmm2/m128 NP 0F 38 C9 /r Perform an Intermediate Calculation for the Next Four SHA1 Message Dwords
SHA1MSG2 xmm1,xmm2/m128 NP 0F 38 CA /r Perform a Final Calculation for the Next Four SHA1 Message Dwords
SHA256RNDS2 xmm1,xmm2/m128 NP 0F 38 CB /r Perform Two Rounds of SHA256 Operation
SHA256MSG1 xmm1,xmm2/m128 NP 0F 38 CC /r Perform an Intermediate Calculation for the Next Four SHA256 Message Dwords
SHA256MSG2 xmm1,xmm2/m128 NP 0F 38 CD /r Perform a Final Calculation for the Next Four SHA256 Message Dwords

Intel AES Key Locker instructions

These instructions, available in Tiger Lake and later Intel processors, are designed to enable encryption/decryption with an AES key without having access to any unencrypted copies of the key during the actual encryption/decryption process.

Instruction Encoding Description Notes
LOADIWKEY xmm1,xmm2 F3 0F 38 DC /r Load internal wrapping key ("IWKey") from xmm1, xmm2 and XMM0. The two explicit operands (which must be register operands) specify a 256-bit encryption key. The implicit operand in XMM0 specifies a 128-bit integrity key. EAX contains flags controlling operation of instruction.

After being loaded, the IWKey cannot be directly read from software, but is used for the key wrapping done by ENCODEKEY128/256 and checked by the Key Locker encode/decode instructions.

LOADIWKEY is privileged and can run in Ring 0 only.

ENCODEKEY128 r32,r32 F3 0F 38 FA /r Wrap a 128-bit AES key from XMM0 into a 384-bit key handle and output handle in XMM0-2. Source operand specifies handle restrictions to build into the handle.

Destination operand is initialized with information about the source and attributes of the key.

These instruction may also modify XMM4-6 (zeroed out in existing implementations, but this should not be relied on).

ENCODEKEY256 r32,r32 F3 0F 3A FB /r Wrap a 256-bit AES key from XMM1:XMM0 into a 512-bit key handle and output handle in XMM0-3.
AESENC128KL xmm,m384 F3 0F 38 DC /r Encrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm. All of the Key Locker encode/decode instructions will check whether the handle is valid for the current IWKey and encode/decode data only if the handle is valid.

These instructions will set the ZF flag to indicate whether the provided handle was valid (ZF=0) or not (ZF=1).

AESDEC128KL xmm,m384 F3 0F 38 DD /r Decrypt xmm using 128-bit AES key indicated by handle at m384 and store result in xmm.
AESENC256KL xmm,m512 F3 0F 38 DE /r Encrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm.
AESDEC256KL xmm,m512 F3 0F 38 DF /r Decrypt xmm using 256-bit AES key indicated by handle at m512 and store result in xmm.
AESENCWIDE128KL m384 F3 0F 38 D8 /0 Encrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register.
AESDECWIDE128KL m384 F3 0F 38 D8 /1 Decrypt XMM0-7 using 128-bit AES key indicated by handle at m384 and store each resultant block back to its corresponding register.
AESENCWIDE256KL m512 F3 0F 38 D8 /2 Encrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register.
AESDECWIDE256KL m512 F3 0F 38 D8 /3 Decrypt XMM0-7 using 256-bit AES key indicated by handle at m512 and store each resultant block back to its corresponding register.

VIA PadLock instructions

The VIA/Zhaoxin PadLock instructions are instructions designed to apply cryptographic primitives in bulk, similar to the 8086 repeated string instructions. As such, unless otherwise specified, they take, as applicable, pointers to source data in ES:rSI and destination data in ES:rDI, and a data-size or count in rCX. Like the old string instructions, they are all designed to be interruptible.

Padlock subset Instruction Encoding Description Added in
RNG
Random Number Generation.
XSTORE NFx 0F A7 C0 Store random bytes to ES:, and increment ES:rDI accordingly. XSTORE will store currently-available bytes, which may be from 0 to 8 bytes. REP XSTORE will write the number of random bytes specified by rCX, waiting for the random number generator when needed. EDX specifies a "quality factor". Nehemiah
(stepping 3)
REP XSTORE F3 0F A7 C0
ACE
Advanced Cryptography Engine.
REP XCRYPTECB F3 0F A7 C8 Encrypt/Decrypt data, using the AES cipher in various block modes (ECB, CBC, CFB, OFB and CTR, respectively). rCX contains the number of 16-byte blocks to encrypt/decrypt, rBX contains a pointer to an encryption key, rAX a pointer to an initialization vector for block modes that need it, and rDX a pointer to a control word. Nehemiah
(stepping 8)
REP XCRYPTCBC F3 0F A7 D0
REP XCRYPTCFB F3 0F A7 E0
REP XCRYPTOFB F3 0F A7 E8
ACE2
REP XCRYPTCTR F3 0F A7 D8 C7 "Esther"
PHE
Hash Engine.
REP XSHA1 F3 0F A6 C8 Compute a cryptographic hash (using the SHA-1 and SHA-256 functions, respectively). ES:rSI points to data to compute a hash for, ES:rDI points to a message digest and rCX specifies the number of bytes. rAX should be set to 0 at the start of a calculation. Esther
REP XSHA256 F3 0F A6 D0
PMM
Montgomery Multiplier.
REP MONTMUL F3 0F A6 C0 Perform Montgomery Multiplication. Takes an operand width in ECX (given as a number of bits – must be in range 256..32768 and divisble by 128) and pointer to a data structure in ES:ESI. Esther
GMI
Chinese national cryptographic algorithms. (Zhaoxin only.)
CCS_HASH F3 0F A6 E8 Compute SM3 hash, similar to the REP XSHA* instructions. The rBX register is used to specify hash function (20h for SM3 being the only documented value). ZhangJiang
CCS_ENCRYPT F3 0F A7 F0 Encrypt/Decrypt data, using the SM4 cipher in various block modes. rCX contains the number of 16-byte blocks to encrypt/decrypt, rBX contains a pointer to an encryption key, rDX a pointer to an initialization vector for block modes that need it, and rAX contains a control word.
  1. ^ The control word for REP XCRYPT* is a 128-bit data structure with the following layout:
    Bits Usage
    3:0 AES round count
    4 Digest mode enable (ACE2 only)
    5 1=allow data that is not 16-byte aligned (ACE2 only)
    6 Cipher: 0=AES, 1=undefined
    7 Key schedule: 0=compute (128bit key only), 1=load from memory
    8 0=normal, 1=intermediate-result
    9 0=encrypt, 1=decrypt
    11:10 Key size: 00=128bit, 01=192bit, 10=256bit, 11=reserved
    127:12 Reserved, set to 0
  2. ^ ACE2 also adds extra features to the other REP XCRYPT instructions: a digest mode for the CBC and CFB instructions, and the ability to use input/output data that are not 16-byte aligned for the non-ECB instructions.
  3. ^ On VIA Nano and later processors, setting rAX to an all-1s value for the REP XSHA* instructions will enable an alternate operation mode, where rCX specifies the number of 64-byte blocks, and where the standard FIPS-180-2 length extension procedure at the end of the hash calculation is omitted. This makes for a variant more suitable for data streaming than the original EAX=0 variant. This functionality also exists for CCS_HASH.
     
