x86 instruction listings

List of x86 microprocessor instructions

The x86 instruction set refers to the set of instructions that x86-compatible microprocessors support. The instructions are usually part of an executable program, often stored as a computer file and executed on the processor.

The x86 instruction set has been extended several times, introducing wider registers and datatypes as well as new functionality.^[1]

x86 integer instructions

Below is the full 8086/8088 instruction set of Intel (81 instructions total).^[2] These instructions are also available in 32-bit mode, they operate instead on 32-bit registers (eax, ebx, etc.) and values instead of their 16-bit (ax, bx, etc.) counterparts. The updated instruction set is grouped according to architecture (i186, i286, i386, i486, i586/i686) and is referred to as (32-bit) x86 and (64-bit) x86-64 (also known as AMD64).

Original 8086/8088 instructions

This is the original instruction set. In the 'Notes' column, r means register, m means memory address and imm means immediate (i.e. a value).

Added in specific processors

Added with 80186/80188

Added with 80286

The new instructions added in 80286 add support for x86 protected mode. Some but not all of the instructions are available in real mode as well.

1. The descriptors used by the LGDT, LIDT, SGDT and SIDT instructions consist of a 2-part data structure. The first part is a 16-bit value, specifying table size in bytes minus 1. The second part is a 32-bit value (64-bit value in 64-bit mode), specifying the linear start address of the table.
   For LGDT and LIDT with a 16-bit operand size, the address is ANDed with 00FFFFFFh. On Intel (but not AMD) CPUs, the SGDT and SIDT instructions with a 16-bit operand size is – as of Intel SDM revision 079, March 2023 – documented to write a descriptor to memory with the last byte being set to 0. However, observed behavior is that bits 31:24 of the descriptor table address are written instead.^[3]
2. The LGDT, LIDT, LLDT, LMSW and LTR instructions are serializing on Pentium and later processors.
3. On 80386 and later, the "Machine Status Word" is the same as the CR0 control register – however, the LMSW instruction can only modify the bottom 4 bits of this register and cannot clear bit 0. The inability to clear bit 0 means that LMSW can be used to enter but not leave x86 Protected Mode.
   On 80286, it is not possible to leave Protected Mode at all (neither with LMSW nor with LOADALL^[4]) without a CPU reset – on 80386 and later, it is possible to leave Protected Mode, but this requires the use of the 80386-and-later MOV to CR0 instruction.
4. If CR4.UMIP=1 is set, then the SGDT, SIDT, SLDT, SMSW and STR instructions can only run in Ring 0.
   These instructions were unprivileged on all x86 CPUs from 80286 onwards until the introduction of UMIP in 2017.^[5]This has been a significant security problem for software-based virtualization, since it enables these instructions to be used by a VM guest to detect that it is running inside a VM.^[6][7]
5. The SMSW, SLDT and STR instructions always use an operand size of 16 bits when used with a memory argument. With a register argument on 80386 or later processors, wider destination operand sizes are available and behave as follows:
   • SMSW: Stores full CR0 in x86-64 long mode, undefined otherwise.
   • SLDT: Zero-extends 16-bit argument on Pentium Pro and later processors, undefined on earlier processors.
   • STR: Zero-extends 16-bit argument.
6. In 64-bit long mode, the ARPL instruction is not available – the 63 /r opcode has been reassigned to the 64-bit-mode-only MOVSXD instruction.
7. The ARPL instruction causes #UD in Real mode and Virtual 8086 Mode – Windows 95 and OS/2 2.x are known to make extensive use of this #UD to use the 63 opcode as a one-byte breakpoint to transition from Virtual 8086 Mode to kernel mode.^[8][9]
8. Bits 19:16 of this mask are documented as "undefined" on Intel CPUs.^[10] On AMD CPUs, the mask is documented as 0x00FFFF00.
9. On some Intel CPU/microcode combinations from 2019 onwards, the VERW instruction also flushes microarchitectural data buffers. This enables it to be used as part of workarounds for Microarchitectural Data Sampling security vulnerabilities.^[11][12]
10. Undocumented, 80286 only.^[4][13][14] (A different variant of LOADALL with a different opcode and memory layout exists on 80386.)

Added with 80386

The 80386 added support for 32-bit operation to the x86 instruction set. This was done by widening the general-purpose registers to 32 bits and introducing the concepts of OperandSize and AddressSize – most instruction forms that would previously take 16-bit data arguments were given the ability to take 32-bit arguments by setting their OperandSize to 32 bits, and instructions that could take 16-bit address arguments were given the ability to take 32-bit address arguments by setting their AddressSize to 32 bits. (Instruction forms that work on 8-bit data continue to be 8-bit regardless of OperandSize. Using a data size of 16 bits will cause only the bottom 16 bits of the 32-bit general-purpose registers to be modified – the top 16 bits are left unchanged.)

The default OperandSize and AddressSize to use for each instruction is given by the D bit of the segment descriptor of the current code segment - D=0 makes both 16-bit, D=1 makes both 32-bit. Additionally, they can be overridden on a per-instruction basis with two new instruction prefixes that were introduced in the 80386:

• 66h: OperandSize override. Will change OperandSize from 16-bit to 32-bit if CS.D=0, or from 32-bit to 16-bit if CS.D=1.
• 67h: AddressSize override. Will change AddressSize from 16-bit to 32-bit if CS.D=0, or from 32-bit to 16-bit if CS.D=1.

The 80386 also introduced the two new segment registers FS and GS as well as the x86 control, debug and test registers.

The new instructions introduced in the 80386 can broadly be subdivided into two classes:

• Pre-existing opcodes that needed new mnemonics for their 32-bit OperandSize variants (e.g. CWDE, LODSD)
• New opcodes that introduced new functionality (e.g. SHLD, SETcc)

For instruction forms where the operand size can be inferred from the instruction's arguments (e.g. ADD EAX,EBX can be inferred to have a 32-bit OperandSize due to its use of EAX as an argument), new instruction mnemonics are not needed and not provided.

1. For the 32-bit string instructions, the ±± notation is used to indicate that the indicated register is post-decremented by 4 if EFLAGS.DF=1 and post-incremented by 4 otherwise.
   For the operands where the DS segment is indicated, the DS segment can be overridden by a segment-override prefix – where the ES segment is indicated, the segment is always ES and cannot be overridden.
   The choice of whether to use the 16-bit SI/DI registers or the 32-bit ESI/EDI registers as the address registers to use is made by AddressSize, overridable with the 67 prefix.
2. The 32-bit string instructions accept repeat-prefixes in the same way as older 8/16-bit string instructions.
   For LODSD, STOSD, MOVSD, INSD and OUTSD, the REP prefix (F3) will repeat the instruction the number of times specified in rCX (CX or ECX, decided by AddressSize), decrementing rCX for each iteration (with rCX=0 resulting in no-op and proceeding to the next instruction).
   For CMPSD and SCASD, the REPE (F3) and REPNE (F2) prefixes are available, which will repeat the instruction but only as long as the flag condition (ZF=1 for REPE, ZF=0 for REPNE) holds true.
3. For the INSB/W/D instructions, the memory access rights for the ES:[rDI] memory address might not be checked until after the port access has been performed – if this check fails (e.g. page fault or other memory exception), then the data item read from the port is lost. As such, it is not recommended to use this instruction to access an I/O port that performs any kind of side effect upon read.
4. I/O port access is only allowed when CPL≤IOPL or the I/O port permission bitmap bits for the port to access are all set to 0.
5. The CWDE instruction differs from the older CWD instruction in that CWD would sign-extend the 16-bit value in AX into a 32-bit value in the DX:AX register pair.
6. For the E3 opcode (JCXZ/JECXZ), the choice of whether the instruction will use CX or ECX for its comparison (and consequently which mnemonic to use) is based on the AddressSize, not OperandSize. (OperandSize instead controls whether the jump destination should be truncated to 16 bits or not).
   This also applies to the loop instructions LOOP,LOOPE,LOOPNE (opcodes E0,E1,E2), however, unlike JCXZ/JECXZ, these instructions have not been given new mnemonics for their ECX-using variants.
7. For PUSHA(D), the value of SP/ESP pushed onto the stack is the value it had just before the PUSHA(D) instruction started executing.
8. For POPA/POPAD, the stack item corresponding to SP/ESP is popped off the stack (performing a memory read), but not placed into SP/ESP.
9. The PUSHFD and POPFD instructions will cause a #GP exception if executed in virtual 8086 mode if IOPL is not 3.
   The PUSHF, POPF, IRET and IRETD instructions will cause a #GP exception if executed in Virtual-8086 mode if IOPL is not 3 and VME is not enabled.
10. If IRETD is used to return from kernel mode to user mode (which will entail a CPL change) and the user-mode stack segment indicated by SS is a 16-bit segment, then the IRETD instruction will only restore the low 16 bits of the stack pointer (ESP/RSP), with the remaining bits keeping whatever value they had in kernel code before the IRETD. This has necessitated complex workarounds on both Linux ("ESPFIX")^[15] and Windows.^[16] This issue also affects the later 64-bit IRETQ instruction.