  4. ^ The data structure to REP MONTMUL contains six 32-bit elements, where the first one is a negated modular inverse of the bottom 32 bits of the modulus and the remaining 5 are pointers to various memory buffers:
    Offset Data item
    0 Negated modular inverse
    4 Pointer to first multiplicand
    8 Pointer to second multiplicand
    12 Pointer to result buffer
    16 Pointer to modulus
    20 Pointer to 32-byte scratchpad
  5. ^ The CCS_ENCRYPT control word in rAX has the following format:
    Bits Usage
    0 0=Encrypt, 1=Decrypt
    5:1 Must be 10000b for SM4.
    6 ECB block mode
    7 CBC block mode
    8 CFB block mode
    9 OFB block mode
    10 CTR block mode
    11 Digest enable

    Remaining bits in rAX must be set to all-0s.

    Of bits 10:6 in rAX (block mode selection), exactly one bit must be set, or else behavior is undefined.

Virtualization instructions

AMD-V instructions

Instruction Opcode Instruction Description Used by Added in
Basic SVM (Secure Virtual Machine) instructions
INVLPGA rAX,ECX 0F 01 DF Invalidate TLB mappings for the virtual page specified in rAX and the ASID (Address Space IDentifier) specified in ECX. VMM K8
VMRUN rAX 0F 01 D8 Run virtual machine managed by the VMCB (Virtual Machine Control Block) specified by physical address in rAX.
VMLOAD rAX 0F 01 DA Load a specific subset of processor state from the VMCB specified by the physical address in the rAX register. Usually the VMM
VMSAVE rAX 0F 01 DB Save a specific subset of processor state to the VMCB specified by the physical address in the rAX register.
STGI 0F 01 DC Set GIF (Global Interrupt Flag). Usually the VMM
CLGI 0F 01 DD Clear GIF.
VMMCALL NFx 0F 01 D9 Call to VM monitor from guest by causing a VMEXIT. Guest
SKINIT EAX 0F 01 DE Secure Init and Jump with Attestation.
Initializes CPU to known state, designates a 64 Kbyte memory area specified by EAX as an SLB ("Secure Loader Block"), submits a copy of the memory area to the system TPM for validation using a digital signature, then jumps into the SLB.
VMM Turion "Lion",
Opteron "Shanghai",
Phenom II
Secure Encrypted Virtualization (SEV): Encrypted State (SEV-ES) instructions
VMGEXIT F2/F3 0F 01 D9 SEV-ES Exit to VMM.
Explicit communication with the VMM for SEV-ES VMs.
Guest Zen 1
Secure Nested Paging (SEV-SNP): Reverse-Map Table (RMP) instructions
PSMASH F3 0F 01 FF Page Smash: expands a 2MB-page RMP entry into a corresponding set of contiguous 4KB-page RMP entries. The 2 MB page's system physical address is specified in the RAX register. VMM Zen 3
RMPUPDATE F2 0F 01 FE Write a new RMP entry. The system physical address of a page whose RMP entry is modified is specified in the RAX register. The RCX register provides the effective address of a 16-byte data structure which contains the new RMP state.
PVALIDATE F2 0F 01 FF Validate or rescind validation of a guest page's RMP entry. The guest virtual address is specified in the register operand rAX. Guest
RMPADJUST F3 0F 01 FE Adjust RMP permissions for a guest page. The guest virtual address is specified in the RAX register. The page size is specified in RCX. The target VMPL (Virtual Machine Privilege Level) and its permissions are specified in the RDX register.
RMPQUERY F3 0F 01 FD Reads an RMP permission mask for a guest page. The guest virtual address is specified in the RAX register. The target VMPL is specified in RDX. RMP permissions for the specified VMPL are returned in RDX and the RCX register. Guest Zen 4
  1. ^ a b c d For the rAX argument to the VMRUN, VMLOAD, VMSAVE and INVLPGA instructions, the choice of AX/EAX/RAX depends on address-size, which can be overridden with the 67h prefix.
  2. ^ Support for AMD-V was added in stepping F of the AMD K8, and is not available on earlier steppings.
  3. ^ a b The VMRUN instruction will load only a limited subset of CPU state - VMLOAD should be run before VMRUN to load additional state.
    Similarly, #VMEXIT will store only a limited amount of guest state to the VMCB, and VMSAVE is needed to store additional state.
    For simple intercept conditions where the VMM doesn't need to make use of the state items handled by VMSAVE/VMLOAD, the VMM may improve performance by abstaining from performing VMSAVE/VMLOAD before re-entering the virtual machine with VMRUN.
  4. ^ On CPUs that support VMLOAD/VMSAVE virtualization (Excavator and later), the VMLOAD and VMSAVE instructions can be executed in guest mode as well.
  5. ^ On CPUs that support Virtual GIF (Excavator and later), the STGI and CLGI instructions can be executed in guest mode as well.
  6. ^ VMGEXIT is executed as VMMCALL if not executed by a SEV-ES guest.

Intel VT-x instructions

Intel virtualization instructions. VT-x is also supported on some processors from VIA and Zhaoxin.

Instruction Opcode Instruction Description Used by Added in
Basic VMX (Virtual Machine Extensions) instructions
VMXON m64 F3 0F C7 /6 Enter VMX Operation – enters hardware supported virtualisation environment. VMM Prescott 2M,
Yonah,
Centerton,
Nano 3000
VMXOFF NP 0F 01 C4 Leave VMX Operation – stops hardware supported virtualisation environment.
VMPTRLD m64 NP 0F C7 /6 Load pointer to Virtual-Machine Control Structure (VMCS) from memory and mark it valid.
VMPTRST m64 NP 0F C7 /7 Store pointer to current VMCS to memory.
VMCLEAR m64 66 0F C7 /6 Flush VMCS data from CPU to VMCS region in memory. If the specified VMCS is the current VMCS, then the current-VMCS is marked as invalid.
VMLAUNCH NP 0F 01 C2 Launch virtual machine managed by current VMCS.
VMRESUME NP 0F 01 C3 Resume virtual machine managed by current VMCS.
VMREAD r/m,reg NP 0F 78 /r Read a specified field from the current-VMCS. The reg argument specifies which field to read – the result is stored to r/m. Usually the VMM
VMWRITE reg,r/m NP 0F 79 /r Write to specified field of current-VMCS. The reg argument specifies which field to write, and the r/m argument provides the data item to write to the field.
VMCALL NP 0F 01 C1 Call to VM monitor from guest by causing a VMEXIT. Usually the guest
Extended Page Tables (EPT) instructions
INVEPT reg,m128 66 0F 38 80 /r Invalidates EPT-derived entries in the TLBs and paging-structure caches. VMM Nehalem,
Centerton,
ZhangJiang
INVVPID reg,m128 66 0F 38 81 /r Invalidates entries in the TLBs and paging-structure caches based on VPID (Virtual Processor ID).
VMFUNC NP 0F 01 D4 Invoke VM function specified in EAX. Guest Haswell,
Silvermont
Trust Domain Extensions (TDX): Secure Arbitration Mode (SEAM) instructions
SEAMOPS 66 0F 01 CE Invoke SEAM specific operations. Operation to perform is specified in RAX. SEAM
root
Sapphire Rapids
SEAMRET 66 0F 01 CD Return to legacy VMX root operation from SEAM VMX root operation.
SEAMCALL 66 0F 01 CF Call to SEAM VMX root operation from legacy VMX root operation. VMM
TDCALL 66 0F 01 CC Call to VM monitor from TD guest by causing a VMEXIT. TD Guest
  1. ^ Executing any of the VT-x VMM instructions while within the VM guest will cause a VMEXIT.
    If VMX operation has not been entered through VMXON, then all of the VT-x instructions (except VMXON) will cause #UD.
  2. ^ a b c d The m64 argument to VMPTRLD, VMPTRST, VMCLEAR and VMXON is a 64-bit physical address.
  3. ^ The m64 argument to VMXON is the 64-bit physical address to a "VMXON region", which is a 4Kbyte region that must be 4 Kbyte aligned. This region may be used by the processor to support VMX operation in an implementation-dependent manner and should never be accessed by software until the processor has left VMX operation through the VMXOFF instruction.
  4. ^ If "VMCS Shadowing" is enabled (available on Haswell and later), the VMREAD and VMWRITE instructions can be executed by the guest as well.
  5. ^ The VMCALL instruction can be executed by the VMM as well – doing so will cause a special SMM VM exit.
  6. ^ The functions available for VMFUNC in the EAX register are:
    EAX Function
    0 EPTP switching: switch extended page table pointer to one of up to 512 table pointers prepared in advance by the VM host.
    ECX specifies which one of the 512 pointers to use.
    1-63 (Reserved, will cause VMEXIT)
    ≥64 Invalid, will cause #UD.
  7. ^ The operations available for SEAMOPS in the RAX register are:
    RAX Operation
    0 (CAPABILITIES) Return bitmap of supported SEAMOPS leaves in RAX.
    1 (SEAMREPORT) Generate SEAMREPORT structure.

    Any unsupported value in RAX will cause a #GP(0) exception.

Other instructions

x86 also includes discontinued instruction sets which are no longer supported by Intel and AMD, and undocumented instructions which execute but are not officially documented.

Undocumented instructions

Undocumented x86 instructions

The x86 CPUs contain undocumented instructions which are implemented on the chips but not listed in some official documents. They can be found in various sources across the Internet, such as Ralf Brown's Interrupt List and at sandpile.org

Some of these instructions are widely available across many/most x86 CPUs, while others are specific to a narrow range of CPUs.

Undocumented instructions that are widely available across many x86 CPUs include

Mnemonics Opcodes Description Status
AAM imm8 D4 ib ASCII-Adjust-after-Multiply. On the 8086, documented for imm8=0Ah only, which is used to convert a binary multiplication result to BCD.

The actual operation is AH ← AL/imm8; AL ← AL mod imm8 for any imm8 value (except zero, which produces a divide-by-zero exception).

Available beginning with 8086, documented for imm8 values other than 0Ah since Pentium (earlier documentation lists no arguments).
AAD imm8 D5 ib ASCII-Adjust-Before-Division. On the 8086, documented for imm8=0Ah only, which is used to convert a BCD value to binary for a following division instruction.

The actual operation is AL ← (AL+(AH*imm8)) & 0FFh; AH ← 0 for any imm8 value.

SALC,
SETALC
D6 Set AL depending on the value of the Carry Flag (a 1-byte alternative of SBB AL, AL) Available beginning with 8086, but only documented since Pentium Pro.
ICEBP,
INT1
F1 Single byte single-step exception / Invoke ICE Available beginning with 80386, documented (as INT1) since Pentium Pro. Executes as undocumented instruction prefix on 8086 and 80286.
TEST r/m8,imm8 F6 /1 ib Undocumented variants of the TEST instruction. Performs the same operation as the documented F6 /0 and F7 /0 variants, respectively. Available since the 8086.

Unavailable on some 80486 steppings.

TEST r/m16,imm16,
TEST r/m32,imm32
F7 /1 iw,
F7 /1 id
SHL, SAL (D0..D3) /6,
(C0..C1) /6 ib
Undocumented variants of the SHL instruction. Performs the same operation as the documented (D0..D3) /4 and (C0..C1) /4 ib variants, respectively. Available since the 80186 (performs different operation on the 8086)
(multiple) 82 /(0..7) ib Alias of opcode 80h, which provides variants of 8-bit integer instructions (ADD, OR, ADC, SBB, AND, SUB, XOR, CMP) with an 8-bit immediate argument. Available since the 8086. Explicitly unavailable in 64-bit mode but kept and reserved for compatibility.
OR/AND/XOR r/m16,imm8 83 /(1,4,6) ib 16-bit OR/AND/XOR with a sign-extended 8-bit immediate. Available on 8086, but only documented from 80386 onwards.
REPNZ MOVS F2 (A4..A5) The behavior of the F2 prefix (REPNZ, REPNE) when used with string instructions other than CMPS/SCAS is officially undefined, but there exists commercial software (e.g. the version of FDISK distributed with MS-DOS versions 3.30 to 6.22) that rely on it to behave in the same way as the documented F3 (REP) prefix. Available since the 8086.
REPNZ STOS F2 (AA..AB)
REP RET F3 C3 The use of the REP prefix with the RET instruction is not listed as supported in either the Intel SDM or the AMD APM. However, AMD's optimization guide for the AMD-K8 describes the F3 C3 encoding as a way to encode a two-byte RET instruction – this is the recommended workaround for an issue in the AMD-K8's branch predictor that can cause branch prediction to fail for some 1-byte RET instructions. At least some versions of gcc are known to use this encoding. Executes as RET on all known x86 CPUs.
NOP 67 90 NOP with address-size override prefix. The use of the 67h prefix for instructions without memory operands is listed by the Intel SDM (vol 2, section 2.1.1) as "reserved", but it is used in Microsoft Windows 95 as a workaround for a bug in the B1 stepping of Intel 80386. Executes as NOP on 80386 and later.
NOP r/m 0F 1F /0 Official long NOP.

Introduced in the Pentium Pro in 1995, but remained undocumented until March 2006.

Available on Pentium Pro and AMD K7 and later.

Unavailable on AMD K6, AMD Geode LX, VIA Nehemiah.

NOP r/m 0F 0D /r Reserved-NOP. Introduced in 65 nm Pentium 4. Intel documentation lists this opcode as NOP in opcode tables but not instruction listings since June 2005. From Broadwell onwards, 0F 0D /1 has been documented as PREFETCHW, while 0F 0D /0 and /2../7 have been reported to exhibit undocumented prefetch functionality.

On AMD CPUs, 0F 0D /r with a memory argument is documented as PREFETCH/PREFETCHW since K6-2 – originally as part of 3Dnow!, but has been kept in later AMD CPUs even after the rest of 3Dnow! was dropped.

Available on Intel CPUs since 65 nm Pentium 4.

UD1 0F B9 /r Intentionally undefined instructions, but unlike UD2 (0F 0B) these instructions were left unpublished until December 2016.

Microsoft Windows 95 Setup is known to depend on 0F FF being invalid – it is used as a self check to test that its #UD exception handler is working properly.

Other invalid opcodes that are being relied on by commercial software to produce #UD exceptions include FF FF (DIF-2, LaserLok) and C4 C4 ("BOP"), however as of January 2022 they are not published as intentionally invalid opcodes.