1. For the BT, BTS, BTR and BTC instructions:
   • If the first argument to the instruction is a register operand and/or the second argument is an immediate, then the bit-index in the second argument is taken modulo operand size (16/32/64, in effect using only the bottom 4, 5 or 6 bits of the index.)
   • If the first argument is a memory operand and the second argument is a register operand, then the bit-index in the second argument is used in full – it is interpreted as a signed bit-index that is used to offset the memory address to use for the bit test.
2. The BTS, BTC and BTR instructions accept the LOCK (F0) prefix when used with a memory argument – this results in the instruction executing atomically.
3. If the F3 prefix is used with the 0F BC /r opcode, then the instruction will execute as TZCNT on systems that support the BMI1 extension. TZCNT differs from BSF in that TZCNT but not BSR is defined to return operand size if the source operand is zero – for other source operand values, they produce the same result.
4. BSF and BSR set the EFLAGS.ZF flag to 1 if the source argument was all-0s and 0 otherwise.
   If the source argument was all-0s, then the destination register is documented as being left unchanged on AMD processors, but set to an undefined value on Intel processors.
5. If the F3 prefix is used with the 0F BD /r opcode, then the instruction will execute as LZCNT on systems that support the ABM or LZCNT extensions. LZCNT produces a different result from BSR for most input values.
6. For SHLD and SHRD, the shift-amount is masked – the bottom 5 bits are used for 16/32-bit operand size and 6 bits for 64-bit operand size.
   SHLD and SHRD with 16-bit arguments and a shift-amount greater than 16 produce undefined results. (Actual results differ between different Intel CPUs, with at least three different behaviors known.^[17])
7. The condition codes supported for the SETcc and Jcc near instructions (opcodes 0F 9x /0 and 0F 8x respectively, with the x nibble specifying the condition) are:
8. For SETcc, while the opcode is commonly specified as /0 – implying that bits 5:3 of the instruction's ModR/M byte should be 000 – modern x86 processors (Pentium and later) ignore bits 5:3 and will execute the instruction as SETcc regardless of the contents of these bits.
9. For LFS, LGS and LSS, the size of the offset part of the far pointer is given by operand size – the size of the segment part is always 16 bits. In 64-bit mode, using the REX.W prefix with these instructions will cause them to load a far pointer with a 64-bit offset on Intel but not AMD processors.
10. For MOV to/from the CRx, DRx and TRx registers, the reg part of the ModR/M byte is used to indicate CRx/DRx/TRx register and r/m part the general-register. Uniquely for the MOV CRx/DRx/TRx opcodes, the top two bits of the ModR/M byte is ignored – these opcodes are decoded and executed as if the top two bits of the ModR/M byte are 11b.
11. For moves to/from the CRx and DRx registers, the operand size is always 64 bits in 64-bit mode and 32 bits otherwise.
12. On processors prior to Pentium, moves to CR0 would not serialize the instruction stream – in part for this reason, it is usually required to perform a far jump immediately after a MOV to CR0 if such a MOV is used to enable/disable protected mode and/or memory paging.
    MOV to CR2 is architecturally listed as serializing, but has been reported to be non-serializing on at least some Intel Core-i7 processors.^[18]
    MOV to CR8 (introduced with x86-64) is not serializing.
13. The MOV TRx instructions were discontinued from Pentium onwards.
14. The INT1/ICEBP (F1) instruction is present on all known Intel x86 processors from the 80386 onwards,^[19] but only fully documented for Intel processors from the May 2018 release of the Intel SDM (rev 067) onwards.^[20] Before this release, mention of the instruction in Intel material was sporadic, e.g. AP-526 rev 001.^[21]
    For AMD processors, the instruction has been documented since 2002.^[22]
15. The operation of the F1(ICEBP) opcode differs from the operation of the regular software interrupt opcode CD 01 in several ways:
    In protected mode, CD 01 will check CPL against the interrupt descriptor's DPL field as an access-rights check, while F1 will not.
    • In virtual-8086 mode, CD 01 will also check CPL against IOPL as an access-rights check, while F1 will not.
    • In virtual-8086 mode with VME enabled, interrupt redirection is supported for CD 01 but not F1.
16. The UMOV instruction is present on 386 and 486 processors only.^[19]
17. The XBTS and IBTS instructions were discontinued with the B1 stepping of 80386.
    They have been used by software mainly for detection of the buggy^[23] B0 stepping of the 80386. Microsoft Windows (v2.01 and later) will attempt to run the XBTS instruction as part of its CPU detection if CPUID is not present, and will refuse to boot if XBTS is found to be working.^[24]
18. For XBTS and IBTS, the r/m argument represents the data to extract/insert a bitfield from/to, the reg argument the bitfield to be inserted/extracted, AX/EAX a bit-offset and CL a bitfield length.^[25]
19. Undocumented, 80386 only.^[26]

Added with 80486

1. Using BSWAP with 16-bit registers is not disallowed per se (it will execute without producing an #UD or other exceptions) but is documented to produce undefined results – it is reported to produce various different results on 486,^[27] 586, and Bochs/QEMU.^[28]
2. On Intel 80486 stepping A,^[29] the CMPXCHG instruction uses a different encoding - 0F A6 /r for 8-bit variant, 0F A7 /r for 16/32-bit variant. The 0F B0/B1 encodings are used on 80486 stepping B and later.^[30][31]
3. The CMPXCHG instruction sets EFLAGS in the same way as a CMP instruction that uses the accumulator (AL/AX/EAX/RAX) as its first argument would do.
4. INVLPG executes as no-operation if the m8 argument is invalid (e.g. unmapped page or non-canonical address).
   INVLPG can be used to invalidate TLB entries for individual global pages.
5. The INVD and WBINVD instructions will invalidate all cache lines in the CPU's L1 caches. It is implementation-defined whether they will invalidate L2/L3 caches as well.
   These instructions are serializing – on some processors, they may block interrupts until completion as well.
6. If the PRM (Processor Reserved Memory) has been set up by using the PRMRRs (PRM range registers), then the INVD instruction is not permitted and will cause a #GP(0) exception. (The PRM is needed for Intel SGX.)^[32]
7. If the F3 prefix is used with the 0F 09 opcode, then the instruction will execute as WBNOINVD on processors that support the WBNOINVD extension – this will not invalidate the cache.

Added in P5/P6-class processors

Integer/system instructions that were not present in the basic 80486 instruction set, but were added in various x86 processors prior to the introduction of SSE. (Discontinued instructions are not included.)

1. On Intel and AMD CPUs, the WRMSR instruction is also used to update the CPU microcode. This is done by writing the virtual address of the new microcode to upload to MSR 79h on Intel CPUs and MSR C001_0020h^[34] on AMD CPUs.
2. Writes to the following MSRs are not serializing:^[35]
3. System Management Mode and the RSM instruction were made available on non-SL variants of the Intel 486 only after the initial release of the Intel Pentium in 1993.
4. On some older 32-bit processors, executing CPUID with a leaf index (EAX) greater than 0 may leave EBX and ECX unmodified, keeping their old values. For this reason, it is recommended to zero out EBX and ECX before executing CPUID.
   Processors noted to exhibit this behavior include Cyrix MII^[40] and IDT WinChip 2.^[41]
   
   In 64-bit mode, CPUID will set the top 32 bits of RAX, RBX, RCX and RDX to zero.
5. On some Intel processors starting from Ivy Bridge, there exists MSRs that can be used to restrict CPUID to ring 0. Such MSRs are documented for at least Ivy Bridge^[42] and Denverton.^[43]
   The ability to restrict CPUID to ring 0 also exists on AMD processors supporting the "CpuidUserDis" feature (Zen 4 "Raphael" and later).^[44]
6. CPUID is also available on some Intel and AMD 486 processor variants that were released after the initial release of the Intel Pentium.
7. On the Cyrix 5x86 and 6x86 CPUs, CPUID is not enabled by default and must be enabled through a Cyrix configuration register.
8. On NexGen CPUs, CPUID is only supported with some system BIOSes. On some NexGen CPUs that do support CPUID, EFLAGS.ID is not supported but EFLAGS.AC is, complicating CPU detection.^[45]
9. Unlike the older CMPXCHG instruction, the CMPXCHG8B instruction does not modify any EFLAGS bits other than ZF.
10. LOCK CMPXCHG8B with a register operand (which is an invalid encoding) can cause hangs on some Intel Pentium CPUs (Pentium F00F bug).
11. On IDT WinChip, Transmeta Crusoe and Rise mP6 processors, the CMPXCHG8B instruction is always supported, however its CPUID bit may be missing. This is a workaround for a bug in Windows NT.^[46]
12. The RDTSC and RDPMC instructions are not ordered with respect to other instructions, and may sample their respective counters before earlier instructions are executed or after later instructions have executed. Invocations of RDPMC (but not RDTSC) may be reordered relative to each other even for reads of the same counter.
    In order to impose ordering with respect to other instructions, LFENCE or serializing instructions (e.g. CPUID) are needed.^[47]
13. Fixed-rate TSC was introduced in two stages:

    Constant TSC

    TSC running at a fixed rate as long as the processor core is not in a deep-sleep (C2 or deeper) mode, but not synchronized between CPU cores. Introduced in Intel Prescott, Yonah and Bonnell. Also present in all Transmeta and VIA Nano^[48] CPUs. Does not have a CPUID bit.

    Invariant TSC

    TSC running at a fixed rate, and remaining synchronized between CPU cores in all P-,C- and T-states (but not necessarily S-states).
    Present in AMD K10 and later; Intel Nehalem/Saltwell^[49] and later; Zhaoxin WuDaoKou^[50] and later. Indicated with a CPUID bit (leaf 8000_0007:EDX[8]).