All of these opcodes produce #UD exceptions on 80186 and later (except on NEC V20/V30, which assign at least 0F FF to the NEC-specific BRKEM instruction.)
UD0 0F FF

Undocumented instructions that appear only in a limited subset of x86 CPUs include

Mnemonics Opcodes Description Status
REP MUL F3 F6 /4, F3 F7 /4 On 8086/8088, a REP or REPNZ prefix on a MUL or IMUL instruction causes the result to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the result. 8086/8088 only.
REP IMUL F3 F6 /5, F3 F7 /5
REP IDIV F3 F6 /7, F3 F7 /7 On 8086/8088, a REP or REPNZ prefix on an IDIV (but not DIV) instruction causes the quotient to be negated. This is due to the microcode using the “REP prefix present” bit to store the sign of the quotient. 8086/8088 only.
SAVEALL,

STOREALL

(F1) 0F 04 Exact purpose unknown, causes CPU hang (HCF). The only way out is CPU reset.

In some implementations, emulated through BIOS as a halting sequence.

In a forum post at the Vintage Computing Federation, this instruction (with F1 prefix) is explained as SAVEALL. It interacts with ICE mode.

Only available on 80286.
LOADALL 0F 05 Loads All Registers from Memory Address 0x000800H Only available on 80286.

Opcode reused for SYSCALL in AMD K6 and later CPUs.

LOADALLD 0F 07 Loads All Registers from Memory Address ES:EDI Only available on 80386.

Opcode reused for SYSRET in AMD K6 and later CPUs.

CL1INVMB 0F 0A On the Intel SCC (Single-chip Cloud Computer), invalidate all message buffers. The mnemonic and operation of the instruction, but not its opcode, are described in Intel's SCC architecture specification. Available on the SCC only.
PATCH2 0F 0E On AMD K6 and later maps to FEMMS operation (fast clear of MMX state) but on Intel identified as uarch data read on Intel Only available in Red unlock state (0F 0F too)
PATCH3 0F 0F Write uarch Can change RAM part of microcode on Intel
UMOV r,r/m,
UMOV r/m,r
0F (10..13) /r Moves data to/from user memory when operating in ICE HALT mode. Acts as regular MOV otherwise. Available on some 386 and 486 processors only.

Opcodes reused for SSE instructions in later CPUs.

NXOP 0F 55 NexGen hypercode interface. Available on NexGen Nx586 only.
(multiple) 0F (E0..FB) NexGen Nx586 "hyper mode" instructions.

The NexGen Nx586 CPU uses "hyper code" (x86 code sequences unpacked at boot time and only accessible in a special "hyper mode" operation mode, similar to DEC Alpha's PALcode and Intel's XuCode) for many complicated operations that are implemented with microcode in most other x86 CPUs. The Nx586 provides a large number of undocumented instructions to assist hyper mode operation.

Available in Nx586 hyper mode only.
PSWAPW mm,mm/m64 0F 0F /r BB Undocumented AMD 3DNow! instruction on K6-2 and K6-3. Swaps 16-bit words within 64-bit MMX register.

Instruction known to be recognized by MASM 6.13 and 6.14.

Available on K6-2 and K6-3 only.

Opcode reused for documented PSWAPD instruction from AMD K7 onwards.

Un­known mnemonic 64 D6 Using the 64 (FS: segment) prefix with the undocumented D6 (SALC/SETALC) instruction will, on UMC CPUs only, cause EAX to be set to 0xAB6B1B07. Available on the UMC Green CPU only. Executes as SALC on non-UMC CPUs.
FS: Jcc 64 (70..7F) rel8,

64 0F (80..8F) rel16/32

On Intel NetBurst (Pentium 4) CPUs, the 64h (FS: segment) instruction prefix will, when used with conditional branch instructions, act as a branch hint to indicate that the branch will be alternating between taken and not-taken. Unlike other NetBurst branch hints (CS: and DS: segment prefixes), this hint is not documented. Available on NetBurst CPUs only.

Segment prefixes on conditional branches are accepted but ignored by non-NetBurst CPUs.

JMPAI 0F 3F Jump and execute instructions in the undocumented Alternate Instruction Set. Only available on some x86 processors made by VIA Technologies.
(FMA4) VEX.66.0F38 (5C..5F,68..6F,78..7F) /r imm8 On AMD Zen1, FMA4 instructions are present but undocumented (missing CPUID flag). The reason for leaving the feature undocumented may or may not have been due to a buggy implementation. Removed from Zen2 onwards.
(unknown, multiple) 0F 0F /r ?? The whitepapers for SandSifter and UISFuzz report the detection of large numbers of undocumented instructions in the 3DNow! opcode range on several different AMD CPUs (at least Geode NX and C-50). Their operation is not known.

On at least AMD K6-2, all of the unassigned 3DNow! opcodes (other than the undocumented PF2IW, PI2FW and PSWAPW instructions) are reported to execute as equivalents of POR (MMX bitwise-OR instruction).

Present on some AMD CPUs with 3DNow!.
MOVDB,

GP2MEM

Un­known Microprocessor Report's article "MediaGX Targets Low-Cost PCs" from 1997, covering the introduction of the Cyrix MediaGX processor, lists several new instructions that are said to have been added to this processor in order to support its new "Virtual System Architecture" features, including MOVDB and GP2MEM – and also mentions that Cyrix did not intend to publish specifications for these instructions. Un­known.

No specification known to have been published.

REP XSHA512 F3 0F A6 E0 Perform SHA-512 hashing.

Supported by OpenSSL as part of its VIA PadLock support, and listed in a Zhaoxin-supplied Linux kernel patch, but not documented by the VIA PadLock Programming Guide.

Only available on some x86 processors made by VIA Technologies and Zhaoxin.
REP XMODEXP F3 0F A6 F8 Instructions to perform modular exponentiation and random number generation, respectively.

Listed in a VIA-supplied patch to add support for VIA Nano-specific PadLock instructions to OpenSSL, but not documented by the VIA PadLock Programming Guide.

XRNG2 F3 0F A7 F8
Un­known mnemonic 0F A7 (C1..C7) Detected by CPU fuzzing tools such as SandSifter and UISFuzz as executing without causing #UD on several different VIA and Zhaoxin CPUs.

Unknown operation, may be related to the documented XSTORE (0F A7 C0) instruction.

Un­known mnemonic F2 0F A6 C0 Zhaoxin SM2 instruction. CPUID flags listed in a Linux kernel patch for OpenEuler, description and opcode (but no instruction mnemonic) provided in a Zhaoxin patent application and a Zhaoxin-provided Linux kernel patch. Present in Zhaoxin KX-6000G.
ZXPAUSE F2 0F A6 D0 Pause the processor until the Time Stamp Counter reaches or exceeds the value specified in EDX:EAX. Low-power processor C-state can be requested in ECX. Listed in OpenEuler kernel patch. Present in Zhaoxin KX-7000.
MONTMUL2 Un­known Zhaoxin RSA/"xmodx" instructions. Mnemonics and CPUID flags are listed in a Linux kernel patch for OpenEuler, but opcodes and instruction descriptions are not available. Unknown. Some Zhaoxin CPUs have the CPUID flags for these instructions set.