14. RDTSC can be run outside Ring 0 only if CR4.TSD=0.
    On Intel Pentium and AMD K5, RDTSC cannot be run in Virtual-8086 mode.^[51] Later processors removed this restriction.
15. RDPMC can be run outside Ring 0 only if CR4.PCE=1.
16. The RDPMC instruction is not present in VIA processors prior to the Nano.
17. The condition codes supported for CMOVcc instruction (opcode 0F 4x /r, with the x nibble specifying the condition) are:
18. In 64-bit mode, CMOVcc with a 32-bit operand size will clear the upper 32 bits of the destination register even if the condition is false.
    For CMOVcc with a memory source operand, the CPU will always read the operand from memory – potentially causing memory exceptions and cache line-fills – even if the condition for the move is not satisfied. (The Intel APX extension defines a set of new EVEX-encoded variants of CMOVcc that will suppress memory exceptions if the condition is false.)
19. On pre-Nehemiah VIA C3 variants ("Samuel"/"Ezra"), the reg,reg but not reg,[mem] forms of the CMOVcc instructions have been reported to be present as undocumented instructions.^[52]
20. Intel's recommended byte encodings for multi-byte NOPs of lengths 2 to 9 bytes in 32/64-bit mode are (in hex):^[53]

    For cases where there is a need to use more than 9 bytes of NOP padding, it is recommended to use multiple NOPs.

21. Unlike other instructions added in Pentium Pro, long NOP does not have a CPUID feature bit.
22. 0F 1F /0 as long-NOP was introduced in the Pentium Pro, but remained undocumented until 2006.^[55]The whole 0F 18..1F opcode range was NOP in Pentium Pro. However, except for 0F 1F /0, Intel does not guarantee that these opcodes will remain NOP in future processors, and have indeed assigned some of these opcodes to other instructions in at least some processors.^[56]
23. Documented for AMD x86-64 since 2002.^[57]
24. While the 0F 0B opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned the mnemonic UD2 from Pentium Pro onwards.^[59]
25. GNU Binutils have used the UD2A and UD2B mnemonics for the 0F 0B and 0F B9 opcodes since version 2.7.^[60]
    Neither UD2A nor UD2B originally took any arguments - UD2B was later modified to accept a ModR/M byte, in Binutils version 2.30.^[61]
26. The UD2 (0F 0B) instruction will additionally stop subsequent bytes from being decoded as instructions, even speculatively. For this reason, if an indirect branch instruction is followed by something that is not code, it is recommended to place an UD2 instruction after the indirect branch.^[62]
27. The UD0/1/2 opcodes - 0F 0B, 0F B9 and 0F FF - will cause an #UD exception on all x86 processors from the 80186 onwards (except NEC V-series processors), but did not get explicitly reserved for this purpose until P5-class processors.
28. While the 0F B9 opcode was officially reserved as an invalid opcode from Pentium onwards, it only got assigned its mnemonic UD1 much later – AMD APM started listing UD1 in its opcode maps from rev 3.17 onwards,^[64] while Intel SDM started listing it from rev 061 onwards.^[65]
29. For both the 0F B9 and 0F FF opcodes, different x86 implementations are known to differ regarding whether the opcodes accept a ModR/M byte.^[66][67]
30. For the 0F FF opcode, the OIO mnemonic was introduced by Cyrix,^[68] while the UD0 menmonic (without arguments) was introduced by AMD and Intel at the same time as the UD1 mnemonic for 0F B9.^[64][65] Later Intel (but not AMD) documentation modified its description of UD0 to add a ModR/M byte and take two arguments.^[69]
31. On K6, the SYSCALL/SYSRET instructions were available on Model 7 (250nm "Little Foot") and later, not on the earlier Model 6.^[71]
32. SYSCALL and SYSRET were made an integral part of x86-64 – as a result, the instructions are available in 64-bit mode on all x86-64 processors from AMD, Intel, VIA and Zhaoxin.
    Outside 64-bit mode, the instructions are available on AMD processors only.
33. The exact semantics of SYSRET differs slightly between AMD and Intel processors: non-canonical return addresses cause a #GP exception to be thrown in Ring 3 on AMD CPUs but Ring 0 on Intel CPUs. This has been known to cause security issues.^[72]
34. For the SYSRET and SYSEXIT instructions under x86-64, it is necessary to add the REX.W prefix for variants that will return to 64-bit user-mode code.
    Encodings of these instructions without the REX.W prefix are used to return to 32-bit user-mode code. (Neither of these instructions can be used to return to 16-bit user-mode code.)
35. The SYSRET, SYSENTER and SYSEXIT instructions are unavailable in Real mode. (SYSENTER is, however, available in Virtual 8086 mode.)
36. The CPUID flags that indicate support for SYSENTER/SYSEXIT are set on the Pentium Pro, even though the processor does not officially support these instructions.^[73]
    Third party testing indicates that the opcodes are present on the Pentium Pro but too buggy to be usable.^[74]
37. On AMD CPUs, the SYSENTER and SYSEXIT instructions are not available in x86-64 long mode (#UD).
38. On Transmeta CPUs, the SYSENTER and SYSEXIT instructions are only available with version 4.2 or higher of the Transmeta Code Morphing software.^[76]
39. On Nehemiah, SYSENTER and SYSEXIT are available only on stepping 8 and later.^[77]

Added as instruction set extensions

Added with x86-64

These instructions can only be encoded in 64 bit mode. They fall in four groups:

• original instructions that reuse existing opcodes for a different purpose (MOVSXD replacing ARPL)
• original instructions with new opcodes (SWAPGS)
• existing instructions extended to a 64 bit address size (JRCXZ)
• existing instructions extended to a 64 bit operand size (remaining instructions)

Most instructions with a 64 bit operand size encode this using a REX.W prefix; in the absence of the REX.W prefix, the corresponding instruction with 32 bit operand size is encoded. This mechanism also applies to most other instructions with 32 bit operand size. These are not listed here as they do not gain a new mnemonic in Intel syntax when used with a 64 bit operand size.

1. The memory operand to CMPXCHG16B must be 16-byte aligned.
2. The CMPXCHG16B instruction was absent from a few of the earliest Intel/AMD x86-64 processors. On Intel processors, the instruction was missing from Xeon "Nocona" stepping D,^[78] but added in stepping E.^[79] On AMD K8 family processors, it was added in stepping F, at the same time as DDR2 support was introduced.^[80]
   For this reason, CMPXCHG16B has its own CPUID flag, separate from the rest of x86-64.
3. Encodings of MOVSXD without REX.W prefix are permitted but discouraged^[81] – such encodings behave identically to 16/32-bit MOV (8B /r).

Bit manipulation extensions

Bit manipulation instructions. For all of the VEX-encoded instructions defined by BMI1 and BMI2, the operand size may be 32 or 64 bits, controlled by the VEX.W bit – none of these instructions are available in 16-bit variants.

1. On AMD CPUs, the "ABM" extension provides both POPCNT and LZCNT. On Intel CPUs, however, the CPUID bit for "ABM" is only documented to indicate the presence of the LZCNT instruction and is listed as "LZCNT", while POPCNT has its own separate CPUID feature bit.
   However, all known processors that implement the "ABM"/"LZCNT" extensions also implement POPCNT and set the CPUID feature bit for POPCNT, so the distinction is theoretical only.
   (The converse is not true – there exist processors that support POPCNT but not ABM, such as Intel Nehalem and VIA Nano 3000.)
2. The LZCNT instruction will execute as BSR on systems that do not support the LZCNT or ABM extensions. BSR computes the index of the highest set bit in the source operand, producing a different result from LZCNT for most input values.
3. The TZCNT instruction will execute as BSF on systems that do not support the BMI1 extension. BSF produces the same result as TZCNT for all input operand values except zero – for which TZCNT returns input operand size, but BSF produces undefined behavior (leaves destination unmodified on most modern CPUs).
4. For BEXTR, the start position and length are not masked and can take values from 0 to 255. If the selected bits extend beyond the end of the r/m argument (which has the usual 32/64-bit operand size), then the excess bits are read out as 0.
5. On AMD processors before Zen 3, the PEXT and PDEP instructions are quite slow^[82] and exhibit data-dependent timing due to the use of a microcoded implementation (about 18 to 300 cycles, depending on the number of bits set in the mask argument). As a result, it is often faster to use other instruction sequences on these processors.^[83][84]

Added with Intel TSX

Added with Intel CET

Intel CET (Control-Flow Enforcement Technology) adds two distinct features to help protect against security exploits such as return-oriented programming: a shadow stack (CET_SS), and indirect branch tracking (CET_IBT).

1. The RDSSPD and RDSSPQ instructions act as NOPs on processors where shadow stacks are disabled or CET is not supported.
2. ENDBR32 and ENDBR64 act as NOPs on processors that don't support CET_IBT or where IBT is disabled.
3. This prefix has the same encoding as the DS: segment override prefix – as of April 2022, Intel documentation does not appear to specify whether this prefix also retains its old segment-override function when used as a no-track prefix, nor does it provide an official mnemonic for this prefix.^[85][86] (GNU binutils use "notrack"^[87])

Added with XSAVE

The XSAVE instruction set extensions are designed to save/restore CPU extended state (typically for the purpose of context switching) in a manner that can be extended to cover new instruction set extensions without the OS context-switching code needing to understand the specifics of the new extensions. This is done by defining a series of state-components, each with a size and offset within a given save area, and each corresponding to a subset of the state needed for one CPU extension or another. The EAX=0Dh CPUID leaf is used to provide information about which state-components the CPU supports and what their sizes/offsets are, so that the OS can reserve the proper amount of space and set the associated enable-bits.

1. Under Intel APX, the XSAVE* and XRSTOR* instructions cannot be encoded with the REX2 prefix.
2. XSAVE was added in steppings E0/R0 of Penryn and is not available in earlier steppings.
3. On some processors (starting with Skylake, Goldmont and Zen 1), executing XGETBV with ECX=1 is permitted – this will not return XCR1 (no such register exists) but instead return XCR0 bitwise-ANDed with the current value of the "XINUSE" state-component bitmap (a bitmap of XSAVE state-components that are not known to be in their initial state).
   The presence of this functionality of XGETBV is indicated by CPUID.(EAX=0Dh,ECX=1):EAX[bit 2].

Added with other cross-vendor extensions

1. AMD Athlon processors prior to the Athlon XP did not support full SSE, but did introduce the non-SIMD instructions of SSE as part of "MMX Extensions".^[88] These extensions (without full SSE) are also present on Geode GX2 and later Geode processors.
2. All of the PREFETCH* instructions are hint instructions with effects only on performance, not program semantics. Providing an invalid address (e.g. address of an unmapped page or a non-canonical address) will cause the instruction to act as a NOP without any exceptions generated.
3. For the SFENCE, LFENCE and MFENCE instructions, the bottom 3 bits of the ModR/M byte are ignored, and any value of x in the range 0..7 will result in a valid instruction.
4. The SFENCE instruction ensures that all memory stores after the SFENCE instruction are made globally observable after all memory stores before the SFENCE. This imposes ordering on stores that can otherwise be reordered, such as non-temporal stores and stores to WC (Write-Combining) memory regions.^[89]
   On Intel CPUs, as well as AMD CPUs from Zen1 onwards (but not older AMD CPUs), SFENCE also acts as a reordering barrier on cache flushes/writebacks performed with the CLFLUSH, CLFLUSHOPT and CLWB instructions. (Older AMD CPUs require MFENCE to order CLFLUSH.)
   SFENCE is not ordered with respect to LFENCE, and an SFENCE+LFENCE sequence is not sufficient to prevent a load from being reordered past a previous store.^[90] To prevent such reordering, it is necessary to execute an MFENCE, LOCK or a serializing instruction.
5. The LFENCE instruction ensures that all memory loads after the LFENCE instruction are made globally observable after all memory loads before the LFENCE.
   On all Intel CPUs that support SSE2, the LFENCE instruction provides a stronger ordering guarantee:^[91] it is dispatch-serializing, meaning that instructions after the LFENCE instruction are allowed to start executing only after all instructions before it have retired (which will ensure that all preceding loads but not necessarily stores have completed). The effect of dispatch-serialization is that LFENCE also acts as a speculation barrier and a reordering barrier for accesses to non-memory resources such as performance counters (accessed through e.g. RDTSC or RDPMC) and x2apic MSRs.
   On AMD CPUs, LFENCE is not necessarily dispatch-serializing by default – however, on all AMD CPUs that support any form of non-dispatch-serializing LFENCE, it can be made dispatch-serializing by setting bit 1 of MSR C001_1029.^[92]
6. The MFENCE instruction ensures that all memory loads, stores and cacheline-flushes after the MFENCE instruction are made globally observable after all memory loads, stores and cacheline-flushes before the MFENCE.
   On Intel CPUs, MFENCE is not dispatch-serializing, and therefore cannot be used to enforce ordering on accesses to non-memory resources such as performance counters and x2apic MSRs. MFENCE is still ordered with respect to LFENCE, so if a memory barrier with dispatch serialization is needed, then it can be obtained by issuing an MFENCE followed by an LFENCE.^[47]
   On AMD CPUs, MFENCE is serializing.
7. The operation of the PAUSE instruction in 64-bit mode is, unlike NOP, unaffected by the presence of the REX.R prefix. Neither NOP nor PAUSE are affected by the other bits of the REX prefix. A few examples of opcode 90 with various prefixes in 64-bit mode are:
   • 90 is NOP
   • 41 90 is XCHG R8D,EAX
   • 4E 90 is NOP
   • 49 90 is XCHG R8,RAX
   • F3 90 is PAUSE
   • F3 41 90 is PAUSE
   • F3 4F 90 is PAUSE
8. The actual length of the pause performed by the PAUSE instruction is implementation-dependent.
   On systems without SSE2, PAUSE will execute as NOP.
9. Under VT-x or AMD-V virtualization, executing PAUSE many times in a short time interval may cause a #VMEXIT. The number of PAUSE executions and interval length that can trigger #VMEXIT are platform-specific.
10. While the CLFLUSH instruction was introduced together with SSE2, it has its own CPUID flag and may be present on processors not otherwise implementing SSE2 and/or absent from processors that otherwise implement SSE2. (E.g. AMD Geode LX supports CLFLUSH but not SSE2.)
11. While the MONITOR and MWAIT instructions were introduced at the same time as SSE3, they have their own CPUID flag that needs to be checked separately from the SSE3 CPUID flag (e.g. Athlon 64 X2 and VIA C7 supported SSE3 but not MONITOR.)
12. For the MONITOR and MWAIT instructions, older Intel documentation^[93] lists instruction mnemonics with explicit operands (MONITOR EAX,ECX,EDX and MWAIT EAX,ECX), while newer documentation omits these operands. Assemblers/disassemblers may support one or both of these variants.^[94]
13. For MONITOR, the DS: segment can be overridden with a segment prefix.
    The memory area that will be monitored will be not just the single byte specified by DS:rAX, but a linear memory region containing the byte – the size and alignment of this memory region is implementation-dependent and can be queried through CPUID.
    The memory location to monitor should have memory type WB (write-back cacheable), or else monitoring may fail.
14. As of April 2024, no extensions or hints have been defined for the MONITOR instruction. As such, the instruction requires ECX=0 and ignores EDX.
15. On some processors, such as Intel Xeon Phi x200^[95] and AMD K10^[96] and later, there exist documented MSRs that can be used to enable MONITOR and MWAIT to run in Ring 3.
16. The wait performed by MWAITmay be ended by system events other than a memory write (e.g. cacheline evictions, interrupts) – the exact set of events that can cause the wait to end is implementation-specific.
    Regardless of whether the wait was ended by a memory write or some other event, monitoring will have ended and it will be necessary to set up monitoring again with MONITOR before using MWAIT to wait for memory writes again.
17. The extension flags available for MWAIT in the ECX register are:
18. The hint flags available for MWAIT in the EAX register are:

    The C-states are processor-specific power states, which do not necessarily correspond 1:1 to ACPI C-states.

19. For the GETSEC instruction, the REX.W prefix enables 64-bit addresses for the EXITAC leaf function only - REX prefixes are otherwise permitted but ignored for the instruction.
20. The leaf functions defined for GETSEC (selected by EAX) are:

    Any unsupported value in EAX causes an #UD exception.

21. For GETSEC, most leaf functions are restricted to Ring 0, but the CAPABILITIES (EAX=0) and PARAMETERS (EAX=6) leaf functions are available in Ring 3.
22. The "core ID" value read by RDTSCP and RDPID is actually the TSC_AUX MSR (MSR C000_0103h). Whether this value actually corresponds to a processor ID is a matter of operating system convention.
23. Unlike the older RDTSC instruction, RDTSCP will delay the TSC read until all previous instructions have retired, guaranteeing ordering with respect to preceding memory loads (but not stores). RDTSCP is not ordered with respect to subsequent instructions, though.
24. RDTSCP can be run outside Ring 0 only if CR4.TSD=0.
25. Support for RDTSCP was added in stepping F of the AMD K8, and is not available on earlier steppings.
26. While the POPCNT instruction was introduced at the same time as SSE4.2, it is not considered to be a part of SSE4.2, but instead a separate extension with its own CPUID flag.
    On AMD processors, it is considered to be a part of the ABM extension, but still has its own CPUID flag.
27. The invalidation types defined for INVPCID (selected by register argument) are:

    Any unsupported value in the register argument causes a #GP exception.

28. Unlike the older INVLPG instruction, INVPCID will cause a #GP exception if the provided memory address is non-canonical. This discrepancy has been known to cause security issues.^[100]
29. The PREFETCH and PREFETCHW instructions are mandatory parts of the 3DNow! instruction set extension, but are also available as a standalone extension on systems that do not support 3DNow!
30. The opcodes for PREFETCH and PREFETCHW (0F 0D /r) execute as NOPs on Intel CPUs from Cedar Mill (65nm Pentium 4) onwards, with PREFETCHW gaining prefetch functionality from Broadwell onwards.
31. The PREFETCH (0F 0D /0) instruction is a 3DNow! instruction, present on all processors with 3DNow! but not necessarily on processors with the PREFETCHW extension.
    On AMD CPUs with PREFETCHW, opcode 0F 0D /0 as well as opcodes 0F 0D /2../7 are all documented to be performing prefetch.
    On Intel processors with PREFETCHW, these opcodes are documented as performing reserved-NOPs^[101] (except 0F 0D /2 being PREFETCHWT1 m8 on Xeon Phi only) – third party testing^[102] indicates that some or all of these opcodes may be performing prefetch on at least some Intel Core CPUs.
32. The SMAP, PKU and RDPID instruction set extensions are supported on stepping 2^[103] and later of Zhaoxin LuJiaZui, but not on earlier steppings.
33. Unlike the older RDTSCP instruction which can also be used to read the processor ID, user-mode RDPID is not disabled by CR4.TSD=1.
34. For MOVDIR64, the destination address given by ES:reg must be 64-byte aligned.
    The operand size for the register argument is given by the address size, which may be overridden by the 67h prefix.
    The 64-byte memory source argument does not need to be 64-byte aligned, and is not guaranteed to be read atomically.
35. The WBNOINVD instruction will execute as WBINVD if run on a system that doesn't support the WBNOINVD extension.
    WBINVD differs from WBNOINVD in that WBINVD will invalidate all cache lines after writeback.