Undocumented x87 instructions

Mnemonics Opcodes Description Status
FENI,

FENI8087_NOP

DB E0 FPU Enable Interrupts (8087) Documented for the Intel 80287.

Present on all Intel x87 FPUs from 80287 onwards. For FPUs other than the ones where they were introduced on (8087 for FENI/FDISI and 80287 for FSETPM), they act as NOPs.

These instructions and their operation on modern CPUs are commonly mentioned in later Intel documentation, but with opcodes omitted and opcode table entries left blank (e.g. Intel SDM 325462-077, April 2022 mentions them twice without opcodes).

The opcodes are, however, recognized by Intel XED.

FDISI,

FDISI8087_NOP

DB E1 FPU Disable Interrupts (8087)
FSETPM,

FSETPM287_NOP

DB E4 FPU Set Protected Mode (80287)
(no mnemonic) D9 D7,  D9 E2,
D9 E7,  DD FC,
DE D8,  DE DA,
DE DC,  DE DD,
DE DE,  DF FC
"Reserved by Cyrix" opcodes These opcodes are listed as reserved opcodes that will produce "unpredictable results" without generating exceptions on at least Cyrix 6x86, 6x86MX, MII, MediaGX, and AMD Geode GX/LX. (The documentation for these CPUs all list the same ten opcodes.)

Their actual operation is not known, nor is it known whether their operation is the same on all of these CPUs.