Added with other Intel-specific extensions

1. The branch hint mnemonics HWNT and HST are listed in early Willamette documentation only^[104] - later Intel documentation lists the branch hint prefixes without assigning them a mnemonic.^[105]
2. The 2E and 3E prefixes are interpreted as branch hints only when used with the Jcc conditional branch instructions (opcodes 70..7F and 0F 80..8F) - when used with other opcodes, they may take other meanings (e.g. for instructions with memory operands outside 64-bit mode, they will work as segment-override prefixes CS: and DS:, respectively). On processors that don't support branch hints, these prefixes are accepted but ignored when used with Jcc.
3. Branch hints are supported on all NetBurst (Pentium 4 family) processors - but not supported on any other known processor prior to their re-introduction in "Redwood Cove" CPUs, starting with "Meteor Lake" in 2023.
4. The leaf functions defined for ENCLS (selected by EAX) are:

   Any unsupported value in EAX causes a #GP exception.

5. SGX is deprecated on desktop/laptop processors from 11th generation (Rocket Lake, Tiger Lake) onwards, but continues to be available on Xeon-branded server parts.^[109]
6. The leaf functions defined for ENCLU (selected by EAX) are:

   Any unsupported value in EAX causes a #GP exception.
   The EENTER and ERESUME functions cannot be executed inside an SGX enclave – the other functions can only be executed inside an enclave.

7. ENCLU can only be executed in ring 3, not rings 0/1/2.
8. The leaf functions defined for ENCLV (selected by EAX) are:

   Any unsupported value in EAX causes a #GP exception.
   The ENCLV instruction is only present on systems that support the EPC Oversubscription Extensions to SGX ("OVERSUB").

9. ENCLV is only available if Intel VMX operation is enabled with VMXON, and will produce #UD otherwise.
10. For PTWRITE, the write to the Processor Trace Packet will only happen if a set of enable-bits (the "TriggerEn", "ContextEn", "FilterEn" bits of the RTIT_STATUS MSR and the "PTWEn" bit of the RTIT_CTL MSR) are all set to 1.
    The PTWRITE instruction is indicated in the SDM to cause an #UD exception if the 66h instruction prefix is used, regardless of other prefixes.
11. The leaf functions defined for PCONFIG (selected by EAX) are:

    Any unsupported value in EAX causes a #GP(0) exception.

12. For CLDEMOTE, the cache level that it will demote a cache line to is implementation-dependent.
    Since the instruction is considered a hint, it will execute as a NOP without any exceptions if the provided memory address is invalid or not in the L1 cache. It may also execute as a NOP under other implementation-dependent circumstances as well.
    On systems that do not support the CLDEMOTE extension, it executes as a NOP.
13. Intel documentation lists Tremont and Alder Lake as the processors in which CLDEMOTE was introduced. However, as of May 2022, no Tremont or Alder Lake models have been observed to have the CPUID feature bit for CLDEMOTE set, while several of them have the CPUID bit cleared.^[112]
    As of April 2023, the CPUID feature bit for CLDEMOTE has been observed to be set for Sapphire Rapids.^[113]
14. For UMONITOR, the operand size of the address argument is given by the address size, which may be overridden by the 67h prefix. The default segment used is DS:, which can be overridden with a segment prefix.
15. For the UMWAIT and TPAUSE instructions, the operating system can use the IA32_UMWAIT_CONTROL MSR to limit the maximum amount of time that a single UMWAIT/TPAUSE invocation is permitted to wait. The UMWAIT and TPAUSE instructions will set RFLAGS.CF to 1 if they reached the IA32_UMWAIT_CONTROL-defined time limit and 0 otherwise.
16. TPAUSE and UMWAIT can be run outside Ring 0 only if CR4.TSD=0.
17. For the register argument to the UMWAIT and TPAUSE instructions, the following flag bits are supported:
18. While serialization can be performed with older instructions such as e.g. CPUID and IRET, these instructions perform additional functions, causing side-effects and reduced performance when stand-alone instruction serialization is needed. (CPUID additionally has the issue that it causes a mandatory #VMEXIT when executed under virtualization, which causes a very large overhead.) The SERIALIZE instruction performs serialization only, avoiding these added costs.
19. A bitmap of CPU history components that can be reset through HRESET is provided by CPUID.(EAX=20h,ECX=0):EBX.
    As of July 2023, the following bits are defined:
20. The register argument to SENDUIPI is an index to pick an entry from the UITT (User-Interrupt Target Table, a table specified by the new UINTR_TT and UINT_MISC MSRs.)
21. On Sapphire Rapids processors, the UIRET instruction always sets UIF (User Interrupt Flag) to 1. On Sierra Forest and later processors, UIRET will set UIF to the value of bit 1 of the value popped off the stack for RFLAGS - this functionality is indicated by CPUID.(EAX=7,ECX=1):EDX[17].
22. The condition codes supported for the CMPccXADD instructions (opcode VEX.128.66.0F38 Ex /r with the x nibble specifying the condition) are:
23. Even though the CMPccXADD instructions perform a locked memory operation, they do not require or accept the LOCK (F0h) prefix - attempting to use this prefix results in #UD.

Added with other AMD-specific extensions

1. The standard way to access the CR8 register is to use an encoding that makes use of the REX.R prefix, e.g. 44 0F 20 07 (MOV RDI,CR8). However, the REX.R prefix is only available in 64-bit mode.
   The AltMovCr8 extension adds an additional method to access CR8, using the F0 (LOCK) prefix instead of REX.R – this provides access to CR8 outside 64-bit mode.
2. Like other variants of MOV to/from the CRx registers, the AltMovCr8 encodings ignore the top 2 bits of the instruction's ModR/M byte, and always execute as if these two bits are set to 11b.
   The AltMovCr8 encodings are available in 64-bit mode. However, combining the LOCK prefix with the REX.R prefix is not permitted and will cause an #UD exception.
3. Support for AltMovCR8 was added in stepping F of the AMD K8, and is not available on earlier steppings.
4. For CLZERO, the address size and 67h prefix control whether to use AX, EAX or RAX as address. The default segment DS: can be overridden by a segment-override prefix. The provided address does not need to be aligned – hardware will align it as necessary.
   The CLZERO instruction is intended for recovery from otherwise-fatal Machine Check errors. It is non-cacheable, cannot be used to allocate a cache line without a memory access, and should not be used for fast memory clears.^[114]
5. The register numbering used by RDPRU does not necessarily match that of RDMSR/WRMSR.
   The registers supported by RDPRU as of December 2022 are:

   Unsupported values in ECX return 0.

6. If CR4.TSD=1, then the RDPRU instruction can only run in ring 0.

x87 floating-point instructions

The x87 coprocessor, if present, provides support for floating-point arithmetic. The coprocessor provides eight data registers, each holding one 80-bit floating-point value (1 sign bit, 15 exponent bits, 64 mantissa bits) – these registers are organized as a stack, with the top-of-stack register referred to as "st" or "st(0)", and the other registers referred to as st(1),st(2),...st(7). It additionally provides a number of control and status registers, including "PC" (precision control, to control whether floating-point operations should be rounded to 24, 53 or 64 mantissa bits) and "RC" (rounding control, to pick rounding-mode: round-to-zero, round-to-positive-infinity, round-to-negative-infinity, round-to-nearest-even) and a 4-bit condition code register "CC", whose four bits are individually referred to as C0,C1,C2 and C3). Not all of the arithmetic instructions provided by x87 obey PC and RC.

Original 8087 instructions

1. x87 coprocessors (other than the 8087) handle exceptions in a fairly unusual way. When an x87 instruction generates an unmasked arithmetic exception, it will still complete without causing a CPU fault – instead of causing a fault, it will record within the coprocessor information needed to handle the exception (instruction pointer, opcode, data pointer if the instruction had a memory operand) and set FPU status-word flag to indicate that a pending exception is present. This pending exception will then cause a CPU fault when the next x87, MMX or WAIT instruction is executed.
   The exception to this is x87's "Non-Waiting" instructions, which will execute without causing such a fault even if a pending exception is present (with some caveats, see application note AP-578^[115]). These instructions are mostly control instructions that can inspect and/or modify the pending-exception state of the x87 FPU.
2. For each non-waiting x87 instruction whose mnemonic begins with FN, there exists a pseudo-instruction that has the same mnemonic except without the N. These pseudo-instructions consist of a WAIT instruction (opcode 9B) followed by the corresponding non-waiting x87 instruction. For example:
   • FNCLEX is an instruction with the opcode DB E2. The corresponding pseudo-instruction FCLEX is then encoded as 9B DB E2.
   • FNSAVE ES:[BX+6] is an instruction with the opcode 26 DD 77 06. The corresponding pseudo-instruction FSAVE ES:[BX+6] is then encoded as 9B 26 DD 77 06
   These pseudo-instructions are commonly recognized by x86 assemblers and disassemblers and treated as single instructions, even though all x86 CPUs with x87 coprocessors execute them as a sequence of two instructions.
3. On 80387 and later x87 FPUs, FLDENV, F(N)STENV, FRSTOR and F(N)SAVE exist in 16-bit and 32-bit variants. The 16-bit variants will load/store a 14-byte floating-point environment data structure to/from memory – the 32-bit variants will load/store a 28-byte data structure instead. (F(N)SAVE/FRSTOR will additionally load/store an additional 80 bytes of FPU data register content after the FPU environment, for a total of 94 or 108 bytes). The choice between the 16-bit and 32-bit variants is based on the CS.D bit and the presence of the 66h instruction prefix. On 8087 and 80287, only the 16-bit variants are available.
   64-bit variants of these instructions do not exist – using REX.W under x86-64 will cause the 32-bit variants to be used. Since these can only load/store the bottom 32 bits of FIP and FDP, it is recommended to use FXSAVE64/FXRSTOR64 instead if 64-bit operation is desired.
4. In the case of an x87 instruction producing an unmasked FPU exception, the 8087 FPU will signal an IRQ some indeterminate time after the instruction was issued. This may not always be possible to handle,^[116] and so the FPU offers the F(N)DISI and F(N)ENI instructions to set/clear the Interrupt Mask bit (bit 7) of the x87 Control Word,^[117] to control the interrupt.
   Later x87 FPUs, from 80287 onwards, changed the FPU exception mechanism to instead produce a CPU exception on the next x87 instruction. This made the Interrupt Mask bit unnecessary, so it was removed.^[118] In later Intel x87 FPUs, the F(N)ENI and F(N)DISI instructions were kept for backwards compatibility, executing as NOPs that do not modify any x87 state.
5. FST/FSTP with an 80-bit destination (m80 or st(i)) and an sNaN source value will produce exceptions on AMD but not Intel FPUs.
6. FSTP ST(0) is a commonly used idiom for popping a single register off the x87 register stack.
7. Intel x87 alias opcode. Use of this opcode is not recommended.
   On the Intel 8087 coprocessor, several reserved opcodes would perform operations behaving similarly to existing defined x87 instructions. These opcodes were documented for the 8087^[119] and 80287,^[120] but then omitted from later manuals until the October 2017 update of the Intel SDM.^[121]
   They are present on all known Intel x87 FPUs but unavailable on some older non-Intel FPUs, such as AMD Geode GX/LX, DM&P Vortex86^[122] and NexGen 586PF.^[123]
8. On the 8087 and 80287, FBSTP and the load-constant instructions always use the round-to-nearest rounding mode. On the 80387 and later x87 FPUs, these instructions will use the rounding mode specified in the x87 RC register.
9. For the FADDP, FSUBP, FSUBRP, FMULP, FDIVP, FDIVRP, FCOM, FCOMP and FXCH instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.
10. On Intel Pentium and later processors, FXCH is implemented as a register renaming rather than a true data move. This has no semantic effect, but enables zero-cycle-latency operation. It also allows the instruction to break data dependencies for the x87 top-of-stack value, improving attainable performance for code optimized for these processors.
11. The result of executing the FBLD instruction on non-BCD data is undefined.
12. On early Intel Pentium processors, floating-point divide was subject to the Pentium FDIV bug. This also affected instructions that perform divide as part of their operations, such as FPREM and FPATAN.^[124]
13. The FXAM instruction will set C0, C2 and C3 based on value type in st(0) as follows:

    C1 is set to the sign-bit of st(0), regardless of whether st(0) is Empty or not.

14. For FXTRACT, if st(0) is zero or ±∞, then M is set equal to st(0). If st(0) is zero, E is set to 0 on 8087/80287 but -∞ on 80387 and later. If st(0) is ±∞, then E is set to +∞.
15. For FPREM, if the quotient Q is larger than ${\displaystyle 2^{63}}$, then the remainder calculation may have been done only partially – in this case, the FPREM instruction will need to be run again in order to complete the remainder calculation. This is indicated by the instruction setting C2 to 1.
    If the instruction did complete the remainder calculation, it will set C2 to 0 and set the three bits {C0,C3,C1} to the bottom three bits of the quotient Q.
    On 80387 and later, if the instruction didn't complete the remainder calculation, then the computed remainder Q used for argument reduction will have been rounded to a multiple of 8 (or larger power-of-2), so that the bottom 3 bits of the quotient can still be correctly retrieved in a later pass that does complete the remainder calculation.
16. The remainder computation done by the FPREM instruction is always exact with no roundoff errors.
17. For the FSCALE instruction on 8087 and 80287, st(1) is required to be in the range ${\displaystyle -2^{15}\leq st(1)<2^{15}}$. Also, its absolute value must be either 0 or at least 1. If these requirements are not satisfied, the result is undefined.
    These restrictions were removed in the 80387.
18. For FSCALE, rounding is only applied in the case of overflow, underflow or subnormal result.
19. The x87 transcendental instructions do not obey PC or RC, but instead compute full 80-bit results. These results are not necessarily correctly rounded (see Table-maker's dilemma) – they may have an error of up to ±1 ulp on Pentium or later, or up to ±1.5 ulps on earlier x87 coprocessors.
20. For the FYL2X and FYL2XP1 instructions, the maximum error bound of ±1 ulp only holds for st(1)=1.0 – for other values of st(1), the error bound is increased to ±1.35 ulps.
21. For FPATAN, the following adjustments are done as compared to just computing a one-argument arctangent of the ratio ${\displaystyle {\frac {st(1)}{st(0)}}}$:
    • If both st(0) and st(1) are ±∞, then the arctangent is computed as if each of st(0) and st(1) had been replaced with ±1 of the same sign. This produces a result that is an odd multiple of ${\displaystyle {\frac {\pi }{4}}}$.
    • If both st(0) and st(1) are ±0, then the arctangent is computed as if st(0) but not st(1) had been replaced with ±1 of the same sign, producing a result of ±0 or ${\displaystyle \pm \pi }$.
    • If st(0) is negative (has sign bit set), then an addend of ${\displaystyle \pm \pi }$ with the same sign as st(1) is added to the result.
22. While FNOP is a no-op in the sense that will leave the x87 FPU register stack unmodified, it may still modify FIP and CC, and it may fault if a pending x87 FPU exception is present.

x87 instructions added in later processors

1. The x87 FPU needs to know whether it is operating in Real Mode or Protected Mode because the floating-point environment accessed by the F(N)SAVE, FRSTOR, FLDENV and F(N)STENV instructions has different formats in Real Mode and Protected Mode. On 80287, the F(N)SETPM instruction is required to communicate the real-to-protected mode transition to the FPU. On 80387 and later x87 FPUs, real↔protected mode transitions are communicated automatically to the FPU without the need for any dedicated instructions – therefore, on these FPUs, FNSETPM executes as a NOP that does not modify any FPU state.
2. Not including discontinued instructions specific to particular 80387-compatible FPU models.
3. For the FUCOM and FUCOMP instructions, x86 assemblers/disassemblers may recognize variants of the instructions with no arguments. Such variants are equivalent to variants using st(1) as their first argument.
4. The 80387 FPREM1 instruction differs from the older FPREM (D9 F8) instruction in that the quotient Q is rounded to integer with round-to-nearest-even rounding rather than the round-to-zero rounding used by FPREM. Like FPREM, FPREM1 always computes an exact result with no roundoff errors. Like FPREM, it may also perform a partial computation if the quotient is too large, in which case it must be run again.
5. Due to the x87 FPU performing argument reduction for sin/cos with only about 68 bits of precision, the value of k used in the calculation of FSIN, FCOS and FSINCOS is not precisely 1.0, but instead given by^[125][126] $${\displaystyle k{=}{\frac {2^{66}*\pi }{\lfloor 2^{66}*\pi \rfloor }}\approx 1.0000000000000000000012874}$$This argument reduction inaccuracy also affects the FPTAN instruction.
6. The FCOMI, FCOMIP, FUCOMI and FUCOMIP instructions write their results to the ZF, CF and PF bits of the EFLAGS register. On Intel but not AMD processors, the SF, AF and OF bits of EFLAGS are also zeroed out by these instructions.
7. The FXSAVE and FXRSTOR instructions were added in the "Deschutes" revision of Pentium II, and are not present in earlier "Klamath" revision.
   They are also present in AMD K7.
   They are also considered an integral part of SSE and are therefore present in all processors with SSE.
8. The FXSAVE and FXRSTOR instructions will save/restore SSE state only on processors that support SSE. Otherwise, they will only save/restore x87 and MMX state.
   The x87 section of the state saved/restored by FXSAVE/FXRSTOR has a completely different layout than the data structure of the older F(N)SAVE/FRSTOR instructions, enabling faster save/restore by avoiding misaligned loads and stores.
9. When floating-point emulation is enabled with CR0.EM=1, FXSAVE(64) and FXRSTOR(64) are considered to be x87 instructions and will accordingly produce an #NM (device-not-available) exception. Other than WAIT, these are the only opcodes outside the D8..DF ESC opcode space that exhibit this behavior. (All opcodes in D8..DF will produce #NM if CR0.EM=1, even for undefined opcodes that would produce #UD otherwise.)
10. Unlike the older F(N)SAVE instruction, FXSAVE will not initialize the FPU after saving its state to memory, but instead leave the x87 coprocessor state unmodified.