See also

References

  1. ^ "Re: Intel Processor Identification and the CPUID Instruction". Retrieved 2013-04-21.
  2. ^ Michal Necasek, SGDT/SIDT Fiction and Reality, 4 May 2017. Archived on 29 Nov 2023.
  3. ^ a b Intel, Undocumented iAPX 286 Test Instruction. Archived on 20 Dec 2023.
  4. ^ WikiChip, UMIP – x86. Archived on 16 Mar 2023.
  5. ^ Oracle Corp, Oracle® VM VirtualBox Administrator's Guide for Release 6.0, section 3.5: Details About Software Virtualization. Archived on 8 Dec 2023.
  6. ^ MBC Project, Virtual Machine Detection (permanent link) or Virtual Machine Detection (non permanent link)
  7. ^ Andrew Schulman, "Unauthorized Windows 95" (ISBN 1-56884-169-8), chapter 8, p.249,257.
  8. ^ US Patent 4974159, "Method of transferring control in a multitasking computer system" mentions 63h/ARPL.
  9. ^ Intel, Pentium® Processor Family Developer’s Manual, Volume 3, 1995, order no. 241430-004, section 12.7, p. 323
  10. ^ Intel, How Microarchitectural Data Sampling works, see mitigations section. Archived on Apr 22,2022
  11. ^ Linux kernel documentation, Microarchitectural Data Sampling (MDS) mitigation Archived 2020-10-21 at the Wayback Machine
  12. ^ VCF Forums, I found the SAVEALL opcode, jun 21, 2019. Archived on 13 Apr 2023.
  13. ^ rep lodsb, Intel 286 secrets: ICE mode and F1 0F 04, aug 12, 2022. Archived on 8 Dec 2023.
  14. ^ LKML, (PATCH) x86-64, espfix: Don't leak bits 31:16 of %esp returning to 16-bit stack, Apr 29, 2014. Archived on Jan 4, 2018
  15. ^ Raymond Chen, Getting MS-DOS games to run on Windows 95: Working around the iretd problem, Apr 4, 2016. Archived on Mar 15, 2019
  16. ^ sandpile.org, x86 architecture rFLAGS register, see note #7
  17. ^ Can Bölük, Speculating the entire x86-64 Instruction Set In Seconds with This One Weird Trick, Mar 22, 2021. Archived on Mar 23, 2021.
  18. ^ a b Robert Collins, Undocumented OpCodes, 29 july 1995. Archived on 21 feb 2001
  19. ^ Michal Necasek, ICEBP finally documented, OS/2 Museum, May 25, 2018. Archived on 6 June 2018
  20. ^ Intel, AP-526: Optimization For Intel's 32-bit Processors, order no. 242816-001, october 1995 – lists INT1 on page 86.
  21. ^ AMD, AMD 64-bit Technology, vol 2: System Programming, order no. 24593, rev 3.06, aug 2002, page 248
  22. ^ "Intel 80386 CPU Information | PCJS Machines".
  23. ^ Geoff Chappell, CPU Identification before CPUID
  24. ^ Jeff Parsons, Obsolete 80386 Instructions: IBTS and XBTS, PCjs Machines. Archived on Sep 19, 2020.
  25. ^ Robert Collins, The LOADALL Instruction. Archived from the original on Jun 5, 1997.
  26. ^ Toth, Ervin (1998-03-16). "BSWAP with 16-bit registers". Archived from the original on 1999-11-03. The instruction brings down the upper word of the doubleword register without affecting its upper 16 bits.
  27. ^ Coldwin, Gynvael (2009-12-29). "BSWAP + 66h prefix". Retrieved 2018-10-03. internal (zero-)extending the value of a smaller (16-bit) register … applying the bswap to a 32-bit value "00 00 AH AL", … truncated to lower 16-bits, which are "00 00". … Bochs … bswap reg16 acts just like the bswap reg32 … QEMU … ignores the 66h prefix
  28. ^ Intel "i486 Microprocessor" (April 1989, order no. 240440-001) p.142 lists CMPXCHG with 0F A6/A7 encodings.
  29. ^ Intel "i486 Microprocessor" (November 1989, order no. 240440-002) p.135 lists CMPXCHG with 0F B0/B1 encodings.
  30. ^ "Intel 486 & 486 POD CPUID, S-spec, & Steppings".
  31. ^ Intel, Software Guard Extensions Programming Reference, order no. 329298-002, oct 2014, sections 3.5 and 3.6.5.
  32. ^ Frank van Gilluwe, "The Undocumented PC, second edition", 1997, ISBN 0-201-47950-8, page 55
  33. ^ AMD, Revision Guide for AMD Athlon 64 and AMD Opteron Processors pub.no. 25759, rev 3.79, July 2009, page 34. Archived on 20 Dec 2023.
  34. ^ Intel, Software Developer’s Manual, vol 3A, order no. 253668-078, Dec 2022, section 9.3, page 299
  35. ^ "RSM—Resume from System Management Mode". Archived from the original on 2012-03-12.
  36. ^ Microprocessor Report, System Management Mode Explained (vol 6, no. 8, june 17, 1992). Archived on Jun 29, 2022.
  37. ^ Ellis, Simson C., "The 386 SL Microprocessor in Notebook PCs", Intel Corporation, Microcomputer Solutions, March/Apri 1991, page 20
  38. ^ Cyrix 486SLC/e Data Sheet (1992), section 2.6.4
  39. ^ Linux 6.3 kernel sources, /arch/x86/include/asm/cpuid.h, line 69
  40. ^ gcc-patches mailing list, CPUID Patch for IDT Winchip, May 21, 2019. Archived on Apr 27, 2023.
  41. ^ Intel, Intel® Virtualization Technology FlexMigration Application Note order no. 323850-004, oct 2012, section 2.3.2 on page 12. Archived on Oct 13, 2014.
  42. ^ Intel, Atom Processor C3000 Product Family Datasheet order no. 337018-002, Feb 2018, pages 133, 3808 and 3814. Archived on Feb 9, 2022.
  43. ^ AMD, AMD64 Architecture Programmer’s Manual Volume 3 pub.no. 24594, rev 3.34, oct 2022, p. 165 (entry on CPUID instruction)
  44. ^ Robert Collins, CPUID Algorithm Wars, nov 1996. Archived from the original on dec 18, 2000.
  45. ^ Geoff Chappell, CMPXCHG8B Support in the 32-Bit Windows Kernel, 23 jan 2008. Archived on 5 Nov 2023.
  46. ^ a b Intel, Software Developer's Manual, order no. 325426-077, Nov 2022 – the entry on the RDTSC instruction on p.1739 describes the instruction sequences required to order the RDTSC instruction with respect to earlier and later instructions.
  47. ^ Linux kernel 5.4.12, /arch/x86/kernel/cpu/centaur.c
  48. ^ Stack Overflow, Can constant non-invariant tsc change frequency across cpu states? Accessed 24 Jan 2023. Archived on 24 Jan 2023.
  49. ^ CPU-World, CPUID for IDT ZHAOXIN KaiXian KX-U6780 2.7 GHz (by KZ). Accessed 24 Jan 2023. [https://web.archive.org/web/20230124204353/https://www.cpu-world.com/cgi-bin/CPUID.pl?CPUID=78468 Archived on 24 Jan 2023.
  50. ^ Michal Necasek, "Undocumented RDTSC", 27 Apr 2018. Archived on 16 Dec 2023.
  51. ^ JookWiki, "nopl", sep 24, 2022 – provides a lengthy account of the history of the long NOP and the issues around it. Archived on oct 28, 2022.
  52. ^ a b Intel Community: Multibyte NOP Made Official. Archived on 7 Apr 2022.
  53. ^ Intel Software Developers Manual, vol 3B (order no 253669-076us, December 2021), section 22.15 "Reserved NOP"
  54. ^ AMD, AMD 64-bit Technology – AMD x86-64 Architecture Programmer’s Manual Volume 3, publication no. 24594, rev 3.02, aug 2002, page 379.
  55. ^ Intel, Intel Architecture Software Developer’s Manual, Volume 2, 1997, order no. 243191-001, pages 3-9 and A-7.
  56. ^ John Hassey, Pentium Pro changes, GAS2 mailing list, 28 dec 1995 – patch that added the UD2A and UD2B instruction mnemomics to GNU Binutils. Archived on 25 Jul 2023.
  57. ^ Jan Beulich, x86: correct UDn, binutils-gdb mailing list, 23 nov 2017 – Binutils patch that added ModR/M byte to UD1/UD2B and added UD0. Archived on 25 Jul 2023.
  58. ^ Intel, Pentium® Processor Family Developer's Manual Volume 3, 1995. order no. 241430-004, appendix A, page 943 – reserves the opcodes 0F 0B and 0F B9.
  59. ^ a b AMD, AMD64 Architecture Programmer’s Manual Volume 3, publication no. 24594, rev 3.17, dec 2011 – see page 416 for UD0 and page 415 and 419 for UD1.
  60. ^ a b c Intel, Software Developer's Manual, vol 2B, order no. 253667-061, dec 2016 – lists UD1 (with ModR/M byte) and UD0 (without ModR/M byte) on page 4-687.
  61. ^ Stecklina, Julian (2019-02-08). "Fingerprinting x86 CPUs using Illegal Opcodes". x86.lol. Archived from the original on 15 Dec 2023. Retrieved 2023-12-15.
  62. ^ "ud0 length fix · intelxed/xed@7561f54". GitHub. Archived from the original on 1 Jun 2023. Retrieved 2023-12-15.
  63. ^ a b Cyrix, 6x86 processor data book, 1996, order no. 94175-01, table 6-20, page 209 – uses the mnemonic OIO ("Official invalid opcode") for the 0F FF opcode.
  64. ^ Intel, Software Developer's Manual, vol 2B, order no. 253667-064, oct 2017 – lists UD0 (with ModR/M byte) on page 4-683.
  65. ^ AMD, AMD-K5 Processor Technical Reference Manual, Nov 1996, order no. 18524C/0, section 3.3.7, page 90 – reserves the 0F FF opcode without assigning it a mnemonic.
  66. ^ AMD, AMD-K6 Processor Data Sheet, order no. 20695H/0, March 1998, section 24.2, page 283.
  67. ^ George Dunlap, The Intel SYSRET Privilege Escalation, The Xen Project., 13 june 2012. Archived on Mar 15, 2019.
  68. ^ Intel, AP-485: Intel® Processor Identification and the CPUID Instruction, order no. 241618-039, may 2012, section 5.1.2.5, page 32
  69. ^ Michal Necasek, "SYSENTER, Where Are You?", 20 Jul 2017. Archived on 29 Nov 2023.
  70. ^ AMD, Athlon Processor x86 Code Optimization Guide, publication no. 22007, rev K, feb 2002, appendix F, page 284. Archived on 13 Apr 2017.
  71. ^ Transmeta, Processor Recognition, May 7, 2002.
  72. ^ VIA, VIA C3 Nehemiah Processor Datasheet, rev 1.13, sep 29, 2004, page 17
  73. ^ CPU-World, CPUID for Intel Xeon 3.40 GHz – Nocona stepping D CPUID without CMPXCHG16B
  74. ^ CPU-World, CPUID for Intel Xeon 3.60 GHz – Nocona stepping E CPUID with CMPXCHG16B
  75. ^ SuperUser StackExchange, How prevalent are old x64 processors lacking the cmpxchg16b instruction?
  76. ^ Intel SDM order no. 325462-077, apr 2022, vol 2B, p.4-130 "MOVSX/MOVSXD-Move with Sign-Extension" lists MOVSXD without REX.W as "discouraged"
  77. ^ Anandtech, AMD Zen 3 Ryzen Deep Dive Review, nov 5, 2020, page 6
  78. ^ @instlatx64 (October 31, 2020). "Saving Private Ryzen: PEXT/PDEP 32/64b replacement functions for #AMD CPUs (BR/#Zen/Zen+/#Zen2) based on @zwegner's zp7" (Tweet). Retrieved 2023-01-20 – via Twitter.
  79. ^ Wegner, Zach (4 November 2020). "zwegner/zp7". GitHub.
  80. ^ Intel, Control-flow Enforcement Technology Specification (v3.0, order no. 334525-003, March 2019)
  81. ^ Intel SDM, rev 076, December 2021, volume 1, section 18.3.1
  82. ^ Binutils mailing list: x86: CET v2.0: Update NOTRACK prefix
  83. ^ AMD, Extensions to the 3DNow! and MMX Instruction Sets, ref no. 22466D/0, March 2000, p.11
  84. ^ Hadi Brais, The Significance of the x86 SFENCE instruction, 26 Feb 2019.
  85. ^ Intel, Software Developer's Manual, order no. 325426-077, Nov 2022, Volume 1, section 11.4.4.3, page 276.
  86. ^ Hadi Brais, The Significance of the LFENCE instruction, 14 May 2018
  87. ^ AMD, Software techniques for managing speculation on AMD processor, rev 3.8.22, 8 March 2022, page 4. Archived on 13 March 2022.
  88. ^ Intel, Prescott New Instructions Software Developer’s Guide, order no. 252490-003, june 2003, pages 3-26 and 3-38 list MONITOR and MWAIT with explicit operands.
  89. ^ Flat Assembler messageboard, "BLENDVPS/BLENDVPD/PBLENDVB syntax", also covers MONITOR/MWAIT mnemonics
  90. ^ Intel, Intel® Xeon Phi™ Product Family x200 (KNL) User mode (ring 3) MONITOR and MWAIT (archived 5 mar 2017)
  91. ^ AMD, BIOS and Kernel Developer’s Guide (BKDG) For AMD Family 10h Processors, order no. 31116, rev 3.62, page 419
  92. ^ R. Zhang et al, (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels, 3 Jan 2023, page 5. Archived from the original on 5 Jan 2023.
  93. ^ Guru3D, VIA Zhaoxin x86 4 and 8-core SoC processors launch, Jan 22, 2018
  94. ^ Vulners, x86: DoS from attempting to use INVPCID with a non-canonical addresses, 20 nov 2018
  95. ^ Intel, Intel® 64 and IA-32 Architectures Software Developer’s Manual volume 3, order no. 325384-078, december 2022, chapter 23.15
  96. ^ a b Catherine Easdon, Undocumented CPU Behaviour on x86 and RISC-V Microarchitectures: A Security Perspective, 10 May 2019, page 39
  97. ^ Instlatx64, Zhaoxin Kaixian KX-6000G CPUID dump, May 15, 2023
  98. ^ a b c Intel, Intel® Software Guard Extensions (Intel® SGX) Architecture for Oversubscription of Secure Memory in a Virtualized Environment, 25 Jun 2017.
  99. ^ Intel, Runtime Microcode Updates with Intel® Software Guard Extensions, sep 2021, order no. 648682 rev 1.0. Archived from the original on 31 mar 2023.
  100. ^ Intel, 11th Generation Intel® Core™ Processor Desktop Datasheet, Volume 1, may 2022, order no. 634648-004, section 3.5, page 65
  101. ^ Intel, Which Platforms Support Intel® Software Guard Extensions (Intel® SGX) SGX2? Archived on 5 May 2022.
  102. ^ a b Intel, Trust Domain CPU Architectural Extensions, order no. 343754-002, may 2021.
  103. ^ @InstLatX64 (May 3, 2022). "The CLDEMOTE Story" (Tweet). Retrieved 2023-01-23 – via Twitter.
  104. ^ @Instlatx64 (April 17, 2023). "20-Core Intel Xeon w7-2475X (SapphireRapids-64L) 806F8 CPUID dump" (Tweet). Retrieved 2023-04-20 – via Twitter.
  105. ^ Wikichip, CLZERO – x86
  106. ^ Intel, Application note AP-578: Software and Hardware Considerations for FPU Exception Handlers for Intel Architecture Processors, order no. 243291-002, February 1997
  107. ^ Intel, Application Note AP-113: Getting Started With The Numeric Data Processor, feb 1981, pages 24-25
  108. ^ Intel, 8087 Math Coprocessor, oct 1989, order no. 285385-007, page 3-100, fig 9
  109. ^ Intel, 80287 80-bit HMOS Numeric Processor Extension, feb 1983, order no. 201920-001, page 14
  110. ^ Intel, iAPX86, 88 User's Manual, 1981 (order no. 210201-001), p. 797
  111. ^ a b Intel 80286 and 80287 Programmers Reference Manual, 1987 (order no. 210498-005), p. 485
  112. ^ Intel Software Developer's Manual volume 3B, revision 064, section 22.18.9
  113. ^ "GCC Bugzilla – 37179 – GCC emits bad opcode 'ffreep'".
  114. ^ Michael Steil, FFREEP – the assembly instruction that never existed
  115. ^ Dusko Koncaliev, Pentium FDIV Bug
  116. ^ Bruce Dawson, Intel Underestimates Error Bounds by 1.3 quintillion
  117. ^ Intel SDM, rev 053 and later, describes the exact argument reduction procedure used for FSIN, FCOS, FSINCOS and FPTAN in volume 1, section 8.3.8
  118. ^ Intel, Intel® 64 and IA-32 Architectures Optimization Reference Manual (order no. 248966-044, June 2021) section 3.5.2.3
  119. ^ "The microarchitecture of Intel, AMD and VIA CPUs: An optimization guide for assembly programmers and compiler makers" (PDF). Retrieved October 17, 2016.
  120. ^ "Chess programming AVX2". Archived from the original on July 10, 2017. Retrieved October 17, 2016.
  121. ^ "Intel AVX-512 Instructions". Intel. Retrieved 21 June 2022.
  122. ^ Intel, Digital Random Number Generator (DRNG) Software Implementation Guide rev 2.1, oct 17, 2018, sections 5.2 and 5.3. Archived on nov 19, 2021.
  123. ^ Michal Ludvig, VIA PadLock—Wicked Fast Encryption, Linux Journal, Apr 6, 2005. Archived on Jun 20, 2005.
  124. ^ Stack Overflow, Streaming SHA calculation using VIA's Padlock Hashing Engine?, Aug 11, 2014. Archived on Jun 14, 2019.
    The PadLock SDK (v3.1) referenced in the Stack Overflow answer can be downloaded from the Crypto++ wiki (accessed on Aug 11, 2023) or the Wayback Machine.