SIMD instructions

Cryptographic instructions

Virtualization instructions

Other instructions

x86 also includes discontinued instruction sets which are no longer supported by Intel and AMD, and undocumented instructions which execute but are not officially documented.

See also

• CLMUL
• RDRAND
• Advanced Vector Extensions 2
• AVX-512
• x86 Bit manipulation instruction set
• CPUID
• List of discontinued x86 instructions

References

1. "Re: Intel Processor Identification and the CPUID Instruction". Retrieved 2013-04-21.
2. "Intel 80x86 Instruction Set Summary" (PDF). eecs.wsu.edu.
3. Michal Necasek, SGDT/SIDT Fiction and Reality, 4 May 2017. Archived on 29 Nov 2023.
4. Intel, Undocumented iAPX 286 Test Instruction. Archived on 20 Dec 2023.
5. WikiChip, UMIP – x86. Archived on 16 Mar 2023.
6. Oracle Corp, Oracle® VM VirtualBox Administrator's Guide for Release 6.0, section 3.5: Details About Software Virtualization. Archived on 8 Dec 2023.
7. MBC Project, Virtual Machine Detection (permanent link) or Virtual Machine Detection (non permanent link)
8. Andrew Schulman, "Unauthorized Windows 95" (ISBN 1-56884-169-8), chapter 8, p.249,257.
9. US Patent 4974159, "Method of transferring control in a multitasking computer system" mentions 63h/ARPL.
10. Intel, Pentium® Processor Family Developer’s Manual, Volume 3, 1995, order no. 241430-004, section 12.7, p. 323
11. Intel, How Microarchitectural Data Sampling works, see mitigations section. Archived on Apr 22,2022
12. Linux kernel documentation, Microarchitectural Data Sampling (MDS) mitigation Archived 2020-10-21 at the Wayback Machine
13. VCF Forums, I found the SAVEALL opcode, jun 21, 2019. Archived on 13 Apr 2023.
14. rep lodsb, Intel 286 secrets: ICE mode and F1 0F 04, aug 12, 2022. Archived on 8 Dec 2023.
15. LKML, (PATCH) x86-64, espfix: Don't leak bits 31:16 of %esp returning to 16-bit stack, Apr 29, 2014. Archived on Jan 4, 2018
16. Raymond Chen, Getting MS-DOS games to run on Windows 95: Working around the iretd problem, Apr 4, 2016. Archived on Mar 15, 2019
17. sandpile.org, x86 architecture rFLAGS register, see note #7
18. Can Bölük, Speculating the entire x86-64 Instruction Set In Seconds with This One Weird Trick, Mar 22, 2021. Archived on Mar 23, 2021.
19. Robert Collins, Undocumented OpCodes, 29 july 1995. Archived on 21 feb 2001
20. Michal Necasek, ICEBP finally documented, OS/2 Museum, May 25, 2018. Archived on 6 June 2018
21. Intel, AP-526: Optimization For Intel's 32-bit Processors, order no. 242816-001, october 1995 – lists INT1 on page 86.
22. AMD, AMD 64-bit Technology, vol 2: System Programming, order no. 24593, rev 3.06, aug 2002, page 248
23. "Intel 80386 CPU Information | PCjs Machines". www.pcjs.org.
24. Geoff Chappell, CPU Identification before CPUID
25. Jeff Parsons, Obsolete 80386 Instructions: IBTS and XBTS, PCjs Machines. Archived on Sep 19, 2020.
26. Robert Collins, The LOADALL Instruction. Archived from the original on Jun 5, 1997.
27. Toth, Ervin (1998-03-16). "BSWAP with 16-bit registers". Archived from the original on 1999-11-03. The instruction brings down the upper word of the doubleword register without affecting its upper 16 bits.
28. Coldwin, Gynvael (2009-12-29). "BSWAP + 66h prefix". Retrieved 2018-10-03. internal (zero-)extending the value of a smaller (16-bit) register … applying the bswap to a 32-bit value "00 00 AH AL", … truncated to lower 16-bits, which are "00 00". … Bochs … bswap reg16 acts just like the bswap reg32 … QEMU … ignores the 66h prefix
29. Intel "i486 Microprocessor" (April 1989, order no. 240440-001) p.142 lists CMPXCHG with 0F A6/A7 encodings.
30. Intel "i486 Microprocessor" (November 1989, order no. 240440-002) p.135 lists CMPXCHG with 0F B0/B1 encodings.
31. "Intel 486 & 486 POD CPUID, S-spec, & Steppings".
32. Intel, Software Guard Extensions Programming Reference, order no. 329298-002, oct 2014, sections 3.5 and 3.6.5.
33. Frank van Gilluwe, "The Undocumented PC, second edition", 1997, ISBN 0-201-47950-8, page 55
34. AMD, Revision Guide for AMD Athlon 64 and AMD Opteron Processors pub.no. 25759, rev 3.79, July 2009, page 34. Archived on 20 Dec 2023.
35. Intel, Software Developer’s Manual, vol 3A, order no. 253668-078, Dec 2022, section 9.3, page 299
36. "RSM—Resume from System Management Mode". Archived from the original on 2012-03-12.
37. Microprocessor Report, System Management Mode Explained (vol 6, no. 8, june 17, 1992). Archived on Jun 29, 2022.
38. Ellis, Simson C., "The 386 SL Microprocessor in Notebook PCs", Intel Corporation, Microcomputer Solutions, March/April 1991, page 20
39. Cyrix 486SLC/e Data Sheet (1992), section 2.6.4
40. Linux 6.3 kernel sources, /arch/x86/include/asm/cpuid.h, line 69
41. gcc-patches mailing list, CPUID Patch for IDT Winchip, May 21, 2019. Archived on Apr 27, 2023.
42. Intel, Intel® Virtualization Technology FlexMigration Application Note order no. 323850-004, oct 2012, section 2.3.2 on page 12. Archived on Oct 13, 2014.
43. Intel, Atom Processor C3000 Product Family Datasheet order no. 337018-002, Feb 2018, pages 133, 3808 and 3814. Archived on Feb 9, 2022.
44. AMD, AMD64 Architecture Programmer’s Manual Volume 3 pub.no. 24594, rev 3.34, oct 2022, p. 165 (entry on CPUID instruction)
45. Robert Collins, CPUID Algorithm Wars, nov 1996. Archived from the original on dec 18, 2000.
46. Geoff Chappell, CMPXCHG8B Support in the 32-Bit Windows Kernel, 23 jan 2008. Archived on 5 Nov 2023.
47. Intel, Software Developer's Manual, order no. 325426-077, Nov 2022 – the entry on the RDTSC instruction on p.1739 describes the instruction sequences required to order the RDTSC instruction with respect to earlier and later instructions.
48. Linux kernel 5.4.12, /arch/x86/kernel/cpu/centaur.c
49. Stack Overflow, Can constant non-invariant tsc change frequency across cpu states? Accessed 24 Jan 2023. Archived on 24 Jan 2023.
50. CPU-World, CPUID for Zhaoxin KaiXian KX-5000 KX-5650 (by timw4mail), 24 Apr 2024. Archived on 26 Apr 2024.
51. Michal Necasek, "Undocumented RDTSC", 27 Apr 2018. Archived on 16 Dec 2023.
52. Willy Tarreau, Re: i686 quirk for AMD Geode, Linux Kernel Mailing List, 10 Nov 2009.
53. Intel, Intel 64 and IA-32 Architectures Optimization Reference Manual: Volume 1, order no. 248966-050US, April 2024, section 3.5.1.9, page 119. Archived on 9 May 2024.
54. JookWiki, "nopl", sep 24, 2022 – provides a lengthy account of the history of the long NOP and the issues around it. Archived on oct 28, 2022.
55. Intel Community: Multibyte NOP Made Official. Archived on 7 Apr 2022.
56. Intel Software Developers Manual, vol 3B (order no 253669-076us, December 2021), section 22.15 "Reserved NOP"
57. AMD, AMD 64-bit Technology – AMD x86-64 Architecture Programmer’s Manual Volume 3, publication no. 24594, rev 3.02, aug 2002, page 379.
58. Debian bug report logs, -686 build uses long noops, that are unsupported by Transmeta Crusoe, immediate crash on boot, see messages 148 and 158 for NOPL on VIA C7. Archived on 1 Aug 2019
59. Intel, Intel Architecture Software Developer’s Manual, Volume 2, 1997, order no. 243191-001, pages 3-9 and A-7.
60. John Hassey, Pentium Pro changes, GAS2 mailing list, 28 dec 1995 – patch that added the UD2A and UD2B instruction mnemomics to GNU Binutils. Archived on 25 Jul 2023.
61. Jan Beulich, x86: correct UDn, binutils-gdb mailing list, 23 nov 2017 – Binutils patch that added ModR/M byte to UD1/UD2B and added UD0. Archived on 25 Jul 2023.
62. Intel, Intel Pentium 4 and Intel Xeon Processor Optimization Reference Manual, order no. 248966-007, see "Assembly/Compiler Coding Rule 13" on page 74. Archived from the original on 16 Mar 2003.
63. Intel, Pentium® Processor Family Developer's Manual Volume 3, 1995. order no. 241430-004, appendix A, page 943 – reserves the opcodes 0F 0B and 0F B9.
64. AMD, AMD64 Architecture Programmer’s Manual Volume 3, publication no. 24594, rev 3.17, dec 2011 – see page 416 for UD0 and page 415 and 419 for UD1.
65. Intel, Software Developer's Manual, vol 2B, order no. 253667-061, dec 2016 – lists UD1 (with ModR/M byte) and UD0 (without ModR/M byte) on page 4-687.
66. Stecklina, Julian (2019-02-08). "Fingerprinting x86 CPUs using Illegal Opcodes". x86.lol. Archived from the original on 15 Dec 2023. Retrieved 2023-12-15.
67. "ud0 length fix · intelxed/xed@7561f54". GitHub. Archived from the original on 1 Jun 2023. Retrieved 2023-12-15.
68. Cyrix, 6x86 processor data book, 1996, order no. 94175-01, table 6-20, page 209 – uses the mnemonic OIO ("Official invalid opcode") for the 0F FF opcode.
69. Intel, Software Developer's Manual, vol 2B, order no. 253667-064, oct 2017 – lists UD0 (with ModR/M byte) on page 4-683.
70. AMD, AMD-K5 Processor Technical Reference Manual, Nov 1996, order no. 18524C/0, section 3.3.7, page 90 – reserves the 0F FF opcode without assigning it a mnemonic.
71. AMD, AMD-K6 Processor Data Sheet, order no. 20695H/0, March 1998, section 24.2, page 283.
72. George Dunlap, The Intel SYSRET Privilege Escalation, The Xen Project., 13 june 2012. Archived on Mar 15, 2019.
73. Intel, AP-485: Intel® Processor Identification and the CPUID Instruction, order no. 241618-039, may 2012, section 5.1.2.5, page 32
74. Michal Necasek, "SYSENTER, Where Are You?", 20 Jul 2017. Archived on 29 Nov 2023.
75. AMD, Athlon Processor x86 Code Optimization Guide, publication no. 22007, rev K, feb 2002, appendix F, page 284. Archived on 13 Apr 2017.
76. Transmeta, Processor Recognition, May 7, 2002.
77. VIA, VIA C3 Nehemiah Processor Datasheet, rev 1.13, sep 29, 2004, page 17
78. CPU-World, CPUID for Intel Xeon 3.40 GHz – Nocona stepping D CPUID without CMPXCHG16B
79. CPU-World, CPUID for Intel Xeon 3.60 GHz – Nocona stepping E CPUID with CMPXCHG16B
80. SuperUser StackExchange, How prevalent are old x64 processors lacking the cmpxchg16b instruction?
81. Intel SDM order no. 325462-077, apr 2022, vol 2B, p.4-130 "MOVSX/MOVSXD-Move with Sign-Extension" lists MOVSXD without REX.W as "discouraged"
82. Anandtech, AMD Zen 3 Ryzen Deep Dive Review, nov 5, 2020, page 6
83. @instlatx64 (October 31, 2020). "Saving Private Ryzen: PEXT/PDEP 32/64b replacement functions for #AMD CPUs (BR/#Zen/Zen+/#Zen2) based on @zwegner's zp7" (Tweet). Retrieved 2023-01-20 – via Twitter.
84. Wegner, Zach (4 November 2020). "zwegner/zp7". GitHub.
85. Intel, Control-flow Enforcement Technology Specification (v3.0, order no. 334525-003, March 2019)
86. Intel SDM, rev 076, December 2021, volume 1, section 18.3.1
87. Binutils mailing list: x86: CET v2.0: Update NOTRACK prefix
88. AMD, Extensions to the 3DNow! and MMX Instruction Sets, ref no. 22466D/0, March 2000, p.11
89. Hadi Brais, The Significance of the x86 SFENCE instruction, 26 Feb 2019.
90. Intel, Software Developer's Manual, order no. 325426-077, Nov 2022, Volume 1, section 11.4.4.3, page 276.
91. Hadi Brais, The Significance of the LFENCE instruction, 14 May 2018
92. AMD, Software techniques for managing speculation on AMD processor, rev 3.8.22, 8 March 2022, page 4. Archived on 13 March 2022.
93. Intel, Prescott New Instructions Software Developer’s Guide, order no. 252490-003, june 2003, pages 3-26 and 3-38 list MONITOR and MWAIT with explicit operands. Archived on 9 May 2005.
94. Flat Assembler messageboard, "BLENDVPS/BLENDVPD/PBLENDVB syntax", also covers MONITOR/MWAIT mnemonics. Archived on 6 Nov 2022.
95. Intel, Intel® Xeon Phi™ Product Family x200 (KNL) User mode (ring 3) MONITOR and MWAIT (archived 5 mar 2017)
96. AMD, BIOS and Kernel Developer’s Guide (BKDG) For AMD Family 10h Processors, order no. 31116, rev 3.62, page 419. Archived on Apr 8, 2024.
97. R. Zhang et al, (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels, 3 Jan 2023, page 5. Archived from the original on 5 Jan 2023.
98. Intel, Architecture Instruction Set Extensions Programming Reference, order no. 319433-052, March 2024, chapter 17. Archived on Apr 7, 2024.
99. Guru3D, VIA Zhaoxin x86 4 and 8-core SoC processors launch, Jan 22, 2018
100. Vulners, x86: DoS from attempting to use INVPCID with a non-canonical addresses, 20 nov 2018
101. Intel, Intel® 64 and IA-32 Architectures Software Developer’s Manual volume 3, order no. 325384-078, december 2022, chapter 23.15
102. Catherine Easdon, Undocumented CPU Behaviour on x86 and RISC-V Microarchitectures: A Security Perspective, 10 May 2019, page 39
103. Instlatx64, Zhaoxin Kaixian KX-6000G CPUID dump, May 15, 2023
104. Intel, Willamette Processor Software Developer’s Guide, order no. 245355-001, feb 2000, section 3.5.3, page 294 - lists HWNT/HST mnemonics for the branch hint prefixes. Archived from the original on 5 Feb 2005.
105. Intel, Software Developer's Manual, order no. 325462-083, March 2024 - volume 1, chapter 11.4.5, page 281 and volume 2A, chapter 2.1.1, page 525.
106. Intel, Intel 64 and IA-32 Architectures Optimization Reference Manual: Volume 1, order no. 248966-050US, April 2024, chapter 2.1.1.1, page 46.
107. Intel, Intel® Software Guard Extensions (Intel® SGX) Architecture for Oversubscription of Secure Memory in a Virtualized Environment, 25 Jun 2017.
108. Intel, Runtime Microcode Updates with Intel® Software Guard Extensions, sep 2021, order no. 648682 rev 1.0. Archived from the original on 31 mar 2023.
109. Intel, 11th Generation Intel® Core™ Processor Desktop Datasheet, Volume 1, may 2022, order no. 634648-004, section 3.5, page 65
110. Intel, Which Platforms Support Intel® Software Guard Extensions (Intel® SGX) SGX2? Archived on 5 May 2022.
111. Intel, Trust Domain CPU Architectural Extensions, order no. 343754-002, may 2021.
112. @InstLatX64 (May 3, 2022). "The CLDEMOTE Story" (Tweet). Retrieved 2023-01-23 – via Twitter.
113. @Instlatx64 (Apr 17, 2023). "20-Core Intel Xeon w7-2475X (SapphireRapids-64L) 806F8 CPUID dump" (Tweet). Retrieved 2023-04-20 – via Twitter.
114. Wikichip, CLZERO – x86
115. Intel, Application note AP-578: Software and Hardware Considerations for FPU Exception Handlers for Intel Architecture Processors, order no. 243291-002, February 1997
116. Intel, Application Note AP-113: Getting Started With The Numeric Data Processor, feb 1981, pages 24-25
117. Intel, 8087 Math Coprocessor, oct 1989, order no. 285385-007, page 3-100, fig 9
118. Intel, 80287 80-bit HMOS Numeric Processor Extension, feb 1983, order no. 201920-001, page 14
119. Intel, iAPX86, 88 User's Manual, 1981 (order no. 210201-001), p. 797
120. Intel 80286 and 80287 Programmers Reference Manual, 1987 (order no. 210498-005), p. 485
121. Intel Software Developer's Manual volume 3B, revision 064, section 22.18.9
122. "GCC Bugzilla – 37179 – GCC emits bad opcode 'ffreep'".
123. Michael Steil, FFREEP – the assembly instruction that never existed
124. Dusko Koncaliev, Pentium FDIV Bug
125. Bruce Dawson, Intel Underestimates Error Bounds by 1.3 quintillion
126. Intel SDM, rev 053 and later, describes the exact argument reduction procedure used for FSIN, FCOS, FSINCOS and FPTAN in volume 1, section 8.3.8

• Intel Corporation (April 2022). "Intel 64 and IA-32 Architectures Software Developer's Manual, Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D and 4". Intel. Retrieved 21 June 2022.

External links

• Free IA-32 and x86-64 documentation, provided by Intel
• AMD64 Architecture Programmer's Manual, Volumes 1-5, provided by AMD
• x86 Opcode and Instruction Reference
• x86 and amd64 instruction reference
• Instruction tables: Lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs
• Netwide Assembler Instruction List (from Netwide Assembler)