  125. ^ Zhaoxin, Core Technology | Instructions for the use of accelerated instructions for national encryption algorithm based on Zhaoxin processor (in Chinese). Archived on Jan 5, 2022
  126. ^ Zhaoxin, GMI User Manual v1.0 (in Chinese). Archived on Feb 28, 2022
  127. ^ AMD, AMD64 Virtualization Codenamed “Pacifica” Technology, publication no. 33407, rev 3.01, May 2005. Archived on Jun 13, 2011.
  128. ^ CPU-World, CPUID for AMD Turion 64 X2 RM-75, 2022-03-05.
  129. ^ Intel, Intel® Atom™ Processor S1200 Product Family for Microserver Datasheet, Volume 1 of 2, order no. 328194-001, dec 2012, page 44
  130. ^ SecurityWeek, Intel Adds TDX to Confidential Computing Portfolio With Launch of 4th Gen Xeon Processors, 10 jan 2023
  131. ^ Robert Collins, Undocumented OpCodes: AAM. Archived on 21 Feb 2001
  132. ^ Retrocomputing StackExchange, 0F1h opcode-prefix on i80286. Archived on 13 Apr 2023.
  133. ^ a b Frank van Gilluwe, "The Undocumented PC – Second Edition", p. 93-95
  134. ^ Michal Necasek, Intel 486 Errata?, 6 Dec 2015. Archived on 29 Nov 2023.
  135. ^ Robert Hummel, "PC Magazine Programmer's Technical Reference" (ISBN 1-56276-016-5) p.728
  136. ^ Raúl Gutiérrez Sanz, Undocumented 8086 Opcodes, Part I, 27 Dec 2017. Archived on 29 Nov 2023.
  137. ^ a b "Asm, opcode 82h". 24 Dec 1998. Archived from the original on 14 Apr 2023.
  138. ^ Intel Corporation 2022, p. 3698.
  139. ^ Intel, The 8086 Family User's Manual, October 1979, opcodes omitted on pages 4-25 and 4-31
  140. ^ Retrocomputing StackExchange, Undocumented instructions in x86 CPU prior to 80386?, 4 Jun 2021. Archived on 18 Jul 2023.
  141. ^ Daniel B. Sedory, An Examination of the Standard MBR, 2000. Archived on 6 Oct 2023.
  142. ^ AMD, Software Optimization Guide for AMD64 Processors (publication 25112, revision 3.06, sep 2005), section 6.2, p.128
  143. ^ GCC bugzilla, Bug 48227 – "rep ret" generated for -march=core2. Archived on 9 Apr 2023.
  144. ^ Raymond Chen, My, what strange NOPs you have!, 12 Jan 2011. Archived on 20 May 2023.
  145. ^ Jeff Parsons, Intel 80386 CPU information (B1 errata section, item #7). Archived on 13 Nov 2023.
  146. ^ Intel Software Developers Manual, volume 2B (Jan 2006, order no 235667-018, does not have long NOP)
  147. ^ Intel Software Developers Manual, volume 2B (March 2006, order no 235667-019, has long NOP)
  148. ^ Agner Fog, Instruction Tables, AMD K7 section.
  149. ^ "579838 – glibc not compatible with AMD Geode LX". Archived from the original on 30 Jul 2023.
  150. ^ Intel Software Developers Manual, volume 2B (April 2005, order no 235667-015, does not list 0F0D-nop)
  151. ^ Intel Software Developers Manual, volume 2B (June 2005, order no 235667-016, lists 0F0D-nop in opcode table but not under NOP instruction description.)
  152. ^ Intel Software Developers Manual, volume 2B (order no. 253667-060, September 2016) does not list UD0 and UD1.
  153. ^ "PCJS : pcjs/x86op0F.js (two-byte x86 opcode handlers), lines 1647–1651". GitHub. 17 April 2022. Archived from the original on 13 Apr 2023.
  154. ^ "80486 paging protection faults? \ VOGONS". Archived from the original on 9 April 2022.
  155. ^ "Invalid opcode handling \ VOGONS". Archived from the original on 9 April 2022.
  156. ^ "Invalid instructions cause exit even if Int 6 is hooked \ VOGONS". Archived from the original on 9 April 2022.
  157. ^ "Tutorial – Calling Win32 from DOS". Ragestorm. 17 Sep 2005. Archived from the original on 9 April 2022.
  158. ^ "Accessing Windows device drivers from DOS programs". Archived from the original on 8 Nov 2011.
  159. ^ a b "8086 microcode disassembled". Reenigne blog. 2020-09-03. Archived from the original on 8 Dec 2023. Retrieved 2022-07-26. Using the REP or REPNE prefix with a MUL or IMUL instruction negates the product. Using the REP or REPNE prefix with an IDIV instruction negates the quotient.
  160. ^ "Re: Undocumented opcodes (HINT_NOP)". Archived from the original on 2004-11-06. Retrieved 2010-11-07.
  161. ^ "Re: Also some undocumented 0Fh opcodes". Archived from the original on 2003-06-26. Retrieved 2010-11-07.
  162. ^ Intel's RCCE library for the SCC used opcode 0F 0A for SCC's message invalidation instruction.
  163. ^ Intel Labs, SCC External Architecture Specification (EAS), Revision 0.94, p.29. Archived on May 22, 2022.
  164. ^ "Undocumented x86 instructions to control the CPU at the microarchitecture level in modern Intel processors" (PDF). 9 July 2021.
  165. ^ Robert R. Collins, Undocumented OpCodes: UMOV. Archived on Feb 21, 2001.
  166. ^ Herbert Oppmann, NXOP (Opcode 0Fh 55h)
  167. ^ Herbert Oppmann, NexGen Nx586 Hypercode Source, see COMMON.INC. Archived on 9 Apr 2023.
  168. ^ Herbert Oppmann, Inside the NexGen Nx586 System BIOS. Archived on 29 Dec 2023.
  169. ^ Intel, XuCode: An Innovative Technology for Implementing Complex Instruction Flows, May 6, 2021. Archived on Jul 19, 2022.
  170. ^ Grzegorz Mazur, AMD 3DNow! undocumented instructions
  171. ^ a b "Undocumented 3DNow! Instructions". grafi.ii.pw.edu.pl. Archived from the original on 30 January 2003. Retrieved 22 February 2022.
  172. ^ Potemkin's Hacker Group's OPCODE.LST, v4.51, 15 Oct 1999. Archived on 21 May 2001.
  173. ^ "[UCA CPU Analysis] Prototype UMC Green CPU U5S-SUPER33". 25 May 2020. Archived from the original on 9 Jun 2023.
  174. ^ Agner Fog, The Microarchitecture of Intel, AMD and VIA CPUs, section 3.4 "Branch Prediction in P4 and P4E". Archived on 7 Jan 2024.
  175. ^ Reddit /r/Amd discussion thread: Ryzen has undocumented support for FMA4
  176. ^ a b Christopher Domas, Breaking the x86 ISA, 27 July 2017. Archived on 27 Dec 2023.
  177. ^ a b Xixing Li et al, UISFuzz: An Efficient Fuzzing Method for CPU Undocumented Instruction Searching, 9 Oct 2019. Archived on 27 Dec 2023.
  178. ^ Microprocessor Report, MediaGX Targets Low-Cost PCs (vol 11, no. 3, mar 10, 1997). Archived on 6 Jun 2022.
  179. ^ "Welcome to the OpenSSL Project". GitHub. 21 April 2022. Archived from the original on 4 Jan 2022.
  180. ^ LKML, (PATCH) crypto: Zhaoxin: Hardware Engine Driver for SHA1/256/384/512, 2 Aug 2023. Archived on 17 Jan 2024.
  181. ^ Kary Jin, PATCH: Update PadLock engine for VIA C7 and Nano CPUs, openssl-dev mailing list, 10 Jun 2011. Archived on 11 Feb 2022.
  182. ^ a b OpenEuler mailing list, PATCH kernel-4.19 v2 5/6 : x86/cpufeatures: Add Zhaoxin feature bits. Archived on 9 Apr 2022.
  183. ^ USPTO/Zhaoxin, Patent application US2023/006718: Processor with a hash cryptographic algorithm and data processing thereof, pages 13 and 45, Mar 2, 2023. Archived on Sep 12, 2023.
  184. ^ LKML, (PATCH) crypto: x86/sm2 -add Zhaoxin SM2 algorithm implementation, 11 Nov 2023. Archived on 17 Jan 2024.
  185. ^ a b InstLatx64, CPUID dump for Zhaoxin KaiXian KX-6000G – has the SM2 and xmodx feature bits set (CPUID leaf C0000001:EDX:bits 0 and 29). Archived on Jul 25, 2023.
  186. ^ OpenEuler kernel pull request 2602: x86/delay: add support for Zhaoxin ZXPAUSE instruction. Gitee. 26 Oct 2023. Archived on 22 Jan 2024.
  187. ^ ISA datafile for Intel XED (April 17, 2022), lines 916-944
  188. ^ Cyrix 6x86 processor data book, page 6-34
  189. ^ AMD Geode LX Processors Data Book, publication 33234H, p.670

External links